Announcing dbus 1.14.8 (security update)

Simon McVittie smcv at collabora.com
Tue Jun 6 17:01:50 UTC 2023


dbus is the reference implementation of D-Bus, a message bus for
communication between applications and system services.

This is a maintenance update for the dbus 1.14.x stable branch. It fixes
a denial-of-service issue in dbus-daemon for systems where the Monitoring
interface is used (tracked as dbus#457, CVE ID not yet available).

<http://dbus.freedesktop.org/releases/dbus/dbus-1.14.8.tar.xz>
<http://dbus.freedesktop.org/releases/dbus/dbus-1.14.8.tar.xz.asc>
git tag: dbus-1.14.8

Denial-of-service fixes:

• Fix an assertion failure in dbus-daemon when a privileged Monitoring
  connection (dbus-monitor, busctl monitor, gdbus monitor or similar)
  is active, and a message from the bus driver cannot be delivered to a
  client connection due to <deny> rules or outgoing message quota. This
  is a denial of service if triggered maliciously by a local attacker.
  (dbus#457; hongjinghao, Simon McVittie)
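
Because the fix above only lands in 1.14.8 and later, a defender's first question is whether a given host runs a fixed build. The following check is an added example, not part of this announcement or of the dbus project; it assumes `dbus-daemon --version` prints a line of the form `D-Bus Message Bus Daemon 1.14.8` (the sample output below is constructed) and that the host uses upstream version numbers rather than a distribution backport carrying the patch under an older number.

```python
import re
import subprocess

# First release on the 1.14.x stable branch that contains the dbus#457 fix.
FIXED_1_14 = (1, 14, 8)

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_dbus_version(output):
    """Extract (major, minor, micro) from `dbus-daemon --version` output.

    Assumed output shape (constructed sample, not captured from a real host):
    'D-Bus Message Bus Daemon 1.14.8\\nCopyright ...'.
    """
    match = _VERSION_RE.search(output)
    if match is None:
        raise ValueError("no x.y.z version number found in: %r" % output)
    return tuple(int(part) for part in match.groups())


def is_fixed(version, fixed=FIXED_1_14):
    """Return True/False for a 1.14.x build, or None for another branch.

    The announcement only covers the 1.14.x branch, so a 1.12.x or 1.15.x
    build cannot be judged from this release note alone.
    """
    if version[:2] != fixed[:2]:
        return None
    return version >= fixed


def assess(output):
    """Map raw `dbus-daemon --version` output to a short verdict string."""
    verdict = is_fixed(parse_dbus_version(output))
    if verdict is None:
        return "other-branch"
    return "fixed" if verdict else "vulnerable"


def check_local_daemon():
    """Run the local dbus-daemon and assess it (requires dbus on PATH)."""
    proc = subprocess.run(["dbus-daemon", "--version"],
                          capture_output=True, text=True, check=True)
    return assess(proc.stdout)


if __name__ == "__main__":
    print(check_local_daemon())
```

A "fixed" verdict means the binary is at or past 1.14.8 on the 1.14.x branch; "vulnerable" only matters in practice where a Monitoring connection is active, since that is the condition the assertion failure needs.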

Other fixes:

• Fix compilation on compilers not supporting __FUNCTION__
  (dbus!404, Barnabás Pőcze)

• Fix some memory leaks on out-of-memory conditions
  (dbus!403, Barnabás Pőcze)

• Documentation:
  · Fix syntax of a code sample in dbus-api-design
    (dbus!396; Yen-Chin, Lee)

Tests and CI enhancements:

• Fix CI pipelines after freedesktop/freedesktop#540
  (dbus!405, dbus#456; Simon McVittie)

-- 
Simon McVittie, Collabora Ltd. / Debian
on behalf of the dbus maintainers

