Accepting request 434528 from Base:System
dbus 1.8.22 security update \(with bsc#1003898 referenced\) OBS-URL: https://build.opensuse.org/request/show/434528 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/dbus-1?expand=0&rev=139
This commit is contained in:
commit
f220b69d2e
@ -1,3 +1,29 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Oct 11 07:33:15 UTC 2016 - fstrba@suse.com
|
||||
|
||||
- Update to 1.10.12
|
||||
* Security fixes:
|
||||
+ Do not treat ActivationFailure message received from
|
||||
root-owned systemd name as a format string. In principle this
|
||||
is a security vulnerability, but we do not believe it is
|
||||
exploitable in practice, because only privileged processes can
|
||||
own the org.freedesktop.systemd1 bus name, and systemd does
|
||||
not appear to send activation failures that contain "%".
|
||||
Please note that this probably *was* exploitable in dbus
|
||||
versions older than 1.6.30, 1.8.16 and 1.9.10 due to a missing
|
||||
check which at the time was only thought to be a denial of
|
||||
service vulnerability (CVE-2015-0245). If you are still
|
||||
running one of those versions, patch or upgrade immediately.
|
||||
(fdo#98157, bsc#1003898, Simon McVittie)
|
||||
* Other fixes:
|
||||
+ Harden dbus-daemon against malicious or incorrect
|
||||
ActivationFailure messages by rejecting them if they do not
|
||||
come from a privileged process, or if systemd activation is
|
||||
not enabled (fdo#98157, Simon McVittie)
|
||||
+ Avoid undefined behaviour when setting reply serial number
|
||||
without going via union DBusBasicValue (fdo#98035, Marc Mutz)
|
||||
+ autogen.sh: fail cleanly if autoconf fails (Simon McVittie)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Sep 13 14:40:21 UTC 2016 - mvidner@suse.com
|
||||
|
||||
|
@ -27,7 +27,7 @@ Group: System/Daemons
|
||||
Url: http://dbus.freedesktop.org/
|
||||
# COMMON1-BEGIN
|
||||
# COMMON1-BEGIN
|
||||
Version: 1.10.10
|
||||
Version: 1.10.12
|
||||
Release: 0
|
||||
Source0: http://dbus.freedesktop.org/releases/dbus/%{_name}-%{version}.tar.gz
|
||||
Source2: dbus-1.desktop
|
||||
@ -74,8 +74,8 @@ bus daemon).
|
||||
|
||||
%package -n dbus-1
|
||||
Summary: D-Bus Message Bus System
|
||||
Group: System/Daemons
|
||||
# FIXME: use proper Requires(pre/post/preun/...)
|
||||
Group: System/Daemons
|
||||
PreReq: %{_sbindir}/groupadd
|
||||
PreReq: %{_sbindir}/useradd
|
||||
PreReq: permissions
|
||||
|
@ -1,7 +1,7 @@
|
||||
#
|
||||
# spec file for package dbus-1-x11.spec
|
||||
#
|
||||
# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
|
||||
# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
@ -29,6 +29,7 @@ Url: http://dbus.freedesktop.org/
|
||||
# COMMON1-END
|
||||
BuildRequires: audit-devel
|
||||
BuildRequires: doxygen
|
||||
BuildRequires: pkgconfig
|
||||
BuildRequires: update-desktop-files
|
||||
BuildRequires: xmlto
|
||||
BuildRequires: pkgconfig(x11)
|
||||
@ -59,10 +60,6 @@ PreReq: %{_sbindir}/groupadd
|
||||
PreReq: %{_sbindir}/useradd
|
||||
PreReq: permissions
|
||||
Requires(post): %{_libname} = %{version}
|
||||
# bug437293
|
||||
%ifarch ppc64
|
||||
Obsoletes: dbus-1-64bit
|
||||
%endif
|
||||
|
||||
%description -n dbus-1
|
||||
D-Bus is a message bus system, a simple way for applications to talk to
|
||||
@ -84,7 +81,7 @@ mv %{buildroot}/bin/dbus-launch %{buildroot}/%{_bindir}
|
||||
mv %{buildroot}/bin/dbus-run-session %{buildroot}/%{_bindir}
|
||||
ln -sf %{_sbindir}/service %{buildroot}/%{_sbindir}/rcdbus
|
||||
%if 0%{?suse_version} <= 1315 && !0%{?is_opensuse}
|
||||
install -d %{buildroot}/var/run/dbus
|
||||
install -d %{buildroot}%{_localstatedir}/run/dbus
|
||||
%else
|
||||
install -d %{buildroot}/run/dbus
|
||||
%endif
|
||||
@ -120,7 +117,7 @@ ln -sf /bin/dbus-send %{buildroot}%{_bindir}/dbus-send
|
||||
%pre -n dbus-1
|
||||
%{_sbindir}/groupadd -r messagebus 2> /dev/null || :
|
||||
%if 0%{?suse_version} <= 1315 && !0%{?is_opensuse}
|
||||
%{_sbindir}/useradd -r -s /bin/false -c "User for D-Bus" -d /var/run/dbus -g messagebus messagebus 2> /dev/null || :
|
||||
%{_sbindir}/useradd -r -s /bin/false -c "User for D-Bus" -d %{_localstatedir}/run/dbus -g messagebus messagebus 2> /dev/null || :
|
||||
%else
|
||||
%{_sbindir}/useradd -r -s /bin/false -c "User for D-Bus" -d /run/dbus -g messagebus messagebus 2> /dev/null || :
|
||||
%endif
|
||||
@ -181,7 +178,7 @@ fi
|
||||
# behind these permissions
|
||||
%attr(4750,root,messagebus) %verify(not mode) /lib/dbus-1/dbus-daemon-launch-helper
|
||||
%if 0%{?suse_version} <= 1315 && !0%{?is_opensuse}
|
||||
%ghost /var/run/dbus
|
||||
%ghost %{_localstatedir}/run/dbus
|
||||
%else
|
||||
%ghost /run/dbus
|
||||
%endif
|
||||
|
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:9d8f1d069ab4d1a0255d7b400ea3bcef4430c42e729b1012abb2890e3f739a43
|
||||
size 1984077
|
3
dbus-1.10.12.tar.gz
Normal file
3
dbus-1.10.12.tar.gz
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:210a79430b276eafc6406c71705e9140d25b9956d18068df98a70156dc0e475d
|
||||
size 1984805
|
@ -1,3 +1,29 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Oct 11 07:33:15 UTC 2016 - fstrba@suse.com
|
||||
|
||||
- Update to 1.10.12
|
||||
* Security fixes:
|
||||
+ Do not treat ActivationFailure message received from
|
||||
root-owned systemd name as a format string. In principle this
|
||||
is a security vulnerability, but we do not believe it is
|
||||
exploitable in practice, because only privileged processes can
|
||||
own the org.freedesktop.systemd1 bus name, and systemd does
|
||||
not appear to send activation failures that contain "%".
|
||||
Please note that this probably *was* exploitable in dbus
|
||||
versions older than 1.6.30, 1.8.16 and 1.9.10 due to a missing
|
||||
check which at the time was only thought to be a denial of
|
||||
service vulnerability (CVE-2015-0245). If you are still
|
||||
running one of those versions, patch or upgrade immediately.
|
||||
(fdo#98157, bsc#1003898, Simon McVittie)
|
||||
* Other fixes:
|
||||
+ Harden dbus-daemon against malicious or incorrect
|
||||
ActivationFailure messages by rejecting them if they do not
|
||||
come from a privileged process, or if systemd activation is
|
||||
not enabled (fdo#98157, Simon McVittie)
|
||||
+ Avoid undefined behaviour when setting reply serial number
|
||||
without going via union DBusBasicValue (fdo#98035, Marc Mutz)
|
||||
+ autogen.sh: fail cleanly if autoconf fails (Simon McVittie)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Sep 13 14:40:21 UTC 2016 - mvidner@suse.com
|
||||
|
||||
|
@ -28,7 +28,7 @@ Group: System/Daemons
|
||||
Url: http://dbus.freedesktop.org/
|
||||
# WARNING don't use cosmetic beautifiers. it will break the specs after calling pre_checkin script. we don't need to be pretty, but efficient
|
||||
# COMMON1-BEGIN
|
||||
Version: 1.10.10
|
||||
Version: 1.10.12
|
||||
Release: 0
|
||||
Source0: http://dbus.freedesktop.org/releases/dbus/%{_name}-%{version}.tar.gz
|
||||
Source2: dbus-1.desktop
|
||||
|
Loading…
Reference in New Issue
Block a user