Bug 432419 (CVE-2008-0595)
| Summary: | CVE-2008-0595 dbus security policy circumvention | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Josh Bressers <bressers> | ||||
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||
| Status: | CLOSED CURRENTRELEASE | QA Contact: | |||||
| Severity: | high | Docs Contact: | |||||
| Priority: | medium | ||||||
| Version: | unspecified | CC: | davidz, johnp, kreilly, mclasen, rstrode, security-response-team | ||||
| Target Milestone: | --- | Keywords: | Security | ||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | 1.0.2-7.fc7 | Doc Type: | Bug Fix | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2008-02-28 21:36:14 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | 432435, 432436, 432437, 432438 | ||||||
| Bug Blocks: | |||||||
| Attachments: |
|
||||||
Created attachment 294608 [details]
Proposed patch
This doesn't affect rhel4 after all. I rewrote the testcase in C using the dbus 0.22 api and I get a lovely assertion blown: [Calling DoPowerfulThing without interface...18538: assertion failed "(interface && member) || (error_name) || !(interface || member || error_name)" file "dbus-message.c" line 1060 The first clause of the assertion says that method calls need to be fully qualified. This is now public: http://lists.freedesktop.org/archives/dbus/2008-February/009401.html dbus-1.0.2-7.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report. dbus-1.1.2-9.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report. |
Havoc Pennington discovered a flaw in the way the dbus-daemon applies its security policy. Ray Strode describes it as such: When evaluating whether or not to invoke a method call, the bus daemon will look at the security policy and try to determine whether or not the caller is allowed access to the method call. Many dbus services have lines in their security policy of the form: <allow send_interface="some.interface.WithMethods"/> to explicitly whitelist the methods of a particular interface for users of a specific policy context. Normally dbus method calls are invoked fully qualified. That is to say the interface the method belongs to is passed to the bus daemon along with the method name of the method call. The bus daemon does not require method calls to be fully qualified, however. If a caller passes just the method with a NULL interface, then the bus daemon will try to find the interface with the corresponding method and invoke the method call on that interface. In these cases, the send_interface attribute of the allow directive is ignored. <allow send_interface="some.interface.WithMethods"/> is interpreted as an implicit <allow/>. This means that if dbus policy file contains any <allow send_interface="..." /> directives for a particular context, then it implicitly allows that context to invoke non-qualified method calls defined for any interface.