CVE-2008-0595

Publication date 29 February 2008

Last updated 24 July 2024

Ubuntu priority

dbus-daemon in D-Bus before 1.0.3, and 1.1.x before 1.1.20, recognizes send_interface attributes in allow directives in the security policy only for fully qualified method calls, which allows local users to bypass intended access restrictions via a method call with a NULL interface.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
dbus	8.04 LTS hardy	Fixed 1.1.20-1ubuntu1
	7.10 gutsy	Fixed 1.1.1-3ubuntu4.2
	7.04 feisty	Fixed 1.0.2-1ubuntu4.2
	6.10 edgy	Ignored end of life
	6.06 LTS dapper	Fixed 0.60-6ubuntu8.3

Notes

jdstrand

be sure to check the redhat bug for test cases

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
dbus	Vendor: https://rhn.redhat.com/errata/RHSA-2008-0159.html Vendor: http://www.mandriva.com/en/security/advisories?name=MDVSA-2008:054

CVE-2008-0595

Status

Notes

jdstrand

Patch details

References

Related Ubuntu Security Notices (USN)

Other references