Bug 875518 (CVE-2022-42010, CVE-2022-42011, CVE-2022-42012) - <sys-apps/dbus-1.14.4: Multiple vulnerabilities
Summary: <sys-apps/dbus-1.14.4: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2022-42010, CVE-2022-42011, CVE-2022-42012
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa+]
Keywords:
Depends on: 875620 880047
Blocks:
Reported: 2022-10-05 19:07 UTC by Sam James
Modified: 2023-05-03 09:57 UTC

See Also:
Package list:
Runtime testing required: ---


Description: Sam James (archtester, Gentoo Infrastructure, gentoo-dev, Security), 2022-10-05 19:07:50 UTC
From 1.14.4 release notes (https://lists.freedesktop.org/archives/ftp-release/2022-October/000777.html):

Denial of service fixes:

Evgeny Vereshchagin discovered several ways in which an authenticated
local attacker could cause a crash (denial of service) in
dbus-daemon --system or a custom DBusServer. In uncommon configurations
these could potentially be carried out by an authenticated remote attacker.

• An invalid array of fixed-length elements where the length of the array
 is not a multiple of the length of the element would cause an assertion
 failure in debug builds or an out-of-bounds read in production builds.
 This was a regression in version 1.3.0.
 (dbus#413, CVE-2022-42011; Simon McVittie)

• A syntactically invalid type signature with incorrectly nested parentheses
 and curly brackets would cause an assertion failure in debug builds.
 Similar messages could potentially result in a crash or incorrect message
 processing in a production build, although we are not aware of a practical
 example. (dbus#418, CVE-2022-42010; Simon McVittie)

• A message in non-native endianness with out-of-band Unix file descriptors
 would cause a use-after-free and possible memory corruption in production
 builds, or an assertion failure in debug builds. This was a regression in
 version 1.3.0. (dbus#417, CVE-2022-42012; Simon McVittie)
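As an added illustration of the first item above (the fixed-length-array check behind CVE-2022-42011), and not code from dbus itself: a standalone validator for a marshalled D-Bus array of fixed-size elements. It reads the array's byte length in the message's declared endianness, pads to the element alignment as the wire format requires, and rejects a length that is not a multiple of the element size before any element is read. The function name and the sample buffers are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>

/* Size in bytes of a D-Bus fixed-size basic type, per the D-Bus specification;
 * 0 means the type code does not denote a fixed-size element. */
static size_t dbus_fixed_size(char type_code) {
    switch (type_code) {
    case 'y':                               /* BYTE */
        return 1;
    case 'n': case 'q':                     /* INT16, UINT16 */
        return 2;
    case 'b': case 'i': case 'u': case 'h': /* BOOLEAN, INT32, UINT32, UNIX_FD */
        return 4;
    case 'x': case 't': case 'd':           /* INT64, UINT64, DOUBLE */
        return 8;
    default:
        return 0;
    }
}

/* Hypothetical validator (not libdbus's own): checks an array of fixed-size
 * elements starting at `offset` in a marshalled body. Wire layout is a
 * 4-aligned uint32 byte length, padding to the element alignment, then the
 * elements. Returns the element count, or -1 if the array is malformed.
 * The `len % elem_size` test is the check the release notes describe. */
static long validate_fixed_array(const uint8_t *buf, size_t buflen, size_t offset,
                                 char elem_type, int little_endian) {
    size_t elem_size = dbus_fixed_size(elem_type);
    if (elem_size == 0 || offset % 4 != 0 || buflen < offset || buflen - offset < 4)
        return -1;
    const uint8_t *p = buf + offset;
    uint32_t len = little_endian
        ? (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24
        : (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | (uint32_t)p[3];
    if (len > 67108864)                      /* spec maximum array length: 2^26 bytes */
        return -1;
    size_t data = offset + 4;
    data += (elem_size - data % elem_size) % elem_size;   /* pad to element alignment */
    if (data > buflen || buflen - data < len)             /* array must fit in the body */
        return -1;
    if (len % elem_size != 0)                /* length not a multiple of element size */
        return -1;
    return (long)(len / elem_size);
}

/* Constructed sample bodies. */
static const uint8_t sample_le_ok[]  = { 8,0,0,0, 1,0,0,0, 2,0,0,0 };  /* "ai", two elements */
static const uint8_t sample_le_bad[] = { 6,0,0,0, 1,0,0,0, 2,0,0,0 };  /* length 6 is not 4*k */
static const uint8_t sample_be_x[]   = { 0,0,0,8, 0,0,0,0, 0,0,0,0,0,0,0,1 }; /* big-endian "ax" */
static const uint8_t sample_be_bad[] = { 0,0,0,4, 0,0,0,0, 0,0,0,0,0,0,0,1 }; /* 4 bytes of INT64 */
```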
Comment 1: Sam James (archtester, Gentoo Infrastructure, gentoo-dev, Security), 2022-10-05 19:08:13 UTC
(On it.)
Comment 2: Larry the Git Cow (gentoo-dev), 2022-10-05 19:21:13 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=42b645e918ddd5fd999926bc8c0a417a9f8c3be4

commit 42b645e918ddd5fd999926bc8c0a417a9f8c3be4
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-10-05 19:15:56 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-10-05 19:20:33 +0000

    sys-apps/dbus: add 1.15.2
    
    Bug: https://bugs.gentoo.org/875518
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-apps/dbus/Manifest           |   1 +
 sys-apps/dbus/dbus-1.15.2.ebuild | 294 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 295 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e1fa38837253f0b617e96b68458ab3efbfaa693a

commit e1fa38837253f0b617e96b68458ab3efbfaa693a
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-10-05 19:13:37 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-10-05 19:20:32 +0000

    sys-apps/dbus: add 1.14.4
    
    Bug: https://bugs.gentoo.org/875518
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-apps/dbus/Manifest           |   1 +
 sys-apps/dbus/dbus-1.14.4.ebuild | 290 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 291 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=be9616872f947959db5449ad8aedd495c4d5ba6f

commit be9616872f947959db5449ad8aedd495c4d5ba6f
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-10-05 19:11:11 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-10-05 19:20:32 +0000

    sys-apps/dbus: drop 1.14.0-r7
    
    Bug: https://bugs.gentoo.org/875518
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-apps/dbus/dbus-1.14.0-r7.ebuild | 298 ------------------------------------
 1 file changed, 298 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4f6365bcf6b4a0d7804d169344cbae1b4292f1b2

commit 4f6365bcf6b4a0d7804d169344cbae1b4292f1b2
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-10-05 19:10:44 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-10-05 19:20:31 +0000

    sys-apps/dbus: drop 1.12.22-r2
    
    Bug: https://bugs.gentoo.org/875518
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-apps/dbus/Manifest               |   1 -
 sys-apps/dbus/dbus-1.12.22-r2.ebuild | 290 -----------------------------------
 2 files changed, 291 deletions(-)
Comment 3: Sam James (archtester, Gentoo Infrastructure, gentoo-dev, Security), 2022-11-08 20:47:28 UTC
Please cleanup.
Comment 4: Larry the Git Cow (gentoo-dev), 2022-11-08 21:03:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=781ba70f2dfac3bd2f5c2bb46e99e007120b40db

commit 781ba70f2dfac3bd2f5c2bb46e99e007120b40db
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2022-11-08 21:01:47 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2022-11-08 21:03:20 +0000

    sys-apps/dbus: drop 1.14.0-r4, 1.14.2, 1.14.4, 1.15.0-r1
    
    Bug: https://bugs.gentoo.org/875518
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 sys-apps/dbus/Manifest                             |   4 -
 sys-apps/dbus/dbus-1.14.0-r4.ebuild                | 292 --------------------
 sys-apps/dbus/dbus-1.14.2.ebuild                   | 290 --------------------
 sys-apps/dbus/dbus-1.14.4.ebuild                   | 290 --------------------
 sys-apps/dbus/dbus-1.15.0-r1.ebuild                | 294 ---------------------
 sys-apps/dbus/files/80-dbus                        |  13 -
 sys-apps/dbus/files/dbus-1.12.22-check-fd.patch    |  33 ---
 .../dbus/files/dbus-1.14.0-oom_score_adj.patch     | 115 --------
 .../dbus/files/dbus-1.14.0-x-autoconf-fixes.patch  | 147 -----------
 9 files changed, 1478 deletions(-)
Comment 5: John Helmert III (archtester, Gentoo Infrastructure, gentoo-dev, Security), 2022-11-22 16:40:14 UTC
GLSA request filed
Comment 6: Larry the Git Cow (gentoo-dev), 2023-05-03 09:54:29 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=e8a6fa90ab1db6938ef2fe3acd6468091589ae2d

commit e8a6fa90ab1db6938ef2fe3acd6468091589ae2d
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-03 09:52:25 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-05-03 09:54:22 +0000

    [ GLSA 202305-08 ] D-Bus: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/875518
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202305-08.xml | 44 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)