Opened 10 years ago

Closed 10 years ago

#46504 closed update (fixed)

Update: dbus 1.8.14

Reported by: Schamschula (Marius Schamschula) Owned by: MarcusCalhoun-Lopez (Marcus Calhoun-Lopez)
Priority: Normal Milestone:
Component: ports Version: 2.3.3
Keywords: haspatch Cc: scn@…
Port: dbus

Description

dbus has been updated to version 1.8.14:

The “40lb of roofing nails” release.

Security hardening:

• Do not allow calls to UpdateActivationEnvironment from uids other than
  the uid of the dbus-daemon. If a system service installs unsafe
  security policy rules that allow arbitrary method calls
  (such as CVE-2014-8148) then this prevents memory consumption and
  possible privilege escalation via UpdateActivationEnvironment.

  We believe that in practice, privilege escalation here is avoided
  by dbus-daemon-launch-helper sanitizing its environment; but
  it seems better to be safe.

• Do not allow calls to UpdateActivationEnvironment or the Stats interface
  on object paths other than /org/freedesktop/DBus. Some system services
  install unsafe security policy rules that allow arbitrary method calls
  to any destination, method and interface with a specified object path;
  while less bad than allowing arbitrary method calls, these security
  policies are still harmful, since dbus-daemon normally offers the
  same API on all object paths and other system services might behave
  similarly.

Attachments (1)

Portfile-dbus.diff (806 bytes) - added by Schamschula (Marius Schamschula) 10 years ago.

Download all attachments as: .zip

Change History (4)

comment:1 Changed 10 years ago by ryandesign (Ryan Carsten Schmidt)

Cc: mcalhoun@… removed
Owner: changed from macports-tickets@… to mcalhoun@…

Changed 10 years ago by Schamschula (Marius Schamschula)

Attachment: Portfile-dbus.diff added

comment:2 Changed 10 years ago by Schamschula (Marius Schamschula)

In the meantime dbus has been updated to version 1.8.16:

The “poorly concealed wrestlers” release.

Security fixes:

• Do not allow non-uid-0 processes to send forged ActivationFailure
  messages. On Linux systems with systemd activation, this would
  allow a local denial of service: unprivileged processes could
  flood the bus with these forged messages, winning the race with
  the actual service activation and causing an error reply
  to be sent back when service auto-activation was requested.
  This does not prevent the real service from being started,
  so it only works while the real service is not running.
  (CVE-2015-0245, fd.o #88811; Simon McVittie)

comment:3 Changed 10 years ago by nerdling (Jeremy Lavergne)

Cc: scn@… added
Resolution: fixed
Status: newclosed
Note: See TracTickets for help on using tickets.