[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#770551: unblock: dbus/1.8.12-1



Control: retitle -1 unblock: dbus/1.8.12-1
Control: tags -1 - moreinfo

On Sat, 22 Nov 2014 at 11:53:23 +0000, Adam D. Barratt wrote:
> Looks okay to me; thanks.
> 
> Please remove the moreinfo tag once you've uploaded.

Uploaded, see attached for the final debdiff (filtering out configure
and ltmain.sh).

    S
diffstat for dbus-1.8.10 dbus-1.8.12

 HACKING                   |    5 +++++
 NEWS                      |   29 +++++++++++++++++++++++++++++
 README                    |   19 +++++++++++++++++++
 bus/bus.c                 |    2 +-
 bus/config-parser.c       |    2 +-
 bus/connection.c          |    8 ++++++++
 configure.ac              |    4 ++--
 debian/changelog          |   12 ++++++++++++
 debian/dbus.README.Debian |   32 ++++++++++++++++++++++++++++++++
 9 files changed, 109 insertions(+), 4 deletions(-)

diff -Nru --exclude configure --exclude ltmain.sh dbus-1.8.10/bus/bus.c dbus-1.8.12/bus/bus.c
--- dbus-1.8.10/bus/bus.c	2014-11-06 15:30:51.000000000 +0000
+++ dbus-1.8.12/bus/bus.c	2014-11-14 18:39:10.000000000 +0000
@@ -1660,7 +1660,7 @@
       complain_about_message (context, DBUS_ERROR_ACCESS_DENIED,
           "Rejected receive message", toggles,
           message, sender, proposed_recipient, requested_reply,
-          (addressed_recipient == proposed_recipient), NULL);
+          (addressed_recipient == proposed_recipient), error);
       _dbus_verbose ("security policy disallowing message due to recipient policy\n");
       return FALSE;
     }
diff -Nru --exclude configure --exclude ltmain.sh dbus-1.8.10/bus/config-parser.c dbus-1.8.12/bus/config-parser.c
--- dbus-1.8.10/bus/config-parser.c	2014-11-04 14:51:05.000000000 +0000
+++ dbus-1.8.12/bus/config-parser.c	2014-11-22 10:49:21.000000000 +0000
@@ -438,7 +438,7 @@
        * and legitimate auth will fail.  If interactive auth (ask user for
        * password) is allowed, then potentially it has to be quite long.
        */
-      parser->limits.auth_timeout = 5000; /* 5 seconds */
+      parser->limits.auth_timeout = 30000; /* 30 seconds */
 
       /* Do not allow a fd to stay forever in dbus-daemon
        * https://bugs.freedesktop.org/show_bug.cgi?id=80559
diff -Nru --exclude configure --exclude ltmain.sh dbus-1.8.10/bus/connection.c dbus-1.8.12/bus/connection.c
--- dbus-1.8.10/bus/connection.c	2014-11-04 14:51:05.000000000 +0000
+++ dbus-1.8.12/bus/connection.c	2014-11-22 10:49:21.000000000 +0000
@@ -860,6 +860,14 @@
 
           if (elapsed >= (double) auth_timeout)
             {
+              /* Unfortunately, we can't identify the connection: it doesn't
+               * have a unique name yet, we don't know its uid/pid yet,
+               * and so on. */
+              bus_context_log (connections->context, DBUS_SYSTEM_LOG_INFO,
+                  "Connection has not authenticated soon enough, closing it "
+                  "(auth_timeout=%dms, elapsed: %.0fms)",
+                  auth_timeout, elapsed);
+
               _dbus_verbose ("Timing out authentication for connection %p\n", connection);
               dbus_connection_close (connection);
             }
diff -Nru --exclude configure --exclude ltmain.sh dbus-1.8.10/configure.ac dbus-1.8.12/configure.ac
--- dbus-1.8.10/configure.ac	2014-11-06 15:34:45.000000000 +0000
+++ dbus-1.8.12/configure.ac	2014-11-24 13:01:26.000000000 +0000
@@ -3,7 +3,7 @@
 
 m4_define([dbus_major_version], [1])
 m4_define([dbus_minor_version], [8])
-m4_define([dbus_micro_version], [10])
+m4_define([dbus_micro_version], [12])
 m4_define([dbus_version],
           [dbus_major_version.dbus_minor_version.dbus_micro_version])
 AC_INIT([dbus],[dbus_version],[https://bugs.freedesktop.org/enter_bug.cgi?product=dbus],[dbus])
@@ -37,7 +37,7 @@
 
 ## increment any time the source changes; set to
 ##  0 if you increment CURRENT
-LT_REVISION=8
+LT_REVISION=9
 
 ## increment if any interfaces have been added; set to 0
 ## if any interfaces have been changed or removed. removal has
diff -Nru --exclude configure --exclude ltmain.sh dbus-1.8.10/debian/changelog dbus-1.8.12/debian/changelog
--- dbus-1.8.10/debian/changelog	2014-11-06 16:28:35.000000000 +0000
+++ dbus-1.8.12/debian/changelog	2014-11-24 13:46:14.000000000 +0000
@@ -1,3 +1,15 @@
+dbus (1.8.12-1) unstable; urgency=medium
+
+  * New upstream release 1.8.12
+    - increase auth_timeout from 5 seconds back to 30 seconds since it
+      appears to cause slow or failed boot on some systems, reverting a
+      change in 1.8.8 (Closes: #769069)
+    - add a README.Debian to the dbus package documenting how
+      sysadmins with hostile local users can get the lower timeout back,
+      if their systems are fast enough to boot correctly like that
+
+ -- Simon McVittie <smcv@debian.org>  Mon, 24 Nov 2014 13:46:01 +0000
+
 dbus (1.8.10-1) unstable; urgency=medium
 
   * New upstream release 1.8.10
diff -Nru --exclude configure --exclude ltmain.sh dbus-1.8.10/debian/dbus.README.Debian dbus-1.8.12/debian/dbus.README.Debian
--- dbus-1.8.10/debian/dbus.README.Debian	1970-01-01 01:00:00.000000000 +0100
+++ dbus-1.8.12/debian/dbus.README.Debian	2014-11-24 13:46:14.000000000 +0000
@@ -0,0 +1,32 @@
+Adjusting limits to mitigate denial of service
+==============================================
+
+'dbus-daemon --system' has several arbitrary limits which are a trade-off
+between working correctly when not under attack, and preventing local
+denial of service attacks. System administrators with particularly hostile
+local users should review these limits and tune them if necessary.
+
+In particular, the fix for CVE-2014-3639 in dbus-1.8.8 makes it difficult
+for local users to prevent connections completely, but they can still
+introduce a delay which increases with larger authentication timeout
+(auth_timeout) values, by opening many parallel connections from
+different processes and never completing the authentication handshake.
+As a result, dbus 1.8.8 also reduced the auth_timeout from 30 seconds
+to 5 seconds to mitigate this delay. However, this change resulted in
+boot failures on some systems because systemd could not authenticate
+sufficiently quickly while the system was busy, and was reverted in 1.8.12.
+
+On fast systems with hostile local users, administrators can reduce this
+delay by returning to the 5 second timeout (or any other value in
+milliseconds), by saving this as /etc/dbus-1/system-local.conf or a file
+matching /etc/dbus-1/system.d/*.conf:
+
+  <busconfig>
+    <limit name="auth_timeout">5000</limit>
+  </busconfig>
+
+If applying this change, please reboot several times and check the
+syslog or Journal for messages containing "Connection has not authenticated
+soon enough, closing it". Seeing that message while not subject to a
+denial-of-service attack indicates that the auth_timeout has been set
+too short.
diff -Nru --exclude configure --exclude ltmain.sh dbus-1.8.10/HACKING dbus-1.8.12/HACKING
--- dbus-1.8.10/HACKING	2014-11-04 14:51:05.000000000 +0000
+++ dbus-1.8.12/HACKING	2014-11-14 19:06:38.000000000 +0000
@@ -11,6 +11,11 @@
 Security
 ===
 
+If you find a security vulnerability that is not known to the public,
+please report it privately to dbus-security@lists.freedesktop.org
+or by reporting a freedesktop.org bug that is marked as
+restricted to the "D-BUS security group".
+
 Most of D-Bus is security sensitive.  Guidelines related to that:
 
  - avoid memcpy(), sprintf(), strlen(), snprintf, strlcat(),
diff -Nru --exclude configure --exclude ltmain.sh dbus-1.8.10/NEWS dbus-1.8.12/NEWS
--- dbus-1.8.10/NEWS	2014-11-06 15:39:02.000000000 +0000
+++ dbus-1.8.12/NEWS	2014-11-24 13:01:19.000000000 +0000
@@ -1,3 +1,32 @@
+D-Bus 1.8.12 (2014-11-24)
+==
+
+The “days of fuchsia passed” release.
+
+Fixes:
+
+• Partially revert the CVE-2014-3639 patch by increasing the default
+  authentication timeout on the system bus from 5 seconds back to 30
+  seconds, since this has been reported to cause boot regressions for
+  some users, mostly with parallel boot (systemd) on slower hardware.
+
+  On fast systems where local users are considered particularly hostile,
+  administrators can return to the 5 second timeout (or any other value
+  in milliseconds) by saving this as /etc/dbus-1/system-local.conf:
+
+  <busconfig>
+    <limit name="auth_timeout">5000</limit>
+  </busconfig>
+
+  (fd.o #86431, Simon McVittie)
+
+• Add a message in syslog/the Journal when the auth_timeout is exceeded
+  (fd.o #86431, Simon McVittie)
+
+• Send back an AccessDenied error if the addressed recipient is not allowed
+  to receive a message (and in builds with assertions enabled, don't
+  assert under the same conditions). (fd.o #86194, Jacek Bukarewicz)
+
 D-Bus 1.8.10 (2014-11-10)
 ==
 
diff -Nru --exclude configure --exclude ltmain.sh dbus-1.8.10/README dbus-1.8.12/README
--- dbus-1.8.10/README	2014-11-04 14:51:05.000000000 +0000
+++ dbus-1.8.12/README	2014-11-14 19:13:23.000000000 +0000
@@ -29,6 +29,25 @@
 only by accident; so you should evaluate carefully whether D-Bus makes
 sense for your project.
 
+Security
+==
+
+If you find a security vulnerability that is not known to the public,
+please report it privately to dbus-security@lists.freedesktop.org
+or by reporting a freedesktop.org bug that is marked as
+restricted to the "D-BUS security group" (you might need to "Show
+Advanced Fields" to have that option).
+
+On Unix systems, the system bus (dbus-daemon --system) is designed
+to be a security boundary between users with different privileges.
+
+On Unix systems, the session bus (dbus-daemon --session) is designed
+to be used by a single user, and only accessible by that user.
+
+We do not currently consider D-Bus on Windows to be security-supported,
+and we do not recommend allowing untrusted users to access Windows
+D-Bus via TCP.
+
 Note: low-level API vs. high-level binding APIs
 ===
 

Reply to: