[Bug 1157462] New: libdbus-1 uses abort() which is an absolute nogo for a system library
http://bugzilla.opensuse.org/show_bug.cgi?id=1157462

            Bug ID: 1157462
           Summary: libdbus-1 uses abort() which is an absolute nogo for a system library
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: All
                OS: openSUSE Factory
            Status: NEW
          Severity: Critical
          Priority: P5 - None
         Component: Basesystem
          Assignee: bnc-team-screening@forge.provo.novell.com
          Reporter: werner@suse.com
        QA Contact: qa-bugs@suse.de
                CC: simonf.lees@suse.com
        Depends on: 1157431
          Found By: ---
           Blocker: ---

Indeed:

/local/werner> nm -D /usr/lib/libdbus-1.so.3.19.4 | grep abort
0003a4d0 T _dbus_abort
         U abort

-- 
You are receiving this mail because:
You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1157462
http://bugzilla.opensuse.org/show_bug.cgi?id=1157462#c1

Dr. Werner Fink <werner@suse.com> changed:

           What    |Removed                                   |Added
----------------------------------------------------------------------------
          Assignee|bnc-team-screening@forge.provo.novell.com |simonf.lees@suse.com
             Flags|                                          |needinfo?(simonf.lees@suse.com)

--- Comment #1 from Dr. Werner Fink <werner@suse.com> ---
Could one please explain why libdbus-1 is configured with the default --enable-embedded-tests --enable-asserts instead of using --disable-embedded-tests --disable-asserts? Why are we using users' systems as debugging systems? Any system library should use neither abort() nor exit() for debugging.
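A way to turn the `nm -D | grep abort` check from the report and the abort()/exit() concern of comment #1 into a repeatable packaging test, added here as an example that is not part of the bug thread or of the dbus project: a POSIX shell script that reads `nm -D` output and reports undefined references to the libc functions that terminate the calling process, plus any defined text symbol whose name contains "abort" (which usually marks an in-library wrapper such as the _dbus_abort seen in the report). The function names, the terminator list and the embedded sample are this example's own assumptions; the sample is constructed from the two nm lines quoted in the report with three extra symbols added to show what is and is not flagged.

```shell
#!/bin/sh
# Added example, not code from the bug report or the dbus project.
# Scans `nm -D` output for references to libc functions that terminate the
# calling process. A shared library that references these can take down
# whichever process loaded it when one of its internal assertions fails.

# libc entry points that end the process (this list is the example's assumption)
TERMINATORS='abort exit _exit _Exit quick_exit'

# Reads nm output on stdin; prints "<symbol> undefined" for each undefined
# reference to a terminator and "<symbol> wrapper" for each defined text
# symbol whose name contains "abort" (e.g. _dbus_abort in the report).
find_terminator_refs() {
    awk -v list="$TERMINATORS" '
        BEGIN { n = split(list, t, " "); for (i = 1; i <= n; i++) want[t[i]] = 1 }
        NF >= 2 {
            type = $(NF - 1); name = $NF
            sub(/@.*/, "", name)          # drop a symbol version such as abort@GLIBC_2.2.5
            if (type == "U" && (name in want)) print name " undefined"
            else if (type == "T" && index(name, "abort") > 0) print name " wrapper"
        }'
}

# Runs the scan on a shared object; assumes GNU binutils nm is on PATH.
scan_library() {
    nm -D "$1" | find_terminator_refs
}

# Exit status 0 if the nm output on stdin contains any hit, 1 otherwise,
# so the check can gate a build or packaging test.
has_terminator_refs() {
    [ -n "$(find_terminator_refs)" ]
}

# Constructed sample: the two lines quoted in the report plus a versioned
# exit reference, a normal exported function and strlen.
SAMPLE='0003a4d0 T _dbus_abort
         U abort
         U exit@GLIBC_2.2.5
0001c2e0 T dbus_connection_open
         U strlen'

printf '%s\n' "$SAMPLE" | find_terminator_refs

# Usage on a real library: sh this_script.sh /usr/lib/libdbus-1.so.3
if [ $# -gt 0 ]; then
    scan_library "$1"
fi
```

On the constructed sample the scan prints the _dbus_abort wrapper and the undefined abort and exit references and stays silent on dbus_connection_open and strlen; the same function fed from `nm -D` on a built library is what a package check would run before and after switching the configure flags.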
http://bugzilla.opensuse.org/show_bug.cgi?id=1157462
http://bugzilla.opensuse.org/show_bug.cgi?id=1157462#c2

--- Comment #2 from Dr. Werner Fink <werner@suse.com> ---
@ Simon: I'd like to see an answer on this bug. Do you agree that system libraries should not use the abort() or exit() calls in debugging cases at all? If you do not agree, then you might give some reason here why you think libdbus-1 should do an abort() for nitpicking corner cases.
http://bugzilla.opensuse.org/show_bug.cgi?id=1157462
http://bugzilla.opensuse.org/show_bug.cgi?id=1157462#c3

Dr. Werner Fink <werner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                CC|                            |dimstar@opensuse.org, tchvatal@suse.com

--- Comment #3 from Dr. Werner Fink <werner@suse.com> ---
That is what Debian does:
https://sources.debian.org/patches/dbus/1.10.28-0+deb9u1/debian/Don-t-abort-...

By which rationale do we not do the same?
http://bugzilla.opensuse.org/show_bug.cgi?id=1157462
http://bugzilla.opensuse.org/show_bug.cgi?id=1157462#c4

Dr. Werner Fink <werner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                CC|                            |meissner@suse.com

--- Comment #4 from Dr. Werner Fink <werner@suse.com> ---
Are we affected by CVE-2019-12749?
http://bugzilla.opensuse.org/show_bug.cgi?id=1157462
http://bugzilla.opensuse.org/show_bug.cgi?id=1157462#c5

--- Comment #5 from Dr. Werner Fink <werner@suse.com> ---
I see bug#1137832 ... but is this also fixed in Factory/Tumbleweed with dbus-1.12.12?
http://bugzilla.opensuse.org/show_bug.cgi?id=1157462
http://bugzilla.opensuse.org/show_bug.cgi?id=1157462#c6

--- Comment #6 from Dr. Werner Fink <werner@suse.com> ---
AFAICS from https://dbus.freedesktop.org/releases/dbus/dbus-1.13.12.tar.xz the fix had been added upstream in dbus-1.13.12/dbus/dbus-auth.c, also from the Changelog:

dbus 1.13.12 (2019-06-11)
=========================

The “patio squirrel” release.

Security fixes:

• CVE-2019-12749: Do not attempt to carry out DBUS_COOKIE_SHA1
  authentication for identities that differ from the user running the
  DBusServer. Previously, a local attacker could manipulate symbolic links
  in their own home directory to bypass authentication and connect to a
  DBusServer with elevated privileges. The standard system and session
  dbus-daemons in their default configuration were immune to this attack
  because they did not allow DBUS_COOKIE_SHA1, but third-party users of
  DBusServer such as Upstart could be vulnerable. Thanks to Joe Vennix of
  Apple Information Security. (dbus#269, Simon McVittie)

Enhancements:

• dbus-daemon <allow> and <deny> rules can now specify a
  send_destination_prefix attribute, which is like a combination of
  send_destination and the arg0namespace keyword in match rules: a rule
  with send_destination_prefix="com.example.Foo" matches messages sent to
  any destination that is in the queue to own well-known names like
  com.example.Foo or com.example.Foo.A.B (but not com.example.Foobar).
  (dbus!85, Adrian Szyndela)
http://bugzilla.opensuse.org/show_bug.cgi?id=1157462
http://bugzilla.opensuse.org/show_bug.cgi?id=1157462#c9

Simon Lees <simonf.lees@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Flags|needinfo?(simonf.lees@suse.com), needinfo? |

--- Comment #9 from Simon Lees <simonf.lees@suse.com> ---
(In reply to Dr. Werner Fink from comment #8)
> SR#752324 -- could one have a review? Other than me!

Sorry, due to timezones I was done for Friday when you sent this; doing the update was on my today list if I hadn't heard a good reason to keep --enable-asserts. I think using --disable-asserts would be better than adding another patch; it's also now how Debian handles it.
https://salsa.debian.org/utopia-team/dbus/blob/debian/master/debian/rules
http://bugzilla.opensuse.org/show_bug.cgi?id=1157462

Dr. Werner Fink <werner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
        Depends on|                            |1158543
http://bugzilla.opensuse.org/show_bug.cgi?id=1157462

Bug 1157462 depends on bug 1158543, which changed state.

Bug 1158543 Summary: Broken dbus implementation in sddm as no second greeter is possible over dbus
http://bugzilla.opensuse.org/show_bug.cgi?id=1158543

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Status|NEW                         |RESOLVED
        Resolution|---                         |DUPLICATE
http://bugzilla.opensuse.org/show_bug.cgi?id=1157462

Bug 1157462 depends on bug 1158543, which changed state.

Bug 1158543 Summary: Broken dbus implementation in sddm as no second greeter is possible over dbus
http://bugzilla.opensuse.org/show_bug.cgi?id=1158543

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Status|RESOLVED                    |REOPENED
        Resolution|DUPLICATE                   |---
http://bugzilla.opensuse.org/show_bug.cgi?id=1157462

Bug 1157462 depends on bug 1158543, which changed state.

Bug 1158543 Summary: Broken dbus API aborts sddm if second greeter is not possible over dbus due to X server crash
http://bugzilla.opensuse.org/show_bug.cgi?id=1158543

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Status|REOPENED                    |RESOLVED
        Resolution|---                         |UPSTREAM