diff --git a/dbus -1.12.20 Changelog b/dbus-1.12.20-Changelog similarity index 97% rename from dbus -1.12.20 Changelog rename to dbus-1.12.20-Changelog index 6247e1f50708c9c16587fb0682dd029c8ee1c660..36617359d2d38646da37df1ee7051bc24ef5b4d7 100644 --- a/dbus -1.12.20 Changelog +++ b/dbus-1.12.20-Changelog 
@@ -1,80 +1,80 @@ -dbus 1.12.20 (2020-07-02) -========================= - -The “temporary nemesis” release. - -Maybe security fixes: - -• On Unix, avoid a use-after-free if two usernames have the same - numeric uid. In older versions this could lead to a crash (denial of - service) or other undefined behaviour, possibly including incorrect - authorization decisions if is used. - Like Unix filesystems, D-Bus' model of identity cannot distinguish - between users of different names with the same numeric uid, so this - configuration is not advisable on systems where D-Bus will be used. - Thanks to Daniel Onaca. - (dbus#305, dbus!166; Simon McVittie) - -Other fixes: - -• On Solaris and its derivatives, if a cmsg header is truncated, ensure - that we do not overrun the buffer used for fd-passing, even if the - kernel tells us to. - (dbus#304, dbus!165; Andy Fiddaman) - -dbus 1.12.18 (2020-06-02) -========================= - -The “telepathic vines” release. - -Denial of service fixes: - -• CVE-2020-12049: If a message contains more file descriptors than can - be sent, close those that did get through before reporting error. - Previously, a local attacker could cause the system dbus-daemon (or - another system service with its own DBusServer) to run out of file - descriptors, by repeatedly connecting to the server and sending fds that - would get leaked. - Thanks to Kevin Backhouse of GitHub Security Lab. 
- (dbus#294, GHSL-2020-057; Simon McVittie) - -Other fixes: - -• Fix a crash when the dbus-daemon is terminated while one or more - monitors are active (dbus#291, dbus!140; Simon McVittie) - -• The dbus-send(1) man page now documents --bus and --peer instead of - the old --address synonym for --peer, which has been deprecated since - the introduction of --bus and --peer in 1.7.6 - (fd.o #48816, dbus!115; Chris Morin) - -• Fix a wrong environment variable name in dbus-daemon(1) - (dbus#275, dbus!122; Mubin, Philip Withnall) - -• Fix formatting of dbus_message_append_args example - (dbus!126, Felipe Franciosi) - -• Avoid a test failure on Linux when built in a container as uid 0, but - without the necessary privileges to increase resource limits - (dbus!58, Debian #908092; Simon McVittie) - -• When building with CMake, cope with libX11 in a non-standard location - (dbus!129, Tuomo Rinne) - -dbus 1.12.16 (2019-06-11) -========================= - -The “tree cat” release. - -Security fixes: - -• CVE-2019-12749: Do not attempt to carry out DBUS_COOKIE_SHA1 - authentication for identities that differ from the user running the - DBusServer. Previously, a local attacker could manipulate symbolic - links in their own home directory to bypass authentication and connect - to a DBusServer with elevated privileges. The standard system and - session dbus-daemons in their default configuration were immune to this - attack because they did not allow DBUS_COOKIE_SHA1, but third-party - users of DBusServer such as Upstart could be vulnerable. - Thanks to Joe Vennix of Apple Information Security. +dbus 1.12.20 (2020-07-02) +========================= + +The “temporary nemesis” release. + +Maybe security fixes: + +• On Unix, avoid a use-after-free if two usernames have the same + numeric uid. In older versions this could lead to a crash (denial of + service) or other undefined behaviour, possibly including incorrect + authorization decisions if is used. 
+ Like Unix filesystems, D-Bus' model of identity cannot distinguish + between users of different names with the same numeric uid, so this + configuration is not advisable on systems where D-Bus will be used. + Thanks to Daniel Onaca. + (dbus#305, dbus!166; Simon McVittie) + +Other fixes: + +• On Solaris and its derivatives, if a cmsg header is truncated, ensure + that we do not overrun the buffer used for fd-passing, even if the + kernel tells us to. + (dbus#304, dbus!165; Andy Fiddaman) + +dbus 1.12.18 (2020-06-02) +========================= + +The “telepathic vines” release. + +Denial of service fixes: + +• CVE-2020-12049: If a message contains more file descriptors than can + be sent, close those that did get through before reporting error. + Previously, a local attacker could cause the system dbus-daemon (or + another system service with its own DBusServer) to run out of file + descriptors, by repeatedly connecting to the server and sending fds that + would get leaked. + Thanks to Kevin Backhouse of GitHub Security Lab. 
+ (dbus#294, GHSL-2020-057; Simon McVittie) + +Other fixes: + +• Fix a crash when the dbus-daemon is terminated while one or more + monitors are active (dbus#291, dbus!140; Simon McVittie) + +• The dbus-send(1) man page now documents --bus and --peer instead of + the old --address synonym for --peer, which has been deprecated since + the introduction of --bus and --peer in 1.7.6 + (fd.o #48816, dbus!115; Chris Morin) + +• Fix a wrong environment variable name in dbus-daemon(1) + (dbus#275, dbus!122; Mubin, Philip Withnall) + +• Fix formatting of dbus_message_append_args example + (dbus!126, Felipe Franciosi) + +• Avoid a test failure on Linux when built in a container as uid 0, but + without the necessary privileges to increase resource limits + (dbus!58, Debian #908092; Simon McVittie) + +• When building with CMake, cope with libX11 in a non-standard location + (dbus!129, Tuomo Rinne) + +dbus 1.12.16 (2019-06-11) +========================= + +The “tree cat” release. + +Security fixes: + +• CVE-2019-12749: Do not attempt to carry out DBUS_COOKIE_SHA1 + authentication for identities that differ from the user running the + DBusServer. Previously, a local attacker could manipulate symbolic + links in their own home directory to bypass authentication and connect + to a DBusServer with elevated privileges. The standard system and + session dbus-daemons in their default configuration were immune to this + attack because they did not allow DBUS_COOKIE_SHA1, but third-party + users of DBusServer such as Upstart could be vulnerable. + Thanks to Joe Vennix of Apple Information Security. (dbus#269, Simon McVittie) \ No newline at end of file diff --git a/dbus.spec b/dbus.spec index 3f5acb6f68a5738cc45659f384771d8b2f03b2ea..411057780cb41f70a175c50c1cea495bbf4f9b50 100644 --- a/dbus.spec +++ b/dbus.spec 
@@ -1,9 +1,9 @@ Name: dbus Epoch: 1 Version: 1.12.20 -Release: 2 +Release: 3 Summary: System Message Bus -License: AFLv2.1 or GPLv2+ +License: AFLv3.0 or GPLv2+ URL: http://www.freedesktop.org/Software/dbus/ Source0: https://dbus.freedesktop.org/releases/dbus/%{name}-%{version}.tar.gz Source1: 00-start-message-bus.sh @@ -120,8 +120,14 @@ make check %pre daemon # Add the "dbus" user and group -%{_sbindir}/groupadd -r dbus 2>/dev/null || : -%{_sbindir}/useradd -r -c 'D-Bus' -g dbus -s /sbin/nologin -d %{_localstatedir}/run/dbus dbus 2> /dev/null || : +getent group dbus > /dev/null || groupadd -f -g 81 -r dbus +if ! getent passwd dbus > /dev/null ; then + if ! getent passwd 81 > /dev/null ; then + useradd -r -u 81 -c 'D-Bus' -g dbus -s /sbin/nologin -d %{_localstatedir}/run/dbus dbus + else + useradd -r -g dbus -c 'D-Bus' -s /sbin/nologin -d %{_localstatedir}/run/dbus dbus + fi +fi %preun daemon %systemd_preun dbus.service dbus.socket @@ -215,6 +221,9 @@ make check %exclude %{_pkgdocdir}/README %changelog +* Tue Mar 16 2021 Anakin Zhang - 1:1.12.20-3 +- change dbus group ID to 81 + * Tue Nov 13 2020 xielh2000 - 1:1.12.20-2 - Add from 1.12.16 to 1.12.20 of changelog and README.en
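Review bot: In the dbus-1.12.20-Changelog hunk (@@ -1,80 +1,80 @@), all 80 lines are removed and re-added with text that is identical on the old and new sides, so this is more than the rename from `dbus -1.12.20 Changelog` (a filename with an embedded space) to `dbus-1.12.20-Changelog`; whatever actually differs (line endings, trailing whitespace, the `\ No newline at end of file` marker on the new side) should be named in the commit, or the rename done without content churn so the file's history stays followable. Also, the sentence `possibly including incorrect authorization decisions if is used.` is missing a word in both the old and new text (it reads like stripped markup); since this file is meant to be a copy of the upstream 1.12.20 NEWS, please compare it against the upstream text before re-committing it.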
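Review bot: In the first dbus.spec hunk (@@ -1,9 +1,9 @@), the change `-License: AFLv2.1 or GPLv2+` / `+License: AFLv3.0 or GPLv2+` is not mentioned in the %changelog entry for 1:1.12.20-3, which only says `- change dbus group ID to 81`. A License tag change needs its own justification against the COPYING file in the 1.12.20 tarball; upstream dbus is offered under the Academic Free License 2.1 or GPL-2.0-or-later, so unless the tarball's COPYING really says version 3.0 this looks like an unintended edit and should be reverted or documented.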
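Review bot: In the `%pre daemon` hunk (@@ -120,8 +120,14 @@), `groupadd -f -g 81 -r dbus` does not guarantee GID 81: with `-f`, when the requested GID is already taken groupadd silently allocates a different free GID instead of failing, so the fixed id this change exists to provide is best-effort, and unlike the passwd branch there is no `getent group 81` check to notice the collision. Consider testing `getent group 81` first and falling back explicitly, mirroring the uid logic, or dropping `-f` so the collision is visible. The `getent passwd 81` guard before `useradd -r -u 81` is the right shape: it avoids creating a second account with an already-used uid, which is exactly the condition the 1.12.20 changelog entry above describes as leading to a use-after-free and possibly incorrect authorization decisions. Two smaller points: the old lines ended in `|| :`, so a failing groupadd/useradd was ignored, whereas the new lines have no error handling and a failure now aborts the %pre scriptlet and the install; that may well be intended, but it is a behaviour change worth a line in the changelog. The new lines also call `groupadd`/`useradd` by bare name instead of `%{_sbindir}/groupadd` as before, so they depend on the scriptlet's PATH.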
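Review bot: In the %changelog hunk (@@ -215,6 +221,9 @@), the entry `- change dbus group ID to 81` under-describes the commit: the same change also pins the dbus uid to 81 (with a fallback when that uid is taken), rewrites the user/group creation in %pre without the previous `|| :` error suppression, and edits the License tag; each should be listed so the spec history explains them. Minor and pre-existing: the context line `* Tue Nov 13 2020 xielh2000 - 1:1.12.20-2` carries a wrong weekday (13 November 2020 was a Friday), which rpmbuild flags as a bogus date in %changelog.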