Announcing dbus 1.15.4

Simon McVittie smcv at collabora.com
Wed Feb 8 17:19:24 UTC 2023


This is a development branch for the adventurous, and comes with a risk
of regressions. OS distributions should stay with the 1.14.x branch,
unless they can commit to following the 1.15.x branch until it reaches
a 1.16.0 stable release at an unspecified point in the future.

This development release incorporates the same bug fixes as the dbus
1.14.6 stable release.

<http://dbus.freedesktop.org/releases/dbus/dbus-1.15.4.tar.xz>
<http://dbus.freedesktop.org/releases/dbus/dbus-1.15.4.tar.xz.asc>
git tag: dbus-1.15.4

Dependencies:

• Building with CMake now requires CMake ≥ 3.9.

Build-time configuration changes:

• On Unix platforms, a path in the runtime state directory (often /run)
  is now used for the well-known system bus socket by default. OS
  distributors should check that the path used is equivalent to the
  interoperable path /var/run/dbus/system_bus_socket, especially if
  running on an OS where /var/run is not guaranteed to be a symbolic
  link to /run.
  (dbus#180; Issam E. Maghni, Simon McVittie)
  · With Autotools, this is controlled by --runstatedir, which defaults
    to ${localstatedir}/run but is often set to /run by OS distributors.
    The path to the system bus socket can be overridden with the
    --with-system-socket option if required.
  · With CMake, this is controlled by the RUNSTATEDIR option, which has
    behaviour similar to Autotools. There is no separate option for the
    path to the system bus socket.
  · With Meson, this is controlled by the runtime_dir option, which
    defaults to /run if the installation prefix is set to /usr, or has
    behaviour similar to Autotools otherwise. The path to the system bus
    socket can be overridden with the system_socket option if required.

Denial of service fixes:

• Fix an incorrect assertion that could be used to crash dbus-daemon or
  other users of DBusServer prior to authentication, if libdbus was compiled
  with assertions enabled.
  We recommend that production builds of dbus, for example in OS distributions,
  should be compiled with checks but without assertions.
  (dbus#421, Ralf Habacker; thanks to Evgeny Vereshchagin)

Enhancements:

• D-Bus Specification 0.41:
  · Clarify handling of /run vs. /var/run on Unix systems
    (dbus#180, Simon McVittie)

• Add dbus_connection_set_builtin_filters_enabled(), intended to be called
  by tools that use BecomeMonitor() such as dbus-monitor
  (dbus#301, Kai A. Hiller)

• When using the Meson build system, dbus can now be used as a subproject.
  To avoid colliding with a separate system copy of dbus, building it as a
  static library with tests, tools and the message bus disabled is
  strongly recommended. See test/use-as-subproject for sample code.
  (dbus!368, dbus!388; Daniel Wagner)

Other fixes:

• When connected to a dbus-broker, stop dbus-monitor from incorrectly
  replying to Peer method calls that were sent to the dbus-broker with
  a NULL destination (dbus#301, Kai A. Hiller)

• Fix out-of-bounds varargs read in the dbus-daemon's config-parser.
  This is not attacker-triggerable and appears to be harmless in practice,
  but is technically undefined behaviour and is detected as such by
  AddressSanitizer. (dbus!357, Evgeny Vereshchagin)

• Avoid a data race in multi-threaded use of DBusCounter
  (dbus#426, Ralf Habacker)

• Fix a crash with some glibc versions when non-auditable SELinux events
  are logged (dbus!386, Jeremi Piotrowski)

• If dbus_message_demarshal() runs out of memory while validating a message,
  report it as NoMemory rather than InvalidArgs (dbus#420, Simon McVittie)

• Use C11 _Alignof if available, for better standards-compliance
  (dbus!389, Khem Raj)

• Stop including an outdated copy of pkg.m4 in the git tree
  (dbus!365, Simon McVittie)

• Meson build fixes:
  · Use -fvisibility=hidden on Unix if supported, in particular on Linux
    (dbus!383, dbus#437; Simon McVittie)
  · Fix build on macOS, and any other platform that has
    CLOCK_MONOTONIC but not pthread_condattr_setclock()
    (dbus#419, Jordan Williams)

• Documentation:
  · Consistently use Gitlab bug reporting URL (dbus!372, Marco Trevisan)

• Licensing:
  · Use MIT license for some test files that did not previously specify a
    license, with permission from their authors (dbus!359, Simon McVittie)
  · Add more SPDX/REUSE license markers
    (dbus!311, dbus!369, dbus!370, dbus!371, dbus!375, dbus!376;
    Ralf Habacker, Simon McVittie)
  · Correct syntax of some SPDX license markers (dbus!360, Ralf Habacker)

• Test fixes:
  · Fix an assertion failure in test-autolaunch-win
    (dbus#422, Ralf Habacker)
  · Expand test coverage under CMake (dbus!322, Ralf Habacker)
  · Fix the test-apparmor-activation test after dbus#416
    (dbus!380, Dave Jones)

Internal changes:

• Add static assertions for some things we assume about pointers
  (dbus!345, Simon McVittie)

• Refactoring (dbus!356, dbus#430, dbus#431; Simon McVittie, Xin Shi)

• Fix CI builds with recent git versions (dbus#447, Simon McVittie)

• Build dbus with clang during CI (dbus!358, Evgeny Vereshchagin)

-- 
Simon McVittie, Collabora Ltd. / Debian
on behalf of the dbus maintainers
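
Added example, not part of the original announcement or the dbus project's code: one way for a distributor to perform the check described under "Build-time configuration changes", confirming that a configured system bus socket path and the interoperable path /var/run/dbus/system_bus_socket resolve to the same location. The function names are hypothetical, and it assumes the parent directories of both paths already exist on the system being checked.

```shell
#!/bin/sh
# Added example (not dbus project code): decide whether two socket paths
# name the same filesystem location once symlinks such as /var/run -> /run
# are resolved. Function names are hypothetical.

# Print the physical (symlink-free) path of directory $1, or fail.
physical_dir() {
    ( cd -P -- "$1" 2>/dev/null && pwd -P )
}

# socket_paths_equivalent CONFIGURED INTEROPERABLE
# Exit status:
#   0  same file name, parent directories resolve to the same directory
#   1  not equivalent (clients using the other path would miss the socket)
#   2  a parent directory does not exist, so nothing can be concluded
socket_paths_equivalent() {
    configured=$1
    interoperable=$2

    # The final path component must match; only directories are resolved.
    [ "${configured##*/}" = "${interoperable##*/}" ] || return 1

    dir_a=$(physical_dir "$(dirname -- "$configured")") || return 2
    dir_b=$(physical_dir "$(dirname -- "$interoperable")") || return 2

    [ "$dir_a" = "$dir_b" ]
}

# When run with two arguments, report the result, for example:
#   sh check.sh /run/dbus/system_bus_socket /var/run/dbus/system_bus_socket
# (the first path is an assumed build-time value; substitute your own).
if [ "$#" -eq 2 ]; then
    if socket_paths_equivalent "$1" "$2"; then
        echo "equivalent: $1 and $2"
    else
        echo "NOT equivalent (or not checkable): $1 and $2" >&2
    fi
fi
```

The check compares resolved parent directories rather than the socket itself, so it can be run in a build chroot or image before the bus has ever been started.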

