From: wangmy <[email protected]>
dbus 1.14.4 (2022-10-05)
========================
This is a security update for the dbus 1.14.x stable branch, fixing
denial-of-service issues (CVE-2022-42010, -42011, -42012) and applying
security hardening (dbus#416).
Behaviour changes:
• On Linux, dbus-daemon and other uses of DBusServer now create a
path-based Unix socket, unix:path=..., when asked to listen on a
unix:tmpdir=... address. This makes unix:tmpdir=... equivalent to
unix:dir=... on all platforms.
Previous versions would have created an abstract socket, unix:abstract=...,
in this situation.
This change primarily affects the well-known session bus when run via
dbus-launch(1) or dbus-run-session(1). The user bus, enabled by configuring
dbus with --enable-user-session and running it on a systemd system,
already used path-based Unix sockets and is unaffected by this change.
This behaviour change prevents a sandbox escape via the session bus socket
in sandboxing frameworks that can share the network namespace with the host
system, such as Flatpak.
This change might cause a regression in situations where the abstract socket
is intentionally shared between the host system and a chroot or container,
such as some use-cases of schroot(1). That regression can be resolved by
using a bind-mount to share either the D-Bus socket, or the whole /tmp
directory, with the chroot or container.
(dbus#416, Simon McVittie)
Denial of service fixes:
Evgeny Vereshchagin discovered several ways in which an authenticated
local attacker could cause a crash (denial of service) in
dbus-daemon --system or a custom DBusServer. In uncommon configurations
these could potentially be carried out by an authenticated remote attacker.
• An invalid array of fixed-length elements where the length of the array
is not a multiple of the length of the element would cause an assertion
failure in debug builds or an out-of-bounds read in production builds.
This was a regression in version 1.3.0.
(dbus#413, CVE-2022-42011; Simon McVittie)
• A syntactically invalid type signature with incorrectly nested parentheses
and curly brackets would cause an assertion failure in debug builds.
Similar messages could potentially result in a crash or incorrect message
processing in a production build, although we are not aware of a practical
example. (dbus#418, CVE-2022-42010; Simon McVittie)
• A message in non-native endianness with out-of-band Unix file descriptors
would cause a use-after-free and possible memory corruption in production
builds, or an assertion failure in debug builds. This was a regression in
version 1.3.0. (dbus#417, CVE-2022-42012; Simon McVittie)
dbus 1.14.2 (2022-09-26)
========================
Fixes:
• Fix build failure on FreeBSD (dbus!277, Alex Richardson)
• Fix build failure on macOS with launchd enabled
(dbus!287, Dawid Wróbel)
• Preserve errno on failure to open /proc/self/oom_score_adj
(dbus!285, Gentoo#834725; Mike Gilbert)
• On Linux, don't log warnings if oom_score_adj is read-only but does not
need to be changed (dbus!291, Simon McVittie)
• Slightly improve error-handling for inotify
(dbus!235, Simon McVittie)
• Don't crash if dbus-daemon is asked to watch more than 128 directories
for changes (dbus!302, Jan Tojnar)
• Autotools build system fixes:
· Don't treat --with-x or --with-x=yes as a request to disable X11,
fixing a regression in 1.13.20. Instead, require X11 libraries and
fail if they cannot be detected. (dbus!263, Lars Wendler)
· When a CMake project uses an Autotools-built libdbus in a
non-standard prefix, find dbus-arch-deps.h successfully
(dbus#314, Simon McVittie)
· Don't include generated XML catalog in source releases
(dbus!317, Jan Tojnar)
· Improve robustness of detecting gcc __sync atomic builtins
(dbus!320, Alex Richardson)
• CMake build system fixes:
· Detect endianness correctly, fixing interoperability with other D-Bus
implementations on big-endian systems (dbus#375, Ralf Habacker)
· When building for Unix, install session and system bus setup
in the intended locations
(dbus!267, dbus!297; Ralf Habacker, Alex Richardson)
· Detect setresuid() and getresuid() (dbus!319, Alex Richardson)
· Detect backtrace() on FreeBSD (dbus!281, Alex Richardson)
· Don't include headers from parent directory (dbus!282, Alex Richardson)
· Distinguish between host and target TMPDIR when cross-compiling
(dbus!279, Alex Richardson)
· Fix detection of atomic operations (dbus!306, Alex Richardson)
Tests and CI enhancements:
• On Unix, skip tests that switch uid if run in a container that is
unable to do so, instead of failing (dbus#407, Simon McVittie)
• Use the latest MSYS2 packages for CI
(Ralf Habacker, Simon McVittie)
License-Update: D-Bus changed to dbus.
Signed-off-by: Wang Mingyu <[email protected]>
Signed-off-by: Alexandre Belloni <[email protected]>
(cherry picked from commit 8c2ab4c014807e2d8ad0fded4188578aa05e8c55)
Signed-off-by: Steve Sakoman <[email protected]>
---
meta/recipes-core/dbus/{dbus_1.14.0.bb => dbus_1.14.4.bb} | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
rename meta/recipes-core/dbus/{dbus_1.14.0.bb => dbus_1.14.4.bb} (96%)
diff --git a/meta/recipes-core/dbus/dbus_1.14.0.bb
b/meta/recipes-core/dbus/dbus_1.14.4.bb
similarity index 96%
rename from meta/recipes-core/dbus/dbus_1.14.0.bb
rename to meta/recipes-core/dbus/dbus_1.14.4.bb
index 863e35faf7..5f91ec2dc1 100644
--- a/meta/recipes-core/dbus/dbus_1.14.0.bb
+++ b/meta/recipes-core/dbus/dbus_1.14.4.bb
@@ -6,8 +6,9 @@ SECTION = "base"
inherit autotools pkgconfig gettext upstream-version-is-even ptest-gnome
LICENSE = "AFL-2.1 | GPL-2.0-or-later"
-LIC_FILES_CHKSUM = "file://COPYING;md5=10dded3b58148f3f1fd804b26354af3e \
-
file://dbus/dbus.h;beginline=6;endline=20;md5=866739837ccd835350af94dccd6457d8"
+LIC_FILES_CHKSUM = "file://COPYING;md5=6423dcd74d7be9715b0db247fd889da3 \
+
file://dbus/dbus.h;beginline=6;endline=20;md5=866739837ccd835350af94dccd6457d8 \
+ "
SRC_URI = "https://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.xz \
file://run-ptest \
@@ -15,7 +16,7 @@ SRC_URI =
"https://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.xz \
file://dbus-1.init \
"
-SRC_URI[sha256sum] =
"ccd7cce37596e0a19558fd6648d1272ab43f011d80c8635aea8fd0bad58aebd4"
+SRC_URI[sha256sum] =
"7c0f9b8e5ec0ff2479383e62c0084a3a29af99edf1514e9f659b81b30d4e353e"
EXTRA_OECONF = "--disable-xml-docs \
--disable-doxygen-docs \
--
2.25.1
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#175758):
https://lists.openembedded.org/g/openembedded-core/message/175758
Mute This Topic: https://lists.openembedded.org/mt/96203086/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
