Announcing dbus 1.13.12

Simon McVittie smcv at
Tue Jun 11 15:05:14 UTC 2019

This is a development branch for the adventurous, and comes with a risk
of regressions. OS distributions should stay with the 1.12.x branch,
unless they can commit to following the 1.13.x branch until it reaches
a 1.14.0 stable release at an unspecified point in the future.

This version incorporates the same security fix as the 1.12.16 stable

git tag: dbus-1.13.12

The “patio squirrel” release.

Security fixes:

• CVE-2019-12749: Do not attempt to carry out DBUS_COOKIE_SHA1
  authentication for identities that differ from the user running the
  DBusServer. Previously, a local attacker could manipulate symbolic
  links in their own home directory to bypass authentication and connect
  to a DBusServer with elevated privileges. The standard system and
  session dbus-daemons in their default configuration were immune to this
  attack because they did not allow DBUS_COOKIE_SHA1, but third-party
  users of DBusServer such as Upstart could be vulnerable.
  Thanks to Joe Vennix of Apple Information Security.
  (dbus#269, Simon McVittie)


• dbus-daemon <allow> and <deny> rules can now specify a
  send_destination_prefix attribute, which is like a combination of
  send_destination and the arg0namespace keyword in match rules: a rule
  with send_destination_prefix="com.example.Foo" matches messages sent to
  any destination that is in the queue to own well-known names like
  com.example.Foo or com.example.Foo.A.B (but not com.example.Foobar).
  (dbus!85, Adrian Szyndela)

Simon McVittie, Collabora Ltd.
on behalf of the dbus maintainers

More information about the dbus mailing list