I found a nasty bug in match_rule_equal() that can cause matches to be removed from other connections (thanks go to the other guys for finding a reproducible use case for the bug).
Created attachment 7884 [details] [review]: proposed patch. Lightly tested patch.
I hope you realise this is quite a severe security bug... The patch has been tested inside Nokia.
Restricting bug visibility, though I guess it's a little late. Kimmo, have you thought of exploits for this other than denial of service? The security team will want to understand the possible consequences.
Adding bressers to cc list for errata advice.
(In reply to comment #3) ... > Kimmo, have you thought of exploits for this other than denial of service? > The security team will want to understand the possible consequences. No, I'm not aware of any more exploits. I guess not much serious security technology is based on D-Bus yet...
I had a chat with John; he and I agree that we should embargo this issue until 2006-12-12 at 14:00 UTC. I've assigned CVE-2006-6107 to this issue and plan to send the details to the Vendor Security mailing list for peer review. Any public announcements regarding this flaw should mention the CVE id to help avoid confusion.
Kimmo, do you have a simple reproducer for this flaw that can be distributed to other vendors for QA purposes?
Do keep in mind that while this bug is marked private now, it wasn't originally; it is possible the bug is effectively public.
Also, again, I think this is a local denial of service only, as far as we know (it doesn't allow sending disallowed messages, it just allows disabling the receipt of messages that another process may have been expecting; and there is no TCP socket, only Unix domain).
(In reply to comment #7) ... > Do you have a simple reproducer for this flaw that can be distributed to other > vendors for QA purposes? We don't have the software public yet, but the use case was the following. There are three processes A, B, and C. All of them add the same match (same value). A is started first, then B, and lastly C. Now, B and C are closed: if B is closed before C, A's match is removed; but if C is closed before B, A's match is not removed (no buggy behaviour). (B and C call dbus_bus_remove_match on exit.) It should be possible to reproduce this with simple programs, but I have not tried that.
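The following is an added example, not code from the D-Bus tree or from anyone in this thread. It models the failure mode described in the comment above: one shared rule table in which RemoveMatch deletes the first rule that compares equal, and an equality test that looks only at the rule text and so can delete a rule belonging to a different connection. An owner-aware equality test is shown beside it. The process names A, B and C, the rule string, append order and first-match removal are constructed assumptions; the model does not attempt to reproduce the B-before-C ordering effect the reporter observed, which depends on daemon list handling that is not shown on this page.

```python
"""Added example (not D-Bus code): model of a bus match-rule table.

The daemon keeps one list of match rules for all connections and removes a
rule "by value" when a client calls RemoveMatch.  If the equality test only
compares the rule text, the first textually equal rule in the list is
removed, whichever connection owns it.  Comparing the owning connection as
well confines removal to the caller's own rules.  The three-process setup
(A, B, C adding the same rule), the rule string, append order and
first-match removal are constructed assumptions for this model.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class MatchRule:
    owner: str  # connection that added the rule (assumed field, not D-Bus's)
    value: str  # rule text as sent in AddMatch / RemoveMatch


class MatchMaker:
    """Single rule list shared by all connections."""

    def __init__(self, compare_owner: bool) -> None:
        self.compare_owner = compare_owner
        self.rules: list[MatchRule] = []

    def add_match(self, owner: str, value: str) -> None:
        # Assumption: rules are appended in arrival order.
        self.rules.append(MatchRule(owner, value))

    def _equal(self, a: MatchRule, b: MatchRule) -> bool:
        # Value-only variant: equality by rule text alone.
        # Owner-aware variant: additionally require the same connection.
        if self.compare_owner and a.owner != b.owner:
            return False
        return a.value == b.value

    def remove_match(self, owner: str, value: str) -> str:
        """RemoveMatch: drop the first rule equal to the request.

        Returns the owner of the rule actually removed, so a caller can see
        when it deleted somebody else's rule.
        """
        wanted = MatchRule(owner, value)
        for i, rule in enumerate(self.rules):
            if self._equal(rule, wanted):
                del self.rules[i]
                return rule.owner
        raise KeyError(f"{owner} has no rule {value!r}")

    def owners_matching(self, value: str) -> list[str]:
        """Connections that will still receive messages matching value."""
        return [r.owner for r in self.rules if r.value == value]


RULE = "type='signal',interface='org.example.Foo'"  # constructed rule text


def scenario(compare_owner: bool, exit_order=("B", "C")):
    """A, B and C add RULE in that order; the connections in exit_order then
    call RemoveMatch on exit.  Returns (owners whose rules were removed,
    owners still subscribed)."""
    mm = MatchMaker(compare_owner)
    for conn in ("A", "B", "C"):
        mm.add_match(conn, RULE)
    removed = [mm.remove_match(conn, RULE) for conn in exit_order]
    return removed, mm.owners_matching(RULE)


if __name__ == "__main__":
    print("value-only equality :", scenario(compare_owner=False))
    print("owner-aware equality:", scenario(compare_owner=True))
```

With value-only equality, B's RemoveMatch on exit deletes A's rule (the first equal entry), C's then deletes B's, and the connection left subscribed is C, which is the one that just asked to leave; A silently stops receiving the signals it registered for, with no error returned to anyone. With the owner compared as well, each connection can only ever remove its own rule and A stays subscribed. The detail that makes this a security issue rather than a functional bug is that the call is unprivileged: any local connection to the bus can issue a RemoveMatch whose text happens to equal another client's rule.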
Is D-Bus 0.22 affected by this? Thanks.
(for the record, the patch applies to the D-Bus 0.22 tarball with little fuzz)
This affects all versions of D-Bus, but the harm depends on the services running on the bus.
Removing from security group as this is out of embargo