Announcing D-Bus 1.8.14

Simon McVittie simon.mcvittie at collabora.co.uk
Mon Jan 5 07:04:05 PST 2015


The “40lb of roofing nails” release.

This is a bugfix release for the current stable branch, 1.8.x, adding
security hardening to mitigate faulty third-party security policy files
such as CVE-2014-8148. Please upgrade unless you have a reason to keep
using an older branch.

http://dbus.freedesktop.org/releases/dbus/dbus-1.8.14.tar.gz
http://dbus.freedesktop.org/releases/dbus/dbus-1.8.14.tar.gz.asc
git tag: dbus-1.8.14
git branch: dbus-1.8

Security hardening:

• Do not allow calls to UpdateActivationEnvironment from uids other than
  the uid of the dbus-daemon. If a system service installs unsafe
  security policy rules that allow arbitrary method calls
  (such as CVE-2014-8148) then this prevents memory consumption and
  possible privilege escalation via UpdateActivationEnvironment.

  We believe that in practice, privilege escalation here is avoided
  by dbus-daemon-launch-helper sanitizing its environment; but
  it seems better to be safe.

• Do not allow calls to UpdateActivationEnvironment or the Stats
  interface on object paths other than /org/freedesktop/DBus. Some
  system services install unsafe security policy rules that allow
  arbitrary method calls to any destination, method and interface with
  a specified object path; while less bad than allowing arbitrary
  method calls, these security policies are still harmful, since
  dbus-daemon normally offers the same API on all object paths and
  other system services might behave similarly.

Other fixes:

• Add missing initialization so GetExtendedTcpTable doesn't crash on
  Windows Vista SP0 (fd.o #77008, Илья А. Ткаченко)

-- 
Simon McVittie, Collabora Ltd. / Debian


More information about the dbus mailing list