80 lines
3.0 KiB
Plaintext
80 lines
3.0 KiB
Plaintext
|
dbus 1.12.20 (2020-07-02)
|
||
|
|
=========================
|
||
|
|
|
||
|
|
The “temporary nemesis” release.
|
||
|
|
|
||
|
|
Maybe security fixes:
|
||
|
|
|
||
|
|
• On Unix, avoid a use-after-free if two usernames have the same
|
||
|
|
numeric uid. In older versions this could lead to a crash (denial of
|
||
|
|
service) or other undefined behaviour, possibly including incorrect
|
||
|
|
authorization decisions if <policy group=...> is used.
|
||
|
|
Like Unix filesystems, D-Bus' model of identity cannot distinguish
|
||
|
|
between users of different names with the same numeric uid, so this
|
||
|
|
configuration is not advisable on systems where D-Bus will be used.
|
||
|
|
Thanks to Daniel Onaca.
|
||
|
|
(dbus#305, dbus!166; Simon McVittie)
|
||
|
|
|
||
|
|
Other fixes:
|
||
|
|
|
||
|
|
• On Solaris and its derivatives, if a cmsg header is truncated, ensure
|
||
|
|
that we do not overrun the buffer used for fd-passing, even if the
|
||
|
|
kernel tells us to.
|
||
|
|
(dbus#304, dbus!165; Andy Fiddaman)
|
||
|
|
|
||
|
|
dbus 1.12.18 (2020-06-02)
|
||
|
|
=========================
|
||
|
|
|
||
|
|
The “telepathic vines” release.
|
||
|
|
|
||
|
|
Denial of service fixes:
|
||
|
|
|
||
|
|
• CVE-2020-12049: If a message contains more file descriptors than can
|
||
|
|
be sent, close those that did get through before reporting error.
|
||
|
|
Previously, a local attacker could cause the system dbus-daemon (or
|
||
|
|
another system service with its own DBusServer) to run out of file
|
||
|
|
descriptors, by repeatedly connecting to the server and sending fds that
|
||
|
|
would get leaked.
|
||
|
|
Thanks to Kevin Backhouse of GitHub Security Lab.
|
||
|
|
(dbus#294, GHSL-2020-057; Simon McVittie)
|
||
|
|
|
||
|
|
Other fixes:
|
||
|
|
|
||
|
|
• Fix a crash when the dbus-daemon is terminated while one or more
|
||
|
|
monitors are active (dbus#291, dbus!140; Simon McVittie)
|
||
|
|
|
||
|
|
• The dbus-send(1) man page now documents --bus and --peer instead of
|
||
|
|
the old --address synonym for --peer, which has been deprecated since
|
||
|
|
the introduction of --bus and --peer in 1.7.6
|
||
|
|
(fd.o #48816, dbus!115; Chris Morin)
|
||
|
|
|
||
|
|
• Fix a wrong environment variable name in dbus-daemon(1)
|
||
|
|
(dbus#275, dbus!122; Mubin, Philip Withnall)
|
||
|
|
|
||
|
|
• Fix formatting of dbus_message_append_args example
|
||
|
|
(dbus!126, Felipe Franciosi)
|
||
|
|
|
||
|
|
• Avoid a test failure on Linux when built in a container as uid 0, but
|
||
|
|
without the necessary privileges to increase resource limits
|
||
|
|
(dbus!58, Debian #908092; Simon McVittie)
|
||
|
|
|
||
|
|
• When building with CMake, cope with libX11 in a non-standard location
|
||
|
|
(dbus!129, Tuomo Rinne)
|
||
|
|
|
||
|
|
dbus 1.12.16 (2019-06-11)
|
||
|
|
=========================
|
||
|
|
|
||
|
|
The “tree cat” release.
|
||
|
|
|
||
|
|
Security fixes:
|
||
|
|
|
||
|
|
• CVE-2019-12749: Do not attempt to carry out DBUS_COOKIE_SHA1
|
||
|
|
authentication for identities that differ from the user running the
|
||
|
|
DBusServer. Previously, a local attacker could manipulate symbolic
|
||
|
|
links in their own home directory to bypass authentication and connect
|
||
|
|
to a DBusServer with elevated privileges. The standard system and
|
||
|
|
session dbus-daemons in their default configuration were immune to this
|
||
|
|
attack because they did not allow DBUS_COOKIE_SHA1, but third-party
|
||
|
|
users of DBusServer such as Upstart could be vulnerable.
|
||
|
|
Thanks to Joe Vennix of Apple Information Security.
|
||
|
|
(dbus#269, Simon McVittie)
|