[Ftp-release] Announcing dbus 1.12.24 (security update)

[Simon McVittie]

dbus is the reference implementation of D-Bus, a message bus for
communication between applications and system services.

This is a security update for the dbus 1.12.x old-stable branch, fixing
the same issues as 1.14.4. It also backports some non-security fixes
from 1.14.x, most of which were required by the tests for the CVE fixes.

The recommended production branch of dbus is 1.14.x. 1.12.x remains
supported for the benefit of long-term-stable distributions that have
chosen to stay on the 1.12.x branch, such as Debian 11 and Ubuntu 22.04.

<http://dbus.freedesktop.org/releases/dbus/dbus-1.12.24.tar.gz>
<http://dbus.freedesktop.org/releases/dbus/dbus-1.12.24.tar.gz.asc>
git tag: dbus-1.12.24

Behaviour changes:

• On Linux, dbus-daemon and other uses of DBusServer now create a
  path-based Unix socket, unix:path=..., when asked to listen on a
  unix:tmpdir=... address. This makes unix:tmpdir=... equivalent to
  unix:dir=... on all platforms.
  Previous versions would have created an abstract socket, unix:abstract=...,
  in this situation.
  This change primarily affects the well-known session bus when run via
  dbus-launch(1) or dbus-run-session(1). The user bus, enabled by configuring
  dbus with --enable-user-session and running it on a systemd system,
  already used path-based Unix sockets and is unaffected by this change.
  This behaviour change prevents a sandbox escape via the session bus socket
  in sandboxing frameworks that can share the network namespace with the host
  system, such as Flatpak.
  This change might cause a regression in situations where the abstract socket
  is intentionally shared between the host system and a chroot or container,
  such as some use-cases of schroot(1). That regression can be resolved by
  using a bind-mount to share either the D-Bus socket, or the whole /tmp
  directory, with the chroot or container.
  (dbus#416, Simon McVittie)

Denial of service fixes:

Evgeny Vereshchagin discovered several ways in which an authenticated
local attacker could cause a crash (denial of service) in
dbus-daemon --system or a custom DBusServer. In uncommon configurations
these could potentially be carried out by an authenticated remote attacker.

• An invalid array of fixed-length elements where the length of the array
  is not a multiple of the length of the element would cause an assertion
  failure in debug builds or an out-of-bounds read in production builds.
  This was a regression in version 1.3.0.
  (dbus#413, CVE-2022-42011; Simon McVittie)

• A syntactically invalid type signature with incorrectly nested parentheses
  and curly brackets would cause an assertion failure in debug builds.
  Similar messages could potentially result in a crash or incorrect message
  processing in a production build, although we are not aware of a practical
  example. (dbus#418, CVE-2022-42010; Simon McVittie)

• A message in non-native endianness with out-of-band Unix file descriptors
  would cause a use-after-free and possible memory corruption in production
  builds, or an assertion failure in debug builds. This was a regression in
  version 1.3.0. (dbus#417, CVE-2022-42012; Simon McVittie)

Non-security bug fixes:

• Don't crash if dbus-daemon is asked to watch more than 128 directories
  for changes (dbus!302, Jan Tojnar)

• Correctly set error indicator if out-of-memory is reached while
  demarshalling a message (fdo#100317, Simon McVittie)

• On Windows, consistently use msvcrt.dll-style printf formats, fixing
  builds with mingw-w64 8.0.0 (dbus#380, Simon McVittie)

• Use the latest MSYS2 packages for CI, fixing failure to download older
  packages
  (Ralf Habacker, Simon McVittie)

-- 
Simon McVittie, Collabora Ltd. / Debian
on behalf of the dbus maintainers