Debian Bug report logs - #510652
wpasupplicant: /etc/dbus-1/system.d file needs alterations for fd.o #18961


Package: wpasupplicant; Maintainer for wpasupplicant is Debian/Ubuntu wpasupplicant Maintainers <pkg-wpa-devel@lists.alioth.debian.org>; Source for wpasupplicant is src:wpa.

Reported by: Simon McVittie <smcv@debian.org>

Date: Sun, 4 Jan 2009 02:12:05 UTC

Severity: normal

Merged with 510781

Found in version wpasupplicant/0.6.4-3

Done: Kel Modderman <kel@otaku42.de>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian/Ubuntu wpasupplicant Maintainers <pkg-wpa-devel@lists.alioth.debian.org>:
Bug#510652; Package wpasupplicant. (Sun, 04 Jan 2009 02:12:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Simon McVittie <smcv@debian.org>:
New Bug report received and forwarded. Copy sent to Debian/Ubuntu wpasupplicant Maintainers <pkg-wpa-devel@lists.alioth.debian.org>. (Sun, 04 Jan 2009 02:12:07 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Simon McVittie <smcv@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: wpasupplicant: /etc/dbus-1/system.d file needs alterations for fd.o #18961
Date: Sun, 4 Jan 2009 02:10:03 +0000
Package: wpasupplicant
Version: 0.6.4-3
Severity: normal
User: pkg-utopia-maintainers@lists.alioth.debian.org
Usertags: fdo-18961

wpasupplicant's D-Bus system.d config should be updated to fix
non-deterministic allow/deny for messages with no interface (related to
CVE-2008-4311).

http://bugs.freedesktop.org/show_bug.cgi?id=18961 is the D-Bus bug tracking
this. It appears from the dnsmasq patch there that removing the lines
<allow send_interface="..."/> and <deny send_interface="..."/> is recommended
(the fact that send_destination is allowed should be sufficient).

Regards from the Cambridge BSP,
    Simon
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian/Ubuntu wpasupplicant Maintainers <pkg-wpa-devel@lists.alioth.debian.org>:
Bug#510652; Package wpasupplicant. (Sun, 04 Jan 2009 14:39:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Kel Modderman <kel@otaku42.de>:
Extra info received and forwarded to list. Copy sent to Debian/Ubuntu wpasupplicant Maintainers <pkg-wpa-devel@lists.alioth.debian.org>. (Sun, 04 Jan 2009 14:39:03 GMT) Full text and rfc822 format available.

Message #10 received at 510652@bugs.debian.org (full text, mbox):

From: Kel Modderman <kel@otaku42.de>
To: pkg-wpa-devel@lists.alioth.debian.org, Simon McVittie <smcv@debian.org>, 510652@bugs.debian.org
Subject: Re: [pkg-wpa-devel] Bug#510652: wpasupplicant: /etc/dbus-1/system.d file needs alterations for fd.o #18961
Date: Mon, 5 Jan 2009 00:38:23 +1000
On Sunday 04 January 2009 12:10:03 Simon McVittie wrote:
> Package: wpasupplicant
> Version: 0.6.4-3
> Severity: normal
> User: pkg-utopia-maintainers@lists.alioth.debian.org
> Usertags: fdo-18961
> 
> wpasupplicant's D-Bus system.d config should be updated to fix
> non-deterministic allow/deny for messages with no interface (related to
> CVE-2008-4311).
> 
> http://bugs.freedesktop.org/show_bug.cgi?id=18961 is the D-Bus bug tracking
> this. It appears from the dnsmasq patch there that removing the lines
> <allow send_interface="..."/> and <deny send_interface="..."/> is recommended
> (the fact that send_destination is allowed should be sufficient).

Is this likely to be needed in wpasupplicant package for Lenny release?

Thanks, Kel.





Information forwarded to debian-bugs-dist@lists.debian.org, Debian/Ubuntu wpasupplicant Maintainers <pkg-wpa-devel@lists.alioth.debian.org>:
Bug#510652; Package wpasupplicant. (Sun, 04 Jan 2009 22:24:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Simon McVittie <smcv@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian/Ubuntu wpasupplicant Maintainers <pkg-wpa-devel@lists.alioth.debian.org>. (Sun, 04 Jan 2009 22:24:03 GMT) Full text and rfc822 format available.

Message #15 received at 510652@bugs.debian.org (full text, mbox):

From: Simon McVittie <smcv@debian.org>
To: 510652@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: [pkg-wpa-devel] Bug#510652: wpasupplicant: /etc/dbus-1/system.d file needs alterations for fd.o #18961
Date: Sun, 4 Jan 2009 22:21:12 +0000
user pkg-utopia-maintainers@lists.alioth.debian.org
usertags 510652 + fdo-18961
merge 510652 510781
thanks

Sorry about the duplicate bug - I've spent this weekend in a twisty maze
of configuration files and very similar bug reports.

> Is this likely to be needed in wpasupplicant package for Lenny release?

wpasupplicant driven by NetworkManager on a fresh lenny install seemed
to be OK, but your testing of wpasupplicant probably goes further than
mine. If anything other than NetworkManager uses the D-Bus interface, it
would be useful if you could test it with the dbus package from
<http://people.debian.org/~smcv/dbus-cve-2008-4311/> which is roughly what
we plan to push into lenny.

(Note that hal, ConsoleKit, PolicyKit and system-config-backends have
known problems with this new package - see
http://bugs.debian.org/cgi-bin/pkgreport.cgi?users=pkg-utopia-maintainers@lists.alioth.debian.org&tag=CVE-2008-4311
for the bugs we currently believe are RC for lenny.)

    Simon
[signature.asc (application/pgp-signature, inline)]

Merged 510652 510781. Request was from Simon McVittie <smcv@debian.org> to control@bugs.debian.org. (Sun, 04 Jan 2009 22:24:04 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian/Ubuntu wpasupplicant Maintainers <pkg-wpa-devel@lists.alioth.debian.org>:
Bug#510652; Package wpasupplicant. (Sun, 04 Jan 2009 23:09:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Simon McVittie <smcv@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian/Ubuntu wpasupplicant Maintainers <pkg-wpa-devel@lists.alioth.debian.org>. (Sun, 04 Jan 2009 23:09:02 GMT) Full text and rfc822 format available.

Message #22 received at 510652@bugs.debian.org (full text, mbox):

From: Simon McVittie <smcv@debian.org>
To: Kel Modderman <kel@otaku42.de>
Cc: pkg-wpa-devel@lists.alioth.debian.org, 510652@bugs.debian.org
Subject: Re: [pkg-wpa-devel] Bug#510652: wpasupplicant: /etc/dbus-1/system.d file needs alterations for fd.o #18961
Date: Sun, 4 Jan 2009 23:05:20 +0000
On Mon, 05 Jan 2009 at 07:20:13 +1000, Kel Modderman wrote:
> On Monday 05 January 2009 06:56:08 Simon McVittie wrote:
> > Package: wpasupplicant
> > Version: 0.6.4-3
> > Severity: normal
> > User: pkg-utopia-maintainers@lists.alioth.debian.org
> > Usertags: fdo-18961
> > 
> > wpasupplicant's D-Bus system.d config should be updated to fix
> > non-deterministic allow/deny for messages with no interface; the D-Bus
> > upstream recommendation seems to be that every allow or deny rule with
> > send_interface="..." should have a suitable send_destination attribute too.
> > 
> > In this case, this would make them redundant with the lines matching
> > send_destination="...", so they can just be removed (see
> > http://bugzilla.gnome.org/show_bug.cgi?id=563730 for the equivalent
> > changes to NetworkManager).
> > 
> > http://bugs.freedesktop.org/show_bug.cgi?id=18961 is the D-Bus bug tracking
> > this; there have also been discussions on the D-Bus mailing list.
> > 
> > Regards from the Cambridge BSP,
> >     Simon
> > 
> 
> Is this different to #510652 ?

Sorry for the duplicate, I've spent today in a maze of D-Bus policy and
missed the previous bug I filed...

This is not RC for lenny, and indeed probably shouldn't be fixed in sid while
still frozen.

I believe the necessary change is to remove the lines mentioning
send_interface, like this:

 <!DOCTYPE busconfig PUBLIC
  "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
  "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
 <busconfig>
         <policy user="root">
                 <allow own="fi.epitest.hostap.WPASupplicant"/>
 
                 <allow send_destination="fi.epitest.hostap.WPASupplicant"/>
-                <allow send_interface="fi.epitest.hostap.WPASupplicant"/>
         </policy>
         <policy group="netdev">
                 <allow send_destination="fi.epitest.hostap.WPASupplicant"/>
-                <allow send_interface="fi.epitest.hostap.WPASupplicant"/>
         </policy>
         <policy context="default">
                 <deny own="fi.epitest.hostap.WPASupplicant"/>
                 <deny send_destination="fi.epitest.hostap.WPASupplicant"/>
-                <deny send_interface="fi.epitest.hostap.WPASupplicant"/>
         </policy>
 </busconfig>
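
Review bot: in the context="default" block, <deny send_destination="fi.epitest.hostap.WPASupplicant"/> becomes the only rule guarding messages to the service, and the root and netdev blocks now rely on their <allow send_destination=...> lines alone, so the result depends on the bus applying user and group policies after the default one. A short XML comment in the file stating that those allows are meant to override the default deny would document this. The diff as posted also has no ---/+++ file header or @@ line, so it cannot be applied with patch as-is; name the policy file under /etc/dbus-1/system.d in a header when this becomes a real patch.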

However, please test with the new dbus
(<http://people.debian.org/~smcv/dbus-cve-2008-4311/>, or 1.2.8 from
experimental, or the upcoming 1.2.1-5 from sid/lenny, or something else with
CVE-2008-4311 fixed) before uploading changes to these policy files. To be
honest, a large part of the purpose of filing these bugs was in case we had
to upgrade them to RC later, but wpasupplicant seems to work OK.

Regards,
    Simon
[signature.asc (application/pgp-signature, inline)]
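
The rule discussed in this message (every allow or deny rule with send_interface should also carry send_destination, and is redundant where a destination-only rule already covers it) can be checked mechanically. The following is an added example, not part of the original thread or of the wpasupplicant or D-Bus code; the function name `lint_policy` and the advice strings are hypothetical, and the sample input is the pre-change policy reconstructed from the diff above.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the wpasupplicant policy from the diff above, before the change.
POLICY_BEFORE = """<!DOCTYPE busconfig PUBLIC
 "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <policy user="root">
    <allow own="fi.epitest.hostap.WPASupplicant"/>
    <allow send_destination="fi.epitest.hostap.WPASupplicant"/>
    <allow send_interface="fi.epitest.hostap.WPASupplicant"/>
  </policy>
  <policy group="netdev">
    <allow send_destination="fi.epitest.hostap.WPASupplicant"/>
    <allow send_interface="fi.epitest.hostap.WPASupplicant"/>
  </policy>
  <policy context="default">
    <deny own="fi.epitest.hostap.WPASupplicant"/>
    <deny send_destination="fi.epitest.hostap.WPASupplicant"/>
    <deny send_interface="fi.epitest.hostap.WPASupplicant"/>
  </policy>
</busconfig>"""


def lint_policy(xml_text):
    """Return (scope, action, interface, advice) for each rule that
    matches on send_interface without also naming a send_destination."""
    findings = []
    for policy in ET.fromstring(xml_text).iter("policy"):
        # Render the selector of this <policy> block, e.g. group="netdev".
        scope = " ".join(f'{k}="{v}"' for k, v in policy.attrib.items())
        rules = [r for r in policy if r.tag in ("allow", "deny")]
        for rule in rules:
            if "send_interface" not in rule.attrib or "send_destination" in rule.attrib:
                continue
            # Following the message above: where the block already has a
            # same-action rule matching on destination alone, the interface
            # rule adds nothing once scoped and can simply be removed.
            covered = any(
                o.tag == rule.tag and set(o.attrib) == {"send_destination"}
                for o in rules
            )
            advice = "remove (redundant)" if covered else "add send_destination"
            findings.append((scope, rule.tag, rule.get("send_interface"), advice))
    return findings


if __name__ == "__main__":
    for finding in lint_policy(POLICY_BEFORE):
        print(*finding, sep=" | ")
```

Running it over the policy with the three send_interface lines removed returns no findings.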

Information forwarded to debian-bugs-dist@lists.debian.org, Debian/Ubuntu wpasupplicant Maintainers <pkg-wpa-devel@lists.alioth.debian.org>:
Bug#510652; Package wpasupplicant. (Thu, 05 Feb 2009 06:42:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Biebl <biebl@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian/Ubuntu wpasupplicant Maintainers <pkg-wpa-devel@lists.alioth.debian.org>. (Thu, 05 Feb 2009 06:42:02 GMT) Full text and rfc822 format available.

Message #27 received at 510652@bugs.debian.org (full text, mbox):

From: Michael Biebl <biebl@debian.org>
To: Simon McVittie <smcv@debian.org>, Kel Modderman <kel@otaku42.de>, 510652@bugs.debian.org, pkg-wpa-devel@lists.alioth.debian.org
Subject: D-Bus policy file, NM 0.7
Date: Thu, 05 Feb 2009 07:40:32 +0100
Hi,

I just wanted to add some remarks to this bug report:
NM 0.7 uses wpasupplicant's D-Bus interface extensively and it seems to work
fine so far. Nonetheless I always get these messages in auth.log

Feb  5 06:01:10 pluto dbus-daemon: Rejected send message, 17 matched rules;
type="method_return", sender=":1.9" (uid=0 pid=2608 comm="/sbin/wpa_supplicant
-u -f /var/log/wpa_supplicant") interface="(unset)" member="(unset)" error
name="(unset)" requested_reply=0 destination=":1.68" (uid=0 pid=3564
comm="/usr/sbin/NetworkManager --pid-file /var/run/Netwo"))
Feb  5 06:01:15 pluto dbus-daemon: Rejected send message, 18 matched rules;
type="error", sender=":1.518" (uid=0 pid=9360 comm="/sbin/wpa_supplicant -u -f
/var/log/wpa_supplicant") interface="(unset)" member="(unset)" error
name="fi.epitest.hostap.WPASupplicant.InvalidInterface" requested_reply=0
destination=":1.68" (uid=0 pid=3564 comm="/usr/sbin/NetworkManager --pid-file
/var/run/Netwo"))

This happens right after NM has started wpasupplicant (via dbus activation).
During "normal" operation, I don't get any denials.

This is definitely something that needs further investigation.

Cheers,
Michael

PS: Please CC on replies
-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian/Ubuntu wpasupplicant Maintainers <pkg-wpa-devel@lists.alioth.debian.org>:
Bug#510652; Package wpasupplicant. (Wed, 18 Feb 2009 18:15:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Kel Modderman <kel@otaku42.de>:
Extra info received and forwarded to list. Copy sent to Debian/Ubuntu wpasupplicant Maintainers <pkg-wpa-devel@lists.alioth.debian.org>. (Wed, 18 Feb 2009 18:15:05 GMT) Full text and rfc822 format available.

Message #32 received at 510652@bugs.debian.org (full text, mbox):

From: Kel Modderman <kel@otaku42.de>
To: Michael Biebl <biebl@debian.org>, 510652@bugs.debian.org
Cc: Simon McVittie <smcv@debian.org>, pkg-wpa-devel@lists.alioth.debian.org
Subject: Re: Bug#510652: D-Bus policy file, NM 0.7
Date: Thu, 19 Feb 2009 04:12:42 +1000
Hi Michael,

On Thursday 05 February 2009 16:40:32 Michael Biebl wrote:
> Hi,
> 
> I just wanted to add some remarks to this bug report:
> NM 0.7 uses wpasupplicant's D-Bus interface extensively and it seems to work
> fine so far. Nonetheless I always get these messages in auth.log
> 
> Feb  5 06:01:10 pluto dbus-daemon: Rejected send message, 17 matched rules;
> type="method_return", sender=":1.9" (uid=0 pid=2608 comm="/sbin/wpa_supplicant
> -u -f /var/log/wpa_supplicant") interface="(unset)" member="(unset)" error
> name="(unset)" requested_reply=0 destination=":1.68" (uid=0 pid=3564
> comm="/usr/sbin/NetworkManager --pid-file /var/run/Netwo"))
> Feb  5 06:01:15 pluto dbus-daemon: Rejected send message, 18 matched rules;
> type="error", sender=":1.518" (uid=0 pid=9360 comm="/sbin/wpa_supplicant -u -f
> /var/log/wpa_supplicant") interface="(unset)" member="(unset)" error
> name="fi.epitest.hostap.WPASupplicant.InvalidInterface" requested_reply=0
> destination=":1.68" (uid=0 pid=3564 comm="/usr/sbin/NetworkManager --pid-file
> /var/run/Netwo"))
> 
> This happens right after NM has started wpasupplicant (via dbus activation).
> During "normal" operation, I don't get any denials.
> 
> This is definitely something that needs further investigation.
> 
> Cheers,
> Michael
> 
> PS: Please CC on replies

Can you please try to reproduce with wpa_supplicant 0.6.8, it contains a patch
[0] which may address this issue.

There is a package at [1].

Thanks, Kel.

[0] http://w1.fi/gitweb/gitweb.cgi?p=hostap-06.git;a=commitdiff;h=6f3288c6827b45eff20be7ae362608ae2a22d9c0
[1] http://sidux.net/kelmo/debian/pool/main/w/wpasupplicant/




Information forwarded to debian-bugs-dist@lists.debian.org, Debian/Ubuntu wpasupplicant Maintainers <pkg-wpa-devel@lists.alioth.debian.org>:
Bug#510652; Package wpasupplicant. (Sun, 22 Feb 2009 17:21:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Biebl <biebl@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian/Ubuntu wpasupplicant Maintainers <pkg-wpa-devel@lists.alioth.debian.org>. (Sun, 22 Feb 2009 17:21:02 GMT) Full text and rfc822 format available.

Message #37 received at 510652@bugs.debian.org (full text, mbox):

From: Michael Biebl <biebl@debian.org>
To: Kel Modderman <kel@otaku42.de>
Cc: 510652@bugs.debian.org, Simon McVittie <smcv@debian.org>, pkg-wpa-devel@lists.alioth.debian.org
Subject: Re: Bug#510652: D-Bus policy file, NM 0.7
Date: Sun, 22 Feb 2009 18:18:40 +0100
Kel Modderman wrote:

> 
> Can you please try to reproduce with wpa_supplicant 0.6.8, it contains a patch
> [0] which may address this issue.
> 

Hi Kel,

looks like the problem is fixed. I didn't have any more occurrences of this
denial in auth.log since the upgrade.

Cheers,
Michael
-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

[signature.asc (application/pgp-signature, attachment)]

Reply sent to Kel Modderman <kel@otaku42.de>:
You have taken responsibility. (Mon, 01 Mar 2010 22:57:07 GMT) Full text and rfc822 format available.

Notification sent to Simon McVittie <smcv@debian.org>:
Bug acknowledged by developer. (Mon, 01 Mar 2010 22:57:08 GMT) Full text and rfc822 format available.

Message #42 received at 510652-done@bugs.debian.org (full text, mbox):

From: Kel Modderman <kel@otaku42.de>
To: Michael Biebl <biebl@debian.org>
Cc: 510652-done@bugs.debian.org, Simon McVittie <smcv@debian.org>, pkg-wpa-devel@lists.alioth.debian.org
Subject: Re: Bug#510652: D-Bus policy file, NM 0.7
Date: Tue, 2 Mar 2010 08:36:47 +1000
On Monday 23 February 2009 03:18:40 Michael Biebl wrote:
> Kel Modderman wrote:
> 
> > 
> > Can you please try to reproduce with wpa_supplicant 0.6.8, it contains a patch
> > [0] which may address this issue.
> > 
> 
> Hi Kel,
> 
> looks like the problem is fixed. I didn't have any more occurrences of this
> denial in auth.log since the upgrade.

Since no more action is happening here, and everyone seems happy for the last
year, I am closing this bug report.

Thanks, Kel.




Reply sent to Kel Modderman <kel@otaku42.de>:
You have taken responsibility. (Mon, 01 Mar 2010 22:57:08 GMT) Full text and rfc822 format available.

Notification sent to Simon McVittie <smcv@debian.org>:
Bug acknowledged by developer. (Mon, 01 Mar 2010 22:57:08 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 30 Mar 2010 07:37:20 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 19:21:41 2014; Machine Name: beach.debian.org
