diff --git a/.dbus.metadata b/.dbus.metadata
deleted file mode 100644
index b643206..0000000
--- a/.dbus.metadata
+++ /dev/null
@@ -1 +0,0 @@
-8e50e46796e8297eaa633da3a61cdc79a500e34a SOURCES/dbus-1.12.8.tar.gz
diff --git a/.gitignore b/.gitignore
index 3a43390..10e643a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
-SOURCES/dbus-1.12.8.tar.gz
+dbus-1.14.10.tar.xz
+gpgkey-36EC5A6448A4F5EF79BEFE98E05AE1478F814C4F.gpg
diff --git a/SOURCES/00-start-message-bus.sh b/00-start-message-bus.sh
similarity index 100%
rename from SOURCES/00-start-message-bus.sh
rename to 00-start-message-bus.sh
diff --git a/SOURCES/0001-tools-Use-Python3-for-GetAllMatchRules.patch b/0001-tools-Use-Python3-for-GetAllMatchRules.patch
similarity index 100%
rename from SOURCES/0001-tools-Use-Python3-for-GetAllMatchRules.patch
rename to 0001-tools-Use-Python3-for-GetAllMatchRules.patch
diff --git a/SOURCES/dbus-1.12.8-fix-CVE-2019-12749.patch b/SOURCES/dbus-1.12.8-fix-CVE-2019-12749.patch
deleted file mode 100644
index 36cc3f1..0000000
--- a/SOURCES/dbus-1.12.8-fix-CVE-2019-12749.patch
+++ /dev/null
@@ -1,119 +0,0 @@ -From 47b1a4c41004bf494b87370987b222c934b19016 Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Thu, 30 May 2019 12:53:03 +0100 -Subject: [PATCH] auth: Reject DBUS_COOKIE_SHA1 for users other than the server - owner - -The DBUS_COOKIE_SHA1 authentication mechanism aims to prove ownership -of a shared home directory by having the server write a secret "cookie" -into a .dbus-keyrings subdirectory of the desired identity's home -directory with 0700 permissions, and having the client prove that it can -read the cookie. This never actually worked for non-malicious clients in -the case where server uid != client uid (unless the server and client -both have privileges, such as Linux CAP_DAC_OVERRIDE or traditional -Unix uid 0) because an unprivileged server would fail to write out the -cookie, and an unprivileged client would be unable to read the resulting -file owned by the server. - -Additionally, since dbus 1.7.10 we have checked that ~/.dbus-keyrings -is owned by the uid of the server (a side-effect of a check added to -harden our use of XDG_RUNTIME_DIR), further ruling out successful use -by a non-malicious client with a uid differing from the server's. - -Joe Vennix of Apple Information Security discovered that the -implementation of DBUS_COOKIE_SHA1 was susceptible to a symbolic link -attack: a malicious client with write access to its own home directory -could manipulate a ~/.dbus-keyrings symlink to cause the DBusServer to -read and write in unintended locations. In the worst case this could -result in the DBusServer reusing a cookie that is known to the -malicious client, and treating that cookie as evidence that a subsequent -client connection came from an attacker-chosen uid, allowing -authentication bypass. 
- -This is mitigated by the fact that by default, the well-known system -dbus-daemon (since 2003) and the well-known session dbus-daemon (in -stable releases since dbus 1.10.0 in 2015) only accept the EXTERNAL -authentication mechanism, and as a result will reject DBUS_COOKIE_SHA1 -at an early stage, before manipulating cookies. As a result, this -vulnerability only applies to: - -* system or session dbus-daemons with non-standard configuration -* third-party dbus-daemon invocations such as at-spi2-core (although - in practice at-spi2-core also only accepts EXTERNAL by default) -* third-party uses of DBusServer such as the one in Upstart - -Avoiding symlink attacks in a portable way is difficult, because APIs -like openat() and Linux /proc/self/fd are not universally available. -However, because DBUS_COOKIE_SHA1 already doesn't work in practice for -a non-matching uid, we can solve this vulnerability in an easier way -without regressions, by rejecting it early (before looking at -~/.dbus-keyrings) whenever the requested identity doesn't match the -identity of the process hosting the DBusServer. 
- -Signed-off-by: Simon McVittie -Closes: https://gitlab.freedesktop.org/dbus/dbus/issues/269 -Closes: CVE-2019-12749 ---- - dbus/dbus-auth.c | 32 ++++++++++++++++++++++++++++++++ - 1 file changed, 32 insertions(+) - -diff --git a/dbus/dbus-auth.c b/dbus/dbus-auth.c -index 37d8d4c9..7390a9d5 100644 ---- a/dbus/dbus-auth.c -+++ b/dbus/dbus-auth.c -@@ -529,6 +529,7 @@ sha1_handle_first_client_response (DBusAuth *auth, - DBusString tmp2; - dbus_bool_t retval = FALSE; - DBusError error = DBUS_ERROR_INIT; -+ DBusCredentials *myself = NULL; - - _dbus_string_set_length (&auth->challenge, 0); - -@@ -565,6 +566,34 @@ sha1_handle_first_client_response (DBusAuth *auth, - return FALSE; - } - -+ myself = _dbus_credentials_new_from_current_process (); -+ -+ if (myself == NULL) -+ goto out; -+ -+ if (!_dbus_credentials_same_user (myself, auth->desired_identity)) -+ { -+ /* -+ * DBUS_COOKIE_SHA1 is not suitable for authenticating that the -+ * client is anyone other than the user owning the process -+ * containing the DBusServer: we probably aren't allowed to write -+ * to other users' home directories. Even if we can (for example -+ * uid 0 on traditional Unix or CAP_DAC_OVERRIDE on Linux), we -+ * must not, because the other user controls their home directory, -+ * and could carry out symlink attacks to make us read from or -+ * write to unintended locations. It's difficult to avoid symlink -+ * attacks in a portable way, so we just don't try. This isn't a -+ * regression, because DBUS_COOKIE_SHA1 never worked for other -+ * users anyway. -+ */ -+ _dbus_verbose ("%s: client tried to authenticate as \"%s\", " -+ "but that doesn't match this process", -+ DBUS_AUTH_NAME (auth), -+ _dbus_string_get_const_data (data)); -+ retval = send_rejected (auth); -+ goto out; -+ } -+ - /* we cache the keyring for speed, so here we drop it if it's the - * wrong one. FIXME caching the keyring here is useless since we use - * a different DBusAuth for every connection. 
-@@ -679,6 +708,9 @@ sha1_handle_first_client_response (DBusAuth *auth, - _dbus_string_zero (&tmp2); - _dbus_string_free (&tmp2); - -+ if (myself != NULL) -+ _dbus_credentials_unref (myself); -+ - return retval; - } - --- -2.21.0 - diff --git a/SOURCES/dbus-1.12.8-fix-CVE-2020-12049.patch b/SOURCES/dbus-1.12.8-fix-CVE-2020-12049.patch deleted file mode 100644 index 181751f..0000000 --- a/SOURCES/dbus-1.12.8-fix-CVE-2020-12049.patch +++ /dev/null 
@@ -1,74 +0,0 @@ -From 872b085f12f56da25a2dbd9bd0b2dff31d5aea63 Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Thu, 16 Apr 2020 14:45:11 +0100 -Subject: [PATCH] sysdeps-unix: On MSG_CTRUNC, close the fds we did receive - -MSG_CTRUNC indicates that we have received fewer fds that we should -have done because the buffer was too small, but we were treating it -as though it indicated that we received *no* fds. If we received any, -we still have to make sure we close them, otherwise they will be leaked. - -On the system bus, if an attacker can induce us to leak fds in this -way, that's a local denial of service via resource exhaustion. - -Reported-by: Kevin Backhouse, GitHub Security Lab -Fixes: dbus#294 -Fixes: CVE-2020-12049 -Fixes: GHSL-2020-057 ---- - dbus/dbus-sysdeps-unix.c | 32 ++++++++++++++++++++------------ - 1 file changed, 20 insertions(+), 12 deletions(-) - -diff --git a/dbus/dbus-sysdeps-unix.c b/dbus/dbus-sysdeps-unix.c -index b5fc24663..b176dae1a 100644 ---- a/dbus/dbus-sysdeps-unix.c -+++ b/dbus/dbus-sysdeps-unix.c -@@ -435,18 +435,6 @@ _dbus_read_socket_with_unix_fds (DBusSocket fd, - struct cmsghdr *cm; - dbus_bool_t found = FALSE; - -- if (m.msg_flags & MSG_CTRUNC) -- { -- /* Hmm, apparently the control data was truncated. The bad -- thing is that we might have completely lost a couple of fds -- without chance to recover them. Hence let's treat this as a -- serious error. */ -- -- errno = ENOSPC; -- _dbus_string_set_length (buffer, start); -- return -1; -- } -- - for (cm = CMSG_FIRSTHDR(&m); cm; cm = CMSG_NXTHDR(&m, cm)) - if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_RIGHTS) - { -@@ -501,6 +489,26 @@ _dbus_read_socket_with_unix_fds (DBusSocket fd, - if (!found) - *n_fds = 0; - -+ if (m.msg_flags & MSG_CTRUNC) -+ { -+ unsigned int i; -+ -+ /* Hmm, apparently the control data was truncated. The bad -+ thing is that we might have completely lost a couple of fds -+ without chance to recover them. 
Hence let's treat this as a -+ serious error. */ -+ -+ /* We still need to close whatever fds we *did* receive, -+ * otherwise they'll never get closed. (CVE-2020-12049) */ -+ for (i = 0; i < *n_fds; i++) -+ close (fds[i]); -+ -+ *n_fds = 0; -+ errno = ENOSPC; -+ _dbus_string_set_length (buffer, start); -+ return -1; -+ } -+ - /* put length back (doesn't actually realloc) */ - _dbus_string_set_length (buffer, start + bytes_read); - --- -GitLab - diff --git a/SOURCES/dbus-1.12.8-fix-CVE-2023-34969.patch b/SOURCES/dbus-1.12.8-fix-CVE-2023-34969.patch deleted file mode 100644 index 535cd18..0000000 --- a/SOURCES/dbus-1.12.8-fix-CVE-2023-34969.patch +++ /dev/null 
@@ -1,337 +0,0 @@ -From 3a1b1e9a4010e581e2e940e61d37c4f617eb5eff Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Mon, 5 Jun 2023 17:56:33 +0100 -Subject: [PATCH 1/3] monitor test: Log the messages that we monitored - -This is helpful while debugging test failures. - -Helps: dbus/dbus#457 -Signed-off-by: Simon McVittie -(cherry picked from commit 8ee5d3e04420975107c27073b50f8758871a998b) ---- - test/monitor.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/test/monitor.c b/test/monitor.c -index df5a7180..182110f8 100644 ---- a/test/monitor.c -+++ b/test/monitor.c -@@ -196,6 +196,10 @@ _log_message (DBusMessage *m, - not_null (dbus_message_get_signature (m))); - g_test_message ("\terror name: %s", - not_null (dbus_message_get_error_name (m))); -+ g_test_message ("\tserial number: %u", -+ dbus_message_get_serial (m)); -+ g_test_message ("\tin reply to: %u", -+ dbus_message_get_reply_serial (m)); - - if (strcmp ("s", dbus_message_get_signature (m)) == 0) - { -@@ -339,6 +343,9 @@ monitor_filter (DBusConnection *connection, - { - Fixture *f = user_data; - -+ g_test_message ("Monitor received message:"); -+ log_message (message); -+ - g_assert_cmpstr (dbus_message_get_interface (message), !=, - "com.example.Tedious"); - --- -2.41.0 - - -From 37a4dc5835731a1f7a81f1b67c45b8dfb556dd1c Mon Sep 17 00:00:00 2001 -From: hongjinghao -Date: Mon, 5 Jun 2023 18:17:06 +0100 -Subject: [PATCH 2/3] bus: Assign a serial number for messages from the driver - -Normally, it's enough to rely on a message being given a serial number -by the DBusConnection just before it is actually sent. However, in the -rare case where the policy blocks the driver from sending a message -(due to a deny rule or the outgoing message quota being full), we need -to get a valid serial number sooner, so that we can copy it into the -DBUS_HEADER_FIELD_REPLY_SERIAL field (which is mandatory) in the error -message sent to monitors. 
Otherwise, the dbus-daemon will crash with -an assertion failure if at least one Monitoring client is attached, -because zero is not a valid serial number to copy. - -This fixes a denial-of-service vulnerability: if a privileged user is -monitoring the well-known system bus using a Monitoring client like -dbus-monitor or `busctl monitor`, then an unprivileged user can cause -denial-of-service by triggering this crash. A mitigation for this -vulnerability is to avoid attaching Monitoring clients to the system -bus when they are not needed. If there are no Monitoring clients, then -the vulnerable code is not reached. - -Co-authored-by: Simon McVittie -Resolves: dbus/dbus#457 -(cherry picked from commit b159849e031000d1dbc1ab876b5fc78a3ce9b534) ---- - bus/connection.c | 15 +++++++++++++++ - dbus/dbus-connection-internal.h | 2 ++ - dbus/dbus-connection.c | 11 ++++++++++- - 3 files changed, 27 insertions(+), 1 deletion(-) - -diff --git a/bus/connection.c b/bus/connection.c -index b3583433..215f0230 100644 ---- a/bus/connection.c -+++ b/bus/connection.c -@@ -2350,6 +2350,21 @@ bus_transaction_send_from_driver (BusTransaction *transaction, - if (!dbus_message_set_sender (message, DBUS_SERVICE_DBUS)) - return FALSE; - -+ /* Make sure the message has a non-zero serial number, otherwise -+ * bus_transaction_capture_error_reply() will not be able to mock up -+ * a corresponding reply for it. Normally this would be delayed until -+ * the first time we actually send the message out from a -+ * connection, when the transaction is committed, but that's too late -+ * in this case. 
-+ */ -+ if (dbus_message_get_serial (message) == 0) -+ { -+ dbus_uint32_t next_serial; -+ -+ next_serial = _dbus_connection_get_next_client_serial (connection); -+ dbus_message_set_serial (message, next_serial); -+ } -+ - if (bus_connection_is_active (connection)) - { - if (!dbus_message_set_destination (message, -diff --git a/dbus/dbus-connection-internal.h b/dbus/dbus-connection-internal.h -index 48357321..ba79b192 100644 ---- a/dbus/dbus-connection-internal.h -+++ b/dbus/dbus-connection-internal.h -@@ -54,6 +54,8 @@ DBUS_PRIVATE_EXPORT - DBusConnection * _dbus_connection_ref_unlocked (DBusConnection *connection); - DBUS_PRIVATE_EXPORT - void _dbus_connection_unref_unlocked (DBusConnection *connection); -+DBUS_PRIVATE_EXPORT -+dbus_uint32_t _dbus_connection_get_next_client_serial (DBusConnection *connection); - void _dbus_connection_queue_received_message_link (DBusConnection *connection, - DBusList *link); - dbus_bool_t _dbus_connection_has_messages_to_send_unlocked (DBusConnection *connection); -diff --git a/dbus/dbus-connection.c b/dbus/dbus-connection.c -index c525b6dc..09cef278 100644 ---- a/dbus/dbus-connection.c -+++ b/dbus/dbus-connection.c -@@ -1456,7 +1456,16 @@ _dbus_connection_unref_unlocked (DBusConnection *connection) - _dbus_connection_last_unref (connection); - } - --static dbus_uint32_t -+/** -+ * Allocate and return the next non-zero serial number for outgoing messages. -+ * -+ * This method is only valid to call from single-threaded code, such as -+ * the dbus-daemon, or with the connection lock held. -+ * -+ * @param connection the connection -+ * @returns A suitable serial number for the next message to be sent on the connection. 
-+ */ -+dbus_uint32_t - _dbus_connection_get_next_client_serial (DBusConnection *connection) - { - dbus_uint32_t serial; --- -2.41.0 - - -From 2c699f6ba9c162878c69d0728298c1ab7308db72 Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Mon, 5 Jun 2023 18:51:22 +0100 -Subject: [PATCH 3/3] monitor test: Reproduce dbus/dbus#457 - -The exact failure mode reported in dbus/dbus#457 is quite difficult -to achieve in a reliable way in a unit test, because we'd have to send -enough messages to a client to fill up its queue, then stop that client -from draining its queue, while still triggering a message that gets a -reply from the bus driver. However, we can trigger the same crash in a -slightly different way by not allowing the client to receive a -particular message. I chose NameAcquired. - -Signed-off-by: Simon McVittie -(cherry picked from commit 986611ad0f7f67a3693e5672cd66bc608c00b228) ---- - .../valid-config-files/forbidding.conf.in | 3 + - test/monitor.c | 77 ++++++++++++++++--- - 2 files changed, 71 insertions(+), 9 deletions(-) - -diff --git a/test/data/valid-config-files/forbidding.conf.in b/test/data/valid-config-files/forbidding.conf.in -index d145613c..58b3cc6a 100644 ---- a/test/data/valid-config-files/forbidding.conf.in -+++ b/test/data/valid-config-files/forbidding.conf.in -@@ -24,5 +24,8 @@ - - - -+ -+ -+ - - -diff --git a/test/monitor.c b/test/monitor.c -index 182110f8..42e0734d 100644 ---- a/test/monitor.c -+++ b/test/monitor.c -@@ -155,6 +155,21 @@ static Config side_effects_config = { - TRUE - }; - -+static dbus_bool_t -+config_forbids_name_acquired_signal (const Config *config) -+{ -+ if (config == NULL) -+ return FALSE; -+ -+ if (config->config_file == NULL) -+ return FALSE; -+ -+ if (strcmp (config->config_file, forbidding_config.config_file) == 0) -+ return TRUE; -+ -+ return FALSE; -+} -+ - static inline const char * - not_null2 (const char *x, - const char *fallback) -@@ -253,9 +268,6 @@ do { \ - - #define assert_name_acquired(m) \ - do { \ -- 
DBusError _e = DBUS_ERROR_INIT; \ -- const char *_s; \ -- \ - g_assert_cmpstr (dbus_message_type_to_string (dbus_message_get_type (m)), \ - ==, dbus_message_type_to_string (DBUS_MESSAGE_TYPE_SIGNAL)); \ - g_assert_cmpstr (dbus_message_get_sender (m), ==, DBUS_SERVICE_DBUS); \ -@@ -265,7 +277,14 @@ do { \ - g_assert_cmpstr (dbus_message_get_signature (m), ==, "s"); \ - g_assert_cmpint (dbus_message_get_serial (m), !=, 0); \ - g_assert_cmpint (dbus_message_get_reply_serial (m), ==, 0); \ -+} while (0) -+ -+#define assert_unique_name_acquired(m) \ -+do { \ -+ DBusError _e = DBUS_ERROR_INIT; \ -+ const char *_s; \ - \ -+ assert_name_acquired (m); \ - dbus_message_get_args (m, &_e, \ - DBUS_TYPE_STRING, &_s, \ - DBUS_TYPE_INVALID); \ -@@ -333,6 +352,21 @@ do { \ - g_assert_cmpint (dbus_message_get_reply_serial (m), !=, 0); \ - } while (0) - -+/* forbidding.conf does not allow receiving NameAcquired, so if we are in -+ * that configuration, then dbus-daemon synthesizes an error reply to itself -+ * and sends that to monitors */ -+#define expect_name_acquired_error(queue, in_reply_to) \ -+do { \ -+ DBusMessage *message; \ -+ \ -+ message = g_queue_pop_head (queue); \ -+ assert_error_reply (message, DBUS_SERVICE_DBUS, DBUS_SERVICE_DBUS, \ -+ DBUS_ERROR_ACCESS_DENIED); \ -+ g_assert_cmpint (dbus_message_get_reply_serial (message), ==, \ -+ dbus_message_get_serial (in_reply_to)); \ -+ dbus_message_unref (message); \ -+} while (0) -+ - /* This is called after processing pending replies to our own method - * calls, but before anything else. 
- */ -@@ -797,6 +831,11 @@ test_become_monitor (Fixture *f, - test_assert_no_error (&f->e); - g_assert_cmpint (ret, ==, DBUS_REQUEST_NAME_REPLY_PRIMARY_OWNER); - -+ /* If the policy forbids receiving NameAcquired, then we'll never -+ * receive it, so behave as though we had */ -+ if (config_forbids_name_acquired_signal (f->config)) -+ got_unique = got_a = got_b = got_c = TRUE; -+ - while (!got_unique || !got_a || !got_b || !got_c) - { - if (g_queue_is_empty (&f->monitored)) -@@ -1448,6 +1487,7 @@ test_dbus_daemon (Fixture *f, - { - DBusMessage *m; - int res; -+ size_t n_expected; - - if (f->address == NULL) - return; -@@ -1463,7 +1503,12 @@ test_dbus_daemon (Fixture *f, - test_assert_no_error (&f->e); - g_assert_cmpint (res, ==, DBUS_RELEASE_NAME_REPLY_RELEASED); - -- while (g_queue_get_length (&f->monitored) < 8) -+ n_expected = 8; -+ -+ if (config_forbids_name_acquired_signal (context)) -+ n_expected += 1; -+ -+ while (g_queue_get_length (&f->monitored) < n_expected) - test_main_context_iterate (f->ctx, TRUE); - - m = g_queue_pop_head (&f->monitored); -@@ -1476,10 +1521,12 @@ test_dbus_daemon (Fixture *f, - "NameOwnerChanged", "sss", NULL); - dbus_message_unref (m); - -- /* FIXME: should we get this? 
*/ - m = g_queue_pop_head (&f->monitored); -- assert_signal (m, DBUS_SERVICE_DBUS, DBUS_PATH_DBUS, DBUS_INTERFACE_DBUS, -- "NameAcquired", "s", f->sender_name); -+ assert_name_acquired (m); -+ -+ if (config_forbids_name_acquired_signal (f->config)) -+ expect_name_acquired_error (&f->monitored, m); -+ - dbus_message_unref (m); - - m = g_queue_pop_head (&f->monitored); -@@ -1701,8 +1748,14 @@ static void - expect_new_connection (Fixture *f) - { - DBusMessage *m; -+ size_t n_expected; - -- while (g_queue_get_length (&f->monitored) < 4) -+ n_expected = 4; -+ -+ if (config_forbids_name_acquired_signal (f->config)) -+ n_expected += 1; -+ -+ while (g_queue_get_length (&f->monitored) < n_expected) - test_main_context_iterate (f->ctx, TRUE); - - m = g_queue_pop_head (&f->monitored); -@@ -1719,7 +1772,11 @@ expect_new_connection (Fixture *f) - dbus_message_unref (m); - - m = g_queue_pop_head (&f->monitored); -- assert_name_acquired (m); -+ assert_unique_name_acquired (m); -+ -+ if (config_forbids_name_acquired_signal (f->config)) -+ expect_name_acquired_error (&f->monitored, m); -+ - dbus_message_unref (m); - } - -@@ -2044,6 +2101,8 @@ main (int argc, - setup, test_method_call, teardown); - g_test_add ("/monitor/forbidden-method", Fixture, &forbidding_config, - setup, test_forbidden_method_call, teardown); -+ g_test_add ("/monitor/forbidden-reply", Fixture, &forbidding_config, -+ setup, test_dbus_daemon, teardown); - g_test_add ("/monitor/dbus-daemon", Fixture, NULL, - setup, test_dbus_daemon, teardown); - g_test_add ("/monitor/selective", Fixture, &selective_config, --- -2.41.0 - diff --git a/SOURCES/dbus-1.12.8-fix-fd-limit-change.patch b/SOURCES/dbus-1.12.8-fix-fd-limit-change.patch deleted file mode 100644 index 8a564b7..0000000 --- a/SOURCES/dbus-1.12.8-fix-fd-limit-change.patch +++ /dev/null 
@@ -1,201 +0,0 @@ -From 94bacc6955e563a7e698e53151a75323279a9f45 Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Mon, 11 Mar 2019 09:03:39 +0000 -Subject: [PATCH] bus: Try to raise soft fd limit to match hard limit - -Linux systems have traditionally set the soft limit to 1024 and the hard -limit to 4096. Recent versions of systemd keep the soft fd limit at -1024 to avoid breaking programs that still use select(), but raise the -hard limit to 512*1024, while in recent Debian versions a complicated -interaction between components gives a soft limit of 1024 and a hard -limit of 1024*1024. If we can, we might as well elevate our soft limit -to match the hard limit, minimizing the chance that we will run out of -file descriptor slots. - -Unlike the previous code to raise the hard and soft limits to at least -65536, we do this even if we don't have privileges: privileges are -unnecessary to raise the soft limit up to the hard limit. - -If we *do* have privileges, we also continue to raise the hard and soft -limits to at least 65536 if they weren't already that high, making -it harder to carry out a denial of service attack on the system bus on -systems that use the traditional limit (CVE-2014-7824). - -As was previously the case on the system bus, we'll drop the limits back -to our initial limits before we execute a subprocess for traditional -(non-systemd) activation, if enabled. - -systemd activation doesn't involve us starting subprocesses at all, -so in both cases activated services will still inherit the same limits -they did previously. - -This change also fixes a bug when the hard limit is very large but -the soft limit is not, for example seen as a regression when upgrading -to systemd >= 240 (Debian #928877). In such environments, dbus-daemon -would previously have changed its fd limit to 64K soft/64K hard. 
Because -this hard limit is less than its original hard limit, it was unable to -restore its original hard limit as intended when carrying out traditional -activation, leaving activated subprocesses with unintended limits (while -logging a warning). - -Reviewed-by: Lennart Poettering -[smcv: Correct a comment based on Lennart's review, reword commit message] -Signed-off-by: Simon McVittie -(cherry picked from commit 7eacbfece70f16bb54d0f3ac51f87ae398759ef5) -[smcv: Mention that this also fixes Debian #928877] ---- - bus/bus.c | 8 ++--- - dbus/dbus-sysdeps-util-unix.c | 64 +++++++++++++++++++++-------------- - dbus/dbus-sysdeps-util-win.c | 3 +- - dbus/dbus-sysdeps.h | 3 +- - 4 files changed, 44 insertions(+), 34 deletions(-) - -diff --git a/bus/bus.c b/bus/bus.c -index 30ce4e10..2ad8e789 100644 ---- a/bus/bus.c -+++ b/bus/bus.c -@@ -693,11 +693,11 @@ raise_file_descriptor_limit (BusContext *context) - /* We used to compute a suitable rlimit based on the configured number - * of connections, but that breaks down as soon as we allow fd-passing, - * because each connection is allowed to pass 64 fds to us, and if -- * they all did, we'd hit kernel limits. We now hard-code 64k as a -- * good limit, like systemd does: that's enough to avoid DoS from -- * anything short of multiple uids conspiring against us. -+ * they all did, we'd hit kernel limits. We now hard-code a good -+ * limit that is enough to avoid DoS from anything short of multiple -+ * uids conspiring against us, much like systemd does. 
- */ -- if (!_dbus_rlimit_raise_fd_limit_if_privileged (65536, &error)) -+ if (!_dbus_rlimit_raise_fd_limit (&error)) - { - bus_context_log (context, DBUS_SYSTEM_LOG_WARNING, - "%s: %s", error.name, error.message); -diff --git a/dbus/dbus-sysdeps-util-unix.c b/dbus/dbus-sysdeps-util-unix.c -index 2be5b779..7c4c3604 100644 ---- a/dbus/dbus-sysdeps-util-unix.c -+++ b/dbus/dbus-sysdeps-util-unix.c -@@ -406,23 +406,15 @@ _dbus_rlimit_save_fd_limit (DBusError *error) - return self; - } - -+/* Enough fds that we shouldn't run out, even if several uids work -+ * together to carry out a denial-of-service attack. This happens to be -+ * the same number that systemd < 234 would normally use. */ -+#define ENOUGH_FDS 65536 -+ - dbus_bool_t --_dbus_rlimit_raise_fd_limit_if_privileged (unsigned int desired, -- DBusError *error) -+_dbus_rlimit_raise_fd_limit (DBusError *error) - { -- struct rlimit lim; -- -- /* No point to doing this practically speaking -- * if we're not uid 0. We expect the system -- * bus to use this before we change UID, and -- * the session bus takes the Linux default, -- * currently 1024 for cur and 4096 for max. -- */ -- if (getuid () != 0) -- { -- /* not an error, we're probably the session bus */ -- return TRUE; -- } -+ struct rlimit old, lim; - - if (getrlimit (RLIMIT_NOFILE, &lim) < 0) - { -@@ -431,22 +423,43 @@ _dbus_rlimit_raise_fd_limit_if_privileged (unsigned int desired, - return FALSE; - } - -- if (lim.rlim_cur == RLIM_INFINITY || lim.rlim_cur >= desired) -+ old = lim; -+ -+ if (getuid () == 0) - { -- /* not an error, everything is fine */ -- return TRUE; -+ /* We are privileged, so raise the soft limit to at least -+ * ENOUGH_FDS, and the hard limit to at least the desired soft -+ * limit. This assumes we can exercise CAP_SYS_RESOURCE on Linux, -+ * or other OSs' equivalents. 
*/ -+ if (lim.rlim_cur != RLIM_INFINITY && -+ lim.rlim_cur < ENOUGH_FDS) -+ lim.rlim_cur = ENOUGH_FDS; -+ -+ if (lim.rlim_max != RLIM_INFINITY && -+ lim.rlim_max < lim.rlim_cur) -+ lim.rlim_max = lim.rlim_cur; - } - -- /* Ignore "maximum limit", assume we have the "superuser" -- * privileges. On Linux this is CAP_SYS_RESOURCE. -- */ -- lim.rlim_cur = lim.rlim_max = desired; -+ /* Raise the soft limit to match the hard limit, which we can do even -+ * if we are unprivileged. In particular, systemd >= 240 will normally -+ * set rlim_cur to 1024 and rlim_max to 512*1024, recent Debian -+ * versions end up setting rlim_cur to 1024 and rlim_max to 1024*1024, -+ * and older and non-systemd Linux systems would typically set rlim_cur -+ * to 1024 and rlim_max to 4096. */ -+ if (lim.rlim_max == RLIM_INFINITY || lim.rlim_cur < lim.rlim_max) -+ lim.rlim_cur = lim.rlim_max; -+ -+ /* Early-return if there is nothing to do. */ -+ if (lim.rlim_max == old.rlim_max && -+ lim.rlim_cur == old.rlim_cur) -+ return TRUE; - - if (setrlimit (RLIMIT_NOFILE, &lim) < 0) - { - dbus_set_error (error, _dbus_error_from_errno (errno), -- "Failed to set fd limit to %u: %s", -- desired, _dbus_strerror (errno)); -+ "Failed to set fd limit to %lu: %s", -+ (unsigned long) lim.rlim_cur, -+ _dbus_strerror (errno)); - return FALSE; - } - -@@ -485,8 +498,7 @@ _dbus_rlimit_save_fd_limit (DBusError *error) - } - - dbus_bool_t --_dbus_rlimit_raise_fd_limit_if_privileged (unsigned int desired, -- DBusError *error) -+_dbus_rlimit_raise_fd_limit (DBusError *error) - { - fd_limit_not_supported (error); - return FALSE; -diff --git a/dbus/dbus-sysdeps-util-win.c b/dbus/dbus-sysdeps-util-win.c -index 1ef4ae6c..1c1d9f7d 100644 ---- a/dbus/dbus-sysdeps-util-win.c -+++ b/dbus/dbus-sysdeps-util-win.c -@@ -273,8 +273,7 @@ _dbus_rlimit_save_fd_limit (DBusError *error) - } - - dbus_bool_t --_dbus_rlimit_raise_fd_limit_if_privileged (unsigned int desired, -- DBusError *error) -+_dbus_rlimit_raise_fd_limit (DBusError 
*error) - { - fd_limit_not_supported (error); - return FALSE; -diff --git a/dbus/dbus-sysdeps.h b/dbus/dbus-sysdeps.h -index ef786ecc..0b9d7696 100644 ---- a/dbus/dbus-sysdeps.h -+++ b/dbus/dbus-sysdeps.h -@@ -698,8 +698,7 @@ dbus_bool_t _dbus_replace_install_prefix (DBusString *path); - typedef struct DBusRLimit DBusRLimit; - - DBusRLimit *_dbus_rlimit_save_fd_limit (DBusError *error); --dbus_bool_t _dbus_rlimit_raise_fd_limit_if_privileged (unsigned int desired, -- DBusError *error); -+dbus_bool_t _dbus_rlimit_raise_fd_limit (DBusError *error); - dbus_bool_t _dbus_rlimit_restore_fd_limit (DBusRLimit *saved, - DBusError *error); - void _dbus_rlimit_free (DBusRLimit *lim); --- -GitLab - diff --git a/SOURCES/dbus-1.20.8-CVE-2022-42010.patch b/SOURCES/dbus-1.20.8-CVE-2022-42010.patch deleted file mode 100644 index ce387c7..0000000 --- a/SOURCES/dbus-1.20.8-CVE-2022-42010.patch +++ /dev/null 
@@ -1,116 +0,0 @@ -From 8f382ee405ec68850866298ba0574f12e261a6fa Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Tue, 13 Sep 2022 15:10:22 +0100 -Subject: [PATCH] dbus-marshal-validate: Check brackets in signature nest - correctly - -In debug builds with assertions enabled, a signature with incorrectly -nested `()` and `{}`, for example `a{i(u}` or `(a{ii)}`, could result -in an assertion failure. - -In production builds without assertions enabled, a signature with -incorrectly nested `()` and `{}` could potentially result in a crash -or incorrect message parsing, although we do not have a concrete example -of either of these failure modes. - -Thanks: Evgeny Vereshchagin -Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/418 -Resolves: CVE-2022-42010 -Signed-off-by: Simon McVittie -(cherry picked from commit 9d07424e9011e3bbe535e83043d335f3093d2916) -(cherry picked from commit 3e53a785dee8d1432156188a2c4260e4cbc78c4d) ---- - dbus/dbus-marshal-validate.c | 38 +++++++++++++++++++++++++++++++++++- - 1 file changed, 37 insertions(+), 1 deletion(-) - -diff --git a/dbus/dbus-marshal-validate.c b/dbus/dbus-marshal-validate.c -index 4d492f3f3..ae68414dd 100644 ---- a/dbus/dbus-marshal-validate.c -+++ b/dbus/dbus-marshal-validate.c -@@ -62,6 +62,8 @@ _dbus_validate_signature_with_reason (const DBusString *type_str, - - int element_count; - DBusList *element_count_stack; -+ char opened_brackets[DBUS_MAXIMUM_TYPE_RECURSION_DEPTH * 2 + 1] = { '\0' }; -+ char last_bracket; - - result = DBUS_VALID; - element_count_stack = NULL; -@@ -93,6 +95,10 @@ _dbus_validate_signature_with_reason (const DBusString *type_str, - - while (p != end) - { -+ _dbus_assert (struct_depth + dict_entry_depth >= 0); -+ _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets)); -+ _dbus_assert (opened_brackets[struct_depth + dict_entry_depth] == '\0'); -+ - switch (*p) - { - case DBUS_TYPE_BYTE: -@@ -136,6 +142,10 @@ _dbus_validate_signature_with_reason (const 
DBusString *type_str, - goto out; - } - -+ _dbus_assert (struct_depth + dict_entry_depth >= 1); -+ _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets)); -+ _dbus_assert (opened_brackets[struct_depth + dict_entry_depth - 1] == '\0'); -+ opened_brackets[struct_depth + dict_entry_depth - 1] = DBUS_STRUCT_BEGIN_CHAR; - break; - - case DBUS_STRUCT_END_CHAR: -@@ -151,9 +161,20 @@ _dbus_validate_signature_with_reason (const DBusString *type_str, - goto out; - } - -+ _dbus_assert (struct_depth + dict_entry_depth >= 1); -+ _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets)); -+ last_bracket = opened_brackets[struct_depth + dict_entry_depth - 1]; -+ -+ if (last_bracket != DBUS_STRUCT_BEGIN_CHAR) -+ { -+ result = DBUS_INVALID_STRUCT_ENDED_BUT_NOT_STARTED; -+ goto out; -+ } -+ - _dbus_list_pop_last (&element_count_stack); - - struct_depth -= 1; -+ opened_brackets[struct_depth + dict_entry_depth] = '\0'; - break; - - case DBUS_DICT_ENTRY_BEGIN_CHAR: -@@ -178,6 +199,10 @@ _dbus_validate_signature_with_reason (const DBusString *type_str, - goto out; - } - -+ _dbus_assert (struct_depth + dict_entry_depth >= 1); -+ _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets)); -+ _dbus_assert (opened_brackets[struct_depth + dict_entry_depth - 1] == '\0'); -+ opened_brackets[struct_depth + dict_entry_depth - 1] = DBUS_DICT_ENTRY_BEGIN_CHAR; - break; - - case DBUS_DICT_ENTRY_END_CHAR: -@@ -186,8 +211,19 @@ _dbus_validate_signature_with_reason (const DBusString *type_str, - result = DBUS_INVALID_DICT_ENTRY_ENDED_BUT_NOT_STARTED; - goto out; - } -- -+ -+ _dbus_assert (struct_depth + dict_entry_depth >= 1); -+ _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets)); -+ last_bracket = opened_brackets[struct_depth + dict_entry_depth - 1]; -+ -+ if (last_bracket != DBUS_DICT_ENTRY_BEGIN_CHAR) -+ { -+ result = DBUS_INVALID_DICT_ENTRY_ENDED_BUT_NOT_STARTED; -+ goto out; -+ } -+ - 
dict_entry_depth -= 1; -+ opened_brackets[struct_depth + dict_entry_depth] = '\0'; - - element_count = - _DBUS_POINTER_TO_INT (_dbus_list_pop_last (&element_count_stack)); --- -GitLab - diff --git a/SOURCES/dbus-1.20.8-CVE-2022-42011.patch b/SOURCES/dbus-1.20.8-CVE-2022-42011.patch deleted file mode 100644 index d0a5510..0000000 --- a/SOURCES/dbus-1.20.8-CVE-2022-42011.patch +++ /dev/null 
@@ -1,57 +0,0 @@ -From 3b8a7aff228770f4f7b478db606b10cceacea875 Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Mon, 12 Sep 2022 13:14:18 +0100 -Subject: [PATCH] dbus-marshal-validate: Validate length of arrays of - fixed-length items - -This fast-path previously did not check that the array was made up -of an integer number of items. This could lead to assertion failures -and out-of-bounds accesses during subsequent message processing (which -assumes that the message has already been validated), particularly after -the addition of _dbus_header_remove_unknown_fields(), which makes it -more likely that dbus-daemon will apply non-trivial edits to messages. - -Thanks: Evgeny Vereshchagin -Fixes: e61f13cf "Bug 18064 - more efficient validation for fixed-size type arrays" -Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/413 -Resolves: CVE-2022-42011 -Signed-off-by: Simon McVittie -(cherry picked from commit 079bbf16186e87fb0157adf8951f19864bc2ed69) -(cherry picked from commit b9e6a7523085a2cfceaffca7ba1ab4251f12a984) ---- - dbus/dbus-marshal-validate.c | 13 ++++++++++++- - 1 file changed, 12 insertions(+), 1 deletion(-) - -diff --git a/dbus/dbus-marshal-validate.c b/dbus/dbus-marshal-validate.c -index ae68414dd..7d0d6cf72 100644 ---- a/dbus/dbus-marshal-validate.c -+++ b/dbus/dbus-marshal-validate.c -@@ -503,13 +503,24 @@ validate_body_helper (DBusTypeReader *reader, - */ - if (dbus_type_is_fixed (array_elem_type)) - { -+ /* Note that fixed-size types all have sizes equal to -+ * their alignments, so this is really the item size. 
*/ -+ alignment = _dbus_type_get_alignment (array_elem_type); -+ _dbus_assert (alignment == 1 || alignment == 2 || -+ alignment == 4 || alignment == 8); -+ -+ /* Because the alignment is a power of 2, this is -+ * equivalent to: (claimed_len % alignment) != 0, -+ * but avoids slower integer division */ -+ if ((claimed_len & (alignment - 1)) != 0) -+ return DBUS_INVALID_ARRAY_LENGTH_INCORRECT; -+ - /* bools need to be handled differently, because they can - * have an invalid value - */ - if (array_elem_type == DBUS_TYPE_BOOLEAN) - { - dbus_uint32_t v; -- alignment = _dbus_type_get_alignment (array_elem_type); - - while (p < array_end) - { --- -GitLab - diff --git a/SOURCES/dbus-1.20.8-CVE-2022-42012.patch b/SOURCES/dbus-1.20.8-CVE-2022-42012.patch deleted file mode 100644 index 29ff781..0000000 --- a/SOURCES/dbus-1.20.8-CVE-2022-42012.patch +++ /dev/null 
@@ -1,73 +0,0 @@ -From 51a5bbf9074855b0f4a353ed309938b196c13525 Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Fri, 30 Sep 2022 13:46:31 +0100 -Subject: [PATCH] dbus-marshal-byteswap: Byte-swap Unix fd indexes if needed - -When a D-Bus message includes attached file descriptors, the body of the -message contains unsigned 32-bit indexes pointing into an out-of-band -array of file descriptors. Some D-Bus APIs like GLib's GDBus refer to -these indexes as "handles" for the associated fds (not to be confused -with a Windows HANDLE, which is a kernel object). - -The assertion message removed by this commit is arguably correct up to -a point: fd-passing is only reasonable on a local machine, and no known -operating system allows processes of differing endianness even on a -multi-endian ARM or PowerPC CPU, so it makes little sense for the sender -to specify a byte-order that differs from the byte-order of the recipient. - -However, this doesn't account for the fact that a malicious sender -doesn't have to restrict itself to only doing things that make sense. -On a system with untrusted local users, a message sender could crash -the system dbus-daemon (a denial of service) by sending a message in -the opposite endianness that contains handles to file descriptors. - -Before this commit, if assertions are enabled, attempting to byteswap -a fd index would cleanly crash the message recipient with an assertion -failure. If assertions are disabled, attempting to byteswap a fd index -would silently do nothing without advancing the pointer p, causing the -message's type and the pointer into its contents to go out of sync, which -can result in a subsequent crash (the crash demonstrated by fuzzing was -a use-after-free, but other failure modes might be possible). - -In principle we could resolve this by rejecting wrong-endianness messages -from a local sender, but it's actually simpler and less code to treat -wrong-endianness messages as valid and byteswap them. 
- -Thanks: Evgeny Vereshchagin -Fixes: ba7daa60 "unix-fd: add basic marshalling code for unix fds" -Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/417 -Resolves: CVE-2022-42012 -Signed-off-by: Simon McVittie -(cherry picked from commit 236f16e444e88a984cf12b09225e0f8efa6c5b44) -(cherry picked from commit 3fb065b0752db1e298e4ada52cf4adc414f5e946) ---- - dbus/dbus-marshal-byteswap.c | 6 +----- - 1 file changed, 1 insertion(+), 5 deletions(-) - -diff --git a/dbus/dbus-marshal-byteswap.c b/dbus/dbus-marshal-byteswap.c -index 27695aafb..7104e9c63 100644 ---- a/dbus/dbus-marshal-byteswap.c -+++ b/dbus/dbus-marshal-byteswap.c -@@ -61,6 +61,7 @@ byteswap_body_helper (DBusTypeReader *reader, - case DBUS_TYPE_BOOLEAN: - case DBUS_TYPE_INT32: - case DBUS_TYPE_UINT32: -+ case DBUS_TYPE_UNIX_FD: - { - p = _DBUS_ALIGN_ADDRESS (p, 4); - *((dbus_uint32_t*)p) = DBUS_UINT32_SWAP_LE_BE (*((dbus_uint32_t*)p)); -@@ -188,11 +189,6 @@ byteswap_body_helper (DBusTypeReader *reader, - } - break; - -- case DBUS_TYPE_UNIX_FD: -- /* fds can only be passed on a local machine, so byte order must always match */ -- _dbus_assert_not_reached("attempted to byteswap unix fds which makes no sense"); -- break; -- - default: - _dbus_assert_not_reached ("invalid typecode in supposedly-validated signature"); - break; --- -GitLab - diff --git a/SOURCES/dbus-kill-process-with-session b/SOURCES/dbus-kill-process-with-session deleted file mode 100644 index 6adfee9..0000000 --- a/SOURCES/dbus-kill-process-with-session +++ /dev/null 
@@ -1,30 +0,0 @@ -#!/bin/bash -# This script ensures the dbus-daemon is killed when the session closes. -# It's used by SSH sessions that have X forwarding (since the X display -# may outlive the session in those cases) -[ $# != 1 ] && exit 1 - -exec >& /dev/null - -MONITOR_READY_FILE=$(mktemp dbus-session-monitor.XXXXXX --tmpdir) -DBUS_SESSIONS="${XDG_RUNTIME_DIR}/dbus-1/sessions" -DBUS_SESSION_ADDRESS_FILE="${DBUS_SESSIONS}/${XDG_SESSION_ID}" - -trap 'rm -f "${MONITOR_READY_FILE}"; rm -f "${DBUS_SESSION_ADDRESS_FILE}"; kill -TERM $1; kill -HUP $(jobs -p)' EXIT - -export GVFS_DISABLE_FUSE=1 -coproc SESSION_MONITOR (gio monitor -f "/run/systemd/sessions/${XDG_SESSION_ID}" "${MONITOR_READY_FILE}") - -# Poll until the gio monitor command is actively monitoring -until - touch "${MONITOR_READY_FILE}" - read -t 0.5 -u ${SESSION_MONITOR[0]} -do - continue -done - -# Block until the session is closed -while grep -q ^State=active <(loginctl show-session $XDG_SESSION_ID) -do - read -u ${SESSION_MONITOR[0]} -done diff --git a/SOURCES/ssh-x-forwarding.csh b/SOURCES/ssh-x-forwarding.csh deleted file mode 100644 index 47424e5..0000000 --- a/SOURCES/ssh-x-forwarding.csh +++ /dev/null @@ -1,24 +0,0 @@ -# DBus session bus over SSH with X11 forwarding -if ( $?SSH_CONNECTION == 0 ) exit -if ( $?XDG_SESSION_ID == 0) exit -if ( $?DISPLAY == 0 ) exit -if ( $SHLVL > 1 ) exit - -set DBUS_SESSIONS = "${XDG_RUNTIME_DIR}/dbus-1/sessions" -set DBUS_SESSION_ADDRESS_FILE = "${DBUS_SESSIONS}/${XDG_SESSION_ID}" - -if ( -e "${DBUS_SESSION_ADDRESS_FILE}" ) then - setenv DBUS_SESSION_BUS_ADDRESS "`cat ${DBUS_SESSION_ADDRESS_FILE}`" - exit -endif - -setenv GDK_BACKEND x11 - -eval `dbus-launch --csh-syntax` - -if ( $?DBUS_SESSION_BUS_PID == 0 ) exit - -mkdir -p "${DBUS_SESSIONS}" -echo "${DBUS_SESSION_BUS_ADDRESS}" > "${DBUS_SESSION_ADDRESS_FILE}" - -setsid -f /usr/libexec/dbus-1/dbus-kill-process-with-session $DBUS_SESSION_BUS_PID 
diff --git a/SOURCES/ssh-x-forwarding.sh b/SOURCES/ssh-x-forwarding.sh deleted file mode 100644 index 9fbb8d1..0000000 --- a/SOURCES/ssh-x-forwarding.sh +++ /dev/null @@ -1,25 +0,0 @@ -# DBus session bus over SSH with X11 forwarding -[ -z "$SSH_CONNECTION" ] && return -[ -z "$XDG_SESSION_ID" ] && return -[ -z "$DISPLAY" ] && return -[ "${DISPLAY:0:1}" = ":" ] && return -[ "$SHLVL" -ne 1 ] && return - -DBUS_SESSIONS="${XDG_RUNTIME_DIR}/dbus-1/sessions" -DBUS_SESSION_ADDRESS_FILE="${DBUS_SESSIONS}/${XDG_SESSION_ID}" - -if [ -e "${DBUS_SESSION_ADDRESS_FILE}" ]; then - export DBUS_SESSION_BUS_ADDRESS="$(cat ${DBUS_SESSION_ADDRESS_FILE})" - return -fi - -export GDK_BACKEND=x11 - -eval `dbus-launch --sh-syntax` - -[ -z "$DBUS_SESSION_BUS_PID" ] && return - -mkdir -p "${DBUS_SESSIONS}" -echo "${DBUS_SESSION_BUS_ADDRESS}" > "${DBUS_SESSION_ADDRESS_FILE}" - -setsid -f /usr/libexec/dbus-1/dbus-kill-process-with-session "$DBUS_SESSION_BUS_PID" diff --git a/dbus-1.14.10.tar.xz.asc b/dbus-1.14.10.tar.xz.asc new file mode 100644 index 0000000..8b94fd0 --- /dev/null +++ b/dbus-1.14.10.tar.xz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCAAdFiEENuxaZEik9e95vv6Y4FrhR4+BTE8FAmTx9gwACgkQ4FrhR4+B +TE/2pg/+Ir3SDeg9BOhbX5BvKGrxlQbGJgkrSPKPm+KHDhOZ4NmTsS4a+YYhhjBm +27E2/vFK+pDwTwFhYmygZAgLPQVl9RRVuW/Alq1dgabmdIBVaAfnL5jG+isjD+dV +mRXwipJcacrHQtUQoUNWkSI9OxDT+zWY08m8eKQMp2iEfupG7RZkn0BQ0+1+i808 +Ep6rgbvkI7+eKhrpkmxHnEPSKRWe2qQ74agRoazbhCP0M9VObQsx5J9mTnMTIKOy +KVaFVi385nHYj1/igGnpH/XNWhwV7aU8exngiA1Fmoc69ttPaEXvV5JJ0Gf8eXeK +LqvZbl5nJotGG3hAkdo9bUQRIXWz9zJ1ZJxTM0tAyk+phwD/2r03tOdSVQ/tNJuW +tQOYq7pnHLMiAhiR8+P5mI3FYbKj2BYgJXf1FKu8B+ZQLuiRxGfYzUgIf2SirQk/ +Tg2axWYnNZZ0X6fWrw5CyiH1fX2uDkGypEMMF6W5Rdd7DFchk4CZm3xlRkPIDEI0 +9WK4/Y+XLn053V01q1z8vvOruOeecAUsp+/wwk+TpHoyC8XXA4RVFZg1erbxMqZ6 +zkgs4IBSK3T/NUMpWqkGqtTzfHvmVc796AWCFpJMrB6syX2Mz/DLRQ7itWfL7vgc +Af/ybyOCvfZl6nmCLbTUL0kzmJkT0M9uCtSrXEUO9gMBwtOcOIc= +=/5FJ +-----END PGP SIGNATURE----- 
diff --git a/dbus-daemon.service b/dbus-daemon.service new file mode 100644 index 0000000..171d4c4 --- /dev/null +++ b/dbus-daemon.service @@ -0,0 +1,15 @@ +[Unit] +Description=D-Bus System Message Bus +Documentation=man:dbus-daemon(1) +Requires=dbus.socket + +[Service] +ExecStart=/usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only +ExecReload=/usr/bin/dbus-send --print-reply --system --type=method_call --dest=org.freedesktop.DBus / org.freedesktop.DBus.ReloadConfig +OOMScoreAdjust=-900 + +[Install] +# Make sure that services can still refer to this under the name of the +# old SysV script (messagebus). +Alias=dbus.service messagebus.service +WantedBy=multi-user.target diff --git a/dbus-daemon.user.service b/dbus-daemon.user.service new file mode 100644 index 0000000..2d96f62 --- /dev/null +++ b/dbus-daemon.user.service @@ -0,0 +1,11 @@ +[Unit] +Description=D-Bus User Message Bus +Documentation=man:dbus-daemon(1) +Requires=dbus.socket + +[Service] +ExecStart=/usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only +ExecReload=/usr/bin/dbus-send --print-reply --session --type=method_call --dest=org.freedesktop.DBus / org.freedesktop.DBus.ReloadConfig + +[Install] +Alias=dbus.service diff --git a/SOURCES/dbus-systemd-sysusers.conf b/dbus-systemd-sysusers.conf similarity index 100% rename from SOURCES/dbus-systemd-sysusers.conf rename to dbus-systemd-sysusers.conf diff --git a/dbus.socket b/dbus.socket new file mode 100644 index 0000000..e1e4a65 --- /dev/null +++ b/dbus.socket @@ -0,0 +1,8 @@ +[Unit] +Description=D-Bus System Message Bus Socket + +[Socket] +ListenStream=/run/dbus/system_bus_socket + +[Install] +WantedBy=sockets.target diff --git a/SPECS/dbus.spec b/dbus.spec similarity index 81% rename from SPECS/dbus.spec rename to dbus.spec index 9205421..331cdf9 100644 --- a/SPECS/dbus.spec +++ b/dbus.spec 
@@ -5,9 +5,11 @@ %global libselinux_version 2.0.86 -%global dbus_user_uid 81 +# fedora-release-30-0.2 and generic-release-0.1 added required presets to enable systemd-unit symlinks +%global fedora_release_version 30-0.2 +%global generic_release_version 30-0.1 -%global dbus_common_config_opts --enable-libaudit --enable-selinux=yes --with-system-socket=/run/dbus/system_bus_socket --with-dbus-user=dbus --libexecdir=/%{_libexecdir}/dbus-1 --enable-user-session --docdir=%{_pkgdocdir} --enable-installed-tests +%global dbus_common_config_opts --enable-libaudit --enable-selinux=yes --with-system-socket=/run/dbus/system_bus_socket --with-dbus-user=dbus --libexecdir=/%{_libexecdir}/dbus-1 --runstatedir=/run --enable-user-session --docdir=%{_pkgdocdir} --enable-installed-tests # Allow extra dependencies required for some tests to be disabled. %bcond_without tests 
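Review bot: The added comment names `generic-release-0.1`, but the macro defined two lines below it sets `generic_release_version` to `30-0.1`, so the comment and the value disagree on which release first carried the presets. The `Conflicts: generic-release < %{generic_release_version}` lines added later in this spec depend on that value, so a reader should not have to guess which one is right. If the macro is correct, the comment should read `# fedora-release-30-0.2 and generic-release-30-0.1 added required presets to enable systemd-unit symlinks`.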
@@ -18,41 +20,31 @@ Name: dbus Epoch: 1 -Version: 1.12.8 -Release: 26%{?dist} +Version: 1.14.10 +Release: 5%{?dist} Summary: D-BUS message bus -Group: System Environment/Libraries # The effective license of the majority of the package, including the shared # library, is "GPL-2+ or AFL-2.1". Certain utilities are "GPL-2+" only. -License: (GPLv2+ or AFL) and GPLv2+ -URL: http://www.freedesktop.org/Software/dbus/ -#VCS: git:git://git.freedesktop.org/git/dbus/dbus -Source0: https://dbus.freedesktop.org/releases/%{name}/%{name}-%{version}.tar.gz -Source1: 00-start-message-bus.sh -Source2: ssh-x-forwarding.csh -Source3: ssh-x-forwarding.sh -Source4: dbus-kill-process-with-session -Source5: dbus-systemd-sysusers.conf +License: (AFL-2.1 OR GPL-2.0-or-later) AND GPL-2.0-or-later +URL: https://www.freedesktop.org/wiki/Software/dbus/ +Source0: https://dbus.freedesktop.org/releases/%{name}/%{name}-%{version}.tar.xz +Source1: https://dbus.freedesktop.org/releases/%{name}/%{name}-%{version}.tar.xz.asc +# gpg --keyserver keyring.debian.org --recv-keys 36EC5A6448A4F5EF79BEFE98E05AE1478F814C4F +# gpg --export --export-options export-minimal > gpgkey-36EC5A6448A4F5EF79BEFE98E05AE1478F814C4F.gpg +Source2: gpgkey-36EC5A6448A4F5EF79BEFE98E05AE1478F814C4F.gpg +Source3: 00-start-message-bus.sh +Source4: dbus.socket +Source5: dbus-daemon.service +Source6: dbus.user.socket +Source7: dbus-daemon.user.service +Source8: dbus-systemd-sysusers.conf Patch0: 0001-tools-Use-Python3-for-GetAllMatchRules.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=1725570 -Patch1: dbus-1.12.8-fix-CVE-2019-12749.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=1851997 -Patch2: dbus-1.12.8-fix-CVE-2020-12049.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=1839753 -Patch3: dbus-1.12.8-fix-fd-limit-change.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=2133645 -Patch4: dbus-1.20.8-CVE-2022-42010.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=2133639 -Patch5: dbus-1.20.8-CVE-2022-42011.patch 
-# https://bugzilla.redhat.com/show_bug.cgi?id=2133633 -Patch6: dbus-1.20.8-CVE-2022-42012.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=2213400 -Patch7: dbus-1.12.8-fix-CVE-2023-34969.patch BuildRequires: autoconf-archive BuildRequires: libtool BuildRequires: audit-libs-devel >= 0.9 +BuildRequires: gnupg2 BuildRequires: libX11-devel BuildRequires: libcap-ng-devel BuildRequires: pkgconfig(expat) @@ -72,7 +64,6 @@ BuildRequires: cmake %endif #For macroized scriptlets. -%{?systemd_requires} BuildRequires: systemd # Note: These is only required for --with-tests; when bootstrapping, you can @@ -85,8 +76,10 @@ BuildRequires: python3-gobject %if %{with check} BuildRequires: /usr/bin/Xvfb %endif +BuildRequires: make -Requires: %{name}-daemon = %{epoch}:%{version}-%{release} +# Since F30 the default implementation is dbus-broker over dbus-daemon +Requires: dbus-broker >= 16-4 %description D-BUS is a system for sending messages between applications. It is @@ -95,9 +88,9 @@ per-user-login-session messaging facility. %package common Summary: D-BUS message bus configuration -Group: System Environment/Libraries BuildArch: noarch -Requires: /usr/bin/systemctl +Conflicts: fedora-release < %{fedora_release_version} +Conflicts: generic-release < %{generic_release_version} %description common The %{name}-common package provides the configuration and setup files for D-Bus 
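Review bot: The key-export recipe in the comment above `Source2:` runs `gpg --export` with no key argument, so it writes every public key in the packager's keyring into the file that `%{gpgverify}` later uses to check `Source0`. Any extra key in that file would be accepted as a valid signer of the tarball. Name the fingerprint so the keyring holds only the upstream release key: `# gpg --export --export-options export-minimal 36EC5A6448A4F5EF79BEFE98E05AE1478F814C4F > gpgkey-36EC5A6448A4F5EF79BEFE98E05AE1478F814C4F.gpg`. The same hunk drops Patch1 to Patch7 without a comment; a single line saying their fixes are expected to be in 1.14.10 would help, since the diff itself does not show that.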
@@ -105,12 +98,13 @@ implementations to provide a System and User Message Bus. %package daemon Summary: D-BUS message bus -Group: System Environment/Libraries -Requires(pre): /usr/sbin/useradd +Conflicts: fedora-release < %{fedora_release_version} +Conflicts: generic-release < %{generic_release_version} Requires: libselinux%{?_isa} >= %{libselinux_version} Requires: dbus-common = %{epoch}:%{version}-%{release} Requires: dbus-libs%{?_isa} = %{epoch}:%{version}-%{release} Requires: dbus-tools = %{epoch}:%{version}-%{release} +%{?sysusers_requires_compat} %description daemon D-BUS is a system for sending messages between applications. It is @@ -119,7 +113,6 @@ per-user-login-session messaging facility. %package tools Summary: D-BUS Tools and Utilities -Group: Development/Libraries Requires: dbus-libs%{?_isa} = %{epoch}:%{version}-%{release} %description tools @@ -128,16 +121,22 @@ the reference implementation. %package libs Summary: Libraries for accessing D-BUS -Group: Development/Libraries %description libs This package contains lowlevel libraries for accessing D-BUS. +%package doc +Summary: Developer documentation for D-BUS +Requires: %{name}-daemon = %{epoch}:%{version}-%{release} +BuildArch: noarch + +%description doc +This package contains developer documentation for D-Bus along with +other supporting documentation such as the introspect dtd file. + %package devel Summary: Development files for D-BUS -Group: Development/Libraries -# The server package can be a different architecture. -Requires: %{name}-daemon = %{epoch}:%{version}-%{release} +Requires: dbus-libs%{?_isa} = %{epoch}:%{version}-%{release} # For xml directory ownership. Requires: xml-common @@ -147,7 +146,6 @@ developing software that uses D-BUS. %package tests Summary: Tests for the %{name}-daemon package -Group: Development/Libraries Requires: %{name}-daemon%{?_isa} = %{epoch}:%{version}-%{release} %description tests 
@@ -156,11 +154,8 @@ the functionality of the installed %{name}-daemon package. %package x11 Summary: X11-requiring add-ons for D-BUS -Group: Development/Libraries # The server package can be a different architecture. Requires: %{name}-daemon = %{epoch}:%{version}-%{release} -# Used by SSH daemon helper script. -Requires: /usr/bin/gio %description x11 D-BUS contains some tools that require Xlib to be installed, those are @@ -168,6 +163,7 @@ in this separate package so server systems need not install X. %prep +%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' %autosetup -p1 
@@ -178,38 +174,34 @@ if test -f autogen.sh; then env NOCONFIGURE=1 ./autogen.sh; else autoreconf --ve # Call configure here (before the extra directories for the multiple builds # have been created) to ensure that the hardening flag hack is applied to # ltmain.sh -%configure %{dbus_common_config_opts} --disable-doxygen-docs %--enable-ducktype-docs --enable-xml-docs --disable-asserts +%configure %{dbus_common_config_opts} --enable-doxygen-docs --enable-ducktype-docs --enable-xml-docs --disable-asserts make distclean mkdir build pushd build # See /usr/lib/rpm/macros %global _configure ../configure -%configure %{dbus_common_config_opts} --disable-doxygen-docs --enable-ducktype-docs --enable-xml-docs --disable-asserts -make V=1 %{?_smp_mflags} +%configure %{dbus_common_config_opts} --enable-doxygen-docs --enable-ducktype-docs --enable-xml-docs --disable-asserts +%make_build popd %if %{with check} mkdir build-check pushd build-check %configure %{dbus_common_config_opts} --enable-asserts --enable-verbose-mode --enable-tests -make V=1 %{?_smp_mflags} +%make_build popd %endif %install pushd build -make install DESTDIR=%{buildroot} INSTALL="install -p" +%make_install popd # Delete python2 code rm -f %{buildroot}/%{_pkgdocdir}/examples/GetAllMatchRules.py -# Delete docs -rm -f %{buildroot}/%{_pkgdocdir}/examples/*.conf -rm -f %{buildroot}/%{_datadir}/gtk-doc - find %{buildroot} -name '*.a' -type f -delete find %{buildroot} -name '*.la' -type f -delete 
@@ -217,13 +209,21 @@ find %{buildroot} -name '*.la' -type f -delete rm -rf %{buildroot}%{_libdir}/cmake %endif +# Delete upstream units +rm -f %{buildroot}%{_unitdir}/dbus.{socket,service} +rm -f %{buildroot}%{_unitdir}/sockets.target.wants/dbus.socket +rm -f %{buildroot}%{_unitdir}/multi-user.target.wants/dbus.service +rm -f %{buildroot}%{_userunitdir}/dbus.{socket,service} +rm -f %{buildroot}%{_userunitdir}/sockets.target.wants/dbus.socket rm -f %{buildroot}%{_sysusersdir}/dbus.conf -install -Dp -m755 %{SOURCE1} %{buildroot}%{_sysconfdir}/X11/xinit/xinitrc.d/00-start-message-bus.sh -install -Dp -m644 %{SOURCE2} %{buildroot}%{_sysconfdir}/profile.d/ssh-x-forwarding.csh -install -p -m644 %{SOURCE3} %{buildroot}%{_sysconfdir}/profile.d/ -install -Dp -m755 %{SOURCE4} %{buildroot}%{_libexecdir}/dbus-1/dbus-kill-process-with-session -install -Dp -m644 %{SOURCE5} %{buildroot}%{_sysusersdir}/dbus.conf +# Install downstream units +install -Dp -m755 %{SOURCE3} %{buildroot}%{_sysconfdir}/X11/xinit/xinitrc.d/00-start-message-bus.sh +install -Dp -m644 %{SOURCE4} %{buildroot}%{_unitdir}/dbus.socket +install -Dp -m644 %{SOURCE5} %{buildroot}%{_unitdir}/dbus-daemon.service +install -Dp -m644 %{SOURCE6} %{buildroot}%{_userunitdir}/dbus.socket +install -Dp -m644 %{SOURCE7} %{buildroot}%{_userunitdir}/dbus-daemon.service +install -Dp -m644 %{SOURCE8} %{buildroot}%{_sysusersdir}/dbus.conf # Obsolete, but still widely used, for drop-in configuration snippets. install --directory %{buildroot}%{_sysconfdir}/dbus-1/session.d @@ -231,11 +231,6 @@ install --directory %{buildroot}%{_sysconfdir}/dbus-1/system.d install --directory %{buildroot}%{_datadir}/dbus-1/interfaces -# Make sure that when somebody asks for D-Bus under the name of the -# old SysV script, that he ends up with the standard dbus.service name -# now. -ln -s dbus.service %{buildroot}%{_unitdir}/messagebus.service - ## %find_lang %{gettext_package} install --directory %{buildroot}/var/lib/dbus 
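Review bot: The `messagebus.service` compatibility name is no longer guaranteed once the downstream units replace the upstream ones here. The next hunk removes `ln -s dbus.service %{buildroot}%{_unitdir}/messagebus.service`, so the name now comes only from `Alias=dbus.service messagebus.service` in dbus-daemon.service, and systemd creates Alias= links only when that unit is enabled. The main package now requires dbus-broker as the default implementation, and this diff does not show whether dbus-broker supplies the old name. I would record the dependency next to the install lines, for example `# messagebus.service now comes from Alias= in dbus-daemon.service and exists only while that unit is enabled`.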
@@ -244,6 +239,10 @@ install --directory %{buildroot}/run/dbus install -pm 644 -t %{buildroot}%{_pkgdocdir} \ doc/introspect.dtd doc/introspect.xsl doc/system-activation.txt +# Make sure that the documentation shows up in Devhelp. +install --directory %{buildroot}%{_datadir}/gtk-doc/html +ln -s %{_pkgdocdir} %{buildroot}%{_datadir}/gtk-doc/html/dbus + # Shell wrapper for installed tests, modified from Debian package. cat > dbus-run-installed-tests </dev/null || : -/usr/sbin/useradd -c 'System message bus' -u %{dbus_user_uid} -g %{dbus_user_uid} \ - -s /sbin/nologin -r -d '/' dbus 2> /dev/null || : +%sysusers_create_compat %{SOURCE8} + +%post common +%systemd_post dbus.socket +%systemd_user_post dbus.socket %post daemon -%systemd_post dbus.service dbus.socket -%systemd_user_post dbus.service dbus.socket +%systemd_post dbus-daemon.service +%systemd_user_post dbus-daemon.service -%post libs -p /sbin/ldconfig +%preun common +%systemd_preun dbus.socket +%systemd_user_preun dbus.socket %preun daemon -%systemd_preun dbus.service dbus.socket -%systemd_user_preun dbus.service dbus.socket +%systemd_preun dbus-daemon.service +%systemd_user_preun dbus-daemon.service + +%postun common +%systemd_postun dbus.socket +%systemd_user_postun dbus.socket %postun daemon -%systemd_postun dbus.service dbus.socket -%systemd_user_postun dbus.service dbus.socket +%systemd_postun dbus-daemon.service +%systemd_user_postun dbus-daemon.service -%postun libs -p /sbin/ldconfig +%triggerpostun common -- dbus-common < 1:1.12.10-4 +if [ -x /usr/bin/systemctl ]; then + systemctl --no-reload preset dbus.socket &>/dev/null || : + systemctl --no-reload --global preset dbus.socket &>/dev/null || : +fi +%triggerpostun daemon -- dbus-daemon < 1:1.12.10-7 +if [ -x /usr/bin/systemctl ]; then + systemctl --no-reload preset dbus-daemon.service &>/dev/null || : + systemctl --no-reload --global preset dbus-daemon.service &>/dev/null || : +fi %files # The 'dbus' package is only retained for compatibility purposes. 
It will @@ -340,19 +356,24 @@ popd %config %{_sysconfdir}/dbus-1/session.conf %config %{_sysconfdir}/dbus-1/system.conf %dir %{_datadir}/dbus-1 +%dir %{_datadir}/dbus-1/session.d +%dir %{_datadir}/dbus-1/system.d %{_datadir}/dbus-1/session.conf %{_datadir}/dbus-1/system.conf %{_datadir}/dbus-1/services %{_datadir}/dbus-1/system-services %{_datadir}/dbus-1/interfaces %{_sysusersdir}/dbus.conf +%{_unitdir}/dbus.socket +%{_userunitdir}/dbus.socket %files daemon # Strictly speaking, we could remove the COPYING from this subpackage and # just have it be in libs, because dbus Requires dbus-libs. %{!?_licensedir:%global license %%doc} %license COPYING -%doc AUTHORS ChangeLog HACKING NEWS README +%doc AUTHORS CONTRIBUTING.md NEWS README +%exclude %{_pkgdocdir}/api %exclude %{_pkgdocdir}/diagram.* %exclude %{_pkgdocdir}/introspect.* %exclude %{_pkgdocdir}/system-activation.txt @@ -373,14 +394,8 @@ popd %attr(4750,root,dbus) %{_libexecdir}/dbus-1/dbus-daemon-launch-helper %exclude %{_libexecdir}/dbus-1/dbus-run-installed-tests %{_tmpfilesdir}/dbus.conf -%{_unitdir}/dbus.service -%{_unitdir}/dbus.socket -%{_unitdir}/messagebus.service -%{_unitdir}/multi-user.target.wants/dbus.service -%{_unitdir}/sockets.target.wants/dbus.socket -%{_userunitdir}/dbus.service -%{_userunitdir}/dbus.socket -%{_userunitdir}/sockets.target.wants/dbus.socket +%{_unitdir}/dbus-daemon.service +%{_userunitdir}/dbus-daemon.service %files tools %{!?_licensedir:%global license %%doc} @@ -406,11 +421,13 @@ popd %files x11 %{_bindir}/dbus-launch -%{_libexecdir}/dbus-1/dbus-kill-process-with-session %{_mandir}/man1/dbus-launch.1* -%{_sysconfdir}/profile.d/ssh-x-forwarding.* %{_sysconfdir}/X11/xinit/xinitrc.d/00-start-message-bus.sh +%files doc +%{_pkgdocdir}/* +%{_datadir}/gtk-doc + %files devel %{_datadir}/xml/dbus-1 %{_libdir}/lib*.so 
@@ -422,84 +439,173 @@ popd %{_libdir}/pkgconfig/dbus-1.pc %{_includedir}/* + %changelog -* Mon Jun 19 2023 David King - 1.12.8-26 -- Fix CVE-2023-34969 (#2213400) +* Tue Oct 29 2024 Troy Dawson - 1:1.14.10-5 +- Bump release for October 2024 mass rebuild: + Resolves: RHEL-64018 -* Mon Apr 24 2023 Ray Strode - 1.12.8-25 -- Ensure only one dbus-daemon is spawned for all shells sharing - a single connection. - Resolves: #2189201 +* Mon Jun 24 2024 Troy Dawson - 1:1.14.10-4 +- Bump release for June 2024 mass rebuild -* Wed Oct 19 2022 David King - 1:1.12.8-24 -- Fix CVE-2022-42010 (#2133645) -- Fix CVE-2022-42011 (#2133639) -- Fix CVE-2022-42011 (#2133633) +* Wed Jan 24 2024 Fedora Release Engineering - 1:1.14.10-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild -* Tue Sep 06 2022 Ray Strode - 1:1.12.8-23 -- Address race for very short running sessions in SSH - session monitoring script. - Related: #2089362 +* Fri Jan 19 2024 Fedora Release Engineering - 1:1.14.10-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild -* Tue Aug 09 2022 Ray Strode - 1:1.12.8-22 -- Use hangup signal instead of termination signal to - kill sesssion monitoring script to appeach tcsh. - Related: #2089362 +* Fri Sep 01 2023 David King - 1:1.14.10-1 +- Update to 1.14.10 -* Mon Aug 08 2022 David King - 1:1.12.8-20 -- Override sysusers configuration (#2090397) +* Wed Jul 19 2023 Fedora Release Engineering - 1:1.14.8-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild -* Thu Jun 16 2022 Ray Strode - 1:1.12.8-19 -- Ensure SSH session monitoring script is cleaned up when the - session exits. - Resolves: #2089362 +* Tue Jun 06 2023 David King - 1:1.14.8-1 +- Update to 1.14.8 -* Mon Dec 06 2021 Ray Strode - 1.12.8-18 -- Ensure session bus started for SSH sessions gets used by those - sessions. 
- Related: #1940067 +* Wed Feb 08 2023 David King - 1:1.14.6-1 +- Update to 1.14.6 -* Mon Nov 08 2021 David King - 1:1.12.8-17 -- Improve SSH session bus starting (#1940067) +* Thu Jan 19 2023 Fedora Release Engineering - 1:1.14.4-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild -* Thu Jun 10 2021 David King - 1:1.12.8-16 -- Add Conflicts on older redhat-release versions (#1941642) +* Thu Oct 06 2022 David King - 1:1.14.4-1 +- Update to 1.14.4 -* Wed May 26 2021 David King - 1:1.12.8-15 -- Packaging updates from Fedora (#1941642) +* Tue Sep 27 2022 David King - 1:1.14.2-1 +- Update to 1.14.2 -* Tue Apr 27 2021 David King - 1:1.12.8-14 -- Fix dbus-launch call in sh snippet (#1940348) +* Mon Aug 22 2022 Debarshi Ray - 1:1.14.0-5 +- Restore Requires(pre) through %%sysusers_requires_compat -* Tue Mar 23 2021 David King - 1:1.12.8-13 -- Fix raising hard fd limit (#1839753) +* Wed Aug 03 2022 Luca BRUNO - 1:1.14.0-4 +- Align sysusers.d configuration to Fedora user/group allocation (rhbz#2105177) -* Mon Nov 23 2020 David King - 1:1.12.8-12 -- Install X11 SSH forwarding snippets (#1874282) +* Thu Jul 21 2022 Fedora Release Engineering - 1:1.14.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild -* Tue Jun 30 2020 David King - 1:1.12.8-11 -- Fix CVE-2020-12049 (#1851997) +* Tue Jul 12 2022 David King - 1:1.14.0-2 +- Use sysusers.d snippet for user configuration (#2105177) -* Mon Apr 06 2020 David King - 1:1.12.8-10 -- Improve permissions on ghosted /run/dbus (#1797833) +* Thu Mar 10 2022 David King - 1:1.14.0-1 +- Update to 1.14.0 -* Thu Aug 01 2019 David King - 1:1.12.8-9 -- Ensure that patches are applied (#1725570) +* Thu Feb 24 2022 David King - 1:1.13.22-1 +- Update to 1.13.22 -* Tue Jul 09 2019 David King - 1:1.12.8-8 -- Fix CVE-2019-12749 (#1725570) +* Thu Jan 20 2022 Fedora Release Engineering - 1:1.13.20-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild -* Wed Oct 24 2018 Martin Pitt - 1:1.12.8-7 -- 
Fix useradd dependency of dbus-daemon rhbz#1634496 +* Tue Jan 04 2022 David King - 1:1.13.20-2 +- Explicitly specify runstatedir (#2036943) -* Thu Oct 18 2018 Martin Pitt -- Drop unpublished -doc package to fix FTBFS rhbz#1640736 -- Add dist-git smoketest rhbz#1625683 -- Move dbus system user creation to correct package rhbz#1634496 +* Fri Dec 17 2021 David King - 1:1.13.20-1 +- Update to 1.13.20 -* Sat Aug 11 2018 Troy Dawson -- BuildRequire python3-gobject instead of pygobject3 -- Related: bug#1614611 +* Fri Oct 01 2021 Kalev Lember - 1:1.12.20-5 +- Avoid systemd_requires as per updated packaging guidelines + +* Wed Jul 21 2021 Fedora Release Engineering - 1:1.12.20-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Tue Jan 26 2021 Fedora Release Engineering - 1:1.12.20-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Mon Jul 27 2020 Fedora Release Engineering - 1:1.12.20-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Thu Jul 02 2020 David King - 1:1.12.20-1 +- Update to 1.12.20 + +* Tue Jun 02 2020 David King - 1:1.12.18-1 +- Update to 1.12.18 + +* Wed Feb 19 2020 David King - 1:1.12.16-5 +- Verify GPG signature of sources +- Improve permissions on ghosted /run/dbus + +* Fri Jan 31 2020 David King - 1:1.12.16-4 +- Update python2- to python3-gobject + +* Tue Jan 28 2020 Fedora Release Engineering - 1:1.12.16-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Thu Aug 01 2019 David King - 1:1.12.16-3 +- Ensure that patches are applied + +* Wed Jul 24 2019 Fedora Release Engineering - 1:1.12.16-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Tue Jun 11 2019 David King - 1:1.12.16-1 +- Update to 1.12.16 + +* Fri May 17 2019 David King - 1:1.12.14-1 +- Update to 1.12.14 + +* Tue Apr 09 2019 David King - 1:1.12.12-7 +- Improve user and group creation (#1698001) + +* Thu Apr 04 2019 David King - 1:1.12.12-6 +- Own system.d and session.d 
directories (#1696385) + +* Sun Mar 03 2019 Leigh Scott - 1:1.12.12-5 +- Fix f30 FTBFS + +* Mon Feb 04 2019 Kalev Lember - 1:1.12.12-4 +- Update requires for pygobject3 -> python2-gobject rename + +* Thu Jan 31 2019 Fedora Release Engineering - 1:1.12.12-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Fri Dec 14 2018 David King - 1:1.12.12-2 +- Change -devel subpackage to depend on -libs + +* Tue Dec 04 2018 David King - 1:1.12.12-1 +- Update to 1.12.12 + +* Thu Nov 22 2018 David Herrmann - 1:1.12.10-9 +- Switch to dbus-broker as the default implementation + +* Wed Nov 07 2018 Stephen Gallagher - 1:1.12.10-8 +- Fix requirement on system-release + +* Tue Nov 06 2018 Tom Gundersen - 1:1.12.10-7 +- Fix the messagebus.service alias + +* Mon Nov 05 2018 David King - 1:1.12.10-6 +- Add further Requires to subpackages + +* Tue Oct 23 2018 David Herrmann - 1:1.12.10-5 +- Move useradd dependency to daemon subpackage + +* Fri Oct 19 2018 David King - 1:1.12.10-4 +- Move user and group creation to daemon subpackage +- Move systemd to Requires of common subpackage (#1638910) +- Remove unnecessary ldconfig calls + +* Fri Aug 31 2018 Tom Gundersen - 1:1.12.10-3 +- Make sure presets are applied when upgrading from packages before the presets + existed + +* Thu Aug 30 2018 David Herrmann - 1:1.12.10-2 +- Change 'system-release' dependency to 'fedora-release', since otherwise hard + version dependencies are ignored. + +* Fri Aug 10 2018 David Herrmann - 1:1.12.10-2 +- Move generic units into 'dbus-common', so other dbus implementations can use + them as well. + +* Fri Aug 10 2018 David Herrmann - 1:1.12.10-1 +- Add [Install] sections to unit files, rather than creating the symlinks + manually during the installation. This will pick up the systemd-presets + global to Fedora from the 'fedora-release' package. + +* Fri Aug 10 2018 David Herrmann - 1:1.12.10-1 +- Provide custom systemd unit files to replace the upstream units. 
Also rename + the service to 'dbus-daemon.service', but provide an alias to 'dbus.service'. + +* Fri Aug 03 2018 David King - 1:1.12.10-1 +- Update to 1.12.10 * Tue Jul 31 2018 Colin Walters - 1:1.12.8-5 - More python3 diff --git a/dbus.user.socket b/dbus.user.socket new file mode 100644 index 0000000..ad38e34 --- /dev/null +++ b/dbus.user.socket @@ -0,0 +1,9 @@ +[Unit] +Description=D-Bus User Message Bus Socket + +[Socket] +ListenStream=%t/bus +ExecStartPost=-/usr/bin/systemctl --user set-environment DBUS_SESSION_BUS_ADDRESS=unix:path=%t/bus + +[Install] +WantedBy=sockets.target diff --git a/sources b/sources new file mode 100644 index 0000000..dc7e010 --- /dev/null +++ b/sources @@ -0,0 +1,2 @@ +SHA512 (dbus-1.14.10.tar.xz) = 775b708326059692937acb69d4ce1a89e69878501166655b5d1b1628ac31b50dd53d979d93c84e57f95e90b15e25aa33893e51a7421d3537e9c2f02b1b91bfae +SHA512 (gpgkey-36EC5A6448A4F5EF79BEFE98E05AE1478F814C4F.gpg) = f607d7ba7dd932b71b4710b8c9d99bcaf45d8d8b40a4c2aa54416798fdfbc5bbaa26f94b74b1cb4abc84042e44c4037dedead108f7c677c4ef0b3ad6aac0d212
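Review bot: The `[Socket]` section of the new `dbus.user.socket` sets no `SocketMode=`, so the socket at `%t/bus` is created with systemd's default mode of 0666. Filesystem access to it then depends entirely on the permissions of the `%t` runtime directory. If only the owning user's processes are meant to connect, adding `SocketMode=0600` after `ListenStream=%t/bus` would state that intent in the unit itself. Otherwise a comment such as `# Access is limited by the mode of the per-user runtime directory (expected 0700)` would document the assumption. The leading `-` on `ExecStartPost=` also means a failed `set-environment` call is ignored, which deserves a one-line comment.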