Announcing security release D-Bus 1.10.12
Simon McVittie
simon.mcvittie at collabora.co.uk
Mon Oct 10 12:33:13 UTC 2016
The “not excessively inhospitable” release.
http://dbus.freedesktop.org/releases/dbus/dbus-1.10.12.tar.gz
http://dbus.freedesktop.org/releases/dbus/dbus-1.10.12.tar.gz.asc
git tag: dbus-1.10.12
Security fixes:
• Do not treat ActivationFailure message received from root-owned
systemd name as a format string. In principle this is a security
vulnerability, but we do not believe it is exploitable in practice,
because only privileged processes can own the
org.freedesktop.systemd1 bus name, and systemd does not appear to
send activation failures that contain "%".
Please note that this probably *was* exploitable in dbus versions
older than 1.6.30, 1.8.16 and 1.9.10 due to a missing check which at
the time was only thought to be a denial of service vulnerability
(CVE-2015-0245). If you are still running one of those versions,
patch or upgrade immediately.
(fd.o #98157, Simon McVittie)
Other fixes:
• Harden dbus-daemon against malicious or incorrect ActivationFailure
messages by rejecting them if they do not come from a privileged
process, or if systemd activation is not enabled
(fd.o #98157, Simon McVittie)
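The two ActivationFailure items above describe the same bug class from both sides: untrusted message text reaching a printf-style format parameter, and a message being trusted before its sender was checked. The following is an added illustration of both fixes, not code from dbus itself; the function names, the simplified "privileged sender" flag and the sample strings are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example, not dbus source. It models the two hardening steps from the
 * release notes in a simplified form. */

/* The vulnerable pattern, shown only as a comment so it is never compiled:
 *
 *     some_printf_style_error_api(err, NAME, reason);
 *
 * where `reason` arrived on the bus and the third parameter is a format
 * string. Any "%" conversion inside `reason` is then interpreted by the
 * formatter instead of being copied literally. */

/* Hardened form: the untrusted text is an argument to a fixed format string,
 * so a "%" in `reason` is reproduced verbatim. Returns snprintf's count. */
int format_activation_failure(char *out, size_t out_len, const char *reason)
{
    return snprintf(out, out_len, "Activation of service failed: %s", reason);
}

/* Mirror of the second fix: an ActivationFailure is only accepted when the
 * sender is privileged (owns the root-owned systemd name) and systemd
 * activation is enabled; otherwise it is rejected before being parsed.
 * Both inputs are assumed to have been established by the caller. */
bool accept_activation_failure(bool sender_is_privileged,
                               bool systemd_activation_enabled)
{
    return sender_is_privileged && systemd_activation_enabled;
}

/* Audit helper: count the conversion specifiers that a formatter would act on
 * if this string were ever used as a format. "%%" is a literal percent and
 * is not counted. Useful when reviewing logs for suspicious message text. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s == '%') {
            if (s[1] == '%') {
                s++;          /* skip the escaped percent */
                continue;
            }
            n++;
        }
    }
    return n;
}

int main(void)
{
    /* Constructed sample: what a malformed failure reason might look like. */
    const char *reason = "unit %s%s%n not found";
    char buf[128];

    format_activation_failure(buf, sizeof buf, reason);
    printf("safe:  %s\n", buf);
    printf("directives in reason: %d\n", count_format_directives(reason));
    printf("accepted from unprivileged sender: %s\n",
           accept_activation_failure(false, true) ? "yes" : "no");
    return 0;
}
```

The important property is that `format_activation_failure` never hands caller-supplied text to the format parameter: the output contains the "%s%s%n" sequence as literal characters, and the rejection check runs before any parsing of the message body.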
• Avoid undefined behaviour when setting reply serial number without
going via union DBusBasicValue (fd.o #98035, Marc Mutz)
• autogen.sh: fail cleanly if autoconf fails (Simon McVittie)
--
Simon McVittie, Collabora Ltd. <http://www.collabora.com/>