dbus 1.12.16 (2019-06-11)
=========================

The “tree cat” release.

Security fixes:

• CVE-2019-12749: Do not attempt to carry out DBUS_COOKIE_SHA1 authentication for identities that differ from the user running the DBusServer. Previously, a local attacker could manipulate symbolic links in their own home directory to bypass authentication and connect to a DBusServer with elevated privileges. The standard system and session dbus-daemons in their default configuration were immune to this attack because they did not allow DBUS_COOKIE_SHA1, but third-party users of DBusServer such as Upstart could be vulnerable. Thanks to Joe Vennix of Apple Information Security. (dbus#269, Simon McVittie)
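An added example, not part of the original bug report or of dbus itself: a small audit that reads dbus-daemon bus configuration XML and reports whether DBUS_COOKIE_SHA1 is permitted, the condition the release note says the default configurations avoided. The sample configurations are constructed, `<include>` directives are not followed, and it only covers dbus-daemon, not third-party DBusServer users, which choose their mechanisms in code.

```python
import xml.etree.ElementTree as ET

RISKY_MECHANISM = "DBUS_COOKIE_SHA1"

# Constructed sample configurations (not taken from any real system).
EXTERNAL_ONLY = """
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <type>system</type>
  <auth>EXTERNAL</auth>
</busconfig>
"""
NO_AUTH_ELEMENT = "<busconfig><type>session</type></busconfig>"
COOKIE_ENABLED = """
<busconfig>
  <auth>EXTERNAL</auth>
  <auth>DBUS_COOKIE_SHA1</auth>
</busconfig>
"""

def allowed_mechanisms(config_xml):
    """Return the set of mechanisms listed in <auth> elements, or None if none are listed."""
    root = ET.fromstring(config_xml.strip())
    mechs = {(el.text or "").strip() for el in root.iter("auth")}
    mechs.discard("")
    return mechs or None

def permits_cookie_sha1(config_xml):
    """True if this configuration lets clients use DBUS_COOKIE_SHA1."""
    mechs = allowed_mechanisms(config_xml)
    # dbus-daemon(1): with no <auth> element, all known mechanisms are allowed;
    # with several, every listed mechanism is allowed.
    return mechs is None or RISKY_MECHANISM in mechs

def audit(configs):
    """Map each named configuration to 'review' or 'ok'."""
    return {name: "review" if permits_cookie_sha1(xml) else "ok"
            for name, xml in configs.items()}

if __name__ == "__main__":
    samples = {"external-only": EXTERNAL_ONLY,
               "no-auth-element": NO_AUTH_ELEMENT,
               "cookie-enabled": COOKIE_ENABLED}
    for name, verdict in audit(samples).items():
        print(f"{name}: {verdict}")
```

A "review" result on a host still running a dbus older than 1.12.16 marks a bus where the upgrade matters most.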
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3f9ebc0d9df37658801b5f733f6865d7d49cebab

commit 3f9ebc0d9df37658801b5f733f6865d7d49cebab
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2019-06-12 07:29:39 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2019-06-12 07:30:13 +0000

    sys-apps/dbus: Security bump to version 1.12.16

    Bug: https://bugs.gentoo.org/687900
    Package-Manager: Portage-2.3.67, Repoman-2.3.14
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 sys-apps/dbus/Manifest            |   1 +
 sys-apps/dbus/dbus-1.12.16.ebuild | 286 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 287 insertions(+)
Arches, please stabilize...
sparc stable
amd64 stable
hppa stable
x86 stable
s390 stable
ia64 stable
ppc stable
ppc64 stable
alpha stable
arm64 stable
sh stable
arm stable
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=833afb297c0c28a7c8110ceb1c8d380e46700661

commit 833afb297c0c28a7c8110ceb1c8d380e46700661
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2019-07-28 11:22:37 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2019-07-28 11:23:32 +0000

    sys-apps/dbus: Security cleanup

    Bug: https://bugs.gentoo.org/687900
    Package-Manager: Portage-2.3.69, Repoman-2.3.16
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 sys-apps/dbus/Manifest               |   2 -
 sys-apps/dbus/dbus-1.12.12-r1.ebuild | 281 ----------------------------------
 sys-apps/dbus/dbus-1.12.12-r2.ebuild | 287 -----------------------------------
 sys-apps/dbus/dbus-1.12.14.ebuild    | 286 ----------------------------------
 4 files changed, 856 deletions(-)
This issue was resolved and addressed in GLSA 201909-08 at https://security.gentoo.org/glsa/201909-08 by GLSA coordinator Thomas Deutschmann (whissi).