A security issue fixed upstream in dbus has been announced today (October 10):
http://openwall.com/lists/oss-security/2016/10/10/9

I don't understand why our compiler flags didn't catch this one.

The issue is fixed in 1.10.12 and 1.8.22. A patch is also available.

It sounds like this is a very minor issue because we fixed CVE-2015-0245.
Whiteboard: (none) => MGA5TOO
Assigning to maintainer, but also CC'ing some dbus committers and pkg-bugs ml, because the maintainer might need his time for more urgent things.
CC: (none) => fundawang, marja11, pkg-bugs, thierry.vignaud
Assignee: bugsquad => tmb
Fedora has issued an advisory for this on October 13:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/YNEU3UPG7YBLXGQ4E4XVZ74PLHP4ZG56/
URL: (none) => http://lwn.net/Vulnerabilities/703606/
openSUSE has issued an advisory on March 27:
https://lists.opensuse.org/opensuse-updates/2017-03/msg00091.html

It fixes two additional security issues, already fixed in Cauldron in 1.10.16.
Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)
pushed in updates_testing:

src.rpm:
dbus-1.8.22-1.mga5
CC: (none) => mageia
pushed in updates_testing:

src.rpm:
dbus-1.8.22-1.1.mga5

this new version fixes comment #3
(In reply to Nicolas Lécureuil from comment #5)
> pushed in updates_testing:
>
> src.rpm:
> dbus-1.8.22-1.1.mga5
>
>
> this new version fixes comment #3

It didn't build. It looks like it needs an autoreconf -fi.
now it is :)
Assignee: tmb => qa-bugs
Advisory:
========================

Updated dbus packages fix security vulnerabilities:

A format string vulnerability in the reference bus implementation, dbus-daemon, could potentially allow local users to cause arbitrary code execution or denial of service.

Symlink attack in nonce-tcp transport (bsc#1025950).

Symlink attack in unit tests (bsc#1025951).

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/YNEU3UPG7YBLXGQ4E4XVZ74PLHP4ZG56/
https://lists.opensuse.org/opensuse-updates/2017-03/msg00091.html
========================

Updated packages in core/updates_testing:
========================
dbus-1.8.22-1.1.mga5
libdbus1_3-1.8.22-1.1.mga5
libdbus-devel-1.8.22-1.1.mga5
dbus-x11-1.8.22-1.1.mga5
dbus-doc-1.8.22-1.1.mga5

from dbus-1.8.22-1.1.mga5.src.rpm
In VirtualBox, M5.1, KDE, 32-bit

Package(s) under test:
dbus dbus-x11 libdbus1_3

default install of dbus dbus-x11 & libdbus1_3

[root@localhost wilcal]# urpmi dbus
Package dbus-1.8.20-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi dbus-x11
Package dbus-x11-1.8.20-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libdbus1_3
Package libdbus1_3-1.8.20-1.mga5.i586 is already installed

boot system
Boots back to a working desktop and common apps work

[root@localhost wilcal]# systemctl status dbus.service
● dbus.service - D-Bus System Message Bus
   Loaded: loaded (/usr/lib/systemd/system/dbus.service; static)
   Active: active (running) since Sat 2017-08-26 10:46:23 PDT; 5min ago
     Docs: man:dbus-daemon(1)
 Main PID: 765 (dbus-daemon)
   CGroup: /system.slice/dbus.service
           └─765 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation

Aug 26 10:46:24 localhost dbus[765]: [system] Successfully activated service 'org.freedesktop.systemd1'
Aug 26 10:46:39 localhost dbus[765]: [system] Activating via systemd: service name='org.freedesktop.PolicyKit1' unit='polkit.service'
Aug 26 10:46:39 localhost dbus[765]: [system] Successfully activated service 'org.freedesktop.PolicyKit1'
Aug 26 10:46:39 localhost dbus[765]: [system] Activating via systemd: service name='org.freedesktop.UDisks2' unit='udisks2.service'
Aug 26 10:46:39 localhost dbus[765]: [system] Successfully activated service 'org.freedesktop.UDisks2'
Aug 26 10:46:39 localhost dbus[765]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Aug 26 10:46:40 localhost org.kde.powerdevil.backlighthelper[765]: no kernel backlight interface found
Aug 26 10:46:40 localhost dbus[765]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Aug 26 10:46:45 localhost dbus[765]: [system] Activating via systemd: service name='org.freedesktop.RealtimeKit1' unit='rtkit-daemon.service'
Aug 26 10:46:45 localhost dbus[765]: [system] Successfully activated service 'org.freedesktop.RealtimeKit1'

install dbus dbus-x11 & libdbus1_3 from updates_testing

[root@localhost wilcal]# urpmi dbus
Package dbus-1.8.22-1.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi dbus-x11
Package dbus-x11-1.8.22-1.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libdbus1_3
Package libdbus1_3-1.8.22-1.1.mga5.i586 is already installed

reboot system
reboots back to a working desktop and common apps work

[root@localhost wilcal]# systemctl status dbus.service
● dbus.service - D-Bus System Message Bus
   Loaded: loaded (/usr/lib/systemd/system/dbus.service; static)
   Active: active (running) since Sat 2017-08-26 10:59:32 PDT; 1min 40s ago
     Docs: man:dbus-daemon(1)
 Main PID: 767 (dbus-daemon)
   CGroup: /system.slice/dbus.service
           └─767 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation

Aug 26 10:59:33 localhost dbus[767]: [system] Successfully activated service 'org.freedesktop.login1'
Aug 26 10:59:48 localhost dbus[767]: [system] Activating via systemd: service name='org.freedesktop.PolicyKit1' unit='polkit.service'
Aug 26 10:59:48 localhost dbus[767]: [system] Successfully activated service 'org.freedesktop.PolicyKit1'
Aug 26 10:59:48 localhost dbus[767]: [system] Activating via systemd: service name='org.freedesktop.UDisks2' unit='udisks2.service'
Aug 26 10:59:49 localhost dbus[767]: [system] Successfully activated service 'org.freedesktop.UDisks2'
Aug 26 10:59:49 localhost dbus[767]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Aug 26 10:59:49 localhost org.kde.powerdevil.backlighthelper[767]: no kernel backlight interface found
Aug 26 10:59:49 localhost dbus[767]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Aug 26 10:59:54 localhost dbus[767]: [system] Activating via systemd: service name='org.freedesktop.RealtimeKit1' unit='rtk...ervice'
Aug 26 10:59:55 localhost dbus[767]: [system] Successfully activated service 'org.freedesktop.RealtimeKit1'
CC: (none) => wilcal.int
Whiteboard: (none) => MGA5-32-OK
In VirtualBox, M5.1, KDE, 64-bit

Package(s) under test:
dbus dbus-x11 lib64dbus1_3

default install of dbus dbus-x11 & lib64dbus1_3

[root@localhost wilcal]# urpmi dbus
Package dbus-1.8.20-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi dbus-x11
Package dbus-x11-1.8.20-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64dbus1_3
Package lib64dbus1_3-1.8.20-1.mga5.x86_64 is already installed

boot system
Boots back to a working desktop and common apps work

[root@localhost wilcal]# systemctl status dbus.service
● dbus.service - D-Bus System Message Bus
   Loaded: loaded (/usr/lib/systemd/system/dbus.service; static)
   Active: active (running) since Sat 2017-08-26 11:10:29 PDT; 5min ago
     Docs: man:dbus-daemon(1)
 Main PID: 777 (dbus-daemon)
   CGroup: /system.slice/dbus.service
           └─777 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation

Aug 26 11:10:46 localhost dbus[777]: [system] Activating via systemd: service name='org.freedesktop.PolicyKit1' unit='polkit.service'
Aug 26 11:10:46 localhost dbus[777]: [system] Successfully activated service 'org.freedesktop.PolicyKit1'
Aug 26 11:10:46 localhost dbus[777]: [system] Activating via systemd: service name='org.freedesktop.UDisks2' unit='udisks2.service'
Aug 26 11:10:46 localhost dbus[777]: [system] Successfully activated service 'org.freedesktop.UDisks2'
Aug 26 11:10:46 localhost dbus[777]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Aug 26 11:10:46 localhost org.kde.powerdevil.backlighthelper[777]: no kernel backlight interface found
Aug 26 11:10:47 localhost dbus[777]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Aug 26 11:10:51 localhost dbus[777]: [system] Activating via systemd: service name='org.freedesktop.RealtimeKit1' unit='rtkit-dae...service'
Aug 26 11:10:52 localhost dbus[777]: [system] Successfully activated service 'org.freedesktop.RealtimeKit1'

install dbus dbus-x11 & lib64dbus1_3 from updates_testing

[root@localhost wilcal]# urpmi dbus
Package dbus-1.8.22-1.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi dbus-x11
Package dbus-x11-1.8.22-1.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64dbus1_3
Package lib64dbus1_3-1.8.22-1.1.mga5.x86_64 is already installed

reboot system
reboots back to a working desktop and common apps work

[root@localhost wilcal]# systemctl status dbus.service
● dbus.service - D-Bus System Message Bus
   Loaded: loaded (/usr/lib/systemd/system/dbus.service; static)
   Active: active (running) since Sat 2017-08-26 11:19:00 PDT; 2min 13s ago
     Docs: man:dbus-daemon(1)
 Main PID: 774 (dbus-daemon)
   CGroup: /system.slice/dbus.service
           └─774 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation

Aug 26 11:19:01 localhost dbus[774]: [system] Successfully activated service 'org.freedesktop.login1'
Aug 26 11:19:16 localhost dbus[774]: [system] Activating via systemd: service name='org.freedesktop.PolicyKit1' un...rvice'
Aug 26 11:19:16 localhost dbus[774]: [system] Successfully activated service 'org.freedesktop.PolicyKit1'
Aug 26 11:19:16 localhost dbus[774]: [system] Activating via systemd: service name='org.freedesktop.UDisks2' unit=...rvice'
Aug 26 11:19:17 localhost dbus[774]: [system] Successfully activated service 'org.freedesktop.UDisks2'
Aug 26 11:19:17 localhost dbus[774]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using ...elper)
Aug 26 11:19:17 localhost org.kde.powerdevil.backlighthelper[774]: no kernel backlight interface found
Aug 26 11:19:17 localhost dbus[774]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Aug 26 11:19:22 localhost dbus[774]: [system] Activating via systemd: service name='org.freedesktop.RealtimeKit1' ...rvice'
Aug 26 11:19:22 localhost dbus[774]: [system] Successfully activated service 'org.freedesktop.RealtimeKit1'
Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK
This update works fine.
Testing complete for MGA5, 32-bit & 64-bit.
Validating the update.
Could someone from the sysadmin team push to updates?
Thanks
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Thanks Bill for testing both architectures - necessary for this update. Advisoried.
Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory
CC: (none) => lewyssmith
An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2017-0310.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED