Upstream issued an advisory today (May 14): http://openwall.com/lists/oss-security/2015/05/14/4
They called it a security hardening, and not quite a vulnerability fix. The fix is in 1.8.18. I'll leave it up to you Thomas as to whether you want to update this.
Whiteboard: (none) => MGA5TOO
As it's a hardening and not a real security issue (at least currently known) I probably won't push it to mga5 since the fallout of it is not known yet... As soon as cauldron re-opens I will push it there and watch the fallout... if nothing pops up I will maybe re-consider it then...
Ok, I leave MGA5TOO in the whiteboard for now, just in case.
Hardware: i586 => All
Ok, this has been running for 2 weeks on my systems, and one week in cauldron with no visible regressions AFAIK, so assigning to QA.

SRPM:
dbus-1.8.20-1.mga5.src.rpm

i586:
dbus-1.8.20-1.mga5.i586.rpm
dbus-doc-1.8.20-1.mga5.noarch.rpm
dbus-x11-1.8.20-1.mga5.i586.rpm
libdbus1_3-1.8.20-1.mga5.i586.rpm
libdbus-devel-1.8.20-1.mga5.i586.rpm

x86_64:
dbus-1.8.20-1.mga5.x86_64.rpm
dbus-doc-1.8.20-1.mga5.noarch.rpm
dbus-x11-1.8.20-1.mga5.x86_64.rpm
lib64dbus1_3-1.8.20-1.mga5.x86_64.rpm
lib64dbus-devel-1.8.20-1.mga5.x86_64.rpm

Advisory:

Updated dbus packages provide security hardening and fix some bugs.

Security hardening:

On Unix platforms, change the default configuration for the session bus to only allow EXTERNAL authentication (secure kernel-mediated credentials-passing), as was already done for the system bus. This avoids falling back to DBUS_COOKIE_SHA1, which relies on strongly unpredictable pseudo-random numbers; under certain circumstances (/dev/urandom unreadable or malloc() returns NULL), dbus could fall back to using rand(), which does not have the desired unpredictability. The fallback to rand() has not been changed in this stable branch since the necessary code changes for correct error handling are rather intrusive.

If you are using D-Bus over the (unencrypted!) tcp: or nonce-tcp: transport, in conjunction with DBUS_COOKIE_SHA1 and a shared home directory using NFS or similar, you will need to reconfigure the session bus to accept DBUS_COOKIE_SHA1 by commenting out the <auth> element. This configuration is not recommended.
Other fixes:
- Fix a memory leak when GetConnectionCredentials() succeeds (fd.o #91008, Jacek Bukarewicz)
- Ensure that dbus-monitor does not reply to messages intended for others (fd.o #90952, Simon McVittie)
- Add locking to DBusCounter's reference count and notify function (fd.o #89297, Adrian Szyndela)
- Ensure that DBusTransport's reference count is protected by the corresponding DBusConnection's lock (fd.o #90312, Adrian Szyndela)
- Correctly release DBusServer mutex before early-return if we run out of memory while copying authentication mechanisms (fd.o #90021, Ralf Habacker)
- Correctly initialize all fields of DBusTypeReader (fd.o #90021; Ralf Habacker, Simon McVittie)
- Clean up some memory leaks in test code (fd.o #90021, Ralf Habacker)

References:
- https://bugs.mageia.org/show_bug.cgi?id=15937
- http://cgit.freedesktop.org/dbus/dbus/plain/NEWS?h=dbus-1.8
- https://bugs.freedesktop.org/show_bug.cgi?id=89297
- https://bugs.freedesktop.org/show_bug.cgi?id=90021
- https://bugs.freedesktop.org/show_bug.cgi?id=90312
- https://bugs.freedesktop.org/show_bug.cgi?id=90414
- https://bugs.freedesktop.org/show_bug.cgi?id=90952
- https://bugs.freedesktop.org/show_bug.cgi?id=91008
Assignee: tmb => qa-bugs
Whiteboard: MGA5TOO => (none)
Summary: dbus security hardening in 1.8.18 => dbus security hardening in 1.8.18 + fixes in 1.8.20
Version: Cauldron => 5
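A quick way to check whether a given bus configuration actually carries the hardening described in the advisory above, as an added example that is not part of this bug report or of the dbus project: it parses a busconfig file with Python's ElementTree and reports the permitted <auth> mechanisms and any tcp: or nonce-tcp: listeners, flagging the two cases the advisory discusses (no <auth> element, so DBUS_COOKIE_SHA1 remains a fallback; and EXTERNAL-only authentication on a TCP listener, which cannot pass kernel credentials). The three configuration strings are constructed for illustration and are not the shipped session.conf; the reading that an absent <auth> element permits every known mechanism follows the dbus-daemon(1) description of that element.

```python
"""Audit a D-Bus busconfig file for the session-bus auth hardening."""
import xml.etree.ElementTree as ET

DOCTYPE = ('<!DOCTYPE busconfig PUBLIC '
           '"-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN" '
           '"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">\n')

# Constructed sample: the pre-hardening shape. With no <auth> element every
# known mechanism is permitted, so a client may fall back to DBUS_COOKIE_SHA1.
WEAK_SESSION_CONF = DOCTYPE + """<busconfig>
  <type>session</type>
  <listen>unix:tmpdir=/tmp</listen>
</busconfig>
"""

# Constructed sample: the hardened shape described in the advisory, where only
# EXTERNAL (kernel-mediated credentials passing) is accepted.
HARDENED_SESSION_CONF = DOCTYPE + """<busconfig>
  <type>session</type>
  <listen>unix:tmpdir=/tmp</listen>
  <auth>EXTERNAL</auth>
</busconfig>
"""

# Constructed sample: the combination the advisory warns about. EXTERNAL needs
# credentials passing over a Unix socket, which a TCP listener cannot provide.
TCP_SESSION_CONF = DOCTYPE + """<busconfig>
  <type>session</type>
  <listen>tcp:host=localhost,port=12345</listen>
  <auth>EXTERNAL</auth>
</busconfig>
"""


def audit_bus_config(xml_text: str) -> dict:
    """Return the auth mechanisms, listeners and findings for one busconfig."""
    root = ET.fromstring(xml_text)
    if root.tag != "busconfig":
        raise ValueError("not a D-Bus busconfig document")

    # An absent <auth> element means "all known mechanisms"; we record None.
    auth = [e.text.strip() for e in root.findall("auth")
            if e.text and e.text.strip()] or None
    listens = [e.text.strip() for e in root.findall("listen")
               if e.text and e.text.strip()]
    tcp = [addr for addr in listens if addr.startswith(("tcp:", "nonce-tcp:"))]

    findings = []
    if auth is None:
        findings.append("no <auth> element: every known mechanism is permitted, "
                        "so the bus can fall back to DBUS_COOKIE_SHA1")
    elif "DBUS_COOKIE_SHA1" in auth:
        findings.append("DBUS_COOKIE_SHA1 is explicitly permitted")
    if tcp:
        findings.append("unencrypted TCP transport configured: " + ", ".join(tcp))
        if auth == ["EXTERNAL"]:
            findings.append("EXTERNAL is the only mechanism, but TCP cannot pass "
                            "kernel credentials; clients on that listener cannot "
                            "authenticate")

    # "hardened" means exactly what the advisory ships: EXTERNAL only, no TCP.
    return {
        "auth": auth,
        "listens": listens,
        "findings": findings,
        "hardened": auth == ["EXTERNAL"] and not tcp,
    }


def audit_file(path: str) -> dict:
    """Audit an on-disk config such as /etc/dbus-1/session.conf (path is yours)."""
    with open(path, encoding="utf-8") as fh:
        return audit_bus_config(fh.read())


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_SESSION_CONF),
                       ("hardened", HARDENED_SESSION_CONF),
                       ("tcp", TCP_SESSION_CONF)):
        report = audit_bus_config(conf)
        print(f"{name}: auth={report['auth']} hardened={report['hardened']}")
        for finding in report["findings"]:
            print("  -", finding)
```

Run it against /etc/dbus-1/session.conf with audit_file() to see whether the installed package still lacks the <auth> element; note that the audit reads a single file and does not follow <include> or <includedir> elements, so a mechanism re-enabled from session.d would not be seen.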
Any particular tests that would be good to run? I've rebooted with this and nothing blew up :o) I believe polkit things use dbus to communicate, and running drakconf as a normal user worked fine.
MGA5-64 on HP Probook 6555b KDE No installation issues. Rebooted and found no adverse effects as per Comment 4
CC: (none) => herman.viaene
(In reply to Herman Viaene from comment #5)
> MGA5-64 on HP Probook 6555b KDE
> No installation issues.
> Rebooted and found no adverse effects as per Comment 4

Same here on MGA5-x86-64: I also have an Acer Aspire 5738DZG laptop with the following specs: Intel Pentium(R) Dual-Core CPU T4300 @ 2.10GHz. (x86-64). ATI Mobility Radeon™ HD 4570 (r700) 15.6″ 3D HD LCD Screen. 3 GB Memory 320 GB Hard Disk Drive. “DVD Super Multi DL drive” Acer Nplify™ 802.11b/g/n.
CC: (none) => shlomif
Whiteboard: (none) => advisory
CC: (none) => davidwhodgins
Testing on mga5-32

Installed packages from testing:
$ rpm -q dbus dbus-doc dbus-x11 libdbus1_3
dbus-1.8.20-1.mga5
dbus-doc-1.8.20-1.mga5
dbus-x11-1.8.20-1.mga5
libdbus1_3-1.8.20-1.mga5

System rebooted normally
MCC is accessible from the panel icon
No problems noted

OK for mga5-32

Kernel: 4.1.8-server-1.mga5 i686 (32 bit)
Desktop: KDE 4.14.5
Mobo: ECS model: GeForce7050M-M v: 1.0
CPU: Quad core AMD Phenom 9500 (-MCP-)
Testing on mga5-64

Installed packages from testing:
$ rpm -q dbus dbus-doc dbus-x11 lib64dbus1_3
dbus-1.8.20-1.mga5
dbus-doc-1.8.20-1.mga5
dbus-x11-1.8.20-1.mga5
lib64dbus1_3-1.8.20-1.mga5

System rebooted normally
MCC is accessible from the panel icon
No problems noted

OK for mga5-64

Kernel: 4.1.8-desktop-1.mga5 x86_64 (64 bit)
Desktop: KDE 4.14.5
System: Hewlett-Packard product: CQ2925EA v: 1.00
Mobo: PEGATRON model: 2AE2 v: 1.02
CPU: Dual core Intel Pentium G645T (-MCP-)
Testing on mga5-64

Installed packages from testing:
$ rpm -q dbus dbus-doc dbus-x11 lib64dbus1_3
dbus-1.8.20-1.mga5
dbus-doc-1.8.20-1.mga5
dbus-x11-1.8.20-1.mga5
lib64dbus1_3-1.8.20-1.mga5

System re-booted normally
MCC is accessible from the menu
No problems noted

OK for mga5-64

Kernel: 4.1.8-desktop-1.mga5 x86_64 (64 bit)
Desktop: Gnome 3.14.3
Mobo: ECS model: GeForce7050M-M v: 1.0
CPU: Quad core AMD Phenom 9500 (-MCP-)
Testing Mageia5 x64 real hardware. Kernel 4.1.8-desktop-1.mga5, XFCE desktop.

dbus-1.8.20-1.mga5
dbus-x11-1.8.20-1.mga5
lib64dbus1_3-1.8.20-1.mga5

Several re-boots without problem. All ways of opening Mageia Control Centre work, with the root password prompt:
- Taskbar icon
- Menu
- $ mcc
- $ drakconf

OK for me. In the light of earlier Comments 3-9, all favourable but mostly for x64, I am OKing this for x64. Another confirmation would be nice for x32.
CC: (none) => lewyssmith
Whiteboard: advisory => advisory MGA5-64-OK
MGA5-32 on Acer D620 Xfce No installation issues. Rebooted twice and each time tested as per Comment 10, no problems found.
Whiteboard: advisory MGA5-64-OK => advisory MGA5-64-OK MGA5-32-OK
Validating this update
Keywords: (none) => validated_update
CC: (none) => wilcal.int, sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0405.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/662064/