[Pkg-utopia-maintainers] Bug#510653: avahi-daemon: /etc/dbus-1/system.d file needs alterations for fd.o #18961

Simon McVittie smcv at debian.org
Sun Jan 4 02:17:19 UTC 2009


Package: avahi-daemon
Version: 0.6.23-3
Severity: normal
User: pkg-utopia-maintainers at lists.alioth.debian.org
Usertags: fdo-18961

avahi-daemon's D-Bus system.d config should be updated to fix
non-deterministic allow/deny for messages with no interface (related to
CVE-2008-4311); the D-Bus upstream recommendation seems to be that every
allow or deny rule with send_interface="..." should have a suitable
send_destination attribute too.

http://bugs.freedesktop.org/show_bug.cgi?id=18961 is the D-Bus bug tracking
this; there have also been discussions on the D-Bus mailing list.

In this case, it appears it might also be possible to bypass the intended
restriction on SetHostName by sending the method call with an empty interface
name.

Regards from the Cambridge BSP,
    Simon
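
One way to audit a D-Bus policy file for the pattern described in this report, as an added example that is not part of the original message and not code from avahi or D-Bus. The sample policy, the `org.example.*` names and the function `find_unscoped_rules` are constructed for illustration; only `SetHostName` comes from the report.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy (NOT the file shipped in the avahi-daemon package).
SAMPLE_POLICY = """\
<busconfig>
  <policy context="default">
    <deny send_interface="org.example.Daemon" send_member="SetHostName"/>
    <allow send_destination="org.example.Daemon"
           send_interface="org.example.Daemon.Browser"/>
  </policy>
  <policy group="netdev">
    <allow send_interface="org.example.Daemon"/>
  </policy>
</busconfig>
"""

# Attributes that select which connections a <policy> block applies to.
POLICY_SELECTORS = ("context", "user", "group", "at_console")


def find_unscoped_rules(policy_xml):
    """Return (policy, action, interface, member) for every allow/deny rule
    that sets send_interface but has no send_destination attribute."""
    findings = []
    for policy in ET.fromstring(policy_xml).iter("policy"):
        scope = next((f"{k}={policy.get(k)}" for k in POLICY_SELECTORS
                      if policy.get(k) is not None), "unscoped")
        for rule in policy:
            if rule.tag not in ("allow", "deny"):
                continue
            if ("send_interface" in rule.attrib
                    and "send_destination" not in rule.attrib):
                findings.append((scope, rule.tag,
                                 rule.get("send_interface"),
                                 rule.get("send_member")))
    return findings


if __name__ == "__main__":
    for scope, action, iface, member in find_unscoped_rules(SAMPLE_POLICY):
        print(f"[{scope}] <{action}> send_interface={iface!r} "
              f"send_member={member!r}: add a send_destination attribute")
```
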