Commit 61e47df2 authored by Simon McVittie

Imported Upstream version 1.8.12

parent d9ad458c
......@@ -11,6 +11,11 @@ of patches, etc. should go there.
Security
===
If you find a security vulnerability that is not known to the public,
please report it privately to dbus-security@lists.freedesktop.org
or by reporting a freedesktop.org bug that is marked as
restricted to the "D-BUS security group".
Most of D-Bus is security sensitive. Guidelines related to that:
- avoid memcpy(), sprintf(), strlen(), snprintf, strlcat(),
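Review bot: The private-reporting paragraph added at the top of this Security section is a second copy of the one this commit adds to README, and the two copies already differ: the README text ends with '(you might need to "Show Advanced Fields" to have that option)' and this one does not. Suggest keeping the full instructions in one file and pointing to them from the other, so the reporting address and the bug-restriction steps cannot drift apart.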
......
D-Bus 1.8.12 (2014-11-24)
==
The “days of fuchsia passed” release.
Fixes:
• Partially revert the CVE-2014-3639 patch by increasing the default
authentication timeout on the system bus from 5 seconds back to 30
seconds, since this has been reported to cause boot regressions for
some users, mostly with parallel boot (systemd) on slower hardware.
On fast systems where local users are considered particularly hostile,
administrators can return to the 5 second timeout (or any other value
in milliseconds) by saving this as /etc/dbus-1/system-local.conf:
<busconfig>
<limit name="auth_timeout">5000</limit>
</busconfig>
(fd.o #86431, Simon McVittie)
• Add a message in syslog/the Journal when the auth_timeout is exceeded
(fd.o #86431, Simon McVittie)
• Send back an AccessDenied error if the addressed recipient is not allowed
to receive a message (and in builds with assertions enabled, don't
assert under the same conditions). (fd.o #86194, Jacek Bukarewicz)
D-Bus 1.8.10 (2014-11-10)
==
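Review bot: The first bullet says the timeout is raised "on the system bus", but the config-parser hunk in this commit changes the value assigned in bus_config_parser_new and its visible lines show no bus-type condition. If other buses take their auth_timeout from somewhere else, say so here or in the code comment; if not, drop "on the system bus" so administrators of other bus instances know that their default moved from 5 to 30 seconds as well.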
......
......@@ -29,6 +29,25 @@ If your use-case isn't one of these, D-Bus may still be useful, but
only by accident; so you should evaluate carefully whether D-Bus makes
sense for your project.
Security
==
If you find a security vulnerability that is not known to the public,
please report it privately to dbus-security@lists.freedesktop.org
or by reporting a freedesktop.org bug that is marked as
restricted to the "D-BUS security group" (you might need to "Show
Advanced Fields" to have that option).
On Unix systems, the system bus (dbus-daemon --system) is designed
to be a security boundary between users with different privileges.
On Unix systems, the session bus (dbus-daemon --session) is designed
to be used by a single user, and only accessible by that user.
We do not currently consider D-Bus on Windows to be security-supported,
and we do not recommend allowing untrusted users to access Windows
D-Bus via TCP.
Note: low-level API vs. high-level binding APIs
===
......
......@@ -1660,7 +1660,7 @@ bus_context_check_security_policy (BusContext *context,
complain_about_message (context, DBUS_ERROR_ACCESS_DENIED,
"Rejected receive message", toggles,
message, sender, proposed_recipient, requested_reply,
(addressed_recipient == proposed_recipient), NULL);
(addressed_recipient == proposed_recipient), error);
_dbus_verbose ("security policy disallowing message due to recipient policy\n");
return FALSE;
}
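Review bot: The last argument of complain_about_message now receives the caller's error instead of NULL, so this "return FALSE" path relies on that call always leaving error set. Please confirm this also holds when the complaint text cannot be built (for example on allocation failure), so that no caller sees FALSE with an unset error, and add a regression test that sends to a recipient whose policy denies receipt and checks for the AccessDenied reply described in NEWS.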
......
......@@ -438,7 +438,7 @@ bus_config_parser_new (const DBusString *basedir,
* and legitimate auth will fail. If interactive auth (ask user for
* password) is allowed, then potentially it has to be quite long.
*/
parser->limits.auth_timeout = 5000; /* 5 seconds */
parser->limits.auth_timeout = 30000; /* 30 seconds */
/* Do not allow a fd to stay forever in dbus-daemon
* https://bugs.freedesktop.org/show_bug.cgi?id=80559
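Review bot: The new value "30000; /* 30 seconds */" carries no record of why the shorter hardening value was given up, while the limit that follows it cites its bug URL in the comment. Suggest extending the comment above the assignment with the fd.o #86431 reference and a short note that 5000 was tried for CVE-2014-3639 and caused boot regressions, so the next person tuning this value sees the trade-off and knows that the auth_timeout limit in the configuration file is the supported way to tighten it.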
......
......@@ -860,6 +860,14 @@ bus_connections_expire_incomplete (BusConnections *connections)
if (elapsed >= (double) auth_timeout)
{
/* Unfortunately, we can't identify the connection: it doesn't
* have a unique name yet, we don't know its uid/pid yet,
* and so on. */
bus_context_log (connections->context, DBUS_SYSTEM_LOG_INFO,
"Connection has not authenticated soon enough, closing it "
"(auth_timeout=%dms, elapsed: %.0fms)",
auth_timeout, elapsed);
_dbus_verbose ("Timing out authentication for connection %p\n", connection);
dbus_connection_close (connection);
}
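Review bot: The new bus_context_log call runs once for every connection that expires in this branch, and those connections are by definition not yet authenticated, so the volume of DBUS_SYSTEM_LOG_INFO lines is controlled by peers the daemon cannot identify. Suggest rate-limiting or coalescing the message (for example, one line per expiry pass with a count of the connections closed) so that a burst of stalled connections cannot crowd other entries out of syslog or the Journal. The comment explaining why no uid/pid can be logged is helpful and should stay.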
......
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.69 for dbus 1.8.10.
# Generated by GNU Autoconf 2.69 for dbus 1.8.12.
#
# Report bugs to <https://bugs.freedesktop.org/enter_bug.cgi?product=dbus>.
#
......@@ -591,8 +591,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='dbus'
PACKAGE_TARNAME='dbus'
PACKAGE_VERSION='1.8.10'
PACKAGE_STRING='dbus 1.8.10'
PACKAGE_VERSION='1.8.12'
PACKAGE_STRING='dbus 1.8.12'
PACKAGE_BUGREPORT='https://bugs.freedesktop.org/enter_bug.cgi?product=dbus'
PACKAGE_URL=''
......@@ -1513,7 +1513,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
\`configure' configures dbus 1.8.10 to adapt to many kinds of systems.
\`configure' configures dbus 1.8.12 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
......@@ -1587,7 +1587,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
short | recursive ) echo "Configuration of dbus 1.8.10:";;
short | recursive ) echo "Configuration of dbus 1.8.12:";;
esac
cat <<\_ACEOF
......@@ -1784,7 +1784,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
dbus configure 1.8.10
dbus configure 1.8.12
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
......@@ -2503,7 +2503,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
It was created by dbus $as_me 1.8.10, which was
It was created by dbus $as_me 1.8.12, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
......@@ -3446,7 +3446,7 @@ fi
# Define the identity of the package.
PACKAGE='dbus'
VERSION='1.8.10'
VERSION='1.8.12'
cat >>confdefs.h <<_ACEOF
......@@ -3746,7 +3746,7 @@ LT_CURRENT=11
## increment any time the source changes; set to
## 0 if you increment CURRENT
LT_REVISION=8
LT_REVISION=9
## increment if any interfaces have been added; set to 0
## if any interfaces have been changed or removed. removal has
......@@ -3759,8 +3759,8 @@ LT_AGE=8
DBUS_MAJOR_VERSION=1
DBUS_MINOR_VERSION=8
DBUS_MICRO_VERSION=10
DBUS_VERSION=1.8.10
DBUS_MICRO_VERSION=12
DBUS_VERSION=1.8.12
......@@ -23428,7 +23428,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
This file was extended by dbus $as_me 1.8.10, which was
This file was extended by dbus $as_me 1.8.12, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
......@@ -23494,7 +23494,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
dbus config.status 1.8.10
dbus config.status 1.8.12
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
......
......@@ -3,7 +3,7 @@ AC_PREREQ([2.63])
m4_define([dbus_major_version], [1])
m4_define([dbus_minor_version], [8])
m4_define([dbus_micro_version], [10])
m4_define([dbus_micro_version], [12])
m4_define([dbus_version],
[dbus_major_version.dbus_minor_version.dbus_micro_version])
AC_INIT([dbus],[dbus_version],[https://bugs.freedesktop.org/enter_bug.cgi?product=dbus],[dbus])
......@@ -37,7 +37,7 @@ LT_CURRENT=11
## increment any time the source changes; set to
## 0 if you increment CURRENT
LT_REVISION=8
LT_REVISION=9
## increment if any interfaces have been added; set to 0
## if any interfaces have been changed or removed. removal has
......
......@@ -70,7 +70,7 @@
# compiler: $LTCC
# compiler flags: $LTCFLAGS
# linker: $LD (gnu? $with_gnu_ld)
# $progname: (GNU libtool) 2.4.2 Debian-2.4.2-1.10
# $progname: (GNU libtool) 2.4.2 Debian-2.4.2-1.11
# automake: $automake_version
# autoconf: $autoconf_version
#
......@@ -80,7 +80,7 @@
PROGRAM=libtool
PACKAGE=libtool
VERSION="2.4.2 Debian-2.4.2-1.10"
VERSION="2.4.2 Debian-2.4.2-1.11"
TIMESTAMP=""
package_revision=1.3337
......