From 29586aed965844ffb35b4d859e02f6973a67f33c Mon Sep 17 00:00:00 2001
From: Fabrice Fontaine
Date: Sat, 15 Oct 2022 00:20:51 +0200
Subject: [PATCH] package/dbus: security bump to version 1.12.24
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Denial of service fixes:

Evgeny Vereshchagin discovered several ways in which an authenticated local attacker could cause a crash (denial of service) in dbus-daemon --system or a custom DBusServer. In uncommon configurations these could potentially be carried out by an authenticated remote attacker.

• An invalid array of fixed-length elements where the length of the array is not a multiple of the length of the element would cause an assertion failure in debug builds or an out-of-bounds read in production builds. This was a regression in version 1.3.0. (dbus#413, CVE-2022-42011; Simon McVittie)

• A syntactically invalid type signature with incorrectly nested parentheses and curly brackets would cause an assertion failure in debug builds. Similar messages could potentially result in a crash or incorrect message processing in a production build, although we are not aware of a practical example. (dbus#418, CVE-2022-42010; Simon McVittie)

• A message in non-native endianness with out-of-band Unix file descriptors would cause a use-after-free and possible memory corruption in production builds, or an assertion failure in debug builds. This was a regression in version 1.3.0. (dbus#417, CVE-2022-42012; Simon McVittie)

https://gitlab.freedesktop.org/dbus/dbus/-/blob/dbus-1.12.24/NEWS

Signed-off-by: Fabrice Fontaine
Signed-off-by: Peter Korsgaard
---
 package/dbus/dbus.hash | 4 ++--
 package/dbus/dbus.mk   | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/package/dbus/dbus.hash b/package/dbus/dbus.hash
index 176396fe2f..17c70004ba 100644
--- a/package/dbus/dbus.hash
+++ b/package/dbus/dbus.hash
@@ -1,7 +1,7 @@ # Locally calculated after checking pgp signature -# https://dbus.freedesktop.org/releases/dbus/dbus-1.12.22.tar.gz.asc +# https://dbus.freedesktop.org/releases/dbus/dbus-1.12.24.tar.gz.asc # using key 36EC5A6448A4F5EF79BEFE98E05AE1478F814C4F -sha256 8d25785c798ec4f892e6f9d177fb0ceeb8b29867b119798f9d5228561d3ad474 dbus-1.12.22.tar.gz +sha256 bc42d196c1756ac520d61bf3ccd6f42013617def45dd1e591a6091abf51dca38 dbus-1.12.24.tar.gz # Locally calculated sha256 0e46f54efb12d04ab5c33713bacd0e140c9a35b57ae29e03c853203266e8f3a1 COPYING diff --git a/package/dbus/dbus.mk b/package/dbus/dbus.mk index a3a21c1bcc..b3a79c431d 100644 --- a/package/dbus/dbus.mk +++ b/package/dbus/dbus.mk @@ -6,7 +6,7 @@ # When updating dbus, check if there are changes in session.conf and # system.conf, and update the versions in the dbus-broker package accordingly. -DBUS_VERSION = 1.12.22 +DBUS_VERSION = 1.12.24 DBUS_SITE = https://dbus.freedesktop.org/releases/dbus DBUS_LICENSE = AFL-2.1 or GPL-2.0+ (library, tools), GPL-2.0+ (tools) DBUS_LICENSE_FILES = COPYING
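Review bot: in the dbus.hash hunk, the retained comment "# Locally calculated after checking pgp signature" / "# using key 36EC5A6448A4F5EF79BEFE98E05AE1478F814C4F" is the only evidence of provenance for the new "sha256 bc42d196c1756ac520d61bf3ccd6f42013617def45dd1e591a6091abf51dca38 dbus-1.12.24.tar.gz" line, and the commit message itself never states that the 1.12.24 tarball's .asc signature was verified against that key before the hash was recorded. For a security bump, add one sentence to the commit message confirming the signature check and that the signing key is unchanged, so a reviewer can tell the new hash was not simply copied from a download. The COPYING hash being left untouched is consistent with the message, which reports only code fixes and no license change.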
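Review bot: in the dbus.mk hunk, the unchanged context directly above the bumped line, "# When updating dbus, check if there are changes in session.conf and" / "# system.conf, and update the versions in the dbus-broker package accordingly.", imposes a requirement that this commit does not account for: the message describes the three CVE fixes but says nothing about whether session.conf or system.conf changed between 1.12.22 and 1.12.24, nor whether package/dbus-broker needs a matching version update. Add a sentence to the commit message stating that the two configuration files were compared and giving the result (no change, or a pointer to the dbus-broker follow-up), so the check the comment asks for is visible in the record rather than assumed.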