Differences between revisions 1 and 33 (spanning 32 versions)
Revision 1 as of 2009-01-04 01:19:22
Size: 1686
Comment:
Revision 33 as of 2009-08-31 05:26:58
Size: 4111
Editor: GeoffSimmons
Comment: DebianBug
Line 1: Line 1:
This page tracks the changes needed to fix D-Bus deny-by-default. This page tracks the changes needed to fix DebianBug:503532: D-Bus deny-by-default.
Line 3: Line 3:
== Debian bug filed == [[http://people.debian.org/~smcv/dbus-cve-2008-4311/|"Release candidate" of dbus source and i386 binaries for testing]]
Line 5: Line 5:
[http://bugs.debian.org/cgi-bin/pkgreport.cgi?users=pkg-utopia-maintainers@lists.alioth.debian.org&usertags=CVE-2008-4311] == Bugs related to CVE-2008-4311 ==
http://bugs.debian.org/cgi-bin/pkgreport.cgi?users=pkg-utopia-maintainers@lists.alioth.debian.org&tag=CVE-2008-4311
Line 7: Line 8:
== Debian bug should be filed == (some of these may be non-RC)
Line 9: Line 10:
bluez-utils ([http://git.kernel.org/?p=bluetooth/bluez.git;a=blob_plain;f=src/bluetooth.conf;hb=06637b08f721e1565fa05b818adfb8a0acec804e upstream patch]) == fd.o #18961 ==
Bugs which are probably not RC, related to [[http://bugs.freedesktop.org/show_bug.cgi?id=18961|fd.o #18961]]:
Line 11: Line 13:
consolekit ([http://bugs.freedesktop.org/show_bug.cgi?id=19020 upstream patch]) http://bugs.debian.org/cgi-bin/pkgreport.cgi?users=pkg-utopia-maintainers@lists.alioth.debian.org&tag=fdo-18961
Line 13: Line 15:
knetworkmanager ([https://bugzilla.redhat.com/show_bug.cgi?id=475468 Red Hat bug], upstream unhappy with the patch) == Otherwise broken ==
libosso, osso-gwconnect (RM requested)
Line 15: Line 18:
policykit ([https://bugs.freedesktop.org/show_bug.cgi?id=18948]) == Related bugs (not yet filed in Debian) ==
NM-0.7: http://bugzilla.gnome.org/show_bug.cgi?id=565008
Line 17: Line 21:
system-tools-backends (might be [http://bugzilla.gnome.org/show_bug.cgi?id=563857 "GNOME system monitor"], [https://bugzilla.redhat.com/show_bug.cgi?id=475203 system-config-services], [http://cvs.fedoraproject.org/viewvc/rpms/system-config-services/F-10/system-config-services-0.99.28-dbus.patch system-config-services], [https://bugzilla.redhat.com/show_bug.cgi?id=475524 system-config-samba]?) dbus-glib: http://bugs.freedesktop.org/show_bug.cgi?id=19441: Fix in dbus-glib 0.80-1 (from experimental)
Line 19: Line 23:
== Might be affected, please check == == Complete list of affected packages ==
Line 21: Line 25:
avahi Fixed packages
Line 23: Line 27:
dnsmasq || bluemon || DebianBug:510628, fixed in 1.4-5, looks ok ||
|| bluez-utils || DebianBug:510644, fixed in 3.36-3, seems ok, bare send_interfaces though, limitation of bluez architecture ||
|| consolekit || DebianBug:510645, fixed in 0.2.10-4, looks ok ||
|| hal || DebianBug:510639, fixed in 0.5.11-7, mostly ok, cleanup default section ||
|| odccm || DebianBug:510788, fixed in 0.11.1-4, looks mostly ok, restrict to interfaces? ||
|| policykit || DebianBug:510646, fixed in 0.9-2, looks ok ||
|| pommed || DebianBug:510700, fixed in 1.25~dfsg-1, looks mostly ok, allows access to everyone? ||
|| smart-notifier || DebianBug:510709, fixed in 0.28-1.1, looks ok, strict ||
|| sugar || DebianBug:510657, fixed in 0.82.8-3, looks ok ||
|| system-tools-backends || DebianBug:510744, fixed in 2.6.0-2lenny1, looks ok, too strict? ||
|| dnsmasq || DebianBug:510649, fixed in 2.47-1 ||
|| powersaved || DebianBug:510633, fixed in 0.15.20-5 ||
|| network-manager-kde || DebianBug:510757, fixed in 1:0.7~~svn908338-2 ||
|| network-manager-openvpn|| DebianBug:510730, fixed in 0.7.0-2 ||
|| network-manager-pptp || DebianBug:510732, fixed in 0.7.0-2 ||
|| network-manager-vpnc || DebianBug:510735, fixed in 0.7.0-2 ||
|| network-manager-gnome || DebianBug:510728, fixed in 0.7.0-2 ||
|| avahi-daemon || DebianBug:510653, fixed in 0.6.24-2 ||
|| network-manager || DebianBug:510729, fixed in 0.7.0.97-1 ||
Line 25: Line 47:
gpe-bluetooth Packages with bug report not yet fixed
Line 27: Line 49:
kerneloops || cups || DebianBug:510634, no patch ||
|| dhcdbd || DebianBug:510791, no patch, bare send_interfaces, superfluous default section ||
|| galago-daemon || DebianBug:511146, request to remove system bus policy file ||
|| pathfinderd || DebianBug:510696, no patch, remove bare send_interfaces and default section ||
|| system-config-printer || DebianBug:510756, no patch, superfluous default section, remove send_interface ||
|| wpasupplicant || DebianBug:510652, patch, denials with NM 0.7 ||
|| yum || DebianBug:510659, no patch, remove bare send_interfaces, default section ||
Line 29: Line 57:
mumble Packages without a bug report
Line 31: Line 59:
network-manager

network-manager-applet

network-manager-openvpn

network-manager-pptp

network-manager-vpnc

odccm

pathfinder

smart-notifier

sugar (probably unaffected, needs a second look; related to nm-applet)

system-config-printer

wpasupplicant

yum

== Non-RC severity ==

cups (mjj29)

== Unaffected ==

galago-daemon (not on system bus)

== Being dealt with ==

pommed (upstream and Debian maintainer fixing it)

libosso, osso-gwconnect (RM requested)
|| gconf-defaults-service || from experimental, bare send_interfaceS ||
|| gnome-applets-data || from experimental, bare send_interfaceS ||
|| gnome-panel-data || from experimental, bare send_interfaceS ||
|| gpe-bluetooth || no bug report filed ||
|| kerneloops || completely broken, file extension does not even end with .conf ||
|| libgksu-polkit0 || looks mostly ok ||
|| libpam-dbus || not sure, allow everyone to own the name ||
|| mumble-server || looks ok ||
|| osso-gwconnect || bare send_interfaceS, needs review ||
|| setroubleshoot || bare send_interfaceS, needs review ||
|| wicd || bare send_interfaceS, needs review, allows everyone to configure the network? ||
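
Review bot: osso-gwconnect ends up with two conflicting statuses in revision 33: the "Otherwise broken" section says "libosso, osso-gwconnect (RM requested)", while the new "Packages without a bug report" table lists it as "bare send_interfaceS, needs review". Keep it in one place, or have the table row refer to the removal request. The tables also write the same finding three ways ("send_interfaces", "send_interfaceS", "send_interface"); settling on one spelling would keep the page searchable. In "Packages with bug report not yet fixed", the cups row (DebianBug:510634, "no patch") gives no finding at all, unlike its neighbours, so a reader cannot tell what still needs fixing in that policy file.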

This page tracks the changes needed to fix DebianBug:503532: D-Bus deny-by-default.

[[http://people.debian.org/~smcv/dbus-cve-2008-4311/|"Release candidate" of dbus source and i386 binaries for testing]]

== Bugs related to CVE-2008-4311 ==

http://bugs.debian.org/cgi-bin/pkgreport.cgi?users=pkg-utopia-maintainers@lists.alioth.debian.org&tag=CVE-2008-4311

(some of these may be non-RC)

== fd.o #18961 ==

Bugs which are probably not RC, related to [[http://bugs.freedesktop.org/show_bug.cgi?id=18961|fd.o #18961]]:

http://bugs.debian.org/cgi-bin/pkgreport.cgi?users=pkg-utopia-maintainers@lists.alioth.debian.org&tag=fdo-18961

== Otherwise broken ==

libosso, osso-gwconnect (RM requested)

== Related bugs (not yet filed in Debian) ==

NM-0.7: http://bugzilla.gnome.org/show_bug.cgi?id=565008

dbus-glib: http://bugs.freedesktop.org/show_bug.cgi?id=19441: Fix in dbus-glib 0.80-1 (from experimental)

== Complete list of affected packages ==

Fixed packages

|| bluemon || DebianBug:510628, fixed in 1.4-5, looks ok ||
|| bluez-utils || DebianBug:510644, fixed in 3.36-3, seems ok, bare send_interfaces though, limitation of bluez architecture ||
|| consolekit || DebianBug:510645, fixed in 0.2.10-4, looks ok ||
|| hal || DebianBug:510639, fixed in 0.5.11-7, mostly ok, cleanup default section ||
|| odccm || DebianBug:510788, fixed in 0.11.1-4, looks mostly ok, restrict to interfaces? ||
|| policykit || DebianBug:510646, fixed in 0.9-2, looks ok ||
|| pommed || DebianBug:510700, fixed in 1.25~dfsg-1, looks mostly ok, allows access to everyone? ||
|| smart-notifier || DebianBug:510709, fixed in 0.28-1.1, looks ok, strict ||
|| sugar || DebianBug:510657, fixed in 0.82.8-3, looks ok ||
|| system-tools-backends || DebianBug:510744, fixed in 2.6.0-2lenny1, looks ok, too strict? ||
|| dnsmasq || DebianBug:510649, fixed in 2.47-1 ||
|| powersaved || DebianBug:510633, fixed in 0.15.20-5 ||
|| network-manager-kde || DebianBug:510757, fixed in 1:0.7~~svn908338-2 ||
|| network-manager-openvpn || DebianBug:510730, fixed in 0.7.0-2 ||
|| network-manager-pptp || DebianBug:510732, fixed in 0.7.0-2 ||
|| network-manager-vpnc || DebianBug:510735, fixed in 0.7.0-2 ||
|| network-manager-gnome || DebianBug:510728, fixed in 0.7.0-2 ||
|| avahi-daemon || DebianBug:510653, fixed in 0.6.24-2 ||
|| network-manager || DebianBug:510729, fixed in 0.7.0.97-1 ||

Packages with bug report not yet fixed

|| cups || DebianBug:510634, no patch ||
|| dhcdbd || DebianBug:510791, no patch, bare send_interfaces, superfluous default section ||
|| galago-daemon || DebianBug:511146, request to remove system bus policy file ||
|| pathfinderd || DebianBug:510696, no patch, remove bare send_interfaces and default section ||
|| system-config-printer || DebianBug:510756, no patch, superfluous default section, remove send_interface ||
|| wpasupplicant || DebianBug:510652, patch, denials with NM 0.7 ||
|| yum || DebianBug:510659, no patch, remove bare send_interfaces, default section ||

Packages without a bug report

|| gconf-defaults-service || from experimental, bare send_interfaceS ||
|| gnome-applets-data || from experimental, bare send_interfaceS ||
|| gnome-panel-data || from experimental, bare send_interfaceS ||
|| gpe-bluetooth || no bug report filed ||
|| kerneloops || completely broken, file extension does not even end with .conf ||
|| libgksu-polkit0 || looks mostly ok ||
|| libpam-dbus || not sure, allow everyone to own the name ||
|| mumble-server || looks ok ||
|| osso-gwconnect || bare send_interfaceS, needs review ||
|| setroubleshoot || bare send_interfaceS, needs review ||
|| wicd || bare send_interfaceS, needs review, allows everyone to configure the network? ||