Commit Graph

12 Commits

Author SHA256 Message Date
a2330cfb84 - update to 1.14.10:
  * Avoid a dbus-daemon crash if re-creating a connection's policy
    fails. If it isn't possible to re-create its policy (for
    example if it belongs to a user account that has been deleted
    or if the Name Service Switch is broken, on a system not
    supporting SO_PEERGROUPS), we now log a warning, continue to
    use its current policy, and continue to reload other
    connections' policies.
  * If getting the groups from a user ID fails, report the error
    correctly, instead of logging "(null)"
  * Return the primary group ID in GetConnectionCredentials()'
    UnixGroupIDs field for processes with a valid-but-empty
    supplementary group list
- Disable asserts (bsc#1087072)
- set runstatedir correctly
- avoid listing cmake directory - owned by cmake package
- Use sysusers.d to create messagebus user

OBS-URL: https://build.opensuse.org/package/show/Base:System/dbus-1?expand=0&rev=338
2023-09-13 08:46:45 +00:00
3aa97ec44a - update to 1.14.8:
  * Denial-of-service fixes:
  * Fix an assertion failure in dbus-daemon when a privileged
    Monitoring connection (dbus-monitor, busctl monitor, gdbus
    monitor or similar) is active, and a message from the bus
    driver cannot be delivered to a client connection due to
    <deny> rules or outgoing message quota. This
    is a denial of service if triggered maliciously by a local
    attacker.
  * Fix compilation on compilers not supporting __FUNCTION__
  * Fix some memory leaks on out-of-memory conditions
  * Fix syntax of a code sample in dbus-api-design

OBS-URL: https://build.opensuse.org/package/show/Base:System/dbus-1?expand=0&rev=335
2023-06-12 21:16:15 +00:00
6a83c1aecf - update to 1.14.6:
  * Fix an incorrect assertion that could be used to crash
    dbus-daemon or other users of DBusServer prior to
    authentication, if libdbus was compiled with assertions
    enabled.
    We recommend that production builds of dbus, for example in
    OS distributions, should be compiled with checks but
    without assertions.
  * When connected to a dbus-broker, stop dbus-monitor from
    incorrectly replying to Peer method calls that were sent to the
    dbus-broker with a NULL destination
  * Fix out-of-bounds varargs read in the dbus-daemon's config-
    parser.  This is not attacker-triggerable and appears to be
    harmless in practice, but is technically undefined behaviour
    and is detected as such by AddressSanitizer.
  * Avoid a data race in multi-threaded use of DBusCounter
  * Fix a crash with some glibc versions when non-auditable
    SELinux events are logged (dbus!386, Jeremi Piotrowski)
  * If dbus_message_demarshal() runs out of memory while
    validating a message, report it as NoMemory rather than
    InvalidArgs (dbus#420, Simon McVittie)
  * Use C11 _Alignof if available, for better standards-
    compliance
  * Stop including an outdated copy of pkg.m4 in the git tree
  * Documentation:
  * Fix the test-apparmor-activation test after dbus#416
  * Internal changes:
  * Fix CI builds with recent git versions (dbus#447, Simon
    McVittie)
- switch to using multibuild

OBS-URL: https://build.opensuse.org/package/show/Base:System/dbus-1?expand=0&rev=328
2023-02-09 17:09:45 +00:00
a8bd6c1553 - update to 1.14.4 (bsc#1204111, CVE-2022-42010,
                    bsc#1204112, CVE-2022-42011,
                    bsc#1204113, CVE-2022-42012):
  This is a security update for the dbus 1.14.x stable branch, fixing
  denial-of-service issues (CVE-2022-42010, -42011, -42012) and applying
  security hardening (dbus#416).
  Behaviour changes:
  * On Linux, dbus-daemon and other uses of DBusServer now create a
     path-based Unix socket, unix:path=..., when asked to listen on a
     unix:tmpdir=... address. This makes unix:tmpdir=... equivalent to
     unix:dir=... on all platforms.
     Previous versions would have created an abstract socket, unix:abstract=...,
     in this situation.
     This change primarily affects the well-known session bus when run via
     dbus-launch(1) or dbus-run-session(1). The user bus, enabled by configuring
     dbus with --enable-user-session and running it on a systemd system,
     already used path-based Unix sockets and is unaffected by this change.
     This behaviour change prevents a sandbox escape via the session bus socket
     in sandboxing frameworks that can share the network namespace with the host
     system, such as Flatpak.
     This change might cause a regression in situations where the abstract socket
     is intentionally shared between the host system and a chroot or container,
     such as some use-cases of schroot(1). That regression can be resolved by
     using a bind-mount to share either the D-Bus socket, or the whole /tmp
     directory, with the chroot or container.
     (dbus#416, Simon McVittie)
  * Denial of service fixes:
    - Evgeny Vereshchagin discovered several ways in which an authenticated
      local attacker could cause a crash (denial of service) in
      dbus-daemon --system or a custom DBusServer. In uncommon configurations

OBS-URL: https://build.opensuse.org/package/show/Base:System/dbus-1?expand=0&rev=326
2022-10-26 09:05:34 +00:00
7cc928f081 Accepting request 1011151 from home:iznogood:branches:Base:System
- Disable asserts in dbus-1-x11.spec and dbus-1-devel-doc.spec too

OBS-URL: https://build.opensuse.org/request/show/1011151
OBS-URL: https://build.opensuse.org/package/show/Base:System/dbus-1?expand=0&rev=324
2022-10-15 23:02:03 +00:00
e47922d8b1 OBS-URL: https://build.opensuse.org/package/show/Base:System/dbus-1?expand=0&rev=314
2022-03-15 16:26:11 +00:00
aa2309df38 - set runstatedir correctly
OBS-URL: https://build.opensuse.org/package/show/Base:System/dbus-1?expand=0&rev=313
2022-03-14 10:47:02 +00:00
11f4778ee0 Accepting request 960246 from home:iznogood:branches:Base:System
Resub, no multibuild.

The multibuild with several specs is a valid approach - but fine, I'll remove it.

See https://openbuildservice.org/help/manuals/obs-user-guide/cha.obs.multibuild.html

OBS-URL: https://build.opensuse.org/request/show/960246
OBS-URL: https://build.opensuse.org/package/show/Base:System/dbus-1?expand=0&rev=311
2022-03-08 18:40:09 +00:00
dec2cdcef2 Accepting request 958337 from home:iznogood:branches:Base:System
- Update to version 1.12.22:
  + On Linux, when using traditional (non-systemd) service
    activation, don't log warnings about failing to reset OOM score
    adjustment if the process is already more susceptible to the
    OOM killer, as user processes usually are with systemd ≥ 250.
  + On Linux, when using traditional (non-systemd) system bus
    activation, reset the OOM score adjustment to 0 as intended.
    If the system dbus-daemon is protected from the OOM killer,
    this avoids that protection unintentionally being inherited by
    every system service.
  + Avoid malloc() after fork on non-GNU libc.
  + Fix build with clang 13 by using Standard C offsetof where
    available.
  + Fix build of tests on FreeBSD.
  + Make documentation build more reproducible.
  + On Unix, make X11 autolaunch cope with slashes in DISPLAY.
  + Don't try to raise RLIMIT_NOFILE beyond OPEN_MAX on macOS.
  + Fix compilation if embedded tests are enabled but verbose mode
    and stats are both disabled.
  + On Linux, fix a race condition in the integration test for
    transient services.

OBS-URL: https://build.opensuse.org/request/show/958337
OBS-URL: https://build.opensuse.org/package/show/Base:System/dbus-1?expand=0&rev=309
2022-03-03 10:22:48 +00:00
7bd2317d01 - avoid listing cmake directory - owned by cmake package
OBS-URL: https://build.opensuse.org/package/show/Base:System/dbus-1?expand=0&rev=302
2021-04-07 22:36:23 +00:00
8b4cd106c1 Accepting request 821367 from home:elimat:branches:Base:System
- Update to 1.12.20
  * On Unix, avoid a use-after-free if two usernames have the same
    numeric uid. In older versions this could lead to a crash (denial of
    service) or other undefined behaviour, possibly including incorrect
    authorization decisions if <policy group=...> is used.
    Like Unix filesystems, D-Bus' model of identity cannot distinguish
    between users of different names with the same numeric uid, so this
    configuration is not advisable on systems where D-Bus will be used.
    Thanks to Daniel Onaca.
    (dbus#305, dbus!166; Simon McVittie)
- From 1.12.18
  * CVE-2020-12049: If a message contains more file descriptors than can
    be sent, close those that did get through before reporting error.
    Previously, a local attacker could cause the system dbus-daemon (or
    another system service with its own DBusServer) to run out of file
    descriptors, by repeatedly connecting to the server and sending fds that
    would get leaked.
    Thanks to Kevin Backhouse of GitHub Security Lab.
    (dbus#294, GHSL-2020-057; Simon McVittie)
  * Fix a crash when the dbus-daemon is terminated while one or more
    monitors are active (dbus#291, dbus!140; Simon McVittie)
  * The dbus-send(1) man page now documents --bus and --peer instead of
    the old --address synonym for --peer, which has been deprecated since
    the introduction of --bus and --peer in 1.7.6
    (fd.o #48816, dbus!115; Chris Morin)
  * Fix a wrong environment variable name in dbus-daemon(1)
    (dbus#275, dbus!122; Mubin, Philip Withnall)
  * Fix formatting of dbus_message_append_args example
    (dbus!126, Felipe Franciosi)
  * Avoid a test failure on Linux when built in a container as uid 0, but
    without the necessary privileges to increase resource limits
    (dbus!58, Debian #908092; Simon McVittie)
  * When building with CMake, cope with libX11 in a non-standard location
    (dbus!129, Tuomo Rinne)
- Run spec-cleaner

OBS-URL: https://build.opensuse.org/request/show/821367
OBS-URL: https://build.opensuse.org/package/show/Base:System/dbus-1?expand=0&rev=293
2020-07-17 00:09:42 +00:00
b91aa737db Accepting request 765601 from home:StefanBruens:branches:Base:System
- Move generation of API docs to a separate package, avoid doxygen
  dependency for building main package.
- Build x11 and devel-doc (API doc) using _multibuild.
- Drop no longer required call to autoreconf, remove obsolete
  BuildRequires for libtool and autoconf-archive.

OBS-URL: https://build.opensuse.org/request/show/765601
OBS-URL: https://build.opensuse.org/package/show/Base:System/dbus-1?expand=0&rev=292
2020-01-30 10:30:51 +00:00