#5212 closed enhancement (fixed)

dbus-1.14.6

Reported by: Douglas R. Reno
Owned by: lfs-book
Priority: normal
Milestone: 11.3
Component: Book
Version: git
Severity: normal
Keywords:
Cc:

Description

New point version

Change History (3)

comment:1 by Xi Ruoyao, 21 months ago

dbus 1.14.6 (2023-02-08)

Denial of service fixes:

  • Fix an incorrect assertion that could be used to crash dbus-daemon or other users of DBusServer prior to authentication, if libdbus was compiled with assertions enabled. We recommend that production builds of dbus, for example in OS distributions, should be compiled with checks but without assertions. (dbus#421, Ralf Habacker; thanks to Evgeny Vereshchagin)

Other fixes:

  • When connected to a dbus-broker, stop dbus-monitor from incorrectly replying to Peer method calls that were sent to the dbus-broker with a NULL destination (dbus#301, Kai A. Hiller)
  • Fix out-of-bounds varargs read in the dbus-daemon's config-parser. This is not attacker-triggerable and appears to be harmless in practice, but is technically undefined behaviour and is detected as such by AddressSanitizer. (dbus!357, Evgeny Vereshchagin)
  • Avoid a data race in multi-threaded use of DBusCounter (dbus#426, Ralf Habacker)
  • Fix a crash with some glibc versions when non-auditable SELinux events are logged (dbus!386, Jeremi Piotrowski)
  • If dbus_message_demarshal() runs out of memory while validating a message, report it as NoMemory rather than InvalidArgs (dbus#420, Simon McVittie)
  • Use C11 _Alignof if available, for better standards-compliance (dbus!389, Khem Raj)
  • Stop including an outdated copy of pkg.m4 in the git tree (dbus!365, Simon McVittie)
  • Documentation:
      · Consistently use Gitlab bug reporting URL (dbus!372, Marco Trevisan)
  • Tests fixes:
      · Fix the test-apparmor-activation test after dbus#416 (dbus!380, Dave Jones)

Internal changes:

  • Fix CI builds with recent git versions (dbus#447, Simon McVittie)

comment:2 by Xi Ruoyao, 21 months ago (in reply to comment:1)

Replying to Xi Ruoyao:

Denial of service fixes:

  • Fix an incorrect assertion that could be used to crash dbus-daemon or other users of DBusServer prior to authentication, if libdbus was compiled with assertions enabled. We recommend that production builds of dbus, for example in OS distributions, should be compiled with checks but without assertions. (dbus#421, Ralf Habacker; thanks to Evgeny Vereshchagin)

We are compiling dbus with the default configuration (checks enabled but assertions disabled) in LFS and BLFS, so this does not affect us and we don't need a SA.


comment:3 by Bruce Dubbs, 21 months ago

Resolution: fixed
Status: new → closed

Fixed at commit c6550e11c86cf253a48910ede162a962a7d6b08d

Update to iana-etc-20230202.
Update to zstd-1.5.4.
Update to Python3-3.11.2.
Update to e2fsprogs-1.47.0.
Update to dbus-1.14.6.
Update to linux-6.1.11.
Update to libcap-2.67.
Update to bc-6.2.4.