[Pkg-utopia-commits] r2541 - /packages/unstable/dbus/debian/patches/CVE-2008-4311.patch
sjoerd at users.alioth.debian.org
Sun Dec 7 12:33:00 UTC 2008
Author: sjoerd
Date: Sun Dec 7 12:33:00 2008
New Revision: 2541
URL: http://svn.debian.org/wsvn/pkg-utopia/?sc=1&rev=2541
Log:
Actually commit the patch itself
Added:
packages/unstable/dbus/debian/patches/CVE-2008-4311.patch
Added: packages/unstable/dbus/debian/patches/CVE-2008-4311.patch
URL: http://svn.debian.org/wsvn/pkg-utopia/packages/unstable/dbus/debian/patches/CVE-2008-4311.patch?rev=2541&op=file
==============================================================================
--- packages/unstable/dbus/debian/patches/CVE-2008-4311.patch (added)
+++ packages/unstable/dbus/debian/patches/CVE-2008-4311.patch Sun Dec 7 12:33:00 2008
@@ -1,0 +1,41 @@
+commit 70a0ac620ab4be279ef8e0945307b541e10a1393
+Author: Tomas Hoger <thoger at redhat.com>
+Date: Thu Dec 4 15:19:13 2008 -0500
+
+ Bug 18229 - Change system.conf to correctly deny non-reply sends by default
+
+ The previous rule <allow send_requested_reply="true"/> was actually
+ applied to all messages, even if they weren't a reply. This meant
+ that in fact the default DBus policy was effectively allow, rather
+ than deny as claimed.
+
+ This fix ensures that the above rule only applies to actual reply
+ messages.
+ Signed-off-by: Colin Walters <walters at verbum.org>
+
+diff --git a/bus/system.conf.in b/bus/system.conf.in
+index 6a71926..ac2822f 100644
+--- a/bus/system.conf.in
++++ b/bus/system.conf.in
+@@ -50,9 +50,19 @@
+ even if they aren't in here -->
+ <allow send_destination="org.freedesktop.DBus"/>
+ <allow receive_sender="org.freedesktop.DBus"/>
+- <!-- valid replies are always allowed -->
+- <allow send_requested_reply="true"/>
++ <!-- allow sending valid replies -->
++ <allow send_requested_reply="true" send_type="method_return"/>
++ <allow send_requested_reply="true" send_type="error"/>
++ <!-- allow receiving valid replies -->
+ <allow receive_requested_reply="true"/>
++ <!-- Note: the rule above also allows receiving of all non-reply messages
++ that are not denied later. See:
++ https://bugs.freedesktop.org/show_bug.cgi?id=18229
++ Potentially this will be replaced in the future by the
++ following two rules:
++ <allow receive_requested_reply="true" receive_type="method_return"/>
++ <allow receive_requested_reply="true" receive_type="error"/>
++ -->
+ <!-- disallow changing the activation environment of system services -->
+ <deny send_destination="org.freedesktop.DBus"
+ send_interface="org.freedesktop.DBus"
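Review bot: The receive side is left open: `<allow receive_requested_reply="true"/>` keeps no `receive_type` restriction, and the comment added beneath it states that it still allows receiving all non-reply messages that are not denied later. Only the send rules are narrowed to `send_type="method_return"` and `send_type="error"`, so the default policy is deny for sends but not yet for receives. The changelog entry for this upload should say so explicitly, so that nobody reads the CVE as fully closed on both directions. If the two commented-out `receive_type` rules are meant to land later, a pointer to the tracking bug in the patch header would help whoever refreshes this patch. Separately, because non-reply sends are now denied by default, any service whose policy file relied on the old effective allow will need explicit `<allow send_destination=.../>` rules; it would be worth checking the packages that ship files under the system bus policy directory before this reaches unstable. Minor: the `Signed-off-by:` line follows the message body with no blank line before it.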