    CVE-2008-0595 dbus security policy circumvention · 6db561dc
    John Palmieri authored
    * CVE-2008-0595 - security policy of the type <allow send_interface=
      "some.interface.WithMethods"/> works as an implicit allow for
      messages sent without an interface bypassing the default deny rules
      and potentially allowing restricted methods exported on the bus to be
      executed by unauthorized users.  This patch fixes the issue.
    * bus/policy.c (bus_client_policy_check_can_send,
      bus_client_policy_check_can_receive): skip messages without an
      interface when evaluating an allow rule, and thus pass it to the
      default deny rules
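
The rule evaluation described in the commit message, as an added example that is not part of the commit and is not the code in bus/policy.c. It is a simplified model: `send_rule`, `can_send`, the `patched` flag and the two-rule policy are constructed for illustration, and it assumes the last matching rule decides.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Simplified model of a send rule; not the structures used in bus/policy.c. */
struct send_rule {
    bool allow;              /* true for <allow>, false for <deny> */
    const char *interface;   /* send_interface attribute, NULL if absent */
};

/* Evaluate rules in order; the last matching rule decides (assumption of
 * this model). msg_iface is NULL when the message carries no interface.
 * patched selects the behaviour described in the commit message. */
bool can_send(const struct send_rule *rules, size_t n,
              const char *msg_iface, bool patched)
{
    bool allowed = false;    /* nothing matched yet: not allowed */
    for (size_t i = 0; i < n; i++) {
        const struct send_rule *r = &rules[i];
        if (r->interface != NULL) {
            if (msg_iface == NULL) {
                /* Patched: an allow rule naming an interface is skipped for
                 * a message with no interface; deny rules are unchanged. */
                if (patched && r->allow)
                    continue;
            } else if (strcmp(msg_iface, r->interface) != 0) {
                continue;    /* different interface: rule does not match */
            }
        }
        allowed = r->allow;
    }
    return allowed;
}

/* Constructed policy: default deny, then allow one interface. */
static const struct send_rule policy[] = {
    { false, NULL },                          /* <deny/> for everything */
    { true,  "some.interface.WithMethods" },  /* <allow send_interface=.../> */
};
#define POLICY_LEN (sizeof policy / sizeof policy[0])

int main(void)
{
    /* Exit status 0 when the pre-patch bypass and the patched denial hold. */
    bool bypass  = can_send(policy, POLICY_LEN, NULL, false);
    bool blocked = !can_send(policy, POLICY_LEN, NULL, true);
    return (bypass && blocked) ? 0 : 1;
}
```

When auditing a bus policy against this issue, the rules to look at are `<allow>` elements that rely on `send_interface` alone to restrict what may be sent.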