[Buildroot] [PATCH 1/1] package/dbus: security bump to version 1.12.24
Peter Korsgaard
peter at korsgaard.com
Wed Oct 19 08:02:33 UTC 2022
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice at gmail.com> writes:
> Denial of service fixes:
> Evgeny Vereshchagin discovered several ways in which an authenticated
> local attacker could cause a crash (denial of service) in
> dbus-daemon --system or a custom DBusServer. In uncommon configurations
> these could potentially be carried out by an authenticated remote
> attacker.
> • An invalid array of fixed-length elements where the length of the
> array is not a multiple of the length of the element would cause an
> assertion failure in debug builds or an out-of-bounds read in
> production builds. This was a regression in version 1.3.0.
> (dbus#413, CVE-2022-42011; Simon McVittie)
> • A syntactically invalid type signature with incorrectly nested
> parentheses and curly brackets would cause an assertion failure in
> debug builds. Similar messages could potentially result in a crash or
> incorrect message processing in a production build, although we are
> not aware of a practical example. (dbus#418, CVE-2022-42010;
> Simon McVittie)
> • A message in non-native endianness with out-of-band Unix file
> descriptors would cause a use-after-free and possible memory
> corruption in production builds, or an assertion failure in debug
> builds. This was a regression in version 1.3.0. (dbus#417,
> CVE-2022-42012; Simon McVittie)
> https://gitlab.freedesktop.org/dbus/dbus/-/blob/dbus-1.12.24/NEWS
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
Committed to 2022.08.x and 2022.02.x, thanks.
--
Bye, Peter Korsgaard
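As an added example that is not part of this patch nor of dbus's own code, the kind of check the first bullet above describes: a validator for a D-Bus array of fixed-length elements that rejects a byte length which is not a multiple of the element size (the CVE-2022-42011 condition), and also a length that overruns the buffer. Wire layout, alignment and type sizes follow the D-Bus specification; the sample buffers are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Byte size of a fixed-length D-Bus basic type (0 if the type is not
 * fixed-length). Type codes as in the D-Bus specification. */
static size_t fixed_elem_size(char type_code)
{
    switch (type_code) {
    case 'y':                               return 1; /* BYTE */
    case 'n': case 'q':                     return 2; /* INT16, UINT16 */
    case 'b': case 'i': case 'u': case 'h': return 4; /* BOOLEAN, INT32, UINT32, UNIX_FD */
    case 'x': case 't': case 'd':           return 8; /* INT64, UINT64, DOUBLE */
    default:                                return 0; /* strings, variants, containers */
    }
}

/* Decode a UINT32 in the endianness declared by the message header. */
static uint32_t read_u32(const uint8_t *p, int little_endian)
{
    if (little_endian)
        return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    return (uint32_t)p[3] | (uint32_t)p[2] << 8 | (uint32_t)p[1] << 16 | (uint32_t)p[0] << 24;
}

/* Validate an array of fixed-length elements that starts at buf[0] and must
 * lie entirely within buf[0..len). Wire layout: UINT32 body length in bytes,
 * padding up to the element's alignment, then the elements themselves.
 * Returns the element count, or -1 if the array is malformed. */
int validate_fixed_array(const uint8_t *buf, size_t len, char elem_type, int little_endian)
{
    size_t esz = fixed_elem_size(elem_type);
    if (esz == 0 || len < 4)
        return -1;
    uint32_t body_len = read_u32(buf, little_endian);
    if (body_len > (1u << 26))                  /* spec: arrays are at most 2^26 bytes */
        return -1;
    size_t start = 4;                           /* body is aligned to the element size */
    if (start % esz != 0)
        start += esz - (start % esz);
    if (start > len || body_len > len - start)  /* body must fit inside the buffer */
        return -1;
    if (body_len % esz != 0)                    /* CVE-2022-42011 condition: a partial element */
        return -1;
    return (int)(body_len / esz);
}

/* Constructed samples, element type 'i' (INT32), little-endian. */
const uint8_t SAMPLE_OK[]  = { 8,0,0,0,  1,0,0,0,  2,0,0,0 }; /* 8 bytes = 2 elements */
const uint8_t SAMPLE_BAD[] = { 6,0,0,0,  1,0,0,0,  2,0,0,0 }; /* 6 is not a multiple of 4 */
```

A fixed build of dbus performs this class of validation before any element is dereferenced; in an unfixed build, the SAMPLE_BAD layout is the shape that leads to the out-of-bounds read described above.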