
Bug#840350: marked as done (jessie-pu: package dbus/1.8.22-0+deb8u1)



Your message dated Sat, 14 Jan 2017 12:37:03 +0000
with message-id <1484397423.1091.25.camel@adam-barratt.org.uk>
and subject line Closing requests included in today's point release
has caused the Debian Bug report #840350,
regarding jessie-pu: package dbus/1.8.22-0+deb8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
840350: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840350
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

I've released a new upstream version of dbus which fixes a potential
security vulnerability. I don't *think* it's exploitable in Debian
oldstable or later, so the security team don't intend to do a DSA;
but I'd like to get the fix into jessie in case we were wrong.
Advisory: <http://www.openwall.com/lists/oss-security/2016/10/10/9>

In addition, I'd like to fix dbus RC bug
<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=813970> (dbus fails
to remove if something is trying to connect to the system bus in
parallel with the removal process), which has been fixed in unstable
since March.

Proposed debdiff is attached, with Autotools noise stripped. This is
the minimal version which doesn't add a dependency; the "nice" version
would be to use deb-systemd-invoke instead of systemctl, but
init-system-helpers isn't Essential in jessie, so I'd have to add
a dependency for that. Please let me know which you'd prefer.

The one thing you might find odd in the debdiff is that it adds
-Wno-deprecated-declarations. This was necessary to be able to build
the new upstream release on recent distributions where readdir_r()
is marked deprecated; it doesn't have any practical impact on the
binary contents.

Regards,
    S
# debdiff --exclude=config.guess --exclude=config.sub --exclude=config.h.in --exclude=configure --exclude=install-sh --exclude=ltmain.sh --exclude=m4 --exclude=Makefile.in dbus_1.8.20-0%2bdeb8u1.dsc dbus_1.8.22-0+deb8u1.dsc

diffstat for dbus-1.8.20 dbus-1.8.22

 NEWS              |   21 +++++++++++++++++++++
 bus/activation.c  |    2 +-
 configure.ac      |    5 +++--
 debian/changelog  |   11 +++++++++++
 debian/dbus.prerm |   14 ++++++++++++++
 5 files changed, 50 insertions(+), 3 deletions(-)

diff -Nru --exclude config.guess --exclude config.sub --exclude config.h.in --exclude configure --exclude install-sh --exclude ltmain.sh --exclude m4 --exclude Makefile.in dbus-1.8.20/bus/activation.c dbus-1.8.22/bus/activation.c
--- dbus-1.8.20/bus/activation.c	2015-05-14 13:23:25.000000000 +0100
+++ dbus-1.8.22/bus/activation.c	2016-10-10 10:08:30.000000000 +0100
@@ -2249,7 +2249,7 @@
                              DBUS_TYPE_STRING, &code,
                              DBUS_TYPE_STRING, &str,
                              DBUS_TYPE_INVALID))
-    dbus_set_error(&error, code, str);
+    dbus_set_error (&error, code, "%s", str);
 
 
   if (unit)
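Review bot: this is the format-string fix the changelog describes and it is correct: `str` is the body of the ActivationFailure message received over the bus, and in the old line `dbus_set_error(&error, code, str);` it was used as the format argument, so any `%` directive in it would have been interpreted; with `dbus_set_error (&error, code, "%s", str);` the body is plain data. Worth confirming as a follow-up that `dbus_set_error` carries a printf-format attribute so that `-Wformat-security` (or `-Wformat=2`) flags any other call site that still passes a non-literal format, and that the build log for this upload shows no such warning.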
diff -Nru --exclude config.guess --exclude config.sub --exclude config.h.in --exclude configure --exclude install-sh --exclude ltmain.sh --exclude m4 --exclude Makefile.in dbus-1.8.20/configure.ac dbus-1.8.22/configure.ac
--- dbus-1.8.20/configure.ac	2015-07-21 17:32:10.000000000 +0100
+++ dbus-1.8.22/configure.ac	2016-10-10 10:21:56.000000000 +0100
@@ -3,7 +3,7 @@
 
 m4_define([dbus_major_version], [1])
 m4_define([dbus_minor_version], [8])
-m4_define([dbus_micro_version], [20])
+m4_define([dbus_micro_version], [22])
 m4_define([dbus_version],
           [dbus_major_version.dbus_minor_version.dbus_micro_version])
 AC_INIT([dbus],[dbus_version],[https://bugs.freedesktop.org/enter_bug.cgi?product=dbus],[dbus])
@@ -37,7 +37,7 @@
 
 ## increment any time the source changes; set to
 ##  0 if you increment CURRENT
-LT_REVISION=13
+LT_REVISION=14
 
 ## increment if any interfaces have been added; set to 0
 ## if any interfaces have been changed or removed. removal has
@@ -1347,6 +1347,7 @@
   dnl - type-limits is probably a bug too, but having the rest of -Wextra
   dnl   is better than nothing
   [$DISABLE_UNUSED_WARNINGS \
+   deprecated-declarations \
    missing-field-initializers \
    unused-parameter \
    sign-compare \
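Review bot: the added `+   deprecated-declarations \` entry ends up as `-Wno-deprecated-declarations` for the whole tree, not just the `readdir_r()` use the cover letter mentions, and it is the only entry in this list without a justification; the neighbouring lines each carry a `dnl` comment (see `dnl - type-limits is probably a bug too, but having the rest of -Wextra`), so this one should get a matching `dnl` note naming readdir_r and the toolchains that deprecate it, otherwise nobody will know when it is safe to drop again.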
diff -Nru --exclude config.guess --exclude config.sub --exclude config.h.in --exclude configure --exclude install-sh --exclude ltmain.sh --exclude m4 --exclude Makefile.in dbus-1.8.20/debian/changelog dbus-1.8.22/debian/changelog
--- dbus-1.8.20/debian/changelog	2015-07-21 18:02:01.000000000 +0100
+++ dbus-1.8.22/debian/changelog	2016-10-10 11:42:50.000000000 +0100
@@ -1,3 +1,14 @@
+dbus (1.8.22-0+deb8u1) jessie; urgency=medium
+
+  * New upstream bugfix release
+    - fix a potential format string vulnerability, which is not believed
+      to be exploitable in practice
+  * dbus.prerm: ensure that dbus.socket is stopped before removal,
+    so that a new connection to the bus won't cause dbus.service to be
+    restarted (Closes: #813970)
+
+ -- Simon McVittie <smcv@debian.org>  Mon, 10 Oct 2016 11:42:50 +0100
+
 dbus (1.8.20-0+deb8u1) jessie; urgency=medium
 
   * New upstream bugfix release
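Review bot: the changelog line `- fix a potential format string vulnerability, which is not believed` cites neither the upstream bug nor the advisory, while the NEWS entry in the same debdiff gives `fd.o #98157` and the cover letter gives the oss-security post; adding one of those references here would let the security tracker and anyone reading `apt-get changelog` correlate the update without opening NEWS. The `(Closes: #813970)` on the prerm item is fine.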
diff -Nru --exclude config.guess --exclude config.sub --exclude config.h.in --exclude configure --exclude install-sh --exclude ltmain.sh --exclude m4 --exclude Makefile.in dbus-1.8.20/debian/dbus.prerm dbus-1.8.22/debian/dbus.prerm
--- dbus-1.8.20/debian/dbus.prerm	1970-01-01 01:00:00.000000000 +0100
+++ dbus-1.8.22/debian/dbus.prerm	2016-10-10 11:42:50.000000000 +0100
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+set -e
+
+if [ -d /run/systemd/system ] && [ "$1" = remove ]; then
+	# Before stopping dbus-daemon, ensure that it won't just be
+	# reactivated by dbus.socket. The "invoke-rc.d dbus stop"
+	# added by debhelper, below, will harmlessly not do anything.
+	systemctl stop dbus.socket dbus.service || exit $?
+fi
+
+#DEBHELPER#
+
+exit 0
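Review bot: `systemctl stop dbus.socket dbus.service || exit $?` is redundant under the `set -e` on line 3, which already aborts the script with the failing command's status; either form works, but the `|| exit $?` reads as a deliberate exception that isn't there, so I'd drop it. Two behavioural points worth stating in the comment: calling `systemctl` directly bypasses `policy-rc.d`, so this stop also happens in chroots and containers where `invoke-rc.d` would have been refused (the deb-systemd-invoke variant from the cover letter would honour it), and gating on `"$1" = remove` correctly leaves the running bus alone on upgrade and deconfigure. The `[ -d /run/systemd/system ]` test is the standard check for systemd being the running init, so that part is fine.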
diff -Nru --exclude config.guess --exclude config.sub --exclude config.h.in --exclude configure --exclude install-sh --exclude ltmain.sh --exclude m4 --exclude Makefile.in dbus-1.8.20/NEWS dbus-1.8.22/NEWS
--- dbus-1.8.20/NEWS	2015-07-21 17:31:58.000000000 +0100
+++ dbus-1.8.22/NEWS	2016-10-10 10:21:56.000000000 +0100
@@ -1,3 +1,24 @@
+D-Bus 1.8.22 (2016-10-10)
+==
+
+The “barren and lifeless” release.
+
+Security fixes:
+
+• Do not treat ActivationFailure message received from root-owned systemd
+  name as a format string. In principle this is a security vulnerability,
+  but we do not believe it is exploitable in practice, because only
+  privileged processes can own the org.freedesktop.systemd1 bus name, and
+  systemd does not appear to send activation failures that contain "%".
+
+  Please note that this probably *was* exploitable in dbus versions
+  older than 1.6.30, 1.8.16 and 1.9.10 due to a missing check which at
+  the time was only thought to be a denial of service vulnerability
+  (CVE-2015-0245). If you are still running one of those versions,
+  patch or upgrade immediately.
+
+  (fd.o #98157, Simon McVittie)
+
 D-Bus 1.8.20 (2015-07-21)
 ==
 



--- End Message ---
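An added C example, not taken from the dbus source or from the debdiff above, showing the call shape that the activation.c hunk corrects; `set_error` is a hypothetical stand-in for `dbus_set_error` and `ErrorRecord` for `DBusError`. The printf-format attribute lets `-Wformat-security` flag the unsafe form at compile time, and the safe form stores a message containing `%` byte for byte.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for DBusError: just enough to show the call shape. */
typedef struct {
    char name[128];
    char message[256];
} ErrorRecord;

/* printf-style setter modelled on dbus_set_error(); the format attribute is
 * what lets -Wformat-security warn when the format is not a string literal. */
__attribute__((format(printf, 3, 4)))
static void set_error(ErrorRecord *err, const char *name, const char *fmt, ...)
{
    va_list ap;
    snprintf(err->name, sizeof err->name, "%s", name);
    va_start(ap, fmt);
    vsnprintf(err->message, sizeof err->message, fmt, ap);
    va_end(ap);
}

/* Call shape before the fix: the body received in the bus message becomes the
 * format string. Present only so the compiler diagnostic can be seen; it is
 * never called here and must not be fed untrusted input. */
void report_failure_unsafe(ErrorRecord *err, const char *code, const char *str)
{
    set_error(err, code, str);   /* -Wformat-security: format not a string literal */
}

/* Call shape after the fix (the "%s" change in bus/activation.c): the body is
 * an argument to a constant format, so '%' sequences in it are copied literally. */
static void report_failure_safe(ErrorRecord *err, const char *code, const char *str)
{
    set_error(err, code, "%s", str);
}

/* Returns 1 when the stored error is byte-for-byte the received name and body. */
static int message_preserved(const char *code, const char *str)
{
    ErrorRecord err;
    memset(&err, 0, sizeof err);
    report_failure_safe(&err, code, str);
    return strcmp(err.name, code) == 0 && strcmp(err.message, str) == 0;
}
```

Compile with `-Wformat -Wformat-security` to see the diagnostic on the unsafe call; the safe path is what the test below exercises.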
--- Begin Message ---
Version: 8.7

Hi,

Each of these bugs refers to an update that was included in today's 8.7
point release.

Regards,

Adam

--- End Message ---
