[Pkg-utopia-maintainers] Bug#510639: hal.conf.in needs augmenting for new D-Bus
Simon McVittie
smcv at debian.org
Sat Jan 3 23:44:23 UTC 2009
Package: hal
Version: 0.5.11-6
Severity: serious
Justification: blocker for #503532 (CVE-2008-4311)
Tags: upstream
User: pkg-utopia-maintainers at lists.alioth.debian.org
Usertags: CVE-2008-4311

hal installs a D-Bus system policy file which doesn't allow
introspection, or the KillSwitch method used by NetworkManager. These
used to be allowed accidentally by a dbus-daemon bug, but with the
dbus-daemon currently in experimental (which is now targeted for lenny)
they will be denied.

https://bugs.freedesktop.org/show_bug.cgi?id=18985 provides a partial,
unreviewed patch. Some quick notes I made while rummaging through the
hal source tree:

org.freedesktop.Hal.SingletonAddon - emits methods (!?) which libhal receives
rfkill: org.freedesktop.Hal.Device.KillSwitch has SetPower/GetPower
dockstation: org.freedesktop.Hal.Device.DockStation has Undock
org.freedesktop.Hal.Device.Storage has CloseTray, Eject
org.freedesktop.Hal.Device.SystemPowerManagement has Suspend etc.
org.freedesktop.Hal.Device.WakeOnLan has GetEnabled, SetEnabled
LaptopPanel already covered
CPUFreq?
KeyboardBacklight?
LightSensor?
Storage.Removable?
AccessControl?

I don't know which of these should allow privileged or unprivileged
access. A conservative version would be to let root access them.

Regards from the Cambridge BSP,
Simon
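
The following is an added example, not part of the original message and not hal's own code or policy file: a small audit of which of the interfaces listed above a given user could call under a D-Bus policy. The sample policy is constructed, the function names are hypothetical, and the evaluator is deliberately simplified: it assumes the bus denies method calls by default, models only `send_destination` and `send_interface`, and ignores group and at_console policies.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy, not hal's shipped hal.conf.
SAMPLE_POLICY = """<busconfig>
  <policy context="default">
    <allow send_destination="org.freedesktop.Hal"
           send_interface="org.freedesktop.DBus.Introspectable"/>
  </policy>
  <policy user="root">
    <allow send_destination="org.freedesktop.Hal"
           send_interface="org.freedesktop.Hal.Device.KillSwitch"/>
  </policy>
</busconfig>"""

# Interfaces named in the message above, plus standard D-Bus introspection.
INTERFACES = [
    "org.freedesktop.DBus.Introspectable",
    "org.freedesktop.Hal.Device.KillSwitch",
    "org.freedesktop.Hal.Device.DockStation",
    "org.freedesktop.Hal.Device.Storage",
    "org.freedesktop.Hal.Device.SystemPowerManagement",
    "org.freedesktop.Hal.Device.WakeOnLan",
]

def applicable_policies(root, user):
    """Yield <policy> elements in application order: default, user, mandatory."""
    pols = root.findall("policy")
    yield from (p for p in pols if p.get("context") == "default")
    yield from (p for p in pols if p.get("user") == user)
    yield from (p for p in pols if p.get("context") == "mandatory")

def send_allowed(policy_xml, user, destination, interface):
    """Assumed default-deny; the last fully matching allow/deny rule wins."""
    msg = {"send_destination": destination, "send_interface": interface}
    verdict = False
    for policy in applicable_policies(ET.fromstring(policy_xml), user):
        for rule in policy:
            # Skip rules using attributes this simplified model does not cover.
            modelled = rule.attrib and not set(rule.attrib) - set(msg)
            if rule.tag not in ("allow", "deny") or not modelled:
                continue
            if all(msg[k] == v for k, v in rule.attrib.items()):
                verdict = rule.tag == "allow"
    return verdict

def audit(policy_xml, user, destination="org.freedesktop.Hal"):
    """Map each interface to whether `user` may send method calls to it."""
    return {i: send_allowed(policy_xml, user, destination, i) for i in INTERFACES}
```

Interfaces that map to `False` for every user in such an audit are the ones that stop working once the bus enforces its policy strictly.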