Format: 1.8
Date: Sun, 09 Jun 2019 22:42:06 +0100
Source: dbus
Binary: dbus dbus-1-dbg dbus-1-doc dbus-tests dbus-udeb dbus-user-session dbus-x11 libdbus-1-3 libdbus-1-3-udeb libdbus-1-dev
Architecture: i386
Version: 1.10.28-0+deb9u1
Distribution: stretch-security
Urgency: medium
Maintainer: i386 Build Daemon (x86-grnet-01)
Changed-By: Simon McVittie
Description:
 dbus       - simple interprocess messaging system (daemon and utilities)
 dbus-1-dbg - simple interprocess messaging system (debug symbols)
 dbus-1-doc - simple interprocess messaging system (documentation)
 dbus-tests - simple interprocess messaging system (test infrastructure)
 dbus-udeb  - simple interprocess messaging system (minimal runtime) (udeb)
 dbus-user-session - simple interprocess messaging system (systemd --user integration)
 dbus-x11   - simple interprocess messaging system (X11 deps)
 libdbus-1-3 - simple interprocess messaging system (library)
 libdbus-1-3-udeb - simple interprocess messaging system (minimal library) (udeb)
 libdbus-1-dev - simple interprocess messaging system (development headers)
Changes:
 dbus (1.10.28-0+deb9u1) stretch-security; urgency=medium
 .
   * New upstream stable release
     - CVE-2019-12749: Do not attempt to carry out DBUS_COOKIE_SHA1
       authentication for identities that differ from the user running the
       DBusServer. Previously, a local attacker could manipulate symbolic
       links in their own home directory to bypass authentication and
       connect to a DBusServer with elevated privileges. The standard
       system and session dbus-daemons in their default configuration were
       immune to this attack because they did not allow DBUS_COOKIE_SHA1,
       but third-party users of DBusServer such as Upstart could be
       vulnerable.
     - Prevent reading up to 3 bytes beyond the end of a truncated message.
       This could in principle be an information leak or denial of service
       on the system bus, but is not believed to be exploitable to crash
       the system bus or leak interesting information in practice.
     - Stop the dbus-daemon leaking memory (an error message) if delivering
       the message that triggered auto-activation is forbidden. This is
       technically a denial of service because the dbus-daemon will run out
       of memory eventually, but it's a very slow and noisy one, because all
       the rejected messages are also very likely to have been logged to the
       system log, and its scope is typically limited by the finite number
       of activatable services available.
     - Remove __attribute__((__malloc__)) attribute on dbus_realloc(), which
       does not meet the criteria for that attribute in gcc 4.7+,
       potentially leading to miscompilation.
     - Fix build with gcc 8 -Werror=cast-function-type
     - Fix warning from gcc 8 about suspicious use of strncpy() when
       populating struct sockaddr_un
     - Fix installation of Ducktype documentation with newer yelp-build
       versions
   * d/control: Update Vcs-Git, Vcs-Browser