[no description] https://git.osdyson.ru/mirror/pkgsrc/atom?h=trunk 2022-10-06T21:29:56Z 2022-10-06T21:29:56Z wiz wiz@pkgsrc.org 2022-10-06T21:29:56Z urn:sha1:78c0ba60e5ea10e0b1b8c6fb469dd8ef040bbd71 dbus 1.14.4 (2022-10-05) ======================== This is a security update for the dbus 1.14.x stable branch, fixing denial-of-service issues (CVE-2022-42010, -42011, -42012) and applying security hardening (dbus#416). Behaviour changes: • On Linux, dbus-daemon and other uses of DBusServer now create a path-based Unix socket, unix:path=..., when asked to listen on a unix:tmpdir=... address. This makes unix:tmpdir=... equivalent to unix:dir=... on all platforms. Previous versions would have created an abstract socket, unix:abstract=..., in this situation. This change primarily affects the well-known session bus when run via dbus-launch(1) or dbus-run-session(1). The user bus, enabled by configuring dbus with --enable-user-session and running it on a systemd system, already used path-based Unix sockets and is unaffected by this change. This behaviour change prevents a sandbox escape via the session bus socket in sandboxing frameworks that can share the network namespace with the host system, such as Flatpak. This change might cause a regression in situations where the abstract socket is intentionally shared between the host system and a chroot or container, such as some use-cases of schroot(1). That regression can be resolved by using a bind-mount to share either the D-Bus socket, or the whole /tmp directory, with the chroot or container. (dbus#416, Simon McVittie) Denial of service fixes: Evgeny Vereshchagin discovered several ways in which an authenticated local attacker could cause a crash (denial of service) in dbus-daemon --system or a custom DBusServer. In uncommon configurations these could potentially be carried out by an authenticated remote attacker. • An invalid array of fixed-length elements where the length of the array is not a multiple of the length of the element would cause an assertion failure in debug builds or an out-of-bounds read in production builds. This was a regression in version 1.3.0. (dbus#413, CVE-2022-42011; Simon McVittie) • A syntactically invalid type signature with incorrectly nested parentheses and curly brackets would cause an assertion failure in debug builds. Similar messages could potentially result in a crash or incorrect message processing in a production build, although we are not aware of a practical example. (dbus#418, CVE-2022-42010; Simon McVittie) • A message in non-native endianness with out-of-band Unix file descriptors would cause a use-after-free and possible memory corruption in production builds, or an assertion failure in debug builds. This was a regression in version 1.3.0. (dbus#417, CVE-2022-42012; Simon McVittie) 2022-10-03T12:44:00Z wiz wiz@pkgsrc.org 2022-10-03T12:44:00Z urn:sha1:c950e81ab087c82d6d05e112cd3085908e5cc6f2 dbus 1.14.2 (2022-09-26) ======================== Fixes: • Fix build failure on FreeBSD (dbus!277, Alex Richardson) • Fix build failure on macOS with launchd enabled (dbus!287, Dawid Wróbel) • Preserve errno on failure to open /proc/self/oom_score_adj (dbus!285, Gentoo#834725; Mike Gilbert) • On Linux, don't log warnings if oom_score_adj is read-only but does not need to be changed (dbus!291, Simon McVittie) • Slightly improve error-handling for inotify (dbus!235, Simon McVittie) • Don't crash if dbus-daemon is asked to watch more than 128 directories for changes (dbus!302, Jan Tojnar) • Autotools build system fixes: · Don't treat --with-x or --with-x=yes as a request to disable X11, fixing a regression in 1.13.20. Instead, require X11 libraries and fail if they cannot be detected. (dbus!263, Lars Wendler) · When a CMake project uses an Autotools-built libdbus in a non-standard prefix, find dbus-arch-deps.h successfully (dbus#314, Simon McVittie) · Don't include generated XML catalog in source releases (dbus!317, Jan Tojnar) · Improve robustness of detecting gcc __sync atomic builtins (dbus!320, Alex Richardson) • CMake build system fixes: · Detect endianness correctly, fixing interoperability with other D-Bus implementations on big-endian systems (dbus#375, Ralf Habacker) · When building for Unix, install session and system bus setup in the intended locations (dbus!267, dbus!297; Ralf Habacker, Alex Richardson) · Detect setresuid() and getresuid() (dbus!319, Alex Richardson) · Detect backtrace() on FreeBSD (dbus!281, Alex Richardson) · Don't include headers from parent directory (dbus!282, Alex Richardson) · Distinguish between host and target TMPDIR when cross-compiling (dbus!279, Alex Richardson) · Fix detection of atomic operations (dbus!306, Alex Richardson) Tests and CI enhancements: • On Unix, skip tests that switch uid if run in a container that is unable to do so, instead of failing (dbus#407, Simon McVittie) • Use the latest MSYS2 packages for CI (Ralf Habacker, Simon McVittie) 2022-05-25T09:33:53Z jperkin jperkin@pkgsrc.org 2022-05-25T09:33:53Z urn:sha1:04c5fce474b5e3953e88dc7a95507ce41355cb4c Bump PKGREVISION as this was a configure test that was failing. The build would succeed, but the resulting binaries would just break at runtime with a "you do not have socketpair support" error. Thanks for that, dbus. 2022-03-20T15:19:21Z wiz wiz@pkgsrc.org 2022-03-20T15:19:21Z urn:sha1:d6060a06a1bae49e5e1481cbdbbd05b026043e91 2022-03-20T13:37:13Z wiz wiz@pkgsrc.org 2022-03-20T13:37:13Z urn:sha1:34fe0e76de8bdd861851d1ef48d56ffb3cf50983 To fix interaction between dbus and xfce4. Debugging by martin@ Bump PKGREVISION. 2022-03-08T19:23:48Z wiz wiz@pkgsrc.org 2022-03-08T19:23:48Z urn:sha1:6746545c5a785c85b5600a4c9fe0e17e6f6869bd 2022-03-08T11:16:00Z wiz wiz@pkgsrc.org 2022-03-08T11:16:00Z urn:sha1:509bde234bed57869ff9e792ae426cca1be4c8a3 1.14.x is a new stable branch, superseding 1.12.x. Summary of major changes between 1.12.x and 1.14.0 -------------------------------------------------- Dependencies: • On Unix platforms, if getpwnam_r() and getgrnam_r() are implemented, they must be POSIX-conformant. The non-POSIX signature seen in ancient Solaris versions will no longer work. ... Deprecations: • Third-party software should install default dbus policies for the system bus into ${datadir}/dbus-1/system.d (this has been supported since dbus 1.10, released in August 2015). Installing default dbus policies in ${sysconfdir}/dbus-1/system.d is now considered to be deprecated. Policy files in ${sysconfdir}/dbus-1/system.d continue to be read, but this directory should only be used by system administrators wishing to override the default policies. The ${datadir} applicable to dbus is usually /usr/share and the ${sysconfdir} is usually /etc. • A similar pattern applies to the session bus policies in session.d. • The dbus-send(1) man page now documents --bus and --peer instead of the old --address synonym for --peer, which has been deprecated since the introduction of --bus and --peer in 1.7.6 • The dbus-daemon man page now has scarier warnings about <allow_anonymous/> and non-local TCP, which are insecure and should not be used, particularly for the standard system and session buses • DBusServer (and hence the dbus-daemon) no longer accepts usernames (login names) for the recommended EXTERNAL authentication mechanism, only numeric user IDs or the empty string. See 1.13.0 release notes for full details. New features: • On Linux 4.13 or later when built against a suitable glibc version, GetConnectionCredentials() now includes UnixGroupIDs, the effective group IDs of the initiator of the connection, taken from SO_PEERGROUPS. • On Linux 4.13 or later, <policy group="…"> now uses the SO_PEERGROUPS credentials-passing socket option to get the effective group IDs of the initiator of the connection. See 1.13.4 release notes for details. • Add a --sender option to dbus-send, which requests a name and holds it until the signal has been sent • dbus-daemon <allow> and <deny> rules can now specify a send_destination_prefix attribute, which is like a combination of send_destination and the arg0namespace keyword in match rules. See 1.13.12 release notes for more details • The dbus-daemon now filters the messages that it relays, removing header fields that it does not understand. Clients must not rely on this behaviour unless they have confirmed that they are connected to a suitable message bus implementation, for example by querying its Features property. • The dbus-daemon now emits a signal, ActivatableServicesChanged, when the list of activatable services may have changed. Support for this signal can be discovered by querying the Features property. • It is now possible to disable traditional (non-systemd) service activation at build-time (Autotools: --disable-traditional-activation, CMake: -DENABLE_TRADITIONAL_ACTIVATION=OFF). See 1.13.10 release notes for details. • The API reference manual can be built as a Qt compiled help file if qhelpgenerator(-qt5) is available. See 1.13.16 release notes for details. Miscellaneous behaviour changes: • When using the "user bus" (--enable-user-session), put the dbus-daemon in the session slice • Several environment variables set by systemd are no longer passed on to activated services • If the dbus-daemon is compiled for Linux with systemd support, it now informs systemd that it is ready for use via the sd_notify() mechanism 2022-01-27T09:02:58Z nros nros@pkgsrc.org 2022-01-27T09:02:58Z urn:sha1:c30342c98e884e7de5f35affff2bb43f3068ceab 2022-01-20T16:38:21Z nros nros@pkgsrc.org 2022-01-20T16:38:21Z urn:sha1:8b4af520b078ac3ea6a66e9c19ad4d05c05f8290 Only remove -fPIE and -pie when PKGSRC_MKPIE is no. The buildlink transforms make the tools become non-pie. This causes the PIE checks to fail. 2021-11-07T19:14:15Z khorben khorben@pkgsrc.org 2021-11-07T19:14:15Z urn:sha1:150ff9559ea4a95710e0313ff55fb3f320bd150b This takes advantage of the introduction of the SYSCONFBASE variable. Tested on NetBSD/amd64. Bumps PKGREVISION.