Testing requested: D-Bus-related packages and CVE-2008-4311

Simon McVittie smcv at debian.org
Sun Jan 4 22:01:37 UTC 2009


In order to fix CVE-2008-4311 the default permissions on the system bus
have been tightened up. This has revealed bugs in the configurations
shipped with a number of services using the system bus which relied on
the broken behaviour and will now break. We've been using
<http://wiki.debian.org/DBusPermissions> to track the resulting mess.

i386 binaries and source for a version of dbus targeted at lenny are
available from <http://people.debian.org/~smcv/dbus-cve-2008-4311/>.
This has the correct deny-by-default policy, and logs to syslog (auth.log)
when messages are disallowed. Please test D-Bus-related packages with
this version, or with the new upstream version in experimental (which
has the same deny-by-default policy but a bit less logging).

However, there are known regressions in hal, ConsoleKit, PolicyKit,
system-tools-backends and bluez-utils with this version of dbus, so
don't install it until their RC bugs have been fixed if you rely heavily
on these packages.

(hal mostly works, but RF kill-switches and cpufreq manipulation are known to
be broken; the bug I filed has a patch which works for me, and might work for
you too. Similarly, system-tools-backends' bug has a patch that works
for me. I haven't tested the other RC-buggy packages myself.)

At the Cambridge BSP we've been through all the packages that install
system bus configuration checking for obvious problems in the
configuration, and tested some of the more popular ones. However, we
weren't able to test everything, so these packages (maintainers Cc'd)
particularly need testing:

	kerneloops
	mumble
	network-manager-openvpn
	network-manager-pptp
	network-manager-vpnc
	pathfinder
	smart-notifier
	yum

Thanks,
    Simon
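What "relied on the broken behaviour" looks like in a service's system.d file is not shown above, so the following is an added example (not code from this email, the Debian wiki page or the dbus package). The pre-fix default system.conf denied messages by matching on `send_interface`, which left method calls that carry no interface field unfiltered, and service files that only granted `send_interface` appeared to work; the fixed policy denies method calls outright, so a service file has to allow its own bus name as a `send_destination`. The lint below encodes just that rule. The service name `org.example.Widget` and both configuration fragments are constructed, and the checker models only the `own`, `send_destination` and `send_interface` attributes, not dbus-daemon's full last-match-wins evaluation.

```python
"""Lint a D-Bus system-bus service policy file for rules that only appeared
to work before the CVE-2008-4311 fix.  Added example; the service name
org.example.Widget and both configs are constructed."""
import xml.etree.ElementTree as ET

# Constructed: a service file that relied on the old default policy.  The
# old system.conf denied by interface, so an <allow send_interface=...> was
# enough (and calls with no interface field were never filtered at all).
WEAK_CONF = """\
<!DOCTYPE busconfig PUBLIC
 "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <policy user="root">
    <allow own="org.example.Widget"/>
  </policy>
  <policy context="default">
    <allow send_interface="org.example.Widget"/>
  </policy>
</busconfig>
"""

# Constructed: the same service with the rules a deny-by-default policy
# needs.  Method calls are refused unless a service file allows the
# destination, so the allow is keyed on the bus name; a narrower deny keeps
# a hypothetical administrative interface away from unprivileged callers.
FIXED_CONF = """\
<!DOCTYPE busconfig PUBLIC
 "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <policy user="root">
    <allow own="org.example.Widget"/>
    <allow send_destination="org.example.Widget"/>
  </policy>
  <policy context="default">
    <allow send_destination="org.example.Widget"/>
    <deny send_destination="org.example.Widget"
          send_interface="org.example.Widget.Admin"/>
  </policy>
</busconfig>
"""


def _policy_label(pol):
    """Describe a <policy> element by the attribute dbus-daemon selects it on."""
    for attr in ("context", "user", "group"):
        if attr in pol.attrib:
            return "%s=%s" % (attr, pol.get(attr))
    return "(unqualified)"


def lint_service_config(xml_text):
    """Return a list of human-readable findings; an empty list means no problem found."""
    root = ET.fromstring(xml_text)
    if root.tag != "busconfig":
        return ["root element is <%s>, expected <busconfig>" % root.tag]

    issues = []
    owned = set()          # bus names some policy may own
    dest_allowed = set()   # bus names some policy allows method calls to
    for pol in root.findall("policy"):
        label = _policy_label(pol)
        for rule in pol:   # ElementTree drops XML comments, so only <allow>/<deny> remain
            if rule.tag != "allow":
                continue
            if "own" in rule.attrib:
                owned.add(rule.get("own"))
            if "send_destination" in rule.attrib:
                dest_allowed.add(rule.get("send_destination"))
            elif "send_interface" in rule.attrib:
                issues.append(
                    "policy %s: <allow send_interface=\"%s\"/> has no "
                    "send_destination; access should be granted by bus name, "
                    "and an interface-only allow applies to that interface on "
                    "every destination" % (label, rule.get("send_interface")))

    for name in sorted(owned):
        if name not in dest_allowed and "*" not in dest_allowed:
            issues.append(
                "no <allow send_destination=\"%s\"/> anywhere: under "
                "deny-by-default, method calls to this service are refused "
                "(and logged to auth.log by the test packages)" % name)
    return issues


if __name__ == "__main__":
    for title, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        findings = lint_service_config(conf)
        print("%s config: %d finding(s)" % (title, len(findings)))
        for finding in findings:
            print("  -", finding)
```

Run against the weak configuration the lint reports two findings (an interface-only allow, and an owned name that nothing grants `send_destination` for); the fixed configuration produces none. Pointing it at real files under /etc/dbus-1/system.d is a quick first pass before the manual testing the email asks for, with the caveat that a clean result from this simplified model is not a substitute for watching auth.log with the deny-by-default daemon running.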