Revisions of dbus-1
Dominique Leuenberger (dimstar_suse)
committed
(revision 180)
Expedited checkin of diffutils -> cmp migration
Ana Guerrero (anag+factory)
accepted
request 1112496
from
Factory Maintainer (factory-maintainer)
(revision 179)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse)
accepted
request 1092691
from
Dirk Mueller (dirkmueller)
(revision 178)
- update to 1.14.8 (bsc#1212126, CVE-2023-34969):
  * Denial-of-service fixes:
    * Fix an assertion failure in dbus-daemon when a privileged Monitoring connection (dbus-monitor, busctl monitor, gdbus monitor or similar) is active, and a message from the bus driver cannot be delivered to a client connection due to <deny> rules or outgoing message quota. This is a denial of service if triggered maliciously by a local attacker.
  * Fix compilation on compilers not supporting __FUNCTION__
  * Fix some memory leaks on out-of-memory conditions
  * Fix syntax of a code sample in dbus-api-design
Dominique Leuenberger (dimstar_suse)
accepted
request 1067484
from
Simon Lees (simotek)
(revision 177)
Dominique Leuenberger (dimstar_suse)
accepted
request 1064302
from
Fridrich Strba (fstrba)
(revision 176)
fix multibuild
Dominique Leuenberger (dimstar_suse)
accepted
request 1031295
from
Dirk Mueller (dirkmueller)
(revision 175)
- update to 1.14.4 (bsc#1204111, CVE-2022-42010, bsc#1204112, CVE-2022-42011, bsc#1204113, CVE-2022-42012):
  This is a security update for the dbus 1.14.x stable branch, fixing denial-of-service issues (CVE-2022-42010, -42011, -42012) and applying security hardening (dbus#416).
  Behaviour changes:
  * On Linux, dbus-daemon and other uses of DBusServer now create a path-based Unix socket, unix:path=..., when asked to listen on a unix:tmpdir=... address. This makes unix:tmpdir=... equivalent to unix:dir=... on all platforms. Previous versions would have created an abstract socket, unix:abstract=..., in this situation.
    This change primarily affects the well-known session bus when run via dbus-launch(1) or dbus-run-session(1). The user bus, enabled by configuring dbus with --enable-user-session and running it on a systemd system, already used path-based Unix sockets and is unaffected by this change.
    This behaviour change prevents a sandbox escape via the session bus socket in sandboxing frameworks that can share the network namespace with the host system, such as Flatpak.
    This change might cause a regression in situations where the abstract socket is intentionally shared between the host system and a chroot or container, such as some use-cases of schroot(1). That regression can be resolved by using a bind-mount to share either the D-Bus socket, or the whole /tmp directory, with the chroot or container. (dbus#416, Simon McVittie)
  * Denial of service fixes:
    - Evgeny Vereshchagin discovered several ways in which an authenticated local attacker could cause a crash (denial of service) in dbus-daemon --system or a custom DBusServer. In uncommon configurations
Dominique Leuenberger (dimstar_suse)
accepted
request 1011186
from
Simon Lees (simotek)
(revision 174)
Dominique Leuenberger (dimstar_suse)
accepted
request 1010413
from
Dirk Mueller (dirkmueller)
(revision 173)
- Disable asserts (bsc#1087072)
Dominique Leuenberger (dimstar_suse)
accepted
request 981473
from
Dirk Mueller (dirkmueller)
(revision 172)
- version provides
- add split provides
- remove unused/obsolete pre_checkin.sh
- The great dbus package split of 22, in preparation for replacing dbus-daemon with dbus-broker. Currently there is no functional difference; that will change later. This follows a similar setup to Red Hat and Debian.
  * dbus-daemon is now in its own separate package
  * Create a dbus-1-common package with all the files and config that are shared between the dbus-daemon and dbus-broker implementations.
  * Create a dbus-1-tools package with the tools; eventually we will likely want to move to only recommending this package. Red Hat and Debian have both already gone down this path.
Dominique Leuenberger (dimstar_suse)
accepted
request 962877
from
Dirk Mueller (dirkmueller)
(revision 171)
Dominique Leuenberger (dimstar_suse)
accepted
request 961966
from
Dirk Mueller (dirkmueller)
(revision 170)
- set runstatedir correctly
Dominique Leuenberger (dimstar_suse)
accepted
request 960278
from
Dirk Mueller (dirkmueller)
(revision 169)
Dominique Leuenberger (dimstar_suse)
accepted
request 958730
from
Dirk Mueller (dirkmueller)
(revision 168)
Dominique Leuenberger (dimstar_suse)
accepted
request 933402
from
Dirk Mueller (dirkmueller)
(revision 167)
Dominique Leuenberger (dimstar_suse)
accepted
request 883704
from
Dirk Mueller (dirkmueller)
(revision 166)
- avoid listing cmake directory - owned by cmake package
Dominique Leuenberger (dimstar_suse)
accepted
request 876715
from
Simon Lees (simotek)
(revision 165)
Dominique Leuenberger (dimstar_suse)
accepted
request 850346
from
Simon Lees (simotek)
(revision 164)
Dominique Leuenberger (dimstar_suse)
accepted
request 828602
from
Simon Lees (simotek)
(revision 163)
Dominique Leuenberger (dimstar_suse)
accepted
request 826904
from
Dirk Mueller (dirkmueller)
(revision 162)
- Update to 1.12.20
  * On Unix, avoid a use-after-free if two usernames have the same numeric uid. In older versions this could lead to a crash (denial of service) or other undefined behaviour, possibly including incorrect authorization decisions if <policy group=...> is used. Like Unix filesystems, D-Bus' model of identity cannot distinguish between users of different names with the same numeric uid, so this configuration is not advisable on systems where D-Bus will be used. Thanks to Daniel Onaca. (dbus#305, dbus!166; Simon McVittie)
- From 1.12.18
  * CVE-2020-12049: If a message contains more file descriptors than can be sent, close those that did get through before reporting error. Previously, a local attacker could cause the system dbus-daemon (or another system service with its own DBusServer) to run out of file descriptors, by repeatedly connecting to the server and sending fds that would get leaked. Thanks to Kevin Backhouse of GitHub Security Lab. (dbus#294, GHSL-2020-057; Simon McVittie)
  * Fix a crash when the dbus-daemon is terminated while one or more monitors are active (dbus#291, dbus!140; Simon McVittie)
  * The dbus-send(1) man page now documents --bus and --peer instead of the old --address synonym for --peer, which has been deprecated since the introduction of --bus and --peer in 1.7.6 (fd.o #48816, dbus!115; Chris Morin)
  * Fix a wrong environment variable name in dbus-daemon(1) (dbus#275, dbus!122; Mubin, Philip Withnall)
  * Fix formatting of dbus_message_append_args example (dbus!126, Felipe Franciosi)
  * Avoid a test failure on Linux when built in a container as uid 0, but
Dominique Leuenberger (dimstar_suse)
accepted
request 765871
from
Dirk Mueller (dirkmueller)
(revision 161)
Displaying revisions 1 - 20 of 180