[Pkg-utopia-maintainers] Bug#1037194: bookworm-pu: package dbus/1.14.8-1~deb12u1
Simon McVittie
smcv at debian.org
Wed Jun 7 14:11:05 BST 2023
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org at packages.debian.org
Usertags: pu
X-Debbugs-Cc: dbus at packages.debian.org, debian-boot at lists.debian.org
Control: affects -1 + src:dbus
[ Reason ]
Fix a local denial of service for which the security team does not intend
to do a DSA (dbus#457, #1037151; CVE assignment pending).
[ Impact ]
While a sysadmin is using `dbus-monitor --system` or similar tools,
an unprivileged local user can cause denial of service by crashing the
`dbus-daemon --system`.
The new upstream release also fixes some smaller bugs:
- minor memory leaks if malloc() returns NULL
- interop with non-Debian compilers
- a documentation typo
The packaging also makes dbus-daemon and dbus-bin correctly Multi-Arch:
foreign, like the larger dbus package already was, which is useful in
some cross-compiling scenarios (#1033056). I can revert this if you want,
but it seems like a low-risk and useful change to sneak into 12.1.
[ Tests ]
Build-time tests and autopkgtests pass. There is new test coverage for the
denial of service, which was able to reproduce the bug. I also smoke-tested
this on a GNOME virtual machine, and I'll be uploading to unstable to get
wider user testing as soon as the trixie cycle opens.
I avoided uploading to unstable right now because one of dbus' udebs
is included in the installer - although as far as I can see, it's only
an enabler for a feature that never happened (a11y in the graphical
installer), and isn't actually practically useful.
[ Risks ]
It's a key package, so any regressions would be highly visible.
Technically dbus has udebs, although as noted above they are not directly
useful for anything.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
- the debdiff is for what I'll upload to unstable; for bookworm
it'll get a new 1.14.8-1~deb12u1 changelog entry at the top
[ ] the issue is verified as fixed in unstable
- intentionally not done yet due to the full freeze
[ Changes ]
d/control: let dbus-bin:amd64 satisfy Depends: dbus-bin from a non-amd64
package, and the same for dbus-daemon, to help with cross-compiling
bus/connection.c: fix the denial of service, #1037151
dbus/dbus-connection{.c,-internal.h}: enablers for #1037151
dbus/dbus-internals.h: interop with non-gcc compilers
dbus/dbus-*-win.c: interop with non-gcc compilers, not compiled on Debian
dbus/dbus-message.c: fix minor memory leaks if out-of-memory
doc/dbus-api-design.duck: fix a typo in some sample code, not functionally
significant
AUTHORS, NEWS, configure.ac: release administrivia
test/data, test/monitor.c: reproducer for the denial of service bug
[ Other info ]
I'm the de facto upstream release manager for dbus, and I intend to keep
1.14.x suitable for Debian security updates and stable point releases
throughout the non-LTS lifetime of Debian 12, the same as I did for
older branches for the last few years.
After the packaging in unstable diverges from what's appropriate for
stable, I'll do the stable updates as 1.14.x-0+deb12u1, similar to how
we handled 1.12.x in buster and bullseye.
Please let me know if any of the changes are considered inappropriate.
smcv
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dbus_1.14.6_1.14.8.diff
Type: text/x-diff
Size: 21217 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-utopia-maintainers/attachments/20230607/badbec20/attachment-0001.diff>