bpfire

mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-09 10:35:53 +02:00

Files

Adolf Belka 6d144d259f dbus: Update to version 1.14.4

- Update from version 1.14.0 to 1.14.4
- Update of rootfile
- Changelog
    dbus 1.14.4 (2022-10-05)
     This is a security update for the dbus 1.14.x stable branch, fixing
     denial-of-service issues (CVE-2022-42010, -42011, -42012) and applying
     security hardening (dbus#416).
	Behaviour changes:
		• On Linux, dbus-daemon and other uses of DBusServer now create a
		  path-based Unix socket, unix:path=..., when asked to listen on a
		  unix:tmpdir=... address. This makes unix:tmpdir=... equivalent to
		  unix:dir=... on all platforms.
		  Previous versions would have created an abstract socket, unix:abstract=...,
		  in this situation.
		  This change primarily affects the well-known session bus when run via
		  dbus-launch(1) or dbus-run-session(1). The user bus, enabled by configuring
		  dbus with --enable-user-session and running it on a systemd system,
		  already used path-based Unix sockets and is unaffected by this change.
		  This behaviour change prevents a sandbox escape via the session bus socket
		  in sandboxing frameworks that can share the network namespace with the host
		  system, such as Flatpak.
		  This change might cause a regression in situations where the abstract socket
		  is intentionally shared between the host system and a chroot or container,
		  such as some use-cases of schroot(1). That regression can be resolved by
		  using a bind-mount to share either the D-Bus socket, or the whole /tmp
		  directory, with the chroot or container.
		  (dbus#416, Simon McVittie)
	Denial of service fixes:
		Evgeny Vereshchagin discovered several ways in which an authenticated
		local attacker could cause a crash (denial of service) in
		dbus-daemon --system or a custom DBusServer. In uncommon configurations
		these could potentially be carried out by an authenticated remote attacker.
		• An invalid array of fixed-length elements where the length of the array
		  is not a multiple of the length of the element would cause an assertion
		  failure in debug builds or an out-of-bounds read in production builds.
		  This was a regression in version 1.3.0.
		  (dbus#413, CVE-2022-42011; Simon McVittie)
		• A syntactically invalid type signature with incorrectly nested parentheses
		  and curly brackets would cause an assertion failure in debug builds.
		  Similar messages could potentially result in a crash or incorrect message
		  processing in a production build, although we are not aware of a practical
		  example. (dbus#418, CVE-2022-42010; Simon McVittie)
		• A message in non-native endianness with out-of-band Unix file descriptors
		  would cause a use-after-free and possible memory corruption in production
		  builds, or an assertion failure in debug builds. This was a regression in
		  version 1.3.0. (dbus#417, CVE-2022-42012; Simon McVittie)
    dbus 1.14.2 (2022-09-26)
	Fixes:
		• Fix build failure on FreeBSD (dbus!277, Alex Richardson)
		• Fix build failure on macOS with launchd enabled
		  (dbus!287, Dawid Wróbel)
		• Preserve errno on failure to open /proc/self/oom_score_adj
		  (dbus!285, Gentoo#834725; Mike Gilbert)
		• On Linux, don't log warnings if oom_score_adj is read-only but does not
		  need to be changed (dbus!291, Simon McVittie)
		• Slightly improve error-handling for inotify
		  (dbus!235, Simon McVittie)
		• Don't crash if dbus-daemon is asked to watch more than 128 directories
		  for changes (dbus!302, Jan Tojnar)
		• Autotools build system fixes:
			  · Don't treat --with-x or --with-x=yes as a request to disable X11,
			    fixing a regression in 1.13.20. Instead, require X11 libraries and
			    fail if they cannot be detected. (dbus!263, Lars Wendler)
			  · When a CMake project uses an Autotools-built libdbus in a
			    non-standard prefix, find dbus-arch-deps.h successfully
			    (dbus#314, Simon McVittie)
			  · Don't include generated XML catalog in source releases
			    (dbus!317, Jan Tojnar)
			  · Improve robustness of detecting gcc __sync atomic builtins
			    (dbus!320, Alex Richardson)
		• CMake build system fixes:
			  · Detect endianness correctly, fixing interoperability with other D-Bus
			    implementations on big-endian systems (dbus#375, Ralf Habacker)
			  · When building for Unix, install session and system bus setup
			    in the intended locations
			    (dbus!267, dbus!297; Ralf Habacker, Alex Richardson)
			  · Detect setresuid() and getresuid() (dbus!319, Alex Richardson)
			  · Detect backtrace() on FreeBSD (dbus!281, Alex Richardson)
			  · Don't include headers from parent directory (dbus!282, Alex Richardson)
			  · Distinguish between host and target TMPDIR when cross-compiling
			    (dbus!279, Alex Richardson)
			  · Fix detection of atomic operations (dbus!306, Alex Richardson)
		Tests and CI enhancements:
			• On Unix, skip tests that switch uid if run in a container that is
			  unable to do so, instead of failing (dbus#407, Simon McVittie)
			• Use the latest MSYS2 packages for CI
			  (Ralf Habacker, Simon McVittie)

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>

2022-12-26 08:43:27 +00:00