Announcing D-Bus 1.8.8 (security fix release)
Simon McVittie
simon.mcvittie at collabora.co.uk
Tue Sep 16 09:09:08 PDT 2014
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
The "smashy smashy egg man" release.
This is a security fix release for the current stable branch, 1.8.x.
Please upgrade unless you have a reason to keep using an older branch.
http://dbus.freedesktop.org/releases/dbus/dbus-1.8.8.tar.gz
http://dbus.freedesktop.org/releases/dbus/dbus-1.8.8.tar.gz.asc
git tag: dbus-1.8.8
git branch: dbus-1.8
Security fixes:
• Do not accept an extra fd in the padding of a cmsg message, which
could lead to a 4-byte heap buffer overrun.
(CVE-2014-3635, fd.o #83622; Simon McVittie)
• Reduce default for maximum Unix file descriptors passed per message
from 1024 to 16, preventing a uid with the default maximum number of
connections from exhausting the system bus' file descriptors under
Linux's default rlimit. Distributors or system administrators with a
more restrictive fd limit may wish to reduce these limits further.
Additionally, on Linux this prevents a second denial of service
in which the dbus-daemon can be made to exceed the maximum number
of fds per sendmsg() and disconnect the process that would have
received them.
(CVE-2014-3636, fd.o #82820; Alban Crequy)
• Disconnect connections that still have a fd pending unmarshalling
after a new configurable limit, pending_fd_timeout (defaulting to 150
seconds), removing the possibility of creating an abusive connection
that cannot be disconnected by setting up a circular reference to a
connection's file descriptor.
(CVE-2014-3637, fd.o #80559; Alban Crequy)
• Reduce default for maximum pending replies per connection from 8192
to 128, mitigating an algorithmic complexity denial-of-service attack
(CVE-2014-3638, fd.o #81053; Alban Crequy)
• Reduce default for authentication timeout on the system bus from
30 seconds to 5 seconds, avoiding denial of service by using up
all unauthenticated connection slots; and when all unauthenticated
connection slots are used up, make new connection attempts block
instead of disconnecting them.
(CVE-2014-3639, fd.o #80919; Alban Crequy)
Other fixes:
â• Check for libsystemd from systemd >= 209, falling back to
the older separate libraries if not found (Umut Tezduyar Lindskog,
Simon McVittie)
• On Linux, use prctl() to disable core dumps from a test executable
that deliberately raises SIGSEGV to test dbus-daemon's handling
of that condition (fd.o #83772, Simon McVittie)
• Fix compilation with --enable-stats (fd.o #81043, Gentoo #507232;
Alban Crequy)
• Improve documentation for running tests on Windows (fd.o #41252,
Ralf Habacker)
- --
Simon McVittie, Collabora Ltd.
for the D-Bus maintainers
-----BEGIN PGP SIGNATURE-----
iQIVAwUBVBhgoU3o/ypjx8yQAQgZnRAAl9UNyGJHaymmcnFPIcPkP+b0ZsL9yv/G
c9rx6Go/UxsT46YFvLOOjFerpCCxTpK3zJY+jybWLNVj2Oku5u2pW8q+vOYD5yJz
AN8R/ryxeOEnw1Dsv4LtxZZqQGJX3ATe9x0NTeMjiy9G/9Ou6z1bDwhPw+qOPr5G
0W1sEfVCqdpWLr4fL451uVkcz8A5hFfL+gLIql72lKkAbd/XG2uA2ER1yqHqur8L
UeVxfgehBfYkj5odN0H7e+Hf5LL0suyQQ9XUNUEEdkcjp79sOJSb89t95HPikae6
6oH+q3AeUqwVoshD7zr9sQG6UK7dDD69gyxVQXg/6qjyJxt6zQKPTeOB4thNeOiU
QYv830s9Rycqp+GvGv2yOvAFLVvo/yN8wP09O9UdZoXD7ZPX51BY2xN3aye6iRW8
fePOY9psICdmQAU+CKB445qR6NpWHzDtCXLdvB/ExRSsr4i/kMdgH0HsoUw1yldf
mBWy9QV6MCaMSM0Xch5iqen76ZvE0C7mhoYGszIbTeC2viasLhpRnjNI1m+dmkK0
0mMCdFNzvu1QLigcysyni4StSzyBEND34H1dzgk7xicuYIcNUr083XP98k6Szfkn
fMvvW8Wx42I8QaYSviRz73OB/Rcsawqy4yYuEfvupsESMJfFQm/OJ9ihn3XwyKLh
XhbKRJQzojI=
=FPPX
-----END PGP SIGNATURE-----
More information about the dbus
mailing list