01/14: gnu: dbus: Update to 1.12.16.

guix-commits

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

01/14: gnu: dbus: Update to 1.12.16.

From:	guix-commits
Subject:	01/14: gnu: dbus: Update to 1.12.16.
Date:	Thu, 20 Jun 2019 18:01:11 -0400 (EDT)

mbakke pushed a commit to branch core-updates
in repository guix.

commit a9a78d8bfbabcd306115684c99d3b2aa8fc75be8
Author: Marius Bakke <address@hidden>
Date:   Thu Jun 20 23:40:52 2019 +0200

    gnu: dbus: Update to 1.12.16.
    
    * gnu/packages/patches/dbus-CVE-2019-12749.patch: Delete file.
    * gnu/local.mk (dist_patch_DATA): Adjust accordingly.
    * gnu/packages/glib.scm (dbus): Update to 1.12.16.
    [replacement]: Remove.
    (dbus/fixed): Remove variable.
---
 gnu/local.mk                                   |   1 -
 gnu/packages/glib.scm                          |  13 +--
 gnu/packages/patches/dbus-CVE-2019-12749.patch | 116 -------------------------
 3 files changed, 2 insertions(+), 128 deletions(-)

diff --git a/gnu/local.mk b/gnu/local.mk
index 3be9c9d..42b34ab 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -740,7 +740,6 @@ dist_patch_DATA =                                           
\
   %D%/packages/patches/cursynth-wave-rand.patch                        \
   %D%/packages/patches/cvs-2017-12836.patch                    \
   %D%/packages/patches/dbus-helper-search-path.patch           \
-  %D%/packages/patches/dbus-CVE-2019-12749.patch               \
   %D%/packages/patches/dealii-mpi-deprecations.patch           \
   %D%/packages/patches/deja-dup-use-ref-keyword-for-iter.patch \
   %D%/packages/patches/dfu-programmer-fix-libusb.patch         \
diff --git a/gnu/packages/glib.scm b/gnu/packages/glib.scm
index d93a928..9fba231 100644
--- a/gnu/packages/glib.scm
+++ b/gnu/packages/glib.scm
@@ -82,8 +82,7 @@
 (define dbus
   (package
     (name "dbus")
-    (version "1.12.14")
-    (replacement dbus/fixed)
+    (version "1.12.16")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -91,7 +90,7 @@
                     version ".tar.gz"))
               (sha256
                (base32
-                "13aca7gzgl7z1dfdipfs23773w8n6z01d4rj5kmssv4gms8c5ya4"))
+                "107ckxaff1cv4q6kmfdi2fb1nlsv03312a7kf6lb4biglhpjv8jl"))
               (patches (search-patches "dbus-helper-search-path.patch"))))
     (build-system gnu-build-system)
     (arguments
@@ -157,14 +156,6 @@ or through unencrypted TCP/IP suitable for use behind a 
firewall with
 shared NFS home directories.")
     (license license:gpl2+)))                     ; or Academic Free License 
2.1
 
-(define dbus/fixed
-  (package
-    (inherit dbus)
-    (source (origin
-              (inherit (package-source dbus))
-              (patches (append (search-patches "dbus-CVE-2019-12749.patch")
-                               (origin-patches (package-source dbus))))))))
-
 (define glib
   (package
    (name "glib")
diff --git a/gnu/packages/patches/dbus-CVE-2019-12749.patch 
b/gnu/packages/patches/dbus-CVE-2019-12749.patch
deleted file mode 100644
index 12106f4..0000000
--- a/gnu/packages/patches/dbus-CVE-2019-12749.patch
+++ /dev/null
@@ -1,116 +0,0 @@
-From 47b1a4c41004bf494b87370987b222c934b19016 Mon Sep 17 00:00:00 2001
-From: Simon McVittie <address@hidden>
-Date: Thu, 30 May 2019 12:53:03 +0100
-Subject: [PATCH] auth: Reject DBUS_COOKIE_SHA1 for users other than the server
- owner
-
-The DBUS_COOKIE_SHA1 authentication mechanism aims to prove ownership
-of a shared home directory by having the server write a secret "cookie"
-into a .dbus-keyrings subdirectory of the desired identity's home
-directory with 0700 permissions, and having the client prove that it can
-read the cookie. This never actually worked for non-malicious clients in
-the case where server uid != client uid (unless the server and client
-both have privileges, such as Linux CAP_DAC_OVERRIDE or traditional
-Unix uid 0) because an unprivileged server would fail to write out the
-cookie, and an unprivileged client would be unable to read the resulting
-file owned by the server.
-
-Additionally, since dbus 1.7.10 we have checked that ~/.dbus-keyrings
-is owned by the uid of the server (a side-effect of a check added to
-harden our use of XDG_RUNTIME_DIR), further ruling out successful use
-by a non-malicious client with a uid differing from the server's.
-
-Joe Vennix of Apple Information Security discovered that the
-implementation of DBUS_COOKIE_SHA1 was susceptible to a symbolic link
-attack: a malicious client with write access to its own home directory
-could manipulate a ~/.dbus-keyrings symlink to cause the DBusServer to
-read and write in unintended locations. In the worst case this could
-result in the DBusServer reusing a cookie that is known to the
-malicious client, and treating that cookie as evidence that a subsequent
-client connection came from an attacker-chosen uid, allowing
-authentication bypass.
-
-This is mitigated by the fact that by default, the well-known system
-dbus-daemon (since 2003) and the well-known session dbus-daemon (in
-stable releases since dbus 1.10.0 in 2015) only accept the EXTERNAL
-authentication mechanism, and as a result will reject DBUS_COOKIE_SHA1
-at an early stage, before manipulating cookies. As a result, this
-vulnerability only applies to:
-
-* system or session dbus-daemons with non-standard configuration
-* third-party dbus-daemon invocations such as at-spi2-core (although
-  in practice at-spi2-core also only accepts EXTERNAL by default)
-* third-party uses of DBusServer such as the one in Upstart
-
-Avoiding symlink attacks in a portable way is difficult, because APIs
-like openat() and Linux /proc/self/fd are not universally available.
-However, because DBUS_COOKIE_SHA1 already doesn't work in practice for
-a non-matching uid, we can solve this vulnerability in an easier way
-without regressions, by rejecting it early (before looking at
-~/.dbus-keyrings) whenever the requested identity doesn't match the
-identity of the process hosting the DBusServer.
-
-Signed-off-by: Simon McVittie <address@hidden>
-Closes: https://gitlab.freedesktop.org/dbus/dbus/issues/269
-Closes: CVE-2019-12749
----
- dbus/dbus-auth.c | 32 ++++++++++++++++++++++++++++++++
- 1 file changed, 32 insertions(+)
-
-diff --git a/dbus/dbus-auth.c b/dbus/dbus-auth.c
-index 37d8d4c9..7390a9d5 100644
---- a/dbus/dbus-auth.c
-+++ b/dbus/dbus-auth.c
-@@ -529,6 +529,7 @@ sha1_handle_first_client_response (DBusAuth         *auth,
-   DBusString tmp2;
-   dbus_bool_t retval = FALSE;
-   DBusError error = DBUS_ERROR_INIT;
-+  DBusCredentials *myself = NULL;
- 
-   _dbus_string_set_length (&auth->challenge, 0);
-   
-@@ -565,6 +566,34 @@ sha1_handle_first_client_response (DBusAuth         *auth,
-       return FALSE;
-     }
- 
-+  myself = _dbus_credentials_new_from_current_process ();
-+
-+  if (myself == NULL)
-+    goto out;
-+
-+  if (!_dbus_credentials_same_user (myself, auth->desired_identity))
-+    {
-+      /*
-+       * DBUS_COOKIE_SHA1 is not suitable for authenticating that the
-+       * client is anyone other than the user owning the process
-+       * containing the DBusServer: we probably aren't allowed to write
-+       * to other users' home directories. Even if we can (for example
-+       * uid 0 on traditional Unix or CAP_DAC_OVERRIDE on Linux), we
-+       * must not, because the other user controls their home directory,
-+       * and could carry out symlink attacks to make us read from or
-+       * write to unintended locations. It's difficult to avoid symlink
-+       * attacks in a portable way, so we just don't try. This isn't a
-+       * regression, because DBUS_COOKIE_SHA1 never worked for other
-+       * users anyway.
-+       */
-+      _dbus_verbose ("%s: client tried to authenticate as \"%s\", "
-+                     "but that doesn't match this process",
-+                     DBUS_AUTH_NAME (auth),
-+                     _dbus_string_get_const_data (data));
-+      retval = send_rejected (auth);
-+      goto out;
-+    }
-+
-   /* we cache the keyring for speed, so here we drop it if it's the
-    * wrong one. FIXME caching the keyring here is useless since we use
-    * a different DBusAuth for every connection.
-@@ -679,6 +708,9 @@ sha1_handle_first_client_response (DBusAuth         *auth,
-   _dbus_string_zero (&tmp2);
-   _dbus_string_free (&tmp2);
- 
-+  if (myself != NULL)
-+    _dbus_credentials_unref (myself);
-+
-   return retval;
- }
-

[Prev in Thread]

Current Thread

[Next in Thread]

14/14: gnu: python: Allow building on low-memory systems., (continued)
- 14/14: gnu: python: Allow building on low-memory systems., guix-commits, 2019/06/20
- 09/14: gnu: isl: Fix fallback URL., guix-commits, 2019/06/20
- 04/14: gnu: libx11: Update to 1.6.8., guix-commits, 2019/06/20
- 11/14: gnu: libxi: Update to 1.7.10., guix-commits, 2019/06/20
- 10/14: gnu: isl: Update to 0.21., guix-commits, 2019/06/20
- 05/14: gnu: util-linux: Update to 2.34., guix-commits, 2019/06/20
- 06/14: gnu: meson: Update to 0.51.0., guix-commits, 2019/06/20
- 12/14: gnu: xorgproto: Update to 2019.1., guix-commits, 2019/06/20
- 08/14: gnu: ncurses: Update to 6.1-20190909., guix-commits, 2019/06/20
- 07/14: gnu: commencement: Return #t from all phases., guix-commits, 2019/06/20
- 01/14: gnu: dbus: Update to 1.12.16., guix-commits <=
- 02/14: packages: Retain version in file name when repacking source checkouts., guix-commits, 2019/06/20
- 03/14: gnu: Replace uses of 'cmake' with 'cmake-minimal'., guix-commits, 2019/06/20

Prev by Date: 07/14: gnu: commencement: Return #t from all phases.
Next by Date: branch core-updates updated (6cb1ef9 -> e7041c8)
Previous by thread: 07/14: gnu: commencement: Return #t from all phases.
Next by thread: 02/14: packages: Retain version in file name when repacking source checkouts.
Index(es):
- Date
- Thread