Joachim Breitner
2008-Oct-26 15:32 UTC
[Secure-testing-team] Bug#503532: send_requested_reply="true" allows all non-reply messages
Package: dbus
Version: 1.2.1-3
Severity: normal
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I found the following dbus bug. I think it has security implications, but I can't judge its impact, therefore I did not set the Severity. Security team is CC'ed.

Upstream bug here https://bugs.freedesktop.org/show_bug.cgi?id=18229
copied text is:

If I understand everything correctly, there is a bad security bug in dbus: The default configuration contains the lines

<allow send_requested_reply="true"/>
<allow receive_requested_reply="true"/>

with the valid intention to allow all replies to be sent without explicit permission. Otherwise, dbus claims to have a default-no policy.

But what happens instead is: When a message is considered for sending, it enters bus_client_policy_check_can_send in policy.c[1]. There, all rules are looked at, but only SEND rules are considered (line 893); the first of the above rules is such a rule. Now we check for various conditions that might occur in such a rule (e.g. destination and the like), but none of these exist besides send_requested_reply. But in line 909 this is only done for messages which are replies. This means that for normal messages, we continue with the code and end up in line 1028, where we set the allowed flag! If no other rule kicks in, this stays allowed until the end.

A proper fix would be to add an else statement to the if in line 909, which calls continue, I think.
Thanks,
Joachim

- -- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.25-2-486
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages dbus depends on:
ii  adduser      3.110    add and remove users and groups
ii  debianutils  2.30     Miscellaneous utilities specific t
ii  libc6        2.7-15   GNU C Library: Shared libraries
ii  libdbus-1-3  1.2.1-3  simple interprocess messaging syst
ii  libexpat1    2.0.1-4  XML parsing C library - runtime li
ii  libselinux1  2.0.65-5 SELinux shared libraries
ii  lsb-base     3.2-20   Linux Standard Base 3.2 init scrip

Versions of packages dbus recommends:
ii  dbus-x11     1.2.1-3  simple interprocess messaging syst

dbus suggests no packages.

- -- no debconf information

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkkEjZYACgkQ9ijrk0dDIGx7nQCdGHBqviTS6SS23c5JoIJYVDeR
HTwAn3oQZFtVm3xI1MwjqoS37cBPauGe
=AvGx
-----END PGP SIGNATURE-----
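The rule-evaluation order the report describes, as an added Python model (this is not dbus's policy.c and not code from the reporter or the dbus project; the Rule/Message types, the check_can_send function and the org.example bus names are invented for illustration). It keeps the shape the report walks through: iterate all rules, skip non-SEND rules, skip a rule whose explicit conditions do not match, otherwise let the rule set the allowed flag so that the last matching rule wins and the default stays deny. With fixed=False a rule that carries only send_requested_reply="true" matches every non-reply message, which is the fall-through described above; with fixed=True the proposed "else: continue" makes such a rule say nothing about non-replies.

```python
"""Simplified model of a dbus-style send-policy check (illustrative, not policy.c)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    """One <allow>/<deny> element, reduced to the attributes the report discusses."""
    allow: bool
    send: bool = True                          # False models a receive_* rule
    send_destination: Optional[str] = None     # e.g. send_destination="org.example.Service"
    send_requested_reply: Optional[bool] = None


@dataclass
class Message:
    destination: str
    is_reply: bool
    reply_was_requested: bool = False          # the bus knows whether a matching call is pending


# The default rule quoted in the report: <allow send_requested_reply="true"/>
DEFAULT_RULES: List[Rule] = [Rule(allow=True, send_requested_reply=True)]


def check_can_send(rules: List[Rule], msg: Message, fixed: bool) -> bool:
    """Return whether msg may be sent under rules. Last matching rule wins; default deny.

    fixed=False reproduces the fall-through: a rule whose only condition is
    send_requested_reply is never skipped for non-replies, so it allows them.
    fixed=True adds the 'else: continue' the report proposes.
    """
    allowed = False
    for rule in rules:
        if not rule.send:                      # only SEND rules are considered here
            continue
        if rule.send_destination is not None and rule.send_destination != msg.destination:
            continue                           # explicit condition did not match
        if rule.send_requested_reply is not None:
            if msg.is_reply:
                if rule.send_requested_reply != msg.reply_was_requested:
                    continue                   # reply that nobody asked for
            elif fixed:
                continue                       # a requested_reply rule says nothing about non-replies
        allowed = rule.allow                   # rule matched: it decides (until a later rule matches)
    return allowed


if __name__ == "__main__":
    # Constructed sample traffic, not captured from a real bus.
    call = Message("org.example.Service", is_reply=False)
    reply_ok = Message("org.example.Client", is_reply=True, reply_was_requested=True)
    reply_unsolicited = Message("org.example.Client", is_reply=True, reply_was_requested=False)
    for fixed in (False, True):
        print(f"fixed={fixed}: method call -> {check_can_send(DEFAULT_RULES, call, fixed)}, "
              f"requested reply -> {check_can_send(DEFAULT_RULES, reply_ok, fixed)}, "
              f"unsolicited reply -> {check_can_send(DEFAULT_RULES, reply_unsolicited, fixed)}")
```

The interesting line is the method call: the unfixed evaluation lets it through on the strength of a rule that was only meant to cover replies, while requested and unsolicited replies are handled the same way before and after the fix. Appending an explicit `Rule(allow=True, send_destination=...)` shows how a non-reply is supposed to be allowed once the fall-through is closed.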