Debian Bug report logs - #510709
smart-notifier: DBus configuration file doesn't allow introspection and will be broken by the fix to 503532


Package: smart-notifier; Maintainer for smart-notifier is Chow Loong Jin <hyperair@debian.org>; Source for smart-notifier is src:smart-notifier.

Reported by: Matthew Johnson <mjj29@debian.org>

Date: Sun, 4 Jan 2009 14:15:04 UTC

Severity: serious

Merged with 510789

Found in version smart-notifier/0.28-1

Fixed in version smart-notifier/0.28-1.1

Done: Simon McVittie <smcv@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Brian Sutherland <jinty@web.de>:
Bug#510709; Package smart-notifier. (Sun, 04 Jan 2009 14:15:06 GMT)

Acknowledgement sent to Matthew Johnson <mjj29@debian.org>:
New Bug report received and forwarded. Copy sent to Brian Sutherland <jinty@web.de>. (Sun, 04 Jan 2009 14:15:06 GMT)

Message #5 received at submit@bugs.debian.org:

From: Matthew Johnson <mjj29@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: smart-notifier: DBus configuration file doesn't allow introspection and will be broken by the fix to 503532
Date: Sun, 04 Jan 2009 14:13:03 +0000
Package: smart-notifier
Version: 0.28-1
Severity: serious
Justification: blocks fix for CVE-2008-4311

smart-notifier should explicitly allow introspection in its config
file. It's recommended to use send_destination= to allow all messages of
any type to your service. In addition you should not use send_interface
without send_destination. Having a single send_destination rule will
solve both these issues.

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.18-4-686 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
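The rule the report asks for, as an added example that is not part of the bug report or of smart-notifier: a small Python linter over a D-Bus busconfig policy that flags `send_interface` rules lacking `send_destination` and checks that the default context can still reach the service's `org.freedesktop.DBus.Introspectable` interface. The bus name `com.example.SmartNotifier` and both policy documents are constructed stand-ins, not the package's real policy file.

```python
import xml.etree.ElementTree as ET

INTROSPECTABLE = "org.freedesktop.DBus.Introspectable"

# Constructed sample: the default context opens a whole interface to any
# sender and never names a destination (the pattern the report warns about).
WEAK_POLICY = """<busconfig>
  <policy user="root"><allow own="com.example.SmartNotifier"/></policy>
  <policy context="default">
    <allow send_interface="com.example.SmartNotifier"/>
  </policy>
</busconfig>"""

# Constructed sample: one send_destination rule with no interface restriction,
# so every message type, Introspect included, may be sent to the service.
FIXED_POLICY = """<busconfig>
  <policy user="root"><allow own="com.example.SmartNotifier"/></policy>
  <policy context="default">
    <allow send_destination="com.example.SmartNotifier"/>
  </policy>
</busconfig>"""


def audit_policy(xml_text, service):
    """Return findings for the <policy context="default"> block.

    Simple linter only: it looks at <allow> rules and ignores <deny>
    ordering, which the real daemon evaluates last-match-wins."""
    root = ET.fromstring(xml_text)
    findings = []
    introspectable = False
    for policy in root.findall("policy"):
        if policy.get("context") != "default":
            continue
        for rule in policy.findall("allow"):
            iface = rule.get("send_interface")
            dest = rule.get("send_destination")
            if iface is not None and dest is None:
                # Matches messages to *any* bus name carrying this interface,
                # so it leaks permissions to unrelated services.
                findings.append(f"send_interface={iface!r} without send_destination")
            if dest == service and (iface is None or iface == INTROSPECTABLE):
                introspectable = True
    if not introspectable:
        findings.append(f"{service} does not allow Introspect from default context")
    return findings
```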




Blocking bugs of 503532 added: 510709 Request was from Matthew Johnson <mjj29@debian.org> to control@bugs.debian.org. (Sun, 04 Jan 2009 14:21:03 GMT)

Forcibly Merged 510709 510789. Request was from Simon McVittie <smcv@debian.org> to control@bugs.debian.org. (Mon, 05 Jan 2009 12:42:06 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Brian Sutherland <jinty@web.de>:
Bug#510709; Package smart-notifier. (Sun, 11 Jan 2009 17:00:07 GMT)

Acknowledgement sent to Simon McVittie <smcv@debian.org>:
Extra info received and forwarded to list. Copy sent to Brian Sutherland <jinty@web.de>. (Sun, 11 Jan 2009 17:00:07 GMT)

Message #14 received at 510709@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: 510709@bugs.debian.org
Subject: Bug #510709: smart-notifier: allows any local user to spoof a message from smartd
Date: Sun, 11 Jan 2009 16:54:02 +0000
On closer inspection, the part of smart-notifier running as root doesn't
need to be introspectable, because it only runs for a moment, and only
sends a signal. However, at the moment any local user can send that
signal, and the applet will happily display it, with no indication that
it did not, in fact, come from smartd (stealing focus in the process).

    Simon
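The fix described in the message above, as an added example that is not smart-notifier's own code: before showing a signal, the applet-side handler asks the bus daemon (the `org.freedesktop.DBus.GetConnectionUnixUser` method) which Unix user owns the sender's unique connection name and displays the message only when that user is root. The `FAKE_BUS` table stands in for the daemon so the example runs offline; the page does not say how 0.28-1.1 identifies the root-only part of smart-notifier, so the uid check is an assumption.

```python
ROOT_UID = 0


def should_display(sender, resolve_unix_user):
    """sender: the unique bus name (e.g. ':1.42') the daemon attached to the
    signal, which a client cannot forge. resolve_unix_user: callable mapping
    a bus name to the owning uid; it raises if the name is no longer owned."""
    try:
        uid = resolve_unix_user(sender)
    except Exception:
        return False  # cannot attribute the message: fail closed, drop it
    return uid == ROOT_UID


# Constructed stand-in for the daemon's GetConnectionUnixUser lookup:
# :1.7 is a root-owned connection, :1.42 belongs to an ordinary user.
FAKE_BUS = {":1.7": 0, ":1.42": 1000}


def fake_get_connection_unix_user(name):
    if name not in FAKE_BUS:
        raise KeyError(f"name {name} is not owned by any connection")
    return FAKE_BUS[name]


def handle_signal(message, sender, resolve_unix_user=fake_get_connection_unix_user):
    """Shape of a dbus-python signal handler registered with
    sender_keyword='sender'. Returns the text to show, or None when the
    signal came from a non-root connection and must be ignored."""
    if not should_display(sender, resolve_unix_user):
        return None
    return message


# With dbus-python (not imported here so the example runs offline) the
# resolver would be:
#   bus.get_object("org.freedesktop.DBus", "/org/freedesktop/DBus")
#      .GetConnectionUnixUser(name, dbus_interface="org.freedesktop.DBus")
# and the handler is registered with
#   bus.add_signal_receiver(handle_signal, sender_keyword="sender", ...)
```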

Reply sent to Simon McVittie <smcv@debian.org>:
You have taken responsibility. (Sun, 11 Jan 2009 18:09:10 GMT)

Notification sent to Matthew Johnson <mjj29@debian.org>:
Bug acknowledged by developer. (Sun, 11 Jan 2009 18:09:10 GMT)

Message #19 received at 510709-close@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: 510709-close@bugs.debian.org
Subject: Bug#510709: fixed in smart-notifier 0.28-1.1
Date: Sun, 11 Jan 2009 17:47:08 +0000
Source: smart-notifier
Source-Version: 0.28-1.1

We believe that the bug you reported is fixed in the latest version of
smart-notifier, which is due to be installed in the Debian FTP archive:

smart-notifier_0.28-1.1.diff.gz
  to pool/main/s/smart-notifier/smart-notifier_0.28-1.1.diff.gz
smart-notifier_0.28-1.1.dsc
  to pool/main/s/smart-notifier/smart-notifier_0.28-1.1.dsc
smart-notifier_0.28-1.1_all.deb
  to pool/main/s/smart-notifier/smart-notifier_0.28-1.1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 510709@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated smart-notifier package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sun, 11 Jan 2009 17:21:30 +0000
Source: smart-notifier
Binary: smart-notifier
Architecture: source all
Version: 0.28-1.1
Distribution: unstable
Urgency: medium
Maintainer: Brian Sutherland <jinty@web.de>
Changed-By: Simon McVittie <smcv@debian.org>
Description: 
 smart-notifier - graphical hard disk health status notifier
Closes: 507490 510709
Changes: 
 smart-notifier (0.28-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload while dealing with D-Bus' CVE-2008-4311.
   * Audit the D-Bus security policy file for compatibility with D-Bus versions
     where CVE-2008-4311 has been fixed, and remove rules that appear to have
     been cargo-culted from some other package and are likely to cause
     unintended consequences for other packages (see freedesktop.org #18961).
   * Only display the SMART message if it came from the part of smart_notifier
     that only root can run, rather than allowing arbitrary local users to
     spoof arbitrary messages from smartd. (Closes: #510709)
   * Use the default Python version, and install version-independent modules
     once, rather than once per supported Python version. Not RC, but I couldn't
     bring myself to upload it without fixing this. (Closes: #507490)

Reply sent to Simon McVittie <smcv@debian.org>:
You have taken responsibility. (Sun, 11 Jan 2009 18:09:11 GMT)

Notification sent to Simon McVittie <smcv@debian.org>:
Bug acknowledged by developer. (Sun, 11 Jan 2009 18:09:11 GMT)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 16 Mar 2009 07:46:21 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 16:37:45 2014; Machine Name: buxtehude.debian.org
