Commit Graph

5 Commits

Author SHA256 Message Date
a8bd6c1553 - update to 1.14.4 (bsc#1204111, CVE-2022-42010, bsc#1204112, CVE-2022-42011, bsc#1204113, CVE-2022-42012):
  This is a security update for the dbus 1.14.x stable branch, fixing
  denial-of-service issues (CVE-2022-42010, -42011, -42012) and applying
  security hardening (dbus#416).
  Behaviour changes:
  * On Linux, dbus-daemon and other uses of DBusServer now create a
     path-based Unix socket, unix:path=..., when asked to listen on a
     unix:tmpdir=... address. This makes unix:tmpdir=... equivalent to
     unix:dir=... on all platforms.
     Previous versions would have created an abstract socket, unix:abstract=...,
     in this situation.
     This change primarily affects the well-known session bus when run via
     dbus-launch(1) or dbus-run-session(1). The user bus, enabled by configuring
     dbus with --enable-user-session and running it on a systemd system,
     already used path-based Unix sockets and is unaffected by this change.
     This behaviour change prevents a sandbox escape via the session bus socket
     in sandboxing frameworks that can share the network namespace with the host
     system, such as Flatpak.
     This change might cause a regression in situations where the abstract socket
     is intentionally shared between the host system and a chroot or container,
     such as some use-cases of schroot(1). That regression can be resolved by
     using a bind-mount to share either the D-Bus socket, or the whole /tmp
     directory, with the chroot or container.
     (dbus#416, Simon McVittie)
  * Denial of service fixes:
    - Evgeny Vereshchagin discovered several ways in which an authenticated
      local attacker could cause a crash (denial of service) in
      dbus-daemon --system or a custom DBusServer. In uncommon configurations

OBS-URL: https://build.opensuse.org/package/show/Base:System/dbus-1?expand=0&rev=326
2022-10-26 09:05:34 +00:00
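The behaviour change above turns on which kind of Unix socket a listen address produces. The following is an added audit helper, not code from the dbus project or from this commit: it parses a D-Bus address and reports whether the resulting socket is abstract (reachable by anything sharing the network namespace, e.g. a Flatpak sandbox) or path-based (governed by filesystem access), applying the Linux-only rule that unix:tmpdir= meant an abstract socket before 1.14.4 and a path-based one from 1.14.4 on. The version tuple, the sample addresses and the function names are assumptions made for this example.

```python
# Added example (not dbus project code): classify D-Bus listen addresses by
# the socket type a DBusServer creates, mirroring the 1.14.4 changelog.
# Assumes Linux semantics for unix:tmpdir= and ignores %XX value escaping.

ABSTRACT = "abstract"
PATH = "path"

# Constructed sample listen addresses, as they might appear in <listen> elements.
SAMPLE_ADDRESSES = [
    "unix:tmpdir=/tmp",                       # session bus via dbus-launch
    "unix:path=/run/user/1000/bus",           # user bus (systemd)
    "unix:abstract=/tmp/dbus-Example,guid=0", # explicitly abstract (constructed)
    "tcp:host=localhost,port=12345",          # not a Unix socket at all
]


def parse_address(address):
    """Split 'transport:key=value,key=value' into (transport, {key: value}).

    Only a single address element is handled (no ';'-separated lists)."""
    transport, _, rest = address.partition(":")
    params = {}
    for item in filter(None, rest.split(",")):
        key, _, value = item.partition("=")
        params[key] = value
    return transport, params


def socket_kind(address, dbus_version=(1, 14, 4)):
    """Return 'abstract', 'path', or None (non-Unix transport) for the socket
    a DBusServer running the given version would create on Linux."""
    transport, params = parse_address(address)
    if transport != "unix":
        return None
    if "abstract" in params:
        return ABSTRACT
    if "path" in params or "dir" in params:
        return PATH
    if "tmpdir" in params:
        # Before 1.14.4, tmpdir= produced an abstract socket on Linux;
        # from 1.14.4 it is equivalent to dir= and produces a path-based one.
        return PATH if tuple(dbus_version) >= (1, 14, 4) else ABSTRACT
    raise ValueError("unix address lacks abstract/path/dir/tmpdir: %r" % address)


def abstract_addresses(addresses, dbus_version=(1, 14, 4)):
    """Addresses that would end up as abstract sockets, i.e. the ones a
    network-namespace-sharing sandbox could reach; these are the candidates
    for the bind-mount workaround named in the changelog."""
    return [a for a in addresses if socket_kind(a, dbus_version) == ABSTRACT]
```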
7cc928f081 Accepting request 1011151 from home:iznogood:branches:Base:System
- Disable asserts in dbus-1-x11.spec and dbus-1-devel-doc.spec too

OBS-URL: https://build.opensuse.org/request/show/1011151
OBS-URL: https://build.opensuse.org/package/show/Base:System/dbus-1?expand=0&rev=324
2022-10-15 23:02:03 +00:00
11f4778ee0 Accepting request 960246 from home:iznogood:branches:Base:System
Resub, no multibuild.

The multibuild with several specs is a valid approach - but fine, I'll remove it.

See https://openbuildservice.org/help/manuals/obs-user-guide/cha.obs.multibuild.html

OBS-URL: https://build.opensuse.org/request/show/960246
OBS-URL: https://build.opensuse.org/package/show/Base:System/dbus-1?expand=0&rev=311
2022-03-08 18:40:09 +00:00
dec2cdcef2 Accepting request 958337 from home:iznogood:branches:Base:System
- Update to version 1.12.22:
  + On Linux, when using traditional (non-systemd) service
    activation, don't log warnings about failing to reset OOM score
    adjustment if the process is already more susceptible to the
    OOM killer, as user processes usually are with systemd ≥ 250.
  + On Linux, when using traditional (non-systemd) system bus
    activation, reset the OOM score adjustment to 0 as intended.
    If the system dbus-daemon is protected from the OOM killer,
    this avoids that protection unintentionally being inherited by
    every system service.
  + Avoid malloc() after fork on non-GNU libc.
  + Fix build with clang 13 by using Standard C offsetof where
    available.
  + Fix build of tests on FreeBSD.
  + Make documentation build more reproducible.
  + On Unix, make X11 autolaunch cope with slashes in DISPLAY.
  + Don't try to raise RLIMIT_NOFILE beyond OPEN_MAX on macOS.
  + Fix compilation if embedded tests are enabled but verbose mode
    and stats are both disabled.
  + On Linux, fix a race condition in the integration test for
    transient services.

OBS-URL: https://build.opensuse.org/request/show/958337
OBS-URL: https://build.opensuse.org/package/show/Base:System/dbus-1?expand=0&rev=309
2022-03-03 10:22:48 +00:00
d498fb8aa2 - Update to 1.12.20
  * On Unix, avoid a use-after-free if two usernames have the same
    numeric uid. In older versions this could lead to a crash (denial of
    service) or other undefined behaviour, possibly including incorrect
    authorization decisions if <policy group=...> is used.
    Like Unix filesystems, D-Bus' model of identity cannot distinguish
    between users of different names with the same numeric uid, so this
    configuration is not advisable on systems where D-Bus will be used.
    Thanks to Daniel Onaca.
    (dbus#305, dbus!166; Simon McVittie)
- From 1.12.18
  * CVE-2020-12049: If a message contains more file descriptors than can
    be sent, close those that did get through before reporting error.
    Previously, a local attacker could cause the system dbus-daemon (or
    another system service with its own DBusServer) to run out of file
    descriptors, by repeatedly connecting to the server and sending fds that
    would get leaked.
    Thanks to Kevin Backhouse of GitHub Security Lab.
    (dbus#294, GHSL-2020-057; Simon McVittie)
  * Fix a crash when the dbus-daemon is terminated while one or more
    monitors are active (dbus#291, dbus!140; Simon McVittie)
  * The dbus-send(1) man page now documents --bus and --peer instead of
    the old --address synonym for --peer, which has been deprecated since
    the introduction of --bus and --peer in 1.7.6
    (fd.o #48816, dbus!115; Chris Morin)
  * Fix a wrong environment variable name in dbus-daemon(1)
    (dbus#275, dbus!122; Mubin, Philip Withnall)
  * Fix formatting of dbus_message_append_args example
    (dbus!126, Felipe Franciosi)
  * Avoid a test failure on Linux when built in a container as uid 0, but

OBS-URL: https://build.opensuse.org/package/show/Base:System/dbus-1?expand=0&rev=294
2020-08-15 22:45:02 +00:00