Upgrading to upstream 1.8.14 release

OBS-URL: https://build.opensuse.org/package/show/Base:System/dbus-1?expand=0&rev=186
2015-01-06 08:03:58 +00:00 · 2015-01-06 08:03:58 +00:00 · 9333f96a64
commit 9333f96a64
parent 409bcf7d4f
6 changed files with 61 additions and 7 deletions
--- a/dbus-1-x11.changes
+++ b/dbus-1-x11.changes
@ -1,3 +1,30 @@
+-------------------------------------------------------------------
+Tue Jan  6 07:57:14 UTC 2015 - fstrba@suse.com
+
+- Update to 1.8.14
+  * Security hardening:
+    - Do not allow calls to UpdateActivationEnvironment from uids
+      other than the uid of the dbus-daemon. If a system service
+      installs unsafe security policy rules that allow arbitrary
+      method calls (such as CVE-2014-8148) then this prevents
+      memory consumption and possible privilege escalation via
+      UpdateActivationEnvironment.
+      We believe that in practice, privilege escalation here is
+      avoided by dbus-daemon-launch-helper sanitizing its
+      environment; but it seems better to be safe.
+    - Do not allow calls to UpdateActivationEnvironment or the
+      Stats interface on object paths other than
+      /org/freedesktop/DBus. Some system services install unsafe
+      security policy rules that allow arbitrary method calls to
+      any destination, method and interface with a specified object
+      path; while less bad than allowing arbitrary method calls,
+      these security policies are still harmful, since dbus-daemon
+      normally offers the same API on all object paths and other
+      system services might behave similarly.
+  * Other fixes:
+    - Add missing initialization so GetExtendedTcpTable doesn't
+      crash on Windows Vista SP0 (fdo#77008, Ilya A. Tkachenko)
+
 -------------------------------------------------------------------
 Tue Nov 25 07:43:12 UTC 2014 - fstrba@suse.com

--- a/dbus-1-x11.spec
+++ b/dbus-1-x11.spec
@ -1,7 +1,7 @@
 #
 # spec file for package dbus-1-x11
 #
-# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -27,7 +27,7 @@
 %define _unitdir %{_libexecdir}/systemd/system
 %endif
 Name:           dbus-1-x11
-Version:        1.8.12
+Version:        1.8.14
 Release:        0
 Summary:        D-Bus Message Bus System
 License:        GPL-2.0+ or AFL-2.1
--- a/dbus-1.8.12.tar.gz
+++ b/dbus-1.8.12.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:c91428f28d2925ba32d34ffc824bfcf4d40d5e1e67befc4bcf2202f0a862501e
-size 1864609
--- a/dbus-1.8.14.tar.gz
+++ b/dbus-1.8.14.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:83425250a6a4c93b9ab4a349771a7700e8ddff2d73a5a088222ca47ae9ce1f1a
+size 1866141
--- a/dbus-1.changes
+++ b/dbus-1.changes
@ -1,3 +1,30 @@
+-------------------------------------------------------------------
+Tue Jan  6 07:57:14 UTC 2015 - fstrba@suse.com
+
+- Update to 1.8.14
+  * Security hardening:
+    - Do not allow calls to UpdateActivationEnvironment from uids
+      other than the uid of the dbus-daemon. If a system service
+      installs unsafe security policy rules that allow arbitrary
+      method calls (such as CVE-2014-8148) then this prevents
+      memory consumption and possible privilege escalation via
+      UpdateActivationEnvironment.
+      We believe that in practice, privilege escalation here is
+      avoided by dbus-daemon-launch-helper sanitizing its
+      environment; but it seems better to be safe.
+    - Do not allow calls to UpdateActivationEnvironment or the
+      Stats interface on object paths other than
+      /org/freedesktop/DBus. Some system services install unsafe
+      security policy rules that allow arbitrary method calls to
+      any destination, method and interface with a specified object
+      path; while less bad than allowing arbitrary method calls,
+      these security policies are still harmful, since dbus-daemon
+      normally offers the same API on all object paths and other
+      system services might behave similarly.
+  * Other fixes:
+    - Add missing initialization so GetExtendedTcpTable doesn't
+      crash on Windows Vista SP0 (fdo#77008, Ilya A. Tkachenko)
+
 -------------------------------------------------------------------
 Tue Nov 25 07:43:12 UTC 2014 - fstrba@suse.com

--- a/dbus-1.spec
+++ b/dbus-1.spec
@ -1,7 +1,7 @@
 #
 # spec file for package dbus-1
 #
-# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -26,7 +26,7 @@
 %define _unitdir %{_libexecdir}/systemd/system
 %endif
 Name:           dbus-1
-Version:        1.8.12
+Version:        1.8.14
 Release:        0
 Summary:        D-Bus Message Bus System
 License:        GPL-2.0+ or AFL-2.1