[CVE-2008-4311] DBus 1.2.6

Please don’t yet update DBus for CVE-2008-4311. It’s known to break PackageKit, cups, ConsoleKit, DeviceKit, DeviceKit-power, gdm, and system-config-services. There’s a partial bugfix that has been pushed so PackageKit tools still run (without the GetTid or SetLocale errors), but as introspection is still broken there’ll be odd little warnings and errors for other stuff.

I do understand how important this update is, but given this wasn’t a root login vulnerability, or anything crazy like that, I’m surprised it didn’t sit in updates-testing for a few days to fix up all the other system daemons. The worst bit is that it’s broken automatic updates for thousands of people.

I’m planning to spend this morning closing duplicate bugzillas. Fun.

Published by

hughsie

Richard has over 10 years of experience developing open source software. He is the maintainer of GNOME Software, PackageKit, GNOME Packagekit, GNOME Power Manager, GNOME Color Manager, colord, and UPower and also contributes to many other projects and open source standards. Richard has three main areas of interest on the free desktop: color management, package management, and power management. Richard graduated a few years ago from the University of Surrey with a Masters in Electronics Engineering. He now works for Red Hat in the desktop group, and also manages a company selling open source calibration equipment. Richard’s outside interests include taking photos and eating good food.

14 thoughts on “[CVE-2008-4311] DBus 1.2.6”

  1. Did anyone in fedora actually test this bug before it was pushed to repos? I mean it is probably the worst update bug I’ve seen yet… mostly as it breaks updates ?!?!

    Also, has anyone tried to pull it from the repo? I updated on Sunday around midday and it broke PackageKit; now I’ve got two systems with a broken PackageKit (among other things) and no sign of a downgrade going… No warnings either until this morning. Not that most people would have gotten that warning.

    Fedora need to issue a newer package that reverses this fix and test the fix properly and they need to do this pdq!

  2. Read this post on Planet Gnome, laughed, realised I too run fedora with the testing repo and I did an update today, cursed self ;)

    Thanks for the workaround!

  3. Maxious:

    You can partially work around the bug by editing (as root) /etc/dbus-1/system.d/org.freedesktop.PackageKit.conf and adding an extra line (similar to the existing line <allow send_interface="org.freedesktop.PackageKit"/>):

    <allow send_interface="org.freedesktop.PackageKit.Transaction"/>

    (note, I can’t paste in the XML due to filtering)

    This obviously doesn’t fix introspection, or the other services affected.
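As an added illustration of the workaround in the comment above (example code written for this page, not code from the post, PackageKit or D-Bus), a small Python checker that evaluates a D-Bus service policy file under a default-deny send model: a message's destination and interface are matched against the allow/deny rules of the `default` context, last matching rule wins, which is a simplified version of how dbus-daemon decides whether a send is permitted. The sample policy file is a constructed cut-down stand-in, and `can_send`/`with_workaround` are hypothetical helper names; the output shows the Transaction interface going from denied to allowed once the extra line is added, while introspection stays denied, as the comment says.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for /etc/dbus-1/system.d/org.freedesktop.PackageKit.conf,
# cut down to the rules relevant here; it is not the real file from the package.
PK_CONF = """<busconfig>
  <policy user="root">
    <allow own="org.freedesktop.PackageKit"/>
  </policy>
  <policy context="default">
    <allow send_interface="org.freedesktop.PackageKit"/>
  </policy>
</busconfig>
"""

# The extra rule the comment suggests adding next to the existing PackageKit allow.
WORKAROUND_RULE = '<allow send_interface="org.freedesktop.PackageKit.Transaction"/>'


def rule_matches(attrib, destination, interface):
    """A rule matches only if every send_destination/send_interface it names
    equals the message's value; rules with other attributes are ignored here."""
    wanted = {"send_destination": destination, "send_interface": interface}
    if not any(a in attrib for a in wanted):
        return False
    return all(attrib[a] == v for a, v in wanted.items() if a in attrib)


def can_send(conf_xml, destination, interface, context="default"):
    """Default-deny check: walk the <policy> blocks for `context` and let the
    last matching <allow>/<deny> rule decide (simplified dbus-daemon model)."""
    allowed = False
    for policy in ET.fromstring(conf_xml).findall("policy"):
        if policy.get("context") != context:
            continue
        for rule in policy:
            if rule.tag in ("allow", "deny") and rule_matches(rule.attrib, destination, interface):
                allowed = rule.tag == "allow"
    return allowed


def with_workaround(conf_xml):
    """Insert the Transaction allow rule after the existing PackageKit allow."""
    existing = '<allow send_interface="org.freedesktop.PackageKit"/>'
    return conf_xml.replace(existing, existing + "\n    " + WORKAROUND_RULE, 1)


if __name__ == "__main__":
    dest = "org.freedesktop.PackageKit"
    for conf, label in ((PK_CONF, "shipped"), (with_workaround(PK_CONF), "with workaround")):
        for iface in (dest, dest + ".Transaction", "org.freedesktop.DBus.Introspectable"):
            print(f"{label:16} {iface:44} {'allow' if can_send(conf, dest, iface) else 'DENY'}")
```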

  4. Wow, it must suck to be you :P

    (Or a Fedora user like me :P )

    Will this fuck-up be fixable with just another update??

  5. Rather inexcusable patch management from the Fedora project.

    Like people ask above: do you really push patches to non-rawhide without actually testing them?
    Inconceivable.

    Hopefully the aftermath discussion leads to some practical resolution; otherwise another nail in the coffin of Fedora’s so-called “quality assurance”.

  6. guys .. duh
    this update ducked my fedora 10 Cambridge box :S
    please if you knew any updates let us know …
    thanks ..

  7. al, sure, I don’t doubt that. I’m not angry at the people who caused this problem, as I might make the same sort of mistake myself in the future. Fedora is fast moving, but I agree this sort of bug should not happen.
