- Update from version 1.14.0 to 1.14.4 - Update of rootfile - Changelog dbus 1.14.4 (2022-10-05) This is a security update for the dbus 1.14.x stable branch, fixing denial-of-service issues (CVE-2022-42010, -42011, -42012) and applying security hardening (dbus#416). Behaviour changes: • On Linux, dbus-daemon and other uses of DBusServer now create a path-based Unix socket, unix:path=..., when asked to listen on a unix:tmpdir=... address. This makes unix:tmpdir=... equivalent to unix:dir=... on all platforms. Previous versions would have created an abstract socket, unix:abstract=..., in this situation. This change primarily affects the well-known session bus when run via dbus-launch(1) or dbus-run-session(1). The user bus, enabled by configuring dbus with --enable-user-session and running it on a systemd system, already used path-based Unix sockets and is unaffected by this change. This behaviour change prevents a sandbox escape via the session bus socket in sandboxing frameworks that can share the network namespace with the host system, such as Flatpak. This change might cause a regression in situations where the abstract socket is intentionally shared between the host system and a chroot or container, such as some use-cases of schroot(1). That regression can be resolved by using a bind-mount to share either the D-Bus socket, or the whole /tmp directory, with the chroot or container. (dbus#416, Simon McVittie) Denial of service fixes: Evgeny Vereshchagin discovered several ways in which an authenticated local attacker could cause a crash (denial of service) in dbus-daemon --system or a custom DBusServer. In uncommon configurations these could potentially be carried out by an authenticated remote attacker. • An invalid array of fixed-length elements where the length of the array is not a multiple of the length of the element would cause an assertion failure in debug builds or an out-of-bounds read in production builds. This was a regression in version 1.3.0. (dbus#413, CVE-2022-42011; Simon McVittie) • A syntactically invalid type signature with incorrectly nested parentheses and curly brackets would cause an assertion failure in debug builds. Similar messages could potentially result in a crash or incorrect message processing in a production build, although we are not aware of a practical example. (dbus#418, CVE-2022-42010; Simon McVittie) • A message in non-native endianness with out-of-band Unix file descriptors would cause a use-after-free and possible memory corruption in production builds, or an assertion failure in debug builds. This was a regression in version 1.3.0. (dbus#417, CVE-2022-42012; Simon McVittie) dbus 1.14.2 (2022-09-26) Fixes: • Fix build failure on FreeBSD (dbus!277, Alex Richardson) • Fix build failure on macOS with launchd enabled (dbus!287, Dawid Wróbel) • Preserve errno on failure to open /proc/self/oom_score_adj (dbus!285, Gentoo#834725; Mike Gilbert) • On Linux, don't log warnings if oom_score_adj is read-only but does not need to be changed (dbus!291, Simon McVittie) • Slightly improve error-handling for inotify (dbus!235, Simon McVittie) • Don't crash if dbus-daemon is asked to watch more than 128 directories for changes (dbus!302, Jan Tojnar) • Autotools build system fixes: · Don't treat --with-x or --with-x=yes as a request to disable X11, fixing a regression in 1.13.20. Instead, require X11 libraries and fail if they cannot be detected. (dbus!263, Lars Wendler) · When a CMake project uses an Autotools-built libdbus in a non-standard prefix, find dbus-arch-deps.h successfully (dbus#314, Simon McVittie) · Don't include generated XML catalog in source releases (dbus!317, Jan Tojnar) · Improve robustness of detecting gcc __sync atomic builtins (dbus!320, Alex Richardson) • CMake build system fixes: · Detect endianness correctly, fixing interoperability with other D-Bus implementations on big-endian systems (dbus#375, Ralf Habacker) · When building for Unix, install session and system bus setup in the intended locations (dbus!267, dbus!297; Ralf Habacker, Alex Richardson) · Detect setresuid() and getresuid() (dbus!319, Alex Richardson) · Detect backtrace() on FreeBSD (dbus!281, Alex Richardson) · Don't include headers from parent directory (dbus!282, Alex Richardson) · Distinguish between host and target TMPDIR when cross-compiling (dbus!279, Alex Richardson) · Fix detection of atomic operations (dbus!306, Alex Richardson) Tests and CI enhancements: • On Unix, skip tests that switch uid if run in a container that is unable to do so, instead of failing (dbus#407, Simon McVittie) • Use the latest MSYS2 packages for CI (Ralf Habacker, Simon McVittie)
Signed-off-by: Adolf Belka adolf.belka@ipfire.org --- config/rootfiles/packages/dbus | 2 +- lfs/dbus | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/config/rootfiles/packages/dbus b/config/rootfiles/packages/dbus index 82817a942..3f752c21e 100644 --- a/config/rootfiles/packages/dbus +++ b/config/rootfiles/packages/dbus @@ -40,7 +40,7 @@ usr/bin/dbus-uuidgen #usr/lib/libdbus-1.la #usr/lib/libdbus-1.so usr/lib/libdbus-1.so.3 -usr/lib/libdbus-1.so.3.32.0 +usr/lib/libdbus-1.so.3.32.1 #usr/lib/pkgconfig/dbus-1.pc usr/libexec/dbus-daemon-launch-helper #usr/share/dbus-1 diff --git a/lfs/dbus b/lfs/dbus index 9e80718e4..9aceceb08 100644 --- a/lfs/dbus +++ b/lfs/dbus @@ -26,7 +26,7 @@ include Config
SUMMARY = D-Bus Message Bus System
-VER = 1.14.0 +VER = 1.14.4
THISAPP = dbus-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -34,7 +34,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = dbus -PAK_VER = 7 +PAK_VER = 8
DEPS =
@@ -48,7 +48,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = ae0ebc2779e840e2d83f633029f81fba0e35969648dddce0280640dd9bee3f9508aa7fb6aef696d1c4c56d40f91b754941f847525afaee5cc3170ad23a7eddbf +$(DL_FILE)_BLAKE2 = 7da5cd8f09eaef7a64f35f8ccbeb81c5687b3fad02d6ac05dd4c232e0f731dbcf4c76c36b615e6216815c8f8631bf9cb32543665440153a1199b1b35922cdda4
install : $(TARGET)