File _patchinfo of Package patchinfo.3010
<patchinfo>
<issue id="896453" tracker="bnc">VUL-0: CVE-2014-3635 - CVE-2014-3639: dbus-1: various denial of service issues in fd passing</issue>
<issue id="CVE-2014-3636" tracker="cve" />
<issue id="CVE-2014-3637" tracker="cve" />
<issue id="CVE-2014-3635" tracker="cve" />
<issue id="CVE-2014-3638" tracker="cve" />
<issue id="CVE-2014-3639" tracker="cve" />
<issue id="CVE-2012-3524" tracker="cve" />
<category>security</category>
<rating>moderate</rating>
<packager>fstrba</packager>
<description>
DBUS-1 was upgraded to upstream release 1.8.
This brings the version of dbus to the latest stable release from an
unstable snapshot 1.7.4 that is know to have several regressions
- Upstream changes since 1.7.4:
+ Security fixes:
- Do not accept an extra fd in the padding of a cmsg message, which
could lead to a 4-byte heap buffer overrun. (CVE-2014-3635,
fdo#83622; Simon McVittie)
- Reduce default for maximum Unix file descriptors passed per
message from 1024 to 16, preventing a uid with the default maximum
number of connections from exhausting the system bus' file
descriptors under Linux's default rlimit. Distributors or system
administrators with a restrictive fd limit may wish to reduce
these limits further.
Additionally, on Linux this prevents a second denial of service in
which the dbus-daemon can be made to exceed the maximum number of
fds per sendmsg() and disconnect the process that would have
received them. (CVE-2014-3636, fdo#82820; Alban Crequy)
- Disconnect connections that still have a fd pending unmarshalling
after a new configurable limit, pending_fd_timeout (defaulting to
150 seconds), removing the possibility of creating an abusive
connection that cannot be disconnected by setting up a circular
reference to a connection's file descriptor. (CVE-2014-3637,
fdo#80559; Alban Crequy)
- Reduce default for maximum pending replies per connection from
8192 to 128, mitigating an algorithmic complexity
denial-of-service attack (CVE-2014-3638, fdo#81053; Alban Crequy)
- Reduce default for authentication timeout on the system bus from
30 seconds to 5 seconds, avoiding denial of service by using up
all unauthenticated connection slots; and when all unauthenticated
connection slots are used up, make new connection attempts block
instead of disconnecting them. (CVE-2014-3639, fdo#80919;
Alban Crequy)
- On Linux >0 2.6.37-rc4, if sendmsg() fails with ETOOMANYREFS,
silently drop the message. This prevents an attack in which a
malicious client can make dbus-daemon disconnect a system service,
which is a local denial of service. (fdo#80163, CVE-2014-3532;
Alban Crequy)
- Track remaining Unix file descriptors correctly when more than one
message in quick succession contains fds. This prevents another
attack in which a malicious client can make dbus-daemon disconnect
a system service. (fdo#79694, fdo#80469, CVE-2014-3533; Alejandro
Martínez Suárez, Simon McVittie, Alban Crequy)
- Alban Crequy at Collabora Ltd. discovered and fixed a
denial-of-service flaw in dbus-daemon, part of the reference
implementation of D-Bus.
Additionally, in highly unusual environments the same flaw could
lead to a side channel between processes that should not be able
to communicate. (CVE-2014-3477, fdo#78979)
+ Other fixes and enhancements:
- Check for libsystemd from systemd >= 209, falling back to the
older separate libraries if not found (Umut Tezduyar Lindskog,
Simon McVittie)
- On Linux, use prctl() to disable core dumps from a test executable
that deliberately raises SIGSEGV to test dbus-daemon's handling
of that condition (fdo#83772, Simon McVittie)
- Fix compilation with --enable-stats (fdo#81043, Gentoo #507232;
Alban Crequy)
- Improve documentation for running tests on Windows (fdo#41252,
Ralf Habacker)
- When dbus-launch --exit-with-session starts a dbus-daemon but then
cannot attach to a session, kill the dbus-daemon as intended
(fdo#74698, Роман Донченко)
- in the CMake build system, add some hints for Linux users
cross-compiling Windows D-Bus binaries to be able to run tests
under Wine (fdo#41252, Ralf Habacker)
- add Documentation key to dbus.service (fdo#77447, Cameron Norman)
- in "dbus-uuidgen --ensure", try to copy systemd's /etc/machine-id
to /var/lib/dbus/machine-id instead of generating an entirely new
ID (fdo#77941, Simon McVittie)
- if dbus-launch receives an X error very quickly, do not kill
unrelated processes (fdo#74698, Роман Донченко)
- on Windows, allow up to 8K connections to the dbus-daemon, instead
of the previous 64 (fdo#71297; Cristian Onet, Ralf Habacker)
- cope with \r\n newlines in regression tests, since on Windows,
dbus-daemon.exe uses text mode (fdo#75863, Руслан Ижбулатов)
- Enhance the CMake build system to check for GLib and compile/run a
subset of the regression tests (fdo#41252, fdo#73495;
Ralf Habacker)
- don't rely on va_copy(), use DBUS_VA_COPY() wrapper (fdo#72840,
Ralf Habacker)
- fix compilation of systemd journal support on older systemd
versions where sd-journal.h doesn't include syslog.h (fdo#73455,
Ralf Habacker)
- fix compilation on older MSVC versions by including stdlib.h
(fdo#73455, Ralf Habacker)
- Allow <allow_anonymous/> to appear in an included configuration
file (fdo#73475, Matt Hoosier)
- If the tests crash with an assertion failure, they no longer
default to blocking for a debugger to be attached. Set
DBUS_BLOCK_ON_ABORT in the environment if you want the old
behaviour.
- To improve debuggability, the dbus-daemon and
dbus-daemon-eavesdrop tests can be run with an external
dbus-daemon by setting DBUS_TEST_DAEMON_ADDRESS in the
environment. Test-cases that require an unusually-configured
dbus-daemon are skipped.
- don't require messages with no INTERFACE to be dispatched
(fdo#68597, Simon McVittie)
- document "tcp:bind=..." and "nonce-tcp:bind=..." (fdo#72301,
Chengwei Yang)
- define "listenable" and "connectable" addresses, and discuss
the difference (fdo#61303, Simon McVittie)
- support printing Unix file descriptors in dbus-send, dbus-monitor
(fdo#70592, Robert Ancell)
- don't install systemd units if --disable-systemd is given
(fdo#71818, Chengwei Yang)
- don't leak memory on out-of-memory while listing activatable or
active services (fdo#71526, Radoslaw Pajak)
- fix undefined behaviour in a regression test (fdo#69924, DreamNik)
- escape Unix socket addresses correctly (fdo#46013, Chengwei Yang)
- on SELinux systems, don't assume that SECCLASS_DBUS,
DBUS__ACQUIRE_SVC and DBUS__SEND_MSG are numerically equal to
their values in the reference policy (fdo#88719, osmond sun)
- define PROCESS_QUERY_LIMITED_INFORMATION if missing from MinGW < 4
headers (fdo#71366, Matt Fischer)
- define WIN32_LEAN_AND_MEAN to avoid conflicts between winsock.h
and winsock2.h (fdo#71405, Matt Fischer)
- do not return failure from _dbus_read_nonce() with no error set,
preventing a potential crash (fdo#72298, Chengwei Yang)
- on BSD systems, avoid some O(1)-per-process memory and fd leaks in
kqueue, preventing test failures (fdo#69332, fdo#72213; Chengwei
Yang)
- fix warning spam on Hurd by not trying to set SO_REUSEADDR on Unix
sockets, which doesn't do anything anyway on at least Linux and
FreeBSD (fdo#69492, Simon McVittie)
- fix use of TCP sockets on FreeBSD and Hurd by tolerating EINVAL
from sendmsg() with SCM_CREDS (retrying with plain send()), and
looking for credentials more correctly (fdo#69492, Simon McVittie)
- ensure that tests run with a temporary XDG_RUNTIME_DIR to avoid
getting mixed up in XDG/systemd "user sessions" (fdo#61301,
Simon McVittie)
- refresh cached policy rules for existing connections when bus
configuration changes (fdo#39463, Chengwei Yang)
- If systemd support is enabled, libsystemd-journal is now required.
- When activating a non-systemd service under systemd, annotate its
stdout/stderr with its bus name in the Journal. Known limitation:
because the socket is opened before forking, the process will
still be logged as if it had dbus-daemon's process ID and user ID.
(fdo#68559, Chengwei Yang)
- Document more configuration elements in dbus-daemon(1)
(fdo#69125, Chengwei Yang)
- Don't leak string arrays or fds if
dbus_message_iter_get_args_valist() unpacks them and then
encounters an error (fdo#21259, Chengwei Yang)
- If compiled with libaudit, retain CAP_AUDIT_WRITE so we can write
disallowed method calls to the audit log, fixing a regression in
1.7.6 (fdo#49062, Colin Walters)
- path_namespace='/' in match rules incorrectly matched nothing; it
now matches everything. (fdo#70799, Simon McVittie)
- Directory change notification via dnotify on Linux is no longer
supported; it hadn't compiled successfully since 2010 in any case.
If you don't have inotify (Linux) or kqueue (*BSD), you will need
to send SIGHUP to the dbus-daemon when its configuration changes.
(fdo#33001, Chengwei Yang)
- Compiling with --disable-userdb-cache is no longer supported;
it didn't work since at least 2008, and would lead to an extremely
slow dbus-daemon even it worked. (fdo#15589, fdo#17133, fdo#66947;
Chengwei Yang)
- The DBUS_DISABLE_ASSERTS CMake option didn't actually disable most
assertions. It has been renamed to DBUS_DISABLE_ASSERT to be
consistent with the Autotools build system. (fdo#66142, Chengwei
Yang)
- --with-valgrind=auto enables Valgrind instrumentation if and only
if valgrind headers are available. The default is still
--with-valgrind=no. (fdo#56925, Simon McVittie)
- Platforms with no 64-bit integer type are no longer supported.
(fdo#65429, Simon McVittie)
- GNU make is now (documented to be) required. (fdo#48277, Simon
McVittie)
- Full test coverage no longer requires dbus-glib, although the
tests do not exercise the shared library (only a static copy) if
dbus-glib is missing. (fdo#68852, Simon McVittie)
- D-Bus Specification 0.22
* Document GetAdtAuditSessionData() and
GetConnectionSELinuxSecurityContext() (fdo#54445, Simon)
* Fix example .service file (fdo#66481, Chengwei Yang)
* Don't claim D-Bus is "low-latency" (lower than what?), just give
factual statements about it supporting async use (fdo#65141,
Justin Lee)
* Document the contents of .service files, and the fact that
system services' filenames are constrained (fdo#66608; Simon
McVittie, Chengwei Yang)
- Be thread-safe by default on all platforms, even if
dbus_threads_init_default() has not been called. For compatibility
with older libdbus, library users should continue to call
dbus_threads_init_default(): it is harmless to do so. (fdo#54972,
Simon McVittie)
- Add GetConnectionCredentials() method (fdo#54445, Simon)
- New API: dbus_setenv(), a simple wrapper around setenv().
Note that this is not thread-safe. (fdo#39196, Simon)
- Add dbus-send --peer=ADDRESS (connect to a given peer-to-peer
connection, like --address=ADDRESS in previous versions) and
dbus-send --bus=ADDRESS (connect to a given bus, like dbus-monitor
--address=ADDRESS). dbus-send --address still exists for backwards
compatibility, but is no longer documented. (fdo#48816, Andrey
Mazo)
- "dbus-daemon --nofork" is allowed on Windows again. (fdo#68852,
Simon McVittie)
- Avoid an infinite busy-loop if a signal interrupts waitpid()
(fdo#68945, Simon McVittie)
- Clean up memory for parent nodes when objects are unexported
(fdo#60176, Thomas Fitzsimmons)
- Make dbus_connection_set_route_peer_messages(x, FALSE) behave as
documented. Previously, it assumed its second parameter was TRUE.
(fdo#69165, Chengwei Yang)
- Escape addresses containing non-ASCII characters correctly
(fdo#53499, Chengwei Yang)
- Document <servicedir> search order correctly (fdo#66994, Chengwei
Yang)
- Don't crash on "dbus-send --session / x.y.z" which regressed in
1.7.4. (fdo#65923, Chengwei Yang)
- If malloc() returns NULL in _dbus_string_init() or similar, don't
free an invalid pointer if the string is later freed (fdo#65959,
Chengwei Yang)
- If malloc() returns NULL in dbus_set_error(), don't va_end() a
va_list that was never va_start()ed (fdo#66300, Chengwei Yang)
- fix build failure with --enable-stats (fdo#66004, Chengwei Yang)
- fix a regression test on platforms with strict alignment
(fdo#67279, Colin Walters)
- Avoid calling function parameters "interface" since certain
Windows headers have a namespace-polluting macro of that name
(fdo#66493, Ivan Romanov)
- Assorted Doxygen fixes (fdo#65755, Chengwei Yang)
- Various thread-safety improvements to static variables (fdo#68610,
Simon McVittie)
- Make "make -j check" work (fdo#68852, Simon McVittie)
- Fix a NULL pointer dereference on an unlikely error path
(fdo#69327, Sviatoslav Chagaev)
- Improve valgrind memory pool tracking (fdo#69326, Sviatoslav
Chagaev)
- Don't over-allocate memory in dbus-monitor (fdo#69329, Sviatoslav
Chagaev)
- dbus-monitor can monitor dbus-daemon < 1.5.6 again (fdo#66107,
Chengwei Yang)
- If accept4() fails with EINVAL, as it can on older Linux kernels
with newer glibc, try accept() instead of going into a busy-loop.
(fdo#69026, Chengwei Yang)
- If socket() or socketpair() fails with EINVAL or EPROTOTYPE, for
instance on Hurd or older Linux with a new glibc, try without
SOCK_CLOEXEC. (fdo#69073; Pino Toscano, Chengwei Yang)
- Fix a file descriptor leak on an error code path. (fdo#69182,
Sviatoslav Chagaev)
- dbus-run-session: clear some unwanted environment variables
(fdo#39196, Simon)
- dbus-run-session: compile on FreeBSD (fdo#66197, Chengwei Yang)
- Don't fail the autolaunch test if there is no DISPLAY (fdo#40352,
Simon)
- Use dbus-launch from the builddir for testing, not the installed
copy (fdo#37849, Chengwei Yang)
- Fix compilation if writev() is unavailable (fdo#69409, Vasiliy
Balyasnyy)
- Remove broken support for LOCAL_CREDS credentials passing, and
document where each credential-passing scheme is used (fdo#60340,
Simon McVittie)
- Make autogen.sh work on *BSD by not assuming GNU coreutils
functionality fdo#35881, fdo#69787; Chengwei Yang)
- dbus-monitor: be portable to NetBSD (fdo#69842, Chengwei Yang)
- dbus-launch: stop using non-portable asprintf (fdo#37849, Simon)
- Improve error reporting from the setuid activation helper
(fdo#66728, Chengwei Yang)
- Remove unavailable command-line options from 'dbus-daemon --help'
(fdo#42441, Ralf Habacker)
- Add support for looking up local TCPv4 clients' credentials on
Windows XP via the undocumented AllocateAndGetTcpExTableFromStack
function (fdo#66060, Ralf Habacker)
- Fix insufficient dependency-tracking (fdo#68505, Simon McVittie)
- Don't include wspiapi.h, fixing a compiler warning (fdo#68852,
Simon McVittie)
- add DBUS_ENABLE_ASSERT, DBUS_ENABLE_CHECKS for less confusing
conditionals (fdo#66142, Chengwei Yang)
- improve verbose-mode output (fdo#63047, Colin Walters)
- consolidate Autotools and CMake build (fdo#64875, Ralf Habacker)
- fix various unused variables, unusual build configurations
etc. (fdo#65712, fdo#65990, fdo#66005, fdo#66257, fdo#69165,
fdo#69410, fdo#70218; Chengwei Yang, Vasiliy Balyasnyy)
- dbus-cve-2014-3533.patch: Add patch for CVE-2014-3533 to fix
(fdo#63127)
• CVE-2012-3524: Don't access environment variables (fdo#52202)
(fdo#51521, Dave Reisner)
• Remove an incorrect assertion from DBusTransport (fdo#51657,
(fdo#51406, Simon McVittie)
(fdo#51032, Simon McVittie)
(fdo#34671, Simon McVittie)
· Check for libpthread under CMake on Unix (fdo#47237, Simon McVittie)
spec-compliance (fdo#48580, David Zeuthen)
non-root when using OpenBSD install(1) (fdo#48217, Antoine Jacoutot)
(fdo#45896, Simon McVittie)
(fdo#39549, Simon McVittie)
invent their own "union of everything" type (fdo#11191, Simon
find(1) (fdo#33840, Simon McVittie)
(fdo#46273, Alban Crequy)
again on Win32, but not on WinCE (fdo#46049, Simon
(fdo#47321, Andoni Morales Alastruey)
(fdo#39231, fdo#41012; Simon McVittie)
* Add a regression test for fdo#38005 (fdo#39836, Simon McVittie)
a service file entry for activation (fdo#39230, Simon McVittie)
(fdo#24317, #34870; Will Thompson, David Zeuthen, Simon McVittie)
and document it better (fdo#31818, Will Thompson)
• Let the bus daemon implement more than one interface (fdo#33757,
• Optimize _dbus_string_replace_len to reduce waste (fdo#21261,
(fdo#35114, Simon McVittie)
• Add dbus_type_is_valid as public API (fdo#20496, Simon McVittie)
to unknown interfaces in the bus daemon (fdo#34527, Lennart Poettering)
(fdo#32245; Javier Jardón, Simon McVittie)
• Correctly give XDG_DATA_HOME priority over XDG_DATA_DIRS (fdo#34496,
in embedded environments (fdo#19997, NB#219964; Simon McVittie)
• Install the documentation, and an index for Devhelp (fdo#13495,
booleans when sending them (fdo#16338, NB#223152; Simon McVittie)
errors to dbus-shared.h (fdo#34527, Lennart Poettering)
data (fdo#10887, Simon McVittie)
.service files (fdo#19159, Sven Herzberg)
(fdo#35750, Colin Walters)
(fdo#32805, Mark Brand)
which could result in a busy-loop (fdo#32992, NB#200248; possibly
• Fix failure to detect abstract socket support (fdo#29895)
(fdo#32262, NB#180486)
• Improve some error code paths (fdo#29981, fdo#32264, fdo#32262,
fdo#33128, fdo#33277, fdo#33126, NB#180486)
• Avoid possible symlink attacks in /tmp during compilation (fdo#32854)
• Tidy up dead code (fdo#25306, fdo#33128, fdo#34292, NB#180486)
• Improve gcc malloc annotations (fdo#32710)
• Documentation improvements (fdo#11190)
• Avoid readdir_r, which is difficult to use correctly (fdo#8284,
fdo#15922, LP#241619)
• Cope with invalid files in session.d, system.d (fdo#19186,
• Don't distribute generated files that embed our builddir (fdo#30285,
fdo#34292)
(fdo#33474, LP#381063)
with lcov HTML reports and --enable-compiler-coverage (fdo#10887)
· support credentials-passing (fdo#32542)
· opt-in to thread safety (fdo#33464)
</description>
<reboot_needed/>
<summary>dbus-1: security and bugfix update to 1.8</summary>
</patchinfo>
