Package: system-tools-backends
Version: 2.6.0-2
Severity: normal
User: [email protected]
Usertags: fdo-18961 CVE-2008-4311

system-tools-backends's D-Bus system.d config doesn't seem to allow introspection of the configuration modules. This used to be allowed by a dbus-daemon bug that caused the default to be allow; we're now trying to fix this.

However, the configuration modules don't actually seem to be intended to be accessed except via the dispatcher, so this might be acceptable (since the dispatcher doesn't call Introspect). As a result, I've only filed this bug as normal, although I'll escalate it to serious if testing with the default-deny version of D-Bus fails.

https://bugs.freedesktop.org/show_bug.cgi?id=18980 is an upstream tracking bug for services with this problem.

As a related 'normal' bug which should be fixed at the same time, the config file should also be updated to fix non-deterministic allow/deny for messages with no interface; the D-Bus upstream recommendation seems to be that every allow or deny rule with send_interface="..." should have a suitable send_destination attribute too. It's unclear to me whether the FooConfig modules are separate processes, or in-process with the main daemon; if they're separate processes they'll each need a send_destination rule.

http://bugs.freedesktop.org/show_bug.cgi?id=18961 is the D-Bus bug tracking the send_interface issue, and there have also been discussions on the D-Bus mailing list.

Regards from the Cambridge BSP,
Simon
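A check for the two policy issues raised in the report above, added here as an example and not part of the original report or of the package: it lists allow/deny rules that match on send_interface without a send_destination, and the destinations for which Introspect calls are explicitly allowed. The sample policy and the org.example.Backends names are constructed placeholders.

```python
import xml.etree.ElementTree as ET

INTROSPECTABLE = "org.freedesktop.DBus.Introspectable"

# Constructed sample policy; org.example.Backends is a placeholder name,
# not the real system-tools-backends configuration.
SAMPLE_POLICY = """<!DOCTYPE busconfig PUBLIC
 "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <policy user="root">
    <allow own="org.example.Backends"/>
  </policy>
  <policy context="default">
    <allow send_interface="org.example.Backends.Platform"/>
    <deny send_interface="org.example.Backends.Secret"/>
    <allow send_destination="org.example.Backends"
           send_interface="org.example.Backends.Platform"/>
    <allow send_destination="org.example.Backends"
           send_interface="org.freedesktop.DBus.Introspectable"/>
  </policy>
</busconfig>"""


def _rules(policy_xml):
    """Yield (policy selector, rule element) for every allow/deny rule."""
    for policy in ET.fromstring(policy_xml).iter("policy"):
        selector = ",".join(f"{k}={v}" for k, v in sorted(policy.attrib.items()))
        for rule in policy:
            if rule.tag in ("allow", "deny"):
                yield selector, rule


def unscoped_interface_rules(policy_xml):
    """Rules matching on send_interface with no send_destination."""
    return [(sel, r.tag, r.get("send_interface"))
            for sel, r in _rules(policy_xml)
            if r.get("send_interface") and not r.get("send_destination")]


def introspectable_destinations(policy_xml):
    """Destinations with an explicit allow rule for the Introspectable interface."""
    return sorted({r.get("send_destination") for _, r in _rules(policy_xml)
                   if r.tag == "allow" and r.get("send_destination")
                   and r.get("send_interface") == INTROSPECTABLE})


if __name__ == "__main__":
    for sel, action, iface in unscoped_interface_rules(SAMPLE_POLICY):
        print(f"[{sel}] <{action} send_interface={iface!r}> has no send_destination")
    print("Introspect allowed for:", introspectable_destinations(SAMPLE_POLICY))
```

To audit an installed policy, pass the contents of the service's file under the D-Bus system.d directory to the same two functions.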

