Description of problem: There is a security issue in the implementation of Net::DBus::Object. In the place where it dispatches RPC calls, it simply does $self->can($method_name) so, it allows the dbus client to invoke any method that the service side object implements. Many service implementors would like ability to restrict this to just allow methods they explicitly export in the introspection XML data. Furthermore, the current check also allows direct invocation of several internal impl methods of Net::DBus::Object itself. This allows a remote client to do a denial of service by calling 'disconnect' which unregisters the object from the bus. It also allows the remote client to emit signals on the object which others clients may then act on. For the dbus 'system' bus, the service can be running as root, and client as an unprivileged user, so this flaw may allow a client to run things they shouldn't. While impact of being able to emit signals / invoke improper methods *may* be limited by the need to have ACLs registered with dbus system bus instance, the degree of protection depends on how well the app author wrote their ACLs. So one can't rely on this. For the dbus 'session' bus, everything is running as unprivileged user, so impact is reasonably low, denial of service. This issue is already public via upstream bug report https://rt.cpan.org/Ticket/Display.html?id=45034 And I have a patch available which should resolve it http://hg.berrange.com/libraries/net-dbus--devel?cs=be26112c5fdd Version-Release number of selected component (if applicable): How reproducible: Always Steps to Reproduce: 1. Run the 'examples/example-service.pl' file from source tar.gz 2. In another terminal run $ dbus-send --session --print-reply --dest=org.designfu.SampleService /SomeObject org.designfu.SampleInterface.HelloWorld "string:hello" $ dbus-send --session --print-reply --dest=org.designfu.SampleService /SomeObject org.designfu.SampleInterface.disconnect $ dbus-send --session --print-reply --dest=org.designfu.SampleService /SomeObject org.designfu.SampleInterface.HelloWorld "string:hello" Actual results: The 'disconnect' method was allowed $ dbus-send --session --print-reply --dest=org.designfu.SampleService /SomeObject org.designfu.SampleInterface.HelloWorld "string:hello" method return sender=:1.61 -> dest=:1.62 reply_serial=2 array [ string "Hello" string " from example-service.pl" ] $ dbus-send --session --print-reply --dest=org.designfu.SampleService /SomeObject org.designfu.SampleInterface.disconnect method return sender=:1.61 -> dest=:1.63 reply_serial=2 $ dbus-send --session --print-reply --dest=org.designfu.SampleService /SomeObject org.designfu.SampleInterface.HelloWorld "string:hello" Error org.freedesktop.DBus.Error.UnknownMethod: Method "HelloWorld" with signature "s" on interface "org.designfu.SampleInterface" doesn't exist Expected results: The 'disconnect' method should be denied $ dbus-send --session --print-reply --dest=org.designfu.SampleService /SomeObject org.designfu.SampleInterface.HelloWorld "string:hello" method return sender=:1.65 -> dest=:1.66 reply_serial=2 array [ string "Hello" string " from example-service.pl" ] $ dbus-send --session --print-reply --dest=org.designfu.SampleService /SomeObject org.designfu.SampleInterface.disconnect Error org.freedesktop.DBus.Error.Failed: No such method SomeObject->disconnect $ dbus-send --session --print-reply --dest=org.designfu.SampleService /SomeObject org.designfu.SampleInterface.HelloWorld "string:hello" method return sender=:1.65 -> dest=:1.68 reply_serial=2 array [ string "Hello" string " from example-service.pl" ] Additional info: Bug affects all Fedora releases.
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle. Changing version to '11'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
This message is a reminder that Fedora 11 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 11. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '11'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 11's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 11 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Fedora 11 changed to end-of-life (EOL) status on 2010-06-25. Fedora 11 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed.