New changelog entries:
* debian/patches/unrequested-reply-mediation.patch: Don't let unrequested
reply messages through and don't audit them. Unrequested reply messages
are error or method_return messages that are sent from D-Bus connection A
to D-Bus connection B that do not correspond to any message ever sent by
D-Bus connection B. They should be quietly dropped as there's no use for
them outside of malicious activity. Patch based on upstream patches.
(LP: #1641243)
New changelog entries:
* SECURITY UPDATE: denial of service via ActivationFailure signal race
- debian/patches/CVE-2015-0245.patch: prevent forged ActivationFailure
from non-root processes in bus/system.conf.in.
- CVE-2015-0245
* SECURITY UPDATE: arbitrary code execution or denial of service via
format string vulnerability
- debian/patches/format_string.patch: do not use non-literal format
string in bus/activation.c.
- No CVE number
New changelog entries:
* SECURITY UPDATE: denial of service via large number of fds
- debian/patches/CVE-2014-7824.patch: raise rlimit and restore it for
activated services in bus/activation.c, bus/bus.*,
dbus/dbus-sysdeps-util-unix.c, dbus/dbus-sysdeps-util-win.c,
dbus/dbus-sysdeps.h.
- debian/dbus.init: don't launch daemon as a user so the rlimit can be
raised.
- CVE-2014-7824
* SECURITY REGRESSION: authentication timeout on certain slower systems
- debian/patches/CVE-2014-3639-regression.patch: raise auth_timeout
back up to 30 secs in bus/config-parser.c, add a warning to
bus/connection.c.
- CVE-2014-3639
New changelog entries:
* SECURITY UPDATE: buffer overrun via odd max_message_unix_fds
- debian/patches/CVE-2014-3635.patch: do not accept extra fds in cmsg padding
in dbus/dbus-sysdeps-unix.c, allow using _DBUS_STATIC_ASSERT at a
non-global scope in dbus/dbus-internals.h, dbus/dbus-macros.h.
- CVE-2014-3635
* SECURITY UPDATE: denial of service via large number of fds
- debian/patches/CVE-2014-3636.patch: reduce max number of fds in
bus/config-parser.c, bus/session.conf.in, dbus/dbus-message.c,
dbus/dbus-sysdeps.h.
- CVE-2014-3636
* SECURITY UPDATE: denial of service via persistent file descriptors
- debian/patches/CVE-2014-3637.patch: add a timeout to expire pending
fds in bus/bus.*, bus/config-parser.c, bus/connection.c,
bus/session.conf.in, cmake/bus/dbus-daemon.xml,
dbus/dbus-connection-internal.h, dbus/dbus-connection.c,
dbus/dbus-message-internal.h, dbus/dbus-message-private.h,
dbus/dbus-message.c, dbus/dbus-transport.*.
- CVE-2014-3637
* SECURITY UPDATE: denial of service via large number of pending replies
- debian/patches/CVE-2014-3638.patch: reduce max_replies_per_connection
to 128 in bus/config-parser.c.
- CVE-2014-3638
* SECURITY UPDATE: denial of service via incomplete connections
- debian/patches/CVE-2014-3639.patch: reduce auth_timeout in
bus/config-parser.c, stop listening on DBusServer sockets when
reaching max_incomplete_connections in bus/bus.*, bus/connection.*,
dbus/dbus-server-protected.h, dbus/dbus-server.c, dbus/dbus-watch.*.
- CVE-2014-3639
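The entries above tighten several dbus-daemon resource limits (max_replies_per_connection, auth_timeout, the maximum number of unix fds per message, a timeout for pending fds, and max_incomplete_connections). As an added illustration that is not part of this changelog or of the dbus project's shipped configuration, the fragment below shows how such limits are expressed as `<limit>` elements in a dbus-daemon configuration file. The value 128 for max_replies_per_connection and the 30-second auth_timeout (given in milliseconds, as dbus-daemon expects) come from the entries; the values for the other three limits are assumptions chosen for the example, not the distribution's defaults.

```xml
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <!-- Cap outstanding method_call replies a single connection may have
       in flight; 128 is the value named in the CVE-2014-3638 entry. -->
  <limit name="max_replies_per_connection">128</limit>

  <!-- Time allowed for a connection to finish SASL authentication,
       in milliseconds; 30000 ms matches the 30 secs in the
       CVE-2014-3639 regression entry. -->
  <limit name="auth_timeout">30000</limit>

  <!-- Assumed value: connections that have not completed authentication
       stop being accepted once this many are pending. -->
  <limit name="max_incomplete_connections">64</limit>

  <!-- Assumed value: maximum unix fds attached to one message. -->
  <limit name="max_message_unix_fds">16</limit>

  <!-- Assumed value: milliseconds a received fd may sit in the
       daemon's buffers before the connection is dropped. -->
  <limit name="pending_fd_timeout">150000</limit>
</busconfig>
```

Fragments like this are normally dropped into the bus's configuration directory rather than edited into the main system.conf, and the effective values can be checked by reading the daemon's merged configuration after a restart.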
New changelog entries:
* SECURITY UPDATE: denial of service via activation errors
- debian/patches/CVE-2014-3477.patch: improve error handling in
bus/activation.*, bus/services.c.
- CVE-2014-3477
* SECURITY UPDATE: denial of service via ETOOMANYREFS
- debian/patches/CVE-2014-3532.patch: drop message on ETOOMANYREFS in
dbus/dbus-sysdeps.*, dbus/dbus-transport-socket.c.
- CVE-2014-3532
* SECURITY UPDATE: denial of service via invalid file descriptor
- debian/patches/CVE-2014-3533.patch: fix memory handling in
dbus/dbus-message.c.
- CVE-2014-3533
New changelog entries:
* aa-mediate-eavesdropping.patch: Query AppArmor when confined applications
attempt to eavesdrop on the bus. See the apparmor.d(5) man page for
AppArmor syntax details. (LP: #1262440)
* debian/control: Depend on the apparmor version containing the new
eavesdrop permission