From a8bd6c15536745089052b46e95d8e3b93440663236bedb4e318dcca4469290b9 Mon Sep 17 00:00:00 2001 
From: Dirk Mueller
Date: Wed, 26 Oct 2022 09:05:34 +0000
Subject: [PATCH] - update to 1.14.4 (bsc#1204111, CVE-2022-42010, bsc#1204112, CVE-2022-42011, bsc#1204113, CVE-2022-42012):

This is a security update for the dbus 1.14.x stable branch, fixing denial-of-service issues (CVE-2022-42010, -42011, -42012) and applying security hardening (dbus#416).

Behaviour changes:

* On Linux, dbus-daemon and other uses of DBusServer now create a path-based Unix socket, unix:path=..., when asked to listen on a unix:tmpdir=... address. This makes unix:tmpdir=... equivalent to unix:dir=... on all platforms. Previous versions would have created an abstract socket, unix:abstract=..., in this situation.
  This change primarily affects the well-known session bus when run via dbus-launch(1) or dbus-run-session(1). The user bus, enabled by configuring dbus with --enable-user-session and running it on a systemd system, already used path-based Unix sockets and is unaffected by this change.
  This behaviour change prevents a sandbox escape via the session bus socket in sandboxing frameworks that can share the network namespace with the host system, such as Flatpak.
  This change might cause a regression in situations where the abstract socket is intentionally shared between the host system and a chroot or container, such as some use-cases of schroot(1). That regression can be resolved by using a bind-mount to share either the D-Bus socket, or the whole /tmp directory, with the chroot or container. (dbus#416, Simon McVittie)

* Denial of service fixes:
  - Evgeny Vereshchagin discovered several ways in which an authenticated local attacker could cause a crash (denial of service) in dbus-daemon --system or a custom DBusServer.
In uncommon configurations OBS-URL: https://build.opensuse.org/package/show/Base:System/dbus-1?expand=0&rev=326 --- dbus-1-devel-doc.changes | 57 ++++++++++++++++++++++++++++++++++++++++ dbus-1-devel-doc.spec | 2 +- dbus-1-x11.changes | 57 ++++++++++++++++++++++++++++++++++++++++ dbus-1-x11.spec | 2 +- dbus-1.14.0.tar.xz | 3 --- dbus-1.14.0.tar.xz.asc | 16 ----------- dbus-1.14.4.tar.xz | 3 +++ dbus-1.14.4.tar.xz.asc | 16 +++++++++++ dbus-1.changes | 57 ++++++++++++++++++++++++++++++++++++++++ dbus-1.spec | 2 +- 10 files changed, 193 insertions(+), 22 deletions(-) delete mode 100644 dbus-1.14.0.tar.xz delete mode 100644 dbus-1.14.0.tar.xz.asc create mode 100644 dbus-1.14.4.tar.xz create mode 100644 dbus-1.14.4.tar.xz.asc diff --git a/dbus-1-devel-doc.changes b/dbus-1-devel-doc.changes index 576fbb9..8431252 100644 --- a/dbus-1-devel-doc.changes +++ b/dbus-1-devel-doc.changes 
@@ -1,3 +1,60 @@ +------------------------------------------------------------------- +Wed Oct 26 08:53:48 UTC 2022 - Dirk Müller + +- update to 1.14.4 (bsc#1204111, CVE-2022-42010, + bsc#1204112, CVE-2022-42011, + bsc#1204113, CVE-2022-42012): + This is a security update for the dbus 1.14.x stable branch, fixing + denial-of-service issues (CVE-2022-42010, -42011, -42012) and applying + security hardening (dbus#416). + Behaviour changes: + * On Linux, dbus-daemon and other uses of DBusServer now create a + path-based Unix socket, unix:path=..., when asked to listen on a + unix:tmpdir=... address. This makes unix:tmpdir=... equivalent to + unix:dir=... on all platforms. + Previous versions would have created an abstract socket, unix:abstract=..., + in this situation. + This change primarily affects the well-known session bus when run via + dbus-launch(1) or dbus-run-session(1). The user bus, enabled by configuring + dbus with --enable-user-session and running it on a systemd system, + already used path-based Unix sockets and is unaffected by this change. + This behaviour change prevents a sandbox escape via the session bus socket + in sandboxing frameworks that can share the network namespace with the host + system, such as Flatpak. + This change might cause a regression in situations where the abstract socket + is intentionally shared between the host system and a chroot or container, + such as some use-cases of schroot(1). That regression can be resolved by + using a bind-mount to share either the D-Bus socket, or the whole /tmp + directory, with the chroot or container. + (dbus#416, Simon McVittie) + * Denial of service fixes: + - Evgeny Vereshchagin discovered several ways in which an authenticated + local attacker could cause a crash (denial of service) in + dbus-daemon --system or a custom DBusServer. In uncommon configurations + these could potentially be carried out by an authenticated remote attacker. 
+ - An invalid array of fixed-length elements where the length of the array + is not a multiple of the length of the element would cause an assertion + failure in debug builds or an out-of-bounds read in production builds. + This was a regression in version 1.3.0. + (dbus#413, CVE-2022-42011; Simon McVittie) + - A syntactically invalid type signature with incorrectly nested parentheses + and curly brackets would cause an assertion failure in debug builds. + Similar messages could potentially result in a crash or incorrect message + processing in a production build, although we are not aware of a practical + example. (dbus#418, CVE-2022-42010; Simon McVittie) + - A message in non-native endianness with out-of-band Unix file descriptors + would cause a use-after-free and possible memory corruption in production + builds, or an assertion failure in debug builds. This was a regression in + version 1.3.0. (dbus#417, CVE-2022-42012; Simon McVittie) + - Preserve errno on failure to open /proc/self/oom_score_adj + (dbus!285, Gentoo#834725; Mike Gilbert) + - On Linux, don't log warnings if oom_score_adj is read-only but does not + need to be changed (dbus!291, Simon McVittie) + - Slightly improve error-handling for inotify + (dbus!235, Simon McVittie) + - Don't crash if dbus-daemon is asked to watch more than 128 directories + for changes (dbus!302, Jan Tojnar) + ------------------------------------------------------------------- Sat Oct 15 18:13:18 UTC 2022 - Bjørn Lie diff --git a/dbus-1-devel-doc.spec b/dbus-1-devel-doc.spec index 3c35304..900acf1 100644 --- a/dbus-1-devel-doc.spec +++ b/dbus-1-devel-doc.spec @@ -23,7 +23,7 @@ %global _backup %{_sysconfdir}/sysconfig/services.rpmbak.%{name}-%{version}-%{release} %bcond_without selinux Name: dbus-1-devel-doc -Version: 1.14.0 +Version: 1.14.4 Release: 0 Summary: Developer documentation package for D-Bus License: AFL-2.1 OR GPL-2.0-or-later diff --git a/dbus-1-x11.changes b/dbus-1-x11.changes index 9184622..426d4c8 100644 
--- a/dbus-1-x11.changes +++ b/dbus-1-x11.changes 
@@ -1,3 +1,60 @@ +------------------------------------------------------------------- +Wed Oct 26 08:53:48 UTC 2022 - Dirk Müller + +- update to 1.14.4 (bsc#1204111, CVE-2022-42010, + bsc#1204112, CVE-2022-42011, + bsc#1204113, CVE-2022-42012): + This is a security update for the dbus 1.14.x stable branch, fixing + denial-of-service issues (CVE-2022-42010, -42011, -42012) and applying + security hardening (dbus#416). + Behaviour changes: + * On Linux, dbus-daemon and other uses of DBusServer now create a + path-based Unix socket, unix:path=..., when asked to listen on a + unix:tmpdir=... address. This makes unix:tmpdir=... equivalent to + unix:dir=... on all platforms. + Previous versions would have created an abstract socket, unix:abstract=..., + in this situation. + This change primarily affects the well-known session bus when run via + dbus-launch(1) or dbus-run-session(1). The user bus, enabled by configuring + dbus with --enable-user-session and running it on a systemd system, + already used path-based Unix sockets and is unaffected by this change. + This behaviour change prevents a sandbox escape via the session bus socket + in sandboxing frameworks that can share the network namespace with the host + system, such as Flatpak. + This change might cause a regression in situations where the abstract socket + is intentionally shared between the host system and a chroot or container, + such as some use-cases of schroot(1). That regression can be resolved by + using a bind-mount to share either the D-Bus socket, or the whole /tmp + directory, with the chroot or container. + (dbus#416, Simon McVittie) + * Denial of service fixes: + - Evgeny Vereshchagin discovered several ways in which an authenticated + local attacker could cause a crash (denial of service) in + dbus-daemon --system or a custom DBusServer. In uncommon configurations + these could potentially be carried out by an authenticated remote attacker. 
+ - An invalid array of fixed-length elements where the length of the array + is not a multiple of the length of the element would cause an assertion + failure in debug builds or an out-of-bounds read in production builds. + This was a regression in version 1.3.0. + (dbus#413, CVE-2022-42011; Simon McVittie) + - A syntactically invalid type signature with incorrectly nested parentheses + and curly brackets would cause an assertion failure in debug builds. + Similar messages could potentially result in a crash or incorrect message + processing in a production build, although we are not aware of a practical + example. (dbus#418, CVE-2022-42010; Simon McVittie) + - A message in non-native endianness with out-of-band Unix file descriptors + would cause a use-after-free and possible memory corruption in production + builds, or an assertion failure in debug builds. This was a regression in + version 1.3.0. (dbus#417, CVE-2022-42012; Simon McVittie) + - Preserve errno on failure to open /proc/self/oom_score_adj + (dbus!285, Gentoo#834725; Mike Gilbert) + - On Linux, don't log warnings if oom_score_adj is read-only but does not + need to be changed (dbus!291, Simon McVittie) + - Slightly improve error-handling for inotify + (dbus!235, Simon McVittie) + - Don't crash if dbus-daemon is asked to watch more than 128 directories + for changes (dbus!302, Jan Tojnar) + ------------------------------------------------------------------- Sat Oct 15 18:12:08 UTC 2022 - Bjørn Lie diff --git a/dbus-1-x11.spec b/dbus-1-x11.spec index ea927e5..a8ef5b9 100644 --- a/dbus-1-x11.spec +++ b/dbus-1-x11.spec @@ -23,7 +23,7 @@ %endif %bcond_without selinux Name: dbus-1-x11 -Version: 1.14.0 +Version: 1.14.4 Release: 0 Summary: D-Bus Message Bus System License: AFL-2.1 OR GPL-2.0-or-later diff --git a/dbus-1.14.0.tar.xz b/dbus-1.14.0.tar.xz deleted file mode 100644 index 7d4c69d..0000000 --- a/dbus-1.14.0.tar.xz +++ /dev/null 
@@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:ccd7cce37596e0a19558fd6648d1272ab43f011d80c8635aea8fd0bad58aebd4 -size 1360228 diff --git a/dbus-1.14.0.tar.xz.asc b/dbus-1.14.0.tar.xz.asc deleted file mode 100644 index b386c41..0000000 --- a/dbus-1.14.0.tar.xz.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCAAdFiEENuxaZEik9e95vv6Y4FrhR4+BTE8FAmIcxWIACgkQ4FrhR4+B -TE+qGBAAhuMFDt8cwBPTGewD6vLPoVhL348QWv5jZBNFtFXzLgf8cYOqHOY/ZTfn -FmBhEziqTTr3eLUrRm71vqnTkq2mvEpQ0BGpmTD2rXbw7uluSEwX7JjA643LYo/e -XuxCGkNLDi+UOOu96DmLdHtxxX++BHvA9T29oYhE4ZtvUMyWKzCNFUlO97vy4F0p -5stUJ7lWtTnM5pKo7WL+gT0HLOp6ygAdzqFuKexToEowpHQ0nH57HjFUSbNCNjqY -TYyaFz1H0208iR0hqxiCHGTB5pgCBqXOceqaUGJVRX9mRqjr8MEvbzHV/SFkamsZ -cRaYa7k9x4IYtnIX5sotfBALo/RdwjpuytXD6JCdQP1h3cm7zrRY3VAmGJ7lZrwx -b+0Wi/9w1eDHUPnSB8z6dVMSNE+EaWLz21fpdAHj+IcXpJzbJ25fdvTU6hiTB+CB -Lm7ilO0CIYhNFzx7Ir95lT+8DuNOOCYlRLQtahbTUyYmfXmB+91PXIdl2LcOfyl0 -8hwC09mALt/GBOaOQUHquRNZmkwsbA/EUfgfhhvuSA3mWH1SRHZ9ado7CD8Vyq8+ -9rySEY5HvOQ/EmClrsksIqHiSeFrzp6a5PbRIYGTUPsyD1NDPOQI8l9XLIJozGEo -Lt88atg/ZuBbJtCl5GoynLU4OG5aHYJ4hBaPPuLX9vpSSZKJD8k= -=hg/h ------END PGP SIGNATURE----- diff --git a/dbus-1.14.4.tar.xz b/dbus-1.14.4.tar.xz new file mode 100644 index 0000000..df2c692 --- /dev/null +++ b/dbus-1.14.4.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:7c0f9b8e5ec0ff2479383e62c0084a3a29af99edf1514e9f659b81b30d4e353e +size 1368196 diff --git a/dbus-1.14.4.tar.xz.asc b/dbus-1.14.4.tar.xz.asc new file mode 100644 index 0000000..4acced1 --- /dev/null +++ b/dbus-1.14.4.tar.xz.asc 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCAAdFiEENuxaZEik9e95vv6Y4FrhR4+BTE8FAmM9YggACgkQ4FrhR4+B +TE9JAg/8CTXHPUehTP0j88B4p8CkPbG3HH8eS0XKgAAuKN2YjOHSxtX4+2rkL2Ga +t53EJo4dTeyeRmRuVGUhrUn548Btu8WkhsLqLaWjJ2941obXHW2jkmBRwX8afBhE +2cBbo2HtJIX4l5+d88DnOVsF9i4JLmBBkpSkQiEZrFbmQvT1kfL1LI2yySiAQjlC +SB4RQbJGjBiMZziarSHHw8Ttiw3WEvVeInpGGibdHvHJXqvnkuzPNQAfmVWB2UqN +kWbsWpjAS2A7epVew1VVrgr3hyxGkBwOYPuU5wXHkHmvchv5cBQ40HLFqn82lQ05 +eVFMkbxDEd7+/BSzVBVaElYB9lpqWT95h/dYqMcVsKH4cdQAYAGmVQ/4JnMENbGT +sj2zLlpYwwHjDumzPG43ZSnaaRCFJ0hvWGMNo4kHP7c97OIronlCOX9YFPYQJg5B +TKPXnK3GgL3Htr5cQhR17LFUnOPdH79KQi8Q6e6N4iASfkrgApnvgDr4aZBuafTm +1N/P730mtTgTniTWyfUOPkAAmvoCtBzcq74IXIhFXGiCbUpNI/nLdd4NG5CG2kIp +HOIFkereXW48UopGx7T4m6RCyLjziOdjmKpewu9OC1ECyh/TkIoKhm6IHg3m7JmT +sNPcwoO5xx7dRinIci/Npw0Dlf3eaRRruJVw9yJYR9HEom7byws= +=foU5 +-----END PGP SIGNATURE----- diff --git a/dbus-1.changes b/dbus-1.changes index 8fd5671..2fd479d 100644 --- a/dbus-1.changes +++ b/dbus-1.changes 
@@ -1,3 +1,60 @@ +------------------------------------------------------------------- +Wed Oct 26 08:53:48 UTC 2022 - Dirk Müller + +- update to 1.14.4 (bsc#1204111, CVE-2022-42010, + bsc#1204112, CVE-2022-42011, + bsc#1204113, CVE-2022-42012): + This is a security update for the dbus 1.14.x stable branch, fixing + denial-of-service issues (CVE-2022-42010, -42011, -42012) and applying + security hardening (dbus#416). + Behaviour changes: + * On Linux, dbus-daemon and other uses of DBusServer now create a + path-based Unix socket, unix:path=..., when asked to listen on a + unix:tmpdir=... address. This makes unix:tmpdir=... equivalent to + unix:dir=... on all platforms. + Previous versions would have created an abstract socket, unix:abstract=..., + in this situation. + This change primarily affects the well-known session bus when run via + dbus-launch(1) or dbus-run-session(1). The user bus, enabled by configuring + dbus with --enable-user-session and running it on a systemd system, + already used path-based Unix sockets and is unaffected by this change. + This behaviour change prevents a sandbox escape via the session bus socket + in sandboxing frameworks that can share the network namespace with the host + system, such as Flatpak. + This change might cause a regression in situations where the abstract socket + is intentionally shared between the host system and a chroot or container, + such as some use-cases of schroot(1). That regression can be resolved by + using a bind-mount to share either the D-Bus socket, or the whole /tmp + directory, with the chroot or container. + (dbus#416, Simon McVittie) + * Denial of service fixes: + - Evgeny Vereshchagin discovered several ways in which an authenticated + local attacker could cause a crash (denial of service) in + dbus-daemon --system or a custom DBusServer. In uncommon configurations + these could potentially be carried out by an authenticated remote attacker. 
+ - An invalid array of fixed-length elements where the length of the array + is not a multiple of the length of the element would cause an assertion + failure in debug builds or an out-of-bounds read in production builds. + This was a regression in version 1.3.0. + (dbus#413, CVE-2022-42011; Simon McVittie) + - A syntactically invalid type signature with incorrectly nested parentheses + and curly brackets would cause an assertion failure in debug builds. + Similar messages could potentially result in a crash or incorrect message + processing in a production build, although we are not aware of a practical + example. (dbus#418, CVE-2022-42010; Simon McVittie) + - A message in non-native endianness with out-of-band Unix file descriptors + would cause a use-after-free and possible memory corruption in production + builds, or an assertion failure in debug builds. This was a regression in + version 1.3.0. (dbus#417, CVE-2022-42012; Simon McVittie) + - Preserve errno on failure to open /proc/self/oom_score_adj + (dbus!285, Gentoo#834725; Mike Gilbert) + - On Linux, don't log warnings if oom_score_adj is read-only but does not + need to be changed (dbus!291, Simon McVittie) + - Slightly improve error-handling for inotify + (dbus!235, Simon McVittie) + - Don't crash if dbus-daemon is asked to watch more than 128 directories + for changes (dbus!302, Jan Tojnar) + ------------------------------------------------------------------- Thu Oct 13 07:29:57 UTC 2022 - Dirk Müller diff --git a/dbus-1.spec b/dbus-1.spec index de44340..9e3f93b 100644 --- a/dbus-1.spec +++ b/dbus-1.spec @@ -21,7 +21,7 @@ %define _libname libdbus-1-3 %bcond_without selinux Name: dbus-1 -Version: 1.14.0 +Version: 1.14.4 Release: 0 Summary: D-Bus Message Bus System License: AFL-2.1 OR GPL-2.0-or-later
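Review bot: in the three identical .changes hunks (dbus-1-devel-doc.changes, dbus-1-x11.changes, dbus-1.changes) the bsc# numbers appear only in the header line, paired with their CVEs by position ("bsc#1204111, CVE-2022-42010, bsc#1204112, CVE-2022-42011, bsc#1204113, CVE-2022-42012"), while each fix bullet cites only the upstream issue and CVE ("dbus#413, CVE-2022-42011", "dbus#418, CVE-2022-42010", "dbus#417, CVE-2022-42012"). Consider repeating the matching bsc# in each bullet so the bug-to-CVE mapping is explicit for anyone reading a single entry rather than inferred from ordering; otherwise the entries read as a faithful copy of the upstream NEWS and the separators and date line follow the usual osc vc format.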
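Review bot: the spec hunks for dbus-1-devel-doc.spec, dbus-1-x11.spec and dbus-1.spec change only "-Version: 1.14.0" / "+Version: 1.14.4", yet the changelog added in the same commit records a behaviour change, not just bug fixes: listeners configured with unix:tmpdir=... now get a path-based socket instead of an abstract one, which the entry says may regress setups that share the abstract session socket into a chroot or container. Before accepting, confirm that nothing the package ships (session bus config, dbus-launch or dbus-run-session wrappers, test suite) assumes unix:abstract= for the session bus, and that the suggested bind-mount workaround is the advice given to affected users; no spec change appears to be needed for the CVE fixes themselves.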
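Review bot: the tarball hunks replace the git-lfs pointer (old "oid sha256:ccd7cce3…, size 1360228", new "oid sha256:7c0f9b8e5ec0ff2479383e62c0084a3a29af99edf1514e9f659b81b30d4e353e", "size 1368196") and swap the detached PGP signature; the two .asc blobs share their first 44 base64 characters ("iQIzBAABCAAdFiEENuxaZEik9e95vv6Y4FrhR4+BTE8F") and the "ACgkQ4FrhR4+BTE8" issuer subpacket, which decode to the same issuer fingerprint 36EC5A6448A4F5EF79BEFE98E05AE1478F814C4F / key ID E05AE1478F814C4F, differing only in the creation-time bytes ("AmIcxWI" vs "AmM9Ygg"), so 1.14.4 is signed by the same key as 1.14.0. That is consistent but not a verification: please record in the review that `gpg --verify dbus-1.14.4.tar.xz.asc dbus-1.14.4.tar.xz` succeeded against the key published by the upstream dbus project and that the sha256 in the new lfs pointer matches the upstream 1.14.4 release announcement, since the pointer itself is what this repository will trust from now on.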