Bug 469151 (CVE-2008-4311)
| Field | Value |
|---|---|
| Summary | CVE-2008-4311 dbus: incorrect use of [send\|receive]_requested_reply policy rule attribute in system.conf |
| Product | [Other] Security Response |
| Component | vulnerability |
| Status | CLOSED WONTFIX |
| Severity | medium |
| Priority | medium |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Reporter | Tomas Hoger <thoger> |
| Assignee | Red Hat Product Security <security-response-team> |
| CC | bressers, cmeadors, dcbw, ddumas, jkeck, jlieskov, kreilly, mclasen, otaylor, tpelka, vdanen, walters |
| Keywords | Security |
| Doc Type | Bug Fix |
| Last Closed | 2015-02-17 15:31:36 UTC |
| Bug Depends On | 474895, 489875, 489877, 489878, 489879, 489884, 489886, 489894, 489899, 489953, 489955 |
Description
Tomas Hoger
2008-10-30 09:51:25 UTC
Brief summary of my upstream comment: http://bugs.freedesktop.org/show_bug.cgi?id=18229#c4

Current behaviour seems to comply with the semantics documented in the dbus-daemon(1) man page. The attributes [send|receive]_requested_reply are defined to be ignored for non-reply messages. Therefore the default system.conf configuration file seems to rely on an incorrect assumption that the rule:

```xml
<allow send_requested_reply="true"/>
```

only applies to reply messages, while it's actually `<allow/>` for non-replies. We may need to change the default system.conf to list:

```xml
<allow send_requested_reply="true" send_type="method_return"/>
<allow send_requested_reply="true" send_type="error"/>
```

(and similar for receive_requested_reply) to make sure the rule only applies to the intended message types. Other patches proposed so far change previously defined semantics.

Another update from the upstream bug: restricting the rule:

```xml
<allow receive_requested_reply="true"/>
```

seems to be problematic, as too many applications mistakenly rely on this rule. Each dbus message is checked against policy two times: first to check if the sender is permitted to send the message, second to check if the receiver is permitted to receive the message. So applications may have all send rules defined correctly, but very few have any receive rules.

Is there a patch for this yet upstream?

Created attachment 323869 [details]
The change I proposed in the upstream bug

Yeah, let's see if davidz can get some upstream comment on it. I don't feel comfortable putting this into RHEL until we get _somebody_ from upstream to sign off on it.

Public now via new upstream release 1.2.6: http://lists.freedesktop.org/archives/dbus/2008-December/010702.html

Upstream patch: http://cgit.freedesktop.org/dbus/dbus/commit/?id=70a0ac620ab4be279ef8e0945307b541e10a1393

From CVE entry: The default configuration of system.conf in D-Bus (aka DBus) before 1.2.6 omits the send_type attribute in certain rules, which allows local users to bypass intended access restrictions by (1) sending messages, related to send_requested_reply; and possibly (2) receiving messages, related to receive_requested_reply.

Adding other references:
http://lists.freedesktop.org/archives/dbus/2008-December/010702.html
http://www.securityfocus.com/bid/32674
http://www.vupen.com/english/advisories/2008/3355
http://secunia.com/advisories/33047
http://secunia.com/advisories/33055
http://xforce.iss.net/xforce/xfdb/47138

I am going to defer this issue. The fix is very complicated and the risk outweighs the potential reward. This flaw may be fixed in a future dbus update.

Statement: Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
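The following is an added illustration, not code from this bug or from dbus: a small Python model of the rule-matching semantics the reporter quotes from dbus-daemon(1) (rules are evaluated in order, the last match wins, and the `send_requested_reply`/`receive_requested_reply` attribute is ignored for any message that is not a reply). It shows side by side why the pre-1.2.6 rule `<allow send_requested_reply="true"/>` lets a plain method call or signal through, why the 1.2.6 form with `send_type="method_return"` and `send_type="error"` does not, and how the sender-side and receiver-side checks combine. The names `Message`, `Rule`, `decide`, `deliverable` and `outcomes` are inventions of this example, and the "deny everything" rules that open the real `<policy context="default">` in system.conf are collapsed into one catch-all deny; the real daemon matches many more attributes than are modelled here.

```python
# Toy model of dbus-daemon <allow>/<deny> matching, written to illustrate
# CVE-2008-4311. This is added example code, not dbus source: it encodes only
# the dbus-daemon(1) semantics quoted in the bug (rules are evaluated in order
# and the last matching rule wins; *_requested_reply is ignored for messages
# that are not replies) and treats the "deny everything" rules of system.conf
# as a single catch-all deny.
from dataclasses import dataclass
from typing import Dict, List, Optional

REPLY_TYPES = {"method_return", "error"}


@dataclass
class Message:
    msg_type: str                  # method_call, method_return, error or signal
    requested_reply: bool = False  # True only for a reply to a call the peer made


@dataclass
class Rule:
    """One <allow/> or <deny/> element. msg_type stands for send_type in a
    send policy and receive_type in a receive policy; requested_reply likewise
    stands for send_requested_reply / receive_requested_reply."""
    allow: bool
    msg_type: Optional[str] = None
    requested_reply: Optional[bool] = None

    def matches(self, msg: Message) -> bool:
        if self.msg_type is not None and self.msg_type != msg.msg_type:
            return False
        if self.requested_reply is not None and msg.msg_type in REPLY_TYPES:
            return self.requested_reply == msg.requested_reply
        # For a non-reply message the requested_reply attribute is ignored, so a
        # rule carrying nothing else matches every message: the bug on this page.
        return True


def decide(policy: List[Rule], msg: Message) -> bool:
    verdict = False           # nothing is permitted unless some rule allows it
    for rule in policy:
        if rule.matches(msg):
            verdict = rule.allow  # last matching rule wins
    return verdict


def deliverable(send_policy: List[Rule], receive_policy: List[Rule],
                msg: Message) -> bool:
    """The two checks the bug describes: the sender must be allowed to send
    and the receiver must be allowed to receive."""
    return decide(send_policy, msg) and decide(receive_policy, msg)


# Default system.conf before dbus 1.2.6 (intent: allow requested replies only).
VULNERABLE = [
    Rule(allow=False),                        # catch-all deny (simplified)
    Rule(allow=True, requested_reply=True),   # <allow send_requested_reply="true"/>
]

# Rules as changed in dbus 1.2.6: the type restriction makes the attribute
# meaningful, because it is only ever consulted for method_return and error.
FIXED = [
    Rule(allow=False),
    Rule(allow=True, requested_reply=True, msg_type="method_return"),
    Rule(allow=True, requested_reply=True, msg_type="error"),
]

# Constructed sample messages.
CALL = Message("method_call")
SIGNAL = Message("signal")
WANTED_REPLY = Message("method_return", requested_reply=True)
UNSOLICITED_REPLY = Message("method_return", requested_reply=False)


def outcomes(policy: List[Rule]) -> Dict[str, bool]:
    """What one policy does with each sample message, keyed by a short label."""
    return {
        "method_call": decide(policy, CALL),
        "signal": decide(policy, SIGNAL),
        "requested_reply": decide(policy, WANTED_REPLY),
        "unsolicited_reply": decide(policy, UNSOLICITED_REPLY),
    }


if __name__ == "__main__":
    for name, policy in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        print(name, outcomes(policy))
```

Under the vulnerable policy the method call and the signal are allowed even though the author of the rule meant to permit only replies; under the fixed policy both are denied while a genuinely requested reply is still allowed and an unsolicited one is still refused. `deliverable` also shows why the reporter found the receive-side rule harder to tighten: a message passes only if both the sender's send policy and the receiver's receive policy allow it, so a stricter receive rule bites every recipient that never wrote receive rules of its own.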