Re: [PATCH] dbus: Update to version 1.14.4

["Peter Müller" <peter.mueller@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 7010 bytes --]

Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>

> - Update from version 1.14.0 to 1.14.4
> - Update of rootfile
> - Changelog
>     dbus 1.14.4 (2022-10-05)
>      This is a security update for the dbus 1.14.x stable branch, fixing
>      denial-of-service issues (CVE-2022-42010, -42011, -42012) and applying
>      security hardening (dbus#416).
> 	Behaviour changes:
> 		• On Linux, dbus-daemon and other uses of DBusServer now create a
> 		  path-based Unix socket, unix:path=..., when asked to listen on a
> 		  unix:tmpdir=... address. This makes unix:tmpdir=... equivalent to
> 		  unix:dir=... on all platforms.
> 		  Previous versions would have created an abstract socket, unix:abstract=...,
> 		  in this situation.
> 		  This change primarily affects the well-known session bus when run via
> 		  dbus-launch(1) or dbus-run-session(1). The user bus, enabled by configuring
> 		  dbus with --enable-user-session and running it on a systemd system,
> 		  already used path-based Unix sockets and is unaffected by this change.
> 		  This behaviour change prevents a sandbox escape via the session bus socket
> 		  in sandboxing frameworks that can share the network namespace with the host
> 		  system, such as Flatpak.
> 		  This change might cause a regression in situations where the abstract socket
> 		  is intentionally shared between the host system and a chroot or container,
> 		  such as some use-cases of schroot(1). That regression can be resolved by
> 		  using a bind-mount to share either the D-Bus socket, or the whole /tmp
> 		  directory, with the chroot or container.
> 		  (dbus#416, Simon McVittie)
> 	Denial of service fixes:
> 		Evgeny Vereshchagin discovered several ways in which an authenticated
> 		local attacker could cause a crash (denial of service) in
> 		dbus-daemon --system or a custom DBusServer. In uncommon configurations
> 		these could potentially be carried out by an authenticated remote attacker.
> 		• An invalid array of fixed-length elements where the length of the array
> 		  is not a multiple of the length of the element would cause an assertion
> 		  failure in debug builds or an out-of-bounds read in production builds.
> 		  This was a regression in version 1.3.0.
> 		  (dbus#413, CVE-2022-42011; Simon McVittie)
> 		• A syntactically invalid type signature with incorrectly nested parentheses
> 		  and curly brackets would cause an assertion failure in debug builds.
> 		  Similar messages could potentially result in a crash or incorrect message
> 		  processing in a production build, although we are not aware of a practical
> 		  example. (dbus#418, CVE-2022-42010; Simon McVittie)
> 		• A message in non-native endianness with out-of-band Unix file descriptors
> 		  would cause a use-after-free and possible memory corruption in production
> 		  builds, or an assertion failure in debug builds. This was a regression in
> 		  version 1.3.0. (dbus#417, CVE-2022-42012; Simon McVittie)
>     dbus 1.14.2 (2022-09-26)
> 	Fixes:
> 		• Fix build failure on FreeBSD (dbus!277, Alex Richardson)
> 		• Fix build failure on macOS with launchd enabled
> 		  (dbus!287, Dawid Wróbel)
> 		• Preserve errno on failure to open /proc/self/oom_score_adj
> 		  (dbus!285, Gentoo#834725; Mike Gilbert)
> 		• On Linux, don't log warnings if oom_score_adj is read-only but does not
> 		  need to be changed (dbus!291, Simon McVittie)
> 		• Slightly improve error-handling for inotify
> 		  (dbus!235, Simon McVittie)
> 		• Don't crash if dbus-daemon is asked to watch more than 128 directories
> 		  for changes (dbus!302, Jan Tojnar)
> 		• Autotools build system fixes:
> 			  · Don't treat --with-x or --with-x=yes as a request to disable X11,
> 			    fixing a regression in 1.13.20. Instead, require X11 libraries and
> 			    fail if they cannot be detected. (dbus!263, Lars Wendler)
> 			  · When a CMake project uses an Autotools-built libdbus in a
> 			    non-standard prefix, find dbus-arch-deps.h successfully
> 			    (dbus#314, Simon McVittie)
> 			  · Don't include generated XML catalog in source releases
> 			    (dbus!317, Jan Tojnar)
> 			  · Improve robustness of detecting gcc __sync atomic builtins
> 			    (dbus!320, Alex Richardson)
> 		• CMake build system fixes:
> 			  · Detect endianness correctly, fixing interoperability with other D-Bus
> 			    implementations on big-endian systems (dbus#375, Ralf Habacker)
> 			  · When building for Unix, install session and system bus setup
> 			    in the intended locations
> 			    (dbus!267, dbus!297; Ralf Habacker, Alex Richardson)
> 			  · Detect setresuid() and getresuid() (dbus!319, Alex Richardson)
> 			  · Detect backtrace() on FreeBSD (dbus!281, Alex Richardson)
> 			  · Don't include headers from parent directory (dbus!282, Alex Richardson)
> 			  · Distinguish between host and target TMPDIR when cross-compiling
> 			    (dbus!279, Alex Richardson)
> 			  · Fix detection of atomic operations (dbus!306, Alex Richardson)
> 		Tests and CI enhancements:
> 			• On Unix, skip tests that switch uid if run in a container that is
> 			  unable to do so, instead of failing (dbus#407, Simon McVittie)
> 			• Use the latest MSYS2 packages for CI
> 			  (Ralf Habacker, Simon McVittie)
> 
> Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
> ---
>  config/rootfiles/packages/dbus | 2 +-
>  lfs/dbus                       | 6 +++---
>  2 files changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/config/rootfiles/packages/dbus b/config/rootfiles/packages/dbus
> index 82817a942..3f752c21e 100644
> --- a/config/rootfiles/packages/dbus
> +++ b/config/rootfiles/packages/dbus
> @@ -40,7 +40,7 @@ usr/bin/dbus-uuidgen
>  #usr/lib/libdbus-1.la
>  #usr/lib/libdbus-1.so
>  usr/lib/libdbus-1.so.3
> -usr/lib/libdbus-1.so.3.32.0
> +usr/lib/libdbus-1.so.3.32.1
>  #usr/lib/pkgconfig/dbus-1.pc
>  usr/libexec/dbus-daemon-launch-helper
>  #usr/share/dbus-1
> diff --git a/lfs/dbus b/lfs/dbus
> index 9e80718e4..9aceceb08 100644
> --- a/lfs/dbus
> +++ b/lfs/dbus
> @@ -26,7 +26,7 @@ include Config
>  
>  SUMMARY    = D-Bus Message Bus System
>  
> -VER        = 1.14.0
> +VER        = 1.14.4
>  
>  THISAPP    = dbus-$(VER)
>  DL_FILE    = $(THISAPP).tar.xz
> @@ -34,7 +34,7 @@ DL_FROM    = $(URL_IPFIRE)
>  DIR_APP    = $(DIR_SRC)/$(THISAPP)
>  TARGET     = $(DIR_INFO)/$(THISAPP)
>  PROG       = dbus
> -PAK_VER    = 7
> +PAK_VER    = 8
>  
>  DEPS       =
>  
> @@ -48,7 +48,7 @@ objects = $(DL_FILE)
>  
>  $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>  
> -$(DL_FILE)_BLAKE2 = ae0ebc2779e840e2d83f633029f81fba0e35969648dddce0280640dd9bee3f9508aa7fb6aef696d1c4c56d40f91b754941f847525afaee5cc3170ad23a7eddbf
> +$(DL_FILE)_BLAKE2 = 7da5cd8f09eaef7a64f35f8ccbeb81c5687b3fad02d6ac05dd4c232e0f731dbcf4c76c36b615e6216815c8f8631bf9cb32543665440153a1199b1b35922cdda4
>  
>  install : $(TARGET)
>