Author: mvidner
Date: Mon Jan 26 14:00:40 2009
New Revision: 55003
URL: http://svn.opensuse.org/viewcvs/yast?rev=55003&view=rev
Log:
Fixed the D-Bus access policy (bnc#468390, CVE-2008-4311).
Modified:
trunk/core/VERSION
trunk/core/dbus/SCR_service/org.opensuse.yast.SCR.conf.in
trunk/core/package/yast2-core.changes
Modified: trunk/core/VERSION
URL: http://svn.opensuse.org/viewcvs/yast/trunk/core/VERSION?rev=55003&r1=55002&r2=55003&view=diff
==============================================================================
--- trunk/core/VERSION (original)
+++ trunk/core/VERSION Mon Jan 26 14:00:40 2009
@@ -1 +1 @@
-2.18.1
+2.18.2
Modified: trunk/core/dbus/SCR_service/org.opensuse.yast.SCR.conf.in
URL: http://svn.opensuse.org/viewcvs/yast/trunk/core/dbus/SCR_service/org.opensuse.yast.SCR.conf.in?rev=55003&r1=55002&r2=55003&view=diff
==============================================================================
--- trunk/core/dbus/SCR_service/org.opensuse.yast.SCR.conf.in (original)
+++ trunk/core/dbus/SCR_service/org.opensuse.yast.SCR.conf.in Mon Jan 26 14:00:40 2009
@@ -1,11 +1,20 @@
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN" "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
+<!--
+ Rationale:
+ http://lists.opensuse.org/opensuse-packaging/2009-01/msg00132.html
+ https://bugzilla.novell.com/show_bug.cgi?id=468390
+-->
<policy user="root">
<allow own="org.opensuse.yast.SCR"/>
- <allow send_interface="org.opensuse.yast.SCR.Methods"/>
+ <allow send_destination="org.opensuse.yast.SCR"/>
</policy>
<policy context="default">
- <deny own="org.opensuse.yast.SCR"/>
- <@ACCESS_MODE@ send_interface="org.opensuse.yast.SCR.Methods"/>
+ <!-- allowed iff compiled with PolicyKit -->
+ <@ACCESS_MODE@ send_destination="org.opensuse.yast.SCR"
+ send_interface="org.opensuse.yast.SCR.Methods"/>
+ <!-- introspection is allowed -->
+