Bug#1037194: bookworm-pu: package dbus/1.14.8-1~deb12u1

2023-06-17 Thread Simon McVittie
On Wed, 07 Jun 2023 at 14:11:05 +0100, Simon McVittie wrote:
> Fix a local denial of service for which the security team does not intend
> to do a DSA (dbus#457, #1037151; CVE assignment pending).

CVE-2023-34969 has now been assigned.

> I'll be uploading to unstable to get
> wider user testing as soon as the trixie cycle opens

1.14.8 has been in unstable for a few days. fwupd:armhf and
slic3r-prusa:arm64 show up as regressions, but both look more like a
flaky test than a dbus bug.

A release-candidate of the bookworm package is available from:

deb [trusted=yes] https://people.debian.org/~smcv/12.1 bookworm-proposed main

This is intentionally versioned slightly lower (as
1.14.8-1~deb12u1~1+1+g3b42362c0) but the changelog is the only difference.

>   [ ] the issue is verified as fixed in unstable
>   - intentionally not done yet due to the full freeze

Now fixed in unstable by a functionally equivalent package.

Updated debdiff attached: the only difference between this and what I
previously sent (which is what's now in unstable) is the extra changelog
entry.

I've uploaded to stable-NEW in the hope that the stable release team will
be happy to continue following upstream stable branches like we did for
bullseye and buster, but please let me know if any of the changes are
considered inappropriate.

Thanks,
smcv
debdiff *.dsc | filterdiff -p1 -xaminclude_static.am -xMakefile.in -x'*/Makefile.in' -xconfigure

diffstat for dbus-1.14.6 dbus-1.14.8

 AUTHORS |9 ++
 Makefile.in |2 
 NEWS|   29 
 aminclude_static.am |2 
 bus/Makefile.in |2 
 bus/connection.c|   15 
 cmake/DBus1ConfigVersion.cmake  |2 
 configure   |   26 +++
 configure.ac|4 -
 dbus/Makefile.in|2 
 dbus/dbus-connection-internal.h |2 
 dbus/dbus-connection.c  |   11 ++-
 dbus/dbus-internals.h   |2 
 dbus/dbus-message.c |   12 ++-
 dbus/dbus-spawn-win.c   |8 +-
 dbus/dbus-sysdeps-win.c |4 -
 debian/changelog|   22 ++
 debian/control  |2 
 debian/gbp.conf |2 
 debian/watch|2 
 doc/dbus-api-design.duck|4 -
 test/Makefile.in|2 
 test/data/valid-config-files/forbidding.conf.in |3 
 test/monitor.c  |   84 +---
 24 files changed, 207 insertions(+), 46 deletions(-)

diff -Nru dbus-1.14.6/AUTHORS dbus-1.14.8/AUTHORS
--- dbus-1.14.6/AUTHORS	2022-10-05 11:03:53.0 +0100
+++ dbus-1.14.8/AUTHORS	2023-06-06 14:00:36.0 +0100
@@ -15,6 +15,7 @@
 Artem Bityutskiy 
 Arun Raghavan 
 Aurelien Jarno 
+Barnabás Pőcze 
 Benedikt Heine 
 Benjamin Reed 
 Bertrand SIMONNET 
@@ -46,6 +47,7 @@
 Daniel Reed 
 Daniel Wendt 
 Dan Williams 
+Dave Jones 
 Dave Reisner 
 David King 
 David Redondo 
@@ -58,6 +60,7 @@
 Dmitri Iouchtchenko 
 DreamNik 
 Eamon Walsh 
+Evgeny Vereshchagin 
 eXeC001er 
 Federico Mena Quintero 
 Felipe Franciosi 
@@ -75,6 +78,7 @@
 Havoc Pennington 
 Havoc Pennington 
 Hendrik Buschmeier 
+hongjinghao 
 hyeric 
 ilovezfs 
 Ioan-Adrian Ratiu 
@@ -90,6 +94,7 @@
 Jean-Louis Fuchs 
 Jens Granseuer 
 Jérémie Dimino 
+Jeremi Piotrowski 
 Jesper Dam 
 Jiří Klimeš 
 Joe Marcus Clarke 
@@ -104,7 +109,9 @@
 Jon Trowbridge 
 Julien Schueller 
 Justin Lee 
+Kai A. Hiller 
 Kay Sievers 
+Khem Raj 
 Kimmo Hämäläinen 
 Kir Kolyshkin 
 Kjartan Maraas 
@@ -126,6 +133,7 @@
 Marc Brockschmidt 
 Marc Mutz 
 Marc Mutz 
+Marco Trevisan (Treviño) 
 Marcus Brinkmann 
 Mark Brand 
 Mark McLoughlin 
@@ -236,6 +244,7 @@
 Wulf C. Krueger 
 Xan Lopez 
 Yaakov Selkowitz 
+Yen-Chin, Lee 
 Yiyang Fei 
 Zack Rusin 
 Zeeshan Ali 
diff -Nru dbus-1.14.6/bus/connection.c dbus-1.14.8/bus/connection.c
--- dbus-1.14.6/bus/connection.c	2022-10-02 15:06:53.0 +0100
+++ dbus-1.14.8/bus/connection.c	2023-06-06 14:00:36.0 +0100
@@ -2374,6 +2374,21 @@
   if (!dbus_message_set_sender (message, DBUS_SERVICE_DBUS))
 return FALSE;
 
+  /* Make sure the message has a non-zero serial number, otherwise
+   * bus_transaction_capture_error_reply() will not be able to mock up
+   * a corresponding reply for it. Normally this would be delayed until
+   * the first time we actually send the message out from a
+   * connection, when the transaction is committed, but that's too late
+   * in this case.
+   */
+  if (dbus_message_get_serial (message) == 0)
+{
+  dbus_uint32_t 
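Review bot: the new comment says serial assignment is normally deferred until the message is first sent from a connection, so the serial chosen eagerly here must come from the same outgoing-serial counter that a later real send would use, or that send could hand out a number the mocked-up error reply already refers to; the hunk is cut off after `dbus_uint32_t` in this message, so the assignment itself cannot be checked here and should be confirmed against the full debdiff for #1037151 (CVE-2023-34969).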

Bug#1037194: bookworm-pu: package dbus/1.14.8-1~deb12u1

2023-06-07 Thread Cyril Brulebois
Simon McVittie  (2023-06-07):
> Technically dbus has udebs, although as noted above they are not
> directly useful for anything.

I only glanced at the discussion that happened a few hours/days ago on
IRC, but that seemed compelling. No objections from the d-i side.


Cheers,
-- 
Cyril Brulebois (k...@debian.org)
D-I release manager -- Release team member -- Freelance Consultant




Bug#1037194: bookworm-pu: package dbus/1.14.8-1~deb12u1

2023-06-07 Thread Simon McVittie
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: d...@packages.debian.org, debian-b...@lists.debian.org
Control: affects -1 + src:dbus

[ Reason ]
Fix a local denial of service for which the security team does not intend
to do a DSA (dbus#457, #1037151; CVE assignment pending).

[ Impact ]
While a sysadmin is using `dbus-monitor --system` or similar tools,
an unprivileged local user can cause denial of service by crashing the
`dbus-daemon --system`.

The new upstream release also fixes some smaller bugs:
- minor memory leaks if malloc() returns NULL
- interop with non-Debian compilers
- a documentation typo

The packaging also makes dbus-daemon and dbus-bin correctly Multi-Arch:
foreign, like the larger dbus package already was, which is useful in
some cross-compiling scenarios (#1033056). I can revert this if you want,
but it seems like a low-risk and useful change to sneak into 12.1.

[ Tests ]
Build-time tests and autopkgtests pass. There is new test coverage for the
denial of service, which was able to reproduce the bug. I also smoke-tested
this on a GNOME virtual machine, and I'll be uploading to unstable to get
wider user testing as soon as the trixie cycle opens.

I avoided uploading to unstable right now because one of dbus' udebs
is included in the installer - although as far as I can see, it's only
an enabler for a feature that never happened (a11y in the graphical
installer), and isn't actually practically useful.

[ Risks ]
It's a key package, so any regressions would be highly visible.

Technically dbus has udebs, although as noted above they are not directly
useful for anything.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  - the debdiff is for what I'll upload to unstable, for bookworm
it'll get a new 1.14.8-1~deb12u1 changelog entry at the top
  [ ] the issue is verified as fixed in unstable
  - intentionally not done yet due to the full freeze

[ Changes ]
d/control: let dbus-bin:amd64 satisfy Depends: dbus-bin from a non-amd64
package, and the same for dbus-daemon, to help with cross-compiling
bus/connection.c: fix the denial of service, #1037151
dbus/dbus-connection{.c,-internal.h}: enablers for #1037151
dbus/dbus-internals.h: interop with non-gcc compilers
dbus/dbus-*-win.c: interop with non-gcc compilers, not compiled on Debian
dbus/dbus-message.c: fix minor memory leaks if out-of-memory
doc/dbus-api-design.duck: fix a typo in some sample code, not functionally
significant
AUTHORS, NEWS, configure.ac: release administrivia
test/data, test/monitor.c: reproducer for the denial of service bug

[ Other info ]
I'm the de facto upstream release manager for dbus, and I intend to keep
1.14.x suitable for Debian security updates and stable point releases
throughout the non-LTS lifetime of Debian 12, the same as I did for
older branches for the last few years.

After the packaging in unstable diverges from what's appropriate for
stable, I'll do the stable updates as 1.14.x-0+deb12u1, similar to how
we handled 1.12.x in buster and bullseye.

Please let me know if any of the changes are considered inappropriate.

smcv
debdiff *.dsc | filterdiff -p1 -xaminclude_static.am -xMakefile.in -x'*/Makefile.in' -xconfigure

diffstat for dbus-1.14.6 dbus-1.14.8

 AUTHORS |9 ++
 Makefile.in |2 
 NEWS|   29 
 aminclude_static.am |2 
 bus/Makefile.in |2 
 bus/connection.c|   15 
 cmake/DBus1ConfigVersion.cmake  |2 
 configure   |   26 +++
 configure.ac|4 -
 dbus/Makefile.in|2 
 dbus/dbus-connection-internal.h |2 
 dbus/dbus-connection.c  |   11 ++-
 dbus/dbus-internals.h   |2 
 dbus/dbus-message.c |   12 ++-
 dbus/dbus-spawn-win.c   |8 +-
 dbus/dbus-sysdeps-win.c |4 -
 debian/changelog|   14 
 debian/control  |2 
 doc/dbus-api-design.duck|4 -
 test/Makefile.in|2 
 test/data/valid-config-files/forbidding.conf.in |3 
 test/monitor.c  |   84 +---
 22 files changed, 197 insertions(+), 44 deletions(-)

diff -Nru dbus-1.14.6/AUTHORS dbus-1.14.8/AUTHORS
--- dbus-1.14.6/AUTHORS	2022-10-05 11:03:53.0 +0100
+++ dbus-1.14.8/AUTHORS	2023-06-06 14:00:36.0 +0100