rpms/dbus/F-8 dbus-fix-for-cve-2008-0595.patch, NONE, 1.1 dbus.spec, 1.132, 1.133

David Zeuthen (davidz) fedora-extras-commits at redhat.com
Thu Feb 28 04:33:25 UTC 2008


Author: davidz

Update of /cvs/pkgs/rpms/dbus/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv6147

Modified Files:
	dbus.spec 
Added Files:
	dbus-fix-for-cve-2008-0595.patch 
Log Message:
* Wed Feb 27 2008 David Zeuthen <davidz at redhat.com> - 1.1.2-9%{?dist}
- CVE-2008-0595



dbus-fix-for-cve-2008-0595.patch:

--- NEW FILE dbus-fix-for-cve-2008-0595.patch ---
diff --git a/bus/policy.c b/bus/policy.c
index 383b2b1..caa544e 100644
--- a/bus/policy.c
+++ b/bus/policy.c
@@ -942,9 +942,19 @@ bus_client_policy_check_can_send (BusClientPolicy *policy,
       
       if (rule->d.send.interface != NULL)
         {
-          if (dbus_message_get_interface (message) != NULL &&
-              strcmp (dbus_message_get_interface (message),
-                      rule->d.send.interface) != 0)
+          /* The interface is optional in messages. For allow rules, if the message
+           * has no interface we want to skip the rule (and thus not allow);
+           * for deny rules, if the message has no interface we want to use the
+           * rule (and thus deny).
+           */
+          dbus_bool_t no_interface;
+
+          no_interface = dbus_message_get_interface (message) == NULL;
+          
+          if ((no_interface && rule->allow) ||
+              (!no_interface && 
+               strcmp (dbus_message_get_interface (message),
+                       rule->d.send.interface) != 0))
             {
               _dbus_verbose ("  (policy) skipping rule for different interface\n");
               continue;
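Review bot: The `_dbus_verbose` text under the new condition still reads "skipping rule for different interface", but an allow rule is now also skipped when the message carries no interface at all, so a policy trace would misreport why an interface-less message was not allowed. Consider wording that covers both cases, e.g. `_dbus_verbose ("  (policy) skipping rule: interface missing or different\n");`, and reading the interface once into a local (`const char *iface = dbus_message_get_interface (message);`) rather than calling the getter twice. The same two points apply to the identical hunk in bus_client_policy_check_can_receive. Both functions start and end outside these hunks, so it is not visible here whether the neighbouring rule attributes still use the NULL-tolerant comparison that the removed lines used; that is worth checking alongside this fix.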
@@ -1128,9 +1138,19 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy,
       
       if (rule->d.receive.interface != NULL)
         {
-          if (dbus_message_get_interface (message) != NULL &&
-              strcmp (dbus_message_get_interface (message),
-                      rule->d.receive.interface) != 0)
+          /* The interface is optional in messages. For allow rules, if the message
+           * has no interface we want to skip the rule (and thus not allow);
+           * for deny rules, if the message has no interface we want to use the
+           * rule (and thus deny).
+           */
+          dbus_bool_t no_interface;
+
+          no_interface = dbus_message_get_interface (message) == NULL;
+          
+          if ((no_interface && rule->allow) ||
+              (!no_interface &&
+               strcmp (dbus_message_get_interface (message),
+                       rule->d.receive.interface) != 0))
             {
               _dbus_verbose ("  (policy) skipping rule for different interface\n");
               continue;


Index: dbus.spec
===================================================================
RCS file: /cvs/pkgs/rpms/dbus/F-8/dbus.spec,v
retrieving revision 1.132
retrieving revision 1.133
diff -u -r1.132 -r1.133
--- dbus.spec	25 Oct 2007 18:06:48 -0000	1.132
+++ dbus.spec	28 Feb 2008 04:32:49 -0000	1.133
@@ -8,7 +8,7 @@
 Summary: D-BUS message bus
 Name: dbus
 Version: 1.1.2
-Release: 8%{?dist}
+Release: 9%{?dist}
 URL: http://www.freedesktop.org/software/dbus/
 Source0: http://dbus.freedesktop.org/releases/dbus/%{name}-%{version}.tar.gz
 Source1: doxygen_to_devhelp.xsl
@@ -43,6 +43,8 @@
 Patch4: dbus-1.1.2-no-abort.patch
 # from upstream git
 Patch5: dbus-pie.patch
+# CVE-2008-0595
+Patch6: dbus-fix-for-cve-2008-0595.patch
 
 %description
 
@@ -89,6 +91,7 @@
 %patch3 -p1 -b .audit-user
 %patch4 -p1 -b .abort
 %patch5 -p1 -b .pie
+%patch6 -p1 -b .cve-2008-0595
 
 autoreconf -f -i
 
@@ -208,6 +211,9 @@
 %{_datadir}/devhelp/books/dbus
 
 %changelog
+* Wed Feb 27 2008 David Zeuthen <davidz at redhat.com> - 1.1.2-9%{?dist}
+- CVE-2008-0595
+
 * Thu Oct 25 2007 Bill Nottingham <notting at redhat.com> - 1.1.2-8
 - have -libs obsolete older versions of the main package so that yum upgrades work
 



