No permission to call method (dbus 1.2.8)

Bug #306705 reported by Scott James Remnant (Canonical) on 2008-12-09
12
Affects Status Importance Assigned to Milestone
screen-resolution-extra (Ubuntu)
High
Alberto Milone

Bug Description

Binary package hint: screen-resolution-extra

The supplied D-Bus system bus configuration does not contain any policy to allow communication with the exported objects. Thus this only works because of a security flaw in D-Bus, fixed in 1.2.6/8.

Changed in screen-resolution-extra:
assignee: nobody → albertomilone
importance: Undecided → High
status: New → Confirmed
Alberto Milone (albertomilone) wrote :

Thanks a lot for the patch. I tested it and I didn't experience any problems in Intrepid.

Alberto Milone (albertomilone) wrote :

It works in Jaunty too.

SRU request:

TEST-CASE:
The supplied D-Bus system bus configuration does not contain any policy to allow communication with the exported objects. Thus this only works because of a security flaw in D-Bus, fixed in 1.2.6/8.

If not updated, the GNOME Screen Resolution applet will stop working when the security flaw is fixed in Dbus.

Alberto Milone (albertomilone) wrote :

The full source is available in my bazaar branch:
https://code.launchpad.net/~albertomilone/screen-resolution-extra/main

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package screen-resolution-extra - 0.4

---------------
screen-resolution-extra (0.4) jaunty; urgency=low

  [ Scott James Remnant ]
  * com.ubuntu.ScreenResolution.Mechanism.conf:
    - allow messages to be sent to the service. LP: #306705.

  [ Martin Pitt ]
  * debian/control: Add Vcs-Bzr header.

 -- Scott James Remnant <email address hidden> Sun, 04 Jan 2009 11:28:07 +0100

Changed in screen-resolution-extra:
status: Confirmed → Fix Released
Martin Pitt (pitti) wrote :

Sponsored for Jaunty. Alberto, please apply the attached patch to your bzr branch, so that it is consistent with Jaunty, and also adds the Vcs-Bzr: header.

Do we need to fix this in intrepid as well? AFAICS we only need to do that if we put the stricter D-Bus fix into intrepid.

If the new D-Bus goes in, this should go through -security, not -updates. And in that case fixes like this need to go through -security as well, and published in one USN.

If the new D-Bus does not go in, we do not need to fix this either.

Thus I unsubscribe ubuntu-sru now. If we need it in stables, please add stable tasks and subscribe ubuntu-security.

Alberto Milone (albertomilone) wrote :

Thanks for the patch, Martin.

I agree with you that, if we were to upload this fix to Intrepid, -security would be the best place where this should happen.

Today I've read Scott's email in ubuntu-devel which says:

"We've audited the system bus services shipped in Ubuntu, and are
confident that there is no security exploit.  Those services exporting
privileged methods either have sufficient "deny" rules, or use PolicyKit
for authorisation.

For this reason, and due to the large potential for regressions, we've
opted not to release a security update for previous Ubuntu versions.  We
may still do so if we discover a potential for exploit."

In other words, if they decide to update Dbus in Intrepid we'll have to upload this fix .

On Mon, 2009-01-19 at 16:43 +0000, Alberto Milone wrote:

> In other words, if they decide to update Dbus in Intrepid we'll have
> to upload this fix .
>
It's probably easier if we find a service that is exploitable, to just
upload a fix for that service's policy conf to deny the method calls
explicitly.

Scott
--
Scott James Remnant
<email address hidden>

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers