Hello community, here is the log from the commit of package dbus-1 for openSUSE:Factory checked in at 2014-06-18 08:35:44 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/dbus-1 (Old) and /work/SRC/openSUSE:Factory/.dbus-1.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "dbus-1" Changes: -------- --- /work/SRC/openSUSE:Factory/dbus-1/dbus-1-x11.changes 2014-05-06 13:39:29.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.dbus-1.new/dbus-1-x11.changes 2014-06-18 08:35:45.000000000 +0200 @@ -1,0 +2,13 @@ +Wed Jun 11 04:58:38 UTC 2014 - [email protected] + +- Update to 1.8.2: + + Security fix: + - Alban Crequy at Collabora Ltd. discovered and fixed a + denial-of-service flaw in dbus-daemon, part of the reference + implementation of D-Bus. + Additionally, in highly unusual environments the same flaw + could lead to a side channel between processes that should + not be able to communicate. (CVE-2014-3477, fdo#78979, + bnc#881137) + +------------------------------------------------------------------- dbus-1.changes: same change Old: ---- dbus-1.8.2.tar.gz New: ---- dbus-1.8.4.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ dbus-1-x11.spec ++++++ --- /var/tmp/diff_new_pack.HlRxzR/_old 2014-06-18 08:35:46.000000000 +0200 +++ /var/tmp/diff_new_pack.HlRxzR/_new 2014-06-18 08:35:46.000000000 +0200 @@ -46,7 +46,7 @@ BuildRequires: libexpat-devel BuildRequires: libtool BuildRequires: pkg-config -Version: 1.8.2 +Version: 1.8.4 Release: 0 # Source0: http://dbus.freedesktop.org/releases/dbus/%{_name}-%{version}.tar.gz dbus-1.spec: same change ++++++ dbus-1.8.2.tar.gz -> dbus-1.8.4.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dbus-1.8.2/NEWS new/dbus-1.8.4/NEWS --- old/dbus-1.8.2/NEWS 2014-04-30 20:49:38.000000000 +0200 +++ new/dbus-1.8.4/NEWS 2014-06-05 15:52:21.000000000 +0200 
@@ -1,3 +1,14 @@ +D-Bus 1.8.4 (2014-06-10) +== + +Security fix: + +• Alban Crequy at Collabora Ltd. discovered and fixed a denial-of-service + flaw in dbus-daemon, part of the reference implementation of D-Bus. + Additionally, in highly unusual environments the same flaw could lead to + a side channel between processes that should not be able to communicate. + (CVE-2014-3477, fd.o #78979) + D-Bus 1.8.2 (2014-04-30) == diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dbus-1.8.2/bus/activation.c new/dbus-1.8.4/bus/activation.c --- old/dbus-1.8.2/bus/activation.c 2014-01-25 13:39:24.000000000 +0100 +++ new/dbus-1.8.4/bus/activation.c 2014-06-05 15:35:18.000000000 +0200 @@ -1162,14 +1162,11 @@ dbus_bool_t bus_activation_send_pending_auto_activation_messages (BusActivation *activation, BusService *service, - BusTransaction *transaction, - DBusError *error) + BusTransaction *transaction) { BusPendingActivation *pending_activation; DBusList *link; - _DBUS_ASSERT_ERROR_IS_CLEAR (error); - /* Check if it's a pending activation */ pending_activation = _dbus_hash_table_lookup_string (activation->pending_activations, bus_service_get_name (service)); @@ -1186,6 +1183,9 @@ if (entry->auto_activation && (entry->connection == NULL || dbus_connection_get_is_connected (entry->connection))) { DBusConnection *addressed_recipient; + DBusError error; + + dbus_error_init (&error); addressed_recipient = bus_service_get_primary_owners_connection (service); 
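Review bot: With the `DBusError *error` parameter removed, nothing in the signature of `bus_activation_send_pending_auto_activation_messages` says what a FALSE return means, and no doc comment is visible above the definition. The only failure path visible in the later hunks is the `goto error` after `add_restore_pending_to_transaction`, and the caller in bus/services.c now turns every FALSE into `BUS_SET_OOM (error)`, so the contract appears to be that FALSE means out of memory and nothing else. I would record that above the definition, for example `/* Returns FALSE only on OOM; policy denials are sent to the original sender, never to the caller. */`, so that a failure path added later is not silently reported as OOM. The function body continues outside this hunk.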
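Review bot: The guard kept as context in this hunk admits entries whose `entry->connection` is NULL, and the next hunk passes that same connection to `bus_transaction_send_error_reply` and `bus_connection_send_oom_error`. Whether those helpers tolerate a NULL connection is not visible in this diff; if they do not, a failed match on an entry with no originating connection would dereference NULL inside dbus-daemon. I would either confirm that they accept NULL or wrap the reply in `if (entry->connection != NULL)`. The enclosing loop starts and ends outside this hunk.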
@@ -1193,8 +1193,22 @@ if (!bus_dispatch_matches (transaction, entry->connection, addressed_recipient, - entry->activation_message, error)) - goto error; + entry->activation_message, &error)) + { + /* If permission is denied, we just want to return the error + * to the original method invoker; in particular, we don't + * want to make the RequestName call fail with that error + * (see fd.o #78979, CVE-2014-3477). */ + if (!bus_transaction_send_error_reply (transaction, entry->connection, + &error, entry->activation_message)) + { + bus_connection_send_oom_error (entry->connection, + entry->activation_message); + } + + link = next; + continue; + } } link = next; @@ -1203,7 +1217,6 @@ if (!add_restore_pending_to_transaction (transaction, pending_activation)) { _dbus_verbose ("Could not add cancel hook to transaction to revert removing pending activation\n"); - BUS_SET_OOM (error); goto error; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dbus-1.8.2/bus/activation.h new/dbus-1.8.4/bus/activation.h --- old/dbus-1.8.2/bus/activation.h 2014-01-25 13:39:24.000000000 +0100 +++ new/dbus-1.8.4/bus/activation.h 2014-06-03 16:55:35.000000000 +0200 @@ -62,8 +62,7 @@ dbus_bool_t bus_activation_send_pending_auto_activation_messages (BusActivation *activation, BusService *service, - BusTransaction *transaction, - DBusError *error); + BusTransaction *transaction); #endif /* BUS_ACTIVATION_H */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dbus-1.8.2/bus/services.c new/dbus-1.8.4/bus/services.c --- old/dbus-1.8.2/bus/services.c 2014-01-25 13:39:24.000000000 +0100 +++ new/dbus-1.8.4/bus/services.c 2014-06-03 16:55:35.000000000 +0200 
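Review bot: The new failure branch never releases `error`: `bus_dispatch_matches` sets it, the two reply helpers appear only to read it, and the branch then runs `link = next; continue;`. Because `error` is re-initialised with `dbus_error_init (&error)` for the next matching entry, any memory the error owns would be lost on each denied message, giving a slow memory-growth path in a long-running daemon. I would add `dbus_error_free (&error);` just before `link = next;` in this branch. The rest of the loop lies outside the hunk, but the `continue` would skip any later free.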
@@ -588,8 +588,9 @@ activation = bus_context_get_activation (registry->context); retval = bus_activation_send_pending_auto_activation_messages (activation, service, - transaction, - error); + transaction); + if (!retval) + BUS_SET_OOM (error); out: return retval; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dbus-1.8.2/configure new/dbus-1.8.4/configure --- old/dbus-1.8.2/configure 2014-04-30 21:14:38.000000000 +0200 +++ new/dbus-1.8.4/configure 2014-06-05 15:56:49.000000000 +0200 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for dbus 1.8.2. +# Generated by GNU Autoconf 2.69 for dbus 1.8.4. # # Report bugs to <https://bugs.freedesktop.org/enter_bug.cgi?product=dbus>. # @@ -591,8 +591,8 @@ # Identity of this package. PACKAGE_NAME='dbus' PACKAGE_TARNAME='dbus' -PACKAGE_VERSION='1.8.2' -PACKAGE_STRING='dbus 1.8.2' +PACKAGE_VERSION='1.8.4' +PACKAGE_STRING='dbus 1.8.4' PACKAGE_BUGREPORT='https://bugs.freedesktop.org/enter_bug.cgi?product=dbus' PACKAGE_URL='' @@ -1512,7 +1512,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures dbus 1.8.2 to adapt to many kinds of systems. +\`configure' configures dbus 1.8.4 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1586,7 +1586,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of dbus 1.8.2:";; + short | recursive ) echo "Configuration of dbus 1.8.4:";; esac cat <<\_ACEOF @@ -1783,7 +1783,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -dbus configure 1.8.2 +dbus configure 1.8.4 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. 
@@ -2502,7 +2502,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by dbus $as_me 1.8.2, which was +It was created by dbus $as_me 1.8.4, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -3442,7 +3442,7 @@ # Define the identity of the package. PACKAGE='dbus' - VERSION='1.8.2' + VERSION='1.8.4' cat >>confdefs.h <<_ACEOF @@ -3742,7 +3742,7 @@ ## increment any time the source changes; set to ## 0 if you increment CURRENT -LT_REVISION=4 +LT_REVISION=5 ## increment if any interfaces have been added; set to 0 ## if any interfaces have been changed or removed. removal has @@ -3755,8 +3755,8 @@ DBUS_MAJOR_VERSION=1 DBUS_MINOR_VERSION=8 -DBUS_MICRO_VERSION=2 -DBUS_VERSION=1.8.2 +DBUS_MICRO_VERSION=4 +DBUS_VERSION=1.8.4 @@ -23266,7 +23266,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by dbus $as_me 1.8.2, which was +This file was extended by dbus $as_me 1.8.4, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -23332,7 +23332,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -dbus config.status 1.8.2 +dbus config.status 1.8.4 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dbus-1.8.2/configure.ac new/dbus-1.8.4/configure.ac --- old/dbus-1.8.2/configure.ac 2014-04-30 20:48:29.000000000 +0200 +++ new/dbus-1.8.4/configure.ac 2014-06-05 15:53:52.000000000 +0200 
@@ -3,7 +3,7 @@ m4_define([dbus_major_version], [1]) m4_define([dbus_minor_version], [8]) -m4_define([dbus_micro_version], [2]) +m4_define([dbus_micro_version], [4]) m4_define([dbus_version], [dbus_major_version.dbus_minor_version.dbus_micro_version]) AC_INIT([dbus],[dbus_version],[https://bugs.freedesktop.org/enter_bug.cgi?product=dbus],[dbus]) @@ -37,7 +37,7 @@ ## increment any time the source changes; set to ## 0 if you increment CURRENT -LT_REVISION=4 +LT_REVISION=5 ## increment if any interfaces have been added; set to 0 ## if any interfaces have been changed or removed. removal has -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
