Accepting request 434528 from Base:System

dbus 1.8.22 security update \(with bsc#1003898 referenced\) OBS-URL: https://build.opensuse.org/request/show/434528 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/dbus-1?expand=0&rev=139
2016-10-13 09:24:02 +00:00 · 2016-10-13 09:24:02 +00:00 · f220b69d2e
commit f220b69d2e
parent 90d5a88fe8 211e7f30cb
7 changed files with 63 additions and 14 deletions
--- a/dbus-1-x11.changes
+++ b/dbus-1-x11.changes
@ -1,3 +1,29 @@
+-------------------------------------------------------------------
+Tue Oct 11 07:33:15 UTC 2016 - fstrba@suse.com
+
+- Update to 1.10.12
+  * Security fixes:
+    + Do not treat ActivationFailure message received from
+      root-owned systemd name as a format string. In principle this
+      is a security vulnerability, but we do not believe it is
+      exploitable in practice, because only privileged processes can
+      own the org.freedesktop.systemd1 bus name, and systemd does
+      not appear to send activation failures that contain "%".
+      Please note that this probably *was* exploitable in dbus
+      versions older than 1.6.30, 1.8.16 and 1.9.10 due to a missing
+      check which at the time was only thought to be a denial of
+      service vulnerability (CVE-2015-0245). If you are still
+      running one of those versions, patch or upgrade immediately.
+      (fdo#98157, bsc#1003898, Simon McVittie)
+  * Other fixes:
+    + Harden dbus-daemon against malicious or incorrect
+      ActivationFailure messages by rejecting them if they do not
+      come from a privileged process, or if systemd activation is
+      not enabled (fdo#98157, Simon McVittie)
+    + Avoid undefined behaviour when setting reply serial number
+      without going via union DBusBasicValue (fdo#98035, Marc Mutz)
+    + autogen.sh: fail cleanly if autoconf fails (Simon McVittie)
+
 -------------------------------------------------------------------
 Tue Sep 13 14:40:21 UTC 2016 - mvidner@suse.com

--- a/dbus-1-x11.spec
+++ b/dbus-1-x11.spec
@ -27,7 +27,7 @@ Group:          System/Daemons
 Url:            http://dbus.freedesktop.org/
 # COMMON1-BEGIN
 # COMMON1-BEGIN
-Version:        1.10.10
+Version:        1.10.12
 Release:        0
 Source0:        http://dbus.freedesktop.org/releases/dbus/%{_name}-%{version}.tar.gz
 Source2:        dbus-1.desktop
@ -74,8 +74,8 @@ bus daemon).

 %package -n dbus-1
 Summary:        D-Bus Message Bus System
-Group:          System/Daemons
 # FIXME: use proper Requires(pre/post/preun/...)
+Group:          System/Daemons
 PreReq:         %{_sbindir}/groupadd
 PreReq:         %{_sbindir}/useradd
 PreReq:         permissions
--- a/dbus-1-x11.spec.in
+++ b/dbus-1-x11.spec.in
@ -1,7 +1,7 @@
 #
 # spec file for package dbus-1-x11.spec
 #
-# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -29,6 +29,7 @@ Url:            http://dbus.freedesktop.org/
 # COMMON1-END
 BuildRequires:  audit-devel
 BuildRequires:  doxygen
+BuildRequires:  pkgconfig
 BuildRequires:  update-desktop-files
 BuildRequires:  xmlto
 BuildRequires:  pkgconfig(x11)
@ -59,10 +60,6 @@ PreReq:         %{_sbindir}/groupadd
 PreReq:         %{_sbindir}/useradd
 PreReq:         permissions
 Requires(post): %{_libname} = %{version}
-# bug437293
-%ifarch ppc64
-Obsoletes:      dbus-1-64bit
-%endif

 %description -n dbus-1
 D-Bus is a message bus system, a simple way for applications to talk to
@ -84,7 +81,7 @@ mv %{buildroot}/bin/dbus-launch %{buildroot}/%{_bindir}
 mv %{buildroot}/bin/dbus-run-session %{buildroot}/%{_bindir}
 ln -sf %{_sbindir}/service  %{buildroot}/%{_sbindir}/rcdbus
 %if 0%{?suse_version} <= 1315 && !0%{?is_opensuse}
-install -d %{buildroot}/var/run/dbus
+install -d %{buildroot}%{_localstatedir}/run/dbus
 %else
 install -d %{buildroot}/run/dbus
 %endif
@ -120,7 +117,7 @@ ln -sf /bin/dbus-send %{buildroot}%{_bindir}/dbus-send
 %pre -n dbus-1
 %{_sbindir}/groupadd -r messagebus 2> /dev/null || :
 %if 0%{?suse_version} <= 1315 && !0%{?is_opensuse}
-%{_sbindir}/useradd -r -s /bin/false -c "User for D-Bus" -d /var/run/dbus -g messagebus messagebus 2> /dev/null || :
+%{_sbindir}/useradd -r -s /bin/false -c "User for D-Bus" -d %{_localstatedir}/run/dbus -g messagebus messagebus 2> /dev/null || :
 %else
 %{_sbindir}/useradd -r -s /bin/false -c "User for D-Bus" -d /run/dbus -g messagebus messagebus 2> /dev/null || :
 %endif
@ -181,7 +178,7 @@ fi
 # behind these permissions
 %attr(4750,root,messagebus) %verify(not mode) /lib/dbus-1/dbus-daemon-launch-helper
 %if 0%{?suse_version} <= 1315 && !0%{?is_opensuse}
-%ghost /var/run/dbus
+%ghost %{_localstatedir}/run/dbus
 %else
 %ghost /run/dbus
 %endif
--- a/dbus-1.10.10.tar.gz
+++ b/dbus-1.10.10.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:9d8f1d069ab4d1a0255d7b400ea3bcef4430c42e729b1012abb2890e3f739a43
-size 1984077
--- a/dbus-1.10.12.tar.gz
+++ b/dbus-1.10.12.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:210a79430b276eafc6406c71705e9140d25b9956d18068df98a70156dc0e475d
+size 1984805
--- a/dbus-1.changes
+++ b/dbus-1.changes
@ -1,3 +1,29 @@
+-------------------------------------------------------------------
+Tue Oct 11 07:33:15 UTC 2016 - fstrba@suse.com
+
+- Update to 1.10.12
+  * Security fixes:
+    + Do not treat ActivationFailure message received from
+      root-owned systemd name as a format string. In principle this
+      is a security vulnerability, but we do not believe it is
+      exploitable in practice, because only privileged processes can
+      own the org.freedesktop.systemd1 bus name, and systemd does
+      not appear to send activation failures that contain "%".
+      Please note that this probably *was* exploitable in dbus
+      versions older than 1.6.30, 1.8.16 and 1.9.10 due to a missing
+      check which at the time was only thought to be a denial of
+      service vulnerability (CVE-2015-0245). If you are still
+      running one of those versions, patch or upgrade immediately.
+      (fdo#98157, bsc#1003898, Simon McVittie)
+  * Other fixes:
+    + Harden dbus-daemon against malicious or incorrect
+      ActivationFailure messages by rejecting them if they do not
+      come from a privileged process, or if systemd activation is
+      not enabled (fdo#98157, Simon McVittie)
+    + Avoid undefined behaviour when setting reply serial number
+      without going via union DBusBasicValue (fdo#98035, Marc Mutz)
+    + autogen.sh: fail cleanly if autoconf fails (Simon McVittie)
+
 -------------------------------------------------------------------
 Tue Sep 13 14:40:21 UTC 2016 - mvidner@suse.com

--- a/dbus-1.spec
+++ b/dbus-1.spec
@ -28,7 +28,7 @@ Group:          System/Daemons
 Url:            http://dbus.freedesktop.org/
 # WARNING don't use cosmetic beautifiers. it will break the specs after calling pre_checkin script. we don't need to be pretty, but efficient
 # COMMON1-BEGIN
-Version:        1.10.10
+Version:        1.10.12
 Release:        0
 Source0:        http://dbus.freedesktop.org/releases/dbus/%{_name}-%{version}.tar.gz
 Source2:        dbus-1.desktop