Package: dbus / 1.6.8-1+deb7u6
Metadata
Package | Version | Patches format |
---|---|---|
dbus | 1.6.8-1+deb7u6 | 3.0 (quilt) |
Patch series
view the series filePatch | File delta | Description |
---|---|---|
01_no fatal warnings.patch | (download) |
dbus/dbus-internals.c |
2 1 + 1 - 0 ! |
don't abort on fatal warnings by default Date: 2006-11-14 15:35:00 +0100 This behaviour can be controlled by the DBUS_FATAL_WARNINGS enviroment variable. This will be set to upstream default again at some point so if you have an application that prints a DBus warning get it fixed. |
0001 CVE 2013 2168 _dbus_printf_string_upper_bound copy t.patch | (download) |
dbus/dbus-sysdeps-unix.c |
16 13 + 3 - 0 ! |
cve-2013-2168: _dbus_printf_string_upper_bound: copy the va_list for each use Using a va_list more than once is non-portable: it happens to work under the ABI of (for instance) x86 Linux, but not x86-64 Linux. This led to _dbus_printf_string_upper_bound() crashing if it should have returned exactly 1024 bytes. Many system services can be induced to process a caller-controlled string in ways that end up using _dbus_printf_string_upper_bound(), so this is a denial of service. |
0001 CVE 2014 3477 deliver activation errors correctly fi.patch | (download) |
bus/activation.c |
27 20 + 7 - 0 ! |
[patch] cve-2014-3477: deliver activation errors correctly, fixing Denial of Service How it should work: When a D-Bus message activates a service, LSMs (SELinux or AppArmor) check whether the message can be delivered after the service has been activated. The service is considered activated when its well-known name is requested with org.freedesktop.DBus.RequestName. When the message delivery is denied, the service stays activated but should not receive the activating message (the message which triggered the activation). dbus-daemon is supposed to drop the activating message and reply to the sender with a D-Bus error message. However, it does not work as expected: 1. The error message is delivered to the service instead of being delivered to the sender. As an example, the error message could be something like: An SELinux policy prevents this sender from sending this message to this recipient, [...] member="MaliciousMethod" If the sender and the service are malicious confederates and agree on a protocol to insert information in the member name, the sender can leak information to the service, even though the LSM attempted to block the communication between the sender and the service. 2. The error message is delivered as a reply to the RequestName call from service. It means the activated service will believe it cannot request the name and might exit. The sender could activate the service frequently and systemd will give up activating it. Thus the denial of service. The following changes fix the bug: - bus_activation_send_pending_auto_activation_messages() only returns an error in case of OOM. The prototype is changed to return TRUE, or FALSE on OOM (and its only caller sets the OOM error). - When a client is not allowed to talk to the service, a D-Bus error message is pre-allocated to be delivered to the client as part of the transaction. The error is not propagated to the caller so RequestName will not fail (except on OOM). [fixed a misleading comment -smcv] Bug: https://bugs.freedesktop.org/show_bug.cgi?id=78979 |
Handle ETOOMANYREFS when sending recursive fds SCM_R.patch | (download) |
dbus/dbus-sysdeps.c |
14 14 + 0 - 0 ! |
[patch 2/2] handle etoomanyrefs when sending recursive fds (SCM_RIGHTS) Since Linux commit 25888e (from 2.6.37-rc4, Nov 2010), sendmsg() on Unix sockets returns -1 errno=ETOOMANYREFS ("Too many references: cannot splice") when the passfd mechanism (SCM_RIGHTS) is "abusively" used recursively by applications. A malicious client could use this to force a victim system service to be disconnected from the system bus; the victim would likely respond by exiting. This is a denial of service (fd.o #80163, CVE-2014-3532). This patch silently drops the D-Bus message on ETOOMANYREFS and does not close the connection. Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80163 |
If loader contains two messages with fds don t corru.patch | (download) |
dbus/dbus-message.c |
2 1 + 1 - 0 ! |
[patch 1/2] if loader contains two messages with fds, don't corrupt the second There were two bugs here: we would previously overwrite the unused fds with the already-used fds instead of the other way round, and we would copy n bytes where we should have copied n ints. Additionally, sending crafted messages in a chosen sequence to a victim system service could cause an invalid file descriptor to be present when dbus-daemon tries to forward one of those crafted messages to the victim, causing sendmsg() to fail with EBADF, which resulted in disconnecting the victim service, which would likely respond to that by exiting. This is a denial of service (fd.o #80469, CVE-2014-3533). Bug: https://bugs.freedesktop.org/show_bug.cgi?id=79694 Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80469 |
0001 system bus limit use max_replies_per_connection 128 .patch | (download) |
bus/config-parser.c |
2 1 + 1 - 0 ! |
[patch 01/10] system bus limit: use max_replies_per_connection=128 by default This addresses CVE-2014-3638. Bug: https://bugs.freedesktop.org/show_bug.cgi?id=81053 |
0002 config change DEFAULT_MESSAGE_UNIX_FDS to 16.patch | (download) |
bus/config-parser.c |
6 3 + 3 - 0 ! |
[patch 02/11] config: change default_message_unix_fds to 16 Based on a patch by Alban Crequy. Now that it's the same on all platforms, there's little point in it being set by configure/cmake. This change fixes two distinct denials of service: fd.o#82820, part A |
0003 config change default auth_timeout to 5 seconds.patch | (download) |
bus/config-parser.c |
2 1 + 1 - 0 ! |
[patch 03/10] config: change default auth_timeout to 5 seconds This partially addresses CVE-2014-3639. This will change the default on the system bus where the limit <limit name="auth_timeout">...</limit> is not specified. Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80919 |
0004 Stop listening on DBusServer sockets when reaching m.patch | (download) |
bus/bus.c |
37 37 + 0 - 0 ! |
[patch 04/10] stop listening on dbusserver sockets when reaching max_incomplete_connections This addresses the parts of CVE-2014-3639 not already addressed by reducing the default authentication timeout. Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80851 Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80919 |
0005 config add new limit pending_fd_timeout.patch | (download) |
bus/bus.c |
6 6 + 0 - 0 ! |
[patch 05/10] config: add new limit: pending_fd_timeout This is one of four commits needed to address CVE-2014-3637. When a file descriptor is passed to dbus-daemon, the associated D-Bus message might not be fully sent to dbus-daemon yet. Dbus-daemon keeps the file descriptor in the DBusMessageLoader of the connection, waiting for the rest of the message. If the client stops sending the remaining bytes, dbus-daemon will wait forever and keep that file descriptor. This patch adds pending_fd_timeout (milliseconds) in the configuration to disconnect a connection after a timeout when a file descriptor was sent but not the remaining message. Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80559 |
0006 DBusConnection implements _dbus_connection_get_pendi.patch | (download) |
dbus/dbus-connection-internal.h |
1 1 + 0 - 0 ! |
[patch 06/10] dbusconnection: implements _dbus_connection_get_pending_fds_count This is one of four commits needed to address CVE-2014-3637. This will allow the bus to know whether there are pending file descriptors in a DBusConnection's DBusMessageLoader. https://bugs.freedesktop.org/show_bug.cgi?id=80559 |
0007 DBusConnection implements _dbus_connection_set_pendi.patch | (download) |
dbus/dbus-connection-internal.h |
5 5 + 0 - 0 ! |
[patch 07/10] dbusconnection: implements _dbus_connection_set_pending_fds_function This is one of four commits needed to address CVE-2014-3637. This will allow the bus to be notified whenever a file descriptor is added or removed from a DBusConnection's DBusMessageLoader. Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80559 |
0008 bus enforce pending_fd_timeout.patch | (download) |
bus/connection.c |
71 71 + 0 - 0 ! |
[patch 08/10] bus: enforce pending_fd_timeout This is one of four commits needed to address CVE-2014-3637. The bus uses _dbus_connection_set_pending_fds_function and _dbus_connection_get_pending_fds_count to be notified when there are pending file descriptors. A timeout per connection is armed and disarmed when the file descriptor list is used and emptied. Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80559 |
0010 _dbus_read_socket_with_unix_fds do not accept extra .patch | (download) |
dbus/dbus-sysdeps-unix.c |
49 43 + 6 - 0 ! |
[patch 10/10] _dbus_read_socket_with_unix_fds: do not accept extra fds in cmsg padding This addresses CVE-2014-3635. If (*n_fds * sizeof (int) % sizeof (size_t)) is nonzero, then CMSG_SPACE (*n_fds * sizeof (int)) > CMSG_LEN (*n_fds * sizeof (int) because the SPACE includes padding to a size_t boundary, whereas the LEN does not. We have to allocate the SPACE. Previously, we told the kernel that the buffer size we wanted was the SPACE, not the LEN, which meant it was free to fill the padding with additional fds: on a 64-bit platform with 32-bit int, that's one extra fd, if *n_fds happens to be odd. This meant that a malicious sender could send exactly 1 fd too many, which would make us fail an assertion if enabled, or overrun a buffer by 1 fd otherwise. Bug: https://bugs.freedesktop.org/show_bug.cgi?id=83622 |
0001 CVE 2014 7824 set fd rlimit to 64k for the system db.patch | (download) |
bus/activation.c |
28 27 + 1 - 0 ! |
[patch] cve-2014-7824: set fd rlimit to 64k for the system dbus-daemon This ensures that our rlimit is actually high enough to avoid the denial of service described in CVE-2014-3636 part A. CVE-2014-7824 has been allocated for this incomplete fix. Restore the original rlimit for activated services, to avoid them getting undesired higher limits. (Thanks to Alban Crequy for various adjustments which have been included in this commit.) Bug: https://bugs.freedesktop.org/show_bug.cgi?id=85105 |
0001 Log to syslog when auth_timeout drops an incomplete .patch | (download) |
bus/connection.c |
8 8 + 0 - 0 ! |
[patch 1/2] log to syslog when auth_timeout drops an incomplete connection This is a symptom of either a denial of service attack, or a serious performance problem. Either way, sysadmins should know. Bug: https://bugs.freedesktop.org/show_bug.cgi?id=86431 |
0002 Revert config change default auth_timeout to 5 secon.patch | (download) |
bus/config-parser.c |
2 1 + 1 - 0 ! |
[patch 2/2] revert "config: change default auth_timeout to 5 seconds" This reverts commit 54d26df52b6a394bea175651d1d7ad2ab3f87dea. It appears this change may cause intermittent slow or failed boot, more commonly on slower/older machines, in at least Mageia and possibly also Debian. This would indicate that while the system is under load, system services are not completing authentication within 5 seconds. This change was not the main part of fixing CVE-2014-3639, but does help to mitigate that attack. As such, increasing this timeout makes the denial of service attack described by CVE-2014-3639 somewhat more effective: a local user connecting to the system bus repeatedly from many parallel processes can cause other users' attempts to connect to take longer. If your machine boots reliably with the shorter timeout, and resilience against local denial of service attacks is important to you, putting this in /etc/dbus-1/system-local.conf or a file matching /etc/dbus-1/system.d/*.conf can restore the lower limit: <busconfig> <limit name="auth_timeout">5000</limit> </busconfig> Bug: https://bugs.freedesktop.org/show_bug.cgi?id=86431 |
0001 CVE 2015 0245 prevent forged ActivationFailure from .patch | (download) |
bus/system.conf.in |
8 8 + 0 - 0 ! |
[patch] cve-2015-0245: prevent forged activationfailure from non-root processes Without either this rule or better checking in dbus-daemon, non-systemd processes can make dbus-daemon think systemd failed to activate a system service, resulting in an error reply back to the requester. This is redundant with the fix in the C code (which I consider to be the real solution), but is likely to be easier to backport. Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88811 |