$OpenBSD: patch-bus_policy_c,v 1.1 2008/02/29 13:38:56 bernd Exp $ Security fix for CVE-2008-0595. http://secunia.com/advisories/29148/ http://lists.freedesktop.org/archives/dbus/2008-February/009401.html --- bus/policy.c.orig Mon Dec 11 20:21:22 2006 +++ bus/policy.c Fri Feb 29 10:33:17 2008 @@ -931,9 +931,19 @@ bus_client_policy_check_can_send (BusClientPolicy *pol if (rule->d.send.interface != NULL) { - if (dbus_message_get_interface (message) != NULL && - strcmp (dbus_message_get_interface (message), - rule->d.send.interface) != 0) + /* The interface is optional in messages. For allow rules, if the message + * has no interface we want to skip the rule (and thus not allow); + * for deny rules, if the message has no interface we want to use the + * rule (and thus deny). + */ + dbus_bool_t no_interface; + + no_interface = dbus_message_get_interface (message) == NULL; + + if ((no_interface && rule->allow) || + (!no_interface && + strcmp (dbus_message_get_interface (message), + rule->d.send.interface) != 0)) { _dbus_verbose (" (policy) skipping rule for different interface\n"); continue; @@ -1117,9 +1127,19 @@ bus_client_policy_check_can_receive (BusClientPolicy * if (rule->d.receive.interface != NULL) { - if (dbus_message_get_interface (message) != NULL && - strcmp (dbus_message_get_interface (message), - rule->d.receive.interface) != 0) + /* The interface is optional in messages. For allow rules, if the message + * has no interface we want to skip the rule (and thus not allow); + * for deny rules, if the message has no interface we want to use the + * rule (and thus deny). + */ + dbus_bool_t no_interface; + + no_interface = dbus_message_get_interface (message) == NULL; + + if ((no_interface && rule->allow) || + (!no_interface && + strcmp (dbus_message_get_interface (message), + rule->d.receive.interface) != 0)) { _dbus_verbose (" (policy) skipping rule for different interface\n"); continue;