pkgsrc-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[pkgsrc/trunk]: pkgsrc/sysutils/dbus dbus: update to 1.14.4.



details:   https://anonhg.NetBSD.org/pkgsrc/rev/d36654c50720
branches:  trunk
changeset: 386371:d36654c50720
user:      wiz <wiz%pkgsrc.org@localhost>
date:      Thu Oct 06 21:29:56 2022 +0000

description:
dbus: update to 1.14.4.

dbus 1.14.4 (2022-10-05)
========================

This is a security update for the dbus 1.14.x stable branch, fixing
denial-of-service issues (CVE-2022-42010, -42011, -42012) and applying
security hardening (dbus#416).

Behaviour changes:

• On Linux, dbus-daemon and other uses of DBusServer now create a
  path-based Unix socket, unix:path=..., when asked to listen on a
  unix:tmpdir=... address. This makes unix:tmpdir=... equivalent to
  unix:dir=... on all platforms.
  Previous versions would have created an abstract socket, unix:abstract=...,
  in this situation.
  This change primarily affects the well-known session bus when run via
  dbus-launch(1) or dbus-run-session(1). The user bus, enabled by configuring
  dbus with --enable-user-session and running it on a systemd system,
  already used path-based Unix sockets and is unaffected by this change.
  This behaviour change prevents a sandbox escape via the session bus socket
  in sandboxing frameworks that can share the network namespace with the host
  system, such as Flatpak.
  This change might cause a regression in situations where the abstract socket
  is intentionally shared between the host system and a chroot or container,
  such as some use-cases of schroot(1). That regression can be resolved by
  using a bind-mount to share either the D-Bus socket, or the whole /tmp
  directory, with the chroot or container.
  (dbus#416, Simon McVittie)

Denial of service fixes:

Evgeny Vereshchagin discovered several ways in which an authenticated
local attacker could cause a crash (denial of service) in
dbus-daemon --system or a custom DBusServer. In uncommon configurations
these could potentially be carried out by an authenticated remote attacker.

• An invalid array of fixed-length elements where the length of the array
  is not a multiple of the length of the element would cause an assertion
  failure in debug builds or an out-of-bounds read in production builds.
  This was a regression in version 1.3.0.
  (dbus#413, CVE-2022-42011; Simon McVittie)

• A syntactically invalid type signature with incorrectly nested parentheses
  and curly brackets would cause an assertion failure in debug builds.
  Similar messages could potentially result in a crash or incorrect message
  processing in a production build, although we are not aware of a practical
  example. (dbus#418, CVE-2022-42010; Simon McVittie)

• A message in non-native endianness with out-of-band Unix file descriptors
  would cause a use-after-free and possible memory corruption in production
  builds, or an assertion failure in debug builds. This was a regression in
  version 1.3.0. (dbus#417, CVE-2022-42012; Simon McVittie)

diffstat:

 sysutils/dbus/Makefile |  4 ++--
 sysutils/dbus/distinfo |  8 ++++----
 2 files changed, 6 insertions(+), 6 deletions(-)

diffs (28 lines):

diff -r fa72e769de9f -r d36654c50720 sysutils/dbus/Makefile
--- a/sysutils/dbus/Makefile    Thu Oct 06 20:17:43 2022 +0000
+++ b/sysutils/dbus/Makefile    Thu Oct 06 21:29:56 2022 +0000
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.133 2022/10/03 12:44:00 wiz Exp $
+# $NetBSD: Makefile,v 1.134 2022/10/06 21:29:56 wiz Exp $
 
-DISTNAME=      dbus-1.14.2
+DISTNAME=      dbus-1.14.4
 CATEGORIES=    sysutils
 MASTER_SITES=  https://dbus.freedesktop.org/releases/dbus/
 EXTRACT_SUFX=  .tar.xz
diff -r fa72e769de9f -r d36654c50720 sysutils/dbus/distinfo
--- a/sysutils/dbus/distinfo    Thu Oct 06 20:17:43 2022 +0000
+++ b/sysutils/dbus/distinfo    Thu Oct 06 21:29:56 2022 +0000
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.99 2022/10/03 12:44:00 wiz Exp $
+$NetBSD: distinfo,v 1.100 2022/10/06 21:29:56 wiz Exp $
 
-BLAKE2s (dbus-1.14.2.tar.xz) = e494ae3be33733c32bf1f32d1b5b2e72ac73895344f1c87156291f5042dd1294
-SHA512 (dbus-1.14.2.tar.xz) = 6e503385bfc1b17d4922dc6d2fb3fa10626ed306fe2b3a6a59f6cf81667c4cd63c2fc5e4fd040f48415235e9f4a75b10948ef512f022af1edab20f426271a9b4
-Size (dbus-1.14.2.tar.xz) = 1362972 bytes
+BLAKE2s (dbus-1.14.4.tar.xz) = cf470548eb1d0c688f4962a52ee3a218c18b5d4c23df488adcf4f74b9d4d5f17
+SHA512 (dbus-1.14.4.tar.xz) = 7c8ce95b8a4c63cf51cc9f10bebbc19e66d6a96c4806befad48c3fe73b4468bb2b50f9570b73fe05ff12223e5e6815032139d316995eb670c28b23c028f293d6
+Size (dbus-1.14.4.tar.xz) = 1368196 bytes
 SHA1 (patch-configure) = 9dee6306aa07b60449a0f9f0f1ea3dccbc70dcb4
 SHA1 (patch-dbus_dbus-sysdeps-unix.c) = 3dfc60eba7ab9d5a29d2a842ce0baa1b109df716
 SHA1 (patch-dbus_dbus-sysdeps-util-unix.c) = 537bb8a30bd0bde8ac208a7ce9a4e1903246b443


Home | Main Index | Thread Index | Old Index