CVS commit: pkgsrc/sysutils/dbus

To: pkgsrc-changes%NetBSD.org@localhost
Subject: CVS commit: pkgsrc/sysutils/dbus
From: "Thomas Klausner" <wiz%netbsd.org@localhost>
Date: Thu, 6 Oct 2022 21:29:56 +0000

Module Name:    pkgsrc
Committed By:   wiz
Date:           Thu Oct  6 21:29:56 UTC 2022

Modified Files:
        pkgsrc/sysutils/dbus: Makefile distinfo

Log Message:
dbus: update to 1.14.4.

dbus 1.14.4 (2022-10-05)
========================

This is a security update for the dbus 1.14.x stable branch, fixing
denial-of-service issues (CVE-2022-42010, -42011, -42012) and applying
security hardening (dbus#416).

Behaviour changes:

• On Linux, dbus-daemon and other uses of DBusServer now create a
  path-based Unix socket, unix:path=..., when asked to listen on a
  unix:tmpdir=... address. This makes unix:tmpdir=... equivalent to
  unix:dir=... on all platforms.
  Previous versions would have created an abstract socket, unix:abstract=...,
  in this situation.
  This change primarily affects the well-known session bus when run via
  dbus-launch(1) or dbus-run-session(1). The user bus, enabled by configuring
  dbus with --enable-user-session and running it on a systemd system,
  already used path-based Unix sockets and is unaffected by this change.
  This behaviour change prevents a sandbox escape via the session bus socket
  in sandboxing frameworks that can share the network namespace with the host
  system, such as Flatpak.
  This change might cause a regression in situations where the abstract socket
  is intentionally shared between the host system and a chroot or container,
  such as some use-cases of schroot(1). That regression can be resolved by
  using a bind-mount to share either the D-Bus socket, or the whole /tmp
  directory, with the chroot or container.
  (dbus#416, Simon McVittie)

Denial of service fixes:

Evgeny Vereshchagin discovered several ways in which an authenticated
local attacker could cause a crash (denial of service) in
dbus-daemon --system or a custom DBusServer. In uncommon configurations
these could potentially be carried out by an authenticated remote attacker.

• An invalid array of fixed-length elements where the length of the array
  is not a multiple of the length of the element would cause an assertion
  failure in debug builds or an out-of-bounds read in production builds.
  This was a regression in version 1.3.0.
  (dbus#413, CVE-2022-42011; Simon McVittie)

• A syntactically invalid type signature with incorrectly nested parentheses
  and curly brackets would cause an assertion failure in debug builds.
  Similar messages could potentially result in a crash or incorrect message
  processing in a production build, although we are not aware of a practical
  example. (dbus#418, CVE-2022-42010; Simon McVittie)

• A message in non-native endianness with out-of-band Unix file descriptors
  would cause a use-after-free and possible memory corruption in production
  builds, or an assertion failure in debug builds. This was a regression in
  version 1.3.0. (dbus#417, CVE-2022-42012; Simon McVittie)


To generate a diff of this commit:
cvs rdiff -u -r1.133 -r1.134 pkgsrc/sysutils/dbus/Makefile
cvs rdiff -u -r1.99 -r1.100 pkgsrc/sysutils/dbus/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/sysutils/dbus/Makefile
diff -u pkgsrc/sysutils/dbus/Makefile:1.133 pkgsrc/sysutils/dbus/Makefile:1.134
--- pkgsrc/sysutils/dbus/Makefile:1.133 Mon Oct  3 12:44:00 2022
+++ pkgsrc/sysutils/dbus/Makefile       Thu Oct  6 21:29:56 2022
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.133 2022/10/03 12:44:00 wiz Exp $
+# $NetBSD: Makefile,v 1.134 2022/10/06 21:29:56 wiz Exp $
 
-DISTNAME=      dbus-1.14.2
+DISTNAME=      dbus-1.14.4
 CATEGORIES=    sysutils
 MASTER_SITES=  https://dbus.freedesktop.org/releases/dbus/
 EXTRACT_SUFX=  .tar.xz

Index: pkgsrc/sysutils/dbus/distinfo
diff -u pkgsrc/sysutils/dbus/distinfo:1.99 pkgsrc/sysutils/dbus/distinfo:1.100
--- pkgsrc/sysutils/dbus/distinfo:1.99  Mon Oct  3 12:44:00 2022
+++ pkgsrc/sysutils/dbus/distinfo       Thu Oct  6 21:29:56 2022
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.99 2022/10/03 12:44:00 wiz Exp $
+$NetBSD: distinfo,v 1.100 2022/10/06 21:29:56 wiz Exp $
 
-BLAKE2s (dbus-1.14.2.tar.xz) = e494ae3be33733c32bf1f32d1b5b2e72ac73895344f1c87156291f5042dd1294
-SHA512 (dbus-1.14.2.tar.xz) = 6e503385bfc1b17d4922dc6d2fb3fa10626ed306fe2b3a6a59f6cf81667c4cd63c2fc5e4fd040f48415235e9f4a75b10948ef512f022af1edab20f426271a9b4
-Size (dbus-1.14.2.tar.xz) = 1362972 bytes
+BLAKE2s (dbus-1.14.4.tar.xz) = cf470548eb1d0c688f4962a52ee3a218c18b5d4c23df488adcf4f74b9d4d5f17
+SHA512 (dbus-1.14.4.tar.xz) = 7c8ce95b8a4c63cf51cc9f10bebbc19e66d6a96c4806befad48c3fe73b4468bb2b50f9570b73fe05ff12223e5e6815032139d316995eb670c28b23c028f293d6
+Size (dbus-1.14.4.tar.xz) = 1368196 bytes
 SHA1 (patch-configure) = 9dee6306aa07b60449a0f9f0f1ea3dccbc70dcb4
 SHA1 (patch-dbus_dbus-sysdeps-unix.c) = 3dfc60eba7ab9d5a29d2a842ce0baa1b109df716
 SHA1 (patch-dbus_dbus-sysdeps-util-unix.c) = 537bb8a30bd0bde8ac208a7ce9a4e1903246b443

Prev by Date: CVS commit: pkgsrc/finance/bitcoin
Next by Date: CVS commit: pkgsrc/doc
Previous by Thread: CVS commit: pkgsrc/finance/bitcoin
Next by Thread: CVS commit: pkgsrc/doc
Indexes:

Home | Main Index | Thread Index | Old Index