if I understand everything correctly, there is a bad security bug in dbus:
The default configuration contains the lines
<allow send_requested_reply="true"/>
<allow receive_requested_reply="true"/>
with the valid intention to allow all replies to be sent without explicit permission. Otherwise, dbus claims to have a default-no policy.
But what happens instead is: When a message is considered for sending, it enters bus_client_policy_check_can_send in policy.c[1]. There, all rules are looked at, but only SEND rules considered (line 893) – the first of the above rules is such a rule. Now we check for various conditions that might occur in such a rule (e.g. destination and the like), but none of these exist besides send_requested_reply. But in line 909 this is only done for messages which are replies. This means that for normal messages, we continue with the code and end up in line 1028, where we set the allowed flag! If no other rule kicks in, this stays allowed until the end.
A proper fix would be to add an else statement to the if in line 909, which calls continue, I think.
I did not adjust the severity or priority, per bug-submitting etiquette, but I consider this a major bug.
Thanks,
Joachim
[1] http://gitweb.freedesktop.org/?p=dbus/dbus.git;a=blob;h=caa544e7a4f041e0cc9b250dc8c814a7b06e927b;hb=14afa0564e9eea01d28d4b2fd1e6ac0bfec626e7;f=bus/policy.c#l865
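As an added illustration (not dbus's own policy.c), the following C model follows the rule walk the report describes: a SEND rule carrying send_requested_reply is checked against the message only when the message is a reply, so without the proposed "else continue" a plain method call falls through and flips the allowed flag. The rule and message structs, and the helper default_rule_allows(), are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of the rule walk from the report, not dbus's own
 * bus_client_policy_check_can_send(): the last matching SEND rule wins. */
typedef enum { RULE_SEND, RULE_RECEIVE } rule_type_t;
typedef struct {
    rule_type_t type;
    bool allow;                /* <allow .../> or <deny .../> */
    bool has_requested_reply;  /* rule carries send_requested_reply="..." */
    bool requested_reply;      /* value of that attribute */
} rule_t;
typedef struct {
    bool is_reply;             /* method return or error message */
    bool reply_was_requested;  /* a matching outstanding call exists */
} message_t;

/* fixed == false reproduces the fall-through the report describes;
 * fixed == true adds the proposed "else continue". */
static bool check_can_send(const rule_t *rules, size_t n, message_t msg, bool fixed)
{
    bool allowed = false;      /* default-deny policy */
    for (size_t i = 0; i < n; i++) {
        const rule_t *r = &rules[i];
        if (r->type != RULE_SEND)
            continue;
        if (r->has_requested_reply) {
            if (msg.is_reply) {
                if (r->requested_reply != msg.reply_was_requested)
                    continue;  /* attribute does not match this reply */
            } else if (fixed) {
                continue;      /* non-reply: this rule must not match */
            }
            /* without the fix a non-reply message falls through to here */
        }
        allowed = r->allow;
    }
    return allowed;
}

/* Evaluate the single default rule from the report,
 * <allow send_requested_reply="true"/>, against one message. */
bool default_rule_allows(bool is_reply, bool reply_was_requested, bool fixed)
{
    static const rule_t default_rules[] = { { RULE_SEND, true, true, true } };
    message_t m = { is_reply, reply_was_requested };
    return check_can_send(default_rules, 1, m, fixed);
}
```

With fixed == false a plain method call (is_reply == false) comes back allowed, which is the behaviour the report calls a major bug; with the else/continue in place it is denied while a requested reply still passes.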