** Bug watch added: Debian Bug tracker #853951
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=853951

** Also affects: iio-sensor-proxy (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=853951
   Importance: Unknown
       Status: Unknown

** Bug watch added: github.com/hadess/iio-sensor-proxy/issues #41
   https://github.com/hadess/iio-sensor-proxy/issues/41

** Also affects: iio-sensor-proxy via
   https://github.com/hadess/iio-sensor-proxy/issues/41
   Importance: Unknown
       Status: Unknown

** Description changed:

  The dbus configuration for iio-sensor-proxy allowed any process on the
  system bus to send an org.freedesktop.DBus.Properties.Set() call to any
  other process on the system bus, even if the destination process
  expected to be only accessible by root.
  
  https://github.com/hadess/iio-sensor-proxy/commit/e2d81f2
  
  This was fixed in the upstream version 2.1
  and in Debian's 2.0-4 (which was autosynced to zesty).
  
  I'll prepare debdiffs containing the Debian fix for xenial and yakkety.
  
  Test Case
  =========
  dbus-send --system --dest=org.freedesktop.nm_dispatcher --type=method_call \
      --print-reply / org.freedesktop.DBus.Properties.Set string:Foo variant:string:bar
  
  Bad response:
  Error org.freedesktop.DBus.Error.UnknownMethod: No such interface
   'org.freedesktop.DBus.Properties' on object at path /
  
  Good response:
  
  Error org.freedesktop.DBus.Error.AccessDenied: Rejected send message, 2 matched rules; type="method_call", sender=":1.5523" (uid=1000 pid=13527
   comm="dbus-send --system --dest=org.freedesktop.nm_dispa")
   interface="org.freedesktop.DBus.Properties" member="Set" error
   name="(unset)" requested_reply="0"
   destination="org.freedesktop.nm_dispatcher" (uid=0 pid=13528
   comm="/usr/lib/NetworkManager/nm-dispatcher ")
+ 
+ Testing Done So Far
+ ==================
+ None

** Patch added: "iio-sensor-proxy-lp1666358-xenial.debdiff"
   https://bugs.launchpad.net/iio-sensor-proxy/+bug/1666358/+attachment/4823031/+files/iio-sensor-proxy-lp1666358-xenial.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1666358

Title:
  iio-sensor-proxy: Insecure configuration of dbus service
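
One way to audit installed D-Bus policy files for the kind of rule described above, as an added example that is not code from the bug report or from iio-sensor-proxy. It flags <allow> rules that select sent messages by interface, member, path or type without a send_destination, which dbus-daemon applies to messages for every destination on the bus. The bus name com.example.Sensor and both sample policies are constructed.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample policy (not the project's file). The first default rule
# has no send_destination, so it matches Properties calls to every bus name.
SAMPLE_WEAK = """<busconfig>
  <policy user="root">
    <allow own="com.example.Sensor"/>
  </policy>
  <policy context="default">
    <allow send_interface="org.freedesktop.DBus.Properties"/>
    <allow send_destination="com.example.Sensor"
           send_interface="com.example.Sensor"/>
  </policy>
</busconfig>"""

# The same policy with the rule scoped to the service's own bus name.
SAMPLE_FIXED = SAMPLE_WEAK.replace(
    '<allow send_interface="org.freedesktop.DBus.Properties"/>',
    '<allow send_destination="com.example.Sensor"\n'
    '           send_interface="org.freedesktop.DBus.Properties"/>')

# Attributes that select sent messages without saying who receives them.
SEND_MATCHES = ("send_interface", "send_member", "send_path", "send_type")


def unscoped_allow_rules(policy_xml):
    """Return (policy scope, rule attributes) for every <allow> rule that
    matches sent messages but names no send_destination[_prefix]."""
    findings = []
    for policy in ET.fromstring(policy_xml).iter("policy"):
        scope = ", ".join(f"{k}={v}" for k, v in sorted(policy.attrib.items()))
        for rule in policy.findall("allow"):
            attrs = dict(rule.attrib)
            scoped = any(a.startswith("send_destination") for a in attrs)
            if not scoped and any(a in attrs for a in SEND_MATCHES):
                findings.append((scope, attrs))
    return findings


if __name__ == "__main__":
    # No arguments: audit the constructed sample. Otherwise audit the given
    # policy files, e.g. those under /etc/dbus-1/system.d/.
    docs = [open(p, "rb").read() for p in sys.argv[1:]] or [SAMPLE_WEAK]
    for doc in docs:
        for scope, attrs in unscoped_allow_rules(doc):
            print(f"policy[{scope}]: allow {attrs} lacks send_destination")
```

A rule flagged here is worth confirming with the dbus-send test case from the description: an AccessDenied reply means the bus policy blocked the call.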
