From 8b4cd106c12354858712db8c654b1cb5f011a55c35f094b39c01403d0c6c8df1 Mon Sep 17 00:00:00 2001 
From: Simon Lees Date: Fri, 17 Jul 2020 00:09:42 +0000 Subject: [PATCH] Accepting request 821367 from home:elimat:branches:Base:System - Update to 1.12.20 * On Unix, avoid a use-after-free if two usernames have the same numeric uid. In older versions this could lead to a crash (denial of service) or other undefined behaviour, possibly including incorrect authorization decisions if <policy group=...> is used. Like Unix filesystems, D-Bus' model of identity cannot distinguish between users of different names with the same numeric uid, so this configuration is not advisable on systems where D-Bus will be used. Thanks to Daniel Onaca. (dbus#305, dbus!166; Simon McVittie) - From 1.12.18 * CVE-2020-12049: If a message contains more file descriptors than can be sent, close those that did get through before reporting error. Previously, a local attacker could cause the system dbus-daemon (or another system service with its own DBusServer) to run out of file descriptors, by repeatedly connecting to the server and sending fds that would get leaked. Thanks to Kevin Backhouse of GitHub Security Lab.
(dbus#294, GHSL-2020-057; Simon McVittie) * Fix a crash when the dbus-daemon is terminated while one or more monitors are active (dbus#291, dbus!140; Simon McVittie) * The dbus-send(1) man page now documents --bus and --peer instead of the old --address synonym for --peer, which has been deprecated since the introduction of --bus and --peer in 1.7.6 (fd.o #48816, dbus!115; Chris Morin) * Fix a wrong environment variable name in dbus-daemon(1) (dbus#275, dbus!122; Mubin, Philip Withnall) * Fix formatting of dbus_message_append_args example (dbus!126, Felipe Franciosi) * Avoid a test failure on Linux when built in a container as uid 0, but without the necessary privileges to increase resource limits (dbus!58, Debian #908092; Simon McVittie) * When building with CMake, cope with libX11 in a non-standard location (dbus!129, Tuomo Rinne) - Run spec-cleaner OBS-URL: https://build.opensuse.org/request/show/821367 OBS-URL: https://build.opensuse.org/package/show/Base:System/dbus-1?expand=0&rev=293 --- dbus-1-devel-doc.spec | 8 +++----- dbus-1-x11.spec | 9 ++++----- dbus-1.12.16.tar.gz | 3 --- dbus-1.12.16.tar.gz.asc | 16 ---------------- dbus-1.12.20.tar.gz | 3 +++ dbus-1.12.20.tar.gz.asc | 16 ++++++++++++++++ dbus-1.changes | 39 +++++++++++++++++++++++++++++++++++++++ dbus-1.spec | 15 +++++---------- 8 files changed, 70 insertions(+), 39 deletions(-) delete mode 100644 dbus-1.12.16.tar.gz delete mode 100644 dbus-1.12.16.tar.gz.asc create mode 100644 dbus-1.12.20.tar.gz create mode 100644 dbus-1.12.20.tar.gz.asc diff --git a/dbus-1-devel-doc.spec b/dbus-1-devel-doc.spec index 0c2f896..0d6e4b9 100644 --- a/dbus-1-devel-doc.spec +++ b/dbus-1-devel-doc.spec 
@@ -21,15 +21,13 @@ %define _libname libdbus-1-3 # Temporary code to disable service restart on update sflees@suse.de boo#1020301 %global _backup %{_sysconfdir}/sysconfig/services.rpmbak.%{name}-%{version}-%{release} - %bcond_without selinux Name: dbus-1-devel-doc -Version: 1.12.16 +Version: 1.12.20 Release: 0 Summary: Developer documentation package for D-Bus License: GPL-2.0-or-later OR AFL-2.1 -Group: Development/Libraries/Other -URL: http://dbus.freedesktop.org/ +URL: https://dbus.freedesktop.org/ Source0: http://dbus.freedesktop.org/releases/dbus/%{_name}-%{version}.tar.gz Source1: http://dbus.freedesktop.org/releases/dbus/%{_name}-%{version}.tar.gz.asc Source2: dbus-1.keyring @@ -75,7 +73,7 @@ echo 'GENERATE_MAN=NO' >> Doxyfile.in --without-x doxygen -u -make -C doc +%make_build -C doc %install %make_install -C doc diff --git a/dbus-1-x11.spec b/dbus-1-x11.spec index ff62c76..817fb5a 100644 --- a/dbus-1-x11.spec +++ b/dbus-1-x11.spec @@ -23,12 +23,11 @@ %endif %bcond_without selinux Name: dbus-1-x11 -Version: 1.12.16 +Version: 1.12.20 Release: 0 Summary: D-Bus Message Bus System License: GPL-2.0-or-later OR AFL-2.1 -Group: System/Daemons -URL: http://dbus.freedesktop.org/ +URL: https://dbus.freedesktop.org/ Source0: http://dbus.freedesktop.org/releases/dbus/%{_name}-%{version}.tar.gz Source1: http://dbus.freedesktop.org/releases/dbus/%{_name}-%{version}.tar.gz.asc Source2: dbus-1.keyring @@ -48,7 +47,7 @@ BuildRequires: pkgconfig(libsystemd) >= 209 BuildRequires: pkgconfig(x11) Requires(post): update-alternatives Requires(preun): update-alternatives -Supplements: packageand(dbus-1:libX11-6) +Supplements: (dbus-1 and libX11-6) Provides: dbus-launch %if %{with selinux} BuildRequires: libselinux-devel @@ -88,7 +87,7 @@ export V=1 --with-systemdsystemunitdir=%{_unitdir} \ --with-systemduserunitdir=%{_userunitdir} \ --with-x -make %{?_smp_mflags} +%make_build %install tdir=$(mktemp -d) 
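Review bot: `Source0` and `Source1` in the first dbus-1-devel-doc.spec hunk still point at `http://dbus.freedesktop.org/releases/dbus/...` even though the same hunk moves `URL:` to https, so the tarball and its detached signature are still named by a plaintext URL; the same context lines appear in the first hunks of dbus-1-x11.spec and dbus-1.spec. I would change them to `Source0: https://dbus.freedesktop.org/releases/dbus/%{_name}-%{version}.tar.gz` and `Source1: https://dbus.freedesktop.org/releases/dbus/%{_name}-%{version}.tar.gz.asc` in all three spec files. The integrity of the new 1.12.20 tarball then rests on checking the `.asc` against `dbus-1.keyring` (Source2). No verification step is visible in these hunks, so it is worth confirming that the build or the source service actually performs it. The spec preamble continues outside the hunk.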
diff --git a/dbus-1.12.16.tar.gz b/dbus-1.12.16.tar.gz
deleted file mode 100644
index c18067f..0000000
--- a/dbus-1.12.16.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:54a22d2fa42f2eb2a871f32811c6005b531b9613b1b93a0d269b05e7549fec80
-size 2093296
diff --git a/dbus-1.12.16.tar.gz.asc b/dbus-1.12.16.tar.gz.asc
deleted file mode 100644
index 4d8d1a9..0000000
--- a/dbus-1.12.16.tar.gz.asc
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEENuxaZEik9e95vv6Y4FrhR4+BTE8FAlz9bG4ACgkQ4FrhR4+B
-TE/zjxAAs6AUPEMcTg8SWwOo+VJIcYRfqDZUVvBOGR7oWSwIWGs7w16k4NjGa5WA
-yKE/vjaUuezXwBW54ebCBLdi2MSRszIjS1O2FcRSF4M1A6kn3q0eK0SZdi7Tc63O
-8n197f7usZOLXFSx5onpm5ToHuXmj2+F6jwwpX5qNmyyRgJkEozzzxTQkiEp+xwX
-TSITwhBxJu1VAfnaq/Z+puIqQpkK8gTJ+Rg9by+OVqqN5AVaKxDDGHEjw2q+oTyH
-EPJH17BXevk7t8p4iHW6qU82tsnEw4EuxBA8GLQKAAhisrL9BOpcFpAmQpbClNlR
-Cy+vdebE1/snIwpbPrDVT3iYd4xUWcd/RYKNEtoX6m9+bvs4jqnxuepVZj6HNbf8
-0NKIdc0zI4GrDcUVkVvcfGmpU05/30RGZP1xDXml8s2EwXJBJX+yUKvGEnKado8K
-poB0Qi9I3mlfY5eWzwW8m0vdkjccEt0Q6qgbgNYpXMLWUxTKICBud4Y37T26twYy
-2+LpD/Pstlrge/vlv8zK7VSpS+b2CZhrualZ74+IcYVEndhgdRXf5PCyOWxf93kw
-xME+ijt9QG0eTUTiFcC3hNJ2IW5hrWdNBTaVj8eIPxR7MWghLpzPjZU8M6dfZ/Wn
-FuIbR/Q5XazqDUQWokSCi2sf4HktO0t28xV200ZtxgL8YbrOQzM=
-=Olzi
------END PGP SIGNATURE-----
diff --git a/dbus-1.12.20.tar.gz b/dbus-1.12.20.tar.gz
new file mode 100644
index 0000000..e2637e1
--- /dev/null
+++ b/dbus-1.12.20.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f77620140ecb4cdc67f37fb444f8a6bea70b5b6461f12f1cbe2cec60fa7de5fe
+size 2095511
diff --git a/dbus-1.12.20.tar.gz.asc b/dbus-1.12.20.tar.gz.asc
new file mode 100644
index 0000000..6f42cb0
--- /dev/null
+++ b/dbus-1.12.20.tar.gz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEENuxaZEik9e95vv6Y4FrhR4+BTE8FAl793S8ACgkQ4FrhR4+B
+TE8Cfg//Ysb9qT9xLUvCCHdmg+efz1DCks9W21MnZ9EN7qIx/mJPZhqpy9nbaHGy
+xQl2hnYagPZXWy7ly8HpakvzYfjtyRMCd7570n/cMmVXTF5bnfOr1feScrNEEJPc
+R6LreRPVDPdiKak1bF8VeVLpil89WrtU4xRzcpWxhZLlPiN1ebOSjEKtzaW4sDYB
+KdLXLRqcVgdm44NZrTB/xic0hJrO6fhTqiJVx6Lc/CoE9FNO+/60/H2PYIWRedSm
+bEx76RmUJEn1c/+wCyixmiTE0aEWGbKIsTR5mZmnw5BFI9SegQk7cD67kLvqMgpz
+c+SMl0ivihTgcaH9jPKeg6fEvTTMkuxHQyMgYV5Rwoq0ukTgQ+b+/MjYa5OX0QqY
+4YLDqNdgVfdNabxAeGvtNoDLwIHuveB151W9/ANTd420uqkWlCjzriEAjyYv8AJt
+O53dQn6KGos8QmAKyF3dmKKZb7d2XfJLa0byHt84DeM0kAabq7P9ypf4YkbmqLCC
+Eb8kiP8FbNYaQs9i1L2D4RXK8fnZA88aQVf7yBcILJBsQDI/plZuxmSzZLMBF3dw
+SxhcGN3ArsoOqqqWnJt65Sxtt95vO9mpOvrHMB9iQWM3X2zVXh+Et8P2QY9HVhCp
+Xmj3TH9Oc6OjBipqdR8OzdTtc7lnBwjuzMhw6g2S08ZQJovniOE=
+=cwnZ
+-----END PGP SIGNATURE-----
diff --git a/dbus-1.changes b/dbus-1.changes
index 8327151..ab4418e 100644
--- a/dbus-1.changes
+++ b/dbus-1.changes
@@ -1,3 +1,42 @@
+-------------------------------------------------------------------
+Thu Jul 16 21:28:10 UTC 2020 - Matthias Eliasson
+
+- Update to 1.12.20
+ * On Unix, avoid a use-after-free if two usernames have the same
+ numeric uid. In older versions this could lead to a crash (denial of
+ service) or other undefined behaviour, possibly including incorrect
+ authorization decisions if is used.
+ Like Unix filesystems, D-Bus' model of identity cannot distinguish
+ between users of different names with the same numeric uid, so this
+ configuration is not advisable on systems where D-Bus will be used.
+ Thanks to Daniel Onaca.
+ (dbus#305, dbus!166; Simon McVittie)
+- From 1.12.18
+ * CVE-2020-12049: If a message contains more file descriptors than can
+ be sent, close those that did get through before reporting error.
+ Previously, a local attacker could cause the system dbus-daemon (or
+ another system service with its own DBusServer) to run out of file
+ descriptors, by repeatedly connecting to the server and sending fds that
+ would get leaked.
+ Thanks to Kevin Backhouse of GitHub Security Lab.
+ (dbus#294, GHSL-2020-057; Simon McVittie) + * Fix a crash when the dbus-daemon is terminated while one or more + monitors are active (dbus#291, dbus!140; Simon McVittie) + * The dbus-send(1) man page now documents --bus and --peer instead of + the old --address synonym for --peer, which has been deprecated since + the introduction of --bus and --peer in 1.7.6 + (fd.o #48816, dbus!115; Chris Morin) + * Fix a wrong environment variable name in dbus-daemon(1) + (dbus#275, dbus!122; Mubin, Philip Withnall) + * Fix formatting of dbus_message_append_args example + (dbus!126, Felipe Franciosi) + * Avoid a test failure on Linux when built in a container as uid 0, but + without the necessary privileges to increase resource limits + (dbus!58, Debian #908092; Simon McVittie) + * When building with CMake, cope with libX11 in a non-standard location + (dbus!129, Tuomo Rinne) +- Run spec-cleaner + ------------------------------------------------------------------- Sun Jan 19 02:59:34 UTC 2020 - Stefan BrĂ¼ns diff --git a/dbus-1.spec b/dbus-1.spec index 2a4ccf7..6386055 100644 --- a/dbus-1.spec +++ b/dbus-1.spec @@ -19,15 +19,13 @@ %define with_systemd 1 %define _name dbus %define _libname libdbus-1-3 - %bcond_without selinux Name: dbus-1 -Version: 1.12.16 +Version: 1.12.20 Release: 0 Summary: D-Bus Message Bus System License: GPL-2.0-or-later OR AFL-2.1 -Group: System/Daemons -URL: http://dbus.freedesktop.org/ +URL: https://dbus.freedesktop.org/ Source0: http://dbus.freedesktop.org/releases/dbus/%{_name}-%{version}.tar.gz Source1: http://dbus.freedesktop.org/releases/dbus/%{_name}-%{version}.tar.gz.asc Source2: dbus-1.keyring 
@@ -53,18 +51,16 @@ Requires(post): update-alternatives Requires(pre): permissions Requires(preun): update-alternatives Provides: dbus-launch +%sysusers_requires %if %{with selinux} BuildRequires: libselinux-devel %endif -%sysusers_requires %package -n %{_libname} Summary: Library package for D-Bus -Group: Development/Libraries/Other %package devel Summary: Developer package for D-Bus -Group: Development/Libraries/Other Requires: %{_libname} = %{version} Requires: dbus-1 = %{version} Requires: glibc-devel @@ -122,14 +118,14 @@ export V=1 --with-systemdsystemunitdir=%{_unitdir} \ --with-systemduserunitdir=%{_userunitdir} \ --without-x -make %{?_smp_mflags} +%make_build # The original dbus sysusers config does not create our account, # overwrite it with our user definition cp %{SOURCE5} bus/sysusers.d/dbus.conf %sysusers_generate_pre %{SOURCE5} messagebus %check -make %{?_smp_mflags} check +%make_build check %install %make_install @@ -175,7 +171,6 @@ rm -Rf %{buildroot}%{_datadir}/doc/dbus %post -n %{_libname} -p /sbin/ldconfig %postun -n %{_libname} -p /sbin/ldconfig - %pre -f messagebus.pre %service_add_pre dbus.service dbus.socket