Accepting request 239349 from Base:System

CVE-2014-3532 CVE-2014-3533 bnc#885241 fdo#80163 fdo#79694 fd0#80469

OBS-URL: https://build.opensuse.org/request/show/239349
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/dbus-1?expand=0&rev=118

dbus-1-x11.changes

@@ -1,3 +1,24 @@
+-------------------------------------------------------------------
+Wed Jul  2 16:15:37 UTC 2014 - fstrba@suse.com
+
+- Update to 1.8.6:
+  + Security fixes:
+    - On Linux ≥ 2.6.37-rc4, if sendmsg() fails with ETOOMANYREFS,
+      silently drop the message. This prevents an attack in which
+      a malicious client can make dbus-daemon disconnect a system
+      service, which is a local denial of service.
+      (bnc#885241 fdo#80163, CVE-2014-3532; Alban Crequy)
+    - Track remaining Unix file descriptors correctly when more
+      than one message in quick succession contains fds. This
+      prevents another attack in which a malicious client can make
+      dbus-daemon disconnect a system service.
+      (bnc#885241 fdo#79694, fd0#80469, CVE-2014-3533; Alejandro
+      Martínez Suárez, Simon McVittie, Alban Crequy)
+  + Other fixes:
+    - When dbus-launch --exit-with-session starts a dbus-daemon but
+      then cannot attach to a session, kill the dbus-daemon as
+      intended (fdo#74698, Роман Донченко)
+
 -------------------------------------------------------------------
 Wed Jun 11 04:58:38 UTC 2014 - fstrba@suse.com
 

dbus-1-x11.spec

@@ -46,7 +46,7 @@ BuildRequires:  pkgconfig(libsystemd-login)
 BuildRequires:  libexpat-devel
 BuildRequires:  libtool
 BuildRequires:  pkg-config
-Version:        1.8.4
+Version:        1.8.6
 Release:        0
 #
 Source0:        http://dbus.freedesktop.org/releases/dbus/%{_name}-%{version}.tar.gz

dbus-1.8.4.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:3ef63dc8d0111042071ee7f7bafa0650c6ce2d7be957ef0b7ec269495a651ff8
-size 1860286

dbus-1.8.6.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:eded83ca007b719f32761e60fd8b9ffd0f5796a4caf455b01b5a5ef740ebd23f
+size 1861784

dbus-1.changes

@@ -1,3 +1,24 @@
+-------------------------------------------------------------------
+Wed Jul  2 16:15:37 UTC 2014 - fstrba@suse.com
+
+- Update to 1.8.6:
+  + Security fixes:
+    - On Linux ≥ 2.6.37-rc4, if sendmsg() fails with ETOOMANYREFS,
+      silently drop the message. This prevents an attack in which
+      a malicious client can make dbus-daemon disconnect a system
+      service, which is a local denial of service.
+      (bnc#885241 fdo#80163, CVE-2014-3532; Alban Crequy)
+    - Track remaining Unix file descriptors correctly when more
+      than one message in quick succession contains fds. This
+      prevents another attack in which a malicious client can make
+      dbus-daemon disconnect a system service.
+      (bnc#885241 fdo#79694, fd0#80469, CVE-2014-3533; Alejandro
+      Martínez Suárez, Simon McVittie, Alban Crequy)
+  + Other fixes:
+    - When dbus-launch --exit-with-session starts a dbus-daemon but
+      then cannot attach to a session, kill the dbus-daemon as
+      intended (fdo#74698, Роман Донченко)
+
 -------------------------------------------------------------------
 Wed Jun 11 04:58:38 UTC 2014 - fstrba@suse.com
 

dbus-1.spec

@@ -40,7 +40,7 @@ BuildRequires:  pkgconfig(libsystemd-login)
 BuildRequires:  libexpat-devel
 BuildRequires:  libtool
 BuildRequires:  pkg-config
-Version:        1.8.4
+Version:        1.8.6
 Release:        0
 #
 Source0:        http://dbus.freedesktop.org/releases/dbus/%{_name}-%{version}.tar.gz