Bug 80601 - sys-apps/dbus: Allows Local Users to Connect to the Session Bus
Summary: sys-apps/dbus: Allows Local Users to Connect to the Session Bus
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High minor
Assignee: Gentoo Security
URL: http://securitytracker.com/alerts/200...
Whiteboard: B4 [noglsa]
Duplicates: 95671
Reported: 2005-02-03 09:34 UTC by Jean-François Brunette (RETIRED)
Modified: 2006-03-23 19:34 UTC (History)
Description Jean-François Brunette (RETIRED) gentoo-dev 2005-02-03 09:34:54 UTC
Description:  A vulnerability was reported in D-BUS. A local user can send D-BUS messages to other users.

Daniel Reed reported that the session bus does not restrict connections based on the user's uid. A local user can invoke dbus-send to connect to another user's session bus.

The flaw resides in 'bus/policy.c'.
Impact:  A local user can send D-BUS messages to other users.
Comment 1 Jean-François Brunette (RETIRED) gentoo-dev 2005-02-03 09:35:36 UTC
A patch is available here: https://bugs.freedesktop.org/show_bug.cgi?id=2436
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-02-03 13:43:19 UTC
CAN-2005-0201
Impact is unclear, I fear information leak may not be the worst we can expect...

foser/base-system, please evaluate FreeDesktop bug and patch accordingly.
Comment 3 foser (RETIRED) gentoo-dev 2005-02-09 14:55:28 UTC
added the suggested patch to 0.23-r3 and marked x86

impact is minor imo as discussed on irc
Comment 4 Markus Rothe (RETIRED) gentoo-dev 2005-02-10 09:20:24 UTC
stable on ppc64
Comment 5 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-02-10 12:41:09 UTC
Stable on ppc.
Comment 6 Jan Brinkmann (RETIRED) gentoo-dev 2005-02-11 06:18:03 UTC
stable on amd64
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2005-02-11 07:26:58 UTC
GLSA vote, I vote NO.
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-11 11:41:28 UTC
I vote NO -> closing.
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-11 11:49:25 UTC
Tada, now actually closing, sorry for the spam:-)
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2005-06-10 04:53:57 UTC
*** Bug 95671 has been marked as a duplicate of this bug. ***