[yast-commit] r55003 - in /trunk/core: VERSION dbus/SCR_service/org.opensuse.yast.SCR.conf.in package/yast2-core.changes

Author: mvidner Date: Mon Jan 26 14:00:40 2009 New Revision: 55003 URL: http://svn.opensuse.org/viewcvs/yast?rev=55003&view=rev Log: Fixed the D-Bus access policy (bnc#468390, CVE-2008-4311). Modified: trunk/core/VERSION trunk/core/dbus/SCR_service/org.opensuse.yast.SCR.conf.in trunk/core/package/yast2-core.changes Modified: trunk/core/VERSION URL: http://svn.opensuse.org/viewcvs/yast/trunk/core/VERSION?rev=55003&r1=55002&r2=55003&view=diff ============================================================================== --- trunk/core/VERSION (original) +++ trunk/core/VERSION Mon Jan 26 14:00:40 2009 @@ -1 +1 @@ -2.18.1 +2.18.2 Modified: trunk/core/dbus/SCR_service/org.opensuse.yast.SCR.conf.in URL: http://svn.opensuse.org/viewcvs/yast/trunk/core/dbus/SCR_service/org.opensuse.yast.SCR.conf.in?rev=55003&r1=55002&r2=55003&view=diff ============================================================================== --- trunk/core/dbus/SCR_service/org.opensuse.yast.SCR.conf.in (original) +++ trunk/core/dbus/SCR_service/org.opensuse.yast.SCR.conf.in Mon Jan 26 14:00:40 2009 @@ -1,11 +1,20 @@ <!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN" "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd"> <busconfig> +<!-- + Rationale: + http://lists.opensuse.org/opensuse-packaging/2009-01/msg00132.html + https://bugzilla.novell.com/show_bug.cgi?id=468390 +--> <policy user="root"> <allow own="org.opensuse.yast.SCR"/> - <allow send_interface="org.opensuse.yast.SCR.Methods"/> + <allow send_destination="org.opensuse.yast.SCR"/> </policy> <policy context="default"> - <deny own="org.opensuse.yast.SCR"/> - <@ACCESS_MODE@ send_interface="org.opensuse.yast.SCR.Methods"/> + <!-- allowed iff compiled with PolicyKit --> + <@ACCESS_MODE@ send_destination="org.opensuse.yast.SCR" + send_interface="org.opensuse.yast.SCR.Methods"/> + <!-- introspection is allowed --> + </policy> </busconfig> Modified: trunk/core/package/yast2-core.changes URL: http://svn.opensuse.org/viewcvs/yast/trunk/core/package/yast2-core.changes?rev=55003&r1=55002&r2=55003&view=diff ============================================================================== --- trunk/core/package/yast2-core.changes (original) +++ trunk/core/package/yast2-core.changes Mon Jan 26 14:00:40 2009 @@ -1,4 +1,10 @@ ------------------------------------------------------------------- +Mon Jan 26 14:00:31 CET 2009 - mvidner@suse.cz + +- Fixed the D-Bus access policy (bnc#468390, CVE-2008-4311). +- 2.18.2 + +------------------------------------------------------------------- Thu Jan 08 19:01:01 CET 2009 - aschnell@suse.de - added namespace multiset with 1. some list function, 2. some new -- To unsubscribe, e-mail: yast-commit+unsubscribe@opensuse.org For additional commands, e-mail: yast-commit+help@opensuse.org