Re: [lfs-book] [LFS Trac] #4665: dbus-1.12.18

2020-06-04 Thread LFS Trac via lfs-book
#4665: dbus-1.12.18
+-
 Reporter:  renodr  |   Owner:  renodr
 Type:  task|  Status:  closed
 Priority:  high|   Milestone:  9.2
Component:  Book| Version:  SVN
 Severity:  normal  |  Resolution:  fixed
 Keywords:  |
+-

Comment (by renodr):

 Some more information on the security flaw:

 {{{
 References: CVE-2020-12049, GHSL-2020-057, dbus#294.

 dbus is the reference implementation of D-Bus, a user-space IPC mechanism
 originating from freedesktop.org and commonly used on Linux and other
 Unix systems.

 Kevin Backhouse of the GitHub Security Lab discovered a denial of service
 vulnerability[0] in dbus >= 1.3.0. An unprivileged local attacker can cause
 the system dbus-daemon (dbus-daemon --system) to leak file descriptors
 (fds) by sending messages with a number of fds that exceeds the allowed
 number, resulting in truncation. The attacker's connection is (correctly)
 disconnected, but the fds that were attached to the truncated message
 are (incorrectly) not closed. By repeating this process, the attacker
 can make the dbus-daemon reach its RLIMIT_NOFILE limit. When this limit
 is reached, new connections will fail, and existing connections will be
 unable to send messages with fds attached, causing denial of service.

 The same attack is also possible in the uncommon situation where processes
 of different privilege levels communicate directly using a private D-Bus
 socket (DBusServer) without going via a dbus-daemon.

 In the development branch, this has been fixed[1] in version 1.13.16.
 Older releases are vulnerable, except where noted below.

 In the stable branch 1.12.x, this has been fixed in version 1.12.18.
 This is the recommended version of dbus for production use and for
 long-term-stable operating systems.

 In the old stable branch 1.10.x, this has been fixed in version 1.10.30.
 This branch is maintained for the benefit of older long-term-stable
 operating systems such as Debian 9, and will reach end-of-life soon[2].

 Older stable branches such as 1.8.x have reached end-of-life and will
 not receive upstream releases to fix this. Upgrading is recommended.
 However, the patch used in supported versions[1] is believed to be
 suitable for third-party backports to older releases.

 We have received a report[3] that in at least OmniOS (a
 Solaris/OpenSolaris/illumos derivative), the solution that was committed
 causes a regression due to differences in the behaviour of SCM_RIGHTS
 between Linux and OmniOS. This is under investigation. On non-Linux
 operating systems such as BSD and Solaris, before deploying a fixed
 version, package maintainers should try running the 'test-fdpass'
 test case to confirm whether their OS kernel has the Linux-like or
 OmniOS-like behaviour. This test-case requires building dbus with the
 --enable-modular-tests configure option, with GLib development files
 available; GLib is only used for the automated tests, and is not a
 dependency of the parts of dbus used in production.

 [0] https://gitlab.freedesktop.org/dbus/dbus/-/issues/294
 [1] https://gitlab.freedesktop.org/dbus/dbus/-/commit/872b085f12f56da25a2dbd9bd0b2dff31d5aea63
 [2] https://lists.freedesktop.org/archives/dbus/2020-June/017873.html
 [3] https://gitlab.freedesktop.org/dbus/dbus/-/issues/304

 --
 Simon McVittie, Collabora Ltd. / Debian
 dbus security contact:
 https://gitlab.freedesktop.org/dbus/dbus/-/blob/master/CONTRIBUTING.md#reporting-security-vulnerabilities
 }}}

--
Ticket URL: 
LFS Trac 
Linux From Scratch: Your Distro, Your Rules.
-- 
http://lists.linuxfromscratch.org/listinfo/lfs-book
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
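The advisory quoted above describes the bug as dbus-daemon disconnecting a peer whose message carried too many fds while leaving those fds open. As an added illustration (not dbus's code and not part of the original post), the C program below shows the defensive handling of that situation: a receiver with a hypothetical per-message cap MAX_FDS_PER_MSG that, when the SCM_RIGHTS control data is truncated or over the limit, closes every fd the kernel already installed before rejecting the message, plus a constructed socketpair peer and a check that no fd stays open afterwards.

```c
#define _GNU_SOURCE                /* MSG_CMSG_CLOEXEC */
#include <unistd.h>
#include <sys/socket.h>
#define MAX_FDS_PER_MSG 4          /* hypothetical cap, standing in for dbus's fd limit */

/* Receive one message carrying SCM_RIGHTS fds into out[]. Returns the number accepted,
 * or -1 if the peer attached more than max_out. On rejection, every fd the kernel has
 * already installed in our table is closed first, so oversized messages cannot leak. */
int recv_fds_safely(int sock, int *out, int max_out) {
    char byte; struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr h; char b[CMSG_SPACE(sizeof(int) * MAX_FDS_PER_MSG)]; } ctl;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = ctl.b, .msg_controllen = sizeof ctl.b };
    if (recvmsg(sock, &msg, MSG_CMSG_CLOEXEC) < 0) return -1;
    int n = 0, ok = 1;
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&msg); c; c = CMSG_NXTHDR(&msg, c)) {
        if (c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) continue;
        int cnt = (c->cmsg_len - CMSG_LEN(0)) / sizeof(int), *fds = (int *)CMSG_DATA(c);
        for (int i = 0; i < cnt; i++)
            if (ok && n < max_out) out[n++] = fds[i]; else { ok = 0; close(fds[i]); }
    }
    /* MSG_CTRUNC: more fds were sent than fit; the ones that fit are already open here. */
    if (msg.msg_flags & MSG_CTRUNC) ok = 0;
    if (!ok) { while (n > 0) close(out[--n]); return -1; }
    return n;
}

/* Constructed peer for the demo: attach nfds (<= 16) copies of fd to a one-byte message. */
static void send_fds(int sock, int fd, int nfds) {
    char byte = 0; struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr h; char b[CMSG_SPACE(sizeof(int) * 16)]; } ctl = {0};
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = ctl.b,
                          .msg_controllen = CMSG_SPACE(sizeof(int) * nfds) };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS; c->cmsg_len = CMSG_LEN(sizeof(int) * nfds);
    for (int i = 0; i < nfds; i++) ((int *)CMSG_DATA(c))[i] = fd;
    (void)sendmsg(sock, &msg, 0);
}

/* One scenario over a socketpair. Returns recv_fds_safely's result (count, or -1 when
 * rejected) if the lowest free fd is unchanged afterwards, and -2 if anything leaked. */
int run_scenario(int nfds) {
    int sv[2], out[MAX_FDS_PER_MSG];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -2;
    int before = dup(sv[0]); close(before);          /* lowest free fd before the message */
    send_fds(sv[0], sv[0], nfds);
    int accepted = recv_fds_safely(sv[1], out, MAX_FDS_PER_MSG);
    for (int i = 0; i < accepted; i++) close(out[i]); /* the caller owns accepted fds */
    int after = dup(sv[0]); close(after);
    close(sv[0]); close(sv[1]); return after == before ? accepted : -2;
}
```

A message within the cap is accepted and its fds handed to the caller; one over the cap is rejected, and in both cases the fd table is back where it started.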


Re: [blfs-book] [BLFS Trac] #13626: dbus-1.12.18

2020-06-04 Thread BLFS Trac via blfs-book
#13626: dbus-1.12.18
-+-
 Reporter:  renodr   |   Owner:  renodr
 Type:  enhancement  |  Status:  closed
 Priority:  high |   Milestone:  9.2
Component:  BOOK | Version:  SVN
 Severity:  normal   |  Resolution:  fixed
 Keywords:   |
-+-


--
Ticket URL: 
BLFS Trac 
Beyond Linux From Scratch
-- 
http://lists.linuxfromscratch.org/listinfo/blfs-book
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page

[lfs-book] LFS Package Currency Check - 2020-06-04 10:50:01 GMT

2020-06-04 Thread bdubbs--- via lfs-book
Package          LFS        Upstream   Flag

acl              2.2.53     2.2.53
attr             2.4.48     2.4.48
autoconf         2.69       2.69
automake         1.16.2     1.16.2
bash             5.0        5.0
bc               2.7.2      2.7.2
binutils         2.34       2.34
bison            3.6.3      3.6.3
bzip2            1.0.8      1.0.8
check            0.14.0     0.14.0
coreutils        8.32       8.32
dbus             1.12.18    1.12.18
dejagnu          1.6.2      1.6.2
diffutils        3.7        3.7
e2fsprogs        1.45.6     1.45.6
elfutils         0.179      0.179
eudev            3.2.9      3.2.9
expat            2.2.9      2.2.9
expect           5.45.4     5.45.4
file             5.38       5.38
findutils        4.7.0      4.7.0
flex             2.6.4      2.6.4
gawk             5.1.0      5.1.0
gcc              10.1.0     10.1.0
gdbm             1.18.1     1.18.1
gettext          0.20.2     0.20.2
glibc            2.31       2.31
gmp              6.2.0      6.2.0
gperf            3.1        3.1
grep             3.4        3.4
groff            1.22.4     1.22.4
grub             2.04       2.04
gzip             1.10       1.10
iana-etc         20200429   20200429
inetutils        1.9.4      1.9.4
intltool         0.51.0     0.51.0
iproute2         5.6.0      5.7.0      *
kbd              2.2.0      2.2.0
kmod             27         27
less             551        551
lfs-bootscripts  20191031   20191031
libcap           2.36       2.36
libffi           3.3        3.3
libpipeline      1.5.2      1.5.2
libtool          2.4.6      2.4.6
linux            5.6.15     5.7        *
m4               1.4.18     1.4.18
make             4.3        4.3
man-db           2.9.2      2.9.2
man-pages        5.06       5.06
meson            0.54.2     0.54.2
mpc              1.1.0      1.1.0
mpfr             4.0.2      4.0.2
ninja            1.10.0     1.10.0
ncurses          6.2        6.2
openssl          1.1.1g     1.1.1g
patch            2.7.6      2.7.6
perl             5.30.3     5.30.3
pkg-config       0.29.2     0.29.2
procps-ng        3.3.16     -2         *
psmisc           23.3       23.3
Python           3.8.3      3.8.3
readline         8.0        8.0
sed              4.8        4.8
shadow           4.8.1      4.8.1
sysklogd         1.5.1      1.5.1
systemd          245        245
sysvinit         2.96       2.96
tar              1.32       1.32
tcl              8.6.10     8.6.10
texinfo          6.7        6.7
tzdata           2020a      2020a
udev-lfs         20171102   20171102
util-linux       2.35.2     2.35.2
vim              8.2.0814   8.2.0896   *
XML-Parser       2.46       2.46
xz               5.2.5      5.2.5
zlib             1.2.11     1.2.11
zstd             1.4.5      1.4.5



[lfs-book] r11896 - in branches/cross-chap5: . appendices chapter01 chapter03 chapter06

2020-06-04 Thread pierre--- via lfs-book
Author: pierre
Date: Wed Jun  3 23:51:00 2020
New Revision: 11896

Log:
Update to upstream r11895

Modified:
   branches/cross-chap5/appendices/dependencies.xml
   branches/cross-chap5/chapter01/changelog.xml
   branches/cross-chap5/chapter03/patches.xml
   branches/cross-chap5/chapter06/libelf.xml
   branches/cross-chap5/chapter06/systemd.xml
   branches/cross-chap5/general.ent
   branches/cross-chap5/packages.ent
   branches/cross-chap5/patches.ent

Modified: branches/cross-chap5/appendices/dependencies.xml
==
--- branches/cross-chap5/appendices/dependencies.xmlWed Jun  3 19:34:40 
2020(r11895)
+++ branches/cross-chap5/appendices/dependencies.xmlWed Jun  3 23:51:00 
2020(r11896)
@@ -1303,8 +1303,8 @@
 
 
 
- Bash, Bison, Coreutils, Flex, GCC, Glibc, Make,
- and Linux API Headers
+ Bash, Bison, Coreutils, Flex, GCC, Glibc, Make, Libcap,
+ Libelf, and Linux API Headers
 
   
 
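Review bot: the two new entries in this hunk, Libcap and Libelf, are inserted after Make, which puts them out of the alphabetical order the rest of the list mostly follows; consider "Bash, Bison, Coreutils, Flex, GCC, Glibc, Libcap, Libelf, Linux API Headers, and Make" so the list is fully sorted.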
@@ -1328,7 +1328,7 @@
 
 
 
-  None
+  Berkeley DB and Iptables
 
   
 
@@ -1464,7 +1464,7 @@
 
 
 
-  Shadow
+  IProute2 and Shadow
 
   
 
@@ -1499,7 +1499,7 @@
 
 
 
-  Linux Kernel
+  IProute2 and Linux Kernel
 
   
 

Modified: branches/cross-chap5/chapter01/changelog.xml
==
--- branches/cross-chap5/chapter01/changelog.xmlWed Jun  3 19:34:40 
2020(r11895)
+++ branches/cross-chap5/chapter01/changelog.xmlWed Jun  3 23:51:00 
2020(r11896)
@@ -42,6 +42,37 @@
  or  as
 appropriate for the entry or if needed the entire day's listitem.
 -->
+
+
+  2020-06-03
+  
+
+  [renodr] - Fix systemd's build with GCC-10 with a patch instead
+  of CFLAGS.
+
+
+  [renodr] - Update to perl-5.30.3 (security update). Fixes
+  #4664.
+
+
+  [renodr] - Update to dbus-1.12.18 (security update). Fixes
+  #4665.
+
+
+  [renodr] - Update to man-db-2.9.2. Fixes
+  #4663.
+
+
+  [renodr] - Update to libcap-2.36. Fixes
+  #4666.
+
+
+  [renodr] - Update to bison-3.6.3. Fixes
+  #4667.
+
+  
+
+
 
   2020-05-31
   
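Review bot: the dbus-1.12.18 entry in this hunk says only "(security update)"; the advisory quoted earlier in this digest identifies the issue as CVE-2020-12049, and naming it in the changelog entry makes the fix traceable for readers checking their builds.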

Modified: branches/cross-chap5/chapter03/patches.xml
==
--- branches/cross-chap5/chapter03/patches.xml  Wed Jun  3 19:34:40 2020
(r11895)
+++ branches/cross-chap5/chapter03/patches.xml  Wed Jun  3 23:51:00 2020
(r11896)
@@ -133,6 +133,15 @@
   
 
 -->
+
+
+  Systemd GCC-10 Patch - 
:
+  
+Download: 
+MD5 sum: 
+  
+
+
   
 
   Total size of these patches: about 
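Review bot: the Download and MD5 sum values of the new Systemd GCC-10 Patch entry render empty here, so they must come from entities; confirm that patches.ent (also modified in this revision) defines them, and that the "Total size of these patches" figure on the last context line of this hunk was updated to include the new patch.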

Modified: branches/cross-chap5/chapter06/libelf.xml
==
--- branches/cross-chap5/chapter06/libelf.xml   Wed Jun  3 19:34:40 2020
(r11895)
+++ branches/cross-chap5/chapter06/libelf.xml   Wed Jun  3 23:51:00 2020
(r11896)
@@ -56,7 +56,7 @@
 
 make check
 
-One test, run-elfclassify.sh, is known to fail.
+
 
 Install only Libelf:
 
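Review bot: the removed sentence "One test, run-elfclassify.sh, is known to fail." is replaced by a blank line rather than deleted outright, leaving stray whitespace in the section; drop the line entirely, and note in the changelog why the test is no longer expected to fail, since neither the log message nor the changelog hunk in this revision says.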

Modified: branches/cross-chap5/chapter06/systemd.xml
==
--- branches/cross-chap5/chapter06/systemd.xml  Wed Jun  3 19:34:40 2020
(r11895)
+++ branches/cross-chap5/chapter06/systemd.xml  Wed Jun  3 23:51:00 2020
(r11896)
@@ -39,12 +39,11 @@
 
   
 Installation of systemd
-
+First, apply a patch to fix the build with GCC-10:
+
+patch -Np1 -i 
../systemd--gcc_10-fixes-1.patch
+
 
 Create a symlink to work around missing xsltproc:
 
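Review bot: the patch filename in the new line "patch -Np1 -i ../systemd--gcc_10-fixes-1.patch" shows a doubled hyphen where the version entity should expand; verify the entity resolves to the same filename the new patches.xml entry downloads, otherwise the instruction fails at build time. The removal of "-Dc_args=-Wno-format-overflow" in the next hunk matches the changelog entry about replacing CFLAGS with a patch.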
@@ -73,7 +72,6 @@
 meson --prefix=/usr \
   --sysconfdir=/etc \
   --localstatedir=/var  \
-  -Dc_args=-Wno-format-overflow \
   -Dblkid=true  \
   -Dbuildtype=release   \
   -Ddefault-dnssec=no   \
@@ -98,6 +96,7 @@
 
   The meaning of the meson options:
 
+
 
   
 -D*-path=*

Modified: branches/cross-chap5/general.ent
==
--- branches/cross-chap5/general.entWed Jun  3 19:34:40 2020(r11895)
+++ branches/cross-chap5/general.entWed Jun  3 23:51:00 2020(r11896)
@@ -1,13 +1,13 @@
-
+
   
  
 
-
+
 
  
 
-
+
 
 
 

Modified: branches/cross-chap5/packages.ent
==
--- branches/cross-chap5/packages.ent   Wed Jun  3 19:34:40 2020(r11895)
+++ branches/cross-chap5/packages.ent   Wed Jun  3 23:51:00