841c274200
Fixes the following security issues:
- CVE-2019-12749: Do not attempt to carry out DBUS_COOKIE_SHA1
authentication for identities that differ from the user running the
DBusServer. Previously, a local attacker could manipulate symbolic links
in their own home directory to bypass authentication and connect to a
DBusServer with elevated privileges. The standard system and session
dbus-daemons in their default configuration were immune to this attack
because they did not allow DBUS_COOKIE_SHA1, but third-party users of
DBusServer such as Upstart could be vulnerable. Thanks to Joe Vennix of
Apple Information Security.
For details, see the advisory:
https://www.openwall.com/lists/oss-security/2019/06/11/2
Also contains a number of other smaller fixes, including fixes for memory
leaks. For details, see NEWS:
https://gitlab.freedesktop.org/dbus/dbus/blob/dbus-1.12/NEWS
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 992b106d1d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
7 lines
367 B
Plaintext
7 lines
367 B
Plaintext
# Locally calculated after checking pgp signature
|
|
# https://dbus.freedesktop.org/releases/dbus/dbus-1.12.16.tar.gz.asc
|
|
# using key 36EC5A6448A4F5EF79BEFE98E05AE1478F814C4F
|
|
sha256 54a22d2fa42f2eb2a871f32811c6005b531b9613b1b93a0d269b05e7549fec80 dbus-1.12.16.tar.gz
|
|
# Locally calculated
|
|
sha256 0e46f54efb12d04ab5c33713bacd0e140c9a35b57ae29e03c853203266e8f3a1 COPYING
|