Hello community,

here is the log from the commit of package dbus-1.1001 for openSUSE:12.1:Update checked in at 2012-10-31 16:01:02
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.1:Update/dbus-1.1001 (Old)
 and /work/SRC/openSUSE:12.1:Update/.dbus-1.1001.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "dbus-1.1001", Maintainer is ""

Changes:
--------
New Changes file:

--- /dev/null 2012-10-22 00:44:18.403455820 +0200 +++ /work/SRC/openSUSE:12.1:Update/.dbus-1.1001.new/dbus-1-x11.changes 2012-10-31 16:01:04.000000000 +0100 
@@ -0,0 +1,1595 @@ +------------------------------------------------------------------- +Wed Oct 10 13:14:55 CEST 2012 - thoenig@suse.de + +- Replace patches for CVE-2012-3524 with upstream patches + (bnc#697105). + 23fe78ceefb6cefcd58a49c77d1154b68478c8d2 + 4b351918b9f70eaedbdb3ab39208bc1f131efae0 + 57ae3670508bbf4ec57049de47c9cae727a64802 + f68dbdc3e6f895012ce33939fb524accf31bcca5 + +------------------------------------------------------------------- +Wed Oct 10 11:22:06 CEST 2012 - thoenig@suse.de + +- Add patch dbus-cve-2012-3524-fallout-fix.patch to address + fallout caused by CVE-2012-3524 (bnc#783657). Based on upstream + patch f68dbdc3e6f895012ce33939fb524accf31bcca5 . + +------------------------------------------------------------------- +Wed Sep 19 15:46:27 CEST 2012 - thoenig@suse.de + +- Add patch for CVE-2012-3524 to fix getenv() vulnerability in + suids (bnc#697105) + +------------------------------------------------------------------- +Wed Oct 12 09:47:55 UTC 2011 - coolo@suse.com + +- add patch to enable X11 autolaunch even if configure thinks + it can't be done (bnc#707817) + +------------------------------------------------------------------- +Wed Oct 12 00:32:50 CEST 2011 - dmueller@suse.de + +- update to version 1.5.8: + * Clean up dead code, and make more warnings fatal in development builds + (fd.o #39231, fd.o #41012; Simon McVittie) + * Add a regression test for fd.o #38005 (fd.o #39836, Simon McVittie) + * Add _DBUS_STATIC_ASSERT and use it to check invariants + * Fix a small memory leak, and a failure to report errors, when updating + a service file entry for activation (fd.o #39230, Simon McVittie) + * Clean up (non-abstract) Unix sockets on bus daemon exit + * On systems that use libcap-ng but not systemd, drop supplemental groups + when switching to the daemon user (Red Hat #726953, Steve Grubb) + +------------------------------------------------------------------- +Fri Sep 30 20:07:53 UTC 2011 - coolo@suse.com + +- add libtool as 
buildrequire to make the spec file more reliable + +------------------------------------------------------------------- +Sun Sep 18 17:17:12 UTC 2011 - jengelh@medozas.de + +- Remove redundant tags/sections from specfile + (cf. packaging guidelines) + +------------------------------------------------------------------- +Mon Aug 1 14:37:16 CEST 2011 - vuntz@opensuse.org + +- Update to version 1.5.6: + + Potentially incompatible (Bustle and similar debugging tools + will need changes to work as intended): + - Do not allow match rules to "eavesdrop" (receive messages + intended for a different recipient) by mistake: eavesdroppers + must now opt-in to this behaviour by putting + "eavesdrop='true'" in the match rule, which will not have any + practical effect on buses where eavesdropping is not allowed + (fdo#37890) + + Other changes: + - D-Bus Specification version 0.18 (fdo#37890, fdo#39450, + fdo#38252): + . add the "eavesdrop" keyword to match rules + . define eavesdropping, unicast messages and broadcast messages + . stop claiming that match rules are needed to match unicast + messages to you + . 
promote the type system to be a top-level section + - Use DBUS_ERROR_OBJECT_PATH_IN_USE if + dbus_connection_try_register_object_path or + dbus_connection_try_register_fallback fails, not + ...ADDRESS_IN_USE, and simplify object-path registration + (fdo#38874) + - Consistently use atomic operations on everything that is ever + manipulated via atomic ops, as was done for changes to + DBusConnection's refcount in 1.4.12 (fdo#38005) + - Fix a file descriptor leak when connecting to a TCP socket + (fdo#37258) + - Make "make check" in a clean tree work, by not running tests + until test data has been set up (fdo#34405) + - The dbus-daemon no longer busy-loops if it has a very large + number of file descriptors (fdo#23194) + - Refactor message flow through dispatching to avoid locking + violations if the bus daemon's message limit is hit; remove + the per-connection link cache, which was meant to improve + performance, but now reduces it (fdo#34393) + - Some cmake fixes + - Remove dead code, mainly from DBusString (fdo#38570, + fdo#39610) + - Stop storing two extra byte order indicators in each D-Bus + message (fdo#38287) + - Add an optional Stats interface which can be used to get + statistics from a running dbus-daemon if enabled at configure + time with --enable-stats (fdo#34040) + - Fix various typos (fdo#27227, fdo#38284) + - Documentation (fdo#36156): + . let xsltproc be overridden as usual: ./configure + XSLTPROC=myxsltproc + . install more documentation automatically, including + man2html output + . put dbus.devhelp in the right place (it must go in + ${htmldir}) + - Unix-specific: + . look for system services in /lib/dbus-1/system-services in + addition to all the other well-known locations; note that + this should always be /lib, even on platforms where shared + libraries on the root FS would go in /lib64, + /lib/x86_64-linux-gnu or similar (fdo#35229) + . opt-in to fd passing on Solaris (fdo#33465) + - Windows-specific: + . 
fix use of a mutex for autolaunch server detection + . don't crash on malloc failure in + _dbus_printf_string_upper_bound +- Manually create /lib/dbus-1/system-services in %install so that + we can own it. + +------------------------------------------------------------------- +Fri Jul 1 10:07:55 CEST 2011 - vuntz@opensuse.org + +- Update to version 1.5.4: + + Security (local denial of service): + - Byte-swap foreign-endian messages correctly, preventing a + long-standing local DoS if foreign-endian messages are + relayed through the dbus-daemon (fdo#38120, deb#629938, no + CVE number yet) + + New things: + - The constant to use for an infinite timeout now has a name, + DBUS_TIMEOUT_INFINITE. + - If GLib and DBus-GLib are already installed, more tests will be built, + providing better coverage.(fdo#34570) + + Changes: + - Consistently use atomic operations for the DBusConnection's + refcount, fixing potential threading problems (fdo#38005) + - Don't use -Wl,--gc-sections by default: in practice the size + decrease is small (300KiB on x86-64) and it frequently + doesn't work in unusual toolchains. (fdo#33466) + - Use #!/bin/sh for run-with-tmp-session-bus.sh, making it work + on *BSD (fdo#35880) + - Use ln -fs to set up dbus for systemd, which should fix + reinstallation when not using a DESTDIR (fdo#37870) + - Windows-specific changes: + . don't try to build dbus-daemon-launch-helper (fdo#37838) +- Changes from version 1.5.2: + + Notes for distributors: + - This version of D-Bus no longer uses -fPIE by default. + + Changes: + + D-Bus Specification v0.17 + . Reserve the extra characters used in signatures by GVariant + (fdo#34529) + . 
Define the ObjectManager interface (fdo#34869) + + Don't force -fPIE: distributions and libtool know better than + we do whether it's desirable (fdo#16621, fdo#27215) + + Allow --disable-gc-sections, in case your toolchain offers + the -ffunction-sections, -fdata-sections and + -Wl,--gc-sections options but they're broken, as seen on + Solaris (fdo#33466) + + Install dbus-daemon and dbus-daemon-launch-helper in a more + normal way (fdo#14512) + + Ensure that maintainers upload documentation with the right + permissions (fdo#36130) + + Don't force users of libdbus to be linked against + -lpthread, -lrt (fdo#32827) + + Log system-bus activation information to syslog (fdo#35705) + + Log messages dropped due to quotas to syslog (fdo#35358) + + Make the nonce-tcp transport work on Unix (fdo#34569) + + On Unix, if /var/lib/dbus/machine-id cannot be read, try + /etc/machine-id (fdo#35228) + + In the regression tests, don't report fds as "leaked" if they + were open on startup (fdo#35173) + + Make dbus-monitor bail out if asked to monitor more than one + bus, rather than silently using the last one (fdo#26548) + + Clarify documentation (fdo#35182) + + Clean up minor dead code and some incorrect error handling + (fdo#33128, fdo#29881) + + Check that compiler options are supported before using them + (fdo#19681) + + Windows: + . Remove obsolete workaround for winioctl.h (fdo#35083) + +------------------------------------------------------------------- +Tue Jun 28 08:03:00 UTC 2011 - aj@suse.de + +- Fix filelist to own a directory. +- Do not package html files twice. + +------------------------------------------------------------------- +Wed May 18 14:04:24 UTC 2011 - coolo@novell.com + +- buildrequire update-desktop-files for mimetypes.prov + +------------------------------------------------------------------- ++++ 1398 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:12.1:Update/.dbus-1.1001.new/dbus-1-x11.changes New Changes file: 
--- /dev/null 2012-10-22 00:44:18.403455820 +0200 +++ /work/SRC/openSUSE:12.1:Update/.dbus-1.1001.new/dbus-1.changes 2012-10-31 16:01:04.000000000 +0100 
@@ -0,0 +1,1595 @@ +------------------------------------------------------------------- +Wed Oct 10 13:14:55 CEST 2012 - thoenig@suse.de + +- Replace patches for CVE-2012-3524 with upstream patches + (bnc#697105). + 23fe78ceefb6cefcd58a49c77d1154b68478c8d2 + 4b351918b9f70eaedbdb3ab39208bc1f131efae0 + 57ae3670508bbf4ec57049de47c9cae727a64802 + f68dbdc3e6f895012ce33939fb524accf31bcca5 + +------------------------------------------------------------------- +Wed Oct 10 11:22:06 CEST 2012 - thoenig@suse.de + +- Add patch dbus-cve-2012-3524-fallout-fix.patch to address + fallout caused by CVE-2012-3524 (bnc#783657). Based on upstream + patch f68dbdc3e6f895012ce33939fb524accf31bcca5 . + +------------------------------------------------------------------- +Wed Sep 19 15:45:51 CEST 2012 - thoenig@suse.de + +- Add patch for CVE-2012-3524 to fix getenv() vulnerability in + suids (bnc#697105) + +------------------------------------------------------------------- +Wed Oct 12 09:47:55 UTC 2011 - coolo@suse.com + +- add patch to enable X11 autolaunch even if configure thinks + it can't be done (bnc#707817) + +------------------------------------------------------------------- +Wed Oct 12 00:32:50 CEST 2011 - dmueller@suse.de + +- update to version 1.5.8: + * Clean up dead code, and make more warnings fatal in development builds + (fd.o #39231, fd.o #41012; Simon McVittie) + * Add a regression test for fd.o #38005 (fd.o #39836, Simon McVittie) + * Add _DBUS_STATIC_ASSERT and use it to check invariants + * Fix a small memory leak, and a failure to report errors, when updating + a service file entry for activation (fd.o #39230, Simon McVittie) + * Clean up (non-abstract) Unix sockets on bus daemon exit + * On systems that use libcap-ng but not systemd, drop supplemental groups + when switching to the daemon user (Red Hat #726953, Steve Grubb) + +------------------------------------------------------------------- +Fri Sep 30 20:07:53 UTC 2011 - coolo@suse.com + +- add libtool as 
buildrequire to make the spec file more reliable + +------------------------------------------------------------------- +Sun Sep 18 17:17:12 UTC 2011 - jengelh@medozas.de + +- Remove redundant tags/sections from specfile + (cf. packaging guidelines) + +------------------------------------------------------------------- +Mon Aug 1 14:37:16 CEST 2011 - vuntz@opensuse.org + +- Update to version 1.5.6: + + Potentially incompatible (Bustle and similar debugging tools + will need changes to work as intended): + - Do not allow match rules to "eavesdrop" (receive messages + intended for a different recipient) by mistake: eavesdroppers + must now opt-in to this behaviour by putting + "eavesdrop='true'" in the match rule, which will not have any + practical effect on buses where eavesdropping is not allowed + (fdo#37890) + + Other changes: + - D-Bus Specification version 0.18 (fdo#37890, fdo#39450, + fdo#38252): + . add the "eavesdrop" keyword to match rules + . define eavesdropping, unicast messages and broadcast messages + . stop claiming that match rules are needed to match unicast + messages to you + . 
promote the type system to be a top-level section + - Use DBUS_ERROR_OBJECT_PATH_IN_USE if + dbus_connection_try_register_object_path or + dbus_connection_try_register_fallback fails, not + ...ADDRESS_IN_USE, and simplify object-path registration + (fdo#38874) + - Consistently use atomic operations on everything that is ever + manipulated via atomic ops, as was done for changes to + DBusConnection's refcount in 1.4.12 (fdo#38005) + - Fix a file descriptor leak when connecting to a TCP socket + (fdo#37258) + - Make "make check" in a clean tree work, by not running tests + until test data has been set up (fdo#34405) + - The dbus-daemon no longer busy-loops if it has a very large + number of file descriptors (fdo#23194) + - Refactor message flow through dispatching to avoid locking + violations if the bus daemon's message limit is hit; remove + the per-connection link cache, which was meant to improve + performance, but now reduces it (fdo#34393) + - Some cmake fixes + - Remove dead code, mainly from DBusString (fdo#38570, + fdo#39610) + - Stop storing two extra byte order indicators in each D-Bus + message (fdo#38287) + - Add an optional Stats interface which can be used to get + statistics from a running dbus-daemon if enabled at configure + time with --enable-stats (fdo#34040) + - Fix various typos (fdo#27227, fdo#38284) + - Documentation (fdo#36156): + . let xsltproc be overridden as usual: ./configure + XSLTPROC=myxsltproc + . install more documentation automatically, including + man2html output + . put dbus.devhelp in the right place (it must go in + ${htmldir}) + - Unix-specific: + . look for system services in /lib/dbus-1/system-services in + addition to all the other well-known locations; note that + this should always be /lib, even on platforms where shared + libraries on the root FS would go in /lib64, + /lib/x86_64-linux-gnu or similar (fdo#35229) + . opt-in to fd passing on Solaris (fdo#33465) + - Windows-specific: + . 
fix use of a mutex for autolaunch server detection + . don't crash on malloc failure in + _dbus_printf_string_upper_bound +- Manually create /lib/dbus-1/system-services in %install so that + we can own it. + +------------------------------------------------------------------- +Fri Jul 1 10:07:55 CEST 2011 - vuntz@opensuse.org + +- Update to version 1.5.4: + + Security (local denial of service): + - Byte-swap foreign-endian messages correctly, preventing a + long-standing local DoS if foreign-endian messages are + relayed through the dbus-daemon (fdo#38120, deb#629938, no + CVE number yet) + + New things: + - The constant to use for an infinite timeout now has a name, + DBUS_TIMEOUT_INFINITE. + - If GLib and DBus-GLib are already installed, more tests will be built, + providing better coverage.(fdo#34570) + + Changes: + - Consistently use atomic operations for the DBusConnection's + refcount, fixing potential threading problems (fdo#38005) + - Don't use -Wl,--gc-sections by default: in practice the size + decrease is small (300KiB on x86-64) and it frequently + doesn't work in unusual toolchains. (fdo#33466) + - Use #!/bin/sh for run-with-tmp-session-bus.sh, making it work + on *BSD (fdo#35880) + - Use ln -fs to set up dbus for systemd, which should fix + reinstallation when not using a DESTDIR (fdo#37870) + - Windows-specific changes: + . don't try to build dbus-daemon-launch-helper (fdo#37838) +- Changes from version 1.5.2: + + Notes for distributors: + - This version of D-Bus no longer uses -fPIE by default. + + Changes: + + D-Bus Specification v0.17 + . Reserve the extra characters used in signatures by GVariant + (fdo#34529) + . 
Define the ObjectManager interface (fdo#34869) + + Don't force -fPIE: distributions and libtool know better than + we do whether it's desirable (fdo#16621, fdo#27215) + + Allow --disable-gc-sections, in case your toolchain offers + the -ffunction-sections, -fdata-sections and + -Wl,--gc-sections options but they're broken, as seen on + Solaris (fdo#33466) + + Install dbus-daemon and dbus-daemon-launch-helper in a more + normal way (fdo#14512) + + Ensure that maintainers upload documentation with the right + permissions (fdo#36130) + + Don't force users of libdbus to be linked against + -lpthread, -lrt (fdo#32827) + + Log system-bus activation information to syslog (fdo#35705) + + Log messages dropped due to quotas to syslog (fdo#35358) + + Make the nonce-tcp transport work on Unix (fdo#34569) + + On Unix, if /var/lib/dbus/machine-id cannot be read, try + /etc/machine-id (fdo#35228) + + In the regression tests, don't report fds as "leaked" if they + were open on startup (fdo#35173) + + Make dbus-monitor bail out if asked to monitor more than one + bus, rather than silently using the last one (fdo#26548) + + Clarify documentation (fdo#35182) + + Clean up minor dead code and some incorrect error handling + (fdo#33128, fdo#29881) + + Check that compiler options are supported before using them + (fdo#19681) + + Windows: + . Remove obsolete workaround for winioctl.h (fdo#35083) + +------------------------------------------------------------------- +Tue Jun 28 08:03:00 UTC 2011 - aj@suse.de + +- Fix filelist to own a directory. +- Do not package html files twice. 
+ +------------------------------------------------------------------- +Wed May 18 14:04:24 UTC 2011 - coolo@novell.com + +- buildrequire update-desktop-files for mimetypes.prov + +------------------------------------------------------------------- ++++ 1398 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:12.1:Update/.dbus-1.1001.new/dbus-1.changes New: ---- baselibs.conf dbus-1-x11.changes dbus-1-x11.spec dbus-1-x11.spec.in dbus-1.5.8.tar.gz dbus-1.changes dbus-1.desktop dbus-1.spec dbus-cve-2012-3524-1.patch dbus-cve-2012-3524-2.patch dbus-cve-2012-3524-3.patch dbus-cve-2012-3524-4.patch dbus-do-autolaunch.patch dbus-log-deny.patch dbus_at_console.ck pre_checkin.sh rc.boot.dbus ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ dbus-1-x11.spec ++++++ # # spec file for package dbus-1-x11 # # Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. 
# Please submit bugfixes or comments via http://bugs.opensuse.org/ # Name: dbus-1-x11 %define _name dbus BuildRequires: xorg-x11-devel Url: http://dbus.freedesktop.org/ Summary: D-Bus Message Bus System License: GPL-2.0+ or AFL-2.1 Group: System/Daemons # COMMON1-BEGIN # COMMON1-BEGIN BuildRequires: audit-devel BuildRequires: doxygen BuildRequires: libexpat-devel BuildRequires: libtool BuildRequires: libzio BuildRequires: pkg-config BuildRequires: update-desktop-files Version: 1.5.8 Release: 0 # bug437293 %ifarch ppc64 Obsoletes: dbus-1-64bit %endif # Source0: http://dbus.freedesktop.org/releases/dbus/%{_name}-%{version}.tar.gz Source1: rc.boot.dbus Source2: dbus-1.desktop Source3: dbus_at_console.ck Source4: baselibs.conf Patch0: dbus-log-deny.patch # PATCH-FIX-OPENSUSE coolo@suse.de -- force a feature configure won't accept without x11 in buildrequires Patch1: dbus-do-autolaunch.patch Patch2: dbus-cve-2012-3524-1.patch Patch3: dbus-cve-2012-3524-2.patch Patch4: dbus-cve-2012-3524-3.patch Patch5: dbus-cve-2012-3524-4.patch %if 0%{?suse_version} > 1100 %bcond_without selinux %else %bcond_with selinux %endif %if %{with selinux} BuildRequires: libselinux-devel %endif BuildRequires: libcap-ng-devel BuildRoot: %{_tmppath}/%{name}-%{version}-build # COMMON1-END # COMMON1-END %description D-Bus contains some tools that require Xlib to be installed, those are in this separate package so server systems need not install X. 
%prep # COMMON2-BEGIN # COMMON2-BEGIN %setup -n %{_name}-%{version} -q %patch0 -p1 %patch1 -p1 %patch2 -p1 %patch3 -p1 %patch4 -p1 %patch5 -p1 %build autoreconf -fi export CFLAGS="${RPM_OPT_FLAGS} -fno-strict-aliasing -fPIC" export CXXFLAGS="${RPM_OPT_FLAGS} -fno-strict-aliasing" %if 0%{?suse_version} > 1000 export CFLAGS="$CFLAGS -fstack-protector" export CXXFLAGS="$CXXFLAGS -fstack-protector" export V=1 %endif %configure \ --disable-static \ --with-pic \ --bindir=/bin \ --libexecdir=/lib/%{name} \ --libdir=/%{_lib} \ --with-init-scripts=suse \ --enable-inotify \ --enable-doxygen-docs \ %if %{with selinux} --enable-selinux \ %endif --enable-libaudit \ --with-console-auth-dir=/var/run/dbus/at_console/ \ --with-systemdsystemunitdir=/lib/systemd/system make %{?_smp_mflags} doxygen -u && doxygen ./cleanup-man-pages.sh %install # COMMON2-END # COMMON2-END tdir=$(mktemp -d) make DESTDIR=$tdir install mkdir -p %{buildroot}/%{_bindir} mkdir -p %{buildroot}/%{_mandir}/man1 mv $tdir/bin/dbus-launch %{buildroot}/%{_bindir} mv $tdir/%{_mandir}/man1/dbus-launch.1* %{buildroot}/%{_mandir}/man1 rm -rf $tdir %clean %{__rm} -rf %{buildroot} %files %defattr(-,root,root) %{_bindir}/dbus-launch %{_mandir}/man1/dbus-launch.1* %changelog ++++++ dbus-1.spec ++++++ # # spec file for package dbus-1 # # Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. 
# Please submit bugfixes or comments via http://bugs.opensuse.org/ # Name: dbus-1 %define _name dbus Url: http://dbus.freedesktop.org/ Summary: D-Bus Message Bus System License: GPL-2.0+ or AFL-2.1 Group: System/Daemons # COMMON1-BEGIN BuildRequires: audit-devel BuildRequires: doxygen BuildRequires: libexpat-devel BuildRequires: libtool BuildRequires: libzio BuildRequires: pkg-config BuildRequires: update-desktop-files Version: 1.5.8 Release: 0 # bug437293 %ifarch ppc64 Obsoletes: dbus-1-64bit %endif # Source0: http://dbus.freedesktop.org/releases/dbus/%{_name}-%{version}.tar.gz Source1: rc.boot.dbus Source2: dbus-1.desktop Source3: dbus_at_console.ck Source4: baselibs.conf Patch0: dbus-log-deny.patch # PATCH-FIX-OPENSUSE coolo@suse.de -- force a feature configure won't accept without x11 in buildrequires Patch1: dbus-do-autolaunch.patch Patch2: dbus-cve-2012-3524-1.patch Patch3: dbus-cve-2012-3524-2.patch Patch4: dbus-cve-2012-3524-3.patch Patch5: dbus-cve-2012-3524-4.patch %if 0%{?suse_version} > 1100 %bcond_without selinux %else %bcond_with selinux %endif %if %{with selinux} BuildRequires: libselinux-devel %endif BuildRequires: libcap-ng-devel BuildRoot: %{_tmppath}/%{name}-%{version}-build # COMMON1-END PreReq: permissions /usr/sbin/groupadd /usr/sbin/useradd /sbin/insserv /etc/init.d/boot.localfs %package -n dbus-1-devel Summary: Developer package for D-Bus Group: Development/Libraries/Other Requires: %{name} = %{version} Requires: glibc-devel %package -n dbus-1-devel-doc Summary: Developer documentation package for D-Bus Group: Development/Libraries/Other Requires: %{name} = %{version} %if 0%{?suse_version} >= 1120 BuildArch: noarch %endif %description D-Bus is a message bus system, a simple way for applications to talk to one another. D-Bus supplies both a system daemon and a per-user-login-session daemon. 
Also, the message bus is built on top of a general one-to-one message passing framework, which can be used by any two apps to communicate directly (without going through the message bus daemon). %description -n dbus-1-devel D-Bus is a message bus system, a simple way for applications to talk to one another. D-Bus supplies both a system daemon and a per-user-login-session daemon. Also, the message bus is built on top of a general one-to-one message passing framework, which can be used by any two apps to communicate directly (without going through the message bus daemon). %description -n dbus-1-devel-doc D-Bus is a message bus system, a simple way for applications to talk to one another. D-BUS supplies both a system daemon and a per-user-login-session daemon. Also, the message bus is built on top of a general one-to-one message passing framework, which can be used by any two apps to communicate directly (without going through the message bus daemon). %prep # COMMON2-BEGIN %setup -n %{_name}-%{version} -q %patch0 -p1 %patch1 -p1 %patch2 -p1 %patch3 -p1 %patch4 -p1 %patch5 -p1 %build autoreconf -fi export CFLAGS="${RPM_OPT_FLAGS} -fno-strict-aliasing -fPIC" export CXXFLAGS="${RPM_OPT_FLAGS} -fno-strict-aliasing" %if 0%{?suse_version} > 1000 export CFLAGS="$CFLAGS -fstack-protector" export CXXFLAGS="$CXXFLAGS -fstack-protector" export V=1 %endif %configure \ --disable-static \ --with-pic \ --bindir=/bin \ --libexecdir=/lib/%{name} \ --libdir=/%{_lib} \ --with-init-scripts=suse \ --enable-inotify \ --enable-doxygen-docs \ %if %{with selinux} --enable-selinux \ %endif --enable-libaudit \ --with-console-auth-dir=/var/run/dbus/at_console/ \ --with-systemdsystemunitdir=/lib/systemd/system make %{?_smp_mflags} doxygen -u && doxygen ./cleanup-man-pages.sh %install # COMMON2-END make DESTDIR=%{buildroot} install mkdir -p %{buildroot}/etc/init.d mkdir -p %{buildroot}/usr/sbin install -m 755 %{SOURCE1} %{buildroot}/%{_sysconfdir}/init.d/dbus ln -sf %{_sysconfdir}/init.d/dbus 
%{buildroot}/%{_sbindir}/rcdbus install -d %{buildroot}/%{_localstatedir}/run/dbus mkdir -p %{buildroot}/%{_datadir}/susehelp/meta/Development/Libraries/ install -m 0644 %SOURCE2 \ %{buildroot}/%{_datadir}/susehelp/meta/Development/Libraries/dbus-1.desktop mkdir -p %{buildroot}/%{_libdir}/pkgconfig mkdir -p %{buildroot}/lib/dbus-1/system-services mkdir -p %{buildroot}/%{_datadir}/dbus-1/system-services mkdir -p %{buildroot}/%{_datadir}/dbus-1/interfaces mkdir -p %{buildroot}/%{_libdir}/dbus-1.0/include/ mv -f %{buildroot}/%{_lib}/dbus-1.0/include/* %{buildroot}/%{_libdir}/dbus-1.0/include/ rm -f %{buildroot}/%{_lib}/*.la # devel stuff must not be in /lib %{__ln_s} -v /%{_lib}/$(readlink %{buildroot}/%{_lib}/lib%{name}.so) %{buildroot}%{_libdir}/lib%{name}.so %{__rm} -v %{buildroot}/%{_lib}/lib%{name}.so # fix up pkgconfig file sed -e 's@^\(libdir=\).*@\1%{_libdir}@' %{buildroot}/%{_lib}/pkgconfig/dbus-1.pc > %{buildroot}/%{_libdir}/pkgconfig/dbus-1.pc rm -f %{buildroot}/%{_lib}/pkgconfig/dbus-1.pc # rm -f %{buildroot}/bin/dbus-launch rm -f %{buildroot}/%{_mandir}/man1/dbus-launch.1* chmod a-x AUTHORS COPYING HACKING NEWS README doc/*.txt doc/file-boilerplate.c doc/TODO # install -d %{buildroot}%{_sysconfdir}/ConsoleKit/run-session.d install -m 755 %{SOURCE3} %{buildroot}%{_sysconfdir}/ConsoleKit/run-session.d mkdir -p %{buildroot}%{_localstatedir}/lib/dbus touch %{buildroot}/%{_localstatedir}/lib/dbus/machine-id %pre /usr/sbin/groupadd -r messagebus 2> /dev/null || : /usr/sbin/useradd -r -o -s /bin/false -c "User for D-Bus" -d /var/run/dbus -g messagebus messagebus 2> /dev/null || : %if 0%{?suse_version:1} %preun %{stop_on_removal dbus} %post /bin/dbus-uuidgen --ensure %{insserv_force_if_yast dbus} /sbin/ldconfig %{run_permissions} %verifyscript %verify_permissions -e /lib/dbus-1/dbus-daemon-launch-helper %postun %{insserv_cleanup} /sbin/ldconfig %endif %files %defattr(-, root, root) %dir %{_datadir}/dbus-1 %dir %{_datadir}/dbus-1/services %dir 
%{_datadir}/dbus-1/system-services %dir %{_datadir}/dbus-1/interfaces %dir %{_localstatedir}/lib/dbus %dir /lib/dbus-1 %dir /lib/dbus-1/system-services %doc AUTHORS COPYING HACKING NEWS README %dir %{_sysconfdir}/dbus-1 %dir %{_sysconfdir}/dbus-1/session.d %dir %{_sysconfdir}/dbus-1/system.d %config(noreplace) %{_sysconfdir}/dbus-1/session.conf %config(noreplace) %{_sysconfdir}/dbus-1/system.conf %{_sysconfdir}/init.d/dbus %{_sysconfdir}/ConsoleKit /bin/dbus-cleanup-sockets /bin/dbus-daemon /bin/dbus-monitor /bin/dbus-send /bin/dbus-uuidgen /%{_lib}/libdbus-1.so.* %{_mandir}/man1/dbus-cleanup-sockets.1.* %{_mandir}/man1/dbus-daemon.1.* %{_mandir}/man1/dbus-monitor.1.* %{_mandir}/man1/dbus-send.1.* %{_mandir}/man1/dbus-uuidgen.1.* %{_sbindir}/rcdbus # See doc/system-activation.txt in source tarball for the rationale # behind these permissions %attr(4750,root,messagebus) %verify(not mode) /lib/%{name}/dbus-daemon-launch-helper %ghost %{_localstatedir}/run/dbus %ghost %{_localstatedir}/lib/dbus/machine-id %dir /lib/systemd %dir /lib/systemd/system /lib/systemd/system/dbus.service /lib/systemd/system/dbus.socket %dir /lib/systemd/system/dbus.target.wants /lib/systemd/system/dbus.target.wants/dbus.socket %dir /lib/systemd/system/multi-user.target.wants /lib/systemd/system/multi-user.target.wants/dbus.service %dir /lib/systemd/system/sockets.target.wants /lib/systemd/system/sockets.target.wants/dbus.socket %files -n dbus-1-devel %defattr(-,root,root) %{_includedir}/* %{_libdir}/libdbus-1.so %dir %{_libdir}/dbus-1.0 %{_libdir}/dbus-1.0/include %{_libdir}/pkgconfig/dbus-1.pc %files -n dbus-1-devel-doc %defattr(-,root,root) %dir %{_datadir}/doc/dbus %{_datadir}/doc/dbus/api/ %doc %{_datadir}/doc/dbus/dbus-faq.html %doc %{_datadir}/doc/dbus/dbus-specification.html %doc %{_datadir}/doc/dbus/dbus-test-plan.html %doc %{_datadir}/doc/dbus/dbus-tutorial.html %doc %{_datadir}/doc/dbus/diagram.* %doc %{_datadir}/doc/dbus/system-activation.txt %doc doc/*.txt doc/file-boilerplate.c 
doc/TODO %{_datadir}/susehelp %changelog ++++++ baselibs.conf ++++++ dbus-1 dbus-1-devel ++++++ dbus-1-x11.spec.in ++++++ # # spec file for package dbus-1-x11 (Version 1.4.1) # # Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # # norootforbuild Name: dbus-1-x11 %define _name dbus BuildRequires: xorg-x11-devel Url: http://dbus.freedesktop.org/ License: GPL2+ or AFL 2.1 Group: System/Daemons Summary: D-Bus Message Bus System # COMMON1-BEGIN # COMMON1-END %description D-Bus contains some tools that require Xlib to be installed, those are in this separate package so server systems need not install X. %prep # COMMON2-BEGIN # COMMON2-END tdir=$(mktemp -d) make DESTDIR=$tdir install mkdir -p %{buildroot}/%{_bindir} mkdir -p %{buildroot}/%{_mandir}/man1 mv $tdir/bin/dbus-launch %{buildroot}/%{_bindir} mv $tdir/%{_mandir}/man1/dbus-launch.1* %{buildroot}/%{_mandir}/man1 rm -rf $tdir %clean %{__rm} -rf %{buildroot} %files %defattr(-,root,root) %{_bindir}/dbus-launch %{_mandir}/man1/dbus-launch.1* %changelog ++++++ dbus-1.desktop ++++++ [Desktop Entry] Name=D-Bus API Documentation DocPath=/usr/share/doc/packages/dbus-1-devel/html/index.html X-DOC-SearchMethod=htdig ++++++ dbus-cve-2012-3524-1.patch ++++++ diff -urN a/configure.ac b/configure.ac --- a/configure.ac 2012-10-10 14:40:44.400318811 +0200 
+++ b/configure.ac 2012-10-10 14:40:56.523041459 +0200 @@ -570,7 +570,7 @@ AC_SEARCH_LIBS(socket,[socket network]) AC_CHECK_FUNC(gethostbyname,,[AC_CHECK_LIB(nsl,gethostbyname)]) -AC_CHECK_FUNCS(vsnprintf vasprintf nanosleep usleep setenv clearenv unsetenv socketpair getgrouplist fpathconf setrlimit poll setlocale localeconv strtoll strtoull) +AC_CHECK_FUNCS(vsnprintf vasprintf nanosleep usleep setenv clearenv unsetenv socketpair getgrouplist fpathconf setrlimit poll setlocale localeconv strtoll strtoull __secure_getenv) AC_CHECK_HEADERS([syslog.h]) if test "x$ac_cv_header_syslog_h" = "xyes"; then diff -urN a/dbus/dbus-keyring.c b/dbus/dbus-keyring.c --- a/dbus/dbus-keyring.c 2012-10-10 14:40:44.331320050 +0200 +++ b/dbus/dbus-keyring.c 2012-10-10 14:40:56.523041459 +0200 @@ -717,6 +717,13 @@ DBusCredentials *our_credentials; _DBUS_ASSERT_ERROR_IS_CLEAR (error); + + if (_dbus_check_setuid ()) + { + dbus_set_error_const (error, DBUS_ERROR_NOT_SUPPORTED, + "Unable to create DBus keyring when setuid"); + return NULL; + } keyring = NULL; error_set = FALSE; diff -urN a/dbus/dbus-sysdeps.c b/dbus/dbus-sysdeps.c --- a/dbus/dbus-sysdeps.c 2012-10-10 14:40:44.351319935 +0200 +++ b/dbus/dbus-sysdeps.c 2012-10-10 14:40:56.526041358 +0200 @@ -182,6 +182,11 @@ const char* _dbus_getenv (const char *varname) { + /* Don't respect any environment variables if the current process is + * setuid. This is the equivalent of glibc's __secure_getenv(). + */ + if (_dbus_check_setuid ()) + return NULL; return getenv (varname); } diff -urN a/dbus/dbus-sysdeps.h b/dbus/dbus-sysdeps.h --- a/dbus/dbus-sysdeps.h 2012-10-10 14:40:44.331320050 +0200 +++ b/dbus/dbus-sysdeps.h 2012-10-10 14:40:56.528041293 +0200 @@ -87,6 +87,7 @@ void _dbus_abort (void) _DBUS_GNUC_NORETURN; +dbus_bool_t _dbus_check_setuid (void); const char* _dbus_getenv (const char *varname); dbus_bool_t _dbus_setenv (const char *varname, const char *value); diff -urN a/dbus/dbus-sysdeps-unix.c b/dbus/dbus-sysdeps-unix.c 
--- a/dbus/dbus-sysdeps-unix.c 2012-10-10 14:40:44.360319729 +0200 +++ b/dbus/dbus-sysdeps-unix.c 2012-10-10 14:40:56.526041358 +0200 @@ -3349,6 +3349,13 @@ DBusString uuid; dbus_bool_t retval; + if (_dbus_check_setuid ()) + { + dbus_set_error_const (error, DBUS_ERROR_NOT_SUPPORTED, + "Unable to autolaunch when setuid"); + return FALSE; + } + _DBUS_ASSERT_ERROR_IS_CLEAR (error); retval = FALSE; @@ -3466,6 +3473,13 @@ _DBUS_ASSERT_ERROR_IS_CLEAR (error); + if (_dbus_check_setuid ()) + { + dbus_set_error_const (error, DBUS_ERROR_NOT_SUPPORTED, + "Unable to find launchd socket when setuid"); + return FALSE; + } + i = 0; argv[i] = "launchctl"; ++i; @@ -3506,6 +3520,13 @@ dbus_bool_t valid_socket; DBusString socket_path; + if (_dbus_check_setuid ()) + { + dbus_set_error_const (error, DBUS_ERROR_NOT_SUPPORTED, + "Unable to find launchd socket when setuid"); + return FALSE; + } + if (!_dbus_string_init (&socket_path)) { _DBUS_SET_OOM (error); 
@@ -3963,4 +3984,57 @@ return configure_time_path; } +/** + * **NOTE**: If you modify this function, please also consider making + * the corresponding change in GLib. See + * glib/gutils.c:g_check_setuid(). + * + * Returns TRUE if the current process was executed as setuid (or an + * equivalent __libc_enable_secure is available). See: + * http://osdir.com/ml/linux.lfs.hardened/2007-04/msg00032.html + */ +dbus_bool_t +_dbus_check_setuid (void) +{ + /* TODO: get __libc_enable_secure exported from glibc. + * See http://www.openwall.com/lists/owl-dev/2012/08/14/1 + */ +#if 0 && defined(HAVE_LIBC_ENABLE_SECURE) + { + /* See glibc/include/unistd.h */ + extern int __libc_enable_secure; + return __libc_enable_secure; + } +#elif defined(HAVE_ISSETUGID) + /* BSD: http://www.freebsd.org/cgi/man.cgi?query=issetugid&sektion=2 */ + return issetugid (); +#else + uid_t ruid, euid, suid; /* Real, effective and saved user ID's */ + gid_t rgid, egid, sgid; /* Real, effective and saved group ID's */ + + static dbus_bool_t check_setuid_initialised; + static dbus_bool_t is_setuid; + + if (_DBUS_UNLIKELY (!check_setuid_initialised)) + { +#ifdef HAVE_GETRESUID + if (getresuid (&ruid, &euid, &suid) != 0 || + getresgid (&rgid, &egid, &sgid) != 0) +#endif /* HAVE_GETRESUID */ + { + suid = ruid = getuid (); + sgid = rgid = getgid (); + euid = geteuid (); + egid = getegid (); + } + + check_setuid_initialised = TRUE; + is_setuid = (ruid != euid || ruid != suid || + rgid != egid || rgid != sgid); + + } + return is_setuid; +#endif +} + /* tests in dbus-sysdeps-util.c */ diff -urN a/dbus/dbus-sysdeps-win.c b/dbus/dbus-sysdeps-win.c --- a/dbus/dbus-sysdeps-win.c 2012-10-10 14:40:44.343319996 +0200 +++ b/dbus/dbus-sysdeps-win.c 2012-10-10 14:40:56.526041358 +0200 @@ -3593,6 +3593,12 @@ return FALSE; } +dbus_bool_t +_dbus_check_setuid (void) +{ + return FALSE; +} + /** @} end of sysdeps-win */ /* tests in dbus-sysdeps-util.c */ ++++++ dbus-cve-2012-3524-2.patch ++++++
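Review bot: in dbus-cve-2012-3524-1.patch, configure.ac, `__secure_getenv` is added to AC_CHECK_FUNCS but no hunk in this patch tests the resulting HAVE___SECURE_GETENV define; `_dbus_getenv` goes through `_dbus_check_setuid ()` and plain `getenv` instead. Either use the result or drop the check, so the configure output does not suggest a code path that does not exist.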
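Review bot: in dbus-cve-2012-3524-1.patch, dbus/dbus-sysdeps.c, `_dbus_getenv` now returns NULL for every variable under setuid, and that includes variables a setuid caller reads for its own bookkeeping, such as the `_dbus_getenv ("DBUS_STARTER_ADDRESS")` call in bus/activation-helper.c. The comment should say that callers in setuid binaries get NULL unconditionally, and each in-tree setuid caller of `_dbus_getenv` should be audited in the same change.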
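Review bot: in dbus-cve-2012-3524-1.patch, dbus/dbus-sysdeps-unix.c hunk @@ -3349, the setuid check and `dbus_set_error_const` run before `_DBUS_ASSERT_ERROR_IS_CLEAR (error)`, whereas the dbus-keyring.c hunk and the hunk at @@ -3466 place the check after the assertion. Move the new block below the assertion here too, so the error is verified clear before it is set on the early-return path.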
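Review bot: in dbus-cve-2012-3524-1.patch, dbus/dbus-sysdeps-unix.c hunk @@ -3963, `check_setuid_initialised = TRUE;` is stored before `is_setuid` is assigned, so a second thread entering in that window skips the initialisation and returns the still-zero `is_setuid`, which fails open. Assign `is_setuid` first and set the flag last. The doc comment should also state that the fallback branch compares the IDs as they are at the first call and caches the answer, so a program that has already equalised its real, effective and saved IDs before first touching libdbus is reported as not setuid; the `#if 0 &&` branch is dead code until the TODO is resolved and could be reduced to the comment.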
From 4b351918b9f70eaedbdb3ab39208bc1f131efae0 Mon Sep 17 00:00:00 2001 From: Colin Walters
Date: Fri, 28 Sep 2012 01:35:22 +0000 Subject: hardening: Ensure _dbus_check_setuid() is initialized threadsafe manner
This is a highly theoretical concern, but we might as well. https://bugs.freedesktop.org/show_bug.cgi?id=52202 --- diff --git a/dbus/dbus-sysdeps-pthread.c b/dbus/dbus-sysdeps-pthread.c index c9ec9e5..c60457b 100644 --- a/dbus/dbus-sysdeps-pthread.c +++ b/dbus/dbus-sysdeps-pthread.c @@ -275,6 +275,11 @@ check_monotonic_clock (void) dbus_bool_t _dbus_threads_init_platform_specific (void) { + /* These have static variables, and we need to handle both the case + * where dbus_threads_init() has been called and when it hasn't; + * so initialize them before any threads are allowed to enter. + */ check_monotonic_clock (); + (void) _dbus_check_setuid (); return dbus_threads_init (&pthread_functions); } -- cgit v0.9.0.2-2-gbebe ++++++ dbus-cve-2012-3524-3.patch ++++++
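Review bot: in dbus-cve-2012-3524-2.patch, dbus/dbus-sysdeps-pthread.c, `(void) _dbus_check_setuid ();` only primes the cached result for callers that reach `_dbus_threads_init_platform_specific` before anything calls `_dbus_getenv`; the added comment describes the intent but not that ordering requirement. State it in the comment here or next to the static variables in `_dbus_check_setuid`, since a caller that reads the environment earlier still goes through the unsynchronised lazy initialisation.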
From 57ae3670508bbf4ec57049de47c9cae727a64802 Mon Sep 17 00:00:00 2001 From: Colin Walters
Date: Fri, 28 Sep 2012 16:01:56 +0000 Subject: hardening: Remove activation helper handling for DBUS_VERBOSE
It's not really useful. See https://bugs.freedesktop.org/show_bug.cgi?id=52202#c17 --- diff --git a/bus/activation-helper.c b/bus/activation-helper.c index ab9d601..7864e0f 100644 --- a/bus/activation-helper.c +++ b/bus/activation-helper.c @@ -140,17 +140,11 @@ out_all: return desktop_file; } -/* Cleares the environment, except for DBUS_VERBOSE and DBUS_STARTER_x */ +/* Clears the environment, except for DBUS_STARTER_x */ static dbus_bool_t clear_environment (DBusError *error) { const char *starter_env = NULL; -#ifdef DBUS_ENABLE_VERBOSE_MODE - const char *debug_env = NULL; - - /* are we debugging */ - debug_env = _dbus_getenv ("DBUS_VERBOSE"); -#endif /* we save the starter */ starter_env = _dbus_getenv ("DBUS_STARTER_ADDRESS"); @@ -165,12 +159,6 @@ clear_environment (DBusError *error) } #endif -#ifdef DBUS_ENABLE_VERBOSE_MODE - /* restore the debugging environment setting if set */ - if (debug_env) - _dbus_setenv ("DBUS_VERBOSE", debug_env); -#endif - /* restore the starter */ if (starter_env) _dbus_setenv ("DBUS_STARTER_ADDRESS", starter_env); -- cgit v0.9.0.2-2-gbebe ++++++ dbus-cve-2012-3524-4.patch ++++++
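Review bot: in dbus-cve-2012-3524-3.patch, bus/activation-helper.c, the retained `starter_env = _dbus_getenv ("DBUS_STARTER_ADDRESS");` in `clear_environment` is read through `_dbus_getenv`, which the first patch in this series makes return NULL in a setuid process, so in the setuid helper the `if (starter_env)` restore never runs. The updated comment "Clears the environment, except for DBUS_STARTER_x" therefore does not describe what the helper does after this series; either correct the comment or set the starter address explicitly in the same change.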
From f68dbdc3e6f895012ce33939fb524accf31bcca5 Mon Sep 17 00:00:00 2001 From: Geoffrey Thomas
Date: Fri, 28 Sep 2012 05:02:06 +0000 Subject: activation-helper: Ensure DBUS_STARTER_ADDRESS is set correctly
The fix for CVE-2012-3524 filters out all environment variables if
libdbus is used from a setuid program, to prevent various spoofing
attacks.
Unfortunately, the activation helper is a setuid program linking
libdbus, and this creates a regression for launched programs using
DBUS_STARTER_ADDRESS, since it will no longer exist.
Fix this by hardcoding the starter address to the default system bus
address.
Signed-off-by: Geoffrey Thomas