Announcing D-Bus 1.8.14
Simon McVittie
simon.mcvittie at collabora.co.uk
Mon Jan 5 07:04:05 PST 2015
The “40lb of roofing nails” release.
This is a bugfix release for the current stable branch, 1.8.x, adding
security hardening to mitigate faulty third-party security policy files
such as CVE-2014-8148. Please upgrade unless you have a reason to keep
using an older branch.
http://dbus.freedesktop.org/releases/dbus/dbus-1.8.14.tar.gz
http://dbus.freedesktop.org/releases/dbus/dbus-1.8.14.tar.gz.asc
git tag: dbus-1.8.14
git branch: dbus-1.8
Security hardening:
• Do not allow calls to UpdateActivationEnvironment from uids other than
the uid of the dbus-daemon. If a system service installs unsafe
security policy rules that allow arbitrary method calls
(such as CVE-2014-8148) then this prevents memory consumption and
possible privilege escalation via UpdateActivationEnvironment.
We believe that in practice, privilege escalation here is avoided
by dbus-daemon-launch-helper sanitizing its environment; but
it seems better to be safe.
• Do not allow calls to UpdateActivationEnvironment or the Stats
interface on object paths other than /org/freedesktop/DBus. Some
system services install unsafe security policy rules that allow
arbitrary method calls to any destination, method and interface with
a specified object path; while less bad than allowing arbitrary
method calls, these security policies are still harmful, since
dbus-daemon normally offers the same API on all object paths and
other system services might behave similarly.
Other fixes:
• Add missing initialization so GetExtendedTcpTable doesn't crash on
Windows Vista SP0 (fd.o #77008, Илья А. Ткаченко)
--
Simon McVittie, Collabora Ltd. / Debian
More information about the dbus
mailing list