dbus-1/dbus-1-x11.spec
Dirk Mueller a8bd6c1553 - update to 1.14.4 (bsc#1204111, CVE-2022-42010,
  bsc#1204112, CVE-2022-42011, bsc#1204113, CVE-2022-42012):
  This is a security update for the dbus 1.14.x stable branch, fixing
  denial-of-service issues (CVE-2022-42010, -42011, -42012) and applying
  security hardening (dbus#416).
  Behaviour changes:
  * On Linux, dbus-daemon and other uses of DBusServer now create a
     path-based Unix socket, unix:path=..., when asked to listen on a
     unix:tmpdir=... address. This makes unix:tmpdir=... equivalent to
     unix:dir=... on all platforms.
     Previous versions would have created an abstract socket, unix:abstract=...,
     in this situation.
     This change primarily affects the well-known session bus when run via
     dbus-launch(1) or dbus-run-session(1). The user bus, enabled by configuring
     dbus with --enable-user-session and running it on a systemd system,
     already used path-based Unix sockets and is unaffected by this change.
     This behaviour change prevents a sandbox escape via the session bus socket
     in sandboxing frameworks that can share the network namespace with the host
     system, such as Flatpak.
     This change might cause a regression in situations where the abstract socket
     is intentionally shared between the host system and a chroot or container,
     such as some use-cases of schroot(1). That regression can be resolved by
     using a bind-mount to share either the D-Bus socket, or the whole /tmp
     directory, with the chroot or container.
     (dbus#416, Simon McVittie)
  * Denial of service fixes:
    - Evgeny Vereshchagin discovered several ways in which an authenticated
      local attacker could cause a crash (denial of service) in
      dbus-daemon --system or a custom DBusServer. In uncommon configurations

OBS-URL: https://build.opensuse.org/package/show/Base:System/dbus-1?expand=0&rev=326
2022-10-26 09:05:34 +00:00
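
A check for the behaviour change described in the commit message above, added here as an example (it is not part of this package or of dbus): it classifies a D-Bus address by socket type and lists abstract D-Bus sockets from `/proc/net/unix`-style input. The function names, addresses and socket table are constructed for illustration.

```sh
#!/bin/sh
# Added example; the addresses and /proc/net/unix lines below are constructed.

# Print one word per ';'-separated entry of a D-Bus address:
# abstract, path, dir, tmpdir, other-unix or non-unix.
classify_dbus_address() (
    set -f      # do not glob while splitting on ';'
    IFS=';'
    for entry in $1; do
        [ -n "$entry" ] || continue
        params=",${entry#*:},"
        case ${entry%%:*} in
            unix)
                case $params in
                    *,abstract=*) echo abstract ;;
                    *,path=*)     echo path ;;
                    *,dir=*)      echo dir ;;
                    *,tmpdir=*)   echo tmpdir ;;
                    *)            echo other-unix ;;
                esac ;;
            *) echo non-unix ;;
        esac
    done
)

# Succeeds if any entry is an abstract socket, which is reachable from every
# process in the same network namespace regardless of its filesystem view.
address_uses_abstract_socket() {
    classify_dbus_address "$1" | grep -qx abstract
}

# Read /proc/net/unix-format text on stdin; abstract names are shown with '@'.
abstract_dbus_sockets() {
    awk 'NR > 1 && $8 ~ /^@/ && $8 ~ /dbus-/ { print $8 }'
}

# Constructed samples: address shape before and after the change, and a socket table.
OLD_ADDR='unix:abstract=/tmp/dbus-AbCdEfGh,guid=0123456789abcdef0123456789abcdef'
NEW_ADDR='unix:path=/tmp/dbus-AbCdEfGh,guid=0123456789abcdef0123456789abcdef'
SAMPLE_PROC_NET_UNIX='Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 31337 @/tmp/dbus-AbCdEfGh
0000000000000000: 00000002 00000000 00010000 0001 01 31338 /run/user/1000/bus
0000000000000000: 00000003 00000000 00000000 0001 03 31339 @/tmp/.X11-unix/X0'

for a in "$OLD_ADDR" "$NEW_ADDR"; do
    if address_uses_abstract_socket "$a"; then echo "EXPOSED  $a"; else echo "ok       $a"; fi
done
printf '%s\n' "$SAMPLE_PROC_NET_UNIX" | abstract_dbus_sockets
```

On a live Linux host, run `abstract_dbus_sockets < /proc/net/unix` to see whether any bus is still listening on an abstract socket.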

126 lines
4.1 KiB
RPMSpec

#
# spec file for package dbus-1-x11
#
# Copyright (c) 2022 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%define _name dbus
%define _libname libdbus-1-3
%if 0%{?suse_version} <= 1320
%define _userunitdir %{_prefix}/lib/systemd/user
%endif
%bcond_without selinux
Name: dbus-1-x11
Version: 1.14.4
Release: 0
Summary: D-Bus Message Bus System
License: AFL-2.1 OR GPL-2.0-or-later
URL: https://dbus.freedesktop.org/
Source0: https://dbus.freedesktop.org/releases/dbus/%{_name}-%{version}.tar.xz
Source1: https://dbus.freedesktop.org/releases/dbus/%{_name}-%{version}.tar.xz.asc
Source2: dbus-1.keyring
Source3: baselibs.conf
Source4: dbus-1.desktop
# PATCH-FEATURE-OPENSUSE feature-suse-log-deny.patch
Patch0: feature-suse-log-deny.patch
# PATCH-FIX-OPENSUSE coolo@suse.de -- force a feature configure won't accept without x11 in buildrequires
Patch1: feature-suse-do-autolaunch.patch
# PATCH-FEATURE-OPENSUSE sflees@suse.de, users shouldn't be allowed to start / stop the dbus service.
Patch2: feature-suse-refuse-manual-start-stop.patch
BuildRequires: alts
BuildRequires: autoconf-archive
BuildRequires: libcap-ng-devel
BuildRequires: libexpat-devel >= 2.1.0
BuildRequires: libtool
BuildRequires: pkgconfig
BuildRequires: pkgconfig(libsystemd) >= 209
BuildRequires: pkgconfig(x11)
Requires: alts
Supplements: (dbus-1 and libX11-6)
Provides: dbus-launch
%if %{with selinux}
BuildRequires: libselinux-devel
%endif
%description
D-Bus contains some tools that require Xlib to be installed, those are
in this separate package so server systems need not install X.
%prep
%setup -q -n %{_name}-%{version}
%autopatch -p1
%build
echo 'HTML_TIMESTAMP=NO' >> Doxyfile.in
# We use -fpie/-pie for the whole build; this is the recommended way to harden
# the build upstream, see discussion in fdo#46570
export CFLAGS="%{optflags} -fno-strict-aliasing -fPIC -fpie"
export LDFLAGS="-pie"
export CXXFLAGS="%{optflags} -fno-strict-aliasing"
export V=1
# --with-x=auto is a workaround until https://gitlab.freedesktop.org/dbus/dbus/-/merge_requests/263
# is included (1.14.1+)
%configure \
    --disable-static \
    --disable-asserts \
    --runstatedir=%{_rundir} \
    --libexecdir=%{_libexecdir}/dbus-1 \
    --enable-inotify \
    --disable-doxygen-docs \
%if %{with selinux}
    --enable-selinux \
%endif
    --enable-systemd \
    --enable-user-session \
    --enable-libaudit \
    --with-console-auth-dir=/run/dbus/at_console/ \
    --with-system-pid-file=/run/dbus/pid \
    --with-system-socket=/run/dbus/system_bus_socket \
    --with-systemdsystemunitdir=%{_unitdir} \
    --with-systemduserunitdir=%{_userunitdir} \
    --with-x=auto
%make_build
%install
tdir=$(mktemp -d)
make DESTDIR=$tdir install
mkdir -p %{buildroot}/%{_bindir}
mv $tdir/%{_bindir}/dbus-launch %{buildroot}/%{_bindir}/dbus-launch.x11
# create entries for libalternatives
ln -sf %{_bindir}/alts %{buildroot}%{_bindir}/dbus-launch
mkdir -p %{buildroot}%{_datadir}/libalternatives/dbus-launch
cat > %{buildroot}%{_datadir}/libalternatives/dbus-launch/20.conf <<EOF
binary=%{_bindir}/dbus-launch.x11
group=dbus-launch
EOF
%pre
# removing old update-alternatives entries
if [ "$1" -gt 0 ] && [ -f %{_sbindir}/update-alternatives ] ; then
    %{_sbindir}/update-alternatives --remove dbus-launch %{_bindir}/dbus-launch.x11
fi
%files
%dir %{_datadir}/libalternatives
%dir %{_datadir}/libalternatives/dbus-launch
%{_datadir}/libalternatives/dbus-launch/20.conf
%{_bindir}/dbus-launch
%{_bindir}/dbus-launch.x11
%changelog