[pkg-fso-commits] [fso-frameworkd] 01/20: fix DBus permissions

Sebastian Reichel sre at moszumanska.debian.org
Sun Nov 8 13:23:09 UTC 2015 

This is an automated email from the git hooks/post-receive script.

sre pushed a commit to branch debian
in repository fso-frameworkd.

commit 3cf0b41993297ba08f98d004fc35cc596f560566
Author: Sebastian Reichel <sre at ring0.de>
Date:   Tue Jan 20 14:58:42 2015 +0100

    fix DBus permissions
---
 debian/changelog                          |  6 ++
 debian/patches/fix-dbus-permissions.patch | 96 +++++++++++++++++++++++++++++++
 debian/patches/series                     |  1 +
 3 files changed, 103 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 20294eb..47aba43 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+fso-frameworkd (0.9.5.9+git20110512-5) unstable; urgency=high
+
+  * Fix DBus permissions (Closes: CVE-2014-8156)
+
+ -- Sebastian Reichel <sre at debian.org>  Tue, 20 Jan 2015 14:58:02 +0100
+
 fso-frameworkd (0.9.5.9+git20110512-4) unstable; urgency=low
 
   * make fso-frameworkd-gta01 and fso-frameworkd-gta02 armel only,
diff --git a/debian/patches/fix-dbus-permissions.patch b/debian/patches/fix-dbus-permissions.patch
new file mode 100644
index 0000000..7b5d017
--- /dev/null
+++ b/debian/patches/fix-dbus-permissions.patch
@@ -0,0 +1,96 @@
+From: Sebastian Reichel <sre at debian.org>
+Reported-By: Simon McVittie <simon.mcvittie at collabora.co.uk>
+Last-Update: 2015-01-20
+Description: Fix Security Problem in DBus Configuration
+ Old configuration allows every local user to send arbitrary D-Bus
+ messages to the path /org/freesmartphone/Framework on *any* D-Bus
+ system service (rough HTTP analogy: send a POST to
+ http://server/org/freesmartphone/Framework on any server).
+Bug-CVE: https://security-tracker.debian.org/tracker/CVE-2014-8156
+
+Index: fso-frameworkd/etc/dbus-1/system.d/frameworkd.conf
+===================================================================
+--- fso-frameworkd.orig/etc/dbus-1/system.d/frameworkd.conf
++++ fso-frameworkd/etc/dbus-1/system.d/frameworkd.conf
+@@ -3,70 +3,57 @@
+ <busconfig>
+     <policy context="default">
+         <allow own="org.freesmartphone.testing"/>
+-        <allow send_path="/org/freesmartphone/testing"/>
+-        <allow send_destination="org.freesmartphone.testing"/>
++        <allow send_destination="org.freesmartphone.testing" send_path="/org/freesmartphone/testing"/>
+     </policy>
+     <policy context="default">
+         <allow own="org.freesmartphone.onetworkd"/>
+-        <allow send_path="/org/freesmartphone.onetworkd"/>
+-        <allow send_destination="org.freesmartphone.onetwork"/>
++        <allow send_destination="org.freesmartphone.onetwork" send_path="/org/freesmartphone.onetworkd"/>
+     </policy>
+     <policy context="default">
+         <allow own="org.freesmartphone.frameworkd"/>
+-        <allow send_path="/org/freesmartphone/Framework"/>
+-        <allow send_destination="org.freesmartphone.frameworkd"/>
++        <allow send_destination="org.freesmartphone.frameworkd" send_path="/org/freesmartphone/Framework"/>
+     </policy>
+     <policy context="default">
+         <allow own="org.freesmartphone.odeviced"/>
+-        <allow send_path="/"/>
+         <allow send_destination="org.freesmartphone.odeviced"/>
+     </policy>
+     <policy context="default">
+         <allow own="org.freesmartphone.oeventsd"/>
+-        <allow send_path="/org/freesmartphone/Events"/>
+-        <allow send_destination="org.freesmartphone.oeventsd"/>
++        <allow send_destination="org.freesmartphone.oeventsd" send_path="/org/freesmartphone/Events"/>
+     </policy>
+     <policy context="default">
+         <allow own="org.freesmartphone.ousaged"/>
+-        <allow send_path="/org/freesmartphone/Usage"/>
+-        <allow send_destination="org.freesmartphone.ousaged"/>
++        <allow send_destination="org.freesmartphone.ousaged" send_path="/org/freesmartphone/Usage"/>
+     </policy>
+     <policy context="default">
+         <allow own="org.freesmartphone.ogsmd"/>
+-        <allow send_path="/org/freesmartphone/GSM"/>
+-        <allow send_destination="org.freesmartphone.ogsmd"/>
++        <allow send_destination="org.freesmartphone.ogsmd" send_path="/org/freesmartphone/GSM"/>
+     </policy>
+     <policy context="default">
+         <allow own="org.freesmartphone.ogpsd"/>
+         <allow own="org.freedesktop.Gypsy"/>
+-        <allow send_path="/org/freedesktop/Gypsy"/>
+         <allow send_destination="org.freesmartphone.ogpsd"/>
+         <allow send_destination="org.freedesktop.gypsy"/>
+     </policy>
+     <policy context="default">
+         <allow own="org.freesmartphone.opreferencesd"/>
+-        <allow send_path="/org/freesmartphone/Preferences"/>
+-        <allow send_destination="org.freesmartphone.opreferencesd"/>
++        <allow send_destination="org.freesmartphone.opreferencesd" send_path="/org/freesmartphone/Preferences"/>
+     </policy>
+     <policy context="default">
+         <allow own="org.freesmartphone.ophoned"/>
+-        <allow send_path="/org/freesmartphone/Phone"/>
+-        <allow send_destination="org.freesmartphone.ophoned"/>
++        <allow send_destination="org.freesmartphone.ophoned" send_path="/org/freesmartphone/Phone"/>
+     </policy>
+     <policy context="default">
+         <allow own="org.freesmartphone.opimd"/>
+-        <allow send_path="/org/freesmartphone/PIM"/>
+-        <allow send_destination="org.freesmartphone.opimd"/>
++        <allow send_destination="org.freesmartphone.opimd" send_path="/org/freesmartphone/PIM"/>
+     </policy>
+     <policy context="default">
+         <allow own="org.freesmartphone.otimed"/>
+-        <allow send_path="/org/freesmartphone/Time"/>
+-        <allow send_destination="org.freesmartphone.otimed"/>
++        <allow send_destination="org.freesmartphone.otimed" send_path="/org/freesmartphone/Time"/>
+     </policy>
+     <policy context="default">
+         <allow own="org.freesmartphone.omuxerd"/>
+-        <allow send_path="/org/freesmartphone/GSM/Muxer"/>
+-        <allow send_destination="org.freesmartphone.omuxerd"/>
++        <allow send_destination="org.freesmartphone.omuxerd" send_path="/org/freesmartphone/GSM/Muxer"/>
+         <allow send_interface="org.freesmartphone.GSM.MUX"/>
+     </policy>
+     <policy context="default">
diff --git a/debian/patches/series b/debian/patches/series
index a5a1f21..0682416 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 fix-setup.py
 fix-ogpsd.patch
 fix-message-notfication.patch
+fix-dbus-permissions.patch

-- 
Alioth's hooks/post-receive on /srv/git.debian.org/git/pkg-fso/fso-frameworkd.git

More information about the pkg-fso-commits mailing list