core: work around dbus-glib property access bug (CVE-2010-1172) (rh #585394)

More info:
https://bugzilla.redhat.com/show_bug.cgi?id=585394
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1172

dbus-glib was not properly enforcing the 'access' permissions on
object properties exported using its API.  There were 2 specific bugs:

1) dbus-glib did not enforce the introspection read/write property
permissions, so if the GObject property definition allowed write
access (which is sometimes desirable), D-Bus clients could modify
that value even if the introspection said it was read-only

2) dbus-glib was not filtering out GObject properties that were
not listed in the introspection XML.  Thus, if the GObject defined
more properties than were listed in the introspection XML (which is
also often useful, and MM uses this quite a bit) those properties
would also be exposed to D-Bus clients.

To fix this completely, you need to:

1) get dbus-glib master when the patch is commited, OR grab the
patch from https://bugzilla.redhat.com/show_bug.cgi?id=585394 and
build a new dbus-glib

2) rebuild ModemManager against the new dbus-glib

1 files changed, 6 insertions, 0 deletions

diff --git a/configure.ac b/configure.ac
index 16d59f5e8..a0c65e79e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -70,6 +70,12 @@ case $with_polkit in
         ;;
 esac
 
+dnl
+dnl Checks for new dbus-glib property access function
+dnl
+AC_CHECK_LIB([dbus-glib-1], [dbus_glib_global_set_disable_legacy_property_access], ac_have_dg_prop="1", ac_have_dg_prop="0")
+AC_DEFINE_UNQUOTED(HAVE_DBUS_GLIB_DISABLE_LEGACY_PROP_ACCESS, $ac_have_dg_prop, [Define if you have a dbus-glib with dbus_glib_global_set_disable_legacy_property_access()])
+
 # PPPD
 AC_CHECK_HEADERS(pppd/pppd.h, have_pppd_headers="yes", have_pppd_headers="no")
 AM_CONDITIONAL(HAVE_PPPD_H, test "x$have_pppd_headers" = "xyes")