Hello community,

here is the log from the commit of package dbus-1 for openSUSE:Factory checked 
in at 2016-10-13 11:24:02
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/dbus-1 (Old)
 and      /work/SRC/openSUSE:Factory/.dbus-1.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "dbus-1"

Changes:
--------
--- /work/SRC/openSUSE:Factory/dbus-1/dbus-1-x11.changes        2016-09-17 
14:33:04.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.dbus-1.new/dbus-1-x11.changes   2016-10-13 
11:24:03.000000000 +0200
@@ -1,0 +2,26 @@
+Tue Oct 11 07:33:15 UTC 2016 - [email protected]
+
+- Update to 1.10.12
+  * Security fixes:
+    + Do not treat ActivationFailure message received from
+      root-owned systemd name as a format string. In principle this
+      is a security vulnerability, but we do not believe it is
+      exploitable in practice, because only privileged processes can
+      own the org.freedesktop.systemd1 bus name, and systemd does
+      not appear to send activation failures that contain "%".
+      Please note that this probably *was* exploitable in dbus
+      versions older than 1.6.30, 1.8.16 and 1.9.10 due to a missing
+      check which at the time was only thought to be a denial of
+      service vulnerability (CVE-2015-0245). If you are still
+      running one of those versions, patch or upgrade immediately.
+      (fdo#98157, bsc#1003898, Simon McVittie)
+  * Other fixes:
+    + Harden dbus-daemon against malicious or incorrect
+      ActivationFailure messages by rejecting them if they do not
+      come from a privileged process, or if systemd activation is
+      not enabled (fdo#98157, Simon McVittie)
+    + Avoid undefined behaviour when setting reply serial number
+      without going via union DBusBasicValue (fdo#98035, Marc Mutz)
+    + autogen.sh: fail cleanly if autoconf fails (Simon McVittie)
+
+-------------------------------------------------------------------
dbus-1.changes: same change

Old:
----
  dbus-1.10.10.tar.gz

New:
----
  dbus-1.10.12.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ dbus-1-x11.spec ++++++
--- /var/tmp/diff_new_pack.4rpLrV/_old  2016-10-13 11:24:05.000000000 +0200
+++ /var/tmp/diff_new_pack.4rpLrV/_new  2016-10-13 11:24:05.000000000 +0200
@@ -27,7 +27,7 @@
 Url:            http://dbus.freedesktop.org/
 # COMMON1-BEGIN
 # COMMON1-BEGIN
-Version:        1.10.10
+Version:        1.10.12
 Release:        0
 Source0:        
http://dbus.freedesktop.org/releases/dbus/%{_name}-%{version}.tar.gz
 Source2:        dbus-1.desktop
@@ -74,8 +74,8 @@
 
 %package -n dbus-1
 Summary:        D-Bus Message Bus System
-Group:          System/Daemons
 # FIXME: use proper Requires(pre/post/preun/...)
+Group:          System/Daemons
 PreReq:         %{_sbindir}/groupadd
 PreReq:         %{_sbindir}/useradd
 PreReq:         permissions

++++++ dbus-1.spec ++++++
--- /var/tmp/diff_new_pack.4rpLrV/_old  2016-10-13 11:24:05.000000000 +0200
+++ /var/tmp/diff_new_pack.4rpLrV/_new  2016-10-13 11:24:05.000000000 +0200
@@ -28,7 +28,7 @@
 Url:            http://dbus.freedesktop.org/
 # WARNING don't use cosmetic beautifiers. it will break the specs after 
calling pre_checkin script. we don't need to be pretty, but efficient
 # COMMON1-BEGIN
-Version:        1.10.10
+Version:        1.10.12
 Release:        0
 Source0:        
http://dbus.freedesktop.org/releases/dbus/%{_name}-%{version}.tar.gz
 Source2:        dbus-1.desktop

++++++ dbus-1-x11.spec.in ++++++
--- /var/tmp/diff_new_pack.4rpLrV/_old  2016-10-13 11:24:05.000000000 +0200
+++ /var/tmp/diff_new_pack.4rpLrV/_new  2016-10-13 11:24:05.000000000 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package dbus-1-x11.spec
 #
-# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -29,6 +29,7 @@
 # COMMON1-END
 BuildRequires:  audit-devel
 BuildRequires:  doxygen
+BuildRequires:  pkgconfig
 BuildRequires:  update-desktop-files
 BuildRequires:  xmlto
 BuildRequires:  pkgconfig(x11)
@@ -59,10 +60,6 @@
 PreReq:         %{_sbindir}/useradd
 PreReq:         permissions
 Requires(post): %{_libname} = %{version}
-# bug437293
-%ifarch ppc64
-Obsoletes:      dbus-1-64bit
-%endif
 
 %description -n dbus-1
 D-Bus is a message bus system, a simple way for applications to talk to
@@ -84,7 +81,7 @@
 mv %{buildroot}/bin/dbus-run-session %{buildroot}/%{_bindir}
 ln -sf %{_sbindir}/service  %{buildroot}/%{_sbindir}/rcdbus
 %if 0%{?suse_version} <= 1315 && !0%{?is_opensuse}
-install -d %{buildroot}/var/run/dbus
+install -d %{buildroot}%{_localstatedir}/run/dbus
 %else
 install -d %{buildroot}/run/dbus
 %endif
@@ -120,7 +117,7 @@
 %pre -n dbus-1
 %{_sbindir}/groupadd -r messagebus 2> /dev/null || :
 %if 0%{?suse_version} <= 1315 && !0%{?is_opensuse}
-%{_sbindir}/useradd -r -s /bin/false -c "User for D-Bus" -d /var/run/dbus -g 
messagebus messagebus 2> /dev/null || :
+%{_sbindir}/useradd -r -s /bin/false -c "User for D-Bus" -d 
%{_localstatedir}/run/dbus -g messagebus messagebus 2> /dev/null || :
 %else
 %{_sbindir}/useradd -r -s /bin/false -c "User for D-Bus" -d /run/dbus -g 
messagebus messagebus 2> /dev/null || :
 %endif
@@ -181,7 +178,7 @@
 # behind these permissions
 %attr(4750,root,messagebus) %verify(not mode) 
/lib/dbus-1/dbus-daemon-launch-helper
 %if 0%{?suse_version} <= 1315 && !0%{?is_opensuse}
-%ghost /var/run/dbus
+%ghost %{_localstatedir}/run/dbus
 %else
 %ghost /run/dbus
 %endif

++++++ dbus-1.10.10.tar.gz -> dbus-1.10.12.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/dbus-1.10.10/NEWS new/dbus-1.10.12/NEWS
--- old/dbus-1.10.10/NEWS       2016-08-15 20:58:20.000000000 +0200
+++ new/dbus-1.10.12/NEWS       2016-10-10 11:19:15.000000000 +0200
@@ -1,3 +1,36 @@
+D-Bus 1.10.12 (2016-10-10)
+==
+
+The “not excessively inhospitable” release.
+
+Security fixes:
+
+• Do not treat ActivationFailure message received from root-owned systemd
+  name as a format string. In principle this is a security vulnerability,
+  but we do not believe it is exploitable in practice, because only
+  privileged processes can own the org.freedesktop.systemd1 bus name, and
+  systemd does not appear to send activation failures that contain "%".
+
+  Please note that this probably *was* exploitable in dbus versions
+  older than 1.6.30, 1.8.16 and 1.9.10 due to a missing check which at
+  the time was only thought to be a denial of service vulnerability
+  (CVE-2015-0245). If you are still running one of those versions,
+  patch or upgrade immediately.
+
+  (fd.o #98157, Simon McVittie)
+
+Other fixes:
+
+• Harden dbus-daemon against malicious or incorrect ActivationFailure
+  messages by rejecting them if they do not come from a privileged
+  process, or if systemd activation is not enabled
+  (fd.o #98157, Simon McVittie)
+
+• Avoid undefined behaviour when setting reply serial number without going
+  via union DBusBasicValue (fd.o #98035, Marc Mutz)
+
+• autogen.sh: fail cleanly if autoconf fails (Simon McVittie)
+
 D-Bus 1.10.10 (2016-08-15)
 ==
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/dbus-1.10.10/autogen.sh new/dbus-1.10.12/autogen.sh
--- old/dbus-1.10.10/autogen.sh 2015-09-30 16:48:40.000000000 +0200
+++ new/dbus-1.10.12/autogen.sh 2016-10-07 22:27:14.000000000 +0200
@@ -81,7 +81,10 @@
 (autoheader --version)  < /dev/null > /dev/null 2>&1 && autoheader
 
 $AUTOMAKE -a $am_opt
-autoconf || echo "autoconf failed - version 2.5x is probably required"
+if ! autoconf; then
+  echo "autoconf failed - version 2.5x is probably required" >&2
+  exit 1
+fi
 
 cd $ORIGDIR
 
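Review bot: The new failure handling covers autoconf only; `$AUTOMAKE -a $am_opt` just above it still continues on error, so a broken automake run falls through to autoconf and the new message blames the wrong tool. If that is not intentional, guarding it the same way, `$AUTOMAKE -a $am_opt || { echo "automake failed" >&2; exit 1; }`, keeps the script's error behaviour consistent.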
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/dbus-1.10.10/build-aux/ltmain.sh 
new/dbus-1.10.12/build-aux/ltmain.sh
--- old/dbus-1.10.10/build-aux/ltmain.sh        2016-08-15 20:59:31.000000000 
+0200
+++ new/dbus-1.10.12/build-aux/ltmain.sh        2016-10-10 11:23:52.000000000 
+0200
@@ -31,7 +31,7 @@
 
 PROGRAM=libtool
 PACKAGE=libtool
-VERSION="2.4.6 Debian-2.4.6-1"
+VERSION="2.4.6 Debian-2.4.6-2"
 package_revision=2.4.6
 
 
@@ -1977,7 +1977,7 @@
 # End:
 
 # Set a version string.
-scriptversion='(GNU libtool) 2.4.6 Debian-2.4.6-1'
+scriptversion='(GNU libtool) 2.4.6'
 
 
 # func_echo ARG...
@@ -2068,7 +2068,7 @@
        compiler:       $LTCC
        compiler flags: $LTCFLAGS
        linker:         $LD (gnu? $with_gnu_ld)
-       version:        $progname $scriptversion
+       version:        $progname $scriptversion Debian-2.4.6-2
        automake:       `($AUTOMAKE --version) 2>/dev/null |$SED 1q`
        autoconf:       `($AUTOCONF --version) 2>/dev/null |$SED 1q`
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/dbus-1.10.10/bus/activation.c 
new/dbus-1.10.12/bus/activation.c
--- old/dbus-1.10.10/bus/activation.c   2016-08-12 10:50:00.000000000 +0200
+++ new/dbus-1.10.12/bus/activation.c   2016-10-10 11:06:26.000000000 +0200
@@ -2274,7 +2274,7 @@
                              DBUS_TYPE_STRING, &code,
                              DBUS_TYPE_STRING, &str,
                              DBUS_TYPE_INVALID))
-    dbus_set_error(&error, code, str);
+    dbus_set_error (&error, code, "%s", str);
 
 
   if (unit)
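Review bot: The corrected call passes `str` as an argument rather than as the format, but nothing in the code records why the explicit `"%s"` is there, so a later cleanup could drop it again; add a comment above the call such as `/* code and str come from the message body: never pass str as the format string */`. `code` from the same message is still used as the error name; whether dbus_set_error validates it is outside this hunk, and the sender checks added in bus/driver.c in this same release limit who can reach this path. The enclosing function begins and ends outside the hunk.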
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/dbus-1.10.10/bus/driver.c 
new/dbus-1.10.12/bus/driver.c
--- old/dbus-1.10.10/bus/driver.c       2015-11-23 22:53:42.000000000 +0100
+++ new/dbus-1.10.12/bus/driver.c       2016-10-10 11:06:26.000000000 +0200
@@ -2616,6 +2616,15 @@
       BusContext *context;
       DBusConnection *systemd;
 
+      /* This is a directed signal, not a method call, so the log message
+       * is a little weird (it talks about "calling" ActivationFailure),
+       * but it's close enough */
+      if (!bus_driver_check_caller_is_privileged (connection,
+                                                  transaction,
+                                                  message,
+                                                  error))
+        return FALSE;
+
       context = bus_connection_get_context (connection);
       systemd = bus_driver_get_owner_of_name (connection,
           "org.freedesktop.systemd1");
@@ -2634,6 +2643,14 @@
           return TRUE;
         }
 
+      if (!bus_context_get_systemd_activation (context))
+        {
+          bus_context_log (context, DBUS_SYSTEM_LOG_WARNING,
+                           "Ignoring unexpected ActivationFailure message "
+                           "while not using systemd activation");
+          return FALSE;
+        }
+
       return 
dbus_activation_systemd_failure(bus_context_get_activation(context), message);
     }
 
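Review bot: The new systemd-activation guard returns FALSE without setting `error`, which is inconsistent with the two sibling exits in the same branch: the privilege check added earlier in this function fails through `error`, and the forged-sender check just above returns TRUE after logging. If the caller of this handler treats FALSE with a clear error as out-of-memory (a common convention in dbus-daemon; confirm against the dispatch code, which is outside this hunk), a merely unexpected message would be handled as an allocation failure. Since the message is deliberately ignored, `return TRUE;` after the log call would match the forged-sender path; otherwise set an error before returning. The enclosing function starts and ends outside the hunk.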
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/dbus-1.10.10/configure new/dbus-1.10.12/configure
--- old/dbus-1.10.10/configure  2016-08-15 20:59:42.000000000 +0200
+++ new/dbus-1.10.12/configure  2016-10-10 11:24:11.000000000 +0200
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for dbus 1.10.10.
+# Generated by GNU Autoconf 2.69 for dbus 1.10.12.
 #
 # Report bugs to <https://bugs.freedesktop.org/enter_bug.cgi?product=dbus>.
 #
@@ -591,8 +591,8 @@
 # Identity of this package.
 PACKAGE_NAME='dbus'
 PACKAGE_TARNAME='dbus'
-PACKAGE_VERSION='1.10.10'
-PACKAGE_STRING='dbus 1.10.10'
+PACKAGE_VERSION='1.10.12'
+PACKAGE_STRING='dbus 1.10.12'
 PACKAGE_BUGREPORT='https://bugs.freedesktop.org/enter_bug.cgi?product=dbus'
 PACKAGE_URL=''
 
@@ -1551,7 +1551,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures dbus 1.10.10 to adapt to many kinds of systems.
+\`configure' configures dbus 1.10.12 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1626,7 +1626,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of dbus 1.10.10:";;
+     short | recursive ) echo "Configuration of dbus 1.10.12:";;
    esac
   cat <<\_ACEOF
 
@@ -1839,7 +1839,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-dbus configure 1.10.10
+dbus configure 1.10.12
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2615,7 +2615,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by dbus $as_me 1.10.10, which was
+It was created by dbus $as_me 1.10.12, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -3558,7 +3558,7 @@
 
 # Define the identity of the package.
  PACKAGE='dbus'
- VERSION='1.10.10'
+ VERSION='1.10.12'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -3858,7 +3858,7 @@
 
 ## increment any time the source changes; set to
 ##  0 if you increment CURRENT
-LT_REVISION=7
+LT_REVISION=8
 
 ## increment if any interfaces have been added; set to 0
 ## if any interfaces have been changed or removed. removal has
@@ -3873,8 +3873,8 @@
 
 DBUS_MAJOR_VERSION=1
 DBUS_MINOR_VERSION=10
-DBUS_MICRO_VERSION=10
-DBUS_VERSION=1.10.10
+DBUS_MICRO_VERSION=12
+DBUS_VERSION=1.10.12
 
 
 
@@ -22914,6 +22914,7 @@
 
 
   for tp_flag in                           $DISABLE_UNUSED_WARNINGS \
+   deprecated-declarations \
    missing-field-initializers \
    unused-parameter \
    pointer-sign \
@@ -24909,7 +24910,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by dbus $as_me 1.10.10, which was
+This file was extended by dbus $as_me 1.10.12, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -24975,7 +24976,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; 
s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-dbus config.status 1.10.10
+dbus config.status 1.10.12
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/dbus-1.10.10/configure.ac 
new/dbus-1.10.12/configure.ac
--- old/dbus-1.10.10/configure.ac       2016-08-15 20:59:02.000000000 +0200
+++ new/dbus-1.10.12/configure.ac       2016-10-10 11:19:35.000000000 +0200
@@ -3,7 +3,7 @@
 
 m4_define([dbus_major_version], [1])
 m4_define([dbus_minor_version], [10])
-m4_define([dbus_micro_version], [10])
+m4_define([dbus_micro_version], [12])
 m4_define([dbus_version],
           [dbus_major_version.dbus_minor_version.dbus_micro_version])
 
AC_INIT([dbus],[dbus_version],[https://bugs.freedesktop.org/enter_bug.cgi?product=dbus],[dbus])
@@ -38,7 +38,7 @@
 
 ## increment any time the source changes; set to
 ##  0 if you increment CURRENT
-LT_REVISION=7
+LT_REVISION=8
 
 ## increment if any interfaces have been added; set to 0
 ## if any interfaces have been changed or removed. removal has
@@ -1387,6 +1387,7 @@
   dnl - type-limits is probably a bug too, but having the rest of -Wextra
   dnl   is better than nothing
   [$DISABLE_UNUSED_WARNINGS \
+   deprecated-declarations \
    missing-field-initializers \
    unused-parameter \
    pointer-sign \
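Review bot: The added `deprecated-declarations` entry carries no rationale, while the `dnl` comments above the list explain why each other suppressed warning is tolerated. Silencing -Wdeprecated-declarations hides calls to APIs their owners have flagged for removal, so a line such as `dnl - deprecated-declarations: <reason placeholder, e.g. which dependency's headers trigger it>` would tell the next maintainer when it can be re-enabled. The same addition appears in the generated configure hunk for the same list.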
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/dbus-1.10.10/dbus/dbus-message.c 
new/dbus-1.10.12/dbus/dbus-message.c
--- old/dbus-1.10.10/dbus/dbus-message.c        2016-03-02 19:52:34.000000000 
+0100
+++ new/dbus-1.10.12/dbus/dbus-message.c        2016-10-07 22:27:14.000000000 
+0200
@@ -1166,14 +1166,18 @@
 dbus_message_set_reply_serial (DBusMessage   *message,
                                dbus_uint32_t  reply_serial)
 {
+  DBusBasicValue value;
+
   _dbus_return_val_if_fail (message != NULL, FALSE);
   _dbus_return_val_if_fail (!message->locked, FALSE);
   _dbus_return_val_if_fail (reply_serial != 0, FALSE); /* 0 is invalid */
 
+  value.u32 = reply_serial;
+
   return _dbus_header_set_field_basic (&message->header,
                                        DBUS_HEADER_FIELD_REPLY_SERIAL,
                                        DBUS_TYPE_UINT32,
-                                       &reply_serial);
+                                       &value);
 }
 
 /**
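Review bot: The new local `value` is uncommented, so a reader sees a uint32 copied into a union for no visible reason and may simplify it back to `&reply_serial`. A one-line comment above `value.u32 = reply_serial;` such as `/* pass a real DBusBasicValue: per the NEWS entry, handing the callee a plain dbus_uint32_t is undefined behaviour */` keeps the fix from regressing. The function itself is fully visible in this hunk.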
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/dbus-1.10.10/doc/Makefile.in 
new/dbus-1.10.12/doc/Makefile.in
--- old/dbus-1.10.10/doc/Makefile.in    2016-08-15 20:59:41.000000000 +0200
+++ new/dbus-1.10.12/doc/Makefile.in    2016-10-10 11:24:09.000000000 +0200
@@ -723,8 +723,8 @@
 maintainer-clean-generic:
        @echo "This command is intended for maintainers to use"
        @echo "it deletes files that may require special tools to rebuild."
-@DBUS_DOXYGEN_DOCS_ENABLED_FALSE@install-data-local:
 @DBUS_DOXYGEN_DOCS_ENABLED_FALSE@uninstall-local:
+@DBUS_DOXYGEN_DOCS_ENABLED_FALSE@install-data-local:
 clean: clean-am
 
 clean-am: clean-generic clean-libtool clean-local mostlyclean-am

