New changelog entries:
* SECURITY UPDATE: denial of service via ActivationFailure signal race
- debian/patches/CVE-2015-0245.patch: prevent forged ActivationFailure
from non-root processes in bus/system.conf.in.
- CVE-2015-0245
* SECURITY UPDATE: arbitrary code execution or denial of service via
format string vulnerability
- debian/patches/format_string.patch: do not use non-literal format
string in bus/activation.c.
- No CVE number
New changelog entries:
* SECURITY UPDATE: denial of service via large number of fds
- debian/patches/CVE-2014-7824.patch: raise rlimit and restore it for
activated services in bus/activation.c, bus/bus.*,
dbus/dbus-sysdeps-util-unix.c, dbus/dbus-sysdeps-util-win.c,
dbus/dbus-sysdeps.h.
- debian/dbus.init: don't launch daemon as a user so the rlimit can be
raised.
- CVE-2014-7824
* SECURITY REGRESSION: authentication timeout on certain slower systems
- debian/patches/CVE-2014-3639-regression.patch: raise auth_timeout
back up to 30 secs in bus/config-parser.c, add a warning to
bus/connection.c.
- CVE-2014-3639
New changelog entries:
* SECURITY UPDATE: buffer overrun via odd max_message_unix_fds
- debian/patches/CVE-2014-3635.patch: do not extra fds in cmsg padding
in dbus/dbus-sysdeps-unix.c, allow using _DBUS_STATIC_ASSERT at a
non-global scope in dbus/dbus-internals.h, dbus/dbus-macros.h.
- CVE-2014-3635
* SECURITY UPDATE: denial of service via large number of fds
- debian/patches/CVE-2014-3636.patch: reduce max number of fds in
bus/config-parser.c, bus/session.conf.in, dbus/dbus-message.c,
dbus/dbus-sysdeps.h.
- CVE-2014-3636
* SECURITY UPDATE: denial of service via persistent file descriptiors
- debian/patches/CVE-2014-3637.patch: add a timeout to expire pending
fds in bus/bus.*, bus/config-parser.c, bus/connection.c,
bus/session.conf.in, cmake/bus/dbus-daemon.xml,
dbus/dbus-connection-internal.h, dbus/dbus-connection.c,
dbus/dbus-message-internal.h, dbus/dbus-message-private.h,
dbus/dbus-message.c, dbus/dbus-transport.*.
- CVE-2014-3637
* SECURITY UPDATE: denial of service via large number of pending replies
- debian/patches/CVE-2014-3638.patch: reduce max_replies_per_connection
to 128 in bus/config-parser.c.
- CVE-2014-3638
* SECURITY UPDATE: denial of service via incomplete connections
- debian/patches/CVE-2014-3639.patch: reduce auth_timeout in
bus/config-parser.c, stop listening on DBusServer sockets when
reaching max_incomplete_connections in bus/bus.*, bus/connection.*,
dbus/dbus-server-protected.h, dbus/dbus-server.c, dbus/dbus-watch.*.
- CVE-2014-3639
New changelog entries:
* SECURITY UPDATE: denial of service via activation errors
- debian/patches/CVE-2014-3477.patch: improve error handling in
bus/activation.*, bus/services.c.
- CVE-2014-3477
* SECURITY UPDATE: denial of service via ETOOMANYREFS
- debian/patches/CVE-2014-3532.patch: drop message on ETOOMANYREFS in
dbus/dbus-sysdeps.*, dbus/dbus-transport-socket.c.
- CVE-2014-3532
* SECURITY UPDATE: denial of service via invalid file descriptor
- debian/patches/CVE-2014-3533.patch: fix memory handling in
dbus/dbus-message.c.
- CVE-2014-3533
New changelog entries:
* SECURITY UPDATE: denial of service via _dbus_printf_string_upper_bound()
length.
- debian/patches/CVE-2013-2168.patch: use a copy of va_list in
dbus/dbus-sysdeps-unix.c, dbus/dbus-sysdeps-win.c, added test to
test/Makefile.am, test/internals/printf.c.
- CVE-2013-2168
New changelog entries:
* REGRESSION FIX: some applications launched with the activation helper
may need DBUS_STARTER_ADDRESS. (LP: #1058343)
- debian/patches/CVE-2012-3524-regression-fix.patch: hardcode the
starter address to the default system bus address.
* REGRESSION FIX: unclean shutdown after dbus upgrade (LP: #740390)
- debian/libdbus-1-3.postinst: trigger an upstart re-exec before
shutdown or reboot so that it can safely unmount the root
filesystem.
New changelog entries:
* SECURITY UPDATE: privilege escalation via unsanitized environment
- debian/patches/CVE-2012-3524-dbus.patch: Don't access environment
variables or run dbus-launch when setuid in configure.ac,
dbus/dbus-keyring.c, dbus/dbus-sysdeps*
- CVE-2012-3524
New changelog entries:
* Merge with Debian unstable to pick up the new bug fix release. Remaining
Ubuntu changes:
- Install binaries into / rather than /usr:
+ debian/rules: Set --exec-prefix=/
+ debian/dbus.install, debian/dbus-x11.install: Install from /bin
- Use upstart to start:
+ Add debian/dbus.upstart.
+ debian/control: Add upstart dependency.
+ debian/dbus.postinst: Use upstart call instead of invoking the init.d
script for checking if we are already running.
+ debian/control: versioned dependency on netbase that emits the new deconfiguring-networking event used in upstart script.
- 20_system_conf_limit.patch: Increase max_match_rules_per_connection for
the system bus to 5000 (LP #454093)
- 81-session.conf-timeout.patch: Raise the service startup timeout from 25
to 60 seconds. It may be too short on the live CD with slow machines.
- Add 0001-activation-allow-for-more-variation-than-just-system.patch,
0002-bus-change-systemd-activation-to-activation-systemd.patch,
0003-upstart-add-upstart-as-a-possible-activation-type.patch,
0004-upstart-add-UpstartJob-to-service-desktop-files.patch,
0005-activation-implement-upstart-activation.patch: Patches from Scott
James Remnant to implement Upstart service activation. Not upstream.
New changelog entries:
* debian/rules, debian/dbus-1-dbg.install: Only set --exec-prefix=/ in
the production build. This prevents the debug version of dbus-daemon
from overwriting the non-debug version, which crashes the dbus-python
test suite. This leaves the debug version in a somewhat bogus path,
but we won't worry about that for now. Solution given by Jason Conti.
Also closes https://bugs.freedesktop.org/show_bug.cgi?id=43303
(LP: #913991)