Fixes the following security issues:
- CVE-2019-12749: Do not attempt to carry out DBUS_COOKIE_SHA1
authentication for identities that differ from the user running the
DBusServer. Previously, a local attacker could manipulate symbolic links
in their own home directory to bypass authentication and connect to a
DBusServer with elevated privileges. The standard system and session
dbus-daemons in their default configuration were immune to this attack
because they did not allow DBUS_COOKIE_SHA1, but third-party users of
DBusServer such as Upstart could be vulnerable. Thanks to Joe Vennix of
Apple Information Security.
For details, see the advisory:
https://www.openwall.com/lists/oss-security/2019/06/11/2
Also contains a number of other smaller fixes, including fixes for memory
leaks. For details, see NEWS:
https://gitlab.freedesktop.org/dbus/dbus/blob/dbus-1.12/NEWS
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Remove --enable-abstract-sockets; dropped upstream. Remove
ac_cv_have_abstract_sockets that is dropped as well.
Remove --disable-selinux; we handle selinux as an optional dependency
below.
Remove --{enable,disable}-dnotify; this options has been removed in
version 1.7.6, broken since 2010.
Remove --with-init-scripts; dropped upstream.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
>From http://www.openwall.com/lists/oss-security/2017/02/16/4
The latest dbus release 1.10.16 fixes two symlink attacks in
non-production-suitable configurations. I am treating these as bugs
rather than practical vulnerabilities, and very much hope neither of
these is going to affect any real users, but I'm reporting them to
oss-security in case there's an attack vector that I've missed.
No CVEs assigned so far.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2014-8148 - If a system service installs unsafe security
policy rules that allow arbitrary method calls then this prevents memory
consumption and possible privilege escalation via
UpdateActivationEnvironment.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes:
CVE-2014-7824 - Denial of service via incomplete fix for CVE-2014-3636
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
