-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Sun, 09 Jun 2019 22:42:06 +0100 Source: dbus Binary: dbus dbus-1-dbg dbus-1-doc dbus-tests dbus-udeb dbus-user-session dbus-x11 libdbus-1-3 libdbus-1-3-udeb libdbus-1-dev Architecture: source Version: 1.10.28-0+deb9u1 Distribution: stretch-security Urgency: medium Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org> Changed-By: Simon McVittie <smcv@debian.org> Description: dbus - simple interprocess messaging system (daemon and utilities) dbus-1-dbg - simple interprocess messaging system (debug symbols) dbus-1-doc - simple interprocess messaging system (documentation) dbus-tests - simple interprocess messaging system (test infrastructure) dbus-udeb - simple interprocess messaging system (minimal runtime) (udeb) dbus-user-session - simple interprocess messaging system (systemd --user integration) dbus-x11 - simple interprocess messaging system (X11 deps) libdbus-1-3 - simple interprocess messaging system (library) libdbus-1-3-udeb - simple interprocess messaging system (minimal library) (udeb) libdbus-1-dev - simple interprocess messaging system (development headers) Changes: dbus (1.10.28-0+deb9u1) stretch-security; urgency=medium . * New upstream stable release - CVE-2019-12749: Do not attempt to carry out DBUS_COOKIE_SHA1 authentication for identities that differ from the user running the DBusServer. Previously, a local attacker could manipulate symbolic links in their own home directory to bypass authentication and connect to a DBusServer with elevated privileges. The standard system and session dbus-daemons in their default configuration were immune to this attack because they did not allow DBUS_COOKIE_SHA1, but third-party users of DBusServer such as Upstart could be vulnerable. - Prevent reading up to 3 bytes beyond the end of a truncated message. This could in principle be an information leak or denial of service on the system bus, but is not believed to be exploitable to crash the system bus or leak interesting information in practice. - Stop the dbus-daemon leaking memory (an error message) if delivering the message that triggered auto-activation is forbidden. This is technically a denial of service because the dbus-daemon will run out of memory eventually, but it's a very slow and noisy one, because all the rejected messages are also very likely to have been logged to the system log, and its scope is typically limited by the finite number of activatable services available. - Remove __attribute__((__malloc__)) attribute on dbus_realloc(), which does not meet the criteria for that attribute in gcc 4.7+, potentially leading to miscompilation. - Fix build with gcc 8 -Werror=cast-function-type - Fix warning from gcc 8 about suspicious use of strncpy() when populating struct sockaddr_un - Fix installation of Ducktype documentation with newer yelp-build versions * d/control: Update Vcs-Git, Vcs-Browser Checksums-Sha1: 90601f09ea799f8f73742263a29223a50234d0fc 3345 dbus_1.10.28-0+deb9u1.dsc 3177c3f8e65629dd6be7b60002da80d6bf5366f4 1998830 dbus_1.10.28.orig.tar.gz 5a7d04e09c0c220b1d035d6a03dab96655cfdbee 833 dbus_1.10.28.orig.tar.gz.asc 88373bc62a77b94a24893399e62d5e44dea135c1 57500 dbus_1.10.28-0+deb9u1.debian.tar.xz f90bb1acac6c403a7ae9c472e49d653dd2309479 8031 dbus_1.10.28-0+deb9u1_source.buildinfo Checksums-Sha256: a4758356f5a71e87804f3b55e1f83f41c10b19ddb84595e322eeb2cd44cdb367 3345 dbus_1.10.28-0+deb9u1.dsc 63f5b1d57360be5c147ef561e67f8efdd9034e1f12b7aba41feb42b376324552 1998830 dbus_1.10.28.orig.tar.gz 5da985dafdf223b7f5e0c6e51c608fd7d87e681e0c1eccfa2970be2978c0bed9 833 dbus_1.10.28.orig.tar.gz.asc 83c883431ee58fbfd7dcae4c763baa904e14b835023edff0dd495270d56d59b3 57500 dbus_1.10.28-0+deb9u1.debian.tar.xz f6cf9cfa2d44a4759ab174a38c97808729c09e9c6c292cd1ee30484d8080c34f 8031 dbus_1.10.28-0+deb9u1_source.buildinfo Files: 38180eef98e7ca9f6c33e6b5742f087c 3345 admin optional dbus_1.10.28-0+deb9u1.dsc 9c853418bdc44df243e51aacfa6257c3 1998830 admin optional dbus_1.10.28.orig.tar.gz b51f95419107e9b0f52485498df5589e 833 admin optional dbus_1.10.28.orig.tar.gz.asc 5477e85465b0697f4ca759e8774280e0 57500 admin optional dbus_1.10.28-0+deb9u1.debian.tar.xz 620d351fbf97d418e600493f8981e0f1 8031 admin optional dbus_1.10.28-0+deb9u1_source.buildinfo -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEENuxaZEik9e95vv6Y4FrhR4+BTE8FAl0BQNkACgkQ4FrhR4+B TE/7/w//WmqVkiGJslULEoy9b45IF4d3OMCkO6ztAphi/S7d52W8+iRh/J/VRsJs 8ZJnpXC+xgBKei35+oj2XGUjyxtV8IR6qKh4lxgjIzQLDTUqrVxWboNDgXELrY59 KoSWV/E9lBlpsYBSFqFui/C1s7uPgID8RndQMhgHNEHmJLD1jhEzQKAEOZLemuWX A0kblQnCTb+OEhfn6FeaGGPB5BSbLoNgMkx0Lj1e0Gne5CFxgU4w5cDuCuFXZIQC PBR3PvwzhsW22HZW3i5qpjKLj++dzRpg4h5ACq55Pf/zyof7ZDtS2R4Ew+A3xADm ADQMNCw++LBvhI/Ij3LeZ57ltyHDioRjOz5sX6UEZ3/jtaNd5wSwgP1snJzFb2pI WVCP+B0n3t85F9um4daU0PEpIOyIcCDCFFXypxwXfF+mz9Fzyz+Y4KHk0M+uknk7 oxsM+hwrdIToOBJRIQBToGd1BNiJrrTRIZE+kC+PC2xBlswnzdcdHZW+CDDlDrC8 s/WIkVQY2XTf9/KgnB0/iJIjFAgIQCiSUhqu2KUd14L5o42YBA8IJMrzfw/7/b4o rF9QB664Y3lm85MJ5z23Wfog+aEI89dm5NTbZXFG9RxIBDKi4QmYr12Hd1kIo55m 2WUl5hIDmr6hFgrndcdqbOoGmK/8C8aK4c9yj8msEDYJHBmrEww= =XtYc -----END PGP SIGNATURE-----