Announcing dbus 1.10.32 security update
Simon McVittie
smcv at collabora.com
Thu Jul 2 20:02:49 UTC 2020
dbus is the reference implementation of D-Bus, a message bus for
communication between applications and system services.
The dbus 1.10.x branch was originally released in 2015. It currently
receives security-fix releases whenever necessary, but it is planned to
reach end-of-life status at the end of Debian 9's official security
support (approximately July 2020). If you are a dbus downstream
maintainer in a long-lived OS distribution and you want to use the
upstream dbus-1.10 git branch as a place to share backported security
fixes with other distributions, please contact the dbus maintainers via
the dbus-security mailing list on lists.freedesktop.org.
<http://dbus.freedesktop.org/releases/dbus/dbus-1.10.32.tar.gz>
<http://dbus.freedesktop.org/releases/dbus/dbus-1.10.32.tar.gz.asc>
git tag: dbus-1.10.32
The “technically a venom” release.
Maybe security fixes:
• On Unix, avoid a use-after-free if two usernames have the same
numeric uid. In older versions this could lead to a crash (denial of
service) or other undefined behaviour, possibly including incorrect
authorization decisions if <policy group=...> is used.
Like Unix filesystems, D-Bus' model of identity cannot distinguish
between users of different names with the same numeric uid, so this
configuration is not advisable on systems where D-Bus will be used.
Thanks to Daniel Onaca.
(dbus#305, dbus!166; Simon McVittie)
Other fixes:
• On Solaris and its derivatives, if a cmsg header is truncated, ensure
that we do not overrun the buffer used for fd-passing, even if the
kernel tells us to.
(dbus#304, dbus!165; Andy Fiddaman)
--
Simon McVittie, Collabora Ltd. / Debian
on behalf of the dbus maintainers
More information about the dbus
mailing list