Announcing D-Bus 1.8.8 (security fix release)

Simon McVittie simon.mcvittie at collabora.co.uk
Tue Sep 16 09:09:08 PDT 2014 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

The "smashy smashy egg man" release.

This is a security fix release for the current stable branch, 1.8.x.
Please upgrade unless you have a reason to keep using an older branch.

http://dbus.freedesktop.org/releases/dbus/dbus-1.8.8.tar.gz
http://dbus.freedesktop.org/releases/dbus/dbus-1.8.8.tar.gz.asc
git tag: dbus-1.8.8
git branch: dbus-1.8

Security fixes:

• Do not accept an extra fd in the padding of a cmsg message, which
  could lead to a 4-byte heap buffer overrun.
  (CVE-2014-3635, fd.o #83622; Simon McVittie)

• Reduce default for maximum Unix file descriptors passed per message
  from 1024 to 16, preventing a uid with the default maximum number of
  connections from exhausting the system bus' file descriptors under
  Linux's default rlimit. Distributors or system administrators with a
  more restrictive fd limit may wish to reduce these limits further.

  Additionally, on Linux this prevents a second denial of service
  in which the dbus-daemon can be made to exceed the maximum number
  of fds per sendmsg() and disconnect the process that would have
  received them.
  (CVE-2014-3636, fd.o #82820; Alban Crequy)

• Disconnect connections that still have a fd pending unmarshalling
  after a new configurable limit, pending_fd_timeout (defaulting to 150
  seconds), removing the possibility of creating an abusive connection
  that cannot be disconnected by setting up a circular reference to a
  connection's file descriptor.
  (CVE-2014-3637, fd.o #80559; Alban Crequy)

• Reduce default for maximum pending replies per connection from 8192
  to 128, mitigating an algorithmic complexity denial-of-service attack
  (CVE-2014-3638, fd.o #81053; Alban Crequy)

• Reduce default for authentication timeout on the system bus from
  30 seconds to 5 seconds, avoiding denial of service by using up
  all unauthenticated connection slots; and when all unauthenticated
  connection slots are used up, make new connection attempts block
  instead of disconnecting them.
  (CVE-2014-3639, fd.o #80919; Alban Crequy)

Other fixes:

â• Check for libsystemd from systemd >= 209, falling back to
  the older separate libraries if not found (Umut Tezduyar Lindskog,
  Simon McVittie)

• On Linux, use prctl() to disable core dumps from a test executable
  that deliberately raises SIGSEGV to test dbus-daemon's handling
  of that condition (fd.o #83772, Simon McVittie)

• Fix compilation with --enable-stats (fd.o #81043, Gentoo #507232;
  Alban Crequy)

• Improve documentation for running tests on Windows (fd.o #41252,
  Ralf Habacker)

- -- 
Simon McVittie, Collabora Ltd.
for the D-Bus maintainers

-----BEGIN PGP SIGNATURE-----

iQIVAwUBVBhgoU3o/ypjx8yQAQgZnRAAl9UNyGJHaymmcnFPIcPkP+b0ZsL9yv/G
c9rx6Go/UxsT46YFvLOOjFerpCCxTpK3zJY+jybWLNVj2Oku5u2pW8q+vOYD5yJz
AN8R/ryxeOEnw1Dsv4LtxZZqQGJX3ATe9x0NTeMjiy9G/9Ou6z1bDwhPw+qOPr5G
0W1sEfVCqdpWLr4fL451uVkcz8A5hFfL+gLIql72lKkAbd/XG2uA2ER1yqHqur8L
UeVxfgehBfYkj5odN0H7e+Hf5LL0suyQQ9XUNUEEdkcjp79sOJSb89t95HPikae6
6oH+q3AeUqwVoshD7zr9sQG6UK7dDD69gyxVQXg/6qjyJxt6zQKPTeOB4thNeOiU
QYv830s9Rycqp+GvGv2yOvAFLVvo/yN8wP09O9UdZoXD7ZPX51BY2xN3aye6iRW8
fePOY9psICdmQAU+CKB445qR6NpWHzDtCXLdvB/ExRSsr4i/kMdgH0HsoUw1yldf
mBWy9QV6MCaMSM0Xch5iqen76ZvE0C7mhoYGszIbTeC2viasLhpRnjNI1m+dmkK0
0mMCdFNzvu1QLigcysyni4StSzyBEND34H1dzgk7xicuYIcNUr083XP98k6Szfkn
fMvvW8Wx42I8QaYSviRz73OB/Rcsawqy4yYuEfvupsESMJfFQm/OJ9ihn3XwyKLh
XhbKRJQzojI=
=FPPX
-----END PGP SIGNATURE-----

More information about the dbus mailing list