[Ftp-release] Announcing dbus 1.12.24 (security update)
Simon McVittie
smcv at collabora.com
Wed Oct 5 14:07:19 UTC 2022
dbus is the reference implementation of D-Bus, a message bus for
communication between applications and system services.

This is a security update for the dbus 1.12.x old-stable branch, fixing
the same issues as 1.14.4. It also backports some non-security fixes
from 1.14.x, most of which were required by the tests for the CVE fixes.

The recommended production branch of dbus is 1.14.x. 1.12.x remains
supported for the benefit of long-term-stable distributions that have
chosen to stay on the 1.12.x branch, such as Debian 11 and Ubuntu 22.04.

<http://dbus.freedesktop.org/releases/dbus/dbus-1.12.24.tar.gz>
<http://dbus.freedesktop.org/releases/dbus/dbus-1.12.24.tar.gz.asc>

git tag: dbus-1.12.24
Behaviour changes:

• On Linux, dbus-daemon and other uses of DBusServer now create a
  path-based Unix socket, unix:path=..., when asked to listen on a
  unix:tmpdir=... address. This makes unix:tmpdir=... equivalent to
  unix:dir=... on all platforms.

  Previous versions would have created an abstract socket, unix:abstract=...,
  in this situation.

  This change primarily affects the well-known session bus when run via
  dbus-launch(1) or dbus-run-session(1). The user bus, enabled by configuring
  dbus with --enable-user-session and running it on a systemd system,
  already used path-based Unix sockets and is unaffected by this change.

  This behaviour change prevents a sandbox escape via the session bus socket
  in sandboxing frameworks that can share the network namespace with the host
  system, such as Flatpak.

  This change might cause a regression in situations where the abstract socket
  is intentionally shared between the host system and a chroot or container,
  such as some use-cases of schroot(1). That regression can be resolved by
  using a bind-mount to share either the D-Bus socket, or the whole /tmp
  directory, with the chroot or container.

  (dbus#416, Simon McVittie)
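
The following is an added illustration, not code from dbus or the announcement: a small Python model of the behaviour change above. It resolves a unix: listen address to the concrete socket type a server would create before and after the fix, then asks whether a sandbox can reach that socket given only two facts: whether it shares the host's network namespace and which host directories are bind-mounted into it. The fixed socket name suffix, the `linux`/`fixed` flags and the sandbox description are assumptions made for the model; real dbus appends a random suffix, and filesystem permissions on a path-based socket are not modelled.

```python
"""Constructed model (not dbus code) of the unix:tmpdir= behaviour change.

Abstract Unix sockets are scoped by the network namespace alone, so a sandbox
that shares the host's network namespace can reach them even with a private
/tmp. Path-based sockets are only reachable if the socket's directory (or the
socket file) is present in the sandbox's filesystem, e.g. via a bind-mount.
"""

SOCKET_NAME = "dbus-PLACEHOLDER"  # assumption: real dbus uses a random suffix


def parse_address(address: str):
    """Split 'transport:key=value,key=value' into (transport, {key: value})."""
    transport, _, rest = address.partition(":")
    params = {}
    for item in filter(None, rest.split(",")):
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"malformed address element {item!r}")
        params[key] = value
    return transport, params


def resolve_listen_address(address: str, linux: bool, fixed: bool) -> str:
    """Return the unix:path=... or unix:abstract=... socket a DBusServer
    listening on `address` ends up with.

    `fixed` is True for dbus 1.12.24 / 1.14.4 or later. Before the fix, Linux
    turned unix:tmpdir= into an abstract socket; afterwards tmpdir behaves
    like dir on every platform and yields a path-based socket.
    """
    transport, params = parse_address(address)
    if transport != "unix":
        raise ValueError(f"only unix: addresses are modelled, got {transport!r}")
    if "path" in params:
        return f"unix:path={params['path']}"
    if "abstract" in params:
        return f"unix:abstract={params['abstract']}"
    if "dir" in params:
        return f"unix:path={params['dir']}/{SOCKET_NAME}"
    if "tmpdir" in params:
        kind = "abstract" if (linux and not fixed) else "path"
        return f"unix:{kind}={params['tmpdir']}/{SOCKET_NAME}"
    raise ValueError("unix: address needs path, abstract, dir or tmpdir")


def reachable_from_sandbox(listen_address: str, shares_netns: bool,
                           bind_mounts: list) -> bool:
    """Can a process inside the sandbox connect to the listening socket?"""
    kind, _, target = listen_address[len("unix:"):].partition("=")
    if kind == "abstract":
        # Namespaced by the network namespace only; the filesystem is irrelevant.
        return shares_netns
    if kind == "path":
        # Needs the socket file or its directory to be visible in the sandbox.
        return any(target == m or target.startswith(m.rstrip("/") + "/")
                   for m in bind_mounts)
    raise ValueError(f"unexpected socket kind {kind!r}")


if __name__ == "__main__":
    listen = "unix:tmpdir=/tmp"
    before = resolve_listen_address(listen, linux=True, fixed=False)
    after = resolve_listen_address(listen, linux=True, fixed=True)
    # Flatpak-style sandbox: shares the network namespace, private /tmp.
    print(before, "reachable:", reachable_from_sandbox(before, True, []))
    print(after, "reachable:", reachable_from_sandbox(after, True, []))
    # schroot-style setup that relied on the abstract socket: bind-mounting
    # /tmp (or just the socket) into the chroot restores access.
    print(after, "with /tmp bind-mounted:",
          reachable_from_sandbox(after, True, ["/tmp"]))
```

Run stand-alone, the script shows the three cases the announcement describes: the pre-fix abstract socket is reachable from a network-namespace-sharing sandbox with a private /tmp, the post-fix path socket is not, and the schroot-style regression disappears once /tmp is bind-mounted.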
Denial of service fixes:

Evgeny Vereshchagin discovered several ways in which an authenticated
local attacker could cause a crash (denial of service) in
dbus-daemon --system or a custom DBusServer. In uncommon configurations
these could potentially be carried out by an authenticated remote attacker.

• An invalid array of fixed-length elements where the length of the array
  is not a multiple of the length of the element would cause an assertion
  failure in debug builds or an out-of-bounds read in production builds.
  This was a regression in version 1.3.0.
  (dbus#413, CVE-2022-42011; Simon McVittie)

• A syntactically invalid type signature with incorrectly nested parentheses
  and curly brackets would cause an assertion failure in debug builds.
  Similar messages could potentially result in a crash or incorrect message
  processing in a production build, although we are not aware of a practical
  example. (dbus#418, CVE-2022-42010; Simon McVittie)

• A message in non-native endianness with out-of-band Unix file descriptors
  would cause a use-after-free and possible memory corruption in production
  builds, or an assertion failure in debug builds. This was a regression in
  version 1.3.0. (dbus#417, CVE-2022-42012; Simon McVittie)
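
The following is an added example, not code from dbus: the structural checks a D-Bus message validator has to make for the first two issues above, written out in Python so the failure conditions are explicit. `validate_signature()` rejects malformed type signatures, including the incorrectly nested parentheses and curly brackets described for CVE-2022-42010; `fixed_array_element_count()` rejects an array body whose byte length is not a multiple of the element size, the condition behind CVE-2022-42011; and `read_fixed_array()` reads such an array in the byte order named by the message's endianness flag instead of assuming native order. Type codes, sizes and nesting limits follow the D-Bus specification; the function names and the sample messages used in the usage below are constructed for this example.

```python
"""Constructed example (not dbus code): validation checks for D-Bus type
signatures and fixed-element arrays, with the rejected conditions explicit.
Codes, sizes and nesting limits follow the D-Bus specification."""
import struct

# Fixed-size basic types: marshalled size in bytes (alignment equals size).
FIXED_SIZES = {"y": 1, "b": 4, "n": 2, "q": 2, "i": 4, "u": 4,
               "x": 8, "t": 8, "d": 8, "h": 4}
STRUCT_CODES = {"y": "B", "b": "I", "n": "h", "q": "H", "i": "i", "u": "I",
                "x": "q", "t": "Q", "d": "d", "h": "i"}
BASIC_TYPES = set(FIXED_SIZES) | {"s", "o", "g"}
ENDIAN_FLAGS = {b"l": "<", b"B": ">"}  # first byte of every D-Bus message
MAX_SIGNATURE_LENGTH = 255
MAX_NESTING = 32  # 32 array type codes and 32 open parentheses

class InvalidSignature(ValueError):
    """A signature that must be rejected before any code relies on it."""

def validate_signature(sig: str) -> bool:
    """Return True for a well-formed signature, otherwise raise.
    Containers are parsed recursively, so ')' or '}' is accepted only where
    it closes the container currently open; stray or interleaved brackets
    are reported instead of being assumed to balance."""
    if len(sig) > MAX_SIGNATURE_LENGTH:
        raise InvalidSignature("signature longer than 255 bytes")

    def single_type(pos: int, arrays: int, structs: int) -> int:
        # Parse one complete type at sig[pos]; return the index after it.
        if pos >= len(sig):
            raise InvalidSignature("incomplete type at end of signature")
        c = sig[pos]
        if c in BASIC_TYPES or c == "v":
            return pos + 1
        if c == "a":
            if arrays == MAX_NESTING:
                raise InvalidSignature("array nesting deeper than 32")
            if sig[pos + 1:pos + 2] == "{":
                return dict_entry(pos + 1, arrays + 1, structs)
            return single_type(pos + 1, arrays + 1, structs)
        if c == "(":
            if structs == MAX_NESTING:
                raise InvalidSignature("struct nesting deeper than 32")
            pos += 1
            if sig[pos:pos + 1] == ")":
                raise InvalidSignature("empty struct")
            while sig[pos:pos + 1] != ")":  # end of string raises below
                pos = single_type(pos, arrays, structs + 1)
            return pos + 1
        if c == "{":
            raise InvalidSignature("dict entry is only valid as an array element")
        if c in ")}":
            raise InvalidSignature(f"unexpected closing {c!r}")
        raise InvalidSignature(f"unknown type code {c!r}")

    def dict_entry(pos: int, arrays: int, structs: int) -> int:
        # sig[pos] == "{": exactly one basic-type key, one value, then "}".
        if sig[pos + 1:pos + 2] not in BASIC_TYPES:
            raise InvalidSignature("dict entry key must be a basic type")
        end = single_type(pos + 2, arrays, structs)
        if sig[end:end + 1] != "}":
            raise InvalidSignature("dict entry needs exactly one key and one value")
        return end + 1

    pos = 0
    while pos < len(sig):
        pos = single_type(pos, 0, 0)
    return True

def fixed_array_element_count(element_code: str, body_len: int) -> int:
    """Element count for a body of body_len bytes; ValueError when body_len is
    not a multiple of the element size (the CVE-2022-42011 condition)."""
    if element_code not in FIXED_SIZES:
        raise ValueError(f"{element_code!r} is not a fixed-size element type")
    size = FIXED_SIZES[element_code]
    if body_len % size:
        raise ValueError(f"{body_len}-byte body is not a multiple of {size}")
    return body_len // size

def read_fixed_array(data: bytes, offset: int, endian_flag: bytes,
                     element_code: str) -> list:
    """Read one fixed-element array whose uint32 byte length starts at offset,
    in the byte order selected by the message's endianness flag."""
    order = ENDIAN_FLAGS.get(endian_flag)
    if order is None:
        raise ValueError(f"invalid endianness flag {endian_flag!r}")
    (body_len,) = struct.unpack_from(order + "I", data, offset)
    count = fixed_array_element_count(element_code, body_len)
    start = offset + 4
    start += -start % FIXED_SIZES[element_code]  # pad to element alignment
    if start + body_len > len(data):
        raise ValueError("array body runs past the end of the message")
    return list(struct.unpack_from(
        f"{order}{count}{STRUCT_CODES[element_code]}", data, start))

def is_rejected(func, *args) -> bool:
    """True if func(*args) raises ValueError (InvalidSignature included)."""
    try:
        func(*args)
    except ValueError:
        return True
    return False
```

Usage: `validate_signature("a{sv}")` returns True while `is_rejected(validate_signature, "(a{i)}")` is True, because the `)` arrives while a dict entry is still open; `fixed_array_element_count("i", 12)` is 3 while a 7-byte body of `i` is rejected; and a constructed 12-byte array of three `INT32` values decodes to `[1, 2, 3]` whether the flag is `b"l"` or `b"B"`, since the byte order comes from the flag rather than the host.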
Non-security bug fixes:

• Don't crash if dbus-daemon is asked to watch more than 128 directories
  for changes (dbus!302, Jan Tojnar)

• Correctly set error indicator if out-of-memory is reached while
  demarshalling a message (fdo#100317, Simon McVittie)

• On Windows, consistently use msvcrt.dll-style printf formats, fixing
  builds with mingw-w64 8.0.0 (dbus#380, Simon McVittie)

• Use the latest MSYS2 packages for CI, fixing failure to download older
  packages (Ralf Habacker, Simon McVittie)
--
Simon McVittie, Collabora Ltd. / Debian
on behalf of the dbus maintainers