[Pkg-utopia-commits] r2541 - /packages/unstable/dbus/debian/patches/CVE-2008-4311.patch

sjoerd at users.alioth.debian.org sjoerd at users.alioth.debian.org
Sun Dec 7 12:33:00 UTC 2008


Author: sjoerd
Date: Sun Dec  7 12:33:00 2008
New Revision: 2541

URL: http://svn.debian.org/wsvn/pkg-utopia/?sc=1&rev=2541
Log:
Actually commit the patch itself

Added:
    packages/unstable/dbus/debian/patches/CVE-2008-4311.patch

Added: packages/unstable/dbus/debian/patches/CVE-2008-4311.patch
URL: http://svn.debian.org/wsvn/pkg-utopia/packages/unstable/dbus/debian/patches/CVE-2008-4311.patch?rev=2541&op=file
==============================================================================
--- packages/unstable/dbus/debian/patches/CVE-2008-4311.patch (added)
+++ packages/unstable/dbus/debian/patches/CVE-2008-4311.patch Sun Dec  7 12:33:00 2008
@@ -1,0 +1,41 @@
+commit 70a0ac620ab4be279ef8e0945307b541e10a1393
+Author: Tomas Hoger <thoger at redhat.com>
+Date:   Thu Dec 4 15:19:13 2008 -0500
+
+    Bug 18229 - Change system.conf to correctly deny non-reply sends by default
+    
+    The previous rule <allow send_requested_reply="true"/> was actually
+    applied to all messages, even if they weren't a reply.  This meant
+    that in fact the default DBus policy was effectively allow, rather
+    than deny as claimed.
+    
+    This fix ensures that the above rule only applies to actual reply
+    messages.
+    Signed-off-by: Colin Walters <walters at verbum.org>
+
+diff --git a/bus/system.conf.in b/bus/system.conf.in
+index 6a71926..ac2822f 100644
+--- a/bus/system.conf.in
++++ b/bus/system.conf.in
+@@ -50,9 +50,19 @@
+          even if they aren't in here -->
+     <allow send_destination="org.freedesktop.DBus"/>
+     <allow receive_sender="org.freedesktop.DBus"/>
+-    <!-- valid replies are always allowed -->
+-    <allow send_requested_reply="true"/>
++    <!-- allow sending valid replies -->
++    <allow send_requested_reply="true" send_type="method_return"/>
++    <allow send_requested_reply="true" send_type="error"/>
++    <!-- allow receiving valid replies -->
+     <allow receive_requested_reply="true"/>
++    <!-- Note: the rule above also allows receiving of all non-reply messages
++         that are not denied later.  See:
++         https://bugs.freedesktop.org/show_bug.cgi?id=18229
++         Potentially this will be replaced in the future by the
++         following two rules:
++    <allow receive_requested_reply="true" receive_type="method_return"/>
++    <allow receive_requested_reply="true" receive_type="error"/>
++    -->
+     <!-- disallow changing the activation environment of system services -->
+     <deny send_destination="org.freedesktop.DBus"
+           send_interface="org.freedesktop.DBus"
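Review bot: The receive side of the default policy is still allow-by-default after this change: `<allow receive_requested_reply="true"/>` is kept unqualified, and the longer comment added below it says it also admits every non-reply message that is not denied later, so the short comment `<!-- allow receiving valid replies -->` above it understates what the rule does. I would fold the caveat into that comment, for example `<!-- allow receiving valid replies; NOTE: currently also matches non-reply messages, see bug 18229 -->`, so that a reader skimming the policy does not assume receives are restricted the way sends now are. Because non-reply sends now fall through to the default deny, services whose own bus policy files relied on the old behaviour and carry no explicit `send_destination` allow rule will presumably have their method calls rejected, and the package changelog or NEWS entry should say so. The enclosing policy block and the final `<deny>` element start and end outside the hunk.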



