Compare commits
No commits in common. "c9-beta" and "c8" have entirely different histories.
@ -1,2 +1 @@
|
|||||||
f7fe130511aeeac40270af38d6892ed63392c7f6 SOURCES/dbus-1.12.20.tar.gz
|
8e50e46796e8297eaa633da3a61cdc79a500e34a SOURCES/dbus-1.12.8.tar.gz
|
||||||
dfffbf214650cd4600454f930c1ebd9919327a11 SOURCES/gpgkey-36EC5A6448A4F5EF79BEFE98E05AE1478F814C4F.gpg
|
|
||||||
|
3
.gitignore
vendored
3
.gitignore
vendored
@ -1,2 +1 @@
|
|||||||
SOURCES/dbus-1.12.20.tar.gz
|
SOURCES/dbus-1.12.8.tar.gz
|
||||||
SOURCES/gpgkey-36EC5A6448A4F5EF79BEFE98E05AE1478F814C4F.gpg
|
|
||||||
|
@ -1,16 +0,0 @@
|
|||||||
-----BEGIN PGP SIGNATURE-----
|
|
||||||
|
|
||||||
iQIzBAABCAAdFiEENuxaZEik9e95vv6Y4FrhR4+BTE8FAl793S8ACgkQ4FrhR4+B
|
|
||||||
TE8Cfg//Ysb9qT9xLUvCCHdmg+efz1DCks9W21MnZ9EN7qIx/mJPZhqpy9nbaHGy
|
|
||||||
xQl2hnYagPZXWy7ly8HpakvzYfjtyRMCd7570n/cMmVXTF5bnfOr1feScrNEEJPc
|
|
||||||
R6LreRPVDPdiKak1bF8VeVLpil89WrtU4xRzcpWxhZLlPiN1ebOSjEKtzaW4sDYB
|
|
||||||
KdLXLRqcVgdm44NZrTB/xic0hJrO6fhTqiJVx6Lc/CoE9FNO+/60/H2PYIWRedSm
|
|
||||||
bEx76RmUJEn1c/+wCyixmiTE0aEWGbKIsTR5mZmnw5BFI9SegQk7cD67kLvqMgpz
|
|
||||||
c+SMl0ivihTgcaH9jPKeg6fEvTTMkuxHQyMgYV5Rwoq0ukTgQ+b+/MjYa5OX0QqY
|
|
||||||
4YLDqNdgVfdNabxAeGvtNoDLwIHuveB151W9/ANTd420uqkWlCjzriEAjyYv8AJt
|
|
||||||
O53dQn6KGos8QmAKyF3dmKKZb7d2XfJLa0byHt84DeM0kAabq7P9ypf4YkbmqLCC
|
|
||||||
Eb8kiP8FbNYaQs9i1L2D4RXK8fnZA88aQVf7yBcILJBsQDI/plZuxmSzZLMBF3dw
|
|
||||||
SxhcGN3ArsoOqqqWnJt65Sxtt95vO9mpOvrHMB9iQWM3X2zVXh+Et8P2QY9HVhCp
|
|
||||||
Xmj3TH9Oc6OjBipqdR8OzdTtc7lnBwjuzMhw6g2S08ZQJovniOE=
|
|
||||||
=cwnZ
|
|
||||||
-----END PGP SIGNATURE-----
|
|
119
SOURCES/dbus-1.12.8-fix-CVE-2019-12749.patch
Normal file
119
SOURCES/dbus-1.12.8-fix-CVE-2019-12749.patch
Normal file
@ -0,0 +1,119 @@
|
|||||||
|
From 47b1a4c41004bf494b87370987b222c934b19016 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Simon McVittie <smcv@collabora.com>
|
||||||
|
Date: Thu, 30 May 2019 12:53:03 +0100
|
||||||
|
Subject: [PATCH] auth: Reject DBUS_COOKIE_SHA1 for users other than the server
|
||||||
|
owner
|
||||||
|
|
||||||
|
The DBUS_COOKIE_SHA1 authentication mechanism aims to prove ownership
|
||||||
|
of a shared home directory by having the server write a secret "cookie"
|
||||||
|
into a .dbus-keyrings subdirectory of the desired identity's home
|
||||||
|
directory with 0700 permissions, and having the client prove that it can
|
||||||
|
read the cookie. This never actually worked for non-malicious clients in
|
||||||
|
the case where server uid != client uid (unless the server and client
|
||||||
|
both have privileges, such as Linux CAP_DAC_OVERRIDE or traditional
|
||||||
|
Unix uid 0) because an unprivileged server would fail to write out the
|
||||||
|
cookie, and an unprivileged client would be unable to read the resulting
|
||||||
|
file owned by the server.
|
||||||
|
|
||||||
|
Additionally, since dbus 1.7.10 we have checked that ~/.dbus-keyrings
|
||||||
|
is owned by the uid of the server (a side-effect of a check added to
|
||||||
|
harden our use of XDG_RUNTIME_DIR), further ruling out successful use
|
||||||
|
by a non-malicious client with a uid differing from the server's.
|
||||||
|
|
||||||
|
Joe Vennix of Apple Information Security discovered that the
|
||||||
|
implementation of DBUS_COOKIE_SHA1 was susceptible to a symbolic link
|
||||||
|
attack: a malicious client with write access to its own home directory
|
||||||
|
could manipulate a ~/.dbus-keyrings symlink to cause the DBusServer to
|
||||||
|
read and write in unintended locations. In the worst case this could
|
||||||
|
result in the DBusServer reusing a cookie that is known to the
|
||||||
|
malicious client, and treating that cookie as evidence that a subsequent
|
||||||
|
client connection came from an attacker-chosen uid, allowing
|
||||||
|
authentication bypass.
|
||||||
|
|
||||||
|
This is mitigated by the fact that by default, the well-known system
|
||||||
|
dbus-daemon (since 2003) and the well-known session dbus-daemon (in
|
||||||
|
stable releases since dbus 1.10.0 in 2015) only accept the EXTERNAL
|
||||||
|
authentication mechanism, and as a result will reject DBUS_COOKIE_SHA1
|
||||||
|
at an early stage, before manipulating cookies. As a result, this
|
||||||
|
vulnerability only applies to:
|
||||||
|
|
||||||
|
* system or session dbus-daemons with non-standard configuration
|
||||||
|
* third-party dbus-daemon invocations such as at-spi2-core (although
|
||||||
|
in practice at-spi2-core also only accepts EXTERNAL by default)
|
||||||
|
* third-party uses of DBusServer such as the one in Upstart
|
||||||
|
|
||||||
|
Avoiding symlink attacks in a portable way is difficult, because APIs
|
||||||
|
like openat() and Linux /proc/self/fd are not universally available.
|
||||||
|
However, because DBUS_COOKIE_SHA1 already doesn't work in practice for
|
||||||
|
a non-matching uid, we can solve this vulnerability in an easier way
|
||||||
|
without regressions, by rejecting it early (before looking at
|
||||||
|
~/.dbus-keyrings) whenever the requested identity doesn't match the
|
||||||
|
identity of the process hosting the DBusServer.
|
||||||
|
|
||||||
|
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
||||||
|
Closes: https://gitlab.freedesktop.org/dbus/dbus/issues/269
|
||||||
|
Closes: CVE-2019-12749
|
||||||
|
---
|
||||||
|
dbus/dbus-auth.c | 32 ++++++++++++++++++++++++++++++++
|
||||||
|
1 file changed, 32 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/dbus/dbus-auth.c b/dbus/dbus-auth.c
|
||||||
|
index 37d8d4c9..7390a9d5 100644
|
||||||
|
--- a/dbus/dbus-auth.c
|
||||||
|
+++ b/dbus/dbus-auth.c
|
||||||
|
@@ -529,6 +529,7 @@ sha1_handle_first_client_response (DBusAuth *auth,
|
||||||
|
DBusString tmp2;
|
||||||
|
dbus_bool_t retval = FALSE;
|
||||||
|
DBusError error = DBUS_ERROR_INIT;
|
||||||
|
+ DBusCredentials *myself = NULL;
|
||||||
|
|
||||||
|
_dbus_string_set_length (&auth->challenge, 0);
|
||||||
|
|
||||||
|
@@ -565,6 +566,34 @@ sha1_handle_first_client_response (DBusAuth *auth,
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ myself = _dbus_credentials_new_from_current_process ();
|
||||||
|
+
|
||||||
|
+ if (myself == NULL)
|
||||||
|
+ goto out;
|
||||||
|
+
|
||||||
|
+ if (!_dbus_credentials_same_user (myself, auth->desired_identity))
|
||||||
|
+ {
|
||||||
|
+ /*
|
||||||
|
+ * DBUS_COOKIE_SHA1 is not suitable for authenticating that the
|
||||||
|
+ * client is anyone other than the user owning the process
|
||||||
|
+ * containing the DBusServer: we probably aren't allowed to write
|
||||||
|
+ * to other users' home directories. Even if we can (for example
|
||||||
|
+ * uid 0 on traditional Unix or CAP_DAC_OVERRIDE on Linux), we
|
||||||
|
+ * must not, because the other user controls their home directory,
|
||||||
|
+ * and could carry out symlink attacks to make us read from or
|
||||||
|
+ * write to unintended locations. It's difficult to avoid symlink
|
||||||
|
+ * attacks in a portable way, so we just don't try. This isn't a
|
||||||
|
+ * regression, because DBUS_COOKIE_SHA1 never worked for other
|
||||||
|
+ * users anyway.
|
||||||
|
+ */
|
||||||
|
+ _dbus_verbose ("%s: client tried to authenticate as \"%s\", "
|
||||||
|
+ "but that doesn't match this process",
|
||||||
|
+ DBUS_AUTH_NAME (auth),
|
||||||
|
+ _dbus_string_get_const_data (data));
|
||||||
|
+ retval = send_rejected (auth);
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
/* we cache the keyring for speed, so here we drop it if it's the
|
||||||
|
* wrong one. FIXME caching the keyring here is useless since we use
|
||||||
|
* a different DBusAuth for every connection.
|
||||||
|
@@ -679,6 +708,9 @@ sha1_handle_first_client_response (DBusAuth *auth,
|
||||||
|
_dbus_string_zero (&tmp2);
|
||||||
|
_dbus_string_free (&tmp2);
|
||||||
|
|
||||||
|
+ if (myself != NULL)
|
||||||
|
+ _dbus_credentials_unref (myself);
|
||||||
|
+
|
||||||
|
return retval;
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
2.21.0
|
||||||
|
|
74
SOURCES/dbus-1.12.8-fix-CVE-2020-12049.patch
Normal file
74
SOURCES/dbus-1.12.8-fix-CVE-2020-12049.patch
Normal file
@ -0,0 +1,74 @@
|
|||||||
|
From 872b085f12f56da25a2dbd9bd0b2dff31d5aea63 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Simon McVittie <smcv@collabora.com>
|
||||||
|
Date: Thu, 16 Apr 2020 14:45:11 +0100
|
||||||
|
Subject: [PATCH] sysdeps-unix: On MSG_CTRUNC, close the fds we did receive
|
||||||
|
|
||||||
|
MSG_CTRUNC indicates that we have received fewer fds that we should
|
||||||
|
have done because the buffer was too small, but we were treating it
|
||||||
|
as though it indicated that we received *no* fds. If we received any,
|
||||||
|
we still have to make sure we close them, otherwise they will be leaked.
|
||||||
|
|
||||||
|
On the system bus, if an attacker can induce us to leak fds in this
|
||||||
|
way, that's a local denial of service via resource exhaustion.
|
||||||
|
|
||||||
|
Reported-by: Kevin Backhouse, GitHub Security Lab
|
||||||
|
Fixes: dbus#294
|
||||||
|
Fixes: CVE-2020-12049
|
||||||
|
Fixes: GHSL-2020-057
|
||||||
|
---
|
||||||
|
dbus/dbus-sysdeps-unix.c | 32 ++++++++++++++++++++------------
|
||||||
|
1 file changed, 20 insertions(+), 12 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/dbus/dbus-sysdeps-unix.c b/dbus/dbus-sysdeps-unix.c
|
||||||
|
index b5fc24663..b176dae1a 100644
|
||||||
|
--- a/dbus/dbus-sysdeps-unix.c
|
||||||
|
+++ b/dbus/dbus-sysdeps-unix.c
|
||||||
|
@@ -435,18 +435,6 @@ _dbus_read_socket_with_unix_fds (DBusSocket fd,
|
||||||
|
struct cmsghdr *cm;
|
||||||
|
dbus_bool_t found = FALSE;
|
||||||
|
|
||||||
|
- if (m.msg_flags & MSG_CTRUNC)
|
||||||
|
- {
|
||||||
|
- /* Hmm, apparently the control data was truncated. The bad
|
||||||
|
- thing is that we might have completely lost a couple of fds
|
||||||
|
- without chance to recover them. Hence let's treat this as a
|
||||||
|
- serious error. */
|
||||||
|
-
|
||||||
|
- errno = ENOSPC;
|
||||||
|
- _dbus_string_set_length (buffer, start);
|
||||||
|
- return -1;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
for (cm = CMSG_FIRSTHDR(&m); cm; cm = CMSG_NXTHDR(&m, cm))
|
||||||
|
if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_RIGHTS)
|
||||||
|
{
|
||||||
|
@@ -501,6 +489,26 @@ _dbus_read_socket_with_unix_fds (DBusSocket fd,
|
||||||
|
if (!found)
|
||||||
|
*n_fds = 0;
|
||||||
|
|
||||||
|
+ if (m.msg_flags & MSG_CTRUNC)
|
||||||
|
+ {
|
||||||
|
+ unsigned int i;
|
||||||
|
+
|
||||||
|
+ /* Hmm, apparently the control data was truncated. The bad
|
||||||
|
+ thing is that we might have completely lost a couple of fds
|
||||||
|
+ without chance to recover them. Hence let's treat this as a
|
||||||
|
+ serious error. */
|
||||||
|
+
|
||||||
|
+ /* We still need to close whatever fds we *did* receive,
|
||||||
|
+ * otherwise they'll never get closed. (CVE-2020-12049) */
|
||||||
|
+ for (i = 0; i < *n_fds; i++)
|
||||||
|
+ close (fds[i]);
|
||||||
|
+
|
||||||
|
+ *n_fds = 0;
|
||||||
|
+ errno = ENOSPC;
|
||||||
|
+ _dbus_string_set_length (buffer, start);
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
/* put length back (doesn't actually realloc) */
|
||||||
|
_dbus_string_set_length (buffer, start + bytes_read);
|
||||||
|
|
||||||
|
--
|
||||||
|
GitLab
|
||||||
|
|
@ -1,7 +1,50 @@
|
|||||||
From b159849e031000d1dbc1ab876b5fc78a3ce9b534 Mon Sep 17 00:00:00 2001
|
From 3a1b1e9a4010e581e2e940e61d37c4f617eb5eff Mon Sep 17 00:00:00 2001
|
||||||
|
From: Simon McVittie <smcv@collabora.com>
|
||||||
|
Date: Mon, 5 Jun 2023 17:56:33 +0100
|
||||||
|
Subject: [PATCH 1/3] monitor test: Log the messages that we monitored
|
||||||
|
|
||||||
|
This is helpful while debugging test failures.
|
||||||
|
|
||||||
|
Helps: dbus/dbus#457
|
||||||
|
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
||||||
|
(cherry picked from commit 8ee5d3e04420975107c27073b50f8758871a998b)
|
||||||
|
---
|
||||||
|
test/monitor.c | 7 +++++++
|
||||||
|
1 file changed, 7 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/test/monitor.c b/test/monitor.c
|
||||||
|
index df5a7180..182110f8 100644
|
||||||
|
--- a/test/monitor.c
|
||||||
|
+++ b/test/monitor.c
|
||||||
|
@@ -196,6 +196,10 @@ _log_message (DBusMessage *m,
|
||||||
|
not_null (dbus_message_get_signature (m)));
|
||||||
|
g_test_message ("\terror name: %s",
|
||||||
|
not_null (dbus_message_get_error_name (m)));
|
||||||
|
+ g_test_message ("\tserial number: %u",
|
||||||
|
+ dbus_message_get_serial (m));
|
||||||
|
+ g_test_message ("\tin reply to: %u",
|
||||||
|
+ dbus_message_get_reply_serial (m));
|
||||||
|
|
||||||
|
if (strcmp ("s", dbus_message_get_signature (m)) == 0)
|
||||||
|
{
|
||||||
|
@@ -339,6 +343,9 @@ monitor_filter (DBusConnection *connection,
|
||||||
|
{
|
||||||
|
Fixture *f = user_data;
|
||||||
|
|
||||||
|
+ g_test_message ("Monitor received message:");
|
||||||
|
+ log_message (message);
|
||||||
|
+
|
||||||
|
g_assert_cmpstr (dbus_message_get_interface (message), !=,
|
||||||
|
"com.example.Tedious");
|
||||||
|
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|
||||||
|
|
||||||
|
From 37a4dc5835731a1f7a81f1b67c45b8dfb556dd1c Mon Sep 17 00:00:00 2001
|
||||||
From: hongjinghao <q1204531485@163.com>
|
From: hongjinghao <q1204531485@163.com>
|
||||||
Date: Mon, 5 Jun 2023 18:17:06 +0100
|
Date: Mon, 5 Jun 2023 18:17:06 +0100
|
||||||
Subject: [PATCH 1/2] bus: Assign a serial number for messages from the driver
|
Subject: [PATCH 2/3] bus: Assign a serial number for messages from the driver
|
||||||
|
|
||||||
Normally, it's enough to rely on a message being given a serial number
|
Normally, it's enough to rely on a message being given a serial number
|
||||||
by the DBusConnection just before it is actually sent. However, in the
|
by the DBusConnection just before it is actually sent. However, in the
|
||||||
@ -23,6 +66,7 @@ the vulnerable code is not reached.
|
|||||||
|
|
||||||
Co-authored-by: Simon McVittie <smcv@collabora.com>
|
Co-authored-by: Simon McVittie <smcv@collabora.com>
|
||||||
Resolves: dbus/dbus#457
|
Resolves: dbus/dbus#457
|
||||||
|
(cherry picked from commit b159849e031000d1dbc1ab876b5fc78a3ce9b534)
|
||||||
---
|
---
|
||||||
bus/connection.c | 15 +++++++++++++++
|
bus/connection.c | 15 +++++++++++++++
|
||||||
dbus/dbus-connection-internal.h | 2 ++
|
dbus/dbus-connection-internal.h | 2 ++
|
||||||
@ -30,10 +74,10 @@ Resolves: dbus/dbus#457
|
|||||||
3 files changed, 27 insertions(+), 1 deletion(-)
|
3 files changed, 27 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
diff --git a/bus/connection.c b/bus/connection.c
|
diff --git a/bus/connection.c b/bus/connection.c
|
||||||
index a41b790b..4d46992c 100644
|
index b3583433..215f0230 100644
|
||||||
--- a/bus/connection.c
|
--- a/bus/connection.c
|
||||||
+++ b/bus/connection.c
|
+++ b/bus/connection.c
|
||||||
@@ -2376,6 +2376,21 @@ bus_transaction_send_from_driver (BusTransaction *transaction,
|
@@ -2350,6 +2350,21 @@ bus_transaction_send_from_driver (BusTransaction *transaction,
|
||||||
if (!dbus_message_set_sender (message, DBUS_SERVICE_DBUS))
|
if (!dbus_message_set_sender (message, DBUS_SERVICE_DBUS))
|
||||||
return FALSE;
|
return FALSE;
|
||||||
|
|
||||||
@ -56,10 +100,10 @@ index a41b790b..4d46992c 100644
|
|||||||
{
|
{
|
||||||
if (!dbus_message_set_destination (message,
|
if (!dbus_message_set_destination (message,
|
||||||
diff --git a/dbus/dbus-connection-internal.h b/dbus/dbus-connection-internal.h
|
diff --git a/dbus/dbus-connection-internal.h b/dbus/dbus-connection-internal.h
|
||||||
index 912b546e..747e6e54 100644
|
index 48357321..ba79b192 100644
|
||||||
--- a/dbus/dbus-connection-internal.h
|
--- a/dbus/dbus-connection-internal.h
|
||||||
+++ b/dbus/dbus-connection-internal.h
|
+++ b/dbus/dbus-connection-internal.h
|
||||||
@@ -57,6 +57,8 @@ DBUS_PRIVATE_EXPORT
|
@@ -54,6 +54,8 @@ DBUS_PRIVATE_EXPORT
|
||||||
DBusConnection * _dbus_connection_ref_unlocked (DBusConnection *connection);
|
DBusConnection * _dbus_connection_ref_unlocked (DBusConnection *connection);
|
||||||
DBUS_PRIVATE_EXPORT
|
DBUS_PRIVATE_EXPORT
|
||||||
void _dbus_connection_unref_unlocked (DBusConnection *connection);
|
void _dbus_connection_unref_unlocked (DBusConnection *connection);
|
||||||
@ -69,10 +113,10 @@ index 912b546e..747e6e54 100644
|
|||||||
DBusList *link);
|
DBusList *link);
|
||||||
dbus_bool_t _dbus_connection_has_messages_to_send_unlocked (DBusConnection *connection);
|
dbus_bool_t _dbus_connection_has_messages_to_send_unlocked (DBusConnection *connection);
|
||||||
diff --git a/dbus/dbus-connection.c b/dbus/dbus-connection.c
|
diff --git a/dbus/dbus-connection.c b/dbus/dbus-connection.c
|
||||||
index 105bdf4e..34380293 100644
|
index c525b6dc..09cef278 100644
|
||||||
--- a/dbus/dbus-connection.c
|
--- a/dbus/dbus-connection.c
|
||||||
+++ b/dbus/dbus-connection.c
|
+++ b/dbus/dbus-connection.c
|
||||||
@@ -1461,7 +1461,16 @@ _dbus_connection_unref_unlocked (DBusConnection *connection)
|
@@ -1456,7 +1456,16 @@ _dbus_connection_unref_unlocked (DBusConnection *connection)
|
||||||
_dbus_connection_last_unref (connection);
|
_dbus_connection_last_unref (connection);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -91,13 +135,13 @@ index 105bdf4e..34380293 100644
|
|||||||
{
|
{
|
||||||
dbus_uint32_t serial;
|
dbus_uint32_t serial;
|
||||||
--
|
--
|
||||||
2.40.1
|
2.41.0
|
||||||
|
|
||||||
|
|
||||||
From 986611ad0f7f67a3693e5672cd66bc608c00b228 Mon Sep 17 00:00:00 2001
|
From 2c699f6ba9c162878c69d0728298c1ab7308db72 Mon Sep 17 00:00:00 2001
|
||||||
From: Simon McVittie <smcv@collabora.com>
|
From: Simon McVittie <smcv@collabora.com>
|
||||||
Date: Mon, 5 Jun 2023 18:51:22 +0100
|
Date: Mon, 5 Jun 2023 18:51:22 +0100
|
||||||
Subject: [PATCH 2/2] monitor test: Reproduce dbus/dbus#457
|
Subject: [PATCH 3/3] monitor test: Reproduce dbus/dbus#457
|
||||||
|
|
||||||
The exact failure mode reported in dbus/dbus#457 is quite difficult
|
The exact failure mode reported in dbus/dbus#457 is quite difficult
|
||||||
to achieve in a reliable way in a unit test, because we'd have to send
|
to achieve in a reliable way in a unit test, because we'd have to send
|
||||||
@ -108,6 +152,7 @@ slightly different way by not allowing the client to receive a
|
|||||||
particular message. I chose NameAcquired.
|
particular message. I chose NameAcquired.
|
||||||
|
|
||||||
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
||||||
|
(cherry picked from commit 986611ad0f7f67a3693e5672cd66bc608c00b228)
|
||||||
---
|
---
|
||||||
.../valid-config-files/forbidding.conf.in | 3 +
|
.../valid-config-files/forbidding.conf.in | 3 +
|
||||||
test/monitor.c | 77 ++++++++++++++++---
|
test/monitor.c | 77 ++++++++++++++++---
|
||||||
@ -127,7 +172,7 @@ index d145613c..58b3cc6a 100644
|
|||||||
</policy>
|
</policy>
|
||||||
</busconfig>
|
</busconfig>
|
||||||
diff --git a/test/monitor.c b/test/monitor.c
|
diff --git a/test/monitor.c b/test/monitor.c
|
||||||
index d5a54b00..846a980c 100644
|
index 182110f8..42e0734d 100644
|
||||||
--- a/test/monitor.c
|
--- a/test/monitor.c
|
||||||
+++ b/test/monitor.c
|
+++ b/test/monitor.c
|
||||||
@@ -155,6 +155,21 @@ static Config side_effects_config = {
|
@@ -155,6 +155,21 @@ static Config side_effects_config = {
|
||||||
@ -199,7 +244,7 @@ index d5a54b00..846a980c 100644
|
|||||||
/* This is called after processing pending replies to our own method
|
/* This is called after processing pending replies to our own method
|
||||||
* calls, but before anything else.
|
* calls, but before anything else.
|
||||||
*/
|
*/
|
||||||
@@ -727,6 +761,11 @@ test_become_monitor (Fixture *f,
|
@@ -797,6 +831,11 @@ test_become_monitor (Fixture *f,
|
||||||
test_assert_no_error (&f->e);
|
test_assert_no_error (&f->e);
|
||||||
g_assert_cmpint (ret, ==, DBUS_REQUEST_NAME_REPLY_PRIMARY_OWNER);
|
g_assert_cmpint (ret, ==, DBUS_REQUEST_NAME_REPLY_PRIMARY_OWNER);
|
||||||
|
|
||||||
@ -211,7 +256,7 @@ index d5a54b00..846a980c 100644
|
|||||||
while (!got_unique || !got_a || !got_b || !got_c)
|
while (!got_unique || !got_a || !got_b || !got_c)
|
||||||
{
|
{
|
||||||
if (g_queue_is_empty (&f->monitored))
|
if (g_queue_is_empty (&f->monitored))
|
||||||
@@ -1378,6 +1417,7 @@ test_dbus_daemon (Fixture *f,
|
@@ -1448,6 +1487,7 @@ test_dbus_daemon (Fixture *f,
|
||||||
{
|
{
|
||||||
DBusMessage *m;
|
DBusMessage *m;
|
||||||
int res;
|
int res;
|
||||||
@ -219,7 +264,7 @@ index d5a54b00..846a980c 100644
|
|||||||
|
|
||||||
if (f->address == NULL)
|
if (f->address == NULL)
|
||||||
return;
|
return;
|
||||||
@@ -1393,7 +1433,12 @@ test_dbus_daemon (Fixture *f,
|
@@ -1463,7 +1503,12 @@ test_dbus_daemon (Fixture *f,
|
||||||
test_assert_no_error (&f->e);
|
test_assert_no_error (&f->e);
|
||||||
g_assert_cmpint (res, ==, DBUS_RELEASE_NAME_REPLY_RELEASED);
|
g_assert_cmpint (res, ==, DBUS_RELEASE_NAME_REPLY_RELEASED);
|
||||||
|
|
||||||
@ -233,7 +278,7 @@ index d5a54b00..846a980c 100644
|
|||||||
test_main_context_iterate (f->ctx, TRUE);
|
test_main_context_iterate (f->ctx, TRUE);
|
||||||
|
|
||||||
m = g_queue_pop_head (&f->monitored);
|
m = g_queue_pop_head (&f->monitored);
|
||||||
@@ -1406,10 +1451,12 @@ test_dbus_daemon (Fixture *f,
|
@@ -1476,10 +1521,12 @@ test_dbus_daemon (Fixture *f,
|
||||||
"NameOwnerChanged", "sss", NULL);
|
"NameOwnerChanged", "sss", NULL);
|
||||||
dbus_message_unref (m);
|
dbus_message_unref (m);
|
||||||
|
|
||||||
@ -249,7 +294,7 @@ index d5a54b00..846a980c 100644
|
|||||||
dbus_message_unref (m);
|
dbus_message_unref (m);
|
||||||
|
|
||||||
m = g_queue_pop_head (&f->monitored);
|
m = g_queue_pop_head (&f->monitored);
|
||||||
@@ -1631,8 +1678,14 @@ static void
|
@@ -1701,8 +1748,14 @@ static void
|
||||||
expect_new_connection (Fixture *f)
|
expect_new_connection (Fixture *f)
|
||||||
{
|
{
|
||||||
DBusMessage *m;
|
DBusMessage *m;
|
||||||
@ -265,7 +310,7 @@ index d5a54b00..846a980c 100644
|
|||||||
test_main_context_iterate (f->ctx, TRUE);
|
test_main_context_iterate (f->ctx, TRUE);
|
||||||
|
|
||||||
m = g_queue_pop_head (&f->monitored);
|
m = g_queue_pop_head (&f->monitored);
|
||||||
@@ -1649,7 +1702,11 @@ expect_new_connection (Fixture *f)
|
@@ -1719,7 +1772,11 @@ expect_new_connection (Fixture *f)
|
||||||
dbus_message_unref (m);
|
dbus_message_unref (m);
|
||||||
|
|
||||||
m = g_queue_pop_head (&f->monitored);
|
m = g_queue_pop_head (&f->monitored);
|
||||||
@ -278,7 +323,7 @@ index d5a54b00..846a980c 100644
|
|||||||
dbus_message_unref (m);
|
dbus_message_unref (m);
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1988,6 +2045,8 @@ main (int argc,
|
@@ -2044,6 +2101,8 @@ main (int argc,
|
||||||
setup, test_method_call, teardown);
|
setup, test_method_call, teardown);
|
||||||
g_test_add ("/monitor/forbidden-method", Fixture, &forbidding_config,
|
g_test_add ("/monitor/forbidden-method", Fixture, &forbidding_config,
|
||||||
setup, test_forbidden_method_call, teardown);
|
setup, test_forbidden_method_call, teardown);
|
||||||
@ -288,5 +333,5 @@ index d5a54b00..846a980c 100644
|
|||||||
setup, test_dbus_daemon, teardown);
|
setup, test_dbus_daemon, teardown);
|
||||||
g_test_add ("/monitor/selective", Fixture, &selective_config,
|
g_test_add ("/monitor/selective", Fixture, &selective_config,
|
||||||
--
|
--
|
||||||
2.40.1
|
2.41.0
|
||||||
|
|
201
SOURCES/dbus-1.12.8-fix-fd-limit-change.patch
Normal file
201
SOURCES/dbus-1.12.8-fix-fd-limit-change.patch
Normal file
@ -0,0 +1,201 @@
|
|||||||
|
From 94bacc6955e563a7e698e53151a75323279a9f45 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Simon McVittie <smcv@collabora.com>
|
||||||
|
Date: Mon, 11 Mar 2019 09:03:39 +0000
|
||||||
|
Subject: [PATCH] bus: Try to raise soft fd limit to match hard limit
|
||||||
|
|
||||||
|
Linux systems have traditionally set the soft limit to 1024 and the hard
|
||||||
|
limit to 4096. Recent versions of systemd keep the soft fd limit at
|
||||||
|
1024 to avoid breaking programs that still use select(), but raise the
|
||||||
|
hard limit to 512*1024, while in recent Debian versions a complicated
|
||||||
|
interaction between components gives a soft limit of 1024 and a hard
|
||||||
|
limit of 1024*1024. If we can, we might as well elevate our soft limit
|
||||||
|
to match the hard limit, minimizing the chance that we will run out of
|
||||||
|
file descriptor slots.
|
||||||
|
|
||||||
|
Unlike the previous code to raise the hard and soft limits to at least
|
||||||
|
65536, we do this even if we don't have privileges: privileges are
|
||||||
|
unnecessary to raise the soft limit up to the hard limit.
|
||||||
|
|
||||||
|
If we *do* have privileges, we also continue to raise the hard and soft
|
||||||
|
limits to at least 65536 if they weren't already that high, making
|
||||||
|
it harder to carry out a denial of service attack on the system bus on
|
||||||
|
systems that use the traditional limit (CVE-2014-7824).
|
||||||
|
|
||||||
|
As was previously the case on the system bus, we'll drop the limits back
|
||||||
|
to our initial limits before we execute a subprocess for traditional
|
||||||
|
(non-systemd) activation, if enabled.
|
||||||
|
|
||||||
|
systemd activation doesn't involve us starting subprocesses at all,
|
||||||
|
so in both cases activated services will still inherit the same limits
|
||||||
|
they did previously.
|
||||||
|
|
||||||
|
This change also fixes a bug when the hard limit is very large but
|
||||||
|
the soft limit is not, for example seen as a regression when upgrading
|
||||||
|
to systemd >= 240 (Debian #928877). In such environments, dbus-daemon
|
||||||
|
would previously have changed its fd limit to 64K soft/64K hard. Because
|
||||||
|
this hard limit is less than its original hard limit, it was unable to
|
||||||
|
restore its original hard limit as intended when carrying out traditional
|
||||||
|
activation, leaving activated subprocesses with unintended limits (while
|
||||||
|
logging a warning).
|
||||||
|
|
||||||
|
Reviewed-by: Lennart Poettering <lennart@poettering.net>
|
||||||
|
[smcv: Correct a comment based on Lennart's review, reword commit message]
|
||||||
|
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
||||||
|
(cherry picked from commit 7eacbfece70f16bb54d0f3ac51f87ae398759ef5)
|
||||||
|
[smcv: Mention that this also fixes Debian #928877]
|
||||||
|
---
|
||||||
|
bus/bus.c | 8 ++---
|
||||||
|
dbus/dbus-sysdeps-util-unix.c | 64 +++++++++++++++++++++--------------
|
||||||
|
dbus/dbus-sysdeps-util-win.c | 3 +-
|
||||||
|
dbus/dbus-sysdeps.h | 3 +-
|
||||||
|
4 files changed, 44 insertions(+), 34 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/bus/bus.c b/bus/bus.c
|
||||||
|
index 30ce4e10..2ad8e789 100644
|
||||||
|
--- a/bus/bus.c
|
||||||
|
+++ b/bus/bus.c
|
||||||
|
@@ -693,11 +693,11 @@ raise_file_descriptor_limit (BusContext *context)
|
||||||
|
/* We used to compute a suitable rlimit based on the configured number
|
||||||
|
* of connections, but that breaks down as soon as we allow fd-passing,
|
||||||
|
* because each connection is allowed to pass 64 fds to us, and if
|
||||||
|
- * they all did, we'd hit kernel limits. We now hard-code 64k as a
|
||||||
|
- * good limit, like systemd does: that's enough to avoid DoS from
|
||||||
|
- * anything short of multiple uids conspiring against us.
|
||||||
|
+ * they all did, we'd hit kernel limits. We now hard-code a good
|
||||||
|
+ * limit that is enough to avoid DoS from anything short of multiple
|
||||||
|
+ * uids conspiring against us, much like systemd does.
|
||||||
|
*/
|
||||||
|
- if (!_dbus_rlimit_raise_fd_limit_if_privileged (65536, &error))
|
||||||
|
+ if (!_dbus_rlimit_raise_fd_limit (&error))
|
||||||
|
{
|
||||||
|
bus_context_log (context, DBUS_SYSTEM_LOG_WARNING,
|
||||||
|
"%s: %s", error.name, error.message);
|
||||||
|
diff --git a/dbus/dbus-sysdeps-util-unix.c b/dbus/dbus-sysdeps-util-unix.c
|
||||||
|
index 2be5b779..7c4c3604 100644
|
||||||
|
--- a/dbus/dbus-sysdeps-util-unix.c
|
||||||
|
+++ b/dbus/dbus-sysdeps-util-unix.c
|
||||||
|
@@ -406,23 +406,15 @@ _dbus_rlimit_save_fd_limit (DBusError *error)
|
||||||
|
return self;
|
||||||
|
}
|
||||||
|
|
||||||
|
+/* Enough fds that we shouldn't run out, even if several uids work
|
||||||
|
+ * together to carry out a denial-of-service attack. This happens to be
|
||||||
|
+ * the same number that systemd < 234 would normally use. */
|
||||||
|
+#define ENOUGH_FDS 65536
|
||||||
|
+
|
||||||
|
dbus_bool_t
|
||||||
|
-_dbus_rlimit_raise_fd_limit_if_privileged (unsigned int desired,
|
||||||
|
- DBusError *error)
|
||||||
|
+_dbus_rlimit_raise_fd_limit (DBusError *error)
|
||||||
|
{
|
||||||
|
- struct rlimit lim;
|
||||||
|
-
|
||||||
|
- /* No point to doing this practically speaking
|
||||||
|
- * if we're not uid 0. We expect the system
|
||||||
|
- * bus to use this before we change UID, and
|
||||||
|
- * the session bus takes the Linux default,
|
||||||
|
- * currently 1024 for cur and 4096 for max.
|
||||||
|
- */
|
||||||
|
- if (getuid () != 0)
|
||||||
|
- {
|
||||||
|
- /* not an error, we're probably the session bus */
|
||||||
|
- return TRUE;
|
||||||
|
- }
|
||||||
|
+ struct rlimit old, lim;
|
||||||
|
|
||||||
|
if (getrlimit (RLIMIT_NOFILE, &lim) < 0)
|
||||||
|
{
|
||||||
|
@@ -431,22 +423,43 @@ _dbus_rlimit_raise_fd_limit_if_privileged (unsigned int desired,
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (lim.rlim_cur == RLIM_INFINITY || lim.rlim_cur >= desired)
|
||||||
|
+ old = lim;
|
||||||
|
+
|
||||||
|
+ if (getuid () == 0)
|
||||||
|
{
|
||||||
|
- /* not an error, everything is fine */
|
||||||
|
- return TRUE;
|
||||||
|
+ /* We are privileged, so raise the soft limit to at least
|
||||||
|
+ * ENOUGH_FDS, and the hard limit to at least the desired soft
|
||||||
|
+ * limit. This assumes we can exercise CAP_SYS_RESOURCE on Linux,
|
||||||
|
+ * or other OSs' equivalents. */
|
||||||
|
+ if (lim.rlim_cur != RLIM_INFINITY &&
|
||||||
|
+ lim.rlim_cur < ENOUGH_FDS)
|
||||||
|
+ lim.rlim_cur = ENOUGH_FDS;
|
||||||
|
+
|
||||||
|
+ if (lim.rlim_max != RLIM_INFINITY &&
|
||||||
|
+ lim.rlim_max < lim.rlim_cur)
|
||||||
|
+ lim.rlim_max = lim.rlim_cur;
|
||||||
|
}
|
||||||
|
|
||||||
|
- /* Ignore "maximum limit", assume we have the "superuser"
|
||||||
|
- * privileges. On Linux this is CAP_SYS_RESOURCE.
|
||||||
|
- */
|
||||||
|
- lim.rlim_cur = lim.rlim_max = desired;
|
||||||
|
+ /* Raise the soft limit to match the hard limit, which we can do even
|
||||||
|
+ * if we are unprivileged. In particular, systemd >= 240 will normally
|
||||||
|
+ * set rlim_cur to 1024 and rlim_max to 512*1024, recent Debian
|
||||||
|
+ * versions end up setting rlim_cur to 1024 and rlim_max to 1024*1024,
|
||||||
|
+ * and older and non-systemd Linux systems would typically set rlim_cur
|
||||||
|
+ * to 1024 and rlim_max to 4096. */
|
||||||
|
+ if (lim.rlim_max == RLIM_INFINITY || lim.rlim_cur < lim.rlim_max)
|
||||||
|
+ lim.rlim_cur = lim.rlim_max;
|
||||||
|
+
|
||||||
|
+ /* Early-return if there is nothing to do. */
|
||||||
|
+ if (lim.rlim_max == old.rlim_max &&
|
||||||
|
+ lim.rlim_cur == old.rlim_cur)
|
||||||
|
+ return TRUE;
|
||||||
|
|
||||||
|
if (setrlimit (RLIMIT_NOFILE, &lim) < 0)
|
||||||
|
{
|
||||||
|
dbus_set_error (error, _dbus_error_from_errno (errno),
|
||||||
|
- "Failed to set fd limit to %u: %s",
|
||||||
|
- desired, _dbus_strerror (errno));
|
||||||
|
+ "Failed to set fd limit to %lu: %s",
|
||||||
|
+ (unsigned long) lim.rlim_cur,
|
||||||
|
+ _dbus_strerror (errno));
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -485,8 +498,7 @@ _dbus_rlimit_save_fd_limit (DBusError *error)
|
||||||
|
}
|
||||||
|
|
||||||
|
dbus_bool_t
|
||||||
|
-_dbus_rlimit_raise_fd_limit_if_privileged (unsigned int desired,
|
||||||
|
- DBusError *error)
|
||||||
|
+_dbus_rlimit_raise_fd_limit (DBusError *error)
|
||||||
|
{
|
||||||
|
fd_limit_not_supported (error);
|
||||||
|
return FALSE;
|
||||||
|
diff --git a/dbus/dbus-sysdeps-util-win.c b/dbus/dbus-sysdeps-util-win.c
|
||||||
|
index 1ef4ae6c..1c1d9f7d 100644
|
||||||
|
--- a/dbus/dbus-sysdeps-util-win.c
|
||||||
|
+++ b/dbus/dbus-sysdeps-util-win.c
|
||||||
|
@@ -273,8 +273,7 @@ _dbus_rlimit_save_fd_limit (DBusError *error)
|
||||||
|
}
|
||||||
|
|
||||||
|
dbus_bool_t
|
||||||
|
-_dbus_rlimit_raise_fd_limit_if_privileged (unsigned int desired,
|
||||||
|
- DBusError *error)
|
||||||
|
+_dbus_rlimit_raise_fd_limit (DBusError *error)
|
||||||
|
{
|
||||||
|
fd_limit_not_supported (error);
|
||||||
|
return FALSE;
|
||||||
|
diff --git a/dbus/dbus-sysdeps.h b/dbus/dbus-sysdeps.h
|
||||||
|
index ef786ecc..0b9d7696 100644
|
||||||
|
--- a/dbus/dbus-sysdeps.h
|
||||||
|
+++ b/dbus/dbus-sysdeps.h
|
||||||
|
@@ -698,8 +698,7 @@ dbus_bool_t _dbus_replace_install_prefix (DBusString *path);
|
||||||
|
typedef struct DBusRLimit DBusRLimit;
|
||||||
|
|
||||||
|
DBusRLimit *_dbus_rlimit_save_fd_limit (DBusError *error);
|
||||||
|
-dbus_bool_t _dbus_rlimit_raise_fd_limit_if_privileged (unsigned int desired,
|
||||||
|
- DBusError *error);
|
||||||
|
+dbus_bool_t _dbus_rlimit_raise_fd_limit (DBusError *error);
|
||||||
|
dbus_bool_t _dbus_rlimit_restore_fd_limit (DBusRLimit *saved,
|
||||||
|
DBusError *error);
|
||||||
|
void _dbus_rlimit_free (DBusRLimit *lim);
|
||||||
|
--
|
||||||
|
GitLab
|
||||||
|
|
@ -1,15 +0,0 @@
|
|||||||
[Unit]
|
|
||||||
Description=D-Bus System Message Bus
|
|
||||||
Documentation=man:dbus-daemon(1)
|
|
||||||
Requires=dbus.socket
|
|
||||||
|
|
||||||
[Service]
|
|
||||||
ExecStart=/usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
|
|
||||||
ExecReload=/usr/bin/dbus-send --print-reply --system --type=method_call --dest=org.freedesktop.DBus / org.freedesktop.DBus.ReloadConfig
|
|
||||||
OOMScoreAdjust=-900
|
|
||||||
|
|
||||||
[Install]
|
|
||||||
# Make sure that services can still refer to this under the name of the
|
|
||||||
# old SysV script (messagebus).
|
|
||||||
Alias=dbus.service messagebus.service
|
|
||||||
WantedBy=multi-user.target
|
|
@ -1,11 +0,0 @@
|
|||||||
[Unit]
|
|
||||||
Description=D-Bus User Message Bus
|
|
||||||
Documentation=man:dbus-daemon(1)
|
|
||||||
Requires=dbus.socket
|
|
||||||
|
|
||||||
[Service]
|
|
||||||
ExecStart=/usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
|
|
||||||
ExecReload=/usr/bin/dbus-send --print-reply --session --type=method_call --dest=org.freedesktop.DBus / org.freedesktop.DBus.ReloadConfig
|
|
||||||
|
|
||||||
[Install]
|
|
||||||
Alias=dbus.service
|
|
30
SOURCES/dbus-kill-process-with-session
Normal file
30
SOURCES/dbus-kill-process-with-session
Normal file
@ -0,0 +1,30 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
# This script ensures the dbus-daemon is killed when the session closes.
|
||||||
|
# It's used by SSH sessions that have X forwarding (since the X display
|
||||||
|
# may outlive the session in those cases)
|
||||||
|
[ $# != 1 ] && exit 1
|
||||||
|
|
||||||
|
exec >& /dev/null
|
||||||
|
|
||||||
|
MONITOR_READY_FILE=$(mktemp dbus-session-monitor.XXXXXX --tmpdir)
|
||||||
|
DBUS_SESSIONS="${XDG_RUNTIME_DIR}/dbus-1/sessions"
|
||||||
|
DBUS_SESSION_ADDRESS_FILE="${DBUS_SESSIONS}/${XDG_SESSION_ID}"
|
||||||
|
|
||||||
|
trap 'rm -f "${MONITOR_READY_FILE}"; rm -f "${DBUS_SESSION_ADDRESS_FILE}"; kill -TERM $1; kill -HUP $(jobs -p)' EXIT
|
||||||
|
|
||||||
|
export GVFS_DISABLE_FUSE=1
|
||||||
|
coproc SESSION_MONITOR (gio monitor -f "/run/systemd/sessions/${XDG_SESSION_ID}" "${MONITOR_READY_FILE}")
|
||||||
|
|
||||||
|
# Poll until the gio monitor command is actively monitoring
|
||||||
|
until
|
||||||
|
touch "${MONITOR_READY_FILE}"
|
||||||
|
read -t 0.5 -u ${SESSION_MONITOR[0]}
|
||||||
|
do
|
||||||
|
continue
|
||||||
|
done
|
||||||
|
|
||||||
|
# Block until the session is closed
|
||||||
|
while grep -q ^State=active <(loginctl show-session $XDG_SESSION_ID)
|
||||||
|
do
|
||||||
|
read -u ${SESSION_MONITOR[0]}
|
||||||
|
done
|
@ -1,8 +0,0 @@
|
|||||||
[Unit]
|
|
||||||
Description=D-Bus System Message Bus Socket
|
|
||||||
|
|
||||||
[Socket]
|
|
||||||
ListenStream=/run/dbus/system_bus_socket
|
|
||||||
|
|
||||||
[Install]
|
|
||||||
WantedBy=sockets.target
|
|
@ -1,9 +0,0 @@
|
|||||||
[Unit]
|
|
||||||
Description=D-Bus User Message Bus Socket
|
|
||||||
|
|
||||||
[Socket]
|
|
||||||
ListenStream=%t/bus
|
|
||||||
ExecStartPost=-/usr/bin/systemctl --user set-environment DBUS_SESSION_BUS_ADDRESS=unix:path=%t/bus
|
|
||||||
|
|
||||||
[Install]
|
|
||||||
WantedBy=sockets.target
|
|
24
SOURCES/ssh-x-forwarding.csh
Normal file
24
SOURCES/ssh-x-forwarding.csh
Normal file
@ -0,0 +1,24 @@
|
|||||||
|
# DBus session bus over SSH with X11 forwarding
|
||||||
|
if ( $?SSH_CONNECTION == 0 ) exit
|
||||||
|
if ( $?XDG_SESSION_ID == 0) exit
|
||||||
|
if ( $?DISPLAY == 0 ) exit
|
||||||
|
if ( $SHLVL > 1 ) exit
|
||||||
|
|
||||||
|
set DBUS_SESSIONS = "${XDG_RUNTIME_DIR}/dbus-1/sessions"
|
||||||
|
set DBUS_SESSION_ADDRESS_FILE = "${DBUS_SESSIONS}/${XDG_SESSION_ID}"
|
||||||
|
|
||||||
|
if ( -e "${DBUS_SESSION_ADDRESS_FILE}" ) then
|
||||||
|
setenv DBUS_SESSION_BUS_ADDRESS "`cat ${DBUS_SESSION_ADDRESS_FILE}`"
|
||||||
|
exit
|
||||||
|
endif
|
||||||
|
|
||||||
|
setenv GDK_BACKEND x11
|
||||||
|
|
||||||
|
eval `dbus-launch --csh-syntax`
|
||||||
|
|
||||||
|
if ( $?DBUS_SESSION_BUS_PID == 0 ) exit
|
||||||
|
|
||||||
|
mkdir -p "${DBUS_SESSIONS}"
|
||||||
|
echo "${DBUS_SESSION_BUS_ADDRESS}" > "${DBUS_SESSION_ADDRESS_FILE}"
|
||||||
|
|
||||||
|
setsid -f /usr/libexec/dbus-1/dbus-kill-process-with-session $DBUS_SESSION_BUS_PID
|
25
SOURCES/ssh-x-forwarding.sh
Normal file
25
SOURCES/ssh-x-forwarding.sh
Normal file
@ -0,0 +1,25 @@
|
|||||||
|
# DBus session bus over SSH with X11 forwarding
|
||||||
|
[ -z "$SSH_CONNECTION" ] && return
|
||||||
|
[ -z "$XDG_SESSION_ID" ] && return
|
||||||
|
[ -z "$DISPLAY" ] && return
|
||||||
|
[ "${DISPLAY:0:1}" = ":" ] && return
|
||||||
|
[ "$SHLVL" -ne 1 ] && return
|
||||||
|
|
||||||
|
DBUS_SESSIONS="${XDG_RUNTIME_DIR}/dbus-1/sessions"
|
||||||
|
DBUS_SESSION_ADDRESS_FILE="${DBUS_SESSIONS}/${XDG_SESSION_ID}"
|
||||||
|
|
||||||
|
if [ -e "${DBUS_SESSION_ADDRESS_FILE}" ]; then
|
||||||
|
export DBUS_SESSION_BUS_ADDRESS="$(cat ${DBUS_SESSION_ADDRESS_FILE})"
|
||||||
|
return
|
||||||
|
fi
|
||||||
|
|
||||||
|
export GDK_BACKEND=x11
|
||||||
|
|
||||||
|
eval `dbus-launch --sh-syntax`
|
||||||
|
|
||||||
|
[ -z "$DBUS_SESSION_BUS_PID" ] && return
|
||||||
|
|
||||||
|
mkdir -p "${DBUS_SESSIONS}"
|
||||||
|
echo "${DBUS_SESSION_BUS_ADDRESS}" > "${DBUS_SESSION_ADDRESS_FILE}"
|
||||||
|
|
||||||
|
setsid -f /usr/libexec/dbus-1/dbus-kill-process-with-session "$DBUS_SESSION_BUS_PID"
|
336
SPECS/dbus.spec
336
SPECS/dbus.spec
@ -5,10 +5,6 @@
|
|||||||
|
|
||||||
%global libselinux_version 2.0.86
|
%global libselinux_version 2.0.86
|
||||||
|
|
||||||
# fedora-release-30-0.2 and generic-release-0.1 added required presets to enable systemd-unit symlinks
|
|
||||||
%global fedora_release_version 30-0.2
|
|
||||||
%global generic_release_version 30-0.1
|
|
||||||
|
|
||||||
%global dbus_user_uid 81
|
%global dbus_user_uid 81
|
||||||
|
|
||||||
%global dbus_common_config_opts --enable-libaudit --enable-selinux=yes --with-system-socket=/run/dbus/system_bus_socket --with-dbus-user=dbus --libexecdir=/%{_libexecdir}/dbus-1 --enable-user-session --docdir=%{_pkgdocdir} --enable-installed-tests
|
%global dbus_common_config_opts --enable-libaudit --enable-selinux=yes --with-system-socket=/run/dbus/system_bus_socket --with-dbus-user=dbus --libexecdir=/%{_libexecdir}/dbus-1 --enable-user-session --docdir=%{_pkgdocdir} --enable-installed-tests
|
||||||
@ -22,40 +18,41 @@
|
|||||||
|
|
||||||
Name: dbus
|
Name: dbus
|
||||||
Epoch: 1
|
Epoch: 1
|
||||||
Version: 1.12.20
|
Version: 1.12.8
|
||||||
Release: 8%{?dist}
|
Release: 26%{?dist}
|
||||||
Summary: D-BUS message bus
|
Summary: D-BUS message bus
|
||||||
|
|
||||||
|
Group: System Environment/Libraries
|
||||||
# The effective license of the majority of the package, including the shared
|
# The effective license of the majority of the package, including the shared
|
||||||
# library, is "GPL-2+ or AFL-2.1". Certain utilities are "GPL-2+" only.
|
# library, is "GPL-2+ or AFL-2.1". Certain utilities are "GPL-2+" only.
|
||||||
License: (GPLv2+ or AFL) and GPLv2+
|
License: (GPLv2+ or AFL) and GPLv2+
|
||||||
URL: http://www.freedesktop.org/Software/dbus/
|
URL: http://www.freedesktop.org/Software/dbus/
|
||||||
#VCS: git:git://git.freedesktop.org/git/dbus/dbus
|
#VCS: git:git://git.freedesktop.org/git/dbus/dbus
|
||||||
Source0: https://dbus.freedesktop.org/releases/%{name}/%{name}-%{version}.tar.gz
|
Source0: https://dbus.freedesktop.org/releases/%{name}/%{name}-%{version}.tar.gz
|
||||||
Source1: https://dbus.freedesktop.org/releases/%{name}/%{name}-%{version}.tar.gz.asc
|
Source1: 00-start-message-bus.sh
|
||||||
# gpg --keyserver keyring.debian.org --recv-keys 36EC5A6448A4F5EF79BEFE98E05AE1478F814C4F
|
Source2: ssh-x-forwarding.csh
|
||||||
# gpg --export --export-options export-minimal > gpgkey-36EC5A6448A4F5EF79BEFE98E05AE1478F814C4F.gpg
|
Source3: ssh-x-forwarding.sh
|
||||||
Source2: gpgkey-36EC5A6448A4F5EF79BEFE98E05AE1478F814C4F.gpg
|
Source4: dbus-kill-process-with-session
|
||||||
Source3: 00-start-message-bus.sh
|
Source5: dbus-systemd-sysusers.conf
|
||||||
Source4: dbus.socket
|
|
||||||
Source5: dbus-daemon.service
|
|
||||||
Source6: dbus.user.socket
|
|
||||||
Source7: dbus-daemon.user.service
|
|
||||||
Source8: dbus-systemd-sysusers.conf
|
|
||||||
Patch0: 0001-tools-Use-Python3-for-GetAllMatchRules.patch
|
Patch0: 0001-tools-Use-Python3-for-GetAllMatchRules.patch
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2133647
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1725570
|
||||||
Patch1: dbus-1.12.20-CVE-2022-42010.patch
|
Patch1: dbus-1.12.8-fix-CVE-2019-12749.patch
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2133641
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1851997
|
||||||
Patch2: dbus-1.12.20-CVE-2022-42011.patch
|
Patch2: dbus-1.12.8-fix-CVE-2020-12049.patch
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2133635
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1839753
|
||||||
Patch3: dbus-1.12.20-CVE-2022-42012.patch
|
Patch3: dbus-1.12.8-fix-fd-limit-change.patch
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2213402
|
# https://bugzilla.redhat.com/show_bug.cgi?id=2133645
|
||||||
Patch4: dbus-1.12.20-CVE-2023-34969.patch
|
Patch4: dbus-1.20.8-CVE-2022-42010.patch
|
||||||
|
# https://bugzilla.redhat.com/show_bug.cgi?id=2133639
|
||||||
|
Patch5: dbus-1.20.8-CVE-2022-42011.patch
|
||||||
|
# https://bugzilla.redhat.com/show_bug.cgi?id=2133633
|
||||||
|
Patch6: dbus-1.20.8-CVE-2022-42012.patch
|
||||||
|
# https://bugzilla.redhat.com/show_bug.cgi?id=2213400
|
||||||
|
Patch7: dbus-1.12.8-fix-CVE-2023-34969.patch
|
||||||
|
|
||||||
BuildRequires: autoconf-archive
|
BuildRequires: autoconf-archive
|
||||||
BuildRequires: libtool
|
BuildRequires: libtool
|
||||||
BuildRequires: audit-libs-devel >= 0.9
|
BuildRequires: audit-libs-devel >= 0.9
|
||||||
BuildRequires: gnupg2
|
|
||||||
BuildRequires: libX11-devel
|
BuildRequires: libX11-devel
|
||||||
BuildRequires: libcap-ng-devel
|
BuildRequires: libcap-ng-devel
|
||||||
BuildRequires: pkgconfig(expat)
|
BuildRequires: pkgconfig(expat)
|
||||||
@ -75,6 +72,7 @@ BuildRequires: cmake
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
#For macroized scriptlets.
|
#For macroized scriptlets.
|
||||||
|
%{?systemd_requires}
|
||||||
BuildRequires: systemd
|
BuildRequires: systemd
|
||||||
|
|
||||||
# Note: These is only required for --with-tests; when bootstrapping, you can
|
# Note: These is only required for --with-tests; when bootstrapping, you can
|
||||||
@ -87,10 +85,8 @@ BuildRequires: python3-gobject
|
|||||||
%if %{with check}
|
%if %{with check}
|
||||||
BuildRequires: /usr/bin/Xvfb
|
BuildRequires: /usr/bin/Xvfb
|
||||||
%endif
|
%endif
|
||||||
BuildRequires: make
|
|
||||||
|
|
||||||
# Since F30 the default implementation is dbus-broker over dbus-daemon
|
Requires: %{name}-daemon = %{epoch}:%{version}-%{release}
|
||||||
Requires: dbus-broker >= 16-4
|
|
||||||
|
|
||||||
%description
|
%description
|
||||||
D-BUS is a system for sending messages between applications. It is
|
D-BUS is a system for sending messages between applications. It is
|
||||||
@ -99,10 +95,8 @@ per-user-login-session messaging facility.
|
|||||||
|
|
||||||
%package common
|
%package common
|
||||||
Summary: D-BUS message bus configuration
|
Summary: D-BUS message bus configuration
|
||||||
|
Group: System Environment/Libraries
|
||||||
BuildArch: noarch
|
BuildArch: noarch
|
||||||
%{?systemd_requires}
|
|
||||||
Conflicts: fedora-release < %{fedora_release_version}
|
|
||||||
Conflicts: generic-release < %{generic_release_version}
|
|
||||||
Requires: /usr/bin/systemctl
|
Requires: /usr/bin/systemctl
|
||||||
|
|
||||||
%description common
|
%description common
|
||||||
@ -111,14 +105,12 @@ implementations to provide a System and User Message Bus.
|
|||||||
|
|
||||||
%package daemon
|
%package daemon
|
||||||
Summary: D-BUS message bus
|
Summary: D-BUS message bus
|
||||||
%{?systemd_requires}
|
Group: System Environment/Libraries
|
||||||
Conflicts: fedora-release < %{fedora_release_version}
|
Requires(pre): /usr/sbin/useradd
|
||||||
Conflicts: generic-release < %{generic_release_version}
|
|
||||||
Requires: libselinux%{?_isa} >= %{libselinux_version}
|
Requires: libselinux%{?_isa} >= %{libselinux_version}
|
||||||
Requires: dbus-common = %{epoch}:%{version}-%{release}
|
Requires: dbus-common = %{epoch}:%{version}-%{release}
|
||||||
Requires: dbus-libs%{?_isa} = %{epoch}:%{version}-%{release}
|
Requires: dbus-libs%{?_isa} = %{epoch}:%{version}-%{release}
|
||||||
Requires: dbus-tools = %{epoch}:%{version}-%{release}
|
Requires: dbus-tools = %{epoch}:%{version}-%{release}
|
||||||
Requires: /usr/bin/systemctl
|
|
||||||
|
|
||||||
%description daemon
|
%description daemon
|
||||||
D-BUS is a system for sending messages between applications. It is
|
D-BUS is a system for sending messages between applications. It is
|
||||||
@ -127,6 +119,7 @@ per-user-login-session messaging facility.
|
|||||||
|
|
||||||
%package tools
|
%package tools
|
||||||
Summary: D-BUS Tools and Utilities
|
Summary: D-BUS Tools and Utilities
|
||||||
|
Group: Development/Libraries
|
||||||
Requires: dbus-libs%{?_isa} = %{epoch}:%{version}-%{release}
|
Requires: dbus-libs%{?_isa} = %{epoch}:%{version}-%{release}
|
||||||
|
|
||||||
%description tools
|
%description tools
|
||||||
@ -135,22 +128,16 @@ the reference implementation.
|
|||||||
|
|
||||||
%package libs
|
%package libs
|
||||||
Summary: Libraries for accessing D-BUS
|
Summary: Libraries for accessing D-BUS
|
||||||
|
Group: Development/Libraries
|
||||||
|
|
||||||
%description libs
|
%description libs
|
||||||
This package contains lowlevel libraries for accessing D-BUS.
|
This package contains lowlevel libraries for accessing D-BUS.
|
||||||
|
|
||||||
%package doc
|
|
||||||
Summary: Developer documentation for D-BUS
|
|
||||||
Requires: %{name}-daemon = %{epoch}:%{version}-%{release}
|
|
||||||
BuildArch: noarch
|
|
||||||
|
|
||||||
%description doc
|
|
||||||
This package contains developer documentation for D-Bus along with
|
|
||||||
other supporting documentation such as the introspect dtd file.
|
|
||||||
|
|
||||||
%package devel
|
%package devel
|
||||||
Summary: Development files for D-BUS
|
Summary: Development files for D-BUS
|
||||||
Requires: dbus-libs%{?_isa} = %{epoch}:%{version}-%{release}
|
Group: Development/Libraries
|
||||||
|
# The server package can be a different architecture.
|
||||||
|
Requires: %{name}-daemon = %{epoch}:%{version}-%{release}
|
||||||
# For xml directory ownership.
|
# For xml directory ownership.
|
||||||
Requires: xml-common
|
Requires: xml-common
|
||||||
|
|
||||||
@ -160,6 +147,7 @@ developing software that uses D-BUS.
|
|||||||
|
|
||||||
%package tests
|
%package tests
|
||||||
Summary: Tests for the %{name}-daemon package
|
Summary: Tests for the %{name}-daemon package
|
||||||
|
Group: Development/Libraries
|
||||||
Requires: %{name}-daemon%{?_isa} = %{epoch}:%{version}-%{release}
|
Requires: %{name}-daemon%{?_isa} = %{epoch}:%{version}-%{release}
|
||||||
|
|
||||||
%description tests
|
%description tests
|
||||||
@ -168,8 +156,11 @@ the functionality of the installed %{name}-daemon package.
|
|||||||
|
|
||||||
%package x11
|
%package x11
|
||||||
Summary: X11-requiring add-ons for D-BUS
|
Summary: X11-requiring add-ons for D-BUS
|
||||||
|
Group: Development/Libraries
|
||||||
# The server package can be a different architecture.
|
# The server package can be a different architecture.
|
||||||
Requires: %{name}-daemon = %{epoch}:%{version}-%{release}
|
Requires: %{name}-daemon = %{epoch}:%{version}-%{release}
|
||||||
|
# Used by SSH daemon helper script.
|
||||||
|
Requires: /usr/bin/gio
|
||||||
|
|
||||||
%description x11
|
%description x11
|
||||||
D-BUS contains some tools that require Xlib to be installed, those are
|
D-BUS contains some tools that require Xlib to be installed, those are
|
||||||
@ -177,7 +168,6 @@ in this separate package so server systems need not install X.
|
|||||||
|
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
|
|
||||||
%autosetup -p1
|
%autosetup -p1
|
||||||
|
|
||||||
|
|
||||||
@ -188,14 +178,14 @@ if test -f autogen.sh; then env NOCONFIGURE=1 ./autogen.sh; else autoreconf --ve
|
|||||||
# Call configure here (before the extra directories for the multiple builds
|
# Call configure here (before the extra directories for the multiple builds
|
||||||
# have been created) to ensure that the hardening flag hack is applied to
|
# have been created) to ensure that the hardening flag hack is applied to
|
||||||
# ltmain.sh
|
# ltmain.sh
|
||||||
%configure %{dbus_common_config_opts} --enable-doxygen-docs --enable-ducktype-docs --enable-xml-docs --disable-asserts
|
%configure %{dbus_common_config_opts} --disable-doxygen-docs %--enable-ducktype-docs --enable-xml-docs --disable-asserts
|
||||||
make distclean
|
make distclean
|
||||||
|
|
||||||
mkdir build
|
mkdir build
|
||||||
pushd build
|
pushd build
|
||||||
# See /usr/lib/rpm/macros
|
# See /usr/lib/rpm/macros
|
||||||
%global _configure ../configure
|
%global _configure ../configure
|
||||||
%configure %{dbus_common_config_opts} --enable-doxygen-docs --enable-ducktype-docs --enable-xml-docs --disable-asserts
|
%configure %{dbus_common_config_opts} --disable-doxygen-docs --enable-ducktype-docs --enable-xml-docs --disable-asserts
|
||||||
make V=1 %{?_smp_mflags}
|
make V=1 %{?_smp_mflags}
|
||||||
popd
|
popd
|
||||||
|
|
||||||
@ -216,6 +206,10 @@ popd
|
|||||||
# Delete python2 code
|
# Delete python2 code
|
||||||
rm -f %{buildroot}/%{_pkgdocdir}/examples/GetAllMatchRules.py
|
rm -f %{buildroot}/%{_pkgdocdir}/examples/GetAllMatchRules.py
|
||||||
|
|
||||||
|
# Delete docs
|
||||||
|
rm -f %{buildroot}/%{_pkgdocdir}/examples/*.conf
|
||||||
|
rm -f %{buildroot}/%{_datadir}/gtk-doc
|
||||||
|
|
||||||
find %{buildroot} -name '*.a' -type f -delete
|
find %{buildroot} -name '*.a' -type f -delete
|
||||||
find %{buildroot} -name '*.la' -type f -delete
|
find %{buildroot} -name '*.la' -type f -delete
|
||||||
|
|
||||||
@ -223,21 +217,13 @@ find %{buildroot} -name '*.la' -type f -delete
|
|||||||
rm -rf %{buildroot}%{_libdir}/cmake
|
rm -rf %{buildroot}%{_libdir}/cmake
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
# Delete upstream units
|
|
||||||
rm -f %{buildroot}%{_unitdir}/dbus.{socket,service}
|
|
||||||
rm -f %{buildroot}%{_unitdir}/sockets.target.wants/dbus.socket
|
|
||||||
rm -f %{buildroot}%{_unitdir}/multi-user.target.wants/dbus.service
|
|
||||||
rm -f %{buildroot}%{_userunitdir}/dbus.{socket,service}
|
|
||||||
rm -f %{buildroot}%{_userunitdir}/sockets.target.wants/dbus.socket
|
|
||||||
rm -f %{buildroot}%{_sysusersdir}/dbus.conf
|
rm -f %{buildroot}%{_sysusersdir}/dbus.conf
|
||||||
|
|
||||||
# Install downstream units
|
install -Dp -m755 %{SOURCE1} %{buildroot}%{_sysconfdir}/X11/xinit/xinitrc.d/00-start-message-bus.sh
|
||||||
install -Dp -m755 %{SOURCE3} %{buildroot}%{_sysconfdir}/X11/xinit/xinitrc.d/00-start-message-bus.sh
|
install -Dp -m644 %{SOURCE2} %{buildroot}%{_sysconfdir}/profile.d/ssh-x-forwarding.csh
|
||||||
install -Dp -m644 %{SOURCE4} %{buildroot}%{_unitdir}/dbus.socket
|
install -p -m644 %{SOURCE3} %{buildroot}%{_sysconfdir}/profile.d/
|
||||||
install -Dp -m644 %{SOURCE5} %{buildroot}%{_unitdir}/dbus-daemon.service
|
install -Dp -m755 %{SOURCE4} %{buildroot}%{_libexecdir}/dbus-1/dbus-kill-process-with-session
|
||||||
install -Dp -m644 %{SOURCE6} %{buildroot}%{_userunitdir}/dbus.socket
|
install -Dp -m644 %{SOURCE5} %{buildroot}%{_sysusersdir}/dbus.conf
|
||||||
install -Dp -m644 %{SOURCE7} %{buildroot}%{_userunitdir}/dbus-daemon.service
|
|
||||||
install -Dp -m644 %{SOURCE8} %{buildroot}%{_sysusersdir}/dbus.conf
|
|
||||||
|
|
||||||
# Obsolete, but still widely used, for drop-in configuration snippets.
|
# Obsolete, but still widely used, for drop-in configuration snippets.
|
||||||
install --directory %{buildroot}%{_sysconfdir}/dbus-1/session.d
|
install --directory %{buildroot}%{_sysconfdir}/dbus-1/session.d
|
||||||
@ -245,6 +231,11 @@ install --directory %{buildroot}%{_sysconfdir}/dbus-1/system.d
|
|||||||
|
|
||||||
install --directory %{buildroot}%{_datadir}/dbus-1/interfaces
|
install --directory %{buildroot}%{_datadir}/dbus-1/interfaces
|
||||||
|
|
||||||
|
# Make sure that when somebody asks for D-Bus under the name of the
|
||||||
|
# old SysV script, that he ends up with the standard dbus.service name
|
||||||
|
# now.
|
||||||
|
ln -s dbus.service %{buildroot}%{_unitdir}/messagebus.service
|
||||||
|
|
||||||
## %find_lang %{gettext_package}
|
## %find_lang %{gettext_package}
|
||||||
|
|
||||||
install --directory %{buildroot}/var/lib/dbus
|
install --directory %{buildroot}/var/lib/dbus
|
||||||
@ -253,10 +244,6 @@ install --directory %{buildroot}/run/dbus
|
|||||||
install -pm 644 -t %{buildroot}%{_pkgdocdir} \
|
install -pm 644 -t %{buildroot}%{_pkgdocdir} \
|
||||||
doc/introspect.dtd doc/introspect.xsl doc/system-activation.txt
|
doc/introspect.dtd doc/introspect.xsl doc/system-activation.txt
|
||||||
|
|
||||||
# Make sure that the documentation shows up in Devhelp.
|
|
||||||
install --directory %{buildroot}%{_datadir}/gtk-doc/html
|
|
||||||
ln -s %{_pkgdocdir} %{buildroot}%{_datadir}/gtk-doc/html/dbus
|
|
||||||
|
|
||||||
# Shell wrapper for installed tests, modified from Debian package.
|
# Shell wrapper for installed tests, modified from Debian package.
|
||||||
cat > dbus-run-installed-tests <<EOF
|
cat > dbus-run-installed-tests <<EOF
|
||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
@ -316,39 +303,27 @@ popd
|
|||||||
|
|
||||||
|
|
||||||
%pre daemon
|
%pre daemon
|
||||||
%sysusers_create_compat %{SOURCE8}
|
# Add the "dbus" user and group
|
||||||
|
/usr/sbin/groupadd -r -g %{dbus_user_uid} dbus 2>/dev/null || :
|
||||||
%post common
|
/usr/sbin/useradd -c 'System message bus' -u %{dbus_user_uid} -g %{dbus_user_uid} \
|
||||||
%systemd_post dbus.socket
|
-s /sbin/nologin -r -d '/' dbus 2> /dev/null || :
|
||||||
%systemd_user_post dbus.socket
|
|
||||||
|
|
||||||
%post daemon
|
%post daemon
|
||||||
%systemd_post dbus-daemon.service
|
%systemd_post dbus.service dbus.socket
|
||||||
%systemd_user_post dbus-daemon.service
|
%systemd_user_post dbus.service dbus.socket
|
||||||
|
|
||||||
%preun common
|
%post libs -p /sbin/ldconfig
|
||||||
%systemd_preun dbus.socket
|
|
||||||
%systemd_user_preun dbus.socket
|
|
||||||
|
|
||||||
%preun daemon
|
%preun daemon
|
||||||
%systemd_preun dbus-daemon.service
|
%systemd_preun dbus.service dbus.socket
|
||||||
%systemd_user_preun dbus-daemon.service
|
%systemd_user_preun dbus.service dbus.socket
|
||||||
|
|
||||||
%postun common
|
|
||||||
%systemd_postun dbus.socket
|
|
||||||
%systemd_user_postun dbus.socket
|
|
||||||
|
|
||||||
%postun daemon
|
%postun daemon
|
||||||
%systemd_postun dbus-daemon.service
|
%systemd_postun dbus.service dbus.socket
|
||||||
%systemd_user_postun dbus-daemon.service
|
%systemd_user_postun dbus.service dbus.socket
|
||||||
|
|
||||||
%triggerpostun common -- dbus-common < 1:1.12.10-4
|
%postun libs -p /sbin/ldconfig
|
||||||
systemctl --no-reload preset dbus.socket &>/dev/null || :
|
|
||||||
systemctl --no-reload --global preset dbus.socket &>/dev/null || :
|
|
||||||
|
|
||||||
%triggerpostun daemon -- dbus-daemon < 1:1.12.10-7
|
|
||||||
systemctl --no-reload preset dbus-daemon.service &>/dev/null || :
|
|
||||||
systemctl --no-reload --global preset dbus-daemon.service &>/dev/null || :
|
|
||||||
|
|
||||||
%files
|
%files
|
||||||
# The 'dbus' package is only retained for compatibility purposes. It will
|
# The 'dbus' package is only retained for compatibility purposes. It will
|
||||||
@ -365,25 +340,19 @@ systemctl --no-reload --global preset dbus-daemon.service &>/dev/null || :
|
|||||||
%config %{_sysconfdir}/dbus-1/session.conf
|
%config %{_sysconfdir}/dbus-1/session.conf
|
||||||
%config %{_sysconfdir}/dbus-1/system.conf
|
%config %{_sysconfdir}/dbus-1/system.conf
|
||||||
%dir %{_datadir}/dbus-1
|
%dir %{_datadir}/dbus-1
|
||||||
%dir %{_datadir}/dbus-1/session.d
|
|
||||||
%dir %{_datadir}/dbus-1/system.d
|
|
||||||
%{_datadir}/dbus-1/session.conf
|
%{_datadir}/dbus-1/session.conf
|
||||||
%{_datadir}/dbus-1/system.conf
|
%{_datadir}/dbus-1/system.conf
|
||||||
%{_datadir}/dbus-1/services
|
%{_datadir}/dbus-1/services
|
||||||
%{_datadir}/dbus-1/system-services
|
%{_datadir}/dbus-1/system-services
|
||||||
%{_datadir}/dbus-1/interfaces
|
%{_datadir}/dbus-1/interfaces
|
||||||
%{_sysusersdir}/dbus.conf
|
%{_sysusersdir}/dbus.conf
|
||||||
%{_unitdir}/dbus.socket
|
|
||||||
%{_userunitdir}/dbus.socket
|
|
||||||
|
|
||||||
%files daemon
|
%files daemon
|
||||||
# Strictly speaking, we could remove the COPYING from this subpackage and
|
# Strictly speaking, we could remove the COPYING from this subpackage and
|
||||||
# just have it be in libs, because dbus Requires dbus-libs.
|
# just have it be in libs, because dbus Requires dbus-libs.
|
||||||
%{!?_licensedir:%global license %%doc}
|
%{!?_licensedir:%global license %%doc}
|
||||||
%license COPYING
|
%license COPYING
|
||||||
%doc AUTHORS ChangeLog CONTRIBUTING.md NEWS README
|
%doc AUTHORS ChangeLog HACKING NEWS README
|
||||||
%exclude %{_pkgdocdir}/api
|
|
||||||
%exclude %{_pkgdocdir}/dbus.devhelp
|
|
||||||
%exclude %{_pkgdocdir}/diagram.*
|
%exclude %{_pkgdocdir}/diagram.*
|
||||||
%exclude %{_pkgdocdir}/introspect.*
|
%exclude %{_pkgdocdir}/introspect.*
|
||||||
%exclude %{_pkgdocdir}/system-activation.txt
|
%exclude %{_pkgdocdir}/system-activation.txt
|
||||||
@ -404,8 +373,14 @@ systemctl --no-reload --global preset dbus-daemon.service &>/dev/null || :
|
|||||||
%attr(4750,root,dbus) %{_libexecdir}/dbus-1/dbus-daemon-launch-helper
|
%attr(4750,root,dbus) %{_libexecdir}/dbus-1/dbus-daemon-launch-helper
|
||||||
%exclude %{_libexecdir}/dbus-1/dbus-run-installed-tests
|
%exclude %{_libexecdir}/dbus-1/dbus-run-installed-tests
|
||||||
%{_tmpfilesdir}/dbus.conf
|
%{_tmpfilesdir}/dbus.conf
|
||||||
%{_unitdir}/dbus-daemon.service
|
%{_unitdir}/dbus.service
|
||||||
%{_userunitdir}/dbus-daemon.service
|
%{_unitdir}/dbus.socket
|
||||||
|
%{_unitdir}/messagebus.service
|
||||||
|
%{_unitdir}/multi-user.target.wants/dbus.service
|
||||||
|
%{_unitdir}/sockets.target.wants/dbus.socket
|
||||||
|
%{_userunitdir}/dbus.service
|
||||||
|
%{_userunitdir}/dbus.socket
|
||||||
|
%{_userunitdir}/sockets.target.wants/dbus.socket
|
||||||
|
|
||||||
%files tools
|
%files tools
|
||||||
%{!?_licensedir:%global license %%doc}
|
%{!?_licensedir:%global license %%doc}
|
||||||
@ -431,18 +406,11 @@ systemctl --no-reload --global preset dbus-daemon.service &>/dev/null || :
|
|||||||
|
|
||||||
%files x11
|
%files x11
|
||||||
%{_bindir}/dbus-launch
|
%{_bindir}/dbus-launch
|
||||||
|
%{_libexecdir}/dbus-1/dbus-kill-process-with-session
|
||||||
%{_mandir}/man1/dbus-launch.1*
|
%{_mandir}/man1/dbus-launch.1*
|
||||||
|
%{_sysconfdir}/profile.d/ssh-x-forwarding.*
|
||||||
%{_sysconfdir}/X11/xinit/xinitrc.d/00-start-message-bus.sh
|
%{_sysconfdir}/X11/xinit/xinitrc.d/00-start-message-bus.sh
|
||||||
|
|
||||||
%files doc
|
|
||||||
%{_pkgdocdir}/*
|
|
||||||
%{_datadir}/gtk-doc
|
|
||||||
%exclude %{_pkgdocdir}/AUTHORS
|
|
||||||
%exclude %{_pkgdocdir}/ChangeLog
|
|
||||||
%exclude %{_pkgdocdir}/HACKING
|
|
||||||
%exclude %{_pkgdocdir}/NEWS
|
|
||||||
%exclude %{_pkgdocdir}/README
|
|
||||||
|
|
||||||
%files devel
|
%files devel
|
||||||
%{_datadir}/xml/dbus-1
|
%{_datadir}/xml/dbus-1
|
||||||
%{_libdir}/lib*.so
|
%{_libdir}/lib*.so
|
||||||
@ -454,124 +422,84 @@ systemctl --no-reload --global preset dbus-daemon.service &>/dev/null || :
|
|||||||
%{_libdir}/pkgconfig/dbus-1.pc
|
%{_libdir}/pkgconfig/dbus-1.pc
|
||||||
%{_includedir}/*
|
%{_includedir}/*
|
||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Mon Jun 12 2023 David King <amigadave@amigadave.com> - 1:1.12.20-8
|
* Mon Jun 19 2023 David King <amigadave@amigadave.com> - 1.12.8-26
|
||||||
- Fix CVE-2023-34969 (#2213402)
|
- Fix CVE-2023-34969 (#2213400)
|
||||||
|
|
||||||
* Tue Oct 18 2022 David King <amigadave@amigadave.com> - 1:1.12.20-7
|
* Mon Apr 24 2023 Ray Strode <rstrode@redhat.com> - 1.12.8-25
|
||||||
- Fix CVE-2022-42010 (#2133647)
|
- Ensure only one dbus-daemon is spawned for all shells sharing
|
||||||
- Fix CVE-2022-42011 (#2133641)
|
a single connection.
|
||||||
- Fix CVE-2022-42012 (#2133635)
|
Resolves: #2189201
|
||||||
|
|
||||||
* Wed Aug 17 2022 David King <amigadave@amigadave.com> - 1:1.12.20-6
|
* Wed Oct 19 2022 David King <dking@redhat.com> - 1:1.12.8-24
|
||||||
- Override upstream sysusers.d confguration (#2118226)
|
- Fix CVE-2022-42010 (#2133645)
|
||||||
|
- Fix CVE-2022-42011 (#2133639)
|
||||||
|
- Fix CVE-2022-42011 (#2133633)
|
||||||
|
|
||||||
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1:1.12.20-5
|
* Tue Sep 06 2022 Ray Strode <rstrode@redhat.com> - 1:1.12.8-23
|
||||||
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
- Address race for very short running sessions in SSH
|
||||||
Related: rhbz#1991688
|
session monitoring script.
|
||||||
|
Related: #2089362
|
||||||
|
|
||||||
* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 1:1.12.20-4
|
* Tue Aug 09 2022 Ray Strode <rstrode@redhat.com> - 1:1.12.8-22
|
||||||
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
|
- Use hangup signal instead of termination signal to
|
||||||
|
kill sesssion monitoring script to appeach tcsh.
|
||||||
|
Related: #2089362
|
||||||
|
|
||||||
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.12.20-3
|
* Mon Aug 08 2022 David King <dking@redhat.com> - 1:1.12.8-20
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
- Override sysusers configuration (#2090397)
|
||||||
|
|
||||||
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.12.20-2
|
* Thu Jun 16 2022 Ray Strode <rstrode@redhat.com> - 1:1.12.8-19
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
- Ensure SSH session monitoring script is cleaned up when the
|
||||||
|
session exits.
|
||||||
|
Resolves: #2089362
|
||||||
|
|
||||||
* Thu Jul 02 2020 David King <amigadave@amigadave.com> - 1:1.12.20-1
|
* Mon Dec 06 2021 Ray Strode <rstrode@redhat.com> - 1.12.8-18
|
||||||
- Update to 1.12.20
|
- Ensure session bus started for SSH sessions gets used by those
|
||||||
|
sessions.
|
||||||
|
Related: #1940067
|
||||||
|
|
||||||
* Tue Jun 02 2020 David King <amigadave@amigadave.com> - 1:1.12.18-1
|
* Mon Nov 08 2021 David King <dking@redhat.com> - 1:1.12.8-17
|
||||||
- Update to 1.12.18
|
- Improve SSH session bus starting (#1940067)
|
||||||
|
|
||||||
* Wed Feb 19 2020 David King <amigadave@amigadave.com> - 1:1.12.16-5
|
* Thu Jun 10 2021 David King <dking@redhat.com> - 1:1.12.8-16
|
||||||
- Verify GPG signature of sources
|
- Add Conflicts on older redhat-release versions (#1941642)
|
||||||
- Improve permissions on ghosted /run/dbus
|
|
||||||
|
|
||||||
* Fri Jan 31 2020 David King <amigadave@amigadave.com> - 1:1.12.16-4
|
* Wed May 26 2021 David King <dking@redhat.com> - 1:1.12.8-15
|
||||||
- Update python2- to python3-gobject
|
- Packaging updates from Fedora (#1941642)
|
||||||
|
|
||||||
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.12.16-4
|
* Tue Apr 27 2021 David King <dking@redhat.com> - 1:1.12.8-14
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
- Fix dbus-launch call in sh snippet (#1940348)
|
||||||
|
|
||||||
* Thu Aug 01 2019 David King <amigadave@amigadave.com> - 1:1.12.16-3
|
* Tue Mar 23 2021 David King <dking@redhat.com> - 1:1.12.8-13
|
||||||
- Ensure that patches are applied
|
- Fix raising hard fd limit (#1839753)
|
||||||
|
|
||||||
* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.12.16-2
|
* Mon Nov 23 2020 David King <dking@redhat.com> - 1:1.12.8-12
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
- Install X11 SSH forwarding snippets (#1874282)
|
||||||
|
|
||||||
* Tue Jun 11 2019 David King <amigadave@amigadave.com> - 1:1.12.16-1
|
* Tue Jun 30 2020 David King <dking@redhat.com> - 1:1.12.8-11
|
||||||
- Update to 1.12.16
|
- Fix CVE-2020-12049 (#1851997)
|
||||||
|
|
||||||
* Fri May 17 2019 David King <amigadave@amigadave.com> - 1:1.12.14-1
|
* Mon Apr 06 2020 David King <dking@redhat.com> - 1:1.12.8-10
|
||||||
- Update to 1.12.14
|
- Improve permissions on ghosted /run/dbus (#1797833)
|
||||||
|
|
||||||
* Tue Apr 09 2019 David King <amigadave@amigadave.com> - 1:1.12.12-7
|
* Thu Aug 01 2019 David King <dking@redhat.com> - 1:1.12.8-9
|
||||||
- Improve user and group creation (#1698001)
|
- Ensure that patches are applied (#1725570)
|
||||||
|
|
||||||
* Thu Apr 04 2019 David King <amigadave@amigadave.com> - 1:1.12.12-6
|
* Tue Jul 09 2019 David King <dking@redhat.com> - 1:1.12.8-8
|
||||||
- Own system.d and session.d directories (#1696385)
|
- Fix CVE-2019-12749 (#1725570)
|
||||||
|
|
||||||
* Sun Mar 03 2019 Leigh Scott <leigh123linux@googlemail.com> - 1:1.12.12-5
|
* Wed Oct 24 2018 Martin Pitt <mpitt@redhat.com> - 1:1.12.8-7
|
||||||
- Fix f30 FTBFS
|
- Fix useradd dependency of dbus-daemon rhbz#1634496
|
||||||
|
|
||||||
* Mon Feb 04 2019 Kalev Lember <klember@redhat.com> - 1:1.12.12-4
|
* Thu Oct 18 2018 Martin Pitt <mpitt@redhat.com>
|
||||||
- Update requires for pygobject3 -> python2-gobject rename
|
- Drop unpublished -doc package to fix FTBFS rhbz#1640736
|
||||||
|
- Add dist-git smoketest rhbz#1625683
|
||||||
|
- Move dbus system user creation to correct package rhbz#1634496
|
||||||
|
|
||||||
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.12.12-3
|
* Sat Aug 11 2018 Troy Dawson <tdawson@redhat.com>
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
- BuildRequire python3-gobject instead of pygobject3
|
||||||
|
- Related: bug#1614611
|
||||||
* Fri Dec 14 2018 David King <amigadave@amigadave.com> - 1:1.12.12-2
|
|
||||||
- Change -devel subpackage to depend on -libs
|
|
||||||
|
|
||||||
* Tue Dec 04 2018 David King <amigadave@amigadave.com> - 1:1.12.12-1
|
|
||||||
- Update to 1.12.12
|
|
||||||
|
|
||||||
* Thu Nov 22 2018 David Herrmann <dh.herrmann@gmail.com> - 1:1.12.10-9
|
|
||||||
- Switch to dbus-broker as the default implementation
|
|
||||||
|
|
||||||
* Wed Nov 07 2018 Stephen Gallagher <sgallagh@redhat.com> - 1:1.12.10-8
|
|
||||||
- Fix requirement on system-release
|
|
||||||
|
|
||||||
* Tue Nov 06 2018 Tom Gundersen <teg@jklm.no> - 1:1.12.10-7
|
|
||||||
- Fix the messagebus.service alias
|
|
||||||
|
|
||||||
* Mon Nov 05 2018 David King <amigadave@amigadave.com> - 1:1.12.10-6
|
|
||||||
- Add further Requires to subpackages
|
|
||||||
|
|
||||||
* Tue Oct 23 2018 David Herrmann <dh.herrmann@gmail.com> - 1:1.12.10-5
|
|
||||||
- Move useradd dependency to daemon subpackage
|
|
||||||
|
|
||||||
* Fri Oct 19 2018 David King <amigadave@amigadave.com> - 1:1.12.10-4
|
|
||||||
- Move user and group creation to daemon subpackage
|
|
||||||
- Move systemd to Requires of common subpackage (#1638910)
|
|
||||||
- Remove unnecessary ldconfig calls
|
|
||||||
|
|
||||||
* Fri Aug 31 2018 Tom Gundersen <teg@jklm.no> - 1:1.12.10-3
|
|
||||||
- Make sure presets are applied when upgrading from packages before the presets
|
|
||||||
existed
|
|
||||||
|
|
||||||
* Thu Aug 30 2018 David Herrmann <dh.herrmann@gmail.com> - 1:1.12.10-2
|
|
||||||
- Change 'system-release' dependency to 'fedora-release', since otherwise hard
|
|
||||||
version dependencies are ignored.
|
|
||||||
|
|
||||||
* Fri Aug 10 2018 David Herrmann <dh.herrmann@gmail.com> - 1:1.12.10-2
|
|
||||||
- Move generic units into 'dbus-common', so other dbus implementations can use
|
|
||||||
them as well.
|
|
||||||
|
|
||||||
* Fri Aug 10 2018 David Herrmann <dh.herrmann@gmail.com> - 1:1.12.10-1
|
|
||||||
- Add [Install] sections to unit files, rather than creating the symlinks
|
|
||||||
manually during the installation. This will pick up the systemd-presets
|
|
||||||
global to Fedora from the 'fedora-release' package.
|
|
||||||
|
|
||||||
* Fri Aug 10 2018 David Herrmann <dh.herrmann@gmail.com> - 1:1.12.10-1
|
|
||||||
- Provide custom systemd unit files to replace the upstream units. Also rename
|
|
||||||
the service to 'dbus-daemon.service', but provide an alias to 'dbus.service'.
|
|
||||||
|
|
||||||
* Fri Aug 03 2018 David King <amigadave@amigadave.com> - 1:1.12.10-1
|
|
||||||
- Update to 1.12.10
|
|
||||||
|
|
||||||
* Tue Jul 31 2018 Colin Walters <walters@verbum.org> - 1:1.12.8-5
|
* Tue Jul 31 2018 Colin Walters <walters@verbum.org> - 1:1.12.8-5
|
||||||
- More python3
|
- More python3
|
||||||
|
Loading…
Reference in New Issue
Block a user