Also apply system.conf and session.conf updates to dbus-broker.
License file is changed due to:
-D-Bus is licensed to you under your choice of the Academic Free
+dbus is licensed to you under your choice of the Academic Free
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes the following security issues:
- CVE-2023-34969: Fix an assertion failure in dbus-daemon when a privileged
Monitoring connection (dbus-monitor, busctl monitor, gdbus monitor or
similar) is active, and a message from the bus driver cannot be delivered
to a client connection due to <deny> rules or outgoing message quota.
This is a denial of service if triggered maliciously by a local attacker.
- Fix an incorrect assertion that could be used to crash dbus-daemon or
other users of DBusServer prior to authentication, if libdbus was compiled
with assertions enabled.
For details, see the NEWS file:
https://gitlab.freedesktop.org/dbus/dbus/blob/dbus-1.12/NEWS
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
Denial of service fixes:
Evgeny Vereshchagin discovered several ways in which an authenticated
local attacker could cause a crash (denial of service) in
dbus-daemon --system or a custom DBusServer. In uncommon configurations
these could potentially be carried out by an authenticated remote
attacker.
• An invalid array of fixed-length elements where the length of the
array is not a multiple of the length of the element would cause an
assertion failure in debug builds or an out-of-bounds read in
production builds. This was a regression in version 1.3.0.
(dbus#413, CVE-2022-42011; Simon McVittie)
• A syntactically invalid type signature with incorrectly nested
parentheses and curly brackets would cause an assertion failure in
debug builds. Similar messages could potentially result in a crash or
incorrect message processing in a production build, although we are
not aware of a practical example. (dbus#418, CVE-2022-42010;
Simon McVittie)
• A message in non-native endianness with out-of-band Unix file
descriptors would cause a use-after-free and possible memory
corruption in production builds, or an assertion failure in debug
builds. This was a regression in version 1.3.0. (dbus#417,
CVE-2022-42012; Simon McVittie)
https://gitlab.freedesktop.org/dbus/dbus/-/blob/dbus-1.12.24/NEWS
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
dbus-broker is an alternate implementation of a dbus daemon. It can be
used as a drop-in replacement for the system bus daemon, as well as the
session bus daemon.
dbus-broker is (basically, and as far as we're concerned in Buildroot)
split in two components:
- the actual message bus daemon, that relays messages across clients
- a launcher, which is responsible for setting various aspects of the
bus, like setting the policy et al. and opening the socket(s) the
message bus daemon will have to listen on...
The launcher can only be used in a systemd setup (it makes heavy use of
systemd facilities), while the message bus is generic. However, the
message bus daemon is useless without a launcher. There does not exist a
non-systemd launcher, which makes dbus-broker actually a systemd-only
package; this can be revisited when/if a non-systemd launcher appears.
Note, however, that libdbus is not provided by dbus-broker. People who
want to use dbus-broker as the bus daemon, and need libdbus, will have
to enable both.
If only original dbus is enabled, things stay as they are now. This is
for the moment still the default, though we should change that once
dbus-broker has proven to work.
If only dbus-broker is enabled, it installs the necessary socket
activation units and dbus configuration files. The daemon is not
launched at boot time; instead it is socket-activated when a client
connects to the bus the first time.
If both original dbus and dbus-broker are enabled, we have a conflict
with the configuration files, the socket activation file. Also, original
dbus activates the daemon as a service in multi-user.target.wants, so it
is not socket-activated and dbus-broker would never get the opportunity
to start.
Therefore, original dbus is updated to remove the conflicting files and
the activation of dbus-daemon. Since dbus-broker installs some of the
same file that original dbus removes, we have to add a dependency to
make sure that the ones installed by dbus-broker aren't removed.
If both are installed, it is still possible to revert back to using
original dbus as system bus:
- at build-time: by calling systemctl enable/disable from a
post-build script (preferred), or by providing drop-in units
or presets in an overlay (less preferred) or custom skeleton
(as a last resort),
- at runtime (on a RW filesystem): by calling systemctl
enable/disable
Note about the user: the path to the system bus socket is a so-called
"well-known location": it is expected to be there, by spec. Moving it
elsewhere is going to break existing programs. So, the user running the
system bus daemon must be able to create that socket.
As we may have two packages providing a system bus daemon, they have to
be both able to create the socket, and thus must both be able to write
in the directory containing the socket. And since they can be switched
at runtime, they must be running as the same user.
We can't just reference the original dbus user, so we duplicate the
entry. What is important, is that the user be named 'dbus', as that's
what we use in both cases.
If both original dbus and dbus-broker are selected, the dbus user is
included twice, but the specifications are identical so that's fine.
mkusers will create the user only once.
Finally, the licensing terms are pretty trivial for dbus-broker itself,
but it makes use of third-party code that it inherits as git submodules
(that are bundled in the release archive). Thus the licensing is a bit
convoluted... The third-party codes claim to be licensed as "Apache-2.0
and LGP-2.1+" in their AUTHORS files, but at the same time claim
"**Apache-2.0** OR **LGPL-2.1-or-later**" in their README files. The
individual source files (that are used) do not seem to have any
licensing header to clarify the situation. So we represent the situation
with "Apache-2.0 and/or LGPL-2.1+".
Signed-off-by: Norbert Lange <nolange79@gmail.com>
[yann.morin.1998@free.fr:
- don't select systemd; depend on it instead
- only install config files and systemd units without original dbus
- install a user to run the message bus as
- fix licensing info
- entirely reword and extend the commit log
- add myself to DEVELOPERS as well
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
[Arnout:
- Use dbus-broker as system bus if both are selected.
- Remove conflicting files from dbus installation.
- Simplify symbolic link creation.
- Add comment to remind update of session.conf and system.conf.
]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
This patch adds CPE ID information for a significant number of
packages.
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
--with-xml option has been dropped seven years ago in version 1.7.4 and
46602768c5
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Select the dbus SElinux module so that it will be compiled in the
refpolicy. This way, if an SELinux policy is generated, dbus will be
supported.
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This fixes an issue if host-dbus happens to be rebuilt after systemd, in
which case it autodetects systemd support but then ignored the prefix
when installing unit files. That means that is tries to write to the
host system's /usr/lib/ which fails.
There is no reason to build and install systemd support in the host
build, so disable it explicitly.
Signed-off-by: John Keeping <john@metanate.com>
Tested-by: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
All init systems supported by Buildroot have a /run directory and have
a symlink for /var/run -> /run.
Use the /run directory directly.
Signed-off-by: Norbert Lange <nolange79@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
- Fix CVE-2020-12049: An issue was discovered in dbus >= 1.3.0 before
1.12.18. The DBusServer in libdbus, as used in dbus-daemon, leaks file
descriptors when a message exceeds the per-message file descriptor
limit. A local attacker with access to the D-Bus system bus or another
system service's private AF_UNIX socket could use this to make the
system service reach its file descriptor limit, denying service to
subsequent D-Bus clients.
- Also update indentation in hash file (two spaces)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
The D-Bus installation process installs dbus-daemon-launch-helper as
follows:
chown root:$(DBUS_USER) $(DESTDIR)$(libexecdir)/dbus-daemon-launch-helper$(EXEEXT); \
chmod 4750 $(DESTDIR)$(libexecdir)/dbus-daemon-launch-helper$(EXEEXT); \
And when the installation does not take place as root (like is the
case in the context of Buildroot), it prints:
echo "Not installing $(DESTDIR)$(libexecdir)/dbus-daemon-launch-helper binary setuid!"; \
echo "You'll need to manually set permissions to root:$(DBUS_USER) and permissions 4750"; \
So let's adjust the installation logic of dbus-daemon-launch-helper to
match these requirements.
Signed-off-by: Norbert Lange <nolange79@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes the following security issues:
- CVE-2019-12749: Do not attempt to carry out DBUS_COOKIE_SHA1
authentication for identities that differ from the user running the
DBusServer. Previously, a local attacker could manipulate symbolic links
in their own home directory to bypass authentication and connect to a
DBusServer with elevated privileges. The standard system and session
dbus-daemons in their default configuration were immune to this attack
because they did not allow DBUS_COOKIE_SHA1, but third-party users of
DBusServer such as Upstart could be vulnerable. Thanks to Joe Vennix of
Apple Information Security.
For details, see the advisory:
https://www.openwall.com/lists/oss-security/2019/06/11/2
Also contains a number of other smaller fixes, including fixes for memory
leaks. For details, see NEWS:
https://gitlab.freedesktop.org/dbus/dbus/blob/dbus-1.12/NEWS
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Remove --enable-abstract-sockets; dropped upstream. Remove
ac_cv_have_abstract_sockets that is dropped as well.
Remove --disable-selinux; we handle selinux as an optional dependency
below.
Remove --{enable,disable}-dnotify; this options has been removed in
version 1.7.6, broken since 2010.
Remove --with-init-scripts; dropped upstream.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
After c0ad6ded01 expat: security bump to version 2.2.1
the system can hang on startup under certain circumstances.
This happens when:
* we use systemd as init system
* the random nonblocking pool takes a while to initialize
* this apparently doesn't happen on qemu, so this would not have
been caught by the runtime testing infrastructure
* it also doesn't seem to happen when network booting
For a more detailed description of the bug see here:
https://bugs.freedesktop.org/show_bug.cgi?id=101858
The patch should be in next dbus version 1.10.24
Set DBUS_AUTORECONF = YES because configure.ac is changed.
Signed-off-by: Marcus Hoffmann <m.hoffmann@cartelsol.com>
[Arnout: add upstream commit sha + Marcus's Sob to the patch]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Change site to https to avoid a redirection.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Since things are no longer installed in $(HOST_DIR)/usr, the callers
should also not refer to it.
This is a mechanical change with
git grep -l '$(HOST_DIR)/usr/bin' | xargs sed -i 's%$(HOST_DIR)/usr/bin%$(HOST_DIR)/bin%g'
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
There was already a post-build hook to delete the /var/lib/dbus symlink
created by buildroot after the package's own installation, to prevent
a dbus installation error during "make dbus-rebuild". However, this
misses the case for when one might delete the .stamp_target_installed
file manually, outside of dbus-rebuild. This can be fixed by changing
the post-build hook to a pre-install hook. This seems appropriate,
since it is really addressing an installation issue, not a build issue.
Signed-off-by: Danomi Manchego <danomimanchego123@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
We want to use SPDX identifier for license string as much as possible.
SPDX short identifier for AFLv2.1 is AFL-2.1.
This change is done using following command.
find . -name "*.mk" | xargs sed -ri '/LICENSE( )?[\+:]?=/s/AFLv2.1(\+)?/AFL-2.1\1/g'
Signed-off-by: Rahul Bedarkar <rahulbedarkar89@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
We want to use SPDX identifier for license strings as much as possible.
SPDX short identifier for GPLv2/GPLv2+ is GPL-2.0/GPL-2.0+.
This change is done by using following command.
find . -name "*.mk" | xargs sed -ri '/LICENSE( )?[\+:]?=/s/\<GPLv2\>/GPL-2.0/g'
Signed-off-by: Rahul Bedarkar <rahulbedarkar89@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
>From http://www.openwall.com/lists/oss-security/2017/02/16/4
The latest dbus release 1.10.16 fixes two symlink attacks in
non-production-suitable configurations. I am treating these as bugs
rather than practical vulnerabilities, and very much hope neither of
these is going to affect any real users, but I'm reporting them to
oss-security in case there's an attack vector that I've missed.
No CVEs assigned so far.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Otherwise it will install $(TARGET_DIR)/etc/rc.d/init.d/messagebus when
building on a redhat/fedora host.
Regardless of that we provide our own initscript.
Signed-off-by: Gustavo Zacarias <gustavo.zacarias@free-electrons.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Library and some tools (dbus-lanuch, dbus-run-session) are dual
licensed under GPLv2 or AFLv2.1 and others (dbus-monitor, dbus-send,
dbus-cleanup-sockets, dbus-uuidgen) are licensed under GPLv2+
only.
Reviewed-by: Marcin Nowakowski <marcin.nowakowski@imgtec.com>
Signed-off-by: Rahul Bedarkar <rahul.bedarkar@imgtec.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
As was suggested by the <pkg>_DEPENDENCIES variable, the audit support
in DBus requires both audit and libcap-ng. However, it didn't take
care of the fact that libcap-ng must be enabled in the configuration
to depend on it, causing some build failures with the newly added
check.
DBus configure.ac confirms that both packages are needed to enable
audit support, so we simply fix the condition to only be true when
both BR2_PACKAGE_AUDIT *and* BR2_PACKAGE_LIBCAP_NG are true.
Fixes:
http://autobuild.buildroot.org/results/239/23953cc66faecb65e9ebf1f6980924f823d736a2/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
To detect X11 support dbus uses the autoconf macro AC_PATH_XTRA
http://cgit.freedesktop.org/dbus/dbus/tree/configure.ac#n1264
This macro checks for the optional presence of libICE:
http://git.savannah.gnu.org/gitweb/?p=autoconf.git;a=blob;f=lib/autoconf/libs.m4;h=d2040d731f81fc1693e01d118c45d51ad169d56a;hb=HEAD#l472
quoting dbus configure with libICE not present:
checking for IceConnectionNumber in -lICE... no
quoting dbus configure with libICE being present:
checking for IceConnectionNumber in -lICE... yes
The binary usr/bin/dbus-launch is being linked to libICE and libSM if
the packages are available:
$ output/host/usr/bin/i586-buildroot-linux-uclibc-readelf -a
output/target/usr/bin/dbus-launch | grep NEEDED
0x00000001 (NEEDED) Shared library: [libdbus-1.so.3]
0x00000001 (NEEDED) Shared library: [libSM.so.6]
0x00000001 (NEEDED) Shared library: [libICE.so.6]
0x00000001 (NEEDED) Shared library: [libX11.so.6]
0x00000001 (NEEDED) Shared library: [libc.so.1]
To get a reproducable build add libSM as optional dependency to dbus,
libSM pulls in the dependency to libICE.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
[Thomas: remove S30dbus changes.]
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Reviewed-by: Samuel Martin <s.martin49@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
When systemd is used, /var/lib/dbus becomes dangling symlink, because
nobody does mkdir /tmp/dbus, so /var/lib/dbus/machine-id could not be
written. On SysVinit systems there is init script that creates
/tmp/dbus.
This patch preserves old behavior for SysVinit systems, and introduces
new one for systemd-booted systems: /var/lib/dbus is a persistent
directory, it holds symlink /var/lib/dbus/machine-id -> /etc/machine-id
as machine-id(5) suggests, and /etc/machine-id is managed by systemd.
Signed-off-by: Maxim Mikityanskiy <maxtram95@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes CVE-2014-8148 - If a system service installs unsafe security
policy rules that allow arbitrary method calls then this prevents memory
consumption and possible privilege escalation via
UpdateActivationEnvironment.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
