This seems ready to release, but please note that technically you should state the actual *version* and not just "the package from -proposed".
-- You received this bug notification because you are a member of Debcrafters packages, which is subscribed to dbus-broker in Ubuntu. https://bugs.launchpad.net/bugs/2061155 Title: Use-after-close vulnerability in dbus-broker 35. Please upgrade package to 36 Status in dbus-broker package in Ubuntu: Fix Released Status in dbus-broker source package in Noble: Fix Committed Status in dbus-broker source package in Oracular: Fix Released Status in dbus-broker source package in Plucky: Fix Released Status in dbus-broker source package in Questing: Fix Released Bug description: [Original Description/Impact] Per https://github.com/bus1/dbus-broker/releases/tag/v36 : # dbus-broker - Linux D-Bus Message Broker ## CHANGES WITH 36: * Fix possible file-descriptor use-after-close, which can lead to broker termination or disclosure of internal file-desciptors to clients. ProblemType: Bug DistroRelease: Ubuntu 24.04 Package: dbus-broker 35-2 ProcVersionSignature: Ubuntu 6.8.0-22.22-generic 6.8.1 Uname: Linux 6.8.0-22-generic x86_64 ApportVersion: 2.28.0-0ubuntu1 Architecture: amd64 CasperMD5CheckResult: pass CurrentDesktop: ubuntu:GNOME Date: Fri Apr 12 11:24:50 2024 InstallationDate: Installed on 2024-04-08 (4 days ago) InstallationMedia: Ubuntu 24.04 LTS "Noble Numbat" - Daily amd64 (20240407.2) ProcEnviron: LANG=en_US.UTF-8 PATH=(custom, no user) SHELL=/bin/bash TERM=xterm-256color XDG_RUNTIME_DIR=<set> SourcePackage: dbus-broker UpgradeStatus: No upgrade log present (probably fresh install) This is a potential issue, that hasn't been demonstrated in practice, but it would be good to fix it in the noble LTS release anyway, just in case. The fix has been out and in multiple Ubuntu releases including Oracular and Plucky, and no issues have been reported. [Test Plan] Build and install the patched dbus-broker in a container and check that it doesn't break: Noble: root@localhost:/tmp# apt install ./dbus-broker_35-2ubuntu0.1_amd64.deb Reading package lists... Done Building dependency tree... Done Reading state information... Done Note, selecting 'dbus-broker' instead of './dbus-broker_35-2ubuntu0.1_amd64.deb' The following NEW packages will be installed: dbus-broker 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded. Need to get 0 B/169 kB of archives. After this operation, 430 kB of additional disk space will be used. Get:1 /tmp/dbus-broker_35-2ubuntu0.1_amd64.deb dbus-broker amd64 35-2ubuntu0.1 [169 kB] Selecting previously unselected package dbus-broker. (Reading database ... 27500 files and directories currently installed.) Preparing to unpack .../dbus-broker_35-2ubuntu0.1_amd64.deb ... Unpacking dbus-broker (35-2ubuntu0.1) ... Setting up dbus-broker (35-2ubuntu0.1) ... Replacing the running dbus-daemon with dbus-broker requires a reboot: please reboot the system when convenient. Created symlink /etc/systemd/user/dbus.service → /usr/lib/systemd/user/dbus-broker.service. Created symlink /etc/systemd/system/dbus.service → /usr/lib/systemd/system/dbus-broker.service. Processing triggers for man-db (2.12.0-4build2) ... Processing triggers for systemd (255.4-1ubuntu8) ... root@localhost:/tmp# systemctl daemon-reload root@localhost:/tmp# systemctl restart dbus-broker root@localhost:/tmp# systemctl status dbus-broker ● dbus-broker.service - D-Bus System Message Bus Loaded: loaded (/usr/lib/systemd/system/dbus-broker.service; enabled; preset: enabled) Active: active (running) since Tue 2025-05-06 15:00:08 BST; 3s ago TriggeredBy: ● dbus.socket Docs: man:dbus-broker-launch(1) Main PID: 2458 (dbus-broker-lau) Tasks: 2 (limit: 66786) Memory: 1.3M (peak: 2.1M) CPU: 10ms CGroup: /system.slice/dbus-broker.service ├─2458 /usr/bin/dbus-broker-launch --scope system --audit └─2459 dbus-broker --log 4 --controller 9 --machine-id b70250626e354e8481fe3ed01e2a769f --max-bytes 5368> May 06 15:00:08 localhost systemd[1]: Starting dbus-broker.service - D-Bus System Message Bus... May 06 15:00:08 localhost dbus-broker-launch[2458]: Kernel is missing AppArmor DBus support. May 06 15:00:08 localhost systemd[1]: Started dbus-broker.service - D-Bus System Message Bus. May 06 15:00:08 localhost dbus-broker-launch[2458]: Ready root@localhost:/tmp# cat /etc/os-release PRETTY_NAME="Ubuntu 24.04 LTS" NAME="Ubuntu" VERSION_ID="24.04" VERSION="24.04 LTS (Noble Numbat)" VERSION_CODENAME=noble ID=ubuntu ID_LIKE=debian HOME_URL="https://www.ubuntu.com/"; SUPPORT_URL="https://help.ubuntu.com/"; BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"; PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"; UBUNTU_CODENAME=noble LOGO=ubuntu-logo [Where problems could occur] File descriptor handling is pretty central to D-Bus, so if a problem occurred there the system functionality would degrade and probably stop working entirely, as clients would no longer be able to successfully pass FDs via D-Bus messages, which is relied upon heavily by components such as systemd. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/dbus-broker/+bug/2061155/+subscriptions -- Mailing list: https://launchpad.net/~debcrafters-packages Post to : [email protected] Unsubscribe : https://launchpad.net/~debcrafters-packages More help : https://help.launchpad.net/ListHelp
