No permission to call method (dbus 1.2.8)

Thanks a lot for the patch. I tested it and I didn't experience any problems in Intrepid.

It works in Jaunty too.

SRU request:

TEST-CASE:
The supplied D-Bus system bus configuration does not contain any policy to allow communication with the exported objects. Thus this only works because of a security flaw in D-Bus, fixed in 1.2.6/8.

If not updated, the GNOME Screen Resolution applet will stop working when the security flaw is fixed in Dbus.

The full source is available in my bazaar branch:
https://code.launchpad.net/~albertomilone/screen-resolution-extra/main

This bug was fixed in the package screen-resolution-extra - 0.4

---------------
screen-resolution-extra (0.4) jaunty; urgency=low

  [ Scott James Remnant ]
  * com.ubuntu.ScreenResolution.Mechanism.conf:
    - allow messages to be sent to the service. LP: #306705.

  [ Martin Pitt ]
  * debian/control: Add Vcs-Bzr header.

 -- Scott James Remnant <email address hidden> Sun, 04 Jan 2009 11:28:07 +0100

Sponsored for Jaunty. Alberto, please apply the attached patch to your bzr branch, so that it is consistent with Jaunty, and also adds the Vcs-Bzr: header.

Do we need to fix this in intrepid as well? AFAICS we only need to do that if we put the stricter D-Bus fix into intrepid.

If the new D-Bus goes in, this should go through -security, not -updates. And in that case fixes like this need to go through -security as well, and published in one USN.

If the new D-Bus does not go in, we do not need to fix this either.

Thus I unsubscribe ubuntu-sru now. If we need it in stables, please add stable tasks and subscribe ubuntu-security.

Thanks for the patch, Martin.

I agree with you that, if we were to upload this fix to Intrepid, -security would be the best place where this should happen.

Today I've read Scott's email in ubuntu-devel which says:

"We've audited the system bus services shipped in Ubuntu, and are
confident that there is no security exploit.  Those services exporting
privileged methods either have sufficient "deny" rules, or use PolicyKit
for authorisation.

For this reason, and due to the large potential for regressions, we've
opted not to release a security update for previous Ubuntu versions.  We
may still do so if we discover a potential for exploit."

In other words, if they decide to update Dbus in Intrepid we'll have to upload this fix .

On Mon, 2009-01-19 at 16:43 +0000, Alberto Milone wrote:

> In other words, if they decide to update Dbus in Intrepid we'll have
> to upload this fix .
>
It's probably easier if we find a service that is exploitable, to just
upload a fix for that service's policy conf to deny the method calls
explicitly.

Scott
--
Scott James Remnant
<email address hidden>