New changelog entries:
  * Non-maintainer upload by the Security Team.
  * Backport upstream patch to fix a possible call stack overflow and thus
    denial of service, when processing messages with excessively nested
    variants. This fix restricts the nesting level to 64
    (52-CVE-2010-4352.patch).
New changelog entries:
  * debian/patches/52-CVE-2009-1189.patch
    - Security: The _dbus_validate_signature_with_reason function
      (dbus-marshal-validate.c) uses incorrect logic to validate a basic type,
      which allows remote attackers to spoof a signature via a crafted key.
      NOTE: this is due to an incorrect fix for CVE-2008-3834
      Closes: #532720
      Fixes: CVE-2009-1189
  * Urgency high for the security fix.
New changelog entries:
  [ Sjoerd Simons ]
  * debian/patches/CVE-2008-4311.patch:
    + Added, Fixes CVE-2008-4311. A mistake in the default configuration for
      the system bus (system.conf) which made the default policy for both sent
      and received messages effectively *allow*, and not deny as intended. This
      patch fixes the send side permissions (Closes: #503532, #508032)
  * Urgency high for the security fix

  [ Simon McVittie ]
  * Rename CVE-*.patch to prefix them with a sequence number so it's clear
    what order they should apply in
  * Add 51-CVE-2008-4311-but-allow-signals.patch, cherry-picked from upstream
    git commit d899734475: after fixing CVE-2008-4311, re-allow emitting
    signals
  * debian/patches/3[0-4]*.patch, cherry-picked from upstream git (see patches
    for commit IDs): add logging when permission to send a message is denied
  * debian/patches/35-syslog-h.patch: #include <syslog.h> to fix compilation
    with the logging patches applied
  * Add myself to Uploaders
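The deny-by-default shape of the system bus policy that the CVE-2008-4311 fix and the follow-up "but allow signals" patch above aim for, as an added illustration and not the contents of the Debian patches (the entry does not reproduce the lines they change). Assumptions: the element and attribute names are those of dbus-daemon's busconfig format; the pre-fix rules are not reconstructed here; the service name org.example.Foo and its config file are hypothetical, and the reply-related allow lines are this illustration's idea of a sane default rather than something the entry states.

```xml
<!-- /etc/dbus-1/system.conf (illustrative default policy, not the Debian patch) -->
<busconfig>
  <type>system</type>
  <policy context="default">
    <!-- Everyone may connect, but nobody may own a name or send a method call
         unless a service's own config file re-opens that specific access. -->
    <allow user="*"/>
    <deny own="*"/>
    <deny send_type="method_call"/>
    <!-- The signal re-allow that 51-CVE-2008-4311-but-allow-signals.patch
         describes; replies a caller is entitled to are also kept allowed
         (assumed here). -->
    <allow send_type="signal"/>
    <allow send_requested_reply="true" send_type="method_return"/>
    <allow send_requested_reply="true" send_type="error"/>
    <!-- Receiving is left open; the send side is where the fix applies. -->
    <allow receive_type="method_call"/>
    <allow receive_type="method_return"/>
    <allow receive_type="error"/>
    <allow receive_type="signal"/>
  </policy>
</busconfig>

<!-- /etc/dbus-1/system.d/org.example.Foo.conf (hypothetical service): the
     hole punched for one service, the only way a method call reaches it. -->
<busconfig>
  <policy user="root">
    <allow own="org.example.Foo"/>
  </policy>
  <policy context="default">
    <allow send_destination="org.example.Foo"/>
  </policy>
</busconfig>
```

The check a practitioner wants after such a change: a method call to a destination that no service file has opened must now be refused by the daemon with an AccessDenied error instead of being delivered, and with the logging patches from the same upload applied (debian/patches/3[0-4]*.patch), each such refusal also shows up in syslog, which is how services that silently relied on the old allow-by-default behaviour get found.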
New changelog entries:
  * debian/patches/CVE-2008-3834.patch
    - The dbus_signature_validate function in the D-Bus library allows
      attackers to cause a denial of service (application abort) via a message
      containing a malformed signature, which triggers a failed assertion
      error. (Closes: #501443)
      Fixes: CVE-2008-3834
    - Urgency high for the security fix.
  * debian/patches/20-dbus-alpha-unaligned.patch
    - Fix misaligned memory access which causes "unaligned traps" on Alpha.
      (Closes: #502408)
  * debian/dbus.init
    - Add "status" action to init script. (Closes: #470121)
  * debian/control
    - Bump Depends on lsb-base to >= 3.2-14, which provides status_of_proc().
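The three validation fixes in these entries (the nesting limit of 52-CVE-2010-4352.patch, the malformed-signature abort of CVE-2008-3834 and the basic-type check of CVE-2009-1189) come down to one discipline: reject bad input with an error return, never with an assertion, and bound the recursion itself rather than only the outer signature, because a variant's type arrives inside the message body and can nest another variant. The following is an added example written for this page, not dbus's own code: a signature validator plus a body walker over a simplified D-Bus-like encoding. It assumes no alignment padding (the real wire format pads), little-endian integers, and one limit of 64 applied to every container kind (upstream applies per-kind limits); the encoding rules, the function names and the constructed inputs are all this example's own.

```c
/* Added example, not dbus code: a depth-bounded walker for a simplified
 * D-Bus-like encoding.  Assumed: no alignment padding, little-endian, one
 * limit of 64 for every container kind (upstream pads and uses per-kind
 * limits).  y:1 n,q:2 b,i,u,h:4 x,t,d:8  s,o: u32 len,bytes,NUL  g: u8 len,
 * bytes,NUL  a<T>: u32 byte length then elements  (T..): fields in order
 * {KV}: key,value only under a  v: a signature as for g, then its value. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define MAX_NESTING 64                   /* the figure the changelog gives */
#define MAX_SIG_LEN 255
struct cursor { const uint8_t *p, *end; };
static int is_basic(char c) { return c != 0 && strchr("ybnqiuxtdsogh", c) != NULL; }
/* Pointer just past one complete type at s, or NULL: malformed input is an
 * error return, never a failed assertion (cf. CVE-2008-3834). */
static const char *sig_complete_type(const char *s, const char *end, int depth) {
    if (s >= end || depth > MAX_NESTING) return NULL;
    if (is_basic(*s) || *s == 'v') return s + 1;
    if (*s == 'a') {
        if (s + 1 < end && s[1] != '{') return sig_complete_type(s + 1, end, depth + 1);
        if (s + 2 >= end || !is_basic(s[2])) return NULL;   /* dict key must be basic */
        const char *q = sig_complete_type(s + 3, end, depth + 2);
        return (q && q < end && *q == '}') ? q + 1 : NULL;
    }
    if (*s == '(') {
        const char *q = s + 1;
        if (q >= end || *q == ')') return NULL;              /* empty struct */
        while (q && q < end && *q != ')') q = sig_complete_type(q, end, depth + 1);
        return (q && q < end) ? q + 1 : NULL;
    }
    return NULL;                                             /* stray }, ), { or junk */
}
/* Zero or more complete types, at most MAX_SIG_LEN bytes: 0 valid, -1 not. */
int validate_signature(const char *sig, size_t len) {
    const char *end = sig + len;
    if (len > MAX_SIG_LEN) return -1;
    while (sig && sig < end) sig = sig_complete_type(sig, end, 0);
    return sig ? 0 : -1;
}
static int take(struct cursor *c, size_t n) {                      /* consume n bytes or fail */
    if ((size_t)(c->end - c->p) < n) return -1;
    c->p += n; return 0;
}
static int read_u32(struct cursor *c, uint32_t *out) {             /* little-endian */
    if ((size_t)(c->end - c->p) < 4) return -1;
    *out = c->p[0] | (uint32_t)c->p[1] << 8 | (uint32_t)c->p[2] << 16 | (uint32_t)c->p[3] << 24;
    return take(c, 4);
}
static int read_sig(struct cursor *c, const char **sig, size_t *len) {  /* u8 len, bytes, NUL */
    if (c->p >= c->end) return -1;
    *len = c->p[0];
    if ((size_t)(c->end - c->p) < 2 + *len || c->p[1 + *len] != 0) return -1;
    *sig = (const char *)c->p + 1; return take(c, 2 + *len);
}
/* Walk one value of the type at *sigp, advancing the data and *sigp.  The bound is
 * on the recursion itself, so it also covers variants, whose type is only known
 * from the body: the CVE-2010-4352 class of bug. */
static int walk_type(struct cursor *c, const char **sigp, const char *sig_end, int depth) {
    const char *s = *sigp, *q, *inner, *type_end;
    size_t n; uint32_t len; struct cursor elems;
    if (depth > MAX_NESTING || s >= sig_end) return -1;
    *sigp = s + 1;                                   /* containers adjust this below */
    switch (*s) {
    case 'y': return take(c, 1);
    case 'n': case 'q': return take(c, 2);
    case 'b': case 'i': case 'u': case 'h': return take(c, 4);
    case 'x': case 't': case 'd': return take(c, 8);
    case 's': case 'o': return (read_u32(c, &len) || take(c, (size_t)len + 1)) ? -1 : 0;
    case 'g': return (read_sig(c, &inner, &n) || validate_signature(inner, n)) ? -1 : 0;
    case 'v':
        if (read_sig(c, &inner, &n) || n == 0) return -1;
        if (sig_complete_type(inner, inner + n, depth) != inner + n) return -1; /* one type */
        return walk_type(c, &inner, inner + n, depth + 1);
    case 'a':
        type_end = sig_complete_type(s, sig_end, depth);
        if (!type_end || read_u32(c, &len) || (size_t)(c->end - c->p) < len) return -1;
        elems.p = c->p; elems.end = c->p + len;
        for (q = s + 1; elems.p < elems.end; q = s + 1)   /* each element eats >= 1 byte */
            if (walk_type(&elems, &q, type_end, depth + 1)) return -1;
        c->p = elems.end; *sigp = type_end; return 0;
    case '(': case '{':
        for (q = s + 1; q < sig_end && *q != (*s == '(' ? ')' : '}');)
            if (walk_type(c, &q, sig_end, depth + 1)) return -1;
        if (q >= sig_end) return -1;
        *sigp = q + 1; return 0;
    default: return -1;
    }
}
/* Validate a body against its signature; trailing bytes are an error. */
int validate_body(const char *sig, size_t siglen, const uint8_t *body, size_t bodylen) {
    struct cursor c = { body, body + bodylen };
    const char *s = sig, *end = sig + siglen;
    if (validate_signature(sig, siglen)) return -1;
    while (s < end) if (walk_type(&c, &s, end, 0)) return -1;
    return c.p == c.end ? 0 : -1;
}
/* Constructed hostile body: `levels` variants each wrapping the next, then a byte.
 * Three bytes per level, so the sender chooses the recursion depth; with the
 * outer signature "v" that is levels + 1 nested variants in total. */
int nested_variants_ok(int levels) {
    uint8_t buf[4096]; size_t n = 0;
    if (levels < 0 || (size_t)levels * 3 + 4 > sizeof buf) return -1;
    for (int i = 0; i < levels; i++) { buf[n++] = 1; buf[n++] = 'v'; buf[n++] = 0; }
    buf[n++] = 1; buf[n++] = 'y'; buf[n++] = 0; buf[n++] = 0x42;
    return validate_body("v", 1, buf, n);
}
```

With the bound, nested_variants_ok(63) (64 variants in total) is accepted and nested_variants_ok(64) is refused at the 65th level before any deeper frame is entered; without the depth parameter, each extra level costs the sender only three bytes, so a body of a few hundred kilobytes would drive the recursion tens of thousands of frames deep, which is the call stack overflow the first entry describes. The signature checks sit alongside for the same reason: a dict entry whose key is not a basic type, an empty struct, an unterminated struct or a bare container character all come back as -1 from validate_signature rather than tripping an assertion.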