Hello community,
here is the log from the commit of package dbus-1 for openSUSE:Factory checked in at 2015-01-07 09:38:12
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/dbus-1 (Old)
and /work/SRC/openSUSE:Factory/.dbus-1.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "dbus-1"
Changes:
--------
--- /work/SRC/openSUSE:Factory/dbus-1/dbus-1-x11.changes 2014-11-26 10:35:34.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.dbus-1.new/dbus-1-x11.changes 2015-01-07 09:38:16.000000000 +0100
@@ -1,0 +2,27 @@
+Tue Jan 6 07:57:14 UTC 2015 - fstrba@suse.com
+
+- Update to 1.8.14
+ * Security hardening:
+ - Do not allow calls to UpdateActivationEnvironment from uids
+ other than the uid of the dbus-daemon. If a system service
+ installs unsafe security policy rules that allow arbitrary
+ method calls (such as CVE-2014-8148) then this prevents
+ memory consumption and possible privilege escalation via
+ UpdateActivationEnvironment.
+ We believe that in practice, privilege escalation here is
+ avoided by dbus-daemon-launch-helper sanitizing its
+ environment; but it seems better to be safe.
+ - Do not allow calls to UpdateActivationEnvironment or the
+ Stats interface on object paths other than
+ /org/freedesktop/DBus. Some system services install unsafe
+ security policy rules that allow arbitrary method calls to
+ any destination, method and interface with a specified object
+ path; while less bad than allowing arbitrary method calls,
+ these security policies are still harmful, since dbus-daemon
+ normally offers the same API on all object paths and other
+ system services might behave similarly.
+ * Other fixes:
+ - Add missing initialization so GetExtendedTcpTable doesn't
+ crash on Windows Vista SP0 (fdo#77008, Ilya A. Tkachenko)
+
+-------------------------------------------------------------------
@@ -527,4 +554 @@
-- remove patch dbus-cve-2012-3524.patch as incorporated upstream
-
-Changes since 1.5.12
-• Follow up to CVE-2012-3524: The additional hardening
+ * Follow up to CVE-2012-3524: The additional hardening
@@ -536,2 +560 @@
-
-• CVE-2012-3524: Don't access environment variables (fdo#52202)
+ * CVE-2012-3524: Don't access environment variables (fdo#52202)
@@ -540,2 +563 @@
-
-• Detect that users are "at the console" correctly when configured with
+ * Detect that users are "at the console" correctly when configured with
@@ -544,2 +566 @@
-
-• Remove an incorrect assertion from DBusTransport (fdo#51657,
+ * Remove an incorrect assertion from DBusTransport (fdo#51657,
@@ -547,2 +568 @@
-
-• Change how we create /var/lib/dbus so it works under Automake >= 1.11.4
+ * Change how we create /var/lib/dbus so it works under Automake >= 1.11.4
@@ -550,2 +570 @@
-
-• Don't return from dbus_pending_call_set_notify with a lock held on OOM
+ * Don't return from dbus_pending_call_set_notify with a lock held on OOM
@@ -553,2 +572 @@
-
-• Disconnect "developer mode" (assertions, verbose mode etc.) from
+ * Disconnect "developer mode" (assertions, verbose mode etc.) from
@@ -559,12 +577,8 @@
-
-• Unix-specific:
- · Check for libpthread under CMake on Unix (fdo#47237, Simon McVittie)
-
-• New requirements
- · PTHREAD_MUTEX_RECURSIVE on Unix
- · compiler support for 64-bit integers (int64_t or equivalent)
-
-• D-Bus Specification v0.19
-
-• New dbus-daemon features
- · <allow own_prefix="com.example.Service"/> rules allow the service to
+ * Unix-specific:
+ - Check for libpthread under CMake on Unix (fdo#47237, Simon McVittie)
+ * New requirements
+ - PTHREAD_MUTEX_RECURSIVE on Unix
+ - compiler support for 64-bit integers (int64_t or equivalent)
+ * D-Bus Specification v0.19
+ * New dbus-daemon features
+ - <allow own_prefix="com.example.Service"/> rules allow the service to
@@ -572,19 +586,16 @@
- · optional systemd integration when checking at_console policies
- · --nopidfile option, mainly for use by systemd
- · path_namespace and arg0namespace may appear in match rules
- · eavesdropping is disabled unless the match rule contains eavesdrop=true
-
-• New public API
- · functions to validate various string types (dbus_validate_path() etc.)
- · dbus_type_is_valid()
- · DBusBasicValue, a union of every basic type
-
-• Bug fixes
- · removed an unsafe reimplementation of recursive mutexes
- · dbus-daemon no longer busy-loops if it has far too many file descriptors
- · dbus-daemon.exe --print-address works on Windows
- · all the other bug fixes from 1.4.20
-
-• Other major implementation changes
- · on Linux, dbus-daemon uses epoll if supported, for better scalability
- · dbus_threads_init() ignores its argument and behaves like
+ - optional systemd integration when checking at_console policies
+ - --nopidfile option, mainly for use by systemd
+ - path_namespace and arg0namespace may appear in match rules
+ - eavesdropping is disabled unless the match rule contains eavesdrop=true
+ * New public API
+ - functions to validate various string types (dbus_validate_path() etc.)
+ - dbus_type_is_valid()
+ - DBusBasicValue, a union of every basic type
+ * Bug fixes
+ - removed an unsafe reimplementation of recursive mutexes
+ - dbus-daemon no longer busy-loops if it has far too many file descriptors
+ - dbus-daemon.exe --print-address works on Windows
+ - all the other bug fixes from 1.4.20
+ * Other major implementation changes
+ - on Linux, dbus-daemon uses epoll if supported, for better scalability
+ - dbus_threads_init() ignores its argument and behaves like
@@ -592,6 +603,5 @@
- · removed the per-connection link cache, improving dbus-daemon performance
-
-• Developer features
- · optional Valgrind instrumentation (--with-valgrind)
- · optional Stats interface on the dbus-daemon (--enable-stats)
- · optionally abort whenever malloc() fails (--enable-embedded-tests
+ - removed the per-connection link cache, improving dbus-daemon performance
+ * Developer features
+ - optional Valgrind instrumentation (--with-valgrind)
+ - optional Stats interface on the dbus-daemon (--enable-stats)
+ - optionally abort whenever malloc() fails (--enable-embedded-tests
@@ -599,2 +609 @@
-
-• Be more careful about monotonic time vs. real time, fixing DBUS_COOKIE_SHA1
+ * Be more careful about monotonic time vs. real time, fixing DBUS_COOKIE_SHA1
@@ -602,2 +611 @@
-
-• Don't use install(1) within the source/build trees, fixing the build as
+ * Don't use install(1) within the source/build trees, fixing the build as
@@ -605,2 +613 @@
-
-• Add missing commas in some tcp and nonce-tcp addresses, and remove
+ * Add missing commas in some tcp and nonce-tcp addresses, and remove
@@ -608,0 +616 @@
+- remove patch dbus-cve-2012-3524.patch as incorporated upstream
@@ -793 +801 @@
- - Don't touch ~/.dbus and ~/.dbus-keyrings when running 'make
+ - Don't touch ~/.dbus and ~/.dbus-keyrings when running 'make
@@ -1000,2 +1008,2 @@
- • D-Bus Specification v0.16
- · Add support for path_namespace and arg0namespace in match rules
+ * D-Bus Specification v0.16
+ - Add support for path_namespace and arg0namespace in match rules
@@ -1003 +1011 @@
- · Make argNpath support object paths, not just object-path-like strings,
+ - Make argNpath support object paths, not just object-path-like strings,
@@ -1005 +1013 @@
- • Let the bus daemon implement more than one interface (fdo#33757,
+ * Let the bus daemon implement more than one interface (fdo#33757,
@@ -1007 +1015 @@
- • Optimize _dbus_string_replace_len to reduce waste (fdo#21261,
+ * Optimize _dbus_string_replace_len to reduce waste (fdo#21261,
@@ -1009 +1017 @@
- • Require user intervention to compile with missing 64-bit support
+ * Require user intervention to compile with missing 64-bit support
@@ -1011,2 +1019,2 @@
- • Add dbus_type_is_valid as public API (fdo#20496, Simon McVittie)
- • Raise UnknownObject instead of UnknownMethod for calls to methods on
+ * Add dbus_type_is_valid as public API (fdo#20496, Simon McVittie)
+ * Raise UnknownObject instead of UnknownMethod for calls to methods on
@@ -1020 +1028 @@
- • Rename configure.in to configure.ac, and update it to modern conventions
+ * Rename configure.in to configure.ac, and update it to modern conventions
@@ -1022 +1030 @@
- • Correctly give XDG_DATA_HOME priority over XDG_DATA_DIRS (fdo#34496,
+ * Correctly give XDG_DATA_HOME priority over XDG_DATA_DIRS (fdo#34496,
@@ -1024 +1032 @@
- • Prevent X11 autolaunching if $DISPLAY is unset or empty, and add
+ * Prevent X11 autolaunching if $DISPLAY is unset or empty, and add
@@ -1027 +1035 @@
- • Install the documentation, and an index for Devhelp (fdo#13495,
+ * Install the documentation, and an index for Devhelp (fdo#13495,
@@ -1029 +1037 @@
- • If checks are not disabled, check validity of string-like types and
+ * If checks are not disabled, check validity of string-like types and
@@ -1031 +1039 @@
- • Add UnknownObject, UnknownInterface, UnknownProperty and PropertyReadOnly
+ * Add UnknownObject, UnknownInterface, UnknownProperty and PropertyReadOnly
@@ -1033 +1041 @@
- • Break up a huge conditional in config-parser so gcov can produce coverage
+ * Break up a huge conditional in config-parser so gcov can produce coverage
@@ -1035 +1043 @@
- • List which parts of the Desktop Entry specification are applicable to
+ * List which parts of the Desktop Entry specification are applicable to
@@ -1037 +1045 @@
- • Don't suppress service activation if two services have the same Exec=
+ * Don't suppress service activation if two services have the same Exec=
@@ -1039,2 +1047,2 @@
- • Windows:
- · Avoid the name ELEMENT_TYPE due to namespace-pollution from winioctl.h
+ * Windows:
+ - Avoid the name ELEMENT_TYPE due to namespace-pollution from winioctl.h
++++ 64 more lines (skipped)
++++ between /work/SRC/openSUSE:Factory/dbus-1/dbus-1-x11.changes
++++ and /work/SRC/openSUSE:Factory/.dbus-1.new/dbus-1-x11.changes
dbus-1.changes: same change
Old:
----
dbus-1.8.12.tar.gz
New:
----
dbus-1.8.14.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ dbus-1-x11.spec ++++++
--- /var/tmp/diff_new_pack.f7xccV/_old 2015-01-07 09:38:17.000000000 +0100
+++ /var/tmp/diff_new_pack.f7xccV/_new 2015-01-07 09:38:17.000000000 +0100
@@ -1,7 +1,7 @@
#
# spec file for package dbus-1-x11
#
-# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -27,7 +27,7 @@
%define _unitdir %{_libexecdir}/systemd/system
%endif
Name: dbus-1-x11
-Version: 1.8.12
+Version: 1.8.14
Release: 0
Summary: D-Bus Message Bus System
License: GPL-2.0+ or AFL-2.1
dbus-1.spec: same change
++++++ dbus-1.8.12.tar.gz -> dbus-1.8.14.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dbus-1.8.12/NEWS new/dbus-1.8.14/NEWS
--- old/dbus-1.8.12/NEWS 2014-11-24 14:01:19.000000000 +0100
+++ new/dbus-1.8.14/NEWS 2015-01-02 00:42:32.000000000 +0100
@@ -1,3 +1,34 @@
+D-Bus 1.8.14 (2015-01-05)
+==
+
+The “40lb of roofing nails” release.
+
+Security hardening:
+
+• Do not allow calls to UpdateActivationEnvironment from uids other than
+ the uid of the dbus-daemon. If a system service installs unsafe
+ security policy rules that allow arbitrary method calls
+ (such as CVE-2014-8148) then this prevents memory consumption and
+ possible privilege escalation via UpdateActivationEnvironment.
+
+ We believe that in practice, privilege escalation here is avoided
+ by dbus-daemon-launch-helper sanitizing its environment; but
+ it seems better to be safe.
+
+• Do not allow calls to UpdateActivationEnvironment or the Stats interface
+ on object paths other than /org/freedesktop/DBus. Some system services
+ install unsafe security policy rules that allow arbitrary method calls
+ to any destination, method and interface with a specified object path;
+ while less bad than allowing arbitrary method calls, these security
+ policies are still harmful, since dbus-daemon normally offers the
+ same API on all object paths and other system services might behave
+ similarly.
+
+Other fixes:
+
+• Add missing initialization so GetExtendedTcpTable doesn't crash on
+ Windows Vista SP0 (fd.o #77008, Илья А. Ткаченко)
+
D-Bus 1.8.12 (2014-11-24)
==
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dbus-1.8.12/bus/driver.c new/dbus-1.8.14/bus/driver.c
--- old/dbus-1.8.12/bus/driver.c 2014-11-22 11:49:21.000000000 +0100
+++ new/dbus-1.8.14/bus/driver.c 2015-01-02 00:32:22.000000000 +0100
@@ -878,6 +878,44 @@
_DBUS_ASSERT_ERROR_IS_CLEAR (error);
+ if (!bus_driver_check_message_is_for_us (message, error))
+ return FALSE;
+
+#ifdef DBUS_UNIX
+ {
+ /* UpdateActivationEnvironment is basically a recipe for privilege
+ * escalation so let's be extra-careful: do not allow the sysadmin
+ * to shoot themselves in the foot. */
+ unsigned long uid;
+
+ if (!dbus_connection_get_unix_user (connection, &uid))
+ {
+ bus_context_log (bus_transaction_get_context (transaction),
+ DBUS_SYSTEM_LOG_SECURITY,
+ "rejected attempt to call UpdateActivationEnvironment by "
+ "unknown uid");
+ dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED,
+ "rejected attempt to call UpdateActivationEnvironment by "
+ "unknown uid");
+ return FALSE;
+ }
+
+ /* On the system bus, we could in principle allow uid 0 to call
+ * UpdateActivationEnvironment; but they should know better anyway,
+ * and our default system.conf has always forbidden it */
+ if (!_dbus_unix_user_is_process_owner (uid))
+ {
+ bus_context_log (bus_transaction_get_context (transaction),
+ DBUS_SYSTEM_LOG_SECURITY,
+ "rejected attempt to call UpdateActivationEnvironment by uid %lu",
+ uid);
+ dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED,
+ "rejected attempt to call UpdateActivationEnvironment");
+ return FALSE;
+ }
+ }
+#endif
+
activation = bus_connection_get_activation (connection);
dbus_message_iter_init (message, &iter);
@@ -1965,6 +2003,38 @@
return FALSE;
}
+/*
+ * Set @error and return FALSE if the message is not directed to the
+ * dbus-daemon by its canonical object path. This is hardening against
+ * system services with poorly-written security policy files, which
+ * might allow sending dangerously broad equivalence classes of messages
+ * such as "anything with this assumed-to-be-safe object path".
+ *
+ * dbus-daemon is unusual in that it normally ignores the object path
+ * of incoming messages; we need to keep that behaviour for the "read"
+ * read-only method calls like GetConnectionUnixUser for backwards
+ * compatibility, but it seems safer to be more restrictive for things
+ * intended to be root-only or privileged-developers-only.
+ *
+ * It is possible that there are other system services with the same
+ * quirk as dbus-daemon.
+ */
+dbus_bool_t
+bus_driver_check_message_is_for_us (DBusMessage *message,
+ DBusError *error)
+{
+ if (!dbus_message_has_path (message, DBUS_PATH_DBUS))
+ {
+ dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED,
+ "Method '%s' is only available at the canonical object path '%s'",
+ dbus_message_get_member (message), DBUS_PATH_DBUS);
+
+ return FALSE;
+ }
+
+ return TRUE;
+}
+
dbus_bool_t
bus_driver_handle_message (DBusConnection *connection,
BusTransaction *transaction,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dbus-1.8.12/bus/driver.h new/dbus-1.8.14/bus/driver.h
--- old/dbus-1.8.12/bus/driver.h 2014-11-04 15:51:05.000000000 +0100
+++ new/dbus-1.8.14/bus/driver.h 2015-01-02 00:32:16.000000000 +0100
@@ -46,7 +46,7 @@
BusTransaction *transaction,
DBusError *error);
dbus_bool_t bus_driver_generate_introspect_string (DBusString *xml);
-
-
+dbus_bool_t bus_driver_check_message_is_for_us (DBusMessage *message,
+ DBusError *error);
#endif /* BUS_DRIVER_H */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dbus-1.8.12/bus/stats.c new/dbus-1.8.14/bus/stats.c
--- old/dbus-1.8.12/bus/stats.c 2014-11-04 15:51:05.000000000 +0100
+++ new/dbus-1.8.14/bus/stats.c 2015-01-02 00:33:10.000000000 +0100
@@ -29,6 +29,7 @@
#include