CVE-2014-3635 to CVE-2014-3639

OBS-URL: https://build.opensuse.org/package/show/Base:System/dbus-1?expand=0&rev=175
2014-09-16 16:29:49 +00:00 · 2014-09-16 16:29:49 +00:00 · d34837aea2
commit d34837aea2
parent dea13aa463
6 changed files with 99 additions and 7 deletions
--- a/dbus-1-x11.changes
+++ b/dbus-1-x11.changes
@ -1,3 +1,49 @@
+-------------------------------------------------------------------
+Tue Sep 16 16:21:06 UTC 2014 - fstrba@suse.com
+
+- Update to 1.8.8:
+  + Security fixes:
+    - Do not accept an extra fd in the padding of a cmsg message,
+      which could lead to a 4-byte heap buffer overrun. (CVE-2014-3635,
+      fdo#83622, bnc#896453; Simon McVittie)
+    - Reduce default for maximum Unix file descriptors passed per
+      message from 1024 to 16, preventing a uid with the default maximum
+      number of connections from exhausting the system bus' file
+      descriptors under Linux's default rlimit. Distributors or system
+      administrators with a more restrictive fd limit may wish to reduce
+      these limits further.
+      Additionally, on Linux this prevents a second denial of service
+      in which the dbus-daemon can be made to exceed the maximum number
+      of fds per sendmsg() and disconnect the process that would have
+      received them. (CVE-2014-3636, fdo#82820, bnc#896453; Alban Crequy)
+    - Disconnect connections that still have a fd pending unmarshalling
+      after a new configurable limit, pending_fd_timeout (defaulting to
+      150 seconds), removing the possibility of creating an abusive
+      connection that cannot be disconnected by setting up a circular
+      reference to a connection's file descriptor. (CVE-2014-3637,
+      fdo#80559, bnc#896453; Alban Crequy)
+    - Reduce default for maximum pending replies per connection from
+      8192 to 128, mitigating an algorithmic complexity
+      denial-of-service attack (CVE-2014-3638, fdo#81053, bnc#896453;
+      Alban Crequy)
+    - Reduce default for authentication timeout on the system bus from
+      30 seconds to 5 seconds, avoiding denial of service by using up
+      all unauthenticated connection slots; and when all unauthenticated
+      connection slots are used up, make new connection attempts block
+      instead of disconnecting them. (CVE-2014-3639, fdo#80919,
+      bnc#896453; Alban Crequy)
+  + Other fixes:
+    - Check for libsystemd from systemd >= 209, falling back to the
+      older separate libraries if not found (Umut Tezduyar Lindskog,
+      Simon McVittie)
+    - On Linux, use prctl() to disable core dumps from a test executable
+      that deliberately raises SIGSEGV to test dbus-daemon's handling
+      of that condition (fdo#83772, Simon McVittie)
+    - Fix compilation with --enable-stats (fdo#81043, Gentoo #507232;
+      Alban Crequy)
+    - Improve documentation for running tests on Windows (fdo#41252,
+       Ralf Habacker)
+
 -------------------------------------------------------------------
 Sat Jul 19 00:30:57 UTC 2014 - crrodriguez@opensuse.org

@ -16,7 +62,7 @@ Wed Jul  2 16:15:37 UTC 2014 - fstrba@suse.com

 - Update to 1.8.6:
  + Security fixes:
-    - On Linux ≥ 2.6.37-rc4, if sendmsg() fails with ETOOMANYREFS,
+    - On Linux >= 2.6.37-rc4, if sendmsg() fails with ETOOMANYREFS,
      silently drop the message. This prevents an attack in which
      a malicious client can make dbus-daemon disconnect a system
      service, which is a local denial of service.
--- a/dbus-1-x11.spec
+++ b/dbus-1-x11.spec
@ -46,7 +46,7 @@ BuildRequires:  pkgconfig(libsystemd-login)
 BuildRequires:  libexpat-devel
 BuildRequires:  libtool
 BuildRequires:  pkg-config
-Version:        1.8.6
+Version:        1.8.8
 Release:        0
 #
 Source0:        http://dbus.freedesktop.org/releases/dbus/%{_name}-%{version}.tar.gz
--- a/dbus-1.8.6.tar.gz
+++ b/dbus-1.8.6.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:eded83ca007b719f32761e60fd8b9ffd0f5796a4caf455b01b5a5ef740ebd23f
-size 1861784
--- a/dbus-1.8.8.tar.gz
+++ b/dbus-1.8.8.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:dfab263649a979d0fff64a30cac374891a8e9940350e41f3bbd7679af32bd1fd
+size 1864881
--- a/dbus-1.changes
+++ b/dbus-1.changes
@ -1,3 +1,49 @@
+-------------------------------------------------------------------
+Tue Sep 16 16:21:06 UTC 2014 - fstrba@suse.com
+
+- Update to 1.8.8:
+  + Security fixes:
+    - Do not accept an extra fd in the padding of a cmsg message,
+      which could lead to a 4-byte heap buffer overrun. (CVE-2014-3635,
+      fdo#83622, bnc#896453; Simon McVittie)
+    - Reduce default for maximum Unix file descriptors passed per
+      message from 1024 to 16, preventing a uid with the default maximum
+      number of connections from exhausting the system bus' file
+      descriptors under Linux's default rlimit. Distributors or system
+      administrators with a more restrictive fd limit may wish to reduce
+      these limits further.
+      Additionally, on Linux this prevents a second denial of service
+      in which the dbus-daemon can be made to exceed the maximum number
+      of fds per sendmsg() and disconnect the process that would have
+      received them. (CVE-2014-3636, fdo#82820, bnc#896453; Alban Crequy)
+    - Disconnect connections that still have a fd pending unmarshalling
+      after a new configurable limit, pending_fd_timeout (defaulting to
+      150 seconds), removing the possibility of creating an abusive
+      connection that cannot be disconnected by setting up a circular
+      reference to a connection's file descriptor. (CVE-2014-3637,
+      fdo#80559, bnc#896453; Alban Crequy)
+    - Reduce default for maximum pending replies per connection from
+      8192 to 128, mitigating an algorithmic complexity
+      denial-of-service attack (CVE-2014-3638, fdo#81053, bnc#896453;
+      Alban Crequy)
+    - Reduce default for authentication timeout on the system bus from
+      30 seconds to 5 seconds, avoiding denial of service by using up
+      all unauthenticated connection slots; and when all unauthenticated
+      connection slots are used up, make new connection attempts block
+      instead of disconnecting them. (CVE-2014-3639, fdo#80919,
+      bnc#896453; Alban Crequy)
+  + Other fixes:
+    - Check for libsystemd from systemd >= 209, falling back to the
+      older separate libraries if not found (Umut Tezduyar Lindskog,
+      Simon McVittie)
+    - On Linux, use prctl() to disable core dumps from a test executable
+      that deliberately raises SIGSEGV to test dbus-daemon's handling
+      of that condition (fdo#83772, Simon McVittie)
+    - Fix compilation with --enable-stats (fdo#81043, Gentoo #507232;
+      Alban Crequy)
+    - Improve documentation for running tests on Windows (fdo#41252,
+       Ralf Habacker)
+
 -------------------------------------------------------------------
 Sat Jul 19 00:30:57 UTC 2014 - crrodriguez@opensuse.org

@ -16,7 +62,7 @@ Wed Jul  2 16:15:37 UTC 2014 - fstrba@suse.com

 - Update to 1.8.6:
  + Security fixes:
-    - On Linux ≥ 2.6.37-rc4, if sendmsg() fails with ETOOMANYREFS,
+    - On Linux >= 2.6.37-rc4, if sendmsg() fails with ETOOMANYREFS,
      silently drop the message. This prevents an attack in which
      a malicious client can make dbus-daemon disconnect a system
      service, which is a local denial of service.
--- a/dbus-1.spec
+++ b/dbus-1.spec
@ -40,7 +40,7 @@ BuildRequires:  pkgconfig(libsystemd-login)
 BuildRequires:  libexpat-devel
 BuildRequires:  libtool
 BuildRequires:  pkg-config
-Version:        1.8.6
+Version:        1.8.8
 Release:        0
 #
 Source0:        http://dbus.freedesktop.org/releases/dbus/%{_name}-%{version}.tar.gz