| -rw-r--r-- | ChangeLog | 12 | ||||
| -rw-r--r-- | bus/policy.c | 32 | 
2 files changed, 38 insertions, 6 deletions
| @@ -1,5 +1,17 @@
 2008-02-26  John (J5) Palmieri  <johnp@redhat.com>
+	* CVE-2008-0595 - security policy of the type <allow send_interface=
+	  "some.interface.WithMethods"/> work as an implicit allow for
+	  messages sent without an interface bypassing the default deny rules
+	  and potentially allowing restricted methods exported on the bus to be
+	  executed by unauthorized users.  This patch fixes the issue.
+	* bus/policy.c (bus_client_policy_check_can_send,
+	  bus_client_policy_check_can_receive): skip messages without an 
+	  interface when evaluating an allow rule, and thus pass it to the
+	  default deny rules
+
+2008-02-26  John (J5) Palmieri  <johnp@redhat.com>
+
 	* correctly unref connections without guids during shutdown
 	* dbus/dbus-connection.c (close_connection_on_shutdown): new method
 	  split out from shared_connections_shutdown
diff --git a/bus/policy.c b/bus/policy.c
index 383b2b18..caa544e7 100644
--- a/bus/policy.c
+++ b/bus/policy.c
@@ -942,9 +942,19 @@ bus_client_policy_check_can_send (BusClientPolicy *policy,
       if (rule->d.send.interface != NULL)
         {
-          if (dbus_message_get_interface (message) != NULL &&
-              strcmp (dbus_message_get_interface (message),
-                      rule->d.send.interface) != 0)
+          /* The interface is optional in messages. For allow rules, if the message
+           * has no interface we want to skip the rule (and thus not allow);
+           * for deny rules, if the message has no interface we want to use the
+           * rule (and thus deny).
+           */
+          dbus_bool_t no_interface;
+
+          no_interface = dbus_message_get_interface (message) == NULL;
+          
+          if ((no_interface && rule->allow) ||
+              (!no_interface && 
+               strcmp (dbus_message_get_interface (message),
+                       rule->d.send.interface) != 0))
             {
               _dbus_verbose ("  (policy) skipping rule for different interface\n");
               continue;
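Review bot: The new condition leaves a deny rule in force for every message that carries no interface, because `(no_interface && rule->allow)` skips only allow rules and the `strcmp` branch is not evaluated when `no_interface` is true. A rule such as `<deny send_interface="..."/>` will therefore also match interface-less messages unrelated to that interface, unless a check outside this hunk narrows the rule by destination or message type (the function body starts and ends beyond the hunk). The added comment states the intent but not this consequence for policy authors; I would append `* NOTE: a deny rule naming an interface also applies to all messages that carry no interface.` to it. The same applies to the matching hunk in bus_client_policy_check_can_receive.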
@@ -1128,9 +1138,19 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy,
       if (rule->d.receive.interface != NULL)
         {
-          if (dbus_message_get_interface (message) != NULL &&
-              strcmp (dbus_message_get_interface (message),
-                      rule->d.receive.interface) != 0)
+          /* The interface is optional in messages. For allow rules, if the message
+           * has no interface we want to skip the rule (and thus not allow);
+           * for deny rules, if the message has no interface we want to use the
+           * rule (and thus deny).
+           */
+          dbus_bool_t no_interface;
+
+          no_interface = dbus_message_get_interface (message) == NULL;
+          
+          if ((no_interface && rule->allow) ||
+              (!no_interface &&
+               strcmp (dbus_message_get_interface (message),
+                       rule->d.receive.interface) != 0))
             {
               _dbus_verbose ("  (policy) skipping rule for different interface\n");
               continue; | 
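Review bot: The trace text `skipping rule for different interface` is now also printed when an allow rule is skipped because the message has no interface at all, which will mislead anyone reading verbose output while debugging a policy decision. Testing the two cases separately would let each log its own reason, for example `_dbus_verbose ("  (policy) skipping allow rule for message with no interface\n");` for the first case. Storing the result of `dbus_message_get_interface (message)` in a local `const char *` would also avoid the second lookup before `strcmp`. Both remarks apply equally to the send hunk above; the enclosing function starts and ends outside this hunk.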
