
Re: D-Bus security issue



Simon McVittie wrote:
> On Sat, 03 Jan 2009 at 17:58:47 +0000, Matthew Johnson wrote:
>> In order to fix CVE-2008-4311 the default permissions on the system bus
>> have been tightened up. This has revealed bugs in the configurations
>> shipped with a number of services using the system bus which relied on
>> the broken behaviour and will now break.
> 
> The package that we'd like to upload to sid and migrate to lenny adds the
> attached patches relative to what's in lenny and sid now. The only other
> changes are the changelog entry shown here, and renaming CVE-2008-3834.patch
> to 40-CVE-2008-3834.patch so that it gets applied in a predictable
> sequence relative to the other patches.
> 
> This shouldn't be uploaded until we've fixed the various packages that
> we're tracking on <http://wiki.debian.org/DBusPermissions>. We're filing
> RC bugs for packages that block the change, and normal bugs for packages
> that have issues related to <http://bugs.freedesktop.org/show_bug.cgi?id=18961>.
> 
> Patches 30 to 35 are probably larger than you'd like, but Matthew and I
> think they're good to have - they add a syslog message whenever
> permission is denied, which means that if we miss anything while fixing
> the D-Bus-dependent packages, we can at least debug the resulting failure.

Ok, please upload according to plan.

Cheers

Luk

