kumquat-buildroot/package/dbus
Fabrice Fontaine 29586aed96 package/dbus: security bump to version 1.12.24
Denial of service fixes:

Evgeny Vereshchagin discovered several ways in which an authenticated
local attacker could cause a crash (denial of service) in
dbus-daemon --system or a custom DBusServer. In uncommon configurations
these could potentially be carried out by an authenticated remote
attacker.

• An invalid array of fixed-length elements where the length of the
  array is not a multiple of the length of the element would cause an
  assertion failure in debug builds or an out-of-bounds read in
  production builds. This was a regression in version 1.3.0.
  (dbus#413, CVE-2022-42011; Simon McVittie)

• A syntactically invalid type signature with incorrectly nested
  parentheses and curly brackets would cause an assertion failure in
  debug builds. Similar messages could potentially result in a crash or
  incorrect message processing in a production build, although we are
  not aware of a practical example. (dbus#418, CVE-2022-42010;
  Simon McVittie)

• A message in non-native endianness with out-of-band Unix file
  descriptors would cause a use-after-free and possible memory
  corruption in production builds, or an assertion failure in debug
  builds. This was a regression in version 1.3.0. (dbus#417,
  CVE-2022-42012; Simon McVittie)

https://gitlab.freedesktop.org/dbus/dbus/-/blob/dbus-1.12.24/NEWS

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2022-10-15 17:39:49 +02:00
..
Config.in
dbus.hash
dbus.mk
S30dbus