CVE-2008-4311 vulnerability

Related Vulnerabilities: CVE-2008-4311  

Debian Bug report logs - #508032

Reported by: "Michael Gilbert" <michael.s.gilbert@gmail.com>

Date: Sun, 7 Dec 2008 04:51:02 UTC

Severity: grave

Tags: security

Merged with 503532

Found in versions dbus/1.2.1-3, dbus/1.2.4-1

Fixed in versions dbus/1.2.8-1, dbus/1.2.1-5

Done: Simon McVittie <smcv@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#508032; Package dbus. (Sun, 07 Dec 2008 04:51:04 GMT)


Acknowledgement sent to "Michael Gilbert" <michael.s.gilbert@gmail.com>:
New Bug report received and forwarded. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Sun, 07 Dec 2008 04:51:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: "Michael Gilbert" <michael.s.gilbert@gmail.com>
To: submit@bugs.debian.org
Subject: CVE-2008-4311 vulnerability
Date: Sat, 6 Dec 2008 23:49:25 -0500

Package: dbus
Severity: grave
Justification: user security hole
Version: 1.0.2-1+etch4
Version: 1.2.1-4
Version: 1.2.4-1

fedora has just released fixes for a vulnerability in dbus.  they did
not describe what the problem actually is, and the issue is still
reserved in the cve database [1].  see the fedora security
announcement for more details [2].

thanks for working to keep debian secure.

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4311
[2] https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00209.html




Forcibly Merged 503532 508032. Request was from Joachim Breitner <nomeata@debian.org> to control@bugs.debian.org. (Mon, 08 Dec 2008 00:18:03 GMT)


Reply sent to Sjoerd Simons <sjoerd@debian.org>:
You have taken responsibility. (Sun, 14 Dec 2008 18:18:09 GMT)


Notification sent to "Michael Gilbert" <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Sun, 14 Dec 2008 18:18:09 GMT)


Message #12 received at 508032-close@bugs.debian.org:

From: Sjoerd Simons <sjoerd@debian.org>
To: 508032-close@bugs.debian.org
Subject: Bug#508032: fixed in dbus 1.2.8-1
Date: Sun, 14 Dec 2008 18:02:05 +0000

Source: dbus
Source-Version: 1.2.8-1

We believe that the bug you reported is fixed in the latest version of
dbus, which is due to be installed in the Debian FTP archive:

dbus-1-doc_1.2.8-1_all.deb
  to pool/main/d/dbus/dbus-1-doc_1.2.8-1_all.deb
dbus-x11_1.2.8-1_amd64.deb
  to pool/main/d/dbus/dbus-x11_1.2.8-1_amd64.deb
dbus_1.2.8-1.diff.gz
  to pool/main/d/dbus/dbus_1.2.8-1.diff.gz
dbus_1.2.8-1.dsc
  to pool/main/d/dbus/dbus_1.2.8-1.dsc
dbus_1.2.8-1_amd64.deb
  to pool/main/d/dbus/dbus_1.2.8-1_amd64.deb
dbus_1.2.8.orig.tar.gz
  to pool/main/d/dbus/dbus_1.2.8.orig.tar.gz
libdbus-1-3_1.2.8-1_amd64.deb
  to pool/main/d/dbus/libdbus-1-3_1.2.8-1_amd64.deb
libdbus-1-dev_1.2.8-1_amd64.deb
  to pool/main/d/dbus/libdbus-1-dev_1.2.8-1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 508032@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sjoerd Simons <sjoerd@debian.org> (supplier of updated dbus package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sun, 07 Dec 2008 13:30:19 +0000
Source: dbus
Binary: dbus dbus-x11 libdbus-1-3 dbus-1-doc libdbus-1-dev
Architecture: source all amd64
Version: 1.2.8-1
Distribution: experimental
Urgency: low
Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
Changed-By: Sjoerd Simons <sjoerd@debian.org>
Description: 
 dbus       - simple interprocess messaging system
 dbus-1-doc - simple interprocess messaging system (documentation)
 dbus-x11   - simple interprocess messaging system (X11 deps)
 libdbus-1-3 - simple interprocess messaging system
 libdbus-1-dev - simple interprocess messaging system (development headers)
Closes: 503532 508032
Changes: 
 dbus (1.2.8-1) experimental; urgency=low
 .
   [ Sjoerd Simons ]
   * New upstream release
   * Fixes CVE-2008-4311 (Closes: #503532, #508032)
 .
   [ Michael Biebl ]
   * debian/libdbus-1-3.symbols
     - Updated, new symbol has been added.
   * debian/rules
     - Bump shlibs to 1.2.4.
   * debian/control
     - Bump Standards-Version to 3.8.0. No further changes.





Reply sent to Sjoerd Simons <sjoerd@debian.org>:
You have taken responsibility. (Sun, 14 Dec 2008 18:18:10 GMT)


Notification sent to Joachim Breitner <nomeata@debian.org>:
Bug acknowledged by developer. (Sun, 14 Dec 2008 18:18:10 GMT)


Tags added: security Request was from Raphael Geissert <atomo64@gmail.com> to control@bugs.debian.org. (Wed, 17 Dec 2008 02:03:07 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#508032; Package dbus. (Thu, 18 Dec 2008 12:42:03 GMT)


Acknowledgement sent to Patrick Schoenfeld <schoenfeld@in-medias-res.com>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Thu, 18 Dec 2008 12:42:03 GMT)


Message #24 received at 508032@bugs.debian.org:

From: Patrick Schoenfeld <schoenfeld@in-medias-res.com>
To: 508032@bugs.debian.org, 503532@bugs.debian.org, sjoerd@debian.org
Subject: Security vulnerability in dbus
Date: Thu, 18 Dec 2008 13:39:18 +0100

Hi,

I saw that you made an upload for bug #503532 and #508032 to
experimental. Now I wonder if you plan to make an upload to unstable
suitable for lenny?

Best Regards,
Patrick




Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#508032; Package dbus. (Thu, 18 Dec 2008 13:21:02 GMT)


Acknowledgement sent to Michael Biebl <biebl@debian.org>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Thu, 18 Dec 2008 13:21:02 GMT)


Message #29 received at 508032@bugs.debian.org:

From: Michael Biebl <biebl@debian.org>
To: Patrick Schoenfeld <schoenfeld@in-medias-res.com>, 508032@bugs.debian.org
Subject: Re: [Pkg-utopia-maintainers] Bug#508032: Security vulnerability in dbus
Date: Thu, 18 Dec 2008 14:19:13 +0100

Patrick Schoenfeld wrote:
> Hi,
> 
> I saw that you made an upload for bug #503532 and #508032 to
> experimental. Now I wonder if you plan to make an upload to unstable
> suitable for lenny?

Just some pointers:

Fedora did an upload for their stable distribution, and they were burnt heavily
[1], so that they reverted the upload again [2].

Too much unrelated (D-Bus using) software was broken by this change. There is a
tracking bug, which tries to collect all affected software [3]. And we don't
know yet, if more stuff is broken.

The fallout of this change is significant.
With lenny being in deep freeze, it would be really hard to get all affected
packages fixed and it potentially delays the release even further.

If we try to address this bug for lenny, we would need a clear ack from the
release team.

There is a proposed new release of dbus [4], which will revert the policy
changes again but add improved logging, to allow it to easier identify which
software is affected.


Cheers,
Michael


[1] http://lists.freedesktop.org/archives/dbus/2008-December/010759.html
[2] https://www.redhat.com/archives/fedora-devel-list/2008-December/msg01445.html
[3] https://bugs.freedesktop.org/show_bug.cgi?id=18980
[4] http://lists.freedesktop.org/archives/dbus/2008-December/010769.html

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#508032; Package dbus. (Sat, 20 Dec 2008 12:51:05 GMT)


Acknowledgement sent to Sjoerd Simons <sjoerd@luon.net>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Sat, 20 Dec 2008 12:51:05 GMT)


Message #34 received at 508032@bugs.debian.org:

From: Sjoerd Simons <sjoerd@luon.net>
To: Patrick Schoenfeld <schoenfeld@in-medias-res.com>
Cc: 508032@bugs.debian.org, 503532@bugs.debian.org
Subject: Re: Security vulnerability in dbus
Date: Sat, 20 Dec 2008 12:48:50 +0000

On Thu, Dec 18, 2008 at 01:39:18PM +0100, Patrick Schoenfeld wrote:
> Hi,
> 
> I saw that you made an upload for bug #503532 and #508032 to
> experimental. Now I wonder if you plan to make an upload to unstable
> suitable for lenny?

Unfortunately the situation is a little bit more complicated than that.
Tightening up the security of the dbus config is known to break various other
programs. D-Bus upstream just released a permissive version which will allow
the same things as the older dbus versions did, but logs about things that
would break with the new rules. We intend to upload that to unstable rsn, so we
can find and fix most if not all issues before uploading the final, secure version.

  Sjoerd
-- 
If you can survive death, you can probably survive anything.




Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#508032; Package dbus. (Mon, 22 Dec 2008 11:36:04 GMT)


Acknowledgement sent to Patrick Schoenfeld <schoenfeld@in-medias-res.com>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Mon, 22 Dec 2008 11:36:04 GMT)


Message #39 received at 508032@bugs.debian.org:

From: Patrick Schoenfeld <schoenfeld@in-medias-res.com>
To: Sjoerd Simons <sjoerd@luon.net>
Cc: 508032@bugs.debian.org, 503532@bugs.debian.org
Subject: Re: Security vulnerability in dbus
Date: Mon, 22 Dec 2008 12:33:00 +0100

On Sat, Dec 20, 2008 at 12:48:50PM +0000, Sjoerd Simons wrote:
> > I saw that you made an upload for bug #503532 and #508032 to
> > experimental. Now I wonder if you plan to make an upload to unstable
> > suitable for lenny?
> 
> Unfortunately the situation is a little bit more complicated than that.

More complicated than what? I did not say "do you intend to upload
the experimental version to unstable", I've asked whether you plan to
make a suitable lenny upload.

> Tightening up the security of the dbus config is known to break various other
> programs. D-Bus upstream just released a permissive version which will allow
> the same things as the older dbus versions did, but logs about things that
> would break with the new rules. We intend to upload that to unstable rsn, so we
> can find and fix most if not all issues before uploading the final, secure version.

OK. I just wanted to know if there is any progress going, when I went
through the list of RC bugs, before looking deeper into the issue.

Regards,
Patrick




Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#508032; Package dbus. (Sat, 03 Jan 2009 13:42:06 GMT)


Acknowledgement sent to Matthew Johnson <mjj29@debian.org>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Sat, 03 Jan 2009 13:42:06 GMT)


Message #44 received at 508032@bugs.debian.org:

From: Matthew Johnson <mjj29@debian.org>
To: debian-release@lists.debian.org, debian-security@lists.debian.org, sjoerd@debian.org, 508032@bugs.debian.org
Subject: DBus plan for Lenny
Date: Sat, 3 Jan 2009 13:39:54 +0000

Hi guys, I'm looking to come up with a plan for DBus in Lenny. The
relevant bug is #508032.

A quick synopsis of the problem is that until recently DBus was shipped
with a default configuration on the system bus which allowed more
messages than was intended. 1.2.10 fixes this but unfortunately it breaks
numerous other bits of software which relied on this (mainly
introspection). There is also a 'permissive' release which merely logs
when there would be a problem but still lets them through. It does not
actually fix the problem, however.

If we do want to fix the problem properly then all the packages which
rely on the broken behaviour will also need to be fixed. This should be
as simple as just adding a few lines to their system bus config files.
I've attached a list of packages which would be affected. The shorter
list (*-files*, also has a list of versions in lenny and sid and
migration excuses. Sorry if there's a better way to do that than I've
found!) is those packages which already drop a file in
/etc/dbus-1/system.d, which should be everything. There is a small
possibility that there is a package which does not currently have a
config file but which should. The longer list is rdepends of
libdbus-1-3, it will definitely not be anything not on this list.

Opinions?

Matt
-- 
Matthew Johnson
[packages-files.dd-list.txt (text/plain, attachment)]
[packages-files.excuses.txt (text/plain, attachment)]
[packages-files.txt (text/plain, attachment)]
[packages-files.versions.txt (text/plain, attachment)]
[packages-rdepends.dd-list.txt (text/plain, attachment)]
[packages-rdepends.txt (text/plain, attachment)]
Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#508032; Package dbus. (Sat, 03 Jan 2009 15:09:05 GMT)


Acknowledgement sent to Luk Claes <luk@debian.org>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Sat, 03 Jan 2009 15:09:06 GMT)


Message #49 received at 508032@bugs.debian.org:

From: Luk Claes <luk@debian.org>
To: Matthew Johnson <mjj29@debian.org>
Cc: debian-release@lists.debian.org, debian-security@lists.debian.org, sjoerd@debian.org, 508032@bugs.debian.org
Subject: Re: DBus plan for Lenny
Date: Sat, 03 Jan 2009 15:59:39 +0100

Matthew Johnson wrote:
> Hi guys, I'm looking to come up with a plan for DBus in Lenny. The
> relevant bug is #508032.
> 
> A quick synopsis of the problem is that until recently DBus was shipped
> with a default configuration on the system bus which allowed more
> messages than was intended. 1.2.10 fixes this but unfortunately it breaks
> numerous other bits of software which relied on this (mainly
> introspection). There is also a 'permissive' release which merely logs
> when there would be a problem but still lets them through. It does not
> actually fix the problem, however.
> 
> If we do want to fix the problem properly then all the packages which
> rely on the broken behaviour will also need to be fixed. This should be
> as simple as just adding a few lines to their system bus config files.
> I've attached a list of packages which would be affected. The shorter
> list (*-files*, also has a list of versions in lenny and sid and
> migration excuses. Sorry if there's a better way to do that than I've
> found!) is those packages which already drop a file in
> /etc/dbus-1/system.d, which should be everything. There is a small
> possibility that there is a package which does not currently have a
> config file but which should. The longer list is rdepends of
> libdbus-1-3, it will definitely not be anything not on this list.
> 
> Opinions?

Please start preparing things in unstable, so we can have a further idea
of the impact and how to solve the remaining bits, TIA.

Cheers

Luk




Blocking bugs of 503532 added: 510628 Request was from Matthew Johnson <mjj29@debian.org> to control@bugs.debian.org. (Sat, 03 Jan 2009 21:51:04 GMT)


Blocking bugs of 503532 added: 510633 Request was from Matthew Johnson <mjj29@debian.org> to control@bugs.debian.org. (Sat, 03 Jan 2009 22:33:02 GMT)


Blocking bugs of 503532 added: 510646 Request was from Simon McVittie <smcv@debian.org> to control@bugs.debian.org. (Sun, 04 Jan 2009 13:39:03 GMT)


Blocking bugs of 503532 added: 510639 Request was from Simon McVittie <smcv@debian.org> to control@bugs.debian.org. (Sun, 04 Jan 2009 13:39:05 GMT)


Blocking bugs of 503532 added: 510644 Request was from Simon McVittie <smcv@debian.org> to control@bugs.debian.org. (Sun, 04 Jan 2009 13:39:07 GMT)


Blocking bugs of 503532 added: 510698 Request was from Matthew Johnson <mjj29@debian.org> to control@bugs.debian.org. (Sun, 04 Jan 2009 13:57:09 GMT)


Blocking bugs of 503532 added: 510709 Request was from Matthew Johnson <mjj29@debian.org> to control@bugs.debian.org. (Sun, 04 Jan 2009 14:21:03 GMT)


Blocking bugs of 503532 added: 510744 Request was from Simon McVittie <smcv@debian.org> to control@bugs.debian.org. (Sun, 04 Jan 2009 19:48:07 GMT)


Reply sent to Simon McVittie <smcv@debian.org>:
You have taken responsibility. (Sat, 10 Jan 2009 23:12:08 GMT)


Notification sent to "Michael Gilbert" <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Sat, 10 Jan 2009 23:12:08 GMT)


Message #70 received at 508032-close@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: 508032-close@bugs.debian.org
Subject: Bug#508032: fixed in dbus 1.2.1-5
Date: Sat, 10 Jan 2009 23:02:06 +0000

Source: dbus
Source-Version: 1.2.1-5

We believe that the bug you reported is fixed in the latest version of
dbus, which is due to be installed in the Debian FTP archive:

dbus-1-doc_1.2.1-5_all.deb
  to pool/main/d/dbus/dbus-1-doc_1.2.1-5_all.deb
dbus-x11_1.2.1-5_i386.deb
  to pool/main/d/dbus/dbus-x11_1.2.1-5_i386.deb
dbus_1.2.1-5.diff.gz
  to pool/main/d/dbus/dbus_1.2.1-5.diff.gz
dbus_1.2.1-5.dsc
  to pool/main/d/dbus/dbus_1.2.1-5.dsc
dbus_1.2.1-5_i386.deb
  to pool/main/d/dbus/dbus_1.2.1-5_i386.deb
libdbus-1-3_1.2.1-5_i386.deb
  to pool/main/d/dbus/libdbus-1-3_1.2.1-5_i386.deb
libdbus-1-dev_1.2.1-5_i386.deb
  to pool/main/d/dbus/libdbus-1-dev_1.2.1-5_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 508032@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated dbus package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sat, 10 Jan 2009 21:43:16 +0000
Source: dbus
Binary: dbus dbus-x11 libdbus-1-3 dbus-1-doc libdbus-1-dev
Architecture: source all i386
Version: 1.2.1-5
Distribution: unstable
Urgency: high
Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Description: 
 dbus       - simple interprocess messaging system
 dbus-1-doc - simple interprocess messaging system (documentation)
 dbus-x11   - simple interprocess messaging system (X11 deps)
 libdbus-1-3 - simple interprocess messaging system
 libdbus-1-dev - simple interprocess messaging system (development headers)
Closes: 503532 508032
Changes: 
 dbus (1.2.1-5) unstable; urgency=high
 .
   [ Sjoerd Simons ]
   * debian/patches/CVE-2008-4311.patch:
     + Added, Fixes CVE-2008-4311. A mistake in the default configuration for
       the system bus (system.conf) which made the default policy for both sent
       and received messages effectively *allow*, and not deny as intended. This
       patch fixes the send side permissions (Closes: #503532, #508032)
   * Urgency high for the security fix
 .
   [ Simon McVittie ]
   * Rename CVE-*.patch to prefix them with a sequence number so it's clear
     what order they should apply in
   * Add 51-CVE-2008-4311-but-allow-signals.patch, cherry-picked from upstream
     git commit d899734475: after fixing CVE-2008-4311, re-allow emitting
     signals
   * debian/patches/3[0-4]*.patch, cherry-picked from upstream git (see patches
     for commit IDs): add logging when permission to send a message is denied
   * debian/patches/35-syslog-h.patch: #include <syslog.h> to fix compilation
     with the logging patches applied
   * Add myself to Uploaders





Reply sent to Simon McVittie <smcv@debian.org>:
You have taken responsibility. (Sat, 10 Jan 2009 23:12:09 GMT)


Notification sent to Joachim Breitner <nomeata@debian.org>:
Bug acknowledged by developer. (Sat, 10 Jan 2009 23:12:09 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 08 Feb 2009 07:27:58 GMT)
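
An added illustration, not code from this bug log or from D-Bus, of why correcting the effectively-allow default described in the 1.2.1-5 changelog and in Matthew Johnson's summary breaks services that never declared their own send rules: a simplified last-match-wins evaluator run over constructed policy fragments. The org.example.* names and all file contents are hypothetical, the corrected default is a stand-in rather than a copy of system.conf, and only send_type, send_destination and send_interface are modelled.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for a corrected default policy (not a copy of system.conf):
# method calls need an explicit hole, signals are re-allowed.
DEFAULT_FIXED = """<busconfig><policy context="default">
  <deny send_type="method_call"/>
  <allow send_type="signal"/>
</policy></busconfig>"""

# Hypothetical service files of the kind dropped into /etc/dbus-1/system.d.
SERVICE_FILES = {
    "org.example.Good.conf": """<busconfig>
  <policy user="root"><allow own="org.example.Good"/></policy>
  <policy context="default">
    <allow send_destination="org.example.Good"
           send_interface="org.freedesktop.DBus.Introspectable"/>
  </policy></busconfig>""",
    "org.example.Legacy.conf": """<busconfig>
  <policy user="root"><allow own="org.example.Legacy"/></policy>
</busconfig>""",
}

# Only these three rule attributes are modelled; rules using others are skipped.
SEND_ATTRS = {"send_type": "type", "send_destination": "destination",
              "send_interface": "interface"}


def default_send_rules(xml_text):
    """List (verdict, conditions) for send rules in <policy context="default">."""
    rules = []
    for policy in ET.fromstring(xml_text).iter("policy"):
        if policy.get("context") != "default":
            continue
        for rule in policy:
            if rule.tag in ("allow", "deny") and rule.attrib \
                    and set(rule.attrib) <= set(SEND_ATTRS):
                rules.append((rule.tag,
                              {SEND_ATTRS[k]: v for k, v in rule.attrib.items()}))
    return rules


def can_send(rules, msg, fallback):
    """Rules apply in order and the last match wins; fallback covers no match."""
    verdict = fallback
    for tag, conds in rules:
        if all(msg.get(k) == v for k, v in conds.items()):
            verdict = tag
    return verdict == "allow"


def owned_names(xml_text):
    """Bus names a service file lets some user or context own."""
    return [r.get("own") for r in ET.fromstring(xml_text).iter("allow")
            if r.get("own")]


def breakage_report(service_files):
    """Map owned name -> (allowed before fix, allowed after fix) for Introspect."""
    fixed = default_send_rules(DEFAULT_FIXED)
    report = {}
    for xml_text in service_files.values():
        service_rules = default_send_rules(xml_text)
        for name in owned_names(xml_text):
            msg = {"type": "method_call", "destination": name,
                   "interface": "org.freedesktop.DBus.Introspectable"}
            # "Before" stands in for the effectively-allow default: no match = allow.
            before = can_send(service_rules, msg, fallback="allow")
            # "After": corrected default first, then the service's own holes.
            after = can_send(fixed + service_rules, msg, fallback="deny")
            report[name] = (before, after)
    return report


if __name__ == "__main__":
    for name, (before, after) in breakage_report(SERVICE_FILES).items():
        status = "ok" if after else "BREAKS: needs an <allow send_destination=...> rule"
        print(f"{name}: before={before} after={after} {status}")
```

A service that shows `after=False` is one that relied on the permissive default; the remedy the thread describes is adding explicit allow rules to its file in /etc/dbus-1/system.d.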




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:47:54 2019; Machine Name: buxtehude
