[ANNOUNCE] D-Bus 1.4.1 (fixing CVE-2010-4352)

Will Thompson will.thompson at collabora.co.uk
Mon Dec 20 13:44:48 PST 2010 

A new stable release of D-Bus is now available, fixing a
denial-of-service issue.

http://dbus.freedesktop.org/releases/dbus/dbus-1.4.1.tar.gz

This release contains a fix for
<https://bugs.freedesktop.org/show_bug.cgi?id=32321>, originally
reported on this list by Rémi Denis-Courmont, who has an analysis at
<http://www.remlab.net/op/dbus-variant-recursion.shtml>.

This bug allows a local user to crash the bus daemon, but not to execute
arbitrary code, by sending it a specially-crafted message. Once the bus
daemon has been upgraded, it will reject such messages without relaying
them; thus, services besides the bus daemon itself do not need to be
restarted.

This release also includes Windows and OS X portability fixes, and other
minor bugfixes. The fix for the major issue has commit ID '7d65a3a',
should you wish to distribute it without the other fixes.

The changes from 1.4.0 are as follows:

Andre Heinecke (1):
      Dist Readme.win instead of Readme.windbus

Benjamin Reed (3):
      Add launchd implementation.
      Look up DISPLAY from launchd if not initialized.
      Enable launchd.

Christian Dywan (6):
      Add return_if_fail watch != NULL in public DBusWatch API
      Free envvar and args in pass_info in the oom case
      Take care to free windows_sid in cache_peer_loginfo_string
      Always get current time in _dbus_connection_block_pending_call
      Don't pretend to free lock if it was never allocated
      Only use signature directly inside _dbus_verbose

Colin Walters (1):
      Added a test-autolaunch.

Havoc Pennington (1):
      CVE 2010-4352: Reject deeply nested variants

Lennart Poettering (1):
      post release version bump

Marcus Brinkmann (2):
      Fix use of _dbus_make_file_world_readable.
      Fix typo in creating temp file.

Mike McQuaid (6):
      Fix PROFILE_TIMED_FORMAT printf warning on OSX.
      test-autolaunch is only known to work in launchd environments.
      Fix test failures on OSX.
      libtoolize is called glibtoolize on OSX so check for it too.
      10.4 is old so set more sensible launchd defaults.
      Add launchd section to specification.

Ralf Habacker (24):
      Unix compile fix.
      Include cmake subdirectory in source distribution.
      Extended autolaunch protocol with scope attribute.
      Fixed case when no scope attribute is used.
      Added documentation for autolaunch transport.
      Keep unix autolaunch functions in sync.
      When launching dbus-daemon be more verbose in error case.
      Revert "Added documentation for autolaunch transport."
      Merge branch 'master' of ssh://git.freedesktop.org/git/dbus/dbus
      keep version in sync with automake
      Fixed reference to cmake configure options.
      Cleaned up windows related README's.
      Service dir related bug fix on windows.
      Added revision history.
      Keep in sync with automake.
      Fixed wrong libtoolize presence check.
      Fix bus-test failure with cmake on unix.
      Variables and functions name cleanup on Windows.
      Fixed bug not freeing mutex handle on Windows.
      Implements user limited session bus on Windows.
      Add documentation for autolaunch meta transport on Windows.
      Be more verbose when publishing or requesting session bus address on Windo
      Windows fix: In install path scope case add hashed install path to mutex/s
      Handle case when autolaunched daemon address is already pulished on window

Romain Pokrzywka (3):
      tentative workaround for the random hangs on windows
      Tentative workaround for the random hangs on windows.
      Restore the close_on_exec flag on windows.

Scott James Remnant (1):
      sysdeps-unix: use MSG_NOSIGNAL when sending creds

Thiago Macieira (1):
      Documentated autolaunch implementation for X Windowing system.

Will Thompson (19):
      Explicitly require the daemon to respect destination=''
      Use Automake 1.11, if available, for silent rules
      Squash warnings and spurious output from autogen.sh
      Silence silent build a bit more.
      Update a load of .gitignores
      Build Doxygen documentation for `make all`.
      Move manpages to doc/
      Report correct result of doxygen/xml doc checks
      Integrate building HTML-ified manpages with the build system
      Move uploading docs into build system.
      Merge branch 'documentation-build-system'
      Fix malformed specification XML.
      policy tests: Use 'nogroup' rather than 'wheel' or 'root'
      Ignore generated bus/org.freedesktop.dbus-session.plist
      Revert "test-autolaunch is only known to work in launchd environments."
      sysdeps-unix: check for HAVE_DECL_MSG_NOSIGNAL
      policy tests: Use bin rather than nogroup, wheel, or root
      NEWS for 1.4.1
      Bump LT_REVISION for this new release.

Regards,
-- 
Will

More information about the dbus mailing list