Bug#770551: unblock: dbus/1.8.12-1
Control: retitle -1 unblock: dbus/1.8.12-1
Control: tags -1 - moreinfo
On Sat, 22 Nov 2014 at 11:53:23 +0000, Adam D. Barratt wrote:
> Looks okay to me; thanks.
>
> Please remove the moreinfo tag once you've uploaded.
Uploaded, see attached for the final debdiff (filtering out configure
and ltmain.sh).
S
diffstat for dbus-1.8.10 dbus-1.8.12
HACKING | 5 +++++
NEWS | 29 +++++++++++++++++++++++++++++
README | 19 +++++++++++++++++++
bus/bus.c | 2 +-
bus/config-parser.c | 2 +-
bus/connection.c | 8 ++++++++
configure.ac | 4 ++--
debian/changelog | 12 ++++++++++++
debian/dbus.README.Debian | 32 ++++++++++++++++++++++++++++++++
9 files changed, 109 insertions(+), 4 deletions(-)
diff -Nru --exclude configure --exclude ltmain.sh dbus-1.8.10/bus/bus.c dbus-1.8.12/bus/bus.c
--- dbus-1.8.10/bus/bus.c 2014-11-06 15:30:51.000000000 +0000
+++ dbus-1.8.12/bus/bus.c 2014-11-14 18:39:10.000000000 +0000
@@ -1660,7 +1660,7 @@
complain_about_message (context, DBUS_ERROR_ACCESS_DENIED,
"Rejected receive message", toggles,
message, sender, proposed_recipient, requested_reply,
- (addressed_recipient == proposed_recipient), NULL);
+ (addressed_recipient == proposed_recipient), error);
_dbus_verbose ("security policy disallowing message due to recipient policy\n");
return FALSE;
}
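Review bot: The other rejection branches of this function are not visible in the hunk; confirm that each `return FALSE` there also hands `error` (not NULL) to complain_about_message(), as the recipient-policy branch does at the changed line. A regression test that sends a message to a recipient whose policy denies receipt and expects AccessDenied would pin down the behaviour the NEWS entry for fd.o #86194 describes.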
diff -Nru --exclude configure --exclude ltmain.sh dbus-1.8.10/bus/config-parser.c dbus-1.8.12/bus/config-parser.c
--- dbus-1.8.10/bus/config-parser.c 2014-11-04 14:51:05.000000000 +0000
+++ dbus-1.8.12/bus/config-parser.c 2014-11-22 10:49:21.000000000 +0000
@@ -438,7 +438,7 @@
* and legitimate auth will fail. If interactive auth (ask user for
* password) is allowed, then potentially it has to be quite long.
*/
- parser->limits.auth_timeout = 5000; /* 5 seconds */
+ parser->limits.auth_timeout = 30000; /* 30 seconds */
/* Do not allow a fd to stay forever in dbus-daemon
* https://bugs.freedesktop.org/show_bug.cgi?id=80559
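Review bot: The changed line's comment `/* 30 seconds */` records the value but not why the 5 second default was abandoned. Add a reference to fd.o #86431 (the bug cited in the NEWS entry) next to it, in the way the following limit's comment cites bug 80559, so the default is not lowered again without the boot-regression history in view.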
diff -Nru --exclude configure --exclude ltmain.sh dbus-1.8.10/bus/connection.c dbus-1.8.12/bus/connection.c
--- dbus-1.8.10/bus/connection.c 2014-11-04 14:51:05.000000000 +0000
+++ dbus-1.8.12/bus/connection.c 2014-11-22 10:49:21.000000000 +0000
@@ -860,6 +860,14 @@
if (elapsed >= (double) auth_timeout)
{
+ /* Unfortunately, we can't identify the connection: it doesn't
+ * have a unique name yet, we don't know its uid/pid yet,
+ * and so on. */
+ bus_context_log (connections->context, DBUS_SYSTEM_LOG_INFO,
+ "Connection has not authenticated soon enough, closing it "
+ "(auth_timeout=%dms, elapsed: %.0fms)",
+ auth_timeout, elapsed);
+
_dbus_verbose ("Timing out authentication for connection %p\n", connection);
dbus_connection_close (connection);
}
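Review bot: The new bus_context_log() call fires once per timed-out connection with no rate limit, so the scenario README.Debian describes (many parallel connections that never finish authenticating) produces one DBUS_SYSTEM_LOG_INFO line per connection; consider logging the first occurrence and then a periodic count. Also confirm that auth_timeout is declared as int to match `%d`: its declaration is outside the hunk, and only the `(double)` cast in the comparison is visible.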
diff -Nru --exclude configure --exclude ltmain.sh dbus-1.8.10/configure.ac dbus-1.8.12/configure.ac
--- dbus-1.8.10/configure.ac 2014-11-06 15:34:45.000000000 +0000
+++ dbus-1.8.12/configure.ac 2014-11-24 13:01:26.000000000 +0000
@@ -3,7 +3,7 @@
m4_define([dbus_major_version], [1])
m4_define([dbus_minor_version], [8])
-m4_define([dbus_micro_version], [10])
+m4_define([dbus_micro_version], [12])
m4_define([dbus_version],
[dbus_major_version.dbus_minor_version.dbus_micro_version])
AC_INIT([dbus],[dbus_version],[https://bugs.freedesktop.org/enter_bug.cgi?product=dbus],[dbus])
@@ -37,7 +37,7 @@
## increment any time the source changes; set to
## 0 if you increment CURRENT
-LT_REVISION=8
+LT_REVISION=9
## increment if any interfaces have been added; set to 0
## if any interfaces have been changed or removed. removal has
diff -Nru --exclude configure --exclude ltmain.sh dbus-1.8.10/debian/changelog dbus-1.8.12/debian/changelog
--- dbus-1.8.10/debian/changelog 2014-11-06 16:28:35.000000000 +0000
+++ dbus-1.8.12/debian/changelog 2014-11-24 13:46:14.000000000 +0000
@@ -1,3 +1,15 @@
+dbus (1.8.12-1) unstable; urgency=medium
+
+ * New upstream release 1.8.12
+ - increase auth_timeout from 5 seconds back to 30 seconds since it
+ appears to cause slow or failed boot on some systems, reverting a
+ change in 1.8.8 (Closes: #769069)
+ - add a README.Debian to the dbus package documenting how
+ sysadmins with hostile local users can get the lower timeout back,
+ if their systems are fast enough to boot correctly like that
+
+ -- Simon McVittie <smcv@debian.org> Mon, 24 Nov 2014 13:46:01 +0000
+
dbus (1.8.10-1) unstable; urgency=medium
* New upstream release 1.8.10
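Review bot: The "add a README.Debian" item is listed with `-` under "New upstream release 1.8.12", but the file it refers to is debian/dbus.README.Debian, a packaging addition. Make it its own `*` entry so the changelog separates upstream changes from Debian ones.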
diff -Nru --exclude configure --exclude ltmain.sh dbus-1.8.10/debian/dbus.README.Debian dbus-1.8.12/debian/dbus.README.Debian
--- dbus-1.8.10/debian/dbus.README.Debian 1970-01-01 01:00:00.000000000 +0100
+++ dbus-1.8.12/debian/dbus.README.Debian 2014-11-24 13:46:14.000000000 +0000
@@ -0,0 +1,32 @@
+Adjusting limits to mitigate denial of service
+==============================================
+
+'dbus-daemon --system' has several arbitrary limits which are a trade-off
+between working correctly when not under attack, and preventing local
+denial of service attacks. System administrators with particularly hostile
+local users should review these limits and tune them if necessary.
+
+In particular, the fix for CVE-2014-3639 in dbus-1.8.8 makes it difficult
+for local users to prevent connections completely, but they can still
+introduce a delay which increases with larger authentication timeout
+(auth_timeout) values, by opening many parallel connections from
+different processes and never completing the authentication handshake.
+As a result, dbus 1.8.8 also reduced the auth_timeout from 30 seconds
+to 5 seconds to mitigate this delay. However, this change resulted in
+boot failures on some systems because systemd could not authenticate
+sufficiently quickly while the system was busy, and was reverted in 1.8.12.
+
+On fast systems with hostile local users, administrators can reduce this
+delay by returning to the 5 second timeout (or any other value in
+milliseconds), by saving this as /etc/dbus-1/system-local.conf or a file
+matching /etc/dbus-1/system.d/*.conf:
+
+ <busconfig>
+ <limit name="auth_timeout">5000</limit>
+ </busconfig>
+
+If applying this change, please reboot several times and check the
+syslog or Journal for messages containing "Connection has not authenticated
+soon enough, closing it". Seeing that message while not subject to a
+denial-of-service attack indicates that the auth_timeout has been set
+too short.
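Review bot: The final paragraph asks administrators to look for "Connection has not authenticated soon enough, closing it" but does not say that the message is logged at info level (DBUS_SYSTEM_LOG_INFO in the bus/connection.c hunk). Say so here, since a syslog configuration that drops info-priority messages would hide it and make a too-short auth_timeout look fine.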
diff -Nru --exclude configure --exclude ltmain.sh dbus-1.8.10/HACKING dbus-1.8.12/HACKING
--- dbus-1.8.10/HACKING 2014-11-04 14:51:05.000000000 +0000
+++ dbus-1.8.12/HACKING 2014-11-14 19:06:38.000000000 +0000
@@ -11,6 +11,11 @@
Security
===
+If you find a security vulnerability that is not known to the public,
+please report it privately to dbus-security@lists.freedesktop.org
+or by reporting a freedesktop.org bug that is marked as
+restricted to the "D-BUS security group".
+
Most of D-Bus is security sensitive. Guidelines related to that:
- avoid memcpy(), sprintf(), strlen(), snprintf, strlcat(),
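Review bot: The added paragraph duplicates the reporting instructions added to README but omits README's hint `(you might need to "Show Advanced Fields" to have that option)`. Use the same wording in both files, or have HACKING point to README's Security section, so the two cannot drift apart.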
diff -Nru --exclude configure --exclude ltmain.sh dbus-1.8.10/NEWS dbus-1.8.12/NEWS
--- dbus-1.8.10/NEWS 2014-11-06 15:39:02.000000000 +0000
+++ dbus-1.8.12/NEWS 2014-11-24 13:01:19.000000000 +0000
@@ -1,3 +1,32 @@
+D-Bus 1.8.12 (2014-11-24)
+==
+
+The “days of fuchsia passed” release.
+
+Fixes:
+
+• Partially revert the CVE-2014-3639 patch by increasing the default
+ authentication timeout on the system bus from 5 seconds back to 30
+ seconds, since this has been reported to cause boot regressions for
+ some users, mostly with parallel boot (systemd) on slower hardware.
+
+ On fast systems where local users are considered particularly hostile,
+ administrators can return to the 5 second timeout (or any other value
+ in milliseconds) by saving this as /etc/dbus-1/system-local.conf:
+
+ <busconfig>
+ <limit name="auth_timeout">5000</limit>
+ </busconfig>
+
+ (fd.o #86431, Simon McVittie)
+
+• Add a message in syslog/the Journal when the auth_timeout is exceeded
+ (fd.o #86431, Simon McVittie)
+
+• Send back an AccessDenied error if the addressed recipient is not allowed
+ to receive a message (and in builds with assertions enabled, don't
+ assert under the same conditions). (fd.o #86194, Jacek Bukarewicz)
+
D-Bus 1.8.10 (2014-11-10)
==
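Review bot: "Partially revert the CVE-2014-3639 patch" in the first bullet does not say which part stays. README.Debian in this same upload states that the 1.8.8 fix still makes it difficult for local users to prevent connections completely and that only the delay grows with auth_timeout; one sentence to that effect here would keep readers from concluding that the CVE is open again.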
diff -Nru --exclude configure --exclude ltmain.sh dbus-1.8.10/README dbus-1.8.12/README
--- dbus-1.8.10/README 2014-11-04 14:51:05.000000000 +0000
+++ dbus-1.8.12/README 2014-11-14 19:13:23.000000000 +0000
@@ -29,6 +29,25 @@
only by accident; so you should evaluate carefully whether D-Bus makes
sense for your project.
+Security
+==
+
+If you find a security vulnerability that is not known to the public,
+please report it privately to dbus-security@lists.freedesktop.org
+or by reporting a freedesktop.org bug that is marked as
+restricted to the "D-BUS security group" (you might need to "Show
+Advanced Fields" to have that option).
+
+On Unix systems, the system bus (dbus-daemon --system) is designed
+to be a security boundary between users with different privileges.
+
+On Unix systems, the session bus (dbus-daemon --session) is designed
+to be used by a single user, and only accessible by that user.
+
+We do not currently consider D-Bus on Windows to be security-supported,
+and we do not recommend allowing untrusted users to access Windows
+D-Bus via TCP.
+
Note: low-level API vs. high-level binding APIs
===