Opened 18 months ago

Closed 17 months ago

Last modified 17 months ago

#5128 closed enhancement (fixed)

dbus-1.14.4

Reported by: Bruce Dubbs Owned by: lfs-book
Priority: normal Milestone: 11.3
Component: Book Version: git
Severity: normal Keywords:
Cc:

Description

New point version.

Change History (3)

comment:1 by Bruce Dubbs, 17 months ago

dbus 1.14.4 (2022-10-05)

This is a security update for the dbus 1.14.x stable branch, fixing denial-of-service issues (CVE-2022-42010, -42011, -42012) and applying security hardening.

  • On Linux, dbus-daemon and other uses of DBusServer now create a path-based Unix socket, unix:path=..., when asked to listen on a unix:tmpdir=... address. This makes unix:tmpdir=... equivalent to unix:dir=... on all platforms. Previous versions would have created an abstract socket, unix:abstract=..., in this situation. This change primarily affects the well-known session bus when run via dbus-launch(1) or dbus-run-session(1). The user bus, enabled by configuring dbus with --enable-user-session and running it on a systemd system, already used path-based Unix sockets and is unaffected by this change. This behaviour change prevents a sandbox escape via the session bus socket in sandboxing frameworks that can share the network namespace with the host system, such as Flatpak. This change might cause a regression in situations where the abstract socket is intentionally shared between the host system and a chroot or container, such as some use-cases of schroot(1). That regression can be resolved by using a bind-mount to share either the D-Bus socket, or the whole /tmp directory, with the chroot or container.

Denial of service fixes:

There are several ways in which an authenticated local attacker could cause a crash (denial of service) in dbus-daemon --system or a custom DBusServer. In uncommon configurations these could potentially be carried out by an authenticated remote attacker.

  • An invalid array of fixed-length elements where the length of the array is not a multiple of the length of the element would cause an assertion failure in debug builds or an out-of-bounds read in production builds. This was a regression in version 1.3.0. (CVE-2022-42011)
  • A syntactically invalid type signature with incorrectly nested parentheses and curly brackets would cause an assertion failure in debug builds. Similar messages could potentially result in a crash or incorrect message processing in a production build, although we are not aware of a practical example. (CVE-2022-42010)
  • A message in non-native endianness with out-of-band Unix file descriptors would cause a use-after-free and possible memory corruption in production builds, or an assertion failure in debug builds. This was a regression in version 1.3.0. (CVE-2022-42012)

comment:2 by Bruce Dubbs, 17 months ago

Resolution: fixed
Status: newclosed

Fixed at commit

Update to iana-etc-20221007.
Update to vim-9.0.0739.
Add upstream patches to readline and bash.
Update to zlib-1.2.13.
Update to man-pages-6.00.
Update to gettext-0.21.1.
Update to iproute2-6.0.0.
Update to meson-0.63.3.
Update to Python-3.10.8.
Update to xz-5.2.7.
Update to tzdata-2022e.
Update to linux-6.0.1.
Update to dbus-1.14.4.

comment:3 by Douglas R. Reno, 17 months ago

Issued SA-11.2-018

Note: See TracTickets for help on using tickets.