Differences between revisions 21 and 23 (spanning 2 versions)
Revision 21 as of 2009-01-17 11:34:57
Size: 932
Editor: MichaelBiebl
Revision 23 as of 2009-02-05 17:06:45
Size: 5350
Editor: MichaelBiebl

This page tracks the changes needed to fix [http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=503532 D-Bus deny-by-default].

[http://people.debian.org/~smcv/dbus-cve-2008-4311/ "Release candidate" of dbus source and i386 binaries for testing]

http://bugs.debian.org/cgi-bin/pkgreport.cgi?users=pkg-utopia-maintainers@lists.alioth.debian.org&tag=CVE-2008-4311

(some of these may be non-RC)

fd.o #18961

Bugs which are probably not RC, related to [http://bugs.freedesktop.org/show_bug.cgi?id=18961 fd.o #18961]:

http://bugs.debian.org/cgi-bin/pkgreport.cgi?users=pkg-utopia-maintainers@lists.alioth.debian.org&tag=fdo-18961

Otherwise broken

libosso, osso-gwconnect (RM requested)

NM-0.7: http://bugzilla.gnome.org/show_bug.cgi?id=565008

dbus-glib: http://bugs.freedesktop.org/show_bug.cgi?id=19441

Complete list of affected packages

Fixed packages

|| bluemon || [http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510626 #510626], fixed in 1.4-5, looks ok ||
|| bluez-utils || [http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510644 #510644], fixed in 3.36-3, seems ok, bare send_interfaces though, limitation of bluez architecture ||
|| consolekit || [http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510645 #510645], fixed in 0.2.10-4, looks ok ||
|| hal || [http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510639 #510639], fixed in 0.5.11-7, mostly ok, cleanup default section ||
|| odccm || [http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510788 #510788], fixed in 0.11.1-4, looks mostly ok, restrict to interfaces? ||
|| policykit || [http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510646 #510646], fixed in 0.9-2, looks ok ||
|| pommed || [http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510700 #510700], fixed in 1.25~dfsg-1, looks mostly ok, allows access to everyone? ||
|| smart-notifier || [http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510709 #510709], fixed in 0.28-1.1, looks ok, strict ||
|| sugar || [http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510657 #510657], fixed in 0.82.8-3, looks ok ||
|| system-tools-backends || [http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510744 #510744], fixed in 2.6.0-2lenny1, looks ok, strict ||

Packages with bug report not yet fixed

|| avahi-daemon || [http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510653 #510653], no patch ||
|| cups || [http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510634 #510634], no patch ||
|| dhcdbd || [http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510791 #510791], no patch, bare send_interfaces, superfluous default section ||
|| dnsmasq || [http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510649 #510649], patch via upstream bug report ||
|| galago-daemon || [http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511146 #511146], request to remove system bus policy file ||
|| network-manager || [http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510729 #510729], no patch ||
|| network-manager-gnome || [http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510728 #510728], no patch ||
|| network-manager-kde || [http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510757 #510757], no patch ||
|| network-manager-openvpn || [http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510730 #510730], no patch ||
|| network-manager-pptp || [http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510732 #510732], no patch ||
|| network-manager-vpnc || [http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510735 #510735], no patch ||
|| pathfinderd || [http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510696 #510696], no patch, remove bare send_interfaces and default section ||
|| powersaved || [http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510633 #510633], patch seems ok, move introspection in default section! ||
|| system-config-printer || [http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510756 #510756], no patch, superfluous default section, remove send_interface ||
|| wpasupplicant || [http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510652 #510652], patch, denials with NM 0.7 ||
|| yum || [http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510659 #510659], no patch, remove bare send_interfaces, default section ||

Packages without a bug report

|| gconf-defaults-service || from experimental, bare send_interfaceS ||
|| gnome-applets-data || from experimental, bare send_interfaceS ||
|| gnome-panel-data || from experimental, bare send_interfaceS ||
|| gpe-bluetooth || no bug report filed ||
|| kerneloops || completely broken, file extension does not even end with .conf ||
|| libgksu-polkit0 || looks mostly ok ||
|| libpam-dbus || not sure, allow everyone to own the name ||
|| mumble-server || looks ok ||
|| osso-gwconnect || bare send_interfaceS, needs review ||
|| setroubleshoot || bare send_interfaceS, needs review ||
|| wicd || bare send_interfaceS, needs review, allows everyone to configure the network? ||