- update to 1.14.4 (bsc#1204111, CVE-2022-42010,

bsc#1204112, CVE-2022-42011, bsc#1204113, CVE-2022-42012): This is a security update for the dbus 1.14.x stable branch, fixing denial-of-service issues (CVE-2022-42010, -42011, -42012) and applying security hardening (dbus#416). Behaviour changes: * On Linux, dbus-daemon and other uses of DBusServer now create a path-based Unix socket, unix:path=..., when asked to listen on a unix:tmpdir=... address. This makes unix:tmpdir=... equivalent to unix:dir=... on all platforms. Previous versions would have created an abstract socket, unix:abstract=..., in this situation. This change primarily affects the well-known session bus when run via dbus-launch(1) or dbus-run-session(1). The user bus, enabled by configuring dbus with --enable-user-session and running it on a systemd system, already used path-based Unix sockets and is unaffected by this change. This behaviour change prevents a sandbox escape via the session bus socket in sandboxing frameworks that can share the network namespace with the host system, such as Flatpak. This change might cause a regression in situations where the abstract socket is intentionally shared between the host system and a chroot or container, such as some use-cases of schroot(1). That regression can be resolved by using a bind-mount to share either the D-Bus socket, or the whole /tmp directory, with the chroot or container. (dbus#416, Simon McVittie) * Denial of service fixes: - Evgeny Vereshchagin discovered several ways in which an authenticated local attacker could cause a crash (denial of service) in dbus-daemon --system or a custom DBusServer. In uncommon configurations OBS-URL: https://build.opensuse.org/package/show/Base:System/dbus-1?expand=0&rev=326
2022-10-26 09:05:34 +00:00 · 2022-10-26 09:05:34 +00:00 · a8bd6c1553
commit a8bd6c1553
parent 7cc928f081
10 changed files with 193 additions and 22 deletions
--- a/dbus-1-devel-doc.changes
+++ b/dbus-1-devel-doc.changes
@ -1,3 +1,60 @@
+-------------------------------------------------------------------
+Wed Oct 26 08:53:48 UTC 2022 - Dirk Müller <dmueller@suse.com>
+
+- update to 1.14.4 (bsc#1204111, CVE-2022-42010, 
+                    bsc#1204112, CVE-2022-42011,
+                    bsc#1204113, CVE-2022-42012):
+  This is a security update for the dbus 1.14.x stable branch, fixing
+  denial-of-service issues (CVE-2022-42010, -42011, -42012) and applying
+  security hardening (dbus#416).
+  Behaviour changes:
+  * On Linux, dbus-daemon and other uses of DBusServer now create a
+     path-based Unix socket, unix:path=..., when asked to listen on a
+     unix:tmpdir=... address. This makes unix:tmpdir=... equivalent to
+     unix:dir=... on all platforms.
+     Previous versions would have created an abstract socket, unix:abstract=...,
+     in this situation.
+     This change primarily affects the well-known session bus when run via
+     dbus-launch(1) or dbus-run-session(1). The user bus, enabled by configuring
+     dbus with --enable-user-session and running it on a systemd system,
+     already used path-based Unix sockets and is unaffected by this change.
+     This behaviour change prevents a sandbox escape via the session bus socket
+     in sandboxing frameworks that can share the network namespace with the host
+     system, such as Flatpak.
+     This change might cause a regression in situations where the abstract socket
+     is intentionally shared between the host system and a chroot or container,
+     such as some use-cases of schroot(1). That regression can be resolved by
+     using a bind-mount to share either the D-Bus socket, or the whole /tmp
+     directory, with the chroot or container.
+     (dbus#416, Simon McVittie)
+  * Denial of service fixes:
+    - Evgeny Vereshchagin discovered several ways in which an authenticated
+      local attacker could cause a crash (denial of service) in
+      dbus-daemon --system or a custom DBusServer. In uncommon configurations
+      these could potentially be carried out by an authenticated remote attacker.
+    - An invalid array of fixed-length elements where the length of the array
+      is not a multiple of the length of the element would cause an assertion
+      failure in debug builds or an out-of-bounds read in production builds.
+      This was a regression in version 1.3.0.
+      (dbus#413, CVE-2022-42011; Simon McVittie)
+    - A syntactically invalid type signature with incorrectly nested parentheses
+      and curly brackets would cause an assertion failure in debug builds.
+      Similar messages could potentially result in a crash or incorrect message
+      processing in a production build, although we are not aware of a practical
+      example. (dbus#418, CVE-2022-42010; Simon McVittie)
+    - A message in non-native endianness with out-of-band Unix file descriptors
+      would cause a use-after-free and possible memory corruption in production
+      builds, or an assertion failure in debug builds. This was a regression in
+      version 1.3.0. (dbus#417, CVE-2022-42012; Simon McVittie)
+    - Preserve errno on failure to open /proc/self/oom_score_adj
+      (dbus!285, Gentoo#834725; Mike Gilbert)
+    - On Linux, don't log warnings if oom_score_adj is read-only but does not
+      need to be changed (dbus!291, Simon McVittie)
+    - Slightly improve error-handling for inotify
+      (dbus!235, Simon McVittie)
+    - Don't crash if dbus-daemon is asked to watch more than 128 directories
+      for changes (dbus!302, Jan Tojnar)
+
 -------------------------------------------------------------------
 Sat Oct 15 18:13:18 UTC 2022 - Bjørn Lie <bjorn.lie@gmail.com>

--- a/dbus-1-devel-doc.spec
+++ b/dbus-1-devel-doc.spec
@ -23,7 +23,7 @@
 %global _backup %{_sysconfdir}/sysconfig/services.rpmbak.%{name}-%{version}-%{release}
 %bcond_without selinux
 Name:           dbus-1-devel-doc
-Version:        1.14.0
+Version:        1.14.4
 Release:        0
 Summary:        Developer documentation package for D-Bus
 License:        AFL-2.1 OR GPL-2.0-or-later
--- a/dbus-1-x11.changes
+++ b/dbus-1-x11.changes
@ -1,3 +1,60 @@
+-------------------------------------------------------------------
+Wed Oct 26 08:53:48 UTC 2022 - Dirk Müller <dmueller@suse.com>
+
+- update to 1.14.4 (bsc#1204111, CVE-2022-42010, 
+                    bsc#1204112, CVE-2022-42011,
+                    bsc#1204113, CVE-2022-42012):
+  This is a security update for the dbus 1.14.x stable branch, fixing
+  denial-of-service issues (CVE-2022-42010, -42011, -42012) and applying
+  security hardening (dbus#416).
+  Behaviour changes:
+  * On Linux, dbus-daemon and other uses of DBusServer now create a
+     path-based Unix socket, unix:path=..., when asked to listen on a
+     unix:tmpdir=... address. This makes unix:tmpdir=... equivalent to
+     unix:dir=... on all platforms.
+     Previous versions would have created an abstract socket, unix:abstract=...,
+     in this situation.
+     This change primarily affects the well-known session bus when run via
+     dbus-launch(1) or dbus-run-session(1). The user bus, enabled by configuring
+     dbus with --enable-user-session and running it on a systemd system,
+     already used path-based Unix sockets and is unaffected by this change.
+     This behaviour change prevents a sandbox escape via the session bus socket
+     in sandboxing frameworks that can share the network namespace with the host
+     system, such as Flatpak.
+     This change might cause a regression in situations where the abstract socket
+     is intentionally shared between the host system and a chroot or container,
+     such as some use-cases of schroot(1). That regression can be resolved by
+     using a bind-mount to share either the D-Bus socket, or the whole /tmp
+     directory, with the chroot or container.
+     (dbus#416, Simon McVittie)
+  * Denial of service fixes:
+    - Evgeny Vereshchagin discovered several ways in which an authenticated
+      local attacker could cause a crash (denial of service) in
+      dbus-daemon --system or a custom DBusServer. In uncommon configurations
+      these could potentially be carried out by an authenticated remote attacker.
+    - An invalid array of fixed-length elements where the length of the array
+      is not a multiple of the length of the element would cause an assertion
+      failure in debug builds or an out-of-bounds read in production builds.
+      This was a regression in version 1.3.0.
+      (dbus#413, CVE-2022-42011; Simon McVittie)
+    - A syntactically invalid type signature with incorrectly nested parentheses
+      and curly brackets would cause an assertion failure in debug builds.
+      Similar messages could potentially result in a crash or incorrect message
+      processing in a production build, although we are not aware of a practical
+      example. (dbus#418, CVE-2022-42010; Simon McVittie)
+    - A message in non-native endianness with out-of-band Unix file descriptors
+      would cause a use-after-free and possible memory corruption in production
+      builds, or an assertion failure in debug builds. This was a regression in
+      version 1.3.0. (dbus#417, CVE-2022-42012; Simon McVittie)
+    - Preserve errno on failure to open /proc/self/oom_score_adj
+      (dbus!285, Gentoo#834725; Mike Gilbert)
+    - On Linux, don't log warnings if oom_score_adj is read-only but does not
+      need to be changed (dbus!291, Simon McVittie)
+    - Slightly improve error-handling for inotify
+      (dbus!235, Simon McVittie)
+    - Don't crash if dbus-daemon is asked to watch more than 128 directories
+      for changes (dbus!302, Jan Tojnar)
+
 -------------------------------------------------------------------
 Sat Oct 15 18:12:08 UTC 2022 - Bjørn Lie <bjorn.lie@gmail.com>

--- a/dbus-1-x11.spec
+++ b/dbus-1-x11.spec
@ -23,7 +23,7 @@
 %endif
 %bcond_without selinux
 Name:           dbus-1-x11
-Version:        1.14.0
+Version:        1.14.4
 Release:        0
 Summary:        D-Bus Message Bus System
 License:        AFL-2.1 OR GPL-2.0-or-later
--- a/dbus-1.14.0.tar.xz
+++ b/dbus-1.14.0.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:ccd7cce37596e0a19558fd6648d1272ab43f011d80c8635aea8fd0bad58aebd4
-size 1360228
--- a/dbus-1.14.0.tar.xz.asc
+++ b/dbus-1.14.0.tar.xz.asc
@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEENuxaZEik9e95vv6Y4FrhR4+BTE8FAmIcxWIACgkQ4FrhR4+B
-TE+qGBAAhuMFDt8cwBPTGewD6vLPoVhL348QWv5jZBNFtFXzLgf8cYOqHOY/ZTfn
-FmBhEziqTTr3eLUrRm71vqnTkq2mvEpQ0BGpmTD2rXbw7uluSEwX7JjA643LYo/e
-XuxCGkNLDi+UOOu96DmLdHtxxX++BHvA9T29oYhE4ZtvUMyWKzCNFUlO97vy4F0p
-5stUJ7lWtTnM5pKo7WL+gT0HLOp6ygAdzqFuKexToEowpHQ0nH57HjFUSbNCNjqY
-TYyaFz1H0208iR0hqxiCHGTB5pgCBqXOceqaUGJVRX9mRqjr8MEvbzHV/SFkamsZ
-cRaYa7k9x4IYtnIX5sotfBALo/RdwjpuytXD6JCdQP1h3cm7zrRY3VAmGJ7lZrwx
-b+0Wi/9w1eDHUPnSB8z6dVMSNE+EaWLz21fpdAHj+IcXpJzbJ25fdvTU6hiTB+CB
-Lm7ilO0CIYhNFzx7Ir95lT+8DuNOOCYlRLQtahbTUyYmfXmB+91PXIdl2LcOfyl0
-8hwC09mALt/GBOaOQUHquRNZmkwsbA/EUfgfhhvuSA3mWH1SRHZ9ado7CD8Vyq8+
-9rySEY5HvOQ/EmClrsksIqHiSeFrzp6a5PbRIYGTUPsyD1NDPOQI8l9XLIJozGEo
-Lt88atg/ZuBbJtCl5GoynLU4OG5aHYJ4hBaPPuLX9vpSSZKJD8k=
-=hg/h
-----END PGP SIGNATURE-----
--- a/dbus-1.14.4.tar.xz
+++ b/dbus-1.14.4.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7c0f9b8e5ec0ff2479383e62c0084a3a29af99edf1514e9f659b81b30d4e353e
+size 1368196
--- a/dbus-1.14.4.tar.xz.asc
+++ b/dbus-1.14.4.tar.xz.asc
@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEENuxaZEik9e95vv6Y4FrhR4+BTE8FAmM9YggACgkQ4FrhR4+B
+TE9JAg/8CTXHPUehTP0j88B4p8CkPbG3HH8eS0XKgAAuKN2YjOHSxtX4+2rkL2Ga
+t53EJo4dTeyeRmRuVGUhrUn548Btu8WkhsLqLaWjJ2941obXHW2jkmBRwX8afBhE
+2cBbo2HtJIX4l5+d88DnOVsF9i4JLmBBkpSkQiEZrFbmQvT1kfL1LI2yySiAQjlC
+SB4RQbJGjBiMZziarSHHw8Ttiw3WEvVeInpGGibdHvHJXqvnkuzPNQAfmVWB2UqN
+kWbsWpjAS2A7epVew1VVrgr3hyxGkBwOYPuU5wXHkHmvchv5cBQ40HLFqn82lQ05
+eVFMkbxDEd7+/BSzVBVaElYB9lpqWT95h/dYqMcVsKH4cdQAYAGmVQ/4JnMENbGT
+sj2zLlpYwwHjDumzPG43ZSnaaRCFJ0hvWGMNo4kHP7c97OIronlCOX9YFPYQJg5B
+TKPXnK3GgL3Htr5cQhR17LFUnOPdH79KQi8Q6e6N4iASfkrgApnvgDr4aZBuafTm
+1N/P730mtTgTniTWyfUOPkAAmvoCtBzcq74IXIhFXGiCbUpNI/nLdd4NG5CG2kIp
+HOIFkereXW48UopGx7T4m6RCyLjziOdjmKpewu9OC1ECyh/TkIoKhm6IHg3m7JmT
+sNPcwoO5xx7dRinIci/Npw0Dlf3eaRRruJVw9yJYR9HEom7byws=
+=foU5
+-----END PGP SIGNATURE-----
--- a/dbus-1.changes
+++ b/dbus-1.changes
@ -1,3 +1,60 @@
+-------------------------------------------------------------------
+Wed Oct 26 08:53:48 UTC 2022 - Dirk Müller <dmueller@suse.com>
+
+- update to 1.14.4 (bsc#1204111, CVE-2022-42010, 
+                    bsc#1204112, CVE-2022-42011,
+                    bsc#1204113, CVE-2022-42012):
+  This is a security update for the dbus 1.14.x stable branch, fixing
+  denial-of-service issues (CVE-2022-42010, -42011, -42012) and applying
+  security hardening (dbus#416).
+  Behaviour changes:
+  * On Linux, dbus-daemon and other uses of DBusServer now create a
+     path-based Unix socket, unix:path=..., when asked to listen on a
+     unix:tmpdir=... address. This makes unix:tmpdir=... equivalent to
+     unix:dir=... on all platforms.
+     Previous versions would have created an abstract socket, unix:abstract=...,
+     in this situation.
+     This change primarily affects the well-known session bus when run via
+     dbus-launch(1) or dbus-run-session(1). The user bus, enabled by configuring
+     dbus with --enable-user-session and running it on a systemd system,
+     already used path-based Unix sockets and is unaffected by this change.
+     This behaviour change prevents a sandbox escape via the session bus socket
+     in sandboxing frameworks that can share the network namespace with the host
+     system, such as Flatpak.
+     This change might cause a regression in situations where the abstract socket
+     is intentionally shared between the host system and a chroot or container,
+     such as some use-cases of schroot(1). That regression can be resolved by
+     using a bind-mount to share either the D-Bus socket, or the whole /tmp
+     directory, with the chroot or container.
+     (dbus#416, Simon McVittie)
+  * Denial of service fixes:
+    - Evgeny Vereshchagin discovered several ways in which an authenticated
+      local attacker could cause a crash (denial of service) in
+      dbus-daemon --system or a custom DBusServer. In uncommon configurations
+      these could potentially be carried out by an authenticated remote attacker.
+    - An invalid array of fixed-length elements where the length of the array
+      is not a multiple of the length of the element would cause an assertion
+      failure in debug builds or an out-of-bounds read in production builds.
+      This was a regression in version 1.3.0.
+      (dbus#413, CVE-2022-42011; Simon McVittie)
+    - A syntactically invalid type signature with incorrectly nested parentheses
+      and curly brackets would cause an assertion failure in debug builds.
+      Similar messages could potentially result in a crash or incorrect message
+      processing in a production build, although we are not aware of a practical
+      example. (dbus#418, CVE-2022-42010; Simon McVittie)
+    - A message in non-native endianness with out-of-band Unix file descriptors
+      would cause a use-after-free and possible memory corruption in production
+      builds, or an assertion failure in debug builds. This was a regression in
+      version 1.3.0. (dbus#417, CVE-2022-42012; Simon McVittie)
+    - Preserve errno on failure to open /proc/self/oom_score_adj
+      (dbus!285, Gentoo#834725; Mike Gilbert)
+    - On Linux, don't log warnings if oom_score_adj is read-only but does not
+      need to be changed (dbus!291, Simon McVittie)
+    - Slightly improve error-handling for inotify
+      (dbus!235, Simon McVittie)
+    - Don't crash if dbus-daemon is asked to watch more than 128 directories
+      for changes (dbus!302, Jan Tojnar)
+
 -------------------------------------------------------------------
 Thu Oct 13 07:29:57 UTC 2022 - Dirk Müller <dmueller@suse.com>

--- a/dbus-1.spec
+++ b/dbus-1.spec
@ -21,7 +21,7 @@
 %define _libname libdbus-1-3
 %bcond_without selinux
 Name:           dbus-1
-Version:        1.14.0
+Version:        1.14.4
 Release:        0
 Summary:        D-Bus Message Bus System
 License:        AFL-2.1 OR GPL-2.0-or-later