unofficial mirror of guix-devel@gnu.org 
* [PATCH 0/1] Dbus update 1.10.12 for core-updates
@ 2016-10-10 17:44 Leo Famulari
  2016-10-10 17:44 ` [PATCH 1/1] gnu: dbus: Update to 1.10.12 Leo Famulari
                   ` (2 more replies)
  0 siblings, 3 replies; 9+ messages in thread
From: Leo Famulari @ 2016-10-10 17:44 UTC (permalink / raw)
  To: guix-devel

There's a format string vulnerability (with unknown impact) in our dbus:

http://seclists.org/oss-sec/2016/q4/85

Please read that message and the linked bug report.

My understanding of the upstream analysis of the format string
vulnerability is that only the bus owner can trigger it. So, if the
vulnerability allows arbitrary code execution, it would mean that root
could execute arbitrary code via the system bus... not a huge problem.
But still undesirable.

What do you think? Should we update this on core-updates? Should we
graft it on master?

Leo Famulari (1):
  gnu: dbus: Update to 1.10.12.

 gnu/packages/glib.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

-- 
2.10.1

^ permalink raw reply	[flat|nested] 9+ messages in thread

* [PATCH 1/1] gnu: dbus: Update to 1.10.12.
  2016-10-10 17:44 [PATCH 0/1] Dbus update 1.10.12 for core-updates Leo Famulari
@ 2016-10-10 17:44 ` Leo Famulari
  2016-10-10 18:10 ` [PATCH 0/1] Dbus update 1.10.12 for core-updates Kei Kebreau
  2016-10-10 20:57 ` Ludovic Courtès
  2 siblings, 0 replies; 9+ messages in thread
From: Leo Famulari @ 2016-10-10 17:44 UTC (permalink / raw)
  To: guix-devel

* gnu/packages/glib.scm (dbus): Update to 1.10.12.
---
 gnu/packages/glib.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/glib.scm b/gnu/packages/glib.scm
index 7e247d3..e7419fd 100644
--- a/gnu/packages/glib.scm
+++ b/gnu/packages/glib.scm
@@ -64,7 +64,7 @@
 (define dbus
   (package
     (name "dbus")
-    (version "1.10.10")
+    (version "1.10.12")
     (source (origin
               (method url-fetch)
               (uri (string-append
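Review bot: the commit message at the top of this patch ("gnu: dbus: Update to 1.10.12.") gives no reason for the bump, while the cover letter motivates it with the format string fix reported at http://seclists.org/oss-sec/2016/q4/85; add one line to the commit message citing that report (and the CVE id, if one gets assigned) so that whoever later decides whether the graft on master can be dropped can see from `git log` that this version change was a security fix and not a routine update.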
@@ -72,7 +72,7 @@
                     version ".tar.gz"))
               (sha256
                (base32
-                "0hwsfczhx2djmc9116vj5v230i7gpjihwh3vbljs1ldlk831v3wx"))
+                "0pa71vf5c0d7k3gni06iascmplj0j5g70wbc833ayvi71d1pj2i1"))
               (patches (search-patches "dbus-helper-search-path.patch"))))
     (build-system gnu-build-system)
     (arguments
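Review bot: the new sha256 value is the only thing that binds this package to the upstream 1.10.12 tarball, and nothing in the hunk shows how it was obtained; before pushing, re-fetch the tarball from the `uri` built above (for example with `guix download`) and confirm it prints the same base32 string, so the hash is known to come from the upstream URL rather than a copy of unknown origin. Also check that the unchanged context line `(patches (search-patches "dbus-helper-search-path.patch"))` still applies cleanly to the 1.10.12 sources: a version bump that leaves the patch untouched is only correct if the patched file did not move or change upstream.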
-- 
2.10.1


* Re: [PATCH 0/1] Dbus update 1.10.12 for core-updates
  2016-10-10 17:44 [PATCH 0/1] Dbus update 1.10.12 for core-updates Leo Famulari
  2016-10-10 17:44 ` [PATCH 1/1] gnu: dbus: Update to 1.10.12 Leo Famulari
@ 2016-10-10 18:10 ` Kei Kebreau
  2016-10-10 18:39   ` John Darrington
  2016-10-10 20:57 ` Ludovic Courtès
  2 siblings, 1 reply; 9+ messages in thread
From: Kei Kebreau @ 2016-10-10 18:10 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel


Leo Famulari <leo@famulari.name> writes:

> There's a format string vulnerability (with unknown impact) in our dbus:
>
> http://seclists.org/oss-sec/2016/q4/85
>
> Please read that message and the linked bug report.
>
> My understanding of the upstream analysis of the format string
> vulnerability is that only the bus owner can trigger it. So, if the
> vulnerability allows arbitrary code execution, it would mean that root
> could execute arbitrary code via the system bus... not a huge problem.
> But still undesirable.
>
> What do you think? Should we update this on core-updates? Should we
> graft it on master?
>
> Leo Famulari (1):
>   gnu: dbus: Update to 1.10.12.
>
>  gnu/packages/glib.scm | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)

Excuse my ignorance, but when is a patch considered significant enough
to be updated on core-updates instead of master? Put another way, what
is the purpose of core-updates?



* Re: [PATCH 0/1] Dbus update 1.10.12 for core-updates
  2016-10-10 18:10 ` [PATCH 0/1] Dbus update 1.10.12 for core-updates Kei Kebreau
@ 2016-10-10 18:39   ` John Darrington
  2016-10-10 19:30     ` Kei Kebreau
  0 siblings, 1 reply; 9+ messages in thread
From: John Darrington @ 2016-10-10 18:39 UTC (permalink / raw)
  To: Kei Kebreau; +Cc: guix-devel


On Mon, Oct 10, 2016 at 02:10:24PM -0400, Kei Kebreau wrote:
     
     Excuse my ignorance, but when is a patch considered significant enough
     to be updated on core-updates instead of master? Put another way, what
     is the purpose of core-updates?

Core updates is for those things near the root of the dependency tree.
Changing these things causes a large amount of other things to be rebuilt.
Therefore, the core-updates branch is built very much less frequently than
master.

J'



-- 
Avoid eavesdropping.  Send strong encrypted email.
PGP Public key ID: 1024D/2DE827B3 
fingerprint = 8797 A26D 0854 2EAB 0285  A290 8A67 719C 2DE8 27B3
See http://sks-keyservers.net or any PGP keyserver for public key.




* Re: [PATCH 0/1] Dbus update 1.10.12 for core-updates
  2016-10-10 18:39   ` John Darrington
@ 2016-10-10 19:30     ` Kei Kebreau
  0 siblings, 0 replies; 9+ messages in thread
From: Kei Kebreau @ 2016-10-10 19:30 UTC (permalink / raw)
  To: John Darrington; +Cc: guix-devel


John Darrington <john@darrington.wattle.id.au> writes:

> On Mon, Oct 10, 2016 at 02:10:24PM -0400, Kei Kebreau wrote:
>      
>      Excuse my ignorance, but when is a patch considered significant enough
>      to be updated on core-updates instead of master? Put another way, what
>      is the purpose of core-updates?
>
> Core updates is for those things near the root of the dependency tree.
> Changing these things causes a large amount of other things to be rebuilt.
> Therefore, the core-updates branch is built very much less frequently than
> master.
>
> J'

In that case, I think that this patch can go into core-updates, since an
updated dbus appears to require an amount of updates similar to that of
some other packages updated in core-updates. The security threat from this
package seems relatively low to me as well.

I'd weigh more experienced opinions more heavily than my own,
though. I'm still observing how core-updates works. :-)



* Re: [PATCH 0/1] Dbus update 1.10.12 for core-updates
  2016-10-10 17:44 [PATCH 0/1] Dbus update 1.10.12 for core-updates Leo Famulari
  2016-10-10 17:44 ` [PATCH 1/1] gnu: dbus: Update to 1.10.12 Leo Famulari
  2016-10-10 18:10 ` [PATCH 0/1] Dbus update 1.10.12 for core-updates Kei Kebreau
@ 2016-10-10 20:57 ` Ludovic Courtès
  2016-10-12 16:41   ` Leo Famulari
  2 siblings, 1 reply; 9+ messages in thread
From: Ludovic Courtès @ 2016-10-10 20:57 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel

Hello!

Leo Famulari <leo@famulari.name> skribis:

> There's a format string vulnerability (with unknown impact) in our dbus:
>
> http://seclists.org/oss-sec/2016/q4/85
>
> Please read that message and the linked bug report.
>
> My understanding of the upstream analysis of the format string
> vulnerability is that only the bus owner can trigger it. So, if the
> vulnerability allows arbitrary code execution, it would mean that root
> could execute arbitrary code via the system bus... not a huge problem.
> But still undesirable.

Yeah, seems hard to exploit.  Apparently even if we’re not using systemd
activations we could be vulnerable, because it’s about how specific
messages are processed, IIUC.

> What do you think? Should we update this on core-updates?

I think so.

> Should we graft it on master?

Unless there are possible ABI incompatibilities, it probably doesn’t hurt
to do that.

Thank you!

Ludo’.


* Re: [PATCH 0/1] Dbus update 1.10.12 for core-updates
  2016-10-10 20:57 ` Ludovic Courtès
@ 2016-10-12 16:41   ` Leo Famulari
  2016-10-13 20:19     ` Ludovic Courtès
  0 siblings, 1 reply; 9+ messages in thread
From: Leo Famulari @ 2016-10-12 16:41 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: guix-devel

On Mon, Oct 10, 2016 at 10:57:47PM +0200, Ludovic Courtès wrote:
> Yeah, seems hard to exploit.  Apparently even if we’re not using systemd
> activations we could be vulnerable, because it’s about how specific
> messages are processed, IIUC.
> 
> > What do you think? Should we update this on core-updates?
> 
> I think so.

Okay. Just to clarify, this will trigger >1000 rebuilds.

> 
> > Should we graft it on master?
> 
> Unless there are possible ABI incompatibilities, it probably doesn’t hurt
> to do that.

According to the dbus README, they offer a stable ABI within each stable
release series:

https://dbus.freedesktop.org/doc/README

But, I found that the regular approach to grafting does not work for our
dbus package. Presumably, it's because (gnu packages glib) exports dbus
before defining it.


* Re: [PATCH 0/1] Dbus update 1.10.12 for core-updates
  2016-10-12 16:41   ` Leo Famulari
@ 2016-10-13 20:19     ` Ludovic Courtès
  2016-10-14  3:01       ` Leo Famulari
  0 siblings, 1 reply; 9+ messages in thread
From: Ludovic Courtès @ 2016-10-13 20:19 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel

Leo Famulari <leo@famulari.name> skribis:

> On Mon, Oct 10, 2016 at 10:57:47PM +0200, Ludovic Courtès wrote:
>> Yeah, seems hard to exploit.  Apparently even if we’re not using systemd
>> activations we could be vulnerable, because it’s about how specific
>> messages are processed, IIUC.
>> 
>> > What do you think? Should we update this on core-updates?
>> 
>> I think so.
>
> Okay. Just to clarify, this will trigger >1000 rebuilds.

Well the answer was valid on Oct. 10th ;-), but at this point of the
build progress I agree that it’s kinda problematic and I would probably
recommend grafting.

What are your thoughts?

>> 
>> > Should we graft it on master?
>> 
>> Unless there are possible ABI incompatibilities, it probably doesn’t hurt
>> to do that.
>
> According to the dbus README, they offer a stable ABI within each stable
> release series:
>
> https://dbus.freedesktop.org/doc/README
>
> But, I found that the regular approach to grafting does not work for our
> dbus package. Presumably, it's because (gnu packages glib) exports dbus
> before defining it.

The #:export at the top shouldn’t make any difference.  In what way does
it not work?  :-)

Could it be an instance of <http://bugs.gnu.org/24418>?

Ludo’.


* Re: [PATCH 0/1] Dbus update 1.10.12 for core-updates
  2016-10-13 20:19     ` Ludovic Courtès
@ 2016-10-14  3:01       ` Leo Famulari
  0 siblings, 0 replies; 9+ messages in thread
From: Leo Famulari @ 2016-10-14  3:01 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: guix-devel


On Thu, Oct 13, 2016 at 10:19:56PM +0200, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> skribis:
> > But, I found that the regular approach to grafting does not work for our
> > dbus package. Presumably, it's because (gnu packages glib) exports dbus
> > before defining it.
> 
> The #:export at the top shouldn’t make any difference.  In what way does
> it not work?  :-)

I think I must have made some mistake before — it works for me now and I
just pushed it to master and core-updates.

> Could it be an instance of <http://bugs.gnu.org/24418>?

I did a quick test with the package 'lash' and lash does refer to the
grafted dbus:

$ ./pre-inst-env guix build dbus --no-grafts
/gnu/store/bmlkg9mbqj1k0y7kdq2rdll42aicglyk-dbus-1.10.8
$ ./pre-inst-env guix build dbus
/gnu/store/j8zrqkcdp849q391hj9wrbz3a98zs128-dbus-1.10.8
$ guix gc --references $(./pre-inst-env guix build lash) | grep dbus
/gnu/store/j8zrqkcdp849q391hj9wrbz3a98zs128-dbus-1.10.8


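The check in the message above (build the package with and without grafts, then look at what a dependent refers to) turned into a small script, as an added shell example that is not part of the thread or of Guix itself. It takes the three pieces of output those commands print and decides whether the dependent really points at the grafted build. The point it makes explicit is that a graft keeps the original name and version, so both dbus outputs are called `dbus-1.10.8` and only the hash part of the store path distinguishes them; grepping for "dbus" alone, as in the message, is not enough to tell which one you got. The two dbus store paths are the ones from the message; the other reference lines, the `lash` path and the `check_graft`, `store_name` and `store_hash` helper names are constructed for this example.

```shell
#!/bin/sh
# Added example (not code from the thread): decide whether a graft took effect
# by inspecting a dependent's references. A graft replaces a store item with a
# same-named item whose hash differs, so only the hash can tell them apart.

# The two dbus paths are the ones shown in the message. The remaining lines
# stand in for a real `guix gc --references` listing; their hashes and the
# lash version are constructed placeholders, not real store items.
UNGRAFTED=/gnu/store/bmlkg9mbqj1k0y7kdq2rdll42aicglyk-dbus-1.10.8
GRAFTED=/gnu/store/j8zrqkcdp849q391hj9wrbz3a98zs128-dbus-1.10.8
REFS_OK='/gnu/store/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-glibc-2.23
/gnu/store/j8zrqkcdp849q391hj9wrbz3a98zs128-dbus-1.10.8
/gnu/store/yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy-lash-0.6.0'
REFS_BAD='/gnu/store/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-glibc-2.23
/gnu/store/bmlkg9mbqj1k0y7kdq2rdll42aicglyk-dbus-1.10.8
/gnu/store/yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy-lash-0.6.0'

# name-version part of a store path, e.g. "dbus-1.10.8"
store_name() {
    printf '%s\n' "$1" | sed 's|^/gnu/store/[a-z0-9]*-||'
}

# 32-character hash part of a store path
store_hash() {
    printf '%s\n' "$1" | sed 's|^/gnu/store/\([a-z0-9]*\)-.*|\1|'
}

# check_graft UNGRAFTED GRAFTED REFS
#   REFS is the output of `guix gc --references <dependent>`, one path per
#   line. Succeeds (exit 0) only when REFS contains GRAFTED, does not contain
#   UNGRAFTED, and the two are genuinely different store items.
check_graft() {
    ungrafted=$1 grafted=$2 refs=$3

    # A graft normally keeps name-version identical, as in the message above;
    # a mismatch is worth a look but is not itself a failure.
    if [ "$(store_name "$ungrafted")" != "$(store_name "$grafted")" ]; then
        echo "warning: name-version differs between grafted and ungrafted builds" >&2
    fi

    # Same hash means `guix build` returned the same item twice: no graft.
    if [ "$(store_hash "$ungrafted")" = "$(store_hash "$grafted")" ]; then
        echo "error: grafted and ungrafted outputs are identical; no graft applied" >&2
        return 1
    fi

    # -x: whole-line match, -F: literal string, -q: no output
    if printf '%s\n' "$refs" | grep -qxF "$ungrafted"; then
        echo "FAIL: dependent still refers to ungrafted $ungrafted" >&2
        return 1
    fi
    if printf '%s\n' "$refs" | grep -qxF "$grafted"; then
        echo "OK: dependent refers to grafted $grafted"
        return 0
    fi
    echo "FAIL: dependent refers to neither build of $(store_name "$grafted")" >&2
    return 1
}

# Stand-alone run over the constructed sample: prints the OK line.
check_graft "$UNGRAFTED" "$GRAFTED" "$REFS_OK"
```

In practice the three inputs come from `guix build <pkg> --no-grafts`, `guix build <pkg>` and `guix gc --references $(guix build <dependent>)`, exactly as in the message; the script only replaces the eyeballing step. To see up front how many packages a non-grafted update would rebuild (the ">1000" figure mentioned earlier in the thread), `guix refresh -l <pkg>` lists the dependents.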
