Announcing dbus 1.10.28 security update
smcv at collabora.com
Tue Jun 11 15:04:58 UTC 2019
dbus is the reference implementation of D-Bus, a message bus for
communication between applications and system services.
This is a bugfix release for the old 1.10.x stable branch, with security
and build bug fixes backported from the 1.12.x branch. Upgrading
is recommended (but please use the 1.12.x branch instead if possible).
git tag: dbus-1.10.28
The “kitchen slug” release.
• CVE-2019-12749: Do not attempt to carry out DBUS_COOKIE_SHA1
authentication for identities that differ from the user running the
DBusServer. Previously, a local attacker could manipulate symbolic
links in their own home directory to bypass authentication and connect
to a DBusServer with elevated privileges. The standard system and
session dbus-daemons in their default configuration were immune to this
attack because they did not allow DBUS_COOKIE_SHA1, but third-party
users of DBusServer such as Upstart could be vulnerable.
Thanks to Joe Vennix of Apple Information Security.
(dbus#269, Simon McVittie)
• Prevent reading up to 3 bytes beyond the end of a truncated message.
This could in principle be an information leak or denial of service
on the system bus, but is not believed to be exploitable to crash
the system bus or leak interesting information in practice.
(fd.o #107332, Simon McVittie)
• Stop the dbus-daemon leaking memory (an error message) if delivering
the message that triggered auto-activation is forbidden. This is
technically a denial of service because the dbus-daemon will
run out of memory eventually, but it's a very slow and noisy one,
because all the rejected messages are also very likely to have
been logged to the system log, and its scope is typically limited by
the finite number of activatable services available.
(dbus#234, Simon McVittie)
• Remove __attribute__((__malloc__)) attribute on dbus_realloc(),
which does not meet the criteria for that attribute in gcc 4.7+,
potentially leading to miscompilation (fd.o #107741, Simon McVittie)
• Fix build with gcc 8 -Werror=cast-function-type
(fd.o #107349, Simon McVittie)
• Fix warning from gcc 8 about suspicious use of strncpy() when
populating struct sockaddr_un (fd.o #107350, Simon McVittie)
• Fix installation of Ducktype documentation with newer yelp-build
versions (fd.o #106171, Simon McVittie)
Tests and CI:
• Add Travis-CI builds for 64-bit Windows using mingw-w64
(fd.o #105662, Ralf Habacker)
• Add Gitlab-CI integration (fd.o #108177, Simon McVittie)
Simon McVittie, Collabora Ltd. / Debian
on behalf of the dbus maintainers
More information about the dbus