Simon McVittie [Mon, 25 Sep 2017 13:57:41 +0000 (14:57 +0100)]
NEWS for fd.o #92074; also note an earlier backport
Signed-off-by: Simon McVittie <smcv@collabora.com>
Simon McVittie [Mon, 25 Sep 2017 13:57:38 +0000 (14:57 +0100)]
monitor: use the addressed_recipient to select matches
This means we respect the destination keyword in arguments to
BecomeMonitor.
In bus_dispatch(), this means that we need to defer capturing until
we have decided whether there is an addressed recipient; so instead
of capturing once, we capture at each leaf of the decision tree.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=92074
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Reviewed-by: Lars Uebernickel <lars@uebernic.de>
(cherry picked from commit f3be583b40dadfd78ddefbc9fb3fa182bafde949)
Signed-off-by: Simon McVittie <smcv@collabora.com>
Simon McVittie [Tue, 15 Aug 2017 16:22:27 +0000 (12:22 -0400)]
NEWS for #102145
Alan Coopersmith [Fri, 11 Aug 2017 01:50:36 +0000 (18:50 -0700)]
Fix -Werror=declaration-after-statement build failure on Solaris
dbus-sysdeps-unix.c: In function ‘_dbus_read_credentials_socket’:
dbus-sysdeps-unix.c:2061:9: error: ISO C90 forbids mixed declarations and code [-Werror=declaration-after-statement]
adt_session_data_t *adth = NULL;
^
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=102145
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Reviewed-by: Simon McVittie <smcv@collabora.com>
Simon McVittie [Tue, 15 Aug 2017 15:55:38 +0000 (11:55 -0400)]
Update NEWS for fd.o #95264
Signed-off-by: Simon McVittie <smcv@debian.org>
Lennart Poettering [Wed, 4 May 2016 16:06:17 +0000 (18:06 +0200)]
sysdeps: increase listen() backlog of AF_UNIX sockets to SOMAXCONN
Previously, the listen() backlog was set to an arbitrary 30. This means
that if dbus-daemon is overloaded only 30 more connections may be queued
by the kernel, before connect() fails with EAGAIN. (Note that EAGAIN !=
EINPROGRESS -- the latter is what is returned if a connection is queued
and being processed for asynchronous sockets; EAGAIN in this case is
really an error, that cannot be recovered from).
Most software simply sets SOMAXCONN as backlog for AF_UNIX sockets, to
allow queuing of as many connections as the kernel allows. SOMAXCONN is
128 on Linux, which is not particularly high, but at least higher than
30.
This patch changes dbus-daemon to do the same.
I noticed this when flooding dbus-daemon with a lot of connections,
where it pretty quickly ceased to respond, much earlier than it really
should.
Note that the backlog has nothing to do with the number of concurrent
connections allowed, it simply controls how many queued, but not
accept()ed connections there may be on the listening socket.
(cherry picked from commit 12bd6e893c91430fdbdf8a27087d4a792b04eef9)
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=95264
Bug-Debian: https://bugs.debian.org/872144
Reviewed-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Thiago Macieira <thiago@kde.org>
Simon McVittie [Fri, 28 Jul 2017 10:21:07 +0000 (11:21 +0100)]
NEWS for #101858
Simon McVittie [Fri, 21 Jul 2017 09:46:39 +0000 (10:46 +0100)]
config-loader-expat: Tell Expat not to defend against hash collisions
By default, Expat uses cryptographic-quality random numbers as a salt for
its hash algorithm, and since 2.2.1 it gets them from the getrandom
syscall on Linux. That syscall refuses to return any entropy until the
kernel's CSPRNG (random pool) has been initialized. Unfortunately, this
can take as long as 40 seconds on embedded devices with few entropy
sources, which is too long: if the system dbus-daemon blocks for that
length of time, important D-Bus clients like systemd and systemd-logind
time out and fail to connect to it.
We're parsing small configuration files here, and we trust them
completely, so we don't need to defend against hash collisions: nobody
is going to be crafting them to cause pathological performance.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101858
Signed-off-by: Simon McVittie <smcv@debian.org>
Tested-by: Christopher Hewitt <hewitt@ieee.org>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Simon McVittie [Thu, 27 Jul 2017 20:55:32 +0000 (21:55 +0100)]
Start 1.10.24
Signed-off-by: Simon McVittie <smcv@collabora.com>
Simon McVittie [Thu, 27 Jul 2017 12:57:19 +0000 (13:57 +0100)]
1.10.22
Simon McVittie [Fri, 7 Jul 2017 12:16:09 +0000 (13:16 +0100)]
NEWS for fd.o#101716
Signed-off-by: Simon McVittie <smcv@collabora.com>
Simon McVittie [Fri, 7 Jul 2017 11:12:24 +0000 (12:12 +0100)]
test/name-test: Be compatible with Python 3
configure.ac will detect PYTHON=python3 if there is no python
executable in the PATH.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101716
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Signed-off-by: Simon McVittie <smcv@collabora.com>
Simon McVittie [Fri, 7 Jul 2017 09:55:39 +0000 (10:55 +0100)]
NEWS for #101698
Signed-off-by: Simon McVittie <smcv@collabora.com>
Simon McVittie [Wed, 5 Jul 2017 14:32:40 +0000 (15:32 +0100)]
tests: Make tests fail if they try to connect to the real session bus
It is too easy for a developer working in an environment that has a
session bus to write tests that pass locally, but fail in minimal
environments. This is also risky because the tests might do
destructive things on the developer's real session bus. We can avoid
connecting to the session bus by consistently removing its address
from the environment, and replacing it with something that will
always fail.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101698
Simon McVittie [Wed, 5 Jul 2017 14:30:05 +0000 (15:30 +0100)]
test/dbus-daemon: Unset DBUS_SESSION_BUS_ADDRESS
When we intend to exercise the default behaviour in the absence of
DBUS_SESSION_BUS_ADDRESS (but with an XDG_RUNTIME_DIR present), it would
help if we unset DBUS_SESSION_BUS_ADDRESS. Otherwise we'll just connect
to the real session bus, if there is one.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101698
Simon McVittie [Thu, 6 Jul 2017 17:43:23 +0000 (18:43 +0100)]
Update NEWS for 1.10 branch
Signed-off-by: Simon McVittie <smcv@collabora.com>
Simon McVittie [Wed, 5 Jul 2017 14:28:08 +0000 (15:28 +0100)]
name-test: Backport dbus-run-session wrapper from git master
test-pending-call-disconnected relies on being run under a session bus.
On master, the TESTS in this directory all get that treatment, but
in dbus-1.10 they do not. This caused test-pending-call-disconnected
to fail in minimal environments like travis-ci where there is no
developer-initiated session bus.
Backport part of commit ec6b220 "name-test: run most C tests directly,
not via run-test.sh" to wrap it in dbus-run-session. This is better
than putting it in run-test.sh because this way, its TAP output is
parsed directly by Automake.
It also has the side benefit of exercising dbus-run-session in the
automated tests.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101698
Simon McVittie [Tue, 4 Jul 2017 14:38:57 +0000 (15:38 +0100)]
dbus_message_iter_open_container: Don't leak signature on failure
If we run out of memory while calling _dbus_type_writer_recurse()
(which is impossible for most contained types, but can happen for
structs and dict-entries), then the memory we allocated in the call to
_dbus_message_iter_open_signature() will still be allocated, and we
have to free it in order to return to the state of the world prior to
calling open_container().
One might reasonably worry that this change can break callers that use
this (incorrect) pattern:
    if (!dbus_message_iter_open_container (outer, ..., inner))
      {
        dbus_message_iter_abandon_container (outer, inner);
        goto fail;
      }
    /* now we know inner is open, and we must close it later */
However, testing that pattern with _dbus_test_oom_handling()
demonstrates that it already dies with a DBusString assertion failure
even before this commit.
This is all concerningly fragile, and I think the next step should be
to zero out DBusMessageIter instances when they are invalidated, so
that a "double-free" is always detected.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101568
(cherry picked from commit 031aa2ceb3dfff373e7b398dfc5d020d77262512)
Simon McVittie [Tue, 4 Jul 2017 13:13:15 +0000 (14:13 +0100)]
dbus_message_iter_append_basic: Don't leak signature if appending fd fails
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101568
(cherry picked from commit 8384e795516066960bb9fcfbfe138f569420edb9)
Simon McVittie [Tue, 4 Jul 2017 12:31:38 +0000 (13:31 +0100)]
dbus_message_append_args_valist: Don't leak memory on inappropriate type
Found by source code inspection while trying to debug an unrelated
leak.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101568
(cherry picked from commit 6b7bdb105b120b3db312de93af94af1bb6a2a474)
Simon McVittie [Thu, 29 Jun 2017 22:25:02 +0000 (23:25 +0100)]
Start on 1.10.22
Signed-off-by: Simon McVittie <smcv@debian.org>
Simon McVittie [Thu, 29 Jun 2017 17:46:36 +0000 (18:46 +0100)]
1.10.20
Signed-off-by: Simon McVittie <smcv@collabora.com>
Simon McVittie [Tue, 27 Jun 2017 18:26:59 +0000 (19:26 +0100)]
Update NEWS for 1.10.x branch
Signed-off-by: Simon McVittie <smcv@collabora.com>
Simon McVittie [Mon, 5 Jun 2017 17:16:42 +0000 (18:16 +0100)]
transport: Don't pile up errors for semicolon-separated components
If we somehow get an autolaunch address with multiple
semicolon-separated components, and one of them fails, then we will
hit an assertion failure when we try the next one.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101257
(cherry picked from commit ecdcb86bff42d2bb9cac617bf79f0aa3d47676d9)
Simon McVittie [Wed, 6 May 2015 08:17:06 +0000 (09:17 +0100)]
Doxyfile.in: do not put timestamps in HTML
The build timestamp is not particularly useful (the version number of
the package is already present in the HTML), and it prevents the build
from being reproducible. See <https://reproducible-builds.org/> for more
information.
Signed-off-by: Simon McVittie <smcv@debian.org>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=100692
(cherry picked from commit 0310ead0022b3537392869cc2ed3296ba1a7c17d)
Shin-ichi MORITA [Sat, 17 Jun 2017 11:35:30 +0000 (20:35 +0900)]
Fix missing dbus_message_unref() in error reply path
The error message was leaked when blocking on a pending call after
the connection was disconnected.
Reviewed-by: Philip Withnall <withnall@endlessm.com>
[smcv: re-word commit message]
Reviewed-by: Simon McVittie <smcv@collabora.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101481
Simon McVittie [Wed, 19 Apr 2017 10:44:52 +0000 (11:44 +0100)]
HACKING: Update git URIs to sync up with cgit.freedesktop.org
git.freedesktop.org no longer offers anonymous checkouts; that facility
moved to anongit.freedesktop.org.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=100715
Simon McVittie [Fri, 7 Apr 2017 17:57:14 +0000 (18:57 +0100)]
Start changelog for 1.10.20
Simon McVittie [Wed, 5 Apr 2017 15:24:12 +0000 (16:24 +0100)]
1.10.18
Signed-off-by: Simon McVittie <smcv@debian.org>
Philip Withnall [Wed, 5 Apr 2017 10:36:12 +0000 (11:36 +0100)]
test: Fix a couple of memory leaks in test-corrupt
Spotted while testing bug #100568.
Signed-off-by: Philip Withnall <withnall@endlessm.com>
Reviewed-by: Simon McVittie <smcv@collabora.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=100568
Philip Withnall [Wed, 5 Apr 2017 10:35:27 +0000 (11:35 +0100)]
test: Fix reading off the end of an array in test-corrupt
One level of pointer indirection too many when passing the arguments to
dbus_message_append_args().
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=100568
Signed-off-by: Philip Withnall <withnall@endlessm.com>
Reviewed-by: Simon McVittie <smcv@collabora.com>
Simon McVittie [Wed, 22 Mar 2017 10:01:53 +0000 (10:01 +0000)]
refer to Debian bug in NEWS
Simon McVittie [Wed, 22 Mar 2017 09:35:17 +0000 (09:35 +0000)]
NEWS
Laurent Bigonville [Tue, 17 Nov 2015 20:47:05 +0000 (21:47 +0100)]
Initialize SELinux and Apparmor after capabilities are set
avc_init() in the SELinux code path is creating a new thread; we need to
set capabilities before it gets created so it has the permission to
send audit messages.
It also makes more sense to open the audit netlink before the different
logging callbacks are set.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=92832
[smcv: add comments explaining why initialization must happen in this
specific order]
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857660
Reviewed-by: Stephen Smalley <sds@tycho.nsa.gov>
(cherry picked from commit a3a5935a0a038c3b44c61ce5719f0f7e647b96c6)
Simon McVittie [Thu, 16 Feb 2017 15:57:46 +0000 (15:57 +0000)]
NEWS: fix typo
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Simon McVittie [Thu, 16 Feb 2017 15:57:30 +0000 (15:57 +0000)]
Start 1.10.18
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Simon McVittie [Thu, 16 Feb 2017 13:37:46 +0000 (13:37 +0000)]
Prepare 1.10.16
Simon McVittie [Wed, 15 Feb 2017 17:24:14 +0000 (17:24 +0000)]
activation test: Fix time-of-check/time-of-use bug waiting to happen
Creating a directory is atomic, stat'ing it to see whether to remove
it is very much not.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=99828
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Simon McVittie [Wed, 15 Feb 2017 16:32:04 +0000 (16:32 +0000)]
Change _dbus_create_directory to fail for existing directories
If we don't trap EEXIST and its Windows equivalent, we are unable to
detect the situation where we create an ostensibly unique
subdirectory in a shared /tmp, but an attacker has already created it.
This affects dbus-nonce (the nonce-tcp transport) and the activation
reload test.
Add a new _dbus_ensure_directory() for the one case where we want it to
succeed even on EEXIST: the DBUS_COOKIE_SHA1 keyring, which we know
we are creating in our own trusted "official" $HOME. In the new
transient service support on Bug #99825, ensure_owned_directory()
would need the same treatment.
We are not treating this as a serious security problem, because the
nonce-tcp transport is rarely enabled on Unix and there are multiple
mitigations.
The nonce-tcp transport creates a new unique file with O_EXCL and 0600
(private to user) permissions, then overwrites the requested filename
via atomic-overwrite, so the worst that could happen there is that an
attacker could place a symbolic link matching the name of a directory
we are going to create, causing a dbus-daemon configured for nonce-tcp
to traverse the symlink and atomically overwrite a file named "nonce"
in a directory of the attacker's choice, with new random contents that
are not known to the attacker. This seems unlikely to be exploitable
for anything worse than denial of service in practice. In mainline
Linux since 3.6, this attack is also defeated by the
fs.protected_symlinks sysctl, which many distributions enable by default.
The activation reload test suffers from a classic symlink attack
due to time-of-check/time-of-use errors in its implementation, but as
part of the developer-only "embedded tests" that are only intended
to be run on a trusted machine, it is not treated as security-sensitive.
That code path will be fixed in a subsequent commit.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=99828
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
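Added example (not code from the dbus tree): a create that fails on EEXIST next to one that tolerates it, run against a name already occupied by a symbolic link inside a private scratch directory. The helper names create_directory_exclusive and ensure_directory, and every path used, are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: succeeds only if this call created the directory.
 * mkdir() fails with EEXIST when the name is already taken by anything,
 * including a symbolic link, so a pre-planted entry is detected. */
static int
create_directory_exclusive (const char *path)
{
  return mkdir (path, 0700);
}

/* Hypothetical helper: tolerates an existing entry. Only appropriate
 * when the parent directory is trusted, never in a shared /tmp. */
static int
ensure_directory (const char *path)
{
  if (mkdir (path, 0700) == 0 || errno == EEXIST)
    return 0;
  return -1;
}

/* Returns a bitmask, or -1 if the scratch setup failed:
 *   bit 0: exclusive create refused the pre-existing name with EEXIST
 *   bit 1: tolerant create accepted the same name without complaint
 *   bit 2: exclusive create succeeded on a name nobody had taken */
int
demo_preexisting_name (void)
{
  char scratch[] = "/tmp/eexist-demo-XXXXXX";   /* constructed path */
  char elsewhere[64], planted[64], fresh[64];
  int result = 0;

  if (mkdtemp (scratch) == NULL)
    return -1;

  snprintf (elsewhere, sizeof elsewhere, "%s/elsewhere", scratch);
  snprintf (planted, sizeof planted, "%s/unique-subdir", scratch);
  snprintf (fresh, sizeof fresh, "%s/fresh-subdir", scratch);

  /* Stand-in for "someone else got there first": the name we intend to
   * create already exists and points at a different directory. */
  if (mkdir (elsewhere, 0700) != 0 || symlink (elsewhere, planted) != 0)
    {
      result = -1;
      goto cleanup;
    }

  errno = 0;
  if (create_directory_exclusive (planted) == -1 && errno == EEXIST)
    result |= 1;

  if (ensure_directory (planted) == 0)
    result |= 2;

  if (create_directory_exclusive (fresh) == 0)
    result |= 4;

cleanup:
  rmdir (fresh);
  unlink (planted);
  rmdir (elsewhere);
  rmdir (scratch);
  return result;
}

int
main (void)
{
  int r = demo_preexisting_name ();

  if (r < 0)
    {
      perror ("setup");
      return 1;
    }

  printf ("exclusive create refused pre-existing name: %s\n",
          (r & 1) ? "yes" : "no");
  printf ("tolerant create accepted pre-existing name: %s\n",
          (r & 2) ? "yes" : "no");
  printf ("exclusive create succeeded on fresh name:   %s\n",
          (r & 4) ? "yes" : "no");
  return 0;
}
```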
Simon McVittie [Tue, 14 Feb 2017 08:58:26 +0000 (08:58 +0000)]
Travis-CI: Get new autoconf-archive from Ubuntu
Hopefully this has better uptime than snapshot.debian.org, which is
really an archival service rather than a production component.
This particular autoconf-archive version was in Ubuntu 16.10, so it
should stay around for a while.
Signed-off-by: Simon McVittie <smcv@debian.org>
(cherry picked from commit 9935a5b7d177b2368506fa48e7fdfa94ea0151fa)
Simon McVittie [Wed, 1 Feb 2017 11:10:26 +0000 (11:10 +0000)]
Update NEWS for 1.10 branch
Simon McVittie [Tue, 29 Nov 2016 13:05:14 +0000 (13:05 +0000)]
ci-install, ci-build: add brief documentation for parameter variables
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98889
Simon McVittie [Tue, 29 Nov 2016 12:47:01 +0000 (12:47 +0000)]
ci-install.sh: make ci_in_docker follow the yes/no convention too
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98889
Simon McVittie [Mon, 28 Nov 2016 16:38:37 +0000 (16:38 +0000)]
travis-ci: Add and use infrastructure to build and test in Docker
Debian stable, Debian testing and Ubuntu LTS provide a reasonable
spectrum of old and new distributions. I'm only doing one build on
each to avoid a combinatorial explosion of options.
The Docker images don't have any deb-src apt sources set up, so don't
use `apt-get build-dep`; just include dependencies manually.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98889
Simon McVittie [Mon, 28 Nov 2016 13:11:48 +0000 (13:11 +0000)]
travis-ci: add an install script instead of open-coding it in .travis.yml
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
[smcv: move comment to install script as suggested]
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98889
Simon McVittie [Mon, 28 Nov 2016 13:04:13 +0000 (13:04 +0000)]
travis-ci: introduce maybe_fail_tests() to make test failure more obvious
Taken from the version I added to OSTree.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98889
Simon McVittie [Mon, 28 Nov 2016 13:03:46 +0000 (13:03 +0000)]
travis-ci: run in bash, with the "unofficial strict mode"
set -u forces us to set all variables that we use (for example with the
${foo:=bar} syntax to take an existing value or set a default), or use the
${foo:-bar} syntax to make it explicit that the variable might be unset.
set -o pipefail (which is a bash feature) detects failure in non-last
elements of a pipeline.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98889
Simon McVittie [Mon, 28 Nov 2016 12:58:53 +0000 (12:58 +0000)]
travis-ci: consistently use yes/no instead of yes/empty
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98889
Simon McVittie [Mon, 28 Nov 2016 12:56:53 +0000 (12:56 +0000)]
travis-ci: consistently use ci_* for parameter variables
This aligns it with the more generic script based on this one that
I sent to OSTree.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98889
Simon McVittie [Mon, 28 Nov 2016 12:54:21 +0000 (12:54 +0000)]
ci-build: retab with 4-space indentation
This realigns it with the script loosely based on this one that I
sent to OSTree.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98889
Simon McVittie [Mon, 28 Nov 2016 12:27:03 +0000 (12:27 +0000)]
travis-ci: add an explicit copyright/license statement
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98889
Simon McVittie [Sat, 1 Oct 2016 14:20:11 +0000 (15:20 +0100)]
Rename distro-style CI build from "release" to "production"
This avoids confusion with the meaning of "release" used by
AX_IS_RELEASE. AX_IS_RELEASE is about facts about the source tree,
namely the distinction between releases (tags) and random snapshots.
The build variants in .travis.yml are about facts about the build
being done, namely the distinction between production and
debug/developer builds.
Production builds are sometimes referred to as "release builds",
for example in typical CMake and MSVC build environments, but a
different term seems better here.
Signed-off-by: Simon McVittie <smcv@debian.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=97357
[smcv: cherry-picked from master to dbus-1.10 to get the Travis-CI setup
consistent between the two branches]
Simon McVittie [Fri, 30 Sep 2016 18:35:59 +0000 (19:35 +0100)]
Update autoconf-archive, and use snapshot.debian.org
This way the link won't expire in future.
Signed-off-by: Simon McVittie <smcv@debian.org>
[smcv: cherry-picked from master to dbus-1.10 to get the Travis-CI setup
consistent between the two branches; it is not strictly needed on dbus-1.10]
Simon McVittie [Mon, 15 Aug 2016 19:41:28 +0000 (20:41 +0100)]
Travis-CI: fetch a newer autoconf-archive from Debian
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
[smcv: cherry-picked from master to dbus-1.10 to get the Travis-CI setup
consistent between the two branches; it is not strictly needed on dbus-1.10]
Simon McVittie [Mon, 15 Aug 2016 19:12:19 +0000 (20:12 +0100)]
Travis-CI: install new autoconf-archive build-dependency
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
[smcv: cherry-picked from master to dbus-1.10 to get the Travis-CI setup
consistent between the two branches; it is not strictly needed on dbus-1.10]
Simon McVittie [Mon, 28 Nov 2016 20:23:14 +0000 (20:23 +0000)]
Start developing 1.10.16
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Simon McVittie [Mon, 28 Nov 2016 18:26:07 +0000 (18:26 +0000)]
dbus 1.10.14
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Simon McVittie [Mon, 28 Nov 2016 18:48:28 +0000 (18:48 +0000)]
Suppress -Wmisleading-indentation for this stable branch
We are not going to fix the inconsistent tab/space indentation in a
stable branch just to keep gcc happy.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Simon McVittie [Fri, 11 Nov 2016 16:40:44 +0000 (16:40 +0000)]
Make uid 0 immune to pending_fd_timeout limit
This is a workaround for
<https://bugs.freedesktop.org/show_bug.cgi?id=95263>. If a service
sends a file descriptor sufficiently frequently that its queue of
messages never goes down to 0 fds pending, then it will eventually be
disconnected. logind is one such service.
We do not currently have a good solution for this: the proposed
patches either don't work, or reintroduce a denial of service
security vulnerability (CVE-2014-3637). Neither seems desirable.
However, we can avoid the worst symptoms by trusting uid 0 not to be
malicious.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=95263
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1591411
Reviewed-by: Łukasz Zemczak
Tested-by: Ivan Kozik
Tested-by: Finn Herpich
Tested-by: autostatic
Tested-by: Ben Parafina
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
(cherry picked from commit d5fae1db789d741295ca4746b84915d4bec591fd)
[smcv: omit the test/dbus-daemon.c part, which does not apply unless
a363822f5f58e5513e30dc2f84a30ae03cd91e07 is also applied]
Simon McVittie [Tue, 16 Aug 2016 15:12:35 +0000 (16:12 +0100)]
Log to syslog when pending_fd_timeout is exceeded
This is either a denial-of-service attempt, a pathological performance
problem or a dbus-daemon bug. Sysadmins should be told about any of
these.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=86442
[smcv: add units to timeout: it is in milliseconds]
Signed-off-by: Simon McVittie <smcv@debian.org>
(cherry picked from commit 05cb619f0a6a4c9997832cb4acbb26f7a0be66c3)
Simon McVittie [Tue, 22 Nov 2016 21:10:44 +0000 (21:10 +0000)]
Install mingw build-dependencies in a different order
This avoids installing the build-dependencies for dbus and its tests,
then uninstalling them all because they rely on libraries whose versions
are older than the ones needed by wine:i386 (and apparently apt prefers
to remove those libraries rather than upgrade them). Doing it this way
round seems to convince apt to do the right thing.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Simon McVittie [Tue, 22 Nov 2016 21:07:48 +0000 (21:07 +0000)]
ci-build: run our copy of config.guess
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Simon McVittie [Tue, 22 Nov 2016 20:06:36 +0000 (20:06 +0000)]
NEWS
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Simon McVittie [Wed, 9 Nov 2016 18:44:21 +0000 (18:44 +0000)]
Don't test X11 autolaunching if it was disabled at compile time
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98665
Simon McVittie [Mon, 10 Oct 2016 09:19:44 +0000 (10:19 +0100)]
1.10.12
Simon McVittie [Fri, 7 Oct 2016 20:38:05 +0000 (21:38 +0100)]
Disable deprecation warnings for stable branch
We're not going to replace deprecated functions here.
Signed-off-by: Simon McVittie <smcv@debian.org>
Reviewed-by: Colin Walters <walters@verbum.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98157
Simon McVittie [Fri, 7 Oct 2016 20:26:36 +0000 (21:26 +0100)]
Ignore ActivationFailure if not using systemd activation
This isn't security-related, just defensive programming: if
dbus-daemon wasn't run with --systemd-activation, then there is no
reason why systemd would legitimately send us this signal, and if it
does we should just ignore it.
Signed-off-by: Simon McVittie <smcv@debian.org>
Reviewed-by: Colin Walters <walters@verbum.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98157
Simon McVittie [Fri, 7 Oct 2016 20:25:08 +0000 (21:25 +0100)]
bus_driver_handle_message: reject ActivationFailure if unprivileged
Specifically, this will allow ActivationFailure messages from our
own uid or from root, but reject them otherwise, even if the bus
configuration for who can own org.freedesktop.systemd1 is entirely
wrong due to something like CVE-2014-8148.
Signed-off-by: Simon McVittie <smcv@debian.org>
Reviewed-by: Colin Walters <walters@verbum.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98157
Simon McVittie [Fri, 7 Oct 2016 18:13:01 +0000 (19:13 +0100)]
dbus_activation_systemd_failure: do not use non-literal format string
In principle this could lead to arbitrary memory overwrite via
a format string attack in the message received from systemd,
resulting in arbitrary code execution.
This is not believed to be an exploitable security vulnerability on the
system bus in practice: it can only be exploited by the owner of the
org.freedesktop.systemd1 bus name, which is restricted to uid 0, so
if systemd is attacker-controlled then the system is already doomed.
Similarly, if a systemd system unit mentioned in the activation failure
message has an attacker-controlled name, then the attacker likely already
has sufficient access to execute arbitrary code as root in any case.
However, prior to dbus 1.8.16 and 1.9.10, due to a missing check for
systemd's identity, unprivileged processes could forge activation
failure messages which would have gone through this code path.
We thought at the time that this was a denial of service vulnerability
(CVE-2015-0245); this bug means that it was in fact potentially an
arbitrary code execution vulnerability.
Bug found using -Wsuggest-attribute=format and -Wformat-security.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Colin Walters <walters@verbum.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98157
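Added example (not code from the dbus tree) covering this commit and the preceding "reject ActivationFailure if unprivileged" commit: a printf-style error setter annotated so that -Wformat-security can flag a non-literal format, called with a literal "%s", behind a sender check that accepts only uid 0 or the daemon's own uid. DemoError, demo_set_error and demo_handle_activation_failure are hypothetical names, and the uids and message text are constructed sample values.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical stand-in for an error object that stores a message. */
typedef struct
{
  char message[256];
} DemoError;

/* Telling the compiler that argument 2 is a printf format string is what
 * lets -Wformat-security warn when a caller passes a non-literal there. */
#if defined(__GNUC__)
# define DEMO_GNUC_PRINTF(fmt_idx, arg_idx) \
    __attribute__ ((format (printf, fmt_idx, arg_idx)))
#else
# define DEMO_GNUC_PRINTF(fmt_idx, arg_idx)
#endif

static void demo_set_error (DemoError *error, const char *format, ...)
    DEMO_GNUC_PRINTF (2, 3);

static void
demo_set_error (DemoError *error, const char *format, ...)
{
  va_list args;

  va_start (args, format);
  vsnprintf (error->message, sizeof error->message, format, args);
  va_end (args);
}

/* Returns 1 if the failure report was accepted and recorded,
 * 0 if it was rejected because the sender is not privileged. */
int
demo_handle_activation_failure (uid_t sender_uid,
                                uid_t own_uid,
                                const char *text_from_sender,
                                DemoError *error)
{
  error->message[0] = '\0';

  /* Accept only root or our own uid, independently of whatever the bus
   * policy says about who may own the sender's bus name. */
  if (sender_uid != 0 && sender_uid != own_uid)
    return 0;

  /* The "before" form of this call passed text_from_sender as the format
   * argument itself. With a literal "%s", conversion specifiers inside
   * the peer-supplied text are copied as data and never interpreted. */
  demo_set_error (error, "%s", text_from_sender);
  return 1;
}

int
main (void)
{
  DemoError error;
  /* Constructed sample text containing conversion specifiers. */
  const char *sample = "unit %s%x.service failed";

  if (demo_handle_activation_failure (0, 1000, sample, &error))
    printf ("accepted from uid 0: %s\n", error.message);

  if (!demo_handle_activation_failure (1001, 1000, sample, &error))
    printf ("rejected from uid 1001\n");

  return 0;
}
```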
Simon McVittie [Tue, 4 Oct 2016 10:23:30 +0000 (11:23 +0100)]
NEWS
Marc Mutz [Mon, 3 Oct 2016 20:19:45 +0000 (22:19 +0200)]
DBusMessage: Fix UB (misaligned access) in call to _dbus_header_set_field_basic()
The const void* 'value' pointer that is passed the address of a
uint32_t here eventually ends up in _dbus_marshal_write_basic(), which
casts it to a DBusBasicValue, a union type that has an alignment of
eight on 64-bit platforms and is therefore more-aligned than the
uint32.
The read of a value of a more-aligned type through a pointer to a
less-aligned type is undefined behaviour.
Fix by storing the uint32 in a DBusBasicValue and passing that instead.
Found by UBSan:
dbus/dbus/dbus-marshal-basic.c:832:14: runtime error: member access within misaligned address 0x7fdb8dac3a04 for type 'const union DBusBasicValue', which requires 8 byte alignment
0x7fdb8dac3a04: note: pointer points here
4a 87 b5 71 01 00 00 00 40 7d 01 00 00 61 00 00 10 3b ac 8d db 7f 00 00 2c 2a 3e 94 db 7f 00 00
^
#0 0x7fdb9444a2c3 in _dbus_marshal_write_basic dbus/dbus/dbus-marshal-basic.c:832
#1 0x7fdb943d22fb in _dbus_type_writer_write_basic_no_typecode dbus/dbus/dbus-marshal-recursive.c:1605
#2 0x7fdb943d64e9 in _dbus_type_writer_write_basic dbus/dbus/dbus-marshal-recursive.c:2327
#3 0x7fdb943c52a6 in write_basic_field dbus/dbus/dbus-marshal-header.c:318
#4 0x7fdb943c919e in _dbus_header_set_field_basic dbus/dbus/dbus-marshal-header.c:1321
#5 0x7fdb943e1349 in dbus_message_set_reply_serial dbus/dbus/dbus-message.c:1173
Signed-off-by: Marc Mutz <marc@kdab.net>
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98035
Simon McVittie [Mon, 3 Oct 2016 10:43:06 +0000 (11:43 +0100)]
NEWS for 1.10.x
Simon McVittie [Mon, 15 Aug 2016 19:11:49 +0000 (20:11 +0100)]
autogen.sh: fail cleanly if autoconf fails
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
(cherry picked from commit 0bbfca6def7a39c03b7a0a4cba166fdf89f3c630)
Simon McVittie [Mon, 15 Aug 2016 22:31:18 +0000 (23:31 +0100)]
1.10.11
Simon McVittie [Mon, 15 Aug 2016 18:59:18 +0000 (19:59 +0100)]
1.10.10
Signed-off-by: Simon McVittie <smcv@debian.org>
Simon McVittie [Fri, 12 Aug 2016 09:58:13 +0000 (10:58 +0100)]
Add a regression test for dbus-launch in X11
[Modified for the dbus-1.10 branch: DBUS_USE_TEST_BINARY is needed.]
Signed-off-by: Simon McVittie <smcv@debian.org>
Simon McVittie [Wed, 20 Jul 2016 12:31:50 +0000 (13:31 +0100)]
test-dbus-daemon-fork: exercise closed stdin, stdout, stderr
Signed-off-by: Simon McVittie <smcv@debian.org>
Simon McVittie [Wed, 20 Jul 2016 11:07:03 +0000 (12:07 +0100)]
test: expand dbus-launch-eval test to cover stdin being closed
Signed-off-by: Simon McVittie <smcv@debian.org>
Simon McVittie [Wed, 20 Jul 2016 12:12:45 +0000 (13:12 +0100)]
Add a simple test for dbus-daemon --fork
[Modified for the dbus-1.10 branch: DBUS_USE_TEST_BINARY is needed.]
Signed-off-by: Simon McVittie <smcv@debian.org>
Simon McVittie [Wed, 20 Jul 2016 11:00:34 +0000 (12:00 +0100)]
test: add a regression test for eval "$(dbus-launch --sh-syntax)"
[Modified for the dbus-1.10 branch: DBUS_USE_TEST_BINARY is needed.]
Signed-off-by: Simon McVittie <smcv@debian.org>
Simon McVittie [Thu, 21 Jul 2016 07:24:38 +0000 (08:24 +0100)]
dbus-daemon, dbus-launch: cope with callers having closed standard fds
In Debian bug <https://bugs.debian.org/829348>, lightdm appears to
have been starting dbus-launch with at least one of the three
standard fds 0, 1, 2 (stdin, stdout, stderr) closed. This resulted
in the dbus-daemon's epoll_create1() returning a fd less than 3.
Later, _dbus_become_daemon() replaces fds 0-2 with /dev/null. As a
result, a subsequent call to _dbus_loop_add_watch() for the reload
pipe resulted in calling epoll_ctl on the non-epoll fd pointing to
/dev/null, which fails with EINVAL, resulting in the dbus-daemon
exiting unsuccessfully.
Unix programs are not normally expected to behave correctly when
launched with the standard fds not already open; but at the same time,
X11 autolaunching means that dbus-launch (and hence the dbus-daemon)
can get started from an arbitrarily precarious situation.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=97008
Signed-off-by: Simon McVittie <smcv@debian.org>
Reviewed-by: Thiago Macieira <thiago@kde.org>
(cherry picked from commit c8f73a2a3a9d9d10587f596a62ebb64e8963197e)
Simon McVittie [Thu, 21 Jul 2016 07:23:12 +0000 (08:23 +0100)]
_dbus_ensure_standard_fds: new function to ensure std* fds are open
This function opens stdin, stdout, stderr pointing to /dev/null
if they aren't already open. Optionally, it can also replace
whatever is available on those fds with /dev/null.
To allow for use in contexts where only async-signal-safe functions
should be used, such as between fork() and a following exec(),
this function does not use conventional libdbus error handling
(which would require malloc). Instead, it sets errno and returns
an explanatory string.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=97008
Signed-off-by: Simon McVittie <smcv@debian.org>
Reviewed-by: Thiago Macieira <thiago@kde.org>
(cherry picked from commit 69123a6bd2adabbaec1f770fc4573fc3ed4ceca6)
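The failure mode and the repair described in the two commits above, as an added example that is not libdbus code: `ensure_std_fds()` and `next_fd_in_child()` are hypothetical names, and the sketch covers only the "open if not already open" case, not the optional replacement of fds that are already open. An ordinary `open()` stands in for `epoll_create1()`, since both receive the lowest free descriptor number.

```c
/* Added illustration; these helpers are hypothetical, not libdbus functions. */
#include <errno.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Open fds 0-2 on /dev/null if they are closed. Only async-signal-safe
 * calls are used, so this is usable between fork() and exec(). Returns
 * NULL on success, else a static string with errno left set. */
static const char *ensure_std_fds(void)
{
    int devnull = -1;
    for (int fd = 0; fd <= 2; fd++) {
        if (fcntl(fd, F_GETFD) != -1 || errno != EBADF)
            continue;                       /* already open */
        if (devnull < 0) {
            devnull = open("/dev/null", O_RDWR);
            if (devnull < 0)
                return "Failed to open /dev/null";
        }
        /* open() may itself have landed on the closed fd; then no dup2 */
        if (devnull != fd && dup2(devnull, fd) < 0)
            return "Failed to dup2 /dev/null onto a standard fd";
    }
    if (devnull > 2)
        close(devnull);
    return NULL;
}

/* Fork a child, close fds 0-2 in it, optionally repair them, and report
 * the fd number its next open() received. -1, 254 and 255 mean errors. */
static int next_fd_in_child(int fix)
{
    int status = -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        close(0); close(1); close(2);
        if (fix && ensure_std_fds() != NULL)
            _exit(255);
        int fd = open("/dev/null", O_RDONLY);   /* stands in for the epoll fd */
        _exit(fd < 0 ? 254 : fd);
    }
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

Without the repair the child's new descriptor is 0, which a later "replace fds 0-2 with /dev/null" step would silently overwrite; with the repair it is 3 or higher.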
Simon McVittie [Fri, 12 Aug 2016 09:12:28 +0000 (10:12 +0100)]
NEWS for 1.10
Simon McVittie [Thu, 11 Aug 2016 15:08:39 +0000 (16:08 +0100)]
Mark WaitingForOK state as unused
It should probably be used (see #97298) but the fact that it isn't
is breaking compatibility with gcc 6, so apply a quick workaround
while we look into what's wrong here.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=97282
(cherry picked from commit 21d61180819c141e779d6ecf9919e62e768b6fd9)
Simon McVittie [Mon, 11 Jul 2016 09:52:44 +0000 (10:52 +0100)]
update-activation-environment: produce better diagnostics on error
If dbus-daemon or systemd replied to our method call with an error,
we would report it as "invalid arguments" instead of the true error
name and message.
Same root cause as <https://bugs.freedesktop.org/show_bug.cgi?id=96653>.
Signed-off-by: Simon McVittie <smcv@debian.org>
Simon McVittie [Fri, 29 Jul 2016 18:14:18 +0000 (19:14 +0100)]
NEWS for 1.10 branch
Ioan-Adrian Ratiu [Thu, 28 Jul 2016 22:19:37 +0000 (01:19 +0300)]
configure.ac: explicitly check stdint.h
Otherwise HAVE_STDINT_H will not be defined or the var will not be
picked up from cache so builds could fail with errors like:
| ../../dbus-1.10.8/dbus/dbus-internals.h:239:8: error: ‘uintptr_t’ undeclared (first use in this function)
Signed-off-by: Ioan-Adrian Ratiu <adrian.ratiu@ni.com>
[smcv: fix Autoconf underquoting]
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Simon McVittie [Mon, 25 Jul 2016 10:53:13 +0000 (11:53 +0100)]
Update NEWS for merge of dbus-1.10-ci branch
Simon McVittie [Mon, 25 Jul 2016 10:43:54 +0000 (11:43 +0100)]
Merge branch 'dbus-1.10-ci' into dbus-1.10
Simon McVittie [Thu, 30 Jun 2016 13:40:24 +0000 (14:40 +0100)]
Update NEWS
Simon McVittie [Thu, 30 Jun 2016 12:57:29 +0000 (13:57 +0100)]
Merge branch 'dbus-1.10' into dbus-1.10-ci
WaLyong Cho [Tue, 7 Jun 2016 14:26:42 +0000 (23:26 +0900)]
activation: set children oom_score_adj to 0
If dbus is running as a systemd service, the dbus daemon runs with
oom_score_adj -900 because of OOMScoreAdjust=-900, and its children
will also have the same value as the dbus daemon.
To avoid this, set the child's own value to 0 after fork ().
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=32851
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Руслан Ижбулатов [Thu, 23 Jun 2016 12:26:45 +0000 (12:26 +0000)]
Use dbus_set_error_from_message() to check for an error
Do not rely on dbus_message_get_args() to turn an ERROR message
into DBusError.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=96653
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Thiago Macieira [Tue, 29 Mar 2016 19:15:15 +0000 (12:15 -0700)]
Quote the DBUS_SESSION_BUS_ADDRESS variable in the shell file
Some D-Bus daemon versions set multiple addresses separated by semicolons,
which breaks sourcing of the file.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=94746
Signed-off-by: Thiago Macieira <thiago@kde.org>
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Simon McVittie [Mon, 16 May 2016 12:48:37 +0000 (13:48 +0100)]
travis: compile with mingw in both production and debug flavours
This should detect anything that is only a build failure when embedded
tests or verbose mode are enabled, such as the missing include fixed
in commit 4858faf. I'm not enabling embedded tests and verbose mode
orthogonally because we don't want CI builds to take too long.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Ralf Habacker <ralf.habacker@freenet.de>
(cherry picked from commit 8f6fe1451ead14b82475177f40bbc2c256cba876)
Simon McVittie [Wed, 18 May 2016 17:14:16 +0000 (18:14 +0100)]
Merge branch 'dbus-1.10' into dbus-1.10-ci
Simon McVittie [Mon, 16 May 2016 13:10:36 +0000 (14:10 +0100)]
test-segfault: add missing include of <stdio.h> on Windows
Needed for fprintf (stderr, ...).
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Ralf Habacker <ralf.habacker@freenet.de>
(cherry picked from commit 07b7dcd7178f927cd0b3a3282396b7f99c0b1d29)
Ralf Habacker [Mon, 16 May 2016 10:52:25 +0000 (12:52 +0200)]
Fix ambiguous setup of DBusBabySitter struct member child_handle on Windows.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=95191
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Ralf Habacker [Tue, 10 May 2016 14:53:57 +0000 (16:53 +0200)]
On Windows make access to member 'refcount' of struct DBusBabysitter thread safe.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=95191
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Ralf Habacker [Thu, 12 May 2016 22:56:42 +0000 (00:56 +0200)]
Eliminates a race condition accessing DBusBabysitter instance at startup of babysitter() on Windows.
Ensure that the babysitter thread already owns its one reference to the
babysitter when it starts up, which eliminates the race condition.
This patch requires that DBusBabysitter refcounting is thread-safe
and is based on an analysis and proposal by Simon McVittie.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=95191
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>