Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 211451 (CVE-2008-0595) - sys-apps/dbus < 1.1.20 Security policy flaw (CVE-2008-0595)
Summary: sys-apps/dbus < 1.1.20 Security policy flaw (CVE-2008-0595)
Alias: CVE-2008-0595
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
Whiteboard: A4 [noglsa]
Depends on:
Reported: 2008-02-25 21:11 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2020-04-06 21:01 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---

CVE-2008-0595.patch (CVE-2008-0595.patch,2.19 KB, patch)
2008-02-25 21:13 UTC, Sune Kloppenborg Jeppesen (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-02-25 21:11:00 UTC
Havoc Pennington discovered a flaw in the way the dbus-daemon applies its
security policy.

Ray Strode describes it as such:
    When evaluating whether or not to invoke a method call, the bus daemon
    will look at the security policy and try to determine whether or not
    the caller is allowed access to the method call.

    Many dbus services have lines in their security policy of the form:

    <allow send_interface="some.interface.WithMethods"/>

    to explicitly whitelist the methods of a particular interface for users
    of a specific policy context.

    Normally dbus method calls are invoked fully qualified. That is to say
    the interface the method belongs to is passed to the bus daemon along
    with the method name of the method call. The bus daemon does not
    require method calls to be fully qualified, however. If a caller passes
    just the method with a NULL interface, then the bus daemon will try to
    find the interface with the corresponding method and invoke the method
    call on that interface.

    In these cases, the send_interface attribute of the allow directive is

    <allow send_interface="some.interface.WithMethods"/>

    is interpreted as an implicit <allow/>. This means that if dbus policy
    file contains any <allow send_interface="..." /> directives for a
    particular context, then it implicitly allows that context to invoke
    non-qualified method calls defined for any interface.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-02-25 21:13:03 UTC
Created attachment 144644 [details, diff]

Proposed patch.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-02-26 09:33:30 UTC
Adding Doug and Steev as maintainers. Please prepare an updated ebuild and attach it to this bug. Do not commit anything to CVS yet, this bug is confidential until wednesday.
Comment 3 Steev Klimaszewski (RETIRED) gentoo-dev 2008-02-27 03:36:52 UTC
Adding compnerd since I have sporadic internet access and won't be online very often.
Comment 4 Steev Klimaszewski (RETIRED) gentoo-dev 2008-02-27 18:37:57 UTC
Upstream just released dbus 1.1.20 which includes this fix.  Also includes the fix for another dbus bug that is currently open.  Would like to commit dbus 1.1.20 and mark stable as soon as possible.  Would be removing both 1.0.2 and 1.1.4 since they are both vulnerable if possible.  Or would the security team prefer we simply patch 1.0.2 and 1.1.4 for now?
Comment 5 Doug Goldstein (RETIRED) gentoo-dev 2008-02-27 18:44:29 UTC
I'm on board with steev's plan. dbus 1.1.x series is a shipping version in several mainline distros now and we're hoping to see this as the main version in Gentoo as well.
Comment 6 Doug Goldstein (RETIRED) gentoo-dev 2008-02-27 18:45:47 UTC
Additionally D-Bus upstream calls 1.1.x their "Stable Release" and 1.0.x as Legacy.
Comment 7 Doug Goldstein (RETIRED) gentoo-dev 2008-02-27 19:04:44 UTC
By the way, this flaw is now public. It's been announced on the dbus ML.
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-02-27 20:10:08 UTC
@comment 04: We leave it up to the maintainer wether to patch or bump.

Please update URI with link to release announcement.

Next time just commit when the issue is public. No reason to wait for security.
Comment 9 Doug Goldstein (RETIRED) gentoo-dev 2008-02-27 20:46:30 UTC
(In reply to comment #8)
> @comment 04: We leave it up to the maintainer wether to patch or bump.
> Please update URI with link to release announcement.
> Next time just commit when the issue is public. No reason to wait for security.

It's already been committed. I've just been trying to test everything before announcing it.

If you want to proceed with making the GLSA. We'll be only supporting 1.1.20 from here out.
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-02-28 00:31:48 UTC
Thx Doug.

Arches please test and mark stable. Target keywords are:

dbus-1.1.20.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sh sparc ~sparc-fbsd x86 ~x86-fbsd"
Comment 11 Steve Dibb (RETIRED) gentoo-dev 2008-02-28 04:26:19 UTC
amd64 stable
Comment 12 Christian Faulhammer (RETIRED) gentoo-dev 2008-02-28 08:39:37 UTC
x86 stable
Comment 13 Raúl Porcel (RETIRED) gentoo-dev 2008-02-28 15:47:49 UTC
alpha/ia64/sparc stable
Comment 14 Brent Baude (RETIRED) gentoo-dev 2008-02-29 02:12:35 UTC
ppc64 done
Comment 15 Jeroen Roovers (RETIRED) gentoo-dev 2008-02-29 05:38:20 UTC
Stable for HPPA.
Comment 16 Ryan Hill (RETIRED) gentoo-dev 2008-03-02 21:41:12 UTC
no stable keywords for mips.
Comment 17 Tobias Scherbaum (RETIRED) gentoo-dev 2008-03-04 20:24:22 UTC
ppc stable
Comment 18 Peter Volkov (RETIRED) gentoo-dev 2008-03-05 06:40:14 UTC
Fixed in release snapshot.
Comment 19 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-03-12 22:11:35 UTC
time for vote. I tend to vote NO.
Comment 20 Christian Faulhammer (RETIRED) gentoo-dev 2008-03-16 08:54:47 UTC
arm/s390 and sh (not listed here) done by Mike
Comment 21 Robert Buchholz (RETIRED) gentoo-dev 2008-03-21 02:28:19 UTC
NO too, closing.