oss-sec mailing list archives
Announcing D-Bus 1.8.14
From: Simon McVittie <simon.mcvittie () collabora co uk>
Date: Mon, 05 Jan 2015 15:04:05 +0000
The “40lb of roofing nails” release. This is a bugfix release for the current stable branch, 1.8.x, adding security hardening to mitigate faulty third-party security policy files such as CVE-2014-8148. Please upgrade unless you have a reason to keep using an older branch. http://dbus.freedesktop.org/releases/dbus/dbus-1.8.14.tar.gz http://dbus.freedesktop.org/releases/dbus/dbus-1.8.14.tar.gz.asc git tag: dbus-1.8.14 git branch: dbus-1.8 Security hardening: • Do not allow calls to UpdateActivationEnvironment from uids other than the uid of the dbus-daemon. If a system service installs unsafe security policy rules that allow arbitrary method calls (such as CVE-2014-8148) then this prevents memory consumption and possible privilege escalation via UpdateActivationEnvironment. We believe that in practice, privilege escalation here is avoided by dbus-daemon-launch-helper sanitizing its environment; but it seems better to be safe. • Do not allow calls to UpdateActivationEnvironment or the Stats interface on object paths other than /org/freedesktop/DBus. Some system services install unsafe security policy rules that allow arbitrary method calls to any destination, method and interface with a specified object path; while less bad than allowing arbitrary method calls, these security policies are still harmful, since dbus-daemon normally offers the same API on all object paths and other system services might behave similarly. Other fixes: • Add missing initialization so GetExtendedTcpTable doesn't crash on Windows Vista SP0 (fd.o #77008, Илья А. Ткаченко) -- Simon McVittie, Collabora Ltd. / Debian
Current thread:
- Announcing D-Bus 1.8.14 Simon McVittie (Jan 05)