[Ftp-release] Announcing dbus 1.14.8 (security update)
Simon McVittie
smcv at collabora.com
Tue Jun 6 17:01:50 UTC 2023

dbus is the reference implementation of D-Bus, a message bus for
communication between applications and system services.

This is a maintenance update for the dbus 1.14.x stable branch. It fixes
a denial-of-service issue in dbus-daemon for systems where the Monitoring
interface is used (tracked as dbus#457, CVE ID not yet available).

<http://dbus.freedesktop.org/releases/dbus/dbus-1.14.8.tar.xz>
<http://dbus.freedesktop.org/releases/dbus/dbus-1.14.8.tar.xz.asc>
git tag: dbus-1.14.8

Denial-of-service fixes:

• Fix an assertion failure in dbus-daemon when a privileged Monitoring
  connection (dbus-monitor, busctl monitor, gdbus monitor or similar)
  is active, and a message from the bus driver cannot be delivered to a
  client connection due to <deny> rules or outgoing message quota. This
  is a denial of service if triggered maliciously by a local attacker.
  (dbus#457; hongjinghao, Simon McVittie)

Other fixes:

• Fix compilation on compilers not supporting __FUNCTION__
  (dbus!404, Barnabás Pőcze)

• Fix some memory leaks on out-of-memory conditions
  (dbus!403, Barnabás Pőcze)

• Documentation:
  · Fix syntax of a code sample in dbus-api-design
    (dbus!396; Yen-Chin, Lee)

Tests and CI enhancements:

• Fix CI pipelines after freedesktop/freedesktop#540
  (dbus!405, dbus#456; Simon McVittie)

--
Simon McVittie, Collabora Ltd. / Debian
on behalf of the dbus maintainers