
Possible MBF due to DBus security issue



In order to fix CVE-2008-4311 the default permissions on the system bus
have been tightened up. This has revealed bugs in the configurations
shipped with a number of services using the system bus which relied on
the broken behaviour and will now break.

A fixed version of dbus has been uploaded to experimental. The release
team would like this version to go into lenny, but we need to fix any
bugs caused by that version. Upstream have already started collating
patches to upstreams[0] so many of the larger packages will already
have patches there.

Below is the list of all the packages which currently have configuration
for the system bus. I've not yet checked them to see whether or not they
have problems with their config files but will be doing so soon and
filing bugs. It would be great if all the maintainers could check their
packages with the dbus from experimental to ensure that they still
function properly. 

All that needs to be done to fix this is to edit the config file which
is dropped in /etc/dbus-1/system.d/ to allow all of the incoming method
calls and outgoing signals. Method replies/errors and introspection
already have exceptions. 

List of packages which may be affected:

Masayuki Hatta (mhatta) <mhatta@debian.org>
   cups (U)

Moray Allan <moray@debian.org>
   gpe-bluetooth (U)

Michael Biebl <biebl@debian.org>
   consolekit (U)
   dhcdbd (U)
   hal (U)
   knetworkmanager
   network-manager (U)
   network-manager-applet (U)
   policykit (U)
   powersave

Julien BLACHE <jblache@debian.org>
   pommed

Phil Blundell <pb@debian.org>
   gpe-bluetooth (U)

Debian Bluetooth Maintainers <pkg-bluetooth-maintainers@lists.alioth.debian.org>
   bluez-utils

Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>
   cups

Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
   system-config-printer (U)
   system-tools-backends (U)

Debian GPE team <pkg-gpe-maintainers@lists.alioth.debian.org>
   gpe-bluetooth (U)

Debian Maemo Maintainers <pkg-maemo-maintainers@lists.alioth.debian.org>
   libosso
   osso-gwconnect

Debian OLPC <debian-olpc-devel@lists.alioth.debian.org>
   sugar

Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
   mumble

Debian/Ubuntu wpasupplicant Maintainers <pkg-wpa-devel@lists.alioth.debian.org>
   wpasupplicant

Sebastian Dröge <slomo@debian.org>
   avahi (U)
   hal (U)

Edd Dumbill <ejad@debian.org>
   bluez-utils (U)

Filippo Giunchedi <filippo@debian.org>
   bluez-utils (U)

Soren Hansen <soren@ubuntu.com>
   network-manager-openvpn
   network-manager-vpnc

Mario Iseli <mario@debian.org>
   bluez-utils (U)

Matthew Johnson <mjj29@debian.org>
   bluemon

Simon Kelley <simon@thekelleys.org.uk>
   dnsmasq

Anand Kumria <wildfire@progsoc.org>
   yum

Jonny Lamb <jonnylamb@jonnylamb.com>
   libosso (U)
   odccm
   osso-gwconnect (U)

Roger Leigh <rleigh@debian.org>
   cups (U)

Jeff Licquia <licquia@debian.org>
   cups (U)

Patrick Matthäi <patrick.matthaei@web.de>
   mumble (U)

Kyle McMartin <kyle@debian.org>
   wpasupplicant (U)

Loic Minier <lool@dooz.org>
   avahi (U)
   libosso (U)
   osso-gwconnect (U)
   system-tools-backends (U)

Kel Modderman <kel@otaku42.de>
   wpasupplicant (U)

Josselin Mouette <joss@debian.org>
   system-config-printer (U)
   system-tools-backends (U)

Kenshi Muto <kmuto@debian.org>
   cups (U)

Thorvald Natvig <slicer@users.sourceforge.net>
   mumble (U)

Patrick Patterson <ppatters@debian.org>
   pathfinder

Martin Pitt <mpitt@debian.org>
   cups (U)

Martin-Éric Racine <q-funk@iki.fi>
   cups (U)

Andres Salomon <dilinger@debian.org>
   yum (U)

Otavio Salvador <otavio@debian.org>
   system-config-printer
   system-tools-backends (U)

Niv Sardi <xaiki@debian.org>
   system-tools-backends (U)

Riccardo Setti <giskard@debian.org>
   galago-daemon
   network-manager (U)

Riccardo Setti <giskard@autistici.org>
   dhcdbd (U)

Sjoerd Simons <sjoerd@debian.org>
   avahi (U)
   dhcdbd (U)
   hal (U)

Jonas Smedegaard <dr@jones.dk>
   sugar (U)

Jose Carlos Garcia Sogo <jsogo@debian.org>
   system-tools-backends

Brian Sutherland <jinty@web.de>
   smart-notifier

Philippe De Swert <philippedeswert@scarlet.be>
   gpe-bluetooth (U)

Reinhard Tartler <siretart@tauware.de>
   wpasupplicant (U)

Enrico Tassi <gareuselesinge@debian.org>
   network-manager-pptp

Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
   avahi
   consolekit
   dhcdbd
   hal
   network-manager
   network-manager-applet
   policykit

Riku Voipio <riku.voipio@iki.fi>
   libosso (U)
   osso-gwconnect (U)

Matthew Wilcox <willy@debian.org>
   kerneloops

Neil Williams <codehelp@debian.org>
   gpe-bluetooth



0. https://bugs.freedesktop.org/show_bug.cgi?id=18980

-- 
Matthew Johnson
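
A static first pass over the files in /etc/dbus-1/system.d/ mentioned above, as an added example that is not part of the original message or of dbus itself: it lists each bus name a config claims with `own` and the policies that explicitly allow sending to it. The sample configs and the name org.example.Daemon are constructed; treating a name with no `send_destination` allow rule as a likely breakage is an assumption of this sketch, and deny rules and signal rules are not evaluated.

```python
import glob
import xml.etree.ElementTree as ET

# Constructed sample: the service claims a name but nothing allows calls to it,
# so it only worked while the bus default was permissive.
RELIED_ON_DEFAULT = """<!DOCTYPE busconfig PUBLIC
 "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <policy user="root">
    <allow own="org.example.Daemon"/>
  </policy>
</busconfig>"""

# Constructed sample: same service, incoming method calls allowed explicitly.
EXPLICIT = """<busconfig>
  <policy user="root">
    <allow own="org.example.Daemon"/>
  </policy>
  <policy context="default">
    <allow send_destination="org.example.Daemon"/>
  </policy>
</busconfig>"""


def audit_policy(xml_text):
    """Map each owned bus name to the policies that allow sending to it."""
    root = ET.fromstring(xml_text)
    callers, sends = {}, []
    for policy in root.iter("policy"):
        # Selector of the enclosing policy, e.g. 'context=default' or 'user=root'.
        selector = ", ".join(f"{k}={v}" for k, v in sorted(policy.attrib.items()))
        for rule in policy.findall("allow"):
            if "own" in rule.attrib:
                callers.setdefault(rule.attrib["own"], [])
            if "send_destination" in rule.attrib:
                sends.append((rule.attrib["send_destination"], selector))
    for dest, selector in sends:
        if dest in callers:
            callers[dest].append(selector)
    return callers


if __name__ == "__main__":
    for path in sorted(glob.glob("/etc/dbus-1/system.d/*.conf")):
        with open(path, "rb") as fh:
            for name, allowed in audit_policy(fh.read()).items():
                status = "; ".join(allowed) or "NO explicit allow, check against new dbus"
                print(f"{path}: {name}: {status}")
```

A name reported with `context=default` is callable by every user on the system bus, so the output also shows where an allow rule is broader than the service needs.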
