From: wangmy Date: Mon, 10 Oct 2022 08:43:09 +0000 (+0800) Subject: dbus: upgrade 1.14.0 -> 1.14.4 X-Git-Tag: 2022-10.3-langdale~146 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fbf8ea03aeb04e1efdc9693a66d618275bddc172;p=thirdparty%2Fopenembedded%2Fopenembedded-core.git dbus: upgrade 1.14.0 -> 1.14.4 dbus 1.14.4 (2022-10-05) ======================== This is a security update for the dbus 1.14.x stable branch, fixing denial-of-service issues (CVE-2022-42010, -42011, -42012) and applying security hardening (dbus#416). Behaviour changes: • On Linux, dbus-daemon and other uses of DBusServer now create a path-based Unix socket, unix:path=..., when asked to listen on a unix:tmpdir=... address. This makes unix:tmpdir=... equivalent to unix:dir=... on all platforms. Previous versions would have created an abstract socket, unix:abstract=..., in this situation. This change primarily affects the well-known session bus when run via dbus-launch(1) or dbus-run-session(1). The user bus, enabled by configuring dbus with --enable-user-session and running it on a systemd system, already used path-based Unix sockets and is unaffected by this change. This behaviour change prevents a sandbox escape via the session bus socket in sandboxing frameworks that can share the network namespace with the host system, such as Flatpak. This change might cause a regression in situations where the abstract socket is intentionally shared between the host system and a chroot or container, such as some use-cases of schroot(1). That regression can be resolved by using a bind-mount to share either the D-Bus socket, or the whole /tmp directory, with the chroot or container. (dbus#416, Simon McVittie) Denial of service fixes: Evgeny Vereshchagin discovered several ways in which an authenticated local attacker could cause a crash (denial of service) in dbus-daemon --system or a custom DBusServer. In uncommon configurations these could potentially be carried out by an authenticated remote attacker. • An invalid array of fixed-length elements where the length of the array is not a multiple of the length of the element would cause an assertion failure in debug builds or an out-of-bounds read in production builds. This was a regression in version 1.3.0. (dbus#413, CVE-2022-42011; Simon McVittie) • A syntactically invalid type signature with incorrectly nested parentheses and curly brackets would cause an assertion failure in debug builds. Similar messages could potentially result in a crash or incorrect message processing in a production build, although we are not aware of a practical example. (dbus#418, CVE-2022-42010; Simon McVittie) • A message in non-native endianness with out-of-band Unix file descriptors would cause a use-after-free and possible memory corruption in production builds, or an assertion failure in debug builds. This was a regression in version 1.3.0. (dbus#417, CVE-2022-42012; Simon McVittie) dbus 1.14.2 (2022-09-26) ======================== Fixes: • Fix build failure on FreeBSD (dbus!277, Alex Richardson) • Fix build failure on macOS with launchd enabled (dbus!287, Dawid Wróbel) • Preserve errno on failure to open /proc/self/oom_score_adj (dbus!285, Gentoo#834725; Mike Gilbert) • On Linux, don't log warnings if oom_score_adj is read-only but does not need to be changed (dbus!291, Simon McVittie) • Slightly improve error-handling for inotify (dbus!235, Simon McVittie) • Don't crash if dbus-daemon is asked to watch more than 128 directories for changes (dbus!302, Jan Tojnar) • Autotools build system fixes: · Don't treat --with-x or --with-x=yes as a request to disable X11, fixing a regression in 1.13.20. Instead, require X11 libraries and fail if they cannot be detected. (dbus!263, Lars Wendler) · When a CMake project uses an Autotools-built libdbus in a non-standard prefix, find dbus-arch-deps.h successfully (dbus#314, Simon McVittie) · Don't include generated XML catalog in source releases (dbus!317, Jan Tojnar) · Improve robustness of detecting gcc __sync atomic builtins (dbus!320, Alex Richardson) • CMake build system fixes: · Detect endianness correctly, fixing interoperability with other D-Bus implementations on big-endian systems (dbus#375, Ralf Habacker) · When building for Unix, install session and system bus setup in the intended locations (dbus!267, dbus!297; Ralf Habacker, Alex Richardson) · Detect setresuid() and getresuid() (dbus!319, Alex Richardson) · Detect backtrace() on FreeBSD (dbus!281, Alex Richardson) · Don't include headers from parent directory (dbus!282, Alex Richardson) · Distinguish between host and target TMPDIR when cross-compiling (dbus!279, Alex Richardson) · Fix detection of atomic operations (dbus!306, Alex Richardson) Tests and CI enhancements: • On Unix, skip tests that switch uid if run in a container that is unable to do so, instead of failing (dbus#407, Simon McVittie) • Use the latest MSYS2 packages for CI (Ralf Habacker, Simon McVittie) License-Update: D-Bus changed to dbus. Signed-off-by: Wang Mingyu Signed-off-by: Alexandre Belloni (cherry picked from commit 8c2ab4c014807e2d8ad0fded4188578aa05e8c55) Signed-off-by: Steve Sakoman --- diff --git a/meta/recipes-core/dbus/dbus_1.14.0.bb b/meta/recipes-core/dbus/dbus_1.14.4.bb similarity index 96% rename from meta/recipes-core/dbus/dbus_1.14.0.bb rename to meta/recipes-core/dbus/dbus_1.14.4.bb index 863e35faf76..5f91ec2dc1e 100644 --- a/meta/recipes-core/dbus/dbus_1.14.0.bb +++ b/meta/recipes-core/dbus/dbus_1.14.4.bb @@ -6,8 +6,9 @@ SECTION = "base" inherit autotools pkgconfig gettext upstream-version-is-even ptest-gnome LICENSE = "AFL-2.1 | GPL-2.0-or-later" -LIC_FILES_CHKSUM = "file://COPYING;md5=10dded3b58148f3f1fd804b26354af3e \ - file://dbus/dbus.h;beginline=6;endline=20;md5=866739837ccd835350af94dccd6457d8" +LIC_FILES_CHKSUM = "file://COPYING;md5=6423dcd74d7be9715b0db247fd889da3 \ + file://dbus/dbus.h;beginline=6;endline=20;md5=866739837ccd835350af94dccd6457d8 \ + " SRC_URI = "https://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.xz \ file://run-ptest \ @@ -15,7 +16,7 @@ SRC_URI = "https://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.xz \ file://dbus-1.init \ " -SRC_URI[sha256sum] = "ccd7cce37596e0a19558fd6648d1272ab43f011d80c8635aea8fd0bad58aebd4" +SRC_URI[sha256sum] = "7c0f9b8e5ec0ff2479383e62c0084a3a29af99edf1514e9f659b81b30d4e353e" EXTRA_OECONF = "--disable-xml-docs \ --disable-doxygen-docs \