From patchwork Sun Dec 11 12:33:23 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Adolf Belka X-Patchwork-Id: 6293 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4NVPM06W8Dz3wfW for ; Sun, 11 Dec 2022 12:33:48 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4NVPLx12tkzx0; Sun, 11 Dec 2022 12:33:45 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4NVPLw5bszz309T; Sun, 11 Dec 2022 12:33:44 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4NVPLv63Gbz2xhb for ; Sun, 11 Dec 2022 12:33:43 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4NVPLv4Kv2zL3; Sun, 11 Dec 2022 12:33:43 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1670762023; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=lJBPVbYn4hedkPnrW5wKYBzQmyIbulz9C2dgj1flR9E=; b=z7vQie9gtwsTmNHhzjGNu9wfdA6tS2h4uYd8XNYpuSrFQPR35rWhe0GLysSiOFW898maX2 cGp8uD07dz0OIKDw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1670762023; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=lJBPVbYn4hedkPnrW5wKYBzQmyIbulz9C2dgj1flR9E=; b=obRQlu39GFaovzUjeR4SvG3M2xyAWu3qU9cUdgr4FHwDPlfAjco/aPRG7jnkc6yFDGSAWy VCK/H1srik5Tpw7uyZJmbYxlWebRz7ihKP8ui/JXd0pmMsILSAREV6Xhd4cFXq7H3o9BLQ TismPPtavFur7ZUbc+jqarwgJKPyaSz3AKnViZz+TJi8XWzBO7JNn0MsCssrQyGYKp0O5j 6jPaw+oT9v1IMT+PL1oi2E+2+HE6SEB5SoZmLQRrPoyN1jFqlAqwN3nYZBe0h2bH83xmwW SjrmItimiHGjfd959rrlbsapfWJuERm1FahVr8HuNtXxFm/5QMHBPZ7UtyVDQw== From: Adolf Belka To: development@lists.ipfire.org Subject: [PATCH] dbus: Update to version 1.14.4 Date: Sun, 11 Dec 2022 13:33:23 +0100 Message-Id: <20221211123330.5155-2-adolf.belka@ipfire.org> In-Reply-To: <20221211123330.5155-1-adolf.belka@ipfire.org> References: <20221211123330.5155-1-adolf.belka@ipfire.org> MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" - Update from version 1.14.0 to 1.14.4 - Update of rootfile - Changelog dbus 1.14.4 (2022-10-05) This is a security update for the dbus 1.14.x stable branch, fixing denial-of-service issues (CVE-2022-42010, -42011, -42012) and applying security hardening (dbus#416). Behaviour changes: • On Linux, dbus-daemon and other uses of DBusServer now create a path-based Unix socket, unix:path=..., when asked to listen on a unix:tmpdir=... address. This makes unix:tmpdir=... equivalent to unix:dir=... on all platforms. Previous versions would have created an abstract socket, unix:abstract=..., in this situation. This change primarily affects the well-known session bus when run via dbus-launch(1) or dbus-run-session(1). The user bus, enabled by configuring dbus with --enable-user-session and running it on a systemd system, already used path-based Unix sockets and is unaffected by this change. This behaviour change prevents a sandbox escape via the session bus socket in sandboxing frameworks that can share the network namespace with the host system, such as Flatpak. This change might cause a regression in situations where the abstract socket is intentionally shared between the host system and a chroot or container, such as some use-cases of schroot(1). That regression can be resolved by using a bind-mount to share either the D-Bus socket, or the whole /tmp directory, with the chroot or container. (dbus#416, Simon McVittie) Denial of service fixes: Evgeny Vereshchagin discovered several ways in which an authenticated local attacker could cause a crash (denial of service) in dbus-daemon --system or a custom DBusServer. In uncommon configurations these could potentially be carried out by an authenticated remote attacker. • An invalid array of fixed-length elements where the length of the array is not a multiple of the length of the element would cause an assertion failure in debug builds or an out-of-bounds read in production builds. This was a regression in version 1.3.0. (dbus#413, CVE-2022-42011; Simon McVittie) • A syntactically invalid type signature with incorrectly nested parentheses and curly brackets would cause an assertion failure in debug builds. Similar messages could potentially result in a crash or incorrect message processing in a production build, although we are not aware of a practical example. (dbus#418, CVE-2022-42010; Simon McVittie) • A message in non-native endianness with out-of-band Unix file descriptors would cause a use-after-free and possible memory corruption in production builds, or an assertion failure in debug builds. This was a regression in version 1.3.0. (dbus#417, CVE-2022-42012; Simon McVittie) dbus 1.14.2 (2022-09-26) Fixes: • Fix build failure on FreeBSD (dbus!277, Alex Richardson) • Fix build failure on macOS with launchd enabled (dbus!287, Dawid Wróbel) • Preserve errno on failure to open /proc/self/oom_score_adj (dbus!285, Gentoo#834725; Mike Gilbert) • On Linux, don't log warnings if oom_score_adj is read-only but does not need to be changed (dbus!291, Simon McVittie) • Slightly improve error-handling for inotify (dbus!235, Simon McVittie) • Don't crash if dbus-daemon is asked to watch more than 128 directories for changes (dbus!302, Jan Tojnar) • Autotools build system fixes: · Don't treat --with-x or --with-x=yes as a request to disable X11, fixing a regression in 1.13.20. Instead, require X11 libraries and fail if they cannot be detected. (dbus!263, Lars Wendler) · When a CMake project uses an Autotools-built libdbus in a non-standard prefix, find dbus-arch-deps.h successfully (dbus#314, Simon McVittie) · Don't include generated XML catalog in source releases (dbus!317, Jan Tojnar) · Improve robustness of detecting gcc __sync atomic builtins (dbus!320, Alex Richardson) • CMake build system fixes: · Detect endianness correctly, fixing interoperability with other D-Bus implementations on big-endian systems (dbus#375, Ralf Habacker) · When building for Unix, install session and system bus setup in the intended locations (dbus!267, dbus!297; Ralf Habacker, Alex Richardson) · Detect setresuid() and getresuid() (dbus!319, Alex Richardson) · Detect backtrace() on FreeBSD (dbus!281, Alex Richardson) · Don't include headers from parent directory (dbus!282, Alex Richardson) · Distinguish between host and target TMPDIR when cross-compiling (dbus!279, Alex Richardson) · Fix detection of atomic operations (dbus!306, Alex Richardson) Tests and CI enhancements: • On Unix, skip tests that switch uid if run in a container that is unable to do so, instead of failing (dbus#407, Simon McVittie) • Use the latest MSYS2 packages for CI (Ralf Habacker, Simon McVittie) Signed-off-by: Adolf Belka Reviewed-by: Peter Müller --- config/rootfiles/packages/dbus | 2 +- lfs/dbus | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/config/rootfiles/packages/dbus b/config/rootfiles/packages/dbus index 82817a942..3f752c21e 100644 --- a/config/rootfiles/packages/dbus +++ b/config/rootfiles/packages/dbus @@ -40,7 +40,7 @@ usr/bin/dbus-uuidgen #usr/lib/libdbus-1.la #usr/lib/libdbus-1.so usr/lib/libdbus-1.so.3 -usr/lib/libdbus-1.so.3.32.0 +usr/lib/libdbus-1.so.3.32.1 #usr/lib/pkgconfig/dbus-1.pc usr/libexec/dbus-daemon-launch-helper #usr/share/dbus-1 diff --git a/lfs/dbus b/lfs/dbus index 9e80718e4..9aceceb08 100644 --- a/lfs/dbus +++ b/lfs/dbus @@ -26,7 +26,7 @@ include Config SUMMARY = D-Bus Message Bus System -VER = 1.14.0 +VER = 1.14.4 THISAPP = dbus-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -34,7 +34,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = dbus -PAK_VER = 7 +PAK_VER = 8 DEPS = @@ -48,7 +48,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = ae0ebc2779e840e2d83f633029f81fba0e35969648dddce0280640dd9bee3f9508aa7fb6aef696d1c4c56d40f91b754941f847525afaee5cc3170ad23a7eddbf +$(DL_FILE)_BLAKE2 = 7da5cd8f09eaef7a64f35f8ccbeb81c5687b3fad02d6ac05dd4c232e0f731dbcf4c76c36b615e6216815c8f8631bf9cb32543665440153a1199b1b35922cdda4 install : $(TARGET)