summaryrefslogtreecommitdiff
AgeCommit message (Collapse)AuthorFilesLines
2015-01-31adjust changelog: point to the bug the triggers addressedSimon McVittie1-1/+1
2015-01-30Relax the triggers from interest to interest-noawait (Closes: #771989; ↵Simon McVittie2-2/+17
mitigates: #776063) This is not strictly correct, because the purpose of the triggers is to set up the .conf, .service files for system services before those services satisfy dependencies. However, it mitigates #776063 (apt getting into a stuck state during upgrades), and should in principle be redundant anyway, because dbus-daemon is meant to use inotify to keep up with configuration changes. See #771989, #776063 for details.
2015-01-02New upstream release to harden dbus-daemon against packages that install ↵Simon McVittie1-0/+7
unsafe security policy configurations.
2015-01-02Merge tag 'upstream/1.8.14'Simon McVittie9-19/+214
Upstream version 1.8.14
2015-01-02Imported Upstream version 1.8.14upstream/1.8.14Simon McVittie9-19/+214
2014-12-23preinst: partially revert change from 1.8.12-2debian/1.8.12-3Simon McVittie3-23/+14
* preinst: partially revert change from 1.8.12-2. It seems that the preinst is too late to add a useful dpkg-statoverride entry: dpkg has already loaded the statoverride database by this point, and if we add the entry in the preinst, dpkg-statoverride won't run and have its --update side-effect in the postinst. (Closes: #773107, #773838) * postinst: don't run dpkg-statoverride with 2>/dev/null: in the unlikely event that it fails for a reason other than "not overridden" (which results in silently exiting 1), we'll want to know about it.
2014-12-21Make dbus-daemon-launch-helper permissions more robust (Closes: #773107)debian/1.8.12-2Simon McVittie4-2/+42
* postinst: use dpkg-statoverride to set the permissions for dbus-daemon-launch-helper (expected to be 04754 root:messagebus) as suggested in Policy §10.9. This avoids a temporarily broken state when an upgraded dbus is unpacked but not yet configured (Closes: #773107) * preinst: opportunistically set up the same dpkg-statoverride entry if the group already exists, to avoid the same broken state during upgrades from older versions without needing Pre-Depends: adduser * postrm: delete the dpkg-statoverride entry on purge
2014-11-241.8.12-1debian/1.8.12-1Simon McVittie2-0/+44
2014-11-24Merge tag 'upstream/1.8.12'Simon McVittie9-19/+80
Upstream version 1.8.12
2014-11-24Imported Upstream version 1.8.12upstream/1.8.12Simon McVittie9-19/+80
2014-11-06prepare releasedebian/1.8.10-1Simon McVittie1-2/+2
2014-11-06Start 'dbus-daemon --system' as root under sysvinit, so it can increase its ↵Simon McVittie2-1/+4
file descriptor limit
2014-11-06New upstream release 1.8.10Simon McVittie1-0/+9
- raise dbus-daemon's file descriptor limit to 65536 to avoid an opportunity for denial of service (CVE-2014-7824, an incomplete fix for CVE-2014-3636)
2014-11-06Merge tag 'upstream/1.8.10'Simon McVittie11-65/+260
Upstream version 1.8.10
2014-11-06Imported Upstream version 1.8.10upstream/1.8.10Simon McVittie11-65/+260
2014-11-06Embargoed security release for MondaySimon McVittie2-4/+11
2014-11-06CVE-2014-7824: set fd rlimit to 64k for the system dbus-daemonSimon McVittie6-43/+227
This ensures that our rlimit is actually high enough to avoid the denial of service described in CVE-2014-3636 part A. CVE-2014-7824 has been allocated for this incomplete fix. Restore the original rlimit for activated services, to avoid them getting undesired higher limits. (Thanks to Alban Crequy for various adjustments which have been included in this commit.) Bug: https://bugs.freedesktop.org/show_bug.cgi?id=85105 Reviewed-by: Alban Crequy <alban.crequy@collabora.co.uk>
2014-10-06releasedebian/1.8.8-2Simon McVittie1-2/+2
2014-10-06Remove Build-Profiles control field until the syntax settles down (Closes: ↵Simon McVittie2-3/+2
#764222)
2014-10-06Use --with-valgrind=auto (supported since 1.7.6) for the debug buildSimon McVittie2-10/+2
2014-10-06Make Build-Profiles field comply with updated spec (patch from Johannes ↵Simon McVittie2-5/+7
Schauer, Closes: #764222)
2014-09-30Build against libsystemd-devMichael Biebl2-6/+7
In systemd v209 the various libraries were merged into a single libsystemd library.
2014-09-22debian/dbus.bug-control: when people report bugs against dbus, also report ↵Simon McVittie2-0/+10
the status of systemd and systemd-sysv (because those alter how system service activation works), and dbus-x11 (because that's responsible for normal session bus setup)
2014-09-161.8.9Simon McVittie2-1/+6
2014-09-15debian/copyright: fix glob syntax, .[ch] is not supporteddebian/1.8.8-1Simon McVittie2-3/+4
2014-09-15New upstream release fixes several security issuesSimon McVittie1-3/+19
- CVE-2014-3635: do not accept an extra fd in cmsg padding, avoiding a buffer overrun in dbus-daemon or system services - CVE-2014-3636: reduce maximum number of file descriptors per message from 1024 to 16, to avoid two separate denial-of-service attacks that could cause system services to be dropped from the bus - CVE-2014-3637: time out connections that have a partially-sent message containing a file descriptor, so that malicious processes cannot use self-referential file descriptors to make a connection that will never close - CVE-2014-3638: reduce maximum number of pending replies per connection to avoid algorithmic complexity DoS - CVE-2014-3639: reduce timeout for authentication and do not accept() new connections when all unauthenticated connection slots are in use, so that malicious processes cannot prevent new connections to the system bus
2014-09-15Merge tag 'upstream/1.8.8'Simon McVittie41-299/+697
Upstream version 1.8.8
2014-09-15Imported Upstream version 1.8.8upstream/1.8.8Simon McVittie41-299/+697
2014-09-15Prepare 1.8.8 (embargoed until tomorrow)dbus-1.8.8Simon McVittie2-4/+42
2014-09-15_dbus_read_socket_with_unix_fds: do not accept extra fds in cmsg paddingSimon McVittie1-6/+43
This addresses CVE-2014-3635. If (*n_fds * sizeof (int) % sizeof (size_t)) is nonzero, then CMSG_SPACE (*n_fds * sizeof (int)) > CMSG_LEN (*n_fds * sizeof (int) because the SPACE includes padding to a size_t boundary, whereas the LEN does not. We have to allocate the SPACE. Previously, we told the kernel that the buffer size we wanted was the SPACE, not the LEN, which meant it was free to fill the padding with additional fds: on a 64-bit platform with 32-bit int, that's one extra fd, if *n_fds happens to be odd. This meant that a malicious sender could send exactly 1 fd too many, which would make us fail an assertion if enabled, or overrun a buffer by 1 fd otherwise. Bug: https://bugs.freedesktop.org/show_bug.cgi?id=83622 Reviewed-by: Alban Crequy <alban.crequy@collabora.co.uk>
2014-09-15Add _DBUS_GNUC_UNUSED, and use it in _DBUS_STATIC_ASSERTSimon McVittie2-1/+4
This means we can use _DBUS_STATIC_ASSERT at non-global scope without tripping -Wunused-local-typedefs. Bug: https://bugs.freedesktop.org/show_bug.cgi?id=83767 Reviewed-by: Alban Crequy <alban.crequy@collabora.co.uk> (cherry picked from commit 0e3d08d45cb9a9ceb2c077875eeb38306dad37b8)
2014-09-15bus: enforce pending_fd_timeoutAlban Crequy1-0/+71
This is one of four commits needed to address CVE-2014-3637. The bus uses _dbus_connection_set_pending_fds_function and _dbus_connection_get_pending_fds_count to be notified when there are pending file descriptors. A timeout per connection is armed and disarmed when the file descriptor list is used and emptied. Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80559 Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
2014-09-15DBusConnection: implements _dbus_connection_set_pending_fds_functionAlban Crequy7-0/+70
This is one of four commits needed to address CVE-2014-3637. This will allow the bus to be notified whenever a file descriptor is added or removed from a DBusConnection's DBusMessageLoader. Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80559 Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
2014-09-15DBusConnection: implements _dbus_connection_get_pending_fds_countAlban Crequy6-0/+40
This is one of four commits needed to address CVE-2014-3637. This will allow the bus to know whether there are pending file descriptors in a DBusConnection's DBusMessageLoader. https://bugs.freedesktop.org/show_bug.cgi?id=80559 Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk> [fix compilation on platforms that do not HAVE_UNIX_FD_PASSING -smcv] Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
2014-09-15config: add new limit: pending_fd_timeoutAlban Crequy5-0/+25
This is one of four commits needed to address CVE-2014-3637. When a file descriptor is passed to dbus-daemon, the associated D-Bus message might not be fully sent to dbus-daemon yet. Dbus-daemon keeps the file descriptor in the DBusMessageLoader of the connection, waiting for the rest of the message. If the client stops sending the remaining bytes, dbus-daemon will wait forever and keep that file descriptor. This patch adds pending_fd_timeout (milliseconds) in the configuration to disconnect a connection after a timeout when a file descriptor was sent but not the remaining message. Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80559 Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
2014-09-15Stop listening on DBusServer sockets when reaching max_incomplete_connectionsAlban Crequy8-42/+88
This addresses the parts of CVE-2014-3639 not already addressed by reducing the default authentication timeout. Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80851 Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80919 Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
2014-09-15config: change default auth_timeout to 5 secondsAlban Crequy1-1/+1
This partially addresses CVE-2014-3639. This will change the default on the system bus where the limit <limit name="auth_timeout">...</limit> is not specified. Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80919 Reviewed-by: Thiago Macieira <thiago@kde.org> Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
2014-09-15config: change DEFAULT_MESSAGE_UNIX_FDS to 16Simon McVittie6-18/+11
This addresses CVE-2014-3636. Based on a patch by Alban Crequy. Now that it's the same on all platforms, there's little point in it being set by configure/cmake. This change fixes two distinct denials of service: fd.o#82820, part A ------------------ Before this patch, the system bus had the following default configuration: - max_connections_per_user: 256 - DBUS_DEFAULT_MESSAGE_UNIX_FDS: usually 1024 (or 256 on QNX, see fd.o#61176) as defined by configure.ac - max_incoming_unix_fds: DBUS_DEFAULT_MESSAGE_UNIX_FDS*4 = usually 4096 - max_outgoing_unix_fds: DBUS_DEFAULT_MESSAGE_UNIX_FDS*4 = usually 4096 - max_message_unix_fds: DBUS_DEFAULT_MESSAGE_UNIX_FDS = usually 1024 This means that a single user could create 256 connections and transmit 256*4096 = 1048576 file descriptors. The file descriptors stay attached to the dbus-daemon process while they are in the message loader, in the outgoing queue or waiting to be dispatched before D-Bus activation. dbus-daemon is usually limited to 65536 file descriptors (ulimit -n). If the limit is reached and dbus-daemon needs to receive a message with a file descriptor attached, this is signalled by recvfrom with the flag MSG_CTRUNC. Dbus-daemon cannot recover from that error because the kernel does not have any API to retrieve a file descriptor which has been discarded with MSG_CTRUNC. Therefore, it closes the connection of the sender. This is not necessarily the connection which generated the most file descriptors so it can lead to denial-of-service attacks. In order to prevent DoS issues, this patch reduces DEFAULT_MESSAGE_UNIX_FDS to 16: max_connections_per_user * max_incoming_unix_fds = 256 * 64 = 16384 This is less than the usual "ulimit -n" (65536) with a good margin to accomodate the other sources of file descriptors (stdin/stdout/stderr, listening sockets, message loader, etc.). Distributors on non-Linux may need to configure a smaller limit in system.conf, if their limit on the number of fds is smaller than Linux's. fd.o#82820, part B ------------------ On Linux, it's not possible to send more than 253 fds in a single sendmsg() call: sendmsg() would return -EINVAL. #define SCM_MAX_FD 253 SCM_MAX_FD changed value during Linux history: - it used to be (OPEN_MAX-1) - commit c09edd6eb (Jul 2007) changed it to 255 - commit bba14de98 (Nov 2010) changed it to 253 Libdbus always sends all of a message's fds, and the beginning of the message itself, in a single sendmsg() call. Combining these two, a malicious sender could split a message across two or more sendmsg() calls to construct a composite message with 254 or more fds. When dbus-daemon attempted to relay that message to its recipient in a single sendmsg() call, it would receive EINVAL, interpret that as a fatal socket error and disconnect the recipient, resulting in denial of service. This is fixed by keeping max_message_unix_fds <= SCM_MAX_FD. Bug: https://bugs.freedesktop.org/show_bug.cgi?id=82820 Reviewed-by: Alban Crequy <alban.crequy@collabora.co.uk>
2014-09-15system bus limit: use max_replies_per_connection=128 by defaultAlban Crequy1-1/+1
This addresses CVE-2014-3638. Bug: https://bugs.freedesktop.org/show_bug.cgi?id=81053 Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
2014-09-15NEWS for 1.8Simon McVittie1-0/+4
2014-09-15On Linux, call prctl to disable core dumpsSimon McVittie2-1/+21
Whenever I forget to turn off corekeeper, the regression tests take ages to record all test-segfault's crashes. Bug: https://bugs.freedesktop.org/show_bug.cgi?id=83772 Reviewed-by: Alban Crequy <alban.crequy@collabora.co.uk>
2014-09-12NEWS for 1.8.xSimon McVittie1-0/+7
2014-09-12enable build support without systemd compatibility librariesUmut Tezduyar Lindskog1-4/+7
systemd 209 merged all the libraries to libsystemd. Old libraries can still be enabled with --enable-compat-libs switch in systemd but this increases the binary size. Implement a fallback library check in case compat libraries dont exist. [Fixed underquoting; switched priority so we try libsystemd first -smcv] Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
2014-09-12Bump dbus up to Priority: standardSimon McVittie2-0/+7
Without it, systemd-logind does not run a getty on tty2..tty6. (Matching ftp-master action in #759293)
2014-09-07Fix windows doc for running tests.Ralf Habacker1-4/+9
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=41252 Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
2014-09-05NEWS for 1.8Simon McVittie1-1/+4
2014-09-04Stats: fix compilation issueAlban Crequy1-1/+3
Bug-Gentoo: https://bugs.gentoo.org/show_bug.cgi?id=507232 Bug: https://bugs.freedesktop.org/show_bug.cgi?id=81043 Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
2014-08-21Don't attempt config reload if dbus system bus is not running.Michael Biebl2-6/+8
There is no point to attemp a reload if the system bus is not running and we avoid a warning upon initial installation this way. Update the comment to reflect recent changes.
2014-08-13Target unstabledebian/1.8.6-2Sjoerd Simons1-2/+2
2014-08-13debian/dbus.posinst: When triggered only poke the dbus-daemon, don't run ↵Sjoerd Simons2-10/+29
update-rc.d/invoke-rc.d as added by dh_installinit. This prevent some odd-corner when being triggered during init system upgrade (Closes: #754404)