Public bug reported: A new security release of DBus is now available:
http://dbus.freedesktop.org/dbus/releases/dbus-1.2.6.tar.gz This release contains a (partial, see below) fix for: https://bugs.freedesktop.org/show_bug.cgi?id=18229 == Summary == Joachim Breitner discovered a mistake in the default configuration for the system bus (system.conf) which made the default policy for both sent and received messages effectively *allow*, and not deny as intended. This release fixes the send side permission, but does not change the receive. See below for more details. == Available workarounds == Add explicit <deny> rules to existing policy files which do not already have them. == Mitigating factors == There are three important mitigating factors. * First, in an examination of a Fedora 10 system, many services contained explicit <deny> rules under the "default" context. These deny rules did (and continue to) operate as expected. * Second, an increasing trend has been for core system services to use PolicyKit, or otherwise do security checks on the service side. Any system which relies on PolicyKit is unaffected by this flaw. * Third, the SELinux DBus support is not affected by this flaw. Now, as mentioned above this fix is partial. DBus has two kinds of policy permissions, send and receive. Generally speaking, the send side permission is much more important. However, DBus has supported receive side permissions for a few reasons, among those are: * Ensuring signals containing sensitive data aren't visible by unexpected processes. Suggested fix: Do not put sensitive data in DBus signals; use targeted method calls. * A way for processes to "second-pass" filter messages before they reach their C code. Suggested fix: Something like PolicyKit (or just manual service-side permission checks) remain a better way to do this. For compatibility reasons, this release only fixes the send-side permission check, and not receive. A greater number of services will need to be updated for a future tightening of the receive permission. We are as yet unsure when (and in fact, if) the receive permission will be tightened in the DBus 1.2 stable branch. We will gather information about any affected programs and make a final determination at in the near future. == Conclusion Summary == * Add explicit <deny> rules under the default policy if this is applicable to your service (i.e. not using PolicyKit or similar) * Do not put sensitive information in signals == Thanks == Thanks to Joachim Breitner for the initial report and proposed patch, Tomas Hoger for the current fix, and others for their assistance with this issue. _______________________________________________ dbus mailing list [EMAIL PROTECTED] http://lists.freedesktop.org/mailman/listinfo/dbus ** Affects: dbus Importance: Unknown Status: Unknown ** Affects: dbus (Ubuntu) Importance: Critical Status: In Progress ** Description changed: - Binary package hint: dbus - - From [EMAIL PROTECTED] Fri Dec 5 19:55:35 2008 - Return-path: <[EMAIL PROTECTED]> - Envelope-to: [EMAIL PROTECTED] - Delivery-date: Fri, 05 Dec 2008 19:55:35 +0000 - Received: from fiordland.canonical.com ([91.189.94.145]) by - zelda.netsplit.com with esmtp (Exim 4.69) (envelope-from - <[EMAIL PROTECTED]>) id 1L8glz-0008Lu-Jr for - [EMAIL PROTECTED]; Fri, 05 Dec 2008 19:55:35 +0000 - Received: from cluster-e.mailcontrol.com (cluster-e.mailcontrol.com - [85.115.58.190]) by fiordland.canonical.com (Postfix) with ESMTP id - A2228B68256; Fri, 5 Dec 2008 19:55:12 +0000 (GMT) - Received: from arctowski.canonical.com (arctowski.canonical.com - [91.189.94.158]) by rly14e.srv.mailcontrol.com (MailControl) with ESMTP id - mB5JtBXk031219; Fri, 5 Dec 2008 19:55:11 GMT - Received: from fiordland.canonical.com ([91.189.94.145]) by - arctowski.canonical.com with esmtp (Exim 4.60) (envelope-from - <[EMAIL PROTECTED]>) id 1L8glb-0005dd-Id; Fri, 05 Dec 2008 - 19:55:11 +0000 - Received: from gabe.freedesktop.org (gabe.freedesktop.org - [131.252.210.177]) by fiordland.canonical.com (Postfix) with ESMTP id - C49C8B68256; Fri, 5 Dec 2008 19:55:10 +0000 (GMT) - Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by - gabe.freedesktop.org (Postfix) with ESMTP id 7EA2C9E8BE; Fri, 5 Dec 2008 - 11:55:08 -0800 (PST) - X-Original-To: [EMAIL PROTECTED] - Delivered-To: [EMAIL PROTECTED] - Received: from an-out-0708.google.com (an-out-0708.google.com - [209.85.132.249]) by gabe.freedesktop.org (Postfix) with ESMTP id - D3FBB9E741 for <[EMAIL PROTECTED]>; Fri, 5 Dec 2008 11:55:05 - -0800 (PST) - Received: by an-out-0708.google.com with SMTP id d11so111353and.39 for - <[EMAIL PROTECTED]>; Fri, 05 Dec 2008 11:55:05 -0800 (PST) - Received: by 10.100.242.20 with SMTP id p20mr252471anh.75.1228506904963; - Fri, 05 Dec 2008 11:55:04 -0800 (PST) - Received: by 10.100.127.20 with HTTP; Fri, 5 Dec 2008 11:55:04 -0800 (PST) - Message-ID: <[EMAIL PROTECTED]> - Date: Fri, 5 Dec 2008 14:55:04 -0500 - From: "Colin Walters" <[EMAIL PROTECTED]> - To: dbus <[EMAIL PROTECTED]> - Subject: [CVE-2008-4311] DBus 1.2.6 - MIME-Version: 1.0 - Content-Disposition: inline - X-Google-Sender-Auth: 916061a5b371d5d2 - X-BeenThere: [EMAIL PROTECTED] - X-Mailman-Version: 2.1.9 - Precedence: list - List-Id: <dbus.lists.freedesktop.org> - List-Unsubscribe: <http://lists.freedesktop.org/mailman/listinfo/dbus>, - <mailto:[EMAIL PROTECTED]> - List-Archive: <http://lists.freedesktop.org/archives/dbus> - List-Post: <mailto:[EMAIL PROTECTED]> - List-Help: <mailto:[EMAIL PROTECTED]> - List-Subscribe: <http://lists.freedesktop.org/mailman/listinfo/dbus>, - <mailto:[EMAIL PROTECTED]> - Content-Type: text/plain; charset="us-ascii" - Content-Transfer-Encoding: 7bit - Sender: [EMAIL PROTECTED] - Errors-To: [EMAIL PROTECTED] - X-Mailcontrol-Inbound: - uq3drnD2P+ps5SfEb0fvr78+NoP1DHBZwGqKpaXB2eTgNv8D6KLIxb8+NoP1DHBZ8VSaBg0k0xw= - X-Spam-Score: -3.5 - X-Scanned-By: MailControl A_08_51_00 (www.mailcontrol.com) on 10.69.0.124 - X-Evolution-Source: imap://[EMAIL PROTECTED]/ - A new security release of DBus is now available: http://dbus.freedesktop.org/dbus/releases/dbus-1.2.6.tar.gz This release contains a (partial, see below) fix for: https://bugs.freedesktop.org/show_bug.cgi?id=18229 == Summary == Joachim Breitner discovered a mistake in the default configuration for the system bus (system.conf) which made the default policy for both sent and received messages effectively *allow*, and not deny as intended. This release fixes the send side permission, but does not change the receive. See below for more details. == Available workarounds == Add explicit <deny> rules to existing policy files which do not already have them. == Mitigating factors == There are three important mitigating factors. * First, in an examination of a Fedora 10 system, many services contained explicit <deny> rules under the "default" context. These deny rules did (and continue to) operate as expected. * Second, an increasing trend has been for core system services to use PolicyKit, or otherwise do security checks on the service side. Any system which relies on PolicyKit is unaffected by this flaw. * Third, the SELinux DBus support is not affected by this flaw. Now, as mentioned above this fix is partial. DBus has two kinds of policy permissions, send and receive. Generally speaking, the send side permission is much more important. However, DBus has supported receive side permissions for a few reasons, among those are: * Ensuring signals containing sensitive data aren't visible by unexpected processes. Suggested fix: Do not put sensitive data in DBus signals; use targeted method calls. * A way for processes to "second-pass" filter messages before they reach their C code. Suggested fix: Something like PolicyKit (or just manual service-side permission checks) remain a better way to do this. For compatibility reasons, this release only fixes the send-side permission check, and not receive. A greater number of services will need to be updated for a future tightening of the receive permission. We are as yet unsure when (and in fact, if) the receive permission will be tightened in the DBus 1.2 stable branch. We will gather information about any affected programs and make a final determination at in the near future. == Conclusion Summary == * Add explicit <deny> rules under the default policy if this is applicable to your service (i.e. not using PolicyKit or similar) * Do not put sensitive information in signals == Thanks == Thanks to Joachim Breitner for the initial report and proposed patch, Tomas Hoger for the current fix, and others for their assistance with this issue. _______________________________________________ dbus mailing list [EMAIL PROTECTED] http://lists.freedesktop.org/mailman/listinfo/dbus ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2008-4311 ** Changed in: dbus (Ubuntu) Importance: Undecided => Critical Status: New => In Progress ** Bug watch added: freedesktop.org Bugzilla #18229 https://bugs.freedesktop.org/show_bug.cgi?id=18229 ** Also affects: dbus via https://bugs.freedesktop.org/show_bug.cgi?id=18229 Importance: Unknown Status: Unknown -- Default D-Bus system bus policy is allow https://bugs.launchpad.net/bugs/306362 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
