
Bug#776144: unblock: dbus/1.8.16-1



Control: retitle 776144 unblock: dbus/1.8.16-1

On Tue, 03 Feb 2015 at 21:47:44 +0000, Simon McVittie wrote:
> While I'm waiting for the d-i ack anyway, I've uploaded dbus/1.8.14-2 to
> avoid the bad dbus/systemd trigger interactions in upgrades

... and dbus/1.8.16-1 to fix a CVE (local denial of service, CVE-2015-0245,
https://bugs.debian.org/777545) which I consider to be RC. The bug number
is not in the changelog because I prepared and tested it under embargo,
but couldn't open the bug until unembargo day.

Diff below, omitting Autotools noise (config.sub, configure, Makefile.in).

The cmake changes do not affect the Debian package at all (we build using
Autotools) and are minimal bug fixes for other platforms, so I would prefer
to keep them, to avoid unnecessary delta between Debian and upstream.

    S

---------------------------------------------------------------------------

diffstat for dbus-1.8.14 dbus-1.8.16

 Makefile.in               |    4 ++--
 NEWS                      |   25 +++++++++++++++++++++++++
 bus/system.conf.in        |    8 ++++++++
 cmake/config.h.cmake      |    4 ++++
 cmake/test/CMakeLists.txt |    2 +-
 config.sub                |    9 +++++++--
 configure                 |   26 +++++++++++++-------------
 configure.ac              |    4 ++--
 debian/changelog          |    7 +++++++
 9 files changed, 69 insertions(+), 20 deletions(-)

diff -Nru dbus-1.8.14/bus/system.conf.in dbus-1.8.16/bus/system.conf.in
--- dbus-1.8.14/bus/system.conf.in	2014-12-31 15:41:32.000000000 +0000
+++ dbus-1.8.16/bus/system.conf.in	2015-02-04 16:45:16.000000000 +0000
@@ -68,6 +68,14 @@
     <deny send_destination="org.freedesktop.DBus"
           send_interface="org.freedesktop.DBus"
           send_member="UpdateActivationEnvironment"/>
+    <deny send_destination="org.freedesktop.DBus"
+          send_interface="org.freedesktop.systemd1.Activator"/>
+  </policy>
+
+  <!-- Only systemd, which runs as root, may report activation failures. -->
+  <policy user="root">
+    <allow send_destination="org.freedesktop.DBus"
+           send_interface="org.freedesktop.systemd1.Activator"/>
   </policy>
 
   <!-- Config files are placed here that among other things, punch 
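Review bot: the new deny/allow pair covers the whole org.freedesktop.systemd1.Activator interface, while the comment above the root policy and the NEWS entry describe the problem in terms of forged ActivationFailure messages; if that is the only member systemd sends on this interface, adding send_member="ActivationFailure" to the root allow (and the default deny) keeps the hole exactly as large as the fix needs. Since the fix is a change to the shipped bus/system.conf.in rather than a code check, an installation that keeps a locally modified /etc/dbus-1/system.conf at upgrade time does not get it until the two new rules are merged in; that deserves a line in the changelog or NEWS.Debian.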
diff -Nru dbus-1.8.14/cmake/config.h.cmake dbus-1.8.16/cmake/config.h.cmake
--- dbus-1.8.14/cmake/config.h.cmake	2014-12-31 15:41:32.000000000 +0000
+++ dbus-1.8.16/cmake/config.h.cmake	2015-02-03 15:47:02.000000000 +0000
@@ -248,4 +248,8 @@
 #define inline __inline
 #endif
 
+#ifdef DBUS_WIN
+#define FD_SETSIZE @FD_SETSIZE@
+#endif
+
 #endif  // _DBUS_CONFIG_H
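Review bot: @FD_SETSIZE@ is substituted from a CMake variable that nothing in this diff sets (under cmake/ only config.h.cmake and test/CMakeLists.txt change); if the variable is not already defined by the cmake build, configure_file turns the line into `#define FD_SETSIZE` with an empty value, a silent Windows build breakage rather than the 8K limit the NEWS entry promises. A guard such as `#ifndef FD_SETSIZE` around the block, or a default value in the CMakeLists, would make this robust. Also note the define only takes effect if it is seen before <winsock2.h> is first included in each translation unit, so config.h has to remain the first include on Windows.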
diff -Nru dbus-1.8.14/cmake/test/CMakeLists.txt dbus-1.8.16/cmake/test/CMakeLists.txt
--- dbus-1.8.14/cmake/test/CMakeLists.txt	2014-12-31 15:41:32.000000000 +0000
+++ dbus-1.8.16/cmake/test/CMakeLists.txt	2015-02-03 15:47:02.000000000 +0000
@@ -1,3 +1,4 @@
+include_directories(${CMAKE_SOURCE_DIR}/../test)
 
 add_definitions(${DBUS_INTERNAL_CLIENT_DEFINITIONS})
 
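Review bot: `${CMAKE_SOURCE_DIR}/../test` assumes CMAKE_SOURCE_DIR is the cmake/ subdirectory, i.e. that cmake is always invoked on cmake/ rather than on the top of the tree; the line being hoisted already made that assumption inside the GLib-only block below, but now that it applies to every test target a one-line comment stating it would help the next person who tries an in-tree cmake build. Worth confirming that the non-GLib tests actually need those headers, since that is what justifies moving it out of the conditional block.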
@@ -66,7 +67,6 @@
     include_directories(
         ${GLIB2_INCLUDE_DIR}
         ${GOBJECT_INCLUDE_DIR}
-        ${CMAKE_SOURCE_DIR}/../test
     )
     set(TEST_LIBRARIES ${DBUS_INTERNAL_LIBRARIES} dbus-testutils ${GLIB2_LIBRARIES} ${GOBJECT_LIBRARIES})
 
diff -Nru dbus-1.8.14/configure.ac dbus-1.8.16/configure.ac
--- dbus-1.8.14/configure.ac	2015-01-01 23:33:20.000000000 +0000
+++ dbus-1.8.16/configure.ac	2015-02-04 16:45:19.000000000 +0000
@@ -3,7 +3,7 @@
 
 m4_define([dbus_major_version], [1])
 m4_define([dbus_minor_version], [8])
-m4_define([dbus_micro_version], [14])
+m4_define([dbus_micro_version], [16])
 m4_define([dbus_version],
           [dbus_major_version.dbus_minor_version.dbus_micro_version])
 AC_INIT([dbus],[dbus_version],[https://bugs.freedesktop.org/enter_bug.cgi?product=dbus],[dbus])
@@ -37,7 +37,7 @@
 
 ## increment any time the source changes; set to
 ##  0 if you increment CURRENT
-LT_REVISION=10
+LT_REVISION=11
 
 ## increment if any interfaces have been added; set to 0
 ## if any interfaces have been changed or removed. removal has
diff -Nru dbus-1.8.14/debian/changelog dbus-1.8.16/debian/changelog
--- dbus-1.8.14/debian/changelog	2015-02-03 17:28:46.000000000 +0000
+++ dbus-1.8.16/debian/changelog	2015-02-04 20:15:37.000000000 +0000
@@ -1,3 +1,10 @@
+dbus (1.8.16-1) unstable; urgency=high
+
+  * New upstream release fixes a local denial of service
+    when using systemd activation (CVE-2015-0245)
+
+ -- Simon McVittie <smcv@debian.org>  Wed, 04 Feb 2015 20:14:46 +0000
+
 dbus (1.8.14-2) unstable; urgency=high
 
   * Relax the triggers from interest to interest-noawait (Closes: #771989;
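Review bot: the entry does not reference the Debian bug (#777545) that tracks this CVE, so the BTS will not record 1.8.16-1 as the fixed version on upload; the mail explains the bug could not be filed under embargo, so it should either be closed by hand with the version or referenced in the next upload. Naming the CVE alone also gives no hint that the fix is a bus policy change in system.conf, which administrators with a locally modified configuration need to know.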
diff -Nru dbus-1.8.14/NEWS dbus-1.8.16/NEWS
--- dbus-1.8.14/NEWS	2015-01-01 23:42:32.000000000 +0000
+++ dbus-1.8.16/NEWS	2015-02-04 16:48:51.000000000 +0000
@@ -1,3 +1,28 @@
+D-Bus 1.8.16 (2015-02-09)
+==
+
+The “poorly concealed wrestlers” release.
+
+Security fixes:
+
+• Do not allow non-uid-0 processes to send forged ActivationFailure
+  messages. On Linux systems with systemd activation, this would
+  allow a local denial of service: unprivileged processes could
+  flood the bus with these forged messages, winning the race with
+  the actual service activation and causing an error reply
+  to be sent back when service auto-activation was requested.
+  This does not prevent the real service from being started,
+  so it only works while the real service is not running.
+  (CVE-2015-0245, fd.o #88811; Simon McVittie)
+
+Other fixes:
+
+• fix a Windows build failure (fd.o #88009, Ralf Habacker)
+
+• on Windows, allow up to 8K connections to the dbus-daemon instead of the
+  previous 64, completing a previous fix which only worked under
+  Autotools (fd.o #71297, Ralf Habacker)
+
 D-Bus 1.8.14 (2015-01-05)
 ==
 
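Review bot: the first bullet says the daemon no longer allows non-uid-0 processes to send forged ActivationFailure messages, but the mechanism (the bus/system.conf.in hunk) is a default-policy change, not a code-level check; saying so here would tell downstreams and administrators that a non-stock bus configuration needs the two new rules merged before it is protected. The last sentence ("so it only works while the real service is not running") has an ambiguous subject; "so the attack only works while..." reads unambiguously.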
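To make the effect of the system.conf change concrete, here is an added example (not dbus project code and not part of the mail) that models how dbus-daemon evaluates send rules: default-context rules first, then the connecting user's own policy, last matching rule wins, no match means deny. The configuration is a constructed excerpt modelled on the hunk above, with the two CVE-2015-0245 rules switchable on and off; the model handles only <policy context="default"> and <policy user="..."> blocks and only the send_destination/send_interface/send_member/send_type attributes, skipping rules with other attributes, and matches user= literally (these simplifications are assumptions of the example, not how the real daemon resolves users or includedir).

```python
import xml.etree.ElementTree as ET

# Constructed excerpt modelled on bus/system.conf.in; not a copy of the real file.
# {default_fix} and {root_fix} hold the two rules the 1.8.16 diff adds.
CONF_TEMPLATE = """<busconfig>
  <policy context="default">
    <deny send_type="method_call"/>
    <allow send_type="signal"/>
    <allow send_destination="org.freedesktop.DBus"/>
    <deny send_destination="org.freedesktop.DBus"
          send_interface="org.freedesktop.DBus"
          send_member="UpdateActivationEnvironment"/>
    {default_fix}
  </policy>
  <policy user="root">
    {root_fix}
  </policy>
</busconfig>
"""

DEFAULT_FIX = ('<deny send_destination="org.freedesktop.DBus" '
               'send_interface="org.freedesktop.systemd1.Activator"/>')
ROOT_FIX = ('<allow send_destination="org.freedesktop.DBus" '
            'send_interface="org.freedesktop.systemd1.Activator"/>')

# Only these rule attributes are modelled (assumption of this example).
SEND_ATTRS = ("send_destination", "send_interface", "send_member", "send_type")


def system_conf(with_fix=True):
    """Constructed system.conf excerpt, with or without the CVE-2015-0245 rules."""
    return CONF_TEMPLATE.format(default_fix=DEFAULT_FIX if with_fix else "",
                                root_fix=ROOT_FIX if with_fix else "")


def load_rules(conf_xml):
    """Return (default_rules, {user: rules}); a rule is (allow, {attr: value}).
    Rules using attributes outside SEND_ATTRS (own=, receive_*, user=, ...)
    are skipped rather than misread as wildcard send rules."""
    root = ET.fromstring(conf_xml)
    default, per_user = [], {}
    for policy in root.findall("policy"):
        rules = []
        for elem in policy:
            if elem.tag not in ("allow", "deny") or not elem.attrib:
                continue
            if any(attr not in SEND_ATTRS for attr in elem.attrib):
                continue
            rules.append((elem.tag == "allow", dict(elem.attrib)))
        if policy.get("context") == "default":
            default.extend(rules)
        elif policy.get("user") is not None:
            per_user.setdefault(policy.get("user"), []).extend(rules)
    return default, per_user


def rule_matches(conds, message):
    """Every attribute on the rule must match the message; "*" matches anything."""
    for attr, value in conds.items():
        field = attr[len("send_"):]          # send_destination -> destination
        if value != "*" and message.get(field) != value:
            return False
    return True


def can_send(conf_xml, user, message):
    """Model of the daemon's send check: default-context rules first, then the
    user's own rules; the last matching rule decides; no match means deny."""
    default, per_user = load_rules(conf_xml)
    allowed = False
    for allow, conds in default + per_user.get(user, []):
        if rule_matches(conds, message):
            allowed = allow
    return allowed


# Constructed message: a forged ActivationFailure signal aimed at the bus driver.
FORGED_ACTIVATION_FAILURE = {
    "destination": "org.freedesktop.DBus",
    "interface": "org.freedesktop.systemd1.Activator",
    "member": "ActivationFailure",
    "type": "signal",
}

# Constructed message: an ordinary call to the bus driver that must keep working.
HELLO = {"destination": "org.freedesktop.DBus", "interface": "org.freedesktop.DBus",
         "member": "Hello", "type": "method_call"}


if __name__ == "__main__":
    for fixed in (False, True):
        conf = system_conf(with_fix=fixed)
        print(f"fix applied={fixed}: uid 1000 forged ActivationFailure ->",
              can_send(conf, "1000", FORGED_ACTIVATION_FAILURE),
              "| root ->", can_send(conf, "root", FORGED_ACTIVATION_FAILURE),
              "| uid 1000 Hello ->", can_send(conf, "1000", HELLO))
```

Without the two rules the forged signal is allowed for any user by the blanket `allow send_destination="org.freedesktop.DBus"`; with them the default-context deny overrides that for everyone, and the root policy, evaluated after the default context, re-allows it for uid 0 only, while Hello and the existing UpdateActivationEnvironment deny behave as before. Pointing `load_rules` at a deployed system.conf is a quick way to confirm the two rules survived a local edit.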

