
Testing requested: D-Bus-related packages and CVE-2008-4311

In order to fix CVE-2008-4311 the default permissions on the system bus
have been tightened up. This has revealed bugs in the configurations
shipped with a number of services using the system bus which relied on
the broken behaviour and will now break. We've been using
<http://wiki.debian.org/DBusPermissions> to track the resulting mess.

i386 binaries and source for a version of dbus targeted at lenny are
available from <http://people.debian.org/~smcv/dbus-cve-2008-4311/>.
This has the correct deny-by-default policy, and logs to syslog (auth.log)
when messages are disallowed. Please test D-Bus-related packages with
this version, or with the new upstream version in experimental (which
has the same deny-by-default policy but a bit less logging).

However, there are known regressions in hal, ConsoleKit, PolicyKit,
system-tools-backends and bluez-utils with this version of dbus, so
don't install it until their RC bugs have been fixed if you rely heavily
on these packages.

(hal mostly works, but RF kill-switches and cpufreq manipulation are known to
be broken; the bug I filed has a patch which works for me, and might work for
you too. Similarly, system-tools-backends' bug has a patch that works
for me. I haven't tested the other RC-buggy packages myself.)

At the Cambridge BSP we've been through all the packages that install
system bus configuration checking for obvious problems in the
configuration, and tested some of the more popular ones. However, we
weren't able to test everything, so these packages (maintainers Cc'd)
particularly need testing:



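As an added illustration of the kind of review the mail describes (checking packages' system bus configuration for "obvious problems"), here is a small audit script. It is not part of the original mail, of the dbus package, or of anything used at the BSP; the two checks it performs are this example's own heuristics, built on my reading of the fix: once the system bus denies method calls by default, a service has to be opened up with `<allow send_destination="..."/>` rules, while the older habit of punching holes with `send_interface=` alone is both broader than intended (it applies to every destination) and no longer sufficient. The sample configuration files and the `org.example.Daemon` names are constructed for the example and are not any real package's files.

```python
"""Heuristic audit of D-Bus system-bus policy fragments (added example).

Not dbus's tooling: an illustration of scanning the <busconfig> XML that
packages install under /etc/dbus-1/system.d/.  Both checks are this
example's own heuristics, not rules from the page being edited:

  interface-only-allow    an <allow> opening a hole with send_interface=
                          but no send_destination= (too broad, and not the
                          form a deny-by-default policy needs)
  owned-name-unreachable  a name a policy lets a service own, with no
                          <allow send_destination=...> for it anywhere in
                          the file: clients will now be refused method calls
"""
import glob
import os
import sys
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    policy: str   # which <policy> the rule lives in, e.g. "context=default"
    kind: str     # "interface-only-allow" or "owned-name-unreachable"
    detail: str   # the interface or bus name concerned


def _policy_label(policy):
    """Describe a <policy> by its selector attribute."""
    for attr in ("context", "user", "group", "at_console"):
        if attr in policy.attrib:
            return f"{attr}={policy.attrib[attr]}"
    return "unspecified"


def audit_busconfig(xml_text):
    """Return the list of Findings for one busconfig document (as text)."""
    root = ET.fromstring(xml_text)
    if root.tag != "busconfig":
        raise ValueError(f"expected <busconfig>, got <{root.tag}>")

    findings = []
    owned = {}          # bus name -> label of the policy allowing ownership
    reachable = set()   # bus names covered by some <allow send_destination=...>

    for policy in root.iter("policy"):
        label = _policy_label(policy)
        for rule in policy:
            if rule.tag != "allow":
                continue   # <deny> rules only narrow access; not analysed here
            attrs = rule.attrib
            if "own" in attrs:
                owned.setdefault(attrs["own"], label)
            if "send_destination" in attrs:
                reachable.add(attrs["send_destination"])
            if "send_interface" in attrs and "send_destination" not in attrs:
                findings.append(Finding(label, "interface-only-allow",
                                        attrs["send_interface"]))

    for name, label in owned.items():
        if name not in reachable and "*" not in reachable:
            findings.append(Finding(label, "owned-name-unreachable", name))
    return findings


def audit_directory(directory):
    """Audit every *.conf in a directory; returns {path: [Finding, ...]}."""
    results = {}
    for path in sorted(glob.glob(os.path.join(directory, "*.conf"))):
        with open(path, encoding="utf-8") as fh:
            results[path] = audit_busconfig(fh.read())
    return results


# Constructed sample (hypothetical names, not a real package's file): a
# service configuration written against the old default policy.
WEAK_CONF = """<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <policy user="root">
    <allow own="org.example.Daemon"/>
  </policy>
  <policy context="default">
    <allow send_interface="org.example.Daemon.Device"/>
    <allow send_interface="org.freedesktop.DBus.Introspectable"/>
  </policy>
</busconfig>
"""

# Constructed sample: the same service with the hole punched per destination.
FIXED_CONF = """<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <policy user="root">
    <allow own="org.example.Daemon"/>
  </policy>
  <policy context="default">
    <allow send_destination="org.example.Daemon"/>
  </policy>
</busconfig>
"""

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/dbus-1/system.d"
    if os.path.isdir(target):
        for path, found in audit_directory(target).items():
            for f in found:
                print(f"{path}: [{f.policy}] {f.kind}: {f.detail}")
    else:   # no such directory: run over the embedded samples instead
        for name, text in (("WEAK_CONF", WEAK_CONF), ("FIXED_CONF", FIXED_CONF)):
            print(name, [(f.kind, f.detail) for f in audit_busconfig(text)])
```

Run without arguments on a Debian system it walks /etc/dbus-1/system.d; anywhere else it reports on the two embedded samples, where the weak file yields two interface-only allows and an unreachable owned name, and the fixed file yields nothing. It is deliberately a first pass: it ignores `<deny>` rules, and a clean report from it says nothing about whether the destination-based hole is itself too wide for the service's threat model.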