Debian Bug report logs - #510652
wpasupplicant: /etc/dbus-1/system.d file needs alterations for fd.o #18961

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Simon McVittie <smcv@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: wpasupplicant: /etc/dbus-1/system.d file needs alterations for fd.o #18961

Date: Sun, 4 Jan 2009 02:10:03 +0000

[Message part 1 (text/plain, inline)]

Package: wpasupplicant
Version: 0.6.4-3
Severity: normal
User: pkg-utopia-maintainers@lists.alioth.debian.org
Usertags: fdo-18961

wpasupplicant's D-Bus system.d config should be updated to fix
non-deterministic allow/deny for messages with no interface (related to
CVE-2008-4311).

http://bugs.freedesktop.org/show_bug.cgi?id=18961 is the D-Bus bug tracking
this. It appears from the dnsmasq patch there that removing the lines
<allow send_interface="..."/> and <deny send_interface="..."/> is recommended
(the fact that send_destination is allowed should be sufficient).

Regards from the Cambridge BSP,
    Simon

[signature.asc (application/pgp-signature, inline)]

Message #10 received at 510652@bugs.debian.org (full text, mbox, reply):

From: Kel Modderman <kel@otaku42.de>

To: pkg-wpa-devel@lists.alioth.debian.org, Simon McVittie <smcv@debian.org>, 510652@bugs.debian.org

Subject: Re: [pkg-wpa-devel] Bug#510652: wpasupplicant: /etc/dbus-1/system.d file needs alterations for fd.o #18961

Date: Mon, 5 Jan 2009 00:38:23 +1000

On Sunday 04 January 2009 12:10:03 Simon McVittie wrote:
> Package: wpasupplicant
> Version: 0.6.4-3
> Severity: normal
> User: pkg-utopia-maintainers@lists.alioth.debian.org
> Usertags: fdo-18961
> 
> wpasupplicant's D-Bus system.d config should be updated to fix
> non-deterministic allow/deny for messages with no interface (related to
> CVE-2008-4311).
> 
> http://bugs.freedesktop.org/show_bug.cgi?id=18961 is the D-Bus bug tracking
> this. It appears from the dnsmasq patch there that removing the lines
> <allow send_interface="..."/> and <deny send_interface="..."/> is recommended
> (the fact that send_destination is allowed should be sufficient).

Is this likely to be needed in wpasupplicant package for Lenny release?

Thanks, Kel.

Message #15 received at 510652@bugs.debian.org (full text, mbox, reply):

From: Simon McVittie <smcv@debian.org>

To: 510652@bugs.debian.org

Cc: control@bugs.debian.org

Subject: Re: [pkg-wpa-devel] Bug#510652: wpasupplicant: /etc/dbus-1/system.d file needs alterations for fd.o #18961

Date: Sun, 4 Jan 2009 22:21:12 +0000

[Message part 1 (text/plain, inline)]

user pkg-utopia-maintainers@lists.alioth.debian.org
usertags 510652 + fdo-18961
merge 510652 510781
thanks

Sorry about the duplicate bug - I've spent this weekend in a twisty maze
of configuration files and very similar bug reports.

> Is this likely to be needed in wpasupplicant package for Lenny release?

wpasupplicant driven by NetworkManager on a fresh lenny install seemed
to be OK, but your testing of wpasupplicant probably goes further than
mine. If anything other than NetworkManager uses the D-Bus interface, it
would be useful if you could test it with the dbus package from
<http://people.debian.org/~smcv/dbus-cve-2008-4311/> which is roughly what
we plan to push into lenny.

(Note that hal, ConsoleKit, PolicyKit and system-config-backends have
known problems with this new package - see
http://bugs.debian.org/cgi-bin/pkgreport.cgi?users=pkg-utopia-maintainers@lists.alioth.debian.org&tag=CVE-2008-4311
for the bugs we currently believe are RC for lenny.)

    Simon

[signature.asc (application/pgp-signature, inline)]

Message #22 received at 510652@bugs.debian.org (full text, mbox, reply):

From: Simon McVittie <smcv@debian.org>

To: Kel Modderman <kel@otaku42.de>

Cc: pkg-wpa-devel@lists.alioth.debian.org, 510652@bugs.debian.org

Subject: Re: [pkg-wpa-devel] Bug#510652: wpasupplicant: /etc/dbus-1/system.d file needs alterations for fd.o #18961

Date: Sun, 4 Jan 2009 23:05:20 +0000

[Message part 1 (text/plain, inline)]

On Mon, 05 Jan 2009 at 07:20:13 +1000, Kel Modderman wrote:
> On Monday 05 January 2009 06:56:08 Simon McVittie wrote:
> > Package: wpasupplicant
> > Version: 0.6.4-3
> > Severity: normal
> > User: pkg-utopia-maintainers@lists.alioth.debian.org
> > Usertags: fdo-18961
> > 
> > wpasupplicant's D-Bus system.d config should be updated to fix
> > non-deterministic allow/deny for messages with no interface; the D-Bus
> > upstream recommendation seems to be that every allow or deny rule with
> > send_interface="..." should have a suitable send_destination attribute too.
> > 
> > In this case, this would make them redundant with the lines matching
> > send_destination="...", so they can just be removed (see
> > http://bugzilla.gnome.org/show_bug.cgi?id=563730 for the equivalent
> > changes to NetworkManager).
> > 
> > http://bugs.freedesktop.org/show_bug.cgi?id=18961 is the D-Bus bug tracking
> > this; there have also been discussions on the D-Bus mailing list.
> > 
> > Regards from the Cambridge BSP,
> >     Simon
> > 
> 
> Is this different to #510652 ?

Sorry for the duplicate, I've spent today in a maze of D-Bus policy and
missed the previous bug I filed...

This is not RC for lenny, and indeed probably shouldn't be fixed in sid while
still frozen.

I believe the necessary change is to remove the lines mentioning
send_interface, like this:

 <!DOCTYPE busconfig PUBLIC
  "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
  "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
 <busconfig>
         <policy user="root">
                 <allow own="fi.epitest.hostap.WPASupplicant"/>
 
                 <allow send_destination="fi.epitest.hostap.WPASupplicant"/>
-                <allow send_interface="fi.epitest.hostap.WPASupplicant"/>
         </policy>
         <policy group="netdev">
                 <allow send_destination="fi.epitest.hostap.WPASupplicant"/>
-                <allow send_interface="fi.epitest.hostap.WPASupplicant"/>
         </policy>
         <policy context="default">
                 <deny own="fi.epitest.hostap.WPASupplicant"/>
                 <deny send_destination="fi.epitest.hostap.WPASupplicant"/>
-                <deny send_interface="fi.epitest.hostap.WPASupplicant"/>
         </policy>
 </busconfig>

However, please test with the new dbus
(<http://people.debian.org/~smcv/dbus-cve-2008-4311/>, or 1.2.8 from
experimental, or the upcoming 1.2.1-5 from sid/lenny, or something else with
CVE-2008-4311 fixed) before uploading changes to these policy files. To be
honest, a large part of the purpose of filing these bugs was in case we had
to upgrade them to RC later, but wpasupplicant seems to work OK.

Regards,
    Simon

[signature.asc (application/pgp-signature, inline)]

Message #27 received at 510652@bugs.debian.org (full text, mbox, reply):

From: Michael Biebl <biebl@debian.org>

To: Simon McVittie <smcv@debian.org>, Kel Modderman <kel@otaku42.de>, 510652@bugs.debian.org, pkg-wpa-devel@lists.alioth.debian.org

Subject: D-Bus policy file, NM 0.7

Date: Thu, 05 Feb 2009 07:40:32 +0100

[Message part 1 (text/plain, inline)]

Hi,

I just wanted to add some remarks to this bug report:
NM 0.7 uses wpasupplicant's D-Bus interface extensively and it seems to work
fine so far. Nonetheless I always get this messages in auth.log

Feb  5 06:01:10 pluto dbus-daemon: Rejected send message, 17 matched rules;
type="method_return", sender=":1.9" (uid=0 pid=2608 comm="/sbin/wpa_supplicant
-u -f /var/log/wpa_supplicant") interface="(unset)" member="(unset)" error
name="(unset)" requested_reply=0 destination=":1.68" (uid=0 pid=3564
comm="/usr/sbin/NetworkManager --pid-file /var/run/Netwo"))
Feb  5 06:01:15 pluto dbus-daemon: Rejected send message, 18 matched rules;
type="error", sender=":1.518" (uid=0 pid=9360 comm="/sbin/wpa_supplicant -u -f
/var/log/wpa_supplicant") interface="(unset)" member="(unset)" error
name="fi.epitest.hostap.WPASupplicant.InvalidInterface" requested_reply=0
destination=":1.68" (uid=0 pid=3564 comm="/usr/sbin/NetworkManager --pid-file
/var/run/Netwo"))

This happens right after NM has started wpasupplicant (via dbus activation).
During "normal" operation, I don't get any denials.

This is definitely something, that needs further investigation.

Cheers,
Michael

PS: Please CC on replies
-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

[signature.asc (application/pgp-signature, attachment)]

Message #32 received at 510652@bugs.debian.org (full text, mbox, reply):

From: Kel Modderman <kel@otaku42.de>

To: Michael Biebl <biebl@debian.org>, 510652@bugs.debian.org

Cc: Simon McVittie <smcv@debian.org>, pkg-wpa-devel@lists.alioth.debian.org

Subject: Re: Bug#510652: D-Bus policy file, NM 0.7

Date: Thu, 19 Feb 2009 04:12:42 +1000

Hi Michael,

On Thursday 05 February 2009 16:40:32 Michael Biebl wrote:
> Hi,
> 
> I just wanted to add some remarks to this bug report:
> NM 0.7 uses wpasupplicant's D-Bus interface extensively and it seems to work
> fine so far. Nonetheless I always get this messages in auth.log
> 
> Feb  5 06:01:10 pluto dbus-daemon: Rejected send message, 17 matched rules;
> type="method_return", sender=":1.9" (uid=0 pid=2608 comm="/sbin/wpa_supplicant
> -u -f /var/log/wpa_supplicant") interface="(unset)" member="(unset)" error
> name="(unset)" requested_reply=0 destination=":1.68" (uid=0 pid=3564
> comm="/usr/sbin/NetworkManager --pid-file /var/run/Netwo"))
> Feb  5 06:01:15 pluto dbus-daemon: Rejected send message, 18 matched rules;
> type="error", sender=":1.518" (uid=0 pid=9360 comm="/sbin/wpa_supplicant -u -f
> /var/log/wpa_supplicant") interface="(unset)" member="(unset)" error
> name="fi.epitest.hostap.WPASupplicant.InvalidInterface" requested_reply=0
> destination=":1.68" (uid=0 pid=3564 comm="/usr/sbin/NetworkManager --pid-file
> /var/run/Netwo"))
> 
> This happens right after NM has started wpasupplicant (via dbus activation).
> During "normal" operation, I don't get any denials.
> 
> This is definitely something, that needs further investigation.
> 
> Cheers,
> Michael
> 
> PS: Please CC on replies

Can you please try to reproduce with wpa_supplicant 0.6.8, it contains a patch
[0] which may address this issue.

There is a package at [1].

Thanks, Kel.

[0] http://w1.fi/gitweb/gitweb.cgi?p=hostap-06.git;a=commitdiff;h=6f3288c6827b45eff20be7ae362608ae2a22d9c0
[1] http://sidux.net/kelmo/debian/pool/main/w/wpasupplicant/

Message #37 received at 510652@bugs.debian.org (full text, mbox, reply):

From: Michael Biebl <biebl@debian.org>

To: Kel Modderman <kel@otaku42.de>

Cc: 510652@bugs.debian.org, Simon McVittie <smcv@debian.org>, pkg-wpa-devel@lists.alioth.debian.org

Subject: Re: Bug#510652: D-Bus policy file, NM 0.7

Date: Sun, 22 Feb 2009 18:18:40 +0100

[Message part 1 (text/plain, inline)]

Kel Modderman wrote:

> 
> Can you please try to reproduce with wpa_supplicant 0.6.8, it contains a patch
> [0] which may address this issue.
> 

Hi Kel,

looks like the problem is fixed. I didn't have any more occurences of this
denial in auth.log since the upgrade.

Cheers,
Michael
-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

[signature.asc (application/pgp-signature, attachment)]

Message #42 received at 510652-done@bugs.debian.org (full text, mbox, reply):

From: Kel Modderman <kel@otaku42.de>

To: Michael Biebl <biebl@debian.org>

Cc: 510652-done@bugs.debian.org, Simon McVittie <smcv@debian.org>, pkg-wpa-devel@lists.alioth.debian.org

Subject: Re: Bug#510652: D-Bus policy file, NM 0.7

Date: Tue, 2 Mar 2010 08:36:47 +1000

On Monday 23 February 2009 03:18:40 Michael Biebl wrote:
> Kel Modderman wrote:
> 
> > 
> > Can you please try to reproduce with wpa_supplicant 0.6.8, it contains a patch
> > [0] which may address this issue.
> > 
> 
> Hi Kel,
> 
> looks like the problem is fixed. I didn't have any more occurences of this
> denial in auth.log since the upgrade.

Since no more action is happening here, and everyone seems happy for the last
year I am closing this bug report.

Thanks, Kel.

Send a report that this bug log contains spam.