Bug#858635: unblock (pre-approval): dbus/1.10.18-1 with #857660 fixed

[Cyril Brulebois]

Cyril Brulebois  (2017-04-06):
> My objection right now is only about the timing, I'm not trying to get
> your work delayed until after stretch. I think I've already done some
> extra work in the past to make sure stuff which weren't block-udeb'd got
> into testing after the release.

It's fine to merge this now, thanks.


KiBi.


signature.asc
Description: Digital signature

Bug#858635: unblock (pre-approval): dbus/1.10.18-1 with #857660 fixed

[Simon McVittie]

On Thu, 06 Apr 2017 at 17:36:51 +0200, Cyril Brulebois wrote:
> My objection right now is only about the timing

Great - as long as it isn't prevented from getting there eventually,
that's all I want.

S

Bug#858635: unblock (pre-approval): dbus/1.10.18-1 with #857660 fixed

[Cyril Brulebois]

Hi,

Simon McVittie  (2017-04-06):
> On Thu, 06 Apr 2017 at 10:22:50 +0200, Cyril Brulebois wrote:
> > Tempted to NACK this for the time being. A line must be drawn, and
> > things are getting into shape for the release; since it was uploaded
> > today, I think it can mature a bit in unstable until Stretch RC 3 is
> > out.
> 
> I'm happy to let this not migrate for a bit, as long as we don't find
> a security vulnerability in dbus in the meantime.
> 
> Having had permission to release this in the first place, I'd like to
> get it into stretch eventually, so that upstream releases don't have
> to either revert a valid bugfix or contain a non-security fix if/when
> there's a security issue (realistically I expect to have to do at least
> one 1.10.z security release during stretch's lifetime).

My objection right now is only about the timing, I'm not trying to get
your work delayed until after stretch. I think I've already done some
extra work in the past to make sure stuff which weren't block-udeb'd got
into testing after the release.

Hope it clarifies.


KiBi.


signature.asc
Description: Digital signature

Bug#858635: unblock (pre-approval): dbus/1.10.18-1 with #857660 fixed

[Simon McVittie]

On Thu, 06 Apr 2017 at 10:22:50 +0200, Cyril Brulebois wrote:
> Tempted to NACK this for the time being. A line must be drawn, and
> things are getting into shape for the release; since it was uploaded
> today, I think it can mature a bit in unstable until Stretch RC 3 is
> out.

I'm happy to let this not migrate for a bit, as long as we don't find
a security vulnerability in dbus in the meantime.

Having had permission to release this in the first place, I'd like to
get it into stretch eventually, so that upstream releases don't have
to either revert a valid bugfix or contain a non-security fix if/when
there's a security issue (realistically I expect to have to do at least
one 1.10.z security release during stretch's lifetime).

S

Bug#858635: unblock (pre-approval): dbus/1.10.18-1 with #857660 fixed

[Niels Thykier]

Cyril Brulebois:
> Niels Thykier  (2017-04-06):
>> Simon McVittie:
>>> On Wed, 05 Apr 2017 at 13:23:00 +, Niels Thykier wrote:
 I am fine with it including it in stretch (at least assuming it is done
 prior to the stretch release).
>>>
>>> Here's an updated debdiff. An upstream bug reported an invalid memory
>>> access in one of the tests, and the fix seemed low-risk (it only
>>> touches test code), so I added that in; I hope that's OK. I can revert
>>> it if you really want me to.
>>>
>>> This is now on its way through unstable.
>>>
>>> (The added .gitignore is because dbus/1.10.16-1 was built with different
>>> gbp-buildpackage settings, and doesn't affect binary packages at all.)
>>>
>>> S
>>>
>>
>> Ack from here; CC'ing KiBi for a d-i ack.
> 
> Tempted to NACK this for the time being. A line must be drawn, and
> things are getting into shape for the release; since it was uploaded
> today, I think it can mature a bit in unstable until Stretch RC 3 is
> out.
> 
> Alternatively, we could urgent it so that it gets into testing a few
> hours after its upload (changelog doesn't look like it could touch d-i
> even remotely…), but I'm not sure that's desirable.
> 
> 
> KiBi.
> 

Lets wait for the next d-i release then. :)

~Niels

Bug#858635: unblock (pre-approval): dbus/1.10.18-1 with #857660 fixed

[Cyril Brulebois]

Niels Thykier  (2017-04-06):
> Simon McVittie:
> > On Wed, 05 Apr 2017 at 13:23:00 +, Niels Thykier wrote:
> >> I am fine with it including it in stretch (at least assuming it is done
> >> prior to the stretch release).
> > 
> > Here's an updated debdiff. An upstream bug reported an invalid memory
> > access in one of the tests, and the fix seemed low-risk (it only
> > touches test code), so I added that in; I hope that's OK. I can revert
> > it if you really want me to.
> > 
> > This is now on its way through unstable.
> > 
> > (The added .gitignore is because dbus/1.10.16-1 was built with different
> > gbp-buildpackage settings, and doesn't affect binary packages at all.)
> > 
> > S
> > 
> 
> Ack from here; CC'ing KiBi for a d-i ack.

Tempted to NACK this for the time being. A line must be drawn, and
things are getting into shape for the release; since it was uploaded
today, I think it can mature a bit in unstable until Stretch RC 3 is
out.

Alternatively, we could urgent it so that it gets into testing a few
hours after its upload (changelog doesn't look like it could touch d-i
even remotely…), but I'm not sure that's desirable.


KiBi.


signature.asc
Description: Digital signature

Bug#858635: unblock (pre-approval): dbus/1.10.18-1 with #857660 fixed

[Niels Thykier]

Simon McVittie:
> On Wed, 05 Apr 2017 at 13:23:00 +, Niels Thykier wrote:
>> I am fine with it including it in stretch (at least assuming it is done
>> prior to the stretch release).
> 
> Here's an updated debdiff. An upstream bug reported an invalid memory
> access in one of the tests, and the fix seemed low-risk (it only
> touches test code), so I added that in; I hope that's OK. I can revert
> it if you really want me to.
> 
> This is now on its way through unstable.
> 
> (The added .gitignore is because dbus/1.10.16-1 was built with different
> gbp-buildpackage settings, and doesn't affect binary packages at all.)
> 
> S
> 

Ack from here; CC'ing KiBi for a d-i ack.

~Niels

Bug#858635: unblock (pre-approval): dbus/1.10.18-1 with #857660 fixed

[Simon McVittie]

On Wed, 05 Apr 2017 at 13:23:00 +, Niels Thykier wrote:
> I am fine with it including it in stretch (at least assuming it is done
> prior to the stretch release).

Here's an updated debdiff. An upstream bug reported an invalid memory
access in one of the tests, and the fix seemed low-risk (it only
touches test code), so I added that in; I hope that's OK. I can revert
it if you really want me to.

This is now on its way through unstable.

(The added .gitignore is because dbus/1.10.16-1 was built with different
gbp-buildpackage settings, and doesn't affect binary packages at all.)

S
diffstat for dbus-1.10.16 dbus-1.10.18

 Makefile.in   |2 +-
 NEWS  |   16 +++-
 bus/bus.c |   40 ++--
 configure |   26 +-
 configure.ac  |4 ++--
 debian/.gitignore |   22 ++
 debian/changelog  |   11 +++
 test/corrupt.c|   11 +++
 8 files changed, 97 insertions(+), 35 deletions(-)

diff -Nru dbus-1.10.16/bus/bus.c dbus-1.10.18/bus/bus.c
--- dbus-1.10.16/bus/bus.c	2015-09-30 15:48:40.0 +0100
+++ dbus-1.10.18/bus/bus.c	2017-03-22 09:32:31.0 +
@@ -931,6 +931,27 @@
   !_dbus_pipe_is_stdout_or_stderr (print_pid_pipe))
 _dbus_pipe_close (print_pid_pipe, NULL);
 
+  /* Here we change our credentials if required,
+   * as soon as we've set up our sockets and pidfile.
+   * This must be done before initializing LSMs, so that the netlink
+   * monitoring thread started by avc_init() will not lose CAP_AUDIT_WRITE
+   * when the main thread calls setuid().
+   * https://bugs.freedesktop.org/show_bug.cgi?id=92832
+   */
+  if (context->user != NULL)
+{
+  if (!_dbus_change_to_daemon_user (context->user, error))
+	{
+	  _DBUS_ASSERT_ERROR_IS_SET (error);
+	  goto failed;
+	}
+}
+
+  /* Auditing should be initialized before LSMs, so that the LSMs are able
+   * to log audit-events that happen during their initialization.
+   */
+  bus_audit_init (context);
+
   if (!bus_selinux_full_init ())
 {
   bus_context_log (context, DBUS_SYSTEM_LOG_FATAL, "SELinux enabled but D-Bus initialization failed; check system log\n");
@@ -950,6 +971,11 @@
  "AppArmor D-Bus mediation is enabled\n");
 }
 
+  /* When SELinux is used, this must happen after bus_selinux_full_init()
+   * so that it has access to the access vector cache, which is required
+   * to process  elements.
+   * http://lists.freedesktop.org/archives/dbus/2008-October/010491.html
+   */
   if (!process_config_postinit (context, parser, error))
 {
   _DBUS_ASSERT_ERROR_IS_SET (error);
@@ -962,20 +988,6 @@
   parser = NULL;
 }
 
-  /* Here we change our credentials if required,
-   * as soon as we've set up our sockets and pidfile
-   */
-  if (context->user != NULL)
-{
-  if (!_dbus_change_to_daemon_user (context->user, error))
-	{
-	  _DBUS_ASSERT_ERROR_IS_SET (error);
-	  goto failed;
-	}
-}
-
-  bus_audit_init (context);
-
   dbus_server_free_data_slot (_data_slot);
 
   return context;
diff -Nru dbus-1.10.16/configure dbus-1.10.18/configure
--- dbus-1.10.16/configure	2017-02-16 13:47:19.0 +
+++ dbus-1.10.18/configure	2017-04-05 16:25:13.0 +0100
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for dbus 1.10.16.
+# Generated by GNU Autoconf 2.69 for dbus 1.10.18.
 #
 # Report bugs to .
 #
@@ -591,8 +591,8 @@
 # Identity of this package.
 PACKAGE_NAME='dbus'
 PACKAGE_TARNAME='dbus'
-PACKAGE_VERSION='1.10.16'
-PACKAGE_STRING='dbus 1.10.16'
+PACKAGE_VERSION='1.10.18'
+PACKAGE_STRING='dbus 1.10.18'
 PACKAGE_BUGREPORT='https://bugs.freedesktop.org/enter_bug.cgi?product=dbus'
 PACKAGE_URL=''
 
@@ -1553,7 +1553,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures dbus 1.10.16 to adapt to many kinds of systems.
+\`configure' configures dbus 1.10.18 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1628,7 +1628,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
- short | recursive ) echo "Configuration of dbus 1.10.16:";;
+ short | recursive ) echo "Configuration of dbus 1.10.18:";;
esac
   cat <<\_ACEOF
 
@@ -1841,7 +1841,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-dbus configure 1.10.16
+dbus configure 1.10.18
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2617,7 +2617,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by dbus $as_me 1.10.16, which was
+It was created by dbus $as_me 1.10.18, which 

Bug#858635: unblock (pre-approval): dbus/1.10.18-1 with #857660 fixed

[Niels Thykier]

Simon McVittie:
> On Wed, 05 Apr 2017 at 10:23:00 +, Niels Thykier wrote:
>> Simon McVittie:
>>> I would like to check whether the fix for #857660 (fd.o #92832) is
>>> something the release team would be comfortable with seeing in stretch,
>>> or whether it should be deferred to buster. I was recently able to get
>>> it tested and reviewed by SELinux users other than its author.
>>
>> I believe we have 1.11 now, so this should already be fixed via that,
>> correct?
> 
> No, we only have 1.11 in experimental. dbus uses a GNOME-like odd/even
> versioning scheme, so 1.odd branches are unsuitable for stable [...]

Ah, indeed, I misread the dak output.


> 
> The proposed fix for #857660 is a backport from the 1.11 branch.
> 
> I'm intending to release 1.12.0 sometime after stretch is released, with
> buster probably shipping with 1.12.z or 1.14.z for some large number z.
> 
> Please let me know whether you'd prefer me to release this change to
> 1.10.z for stretch, or exclude it from 1.10.z.
> 

I am fine with it including it in stretch (at least assuming it is done
prior to the stretch release).

> [...]
> 
> For the buster cycle (or at least the first part of it), I'm considering
> being more aggressive about uploading 1.odd.z releases to unstable
> so they get early testing, and switching to a 1.even.z branch (if
> necessarily releasing one specifically for Debian) at or before the
> transition freeze date. Would that be good to have?
> 
> S
> 

Depends on how unstable the development releases are and how good we are
at catching the regressions before they reach testing. :)  Anyhow, the
early phases of the development cycle would be the time to experiment
with that. :)

Thanks,
~Niels

Bug#858635: unblock (pre-approval): dbus/1.10.18-1 with #857660 fixed

[Simon McVittie]

On Wed, 05 Apr 2017 at 10:23:00 +, Niels Thykier wrote:
> Simon McVittie:
> > I would like to check whether the fix for #857660 (fd.o #92832) is
> > something the release team would be comfortable with seeing in stretch,
> > or whether it should be deferred to buster. I was recently able to get
> > it tested and reviewed by SELinux users other than its author.
>
> I believe we have 1.11 now, so this should already be fixed via that,
> correct?

No, we only have 1.11 in experimental. dbus uses a GNOME-like odd/even
versioning scheme, so 1.odd branches are unsuitable for stable - at the
moment they only go to testing/unstable rather briefly while I'm
preparing to release a new 1.even branch, as a release candidate for
the .0 release of that branch.

The proposed fix for #857660 is a backport from the 1.11 branch.

I'm intending to release 1.12.0 sometime after stretch is released, with
buster probably shipping with 1.12.z or 1.14.z for some large number z.

Please let me know whether you'd prefer me to release this change to
1.10.z for stretch, or exclude it from 1.10.z.

Based on typical release frequency and freeze times, I expect to have
dbus 1.10.16 or 1.10.18 (or possibly 1.10.20) in stretch. I'll continue
to make subsequent 1.10.z releases intended for stretch-security or
stretch-p-u.

For the buster cycle (or at least the first part of it), I'm considering
being more aggressive about uploading 1.odd.z releases to unstable
so they get early testing, and switching to a 1.even.z branch (if
necessarily releasing one specifically for Debian) at or before the
transition freeze date. Would that be good to have?

S

Bug#858635: unblock (pre-approval): dbus/1.10.18-1 with #857660 fixed

[Niels Thykier]

Control: tags -1 confirmed moreinfo

Simon McVittie:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> I would like to check whether the fix for #857660 (fd.o #92832) is
> something the release team would be comfortable with seeing in stretch,
> or whether it should be deferred to buster. I was recently able to get
> it tested and reviewed by SELinux users other than its author.
> It is already fixed in experimental (1.11.x, targeted to become 1.12.x in
> buster), and I haven't had bug reports about 1.11.x from Fedora (who
> adopted it early for some reason).
> 
> If the release team approves in principle, I'll either release just
> this change as 1.10.18, or include it in a 1.10.18 that fixes some more
> serious bug or vulnerability if one comes up. If not, I'll revert it
> from the 1.10.x branch, and it can wait for buster. I have no particular
> horse in this race: I don't use SELinux, and it's only a normal-severity
> bug, so I'm happy to either fix it or revert.
> 
> Git diff attached; the actual debdiff would be this, plus debian/changelog,
> plus some Autotools noise.
> 
> Thanks,
> S
> 

Hi,

I believe we have 1.11 now, so this should already be fixed via that,
correct?

Thanks,
~Niels

Bug#858635: unblock (pre-approval): dbus/1.10.18-1 with #857660 fixed

[Simon McVittie]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

I would like to check whether the fix for #857660 (fd.o #92832) is
something the release team would be comfortable with seeing in stretch,
or whether it should be deferred to buster. I was recently able to get
it tested and reviewed by SELinux users other than its author.
It is already fixed in experimental (1.11.x, targeted to become 1.12.x in
buster), and I haven't had bug reports about 1.11.x from Fedora (who
adopted it early for some reason).

If the release team approves in principle, I'll either release just
this change as 1.10.18, or include it in a 1.10.18 that fixes some more
serious bug or vulnerability if one comes up. If not, I'll revert it
from the 1.10.x branch, and it can wait for buster. I have no particular
horse in this race: I don't use SELinux, and it's only a normal-severity
bug, so I'm happy to either fix it or revert.

Git diff attached; the actual debdiff would be this, plus debian/changelog,
plus some Autotools noise.

Thanks,
S
diff --git a/NEWS b/NEWS
index 59efcfa7..27fe726d 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,12 @@
+D-Bus 1.10.18 (UNRELEASED)
+==
+
+Fixes:
+
+• Re-order dbus-daemon startup so that on SELinux systems, the thread
+  that reads AVC notifications retains the ability to write to the
+  audit log (fd.o #92832, Debian #857660; Laurent Bigonville)
+
 D-Bus 1.10.16 (2017-02-16)
 ==
 
@@ -24,7 +33,7 @@ Fixes:
 
   On Unix systems we strongly recommend using only the unix: and systemd:
   transports, together with EXTERNAL authentication. These are the only
-  transports and authentication mechanisms enabled by default,
+  transports and authentication mechanisms enabled by default.
 
   (fd.o #99828, Simon McVittie)
 
diff --git a/bus/bus.c b/bus/bus.c
index 128ae3c2..fd4ab9e4 100644
--- a/bus/bus.c
+++ b/bus/bus.c
@@ -931,6 +931,27 @@ bus_context_new (const DBusString *config_file,
   !_dbus_pipe_is_stdout_or_stderr (print_pid_pipe))
 _dbus_pipe_close (print_pid_pipe, NULL);
 
+  /* Here we change our credentials if required,
+   * as soon as we've set up our sockets and pidfile.
+   * This must be done before initializing LSMs, so that the netlink
+   * monitoring thread started by avc_init() will not lose CAP_AUDIT_WRITE
+   * when the main thread calls setuid().
+   * https://bugs.freedesktop.org/show_bug.cgi?id=92832
+   */
+  if (context->user != NULL)
+{
+  if (!_dbus_change_to_daemon_user (context->user, error))
+	{
+	  _DBUS_ASSERT_ERROR_IS_SET (error);
+	  goto failed;
+	}
+}
+
+  /* Auditing should be initialized before LSMs, so that the LSMs are able
+   * to log audit-events that happen during their initialization.
+   */
+  bus_audit_init (context);
+
   if (!bus_selinux_full_init ())
 {
   bus_context_log (context, DBUS_SYSTEM_LOG_FATAL, "SELinux enabled but D-Bus initialization failed; check system log\n");
@@ -950,6 +971,11 @@ bus_context_new (const DBusString *config_file,
  "AppArmor D-Bus mediation is enabled\n");
 }
 
+  /* When SELinux is used, this must happen after bus_selinux_full_init()
+   * so that it has access to the access vector cache, which is required
+   * to process  elements.
+   * http://lists.freedesktop.org/archives/dbus/2008-October/010491.html
+   */
   if (!process_config_postinit (context, parser, error))
 {
   _DBUS_ASSERT_ERROR_IS_SET (error);
@@ -962,20 +988,6 @@ bus_context_new (const DBusString *config_file,
   parser = NULL;
 }
 
-  /* Here we change our credentials if required,
-   * as soon as we've set up our sockets and pidfile
-   */
-  if (context->user != NULL)
-{
-  if (!_dbus_change_to_daemon_user (context->user, error))
-	{
-	  _DBUS_ASSERT_ERROR_IS_SET (error);
-	  goto failed;
-	}
-}
-
-  bus_audit_init (context);
-
   dbus_server_free_data_slot (_data_slot);
 
   return context;
diff --git a/configure.ac b/configure.ac
index 9ad52fff..db4679d4 100644
--- a/configure.ac
+++ b/configure.ac
@@ -3,7 +3,7 @@ AC_PREREQ([2.63])
 
 m4_define([dbus_major_version], [1])
 m4_define([dbus_minor_version], [10])
-m4_define([dbus_micro_version], [16])
+m4_define([dbus_micro_version], [17])
 m4_define([dbus_version],
   [dbus_major_version.dbus_minor_version.dbus_micro_version])
 AC_INIT([dbus],[dbus_version],[https://bugs.freedesktop.org/enter_bug.cgi?product=dbus],[dbus])