Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#12073 closed enhancement (fixed)

dbus-1.12.14 (wait for LFS) CVE-2019-12749

Reported by: Douglas R. Reno Owned by: Douglas R. Reno
Priority: high Milestone: 9.0
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description

New point version

Enhancements:

• Raise soft fd limit to match hard limit, even if unprivileged.
  This makes session buses with many clients, or with clients that make
  heavy use of fd-passing, less likely to suffer from fd exhaustion.
  (dbus!103, Simon McVittie)

Fixes:

• If a privileged dbus-daemon has a hard fd limit greater than 64K, don't
  reduce it to 64K, ensuring that we can put back the original fd limits
  when carrying out traditional (non-systemd) activation. This fixes a
  regression with systemd >= 240 in which system services inherited
  dbus-daemon's hard and soft limit of 64K fds, instead of the intended
  soft limit of 1K and hard limit of 512K or 1M.
  (dbus!103, Debian#928877; Simon McVittie)

• Fix build failures caused by an AX_CODE_COVERAGE API change in newer
  autoconf-archive versions (dbus#249, dbus!88; Simon McVittie)

• Fix build failures with newer autoconf-archive versions that include
  AX_-prefixed shell variable names (dbus#249, dbus!86; Simon McVittie)

• Parse section/group names in .service files according to the syntax
  from the Desktop Entry Specification, rejecting control characters
  and non-ASCII in section/group names (dbus#208, David King)

• Fix various -Wlogical-op issues that cause build failure with newer
  gcc versions (dbus#225, dbus!109; David King)

• Don't assume we can set permissions on a directory, for the benefit of
  MSYS and Cygwin builds (dbus#216, dbus!110; Simon McVittie)

• Don't overwrite PKG_CONFIG_PATH and related environment variables when
  the pkg-config-based version of DBus1Config is used in a CMake project
  (dbus#267, dbus!96; Clemens Lang)

Change History (5)

comment:1 by Bruce Dubbs, 5 years ago

Summary: dbus-1.12.14dbus-1.12.14 (wait for LFS)

comment:2 by Douglas R. Reno, 5 years ago

Owner: changed from blfs-book to Douglas R. Reno
Status: newassigned

Grab GNOME tickets to clear things up properly. This is my plan for the beginning of the week.

comment:3 by Douglas R. Reno, 5 years ago

Priority: normalhigh
Summary: dbus-1.12.14 (wait for LFS)dbus-1.12.14 (wait for LFS) CVE-2019-12749

Now version 1.12.16

dbus is the reference implementation of D-Bus, a message bus for
communication between applications and system services.

This is a stable-branch security fix release. Upgrading is recommended,
unless you are following the older security-fix-only stable branch 1.10.x.

<http://dbus.freedesktop.org/releases/dbus/dbus-1.12.16.tar.gz>
<http://dbus.freedesktop.org/releases/dbus/dbus-1.12.16.tar.gz.asc>
git tag: dbus-1.12.16

The “tree cat” release.

Security fixes:

• CVE-2019-12749: Do not attempt to carry out DBUS_COOKIE_SHA1
  authentication for identities that differ from the user running the
  DBusServer. Previously, a local attacker could manipulate symbolic
  links in their own home directory to bypass authentication and connect
  to a DBusServer with elevated privileges. The standard system and
  session dbus-daemons in their default configuration were immune to this
  attack because they did not allow DBUS_COOKIE_SHA1, but third-party
  users of DBusServer such as Upstart could be vulnerable.
  Thanks to Joe Vennix of Apple Information Security.
  (dbus#269, Simon McVittie)

comment:4 by Douglas R. Reno, 5 years ago

Resolution: fixed
Status: assignedclosed

Fixed at r21678

comment:5 by Bruce Dubbs, 5 years ago

Milestone: 8.59.0

Milestone renamed

Note: See TracTickets for help on using tickets.