I found a nasty bug in match_rule_equal() that can cause matches to be removed
from other connections (thanks go to the other guys for finding a reproducible
use case for the bug).
Created attachment 7884
Lightly tested patch.
I hope you realise this is quite a severe security bug... The patch has been
tested inside Nokia.
Restricting bug visibility, though I guess it's a little late.
Kimmo, have you thought of exploits for this other than denial of service?
Security team will want to understand possible consequences.
Adding bressers to cc list for errata advice.
(In reply to comment #3)
> Kimmo, have you thought of exploits for this other than denial of service?
> Security team will want to understand possible consequences.
No, I'm not aware of any more exploits. I guess not much serious security
technology is based on D-Bus yet...
I had a chat with John. He and I agree that we should embargo this issue until
2006-12-12 at 14:00 UTC.
I've assigned CVE-2006-6107 to this issue and plan to send the details to the
Vendor Security mailing list for peer review. Any public announcements
regarding this flaw should mention the CVE id to help avoid confusion.
Do you have a simple reproducer for this flaw that can be distributed to other
vendors for QA purposes?
Do keep in mind that while this bug is marked private now, it wasn't
originally; it is possible the bug is effectively public.
Also, again, I think this is a local denial of service only, as far as we know
(it doesn't allow sending disallowed messages; it just allows disabling the
receipt of messages that another process may have been expecting, and there is
no TCP socket, only Unix domain).
(In reply to comment #7)
> Do you have a simple reproducer for this flaw that can be distributed to other
> vendors for QA purposes?
We don't have the software public yet, but the use case was the following. There
are three processes A, B, and C. All of them add the same match (same value). A
is started first, then B, and lastly C. Now, B and C are closed: if B is closed
before C, A's match is removed; but if C is closed before B, A's match is not
removed (no buggy behaviour). (B and C call dbus_bus_remove_match on exit.)
It should be possible to reproduce this with simple programs, but I have not
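The three-process scenario above, modelled as an added example. This is constructed for this page; it is not D-Bus's code and not a reconstruction of the actual match_rule_equal() change. It models a bus-side match table shared by all connections, where a client's RemoveMatch is honoured by searching the table for an equal rule. With an owner-blind comparison, B's removal deletes A's rule; with an owner-aware comparison, only the caller's own rule goes. The model uses a plain FIFO list and does not try to reproduce the order dependence the reporter observed; the rule text and the connection ids 1, 2, 3 (for A, B, C) are made up.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a bus-daemon match table (not D-Bus's own code). */
typedef struct Rule {
    int owner;              /* connection that registered this rule (hypothetical id) */
    char value[96];         /* match rule text */
    struct Rule *next;
} Rule;

typedef struct {
    Rule *head;             /* rules kept in the order they were added (FIFO) */
} MatchTable;

typedef bool (*RuleEqual)(const Rule *, const Rule *);

/* Owner-blind comparison: two rules are "equal" whenever their text matches. */
static bool rule_equal_blind(const Rule *a, const Rule *b)
{
    return strcmp(a->value, b->value) == 0;
}

/* Owner-aware comparison: the rule must also belong to the same connection. */
static bool rule_equal_owned(const Rule *a, const Rule *b)
{
    return a->owner == b->owner && strcmp(a->value, b->value) == 0;
}

static void table_add(MatchTable *t, int owner, const char *value)
{
    Rule *r = calloc(1, sizeof *r);
    if (r == NULL)
        abort();
    r->owner = owner;
    snprintf(r->value, sizeof r->value, "%s", value);
    Rule **pp = &t->head;
    while (*pp != NULL)         /* append at the tail */
        pp = &(*pp)->next;
    *pp = r;
}

/* Remove-by-value, as a RemoveMatch from `owner` would trigger: drop the first
 * rule that `eq` considers equal. Returns the owner of the rule actually
 * removed, or -1 if nothing matched. */
static int table_remove(MatchTable *t, int owner, const char *value, RuleEqual eq)
{
    Rule probe;
    memset(&probe, 0, sizeof probe);
    probe.owner = owner;
    snprintf(probe.value, sizeof probe.value, "%s", value);

    for (Rule **pp = &t->head; *pp != NULL; pp = &(*pp)->next) {
        if (eq(*pp, &probe)) {
            Rule *victim = *pp;
            int removed_owner = victim->owner;
            *pp = victim->next;
            free(victim);
            return removed_owner;
        }
    }
    return -1;
}

static bool table_has(const MatchTable *t, int owner, const char *value)
{
    for (const Rule *r = t->head; r != NULL; r = r->next)
        if (r->owner == owner && strcmp(r->value, value) == 0)
            return true;
    return false;
}

static void table_clear(MatchTable *t)
{
    while (t->head != NULL) {
        Rule *r = t->head;
        t->head = r->next;
        free(r);
    }
}

/* The reporter's scenario: A, B and C add the same match; B and C remove it on
 * exit. Returns true if A's match is still registered afterwards. */
static bool a_match_survives(RuleEqual eq, bool b_exits_first)
{
    static const char *rule = "type='signal',interface='org.example.Test'"; /* made up */
    MatchTable t = { NULL };
    table_add(&t, 1, rule);     /* A */
    table_add(&t, 2, rule);     /* B */
    table_add(&t, 3, rule);     /* C */

    table_remove(&t, b_exits_first ? 2 : 3, rule, eq);
    table_remove(&t, b_exits_first ? 3 : 2, rule, eq);

    bool alive = table_has(&t, 1, rule);
    table_clear(&t);
    return alive;
}

int main(void)
{
    printf("owner-blind:  A's match %s\n", a_match_survives(rule_equal_blind, true) ? "survives" : "is lost");
    printf("owner-aware:  A's match %s\n", a_match_survives(rule_equal_owned, true) ? "survives" : "is lost");
    return 0;
}
```

In the owner-blind run the table is also left holding C's rule after C has gone, so the damage is two-sided: the surviving connection stops receiving the messages it asked for, and a departed connection's rule lingers. Making the connection identity part of rule equality (or keeping a per-connection rule list and only ever removing from the caller's own list) is the invariant a matchmaker needs.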
Is D-Bus 0.22 affected by this? Thanks.
(for the record, the patch applies to the D-Bus 0.22 tarball with little fuzz)
this affects all versions of D-Bus, but the harm depends on services running on
Removing from security group as this is out of embargo