Bug#962067: buster-pu: package dbus/1.12.20-0+deb10u1

2020-07-11 Thread Cyril Brulebois
Adam D. Barratt  (2020-07-05):
> I'd be OK with that from the SRM side (with the remaining d-i caveat).

No objections, thanks.
 

Cheers,
-- 
Cyril Brulebois (k...@debian.org)
D-I release manager -- Release team member -- Freelance Consultant




Re: Processed: Re: Bug#962067: buster-pu: package dbus/1.12.20-0+deb10u1

2020-07-05 Thread R hertoric
On Sun, Jul 5, 2020, 7:27 AM Debian Bug Tracking System <ow...@bugs.debian.org> wrote:

> Processing control commands:
>
> > retitle -1 buster-pu: package dbus/1.12.20-0+deb10u1
> Bug #962067 [release.debian.org] buster-pu: package dbus/1.12.18-0+deb10u1
> Changed Bug title to 'buster-pu: package dbus/1.12.20-0+deb10u1' from
> 'buster-pu: package dbus/1.12.18-0+deb10u1'.
>
> --
> 962067: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962067
> Debian Bug Tracking System
> Contact ow...@bugs.debian.org with problems
>
>


Bug#962067: buster-pu: package dbus/1.12.20-0+deb10u1

2020-07-05 Thread Adam D. Barratt
On Sun, 2020-07-05 at 13:24 +0100, Simon McVittie wrote:
> Control: retitle -1 buster-pu: package dbus/1.12.20-0+deb10u1
> 
> On Sat, 20 Jun 2020 at 20:26:24 +0100, Adam D. Barratt wrote:
> > On Tue, 2020-06-02 at 21:22 +0100, Simon McVittie wrote:
> > > dbus 1.12.18 fixes a local denial of service vulnerability for
> > > which the Security Team have indicated they do not intend to
> > > issue a DSA.
> > > 
> > > If possible I would like to use upstream 1.12.x versions of dbus
> > > for buster (security and) stable updates, similar to the policy
> > > used in stretch and jessie. This branch includes security fixes
> > > and selected non-intrusive bug fixes (and unfortunately also the
> > > usual Autotools noise).
> > > 
> > 
> > That sounds OK to me, but will need the usual KiBi-ack due to the
> > udeb.
> 
> I have now released 1.12.20 upstream. This fixes a long-standing
> use-after-free if two usernames have the same numeric uid (which is
> potentially a security fix if you have such usernames), and a
> regression on Solaris derivatives. Does this still look OK for
> buster-pu? (Diff since the version you already saw attached - I
> haven't bothered to filter out the Autotools noise this time, because
> there is much less of it.)

I'd be OK with that from the SRM side (with the remaining d-i caveat).

> I've asked the security team whether they will now want a DSA for the
> use-after-free, but I suspect the answer will be "no, talk to the
> stable release team" so I'm asking preemptively.
> 
> For #962068, dbus 1.10.30 -> 1.10.32 has a remarkably similar diff
> (it's a cherry-pick of the same commits as in 1.12.20). I assume the
> judgement on that from both the security team and the stable release
> team will be the same as for buster, unless the stretch EOL has
> already happened by the time we get there.

My understanding is that security support for stretch ended yesterday.
(We've ended up with an extra week for fixes via opu due to
availability of people for the point release.)

Regards,

Adam



Processed: Re: Bug#962067: buster-pu: package dbus/1.12.20-0+deb10u1

2020-07-05 Thread Debian Bug Tracking System
Processing control commands:

> retitle -1 buster-pu: package dbus/1.12.20-0+deb10u1
Bug #962067 [release.debian.org] buster-pu: package dbus/1.12.18-0+deb10u1
Changed Bug title to 'buster-pu: package dbus/1.12.20-0+deb10u1' from 
'buster-pu: package dbus/1.12.18-0+deb10u1'.

-- 
962067: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962067
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#962067: buster-pu: package dbus/1.12.20-0+deb10u1

2020-07-05 Thread Simon McVittie
Control: retitle -1 buster-pu: package dbus/1.12.20-0+deb10u1

On Sat, 20 Jun 2020 at 20:26:24 +0100, Adam D. Barratt wrote:
> On Tue, 2020-06-02 at 21:22 +0100, Simon McVittie wrote:
> > dbus 1.12.18 fixes a local denial of service vulnerability for which
> > the Security Team have indicated they do not intend to issue a DSA.
> > 
> > If possible I would like to use upstream 1.12.x versions of dbus for
> > buster (security and) stable updates, similar to the policy used in
> > stretch and jessie. This branch includes security fixes and selected
> > non-intrusive bug fixes (and unfortunately also the usual Autotools
> > noise).
> > 
> 
> That sounds OK to me, but will need the usual KiBi-ack due to the udeb.

I have now released 1.12.20 upstream. This fixes a long-standing
use-after-free if two usernames have the same numeric uid (which is
potentially a security fix if you have such usernames), and a regression
on Solaris derivatives. Does this still look OK for buster-pu? (Diff since
the version you already saw attached - I haven't bothered to filter out
the Autotools noise this time, because there is much less of it.)

I've asked the security team whether they will now want a DSA for the
use-after-free, but I suspect the answer will be "no, talk to the
stable release team" so I'm asking preemptively.

For #962068, dbus 1.10.30 -> 1.10.32 has a remarkably similar diff (it's
a cherry-pick of the same commits as in 1.12.20). I assume the judgement
on that from both the security team and the stable release team will be
the same as for buster, unless the stretch EOL has already happened by
the time we get there.

smcv
diff --git a/Makefile.in b/Makefile.in
index 2ef174ae..c3973629 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -15,7 +15,7 @@
 @SET_MAKE@
 
 # aminclude_static.am generated automatically by Autoconf
-# from AX_AM_MACROS_STATIC on Tue Jun  2 13:56:47 BST 2020
+# from AX_AM_MACROS_STATIC on Thu Jul  2 11:10:39 BST 2020
 
 VPATH = @srcdir@
 am__is_gnu_make = { \
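Review bot: the only change in this hunk is the regenerated AX_AM_MACROS_STATIC timestamp comment ("Tue Jun  2" to "Thu Jul  2"), so it has no functional effect; the identical timestamp-only hunks in aminclude_static.am and bus/Makefile.in below are the same Autotools regeneration noise the submitter mentions and can be skipped when reviewing the stable update for behavioural changes.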
diff --git a/NEWS b/NEWS
index a38c5992..2fca1455 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,27 @@
+dbus 1.12.20 (2020-07-02)
+=
+
+The “temporary nemesis” release.
+
+Maybe security fixes:
+
+• On Unix, avoid a use-after-free if two usernames have the same
+  numeric uid. In older versions this could lead to a crash (denial of
+  service) or other undefined behaviour, possibly including incorrect
+  authorization decisions if  is used.
+  Like Unix filesystems, D-Bus' model of identity cannot distinguish
+  between users of different names with the same numeric uid, so this
+  configuration is not advisable on systems where D-Bus will be used.
+  Thanks to Daniel Onaca.
+  (dbus#305, dbus!166; Simon McVittie)
+
+Other fixes:
+
+• On Solaris and its derivatives, if a cmsg header is truncated, ensure
+  that we do not overrun the buffer used for fd-passing, even if the
+  kernel tells us to.
+  (dbus#304, dbus!165; Andy Fiddaman)
+
 dbus 1.12.18 (2020-06-02)
 =
 
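Review bot: the first NEWS bullet has a gap where the configuration directive should be named ("incorrect authorization decisions if  is used"), so the sentence that tells administrators which setting makes the uid collision security-relevant is currently unreadable; restore the directive name in that line before this text is shipped in the changelog. Otherwise the entry gives what a stable-update reviewer needs: the triggering condition (two usernames sharing a numeric uid), the impact (crash or undefined behaviour), the advisory against such configurations, and the upstream references (dbus#305, dbus!166 and dbus#304, dbus!165) that let the Debian diff be matched against the cherry-picked commits.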
diff --git a/aminclude_static.am b/aminclude_static.am
index 7b415587..3dabd131 100644
--- a/aminclude_static.am
+++ b/aminclude_static.am
@@ -1,6 +1,6 @@
 
 # aminclude_static.am generated automatically by Autoconf
-# from AX_AM_MACROS_STATIC on Tue Jun  2 13:56:47 BST 2020
+# from AX_AM_MACROS_STATIC on Thu Jul  2 11:10:39 BST 2020
 
 
 # Code coverage
diff --git a/bus/Makefile.in b/bus/Makefile.in
index 5367203e..fa44d2b6 100644
--- a/bus/Makefile.in
+++ b/bus/Makefile.in
@@ -15,7 +15,7 @@
 @SET_MAKE@
 
 # aminclude_static.am generated automatically by Autoconf
-# from AX_AM_MACROS_STATIC on Tue Jun  2 13:56:47 BST 2020
+# from AX_AM_MACROS_STATIC on Thu Jul  2 11:10:39 BST 2020
 
 
 VPATH = @srcdir@
diff --git a/configure b/configure
index c1b736f4..38db1dd4 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for dbus 1.12.18.
+# Generated by GNU Autoconf 2.69 for dbus 1.12.20.
 #
 # Report bugs to .
 #
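Review bot: the "Report bugs to ." context line in this hunk has no address after "to", so the regenerated configure should be checked to confirm PACKAGE_BUGREPORT is still propagated into that header comment and that the blank is only an artefact of how the diff was captured here, not a change in the generated file. The version bump itself is consistent: the header comment, PACKAGE_VERSION/PACKAGE_STRING and the --help banner all move from 1.12.18 to 1.12.20, matching the NEWS entry.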
@@ -591,8 +591,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='dbus'
 PACKAGE_TARNAME='dbus'
-PACKAGE_VERSION='1.12.18'
-PACKAGE_STRING='dbus 1.12.18'
+PACKAGE_VERSION='1.12.20'
+PACKAGE_STRING='dbus 1.12.20'
 PACKAGE_BUGREPORT='https://bugs.freedesktop.org/enter_bug.cgi?product=dbus'
 PACKAGE_URL=''
 
@@ -1579,7 +1579,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures dbus 1.12.18 to adapt to many kinds of systems.
+\`configure' configures dbus 1.12.20 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1654,7 +1654,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
- short | recursive ) echo "Configuration of dbus