* [PATCH 0/1] Dbus update 1.10.12 for core-updates
@ 2016-10-10 17:44 Leo Famulari
2016-10-10 17:44 ` [PATCH 1/1] gnu: dbus: Update to 1.10.12 Leo Famulari
` (2 more replies)
0 siblings, 3 replies; 9+ messages in thread
From: Leo Famulari @ 2016-10-10 17:44 UTC (permalink / raw)
To: guix-devel
There's a format string vulnerability (with unknown impact) in our dbus:
http://seclists.org/oss-sec/2016/q4/85
Please read that message and the linked bug report.
My understanding of the upsream analysis of the format string
vulnerability is that only the bus owner can trigger it. So, if the
vulnerability allows arbitrary code execution, it would mean that root
could execute arbitrary code via the system bus... not a huge problem.
But still undesirable.
What do you think? Should we update this on core-updates? Should we
graft it on master?
Leo Famulari (1):
gnu: dbus: Update to 1.10.12.
gnu/packages/glib.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--
2.10.1
^ permalink raw reply [flat|nested] 9+ messages in thread
* [PATCH 1/1] gnu: dbus: Update to 1.10.12.
2016-10-10 17:44 [PATCH 0/1] Dbus update 1.10.12 for core-updates Leo Famulari
@ 2016-10-10 17:44 ` Leo Famulari
2016-10-10 18:10 ` [PATCH 0/1] Dbus update 1.10.12 for core-updates Kei Kebreau
2016-10-10 20:57 ` Ludovic Courtès
2 siblings, 0 replies; 9+ messages in thread
From: Leo Famulari @ 2016-10-10 17:44 UTC (permalink / raw)
To: guix-devel
* gnu/packages/glib.scm (dbus): Update to 1.10.12.
---
gnu/packages/glib.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gnu/packages/glib.scm b/gnu/packages/glib.scm
index 7e247d3..e7419fd 100644
--- a/gnu/packages/glib.scm
+++ b/gnu/packages/glib.scm
@@ -64,7 +64,7 @@
(define dbus
(package
(name "dbus")
- (version "1.10.10")
+ (version "1.10.12")
(source (origin
(method url-fetch)
(uri (string-append
@@ -72,7 +72,7 @@
version ".tar.gz"))
(sha256
(base32
- "0hwsfczhx2djmc9116vj5v230i7gpjihwh3vbljs1ldlk831v3wx"))
+ "0pa71vf5c0d7k3gni06iascmplj0j5g70wbc833ayvi71d1pj2i1"))
(patches (search-patches "dbus-helper-search-path.patch"))))
(build-system gnu-build-system)
(arguments
--
2.10.1
^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [PATCH 0/1] Dbus update 1.10.12 for core-updates
2016-10-10 17:44 [PATCH 0/1] Dbus update 1.10.12 for core-updates Leo Famulari
2016-10-10 17:44 ` [PATCH 1/1] gnu: dbus: Update to 1.10.12 Leo Famulari
@ 2016-10-10 18:10 ` Kei Kebreau
2016-10-10 18:39 ` John Darrington
2016-10-10 20:57 ` Ludovic Courtès
2 siblings, 1 reply; 9+ messages in thread
From: Kei Kebreau @ 2016-10-10 18:10 UTC (permalink / raw)
To: Leo Famulari; +Cc: guix-devel
[-- Attachment #1: Type: text/plain, Size: 935 bytes --]
Leo Famulari <leo@famulari.name> writes:
> There's a format string vulnerability (with unknown impact) in our dbus:
>
> http://seclists.org/oss-sec/2016/q4/85
>
> Please read that message and the linked bug report.
>
> My understanding of the upsream analysis of the format string
> vulnerability is that only the bus owner can trigger it. So, if the
> vulnerability allows arbitrary code execution, it would mean that root
> could execute arbitrary code via the system bus... not a huge problem.
> But still undesirable.
>
> What do you think? Should we update this on core-updates? Should we
> graft it on master?
>
> Leo Famulari (1):
> gnu: dbus: Update to 1.10.12.
>
> gnu/packages/glib.scm | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
Excuse my ignorance, but when is a patch considered significant enough
to be updated on core-updates instead of master? Put another way, what
is the purpose of core-updates?
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 818 bytes --]
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH 0/1] Dbus update 1.10.12 for core-updates
2016-10-10 18:10 ` [PATCH 0/1] Dbus update 1.10.12 for core-updates Kei Kebreau
@ 2016-10-10 18:39 ` John Darrington
2016-10-10 19:30 ` Kei Kebreau
0 siblings, 1 reply; 9+ messages in thread
From: John Darrington @ 2016-10-10 18:39 UTC (permalink / raw)
To: Kei Kebreau; +Cc: guix-devel
[-- Attachment #1: Type: text/plain, Size: 737 bytes --]
On Mon, Oct 10, 2016 at 02:10:24PM -0400, Kei Kebreau wrote:
Excuse my ignorance, but when is a patch considered significant enough
to be updated on core-updates instead of master? Put another way, what
is the purpose of core-updates?
Core updates is for those things near the root of the dependency tree.
Changing these things causes a large amount of other things to be rebuilt.
Therefore, the core-updates branch is built very much less frequently than
master.
J'
--
Avoid eavesdropping. Send strong encrypted email.
PGP Public key ID: 1024D/2DE827B3
fingerprint = 8797 A26D 0854 2EAB 0285 A290 8A67 719C 2DE8 27B3
See http://sks-keyservers.net or any PGP keyserver for public key.
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 181 bytes --]
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH 0/1] Dbus update 1.10.12 for core-updates
2016-10-10 18:39 ` John Darrington
@ 2016-10-10 19:30 ` Kei Kebreau
0 siblings, 0 replies; 9+ messages in thread
From: Kei Kebreau @ 2016-10-10 19:30 UTC (permalink / raw)
To: John Darrington; +Cc: guix-devel
[-- Attachment #1: Type: text/plain, Size: 974 bytes --]
John Darrington <john@darrington.wattle.id.au> writes:
> On Mon, Oct 10, 2016 at 02:10:24PM -0400, Kei Kebreau wrote:
>
> Excuse my ignorance, but when is a patch considered significant enough
> to be updated on core-updates instead of master? Put another way, what
> is the purpose of core-updates?
>
> Core updates is for those things near the root of the dependency tree.
> Changing these things causes a large amount of other things to be rebuilt.
> Therefore, the core-updates branch is built very much less frequently than
> master.
>
> J'
In that case, I think that this patch can go into core-updates, since an
updated dbus appears to require an amount of updates similar to that of
some other packages updated in core-updates. The security threat from this
package seems relatively low to me as well.
I'd weigh more experienced opinions more heavily than my own,
though. I'm still observing how core-updates works. :-)
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 818 bytes --]
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH 0/1] Dbus update 1.10.12 for core-updates
2016-10-10 17:44 [PATCH 0/1] Dbus update 1.10.12 for core-updates Leo Famulari
2016-10-10 17:44 ` [PATCH 1/1] gnu: dbus: Update to 1.10.12 Leo Famulari
2016-10-10 18:10 ` [PATCH 0/1] Dbus update 1.10.12 for core-updates Kei Kebreau
@ 2016-10-10 20:57 ` Ludovic Courtès
2016-10-12 16:41 ` Leo Famulari
2 siblings, 1 reply; 9+ messages in thread
From: Ludovic Courtès @ 2016-10-10 20:57 UTC (permalink / raw)
To: Leo Famulari; +Cc: guix-devel
Hello!
Leo Famulari <leo@famulari.name> skribis:
> There's a format string vulnerability (with unknown impact) in our dbus:
>
> http://seclists.org/oss-sec/2016/q4/85
>
> Please read that message and the linked bug report.
>
> My understanding of the upsream analysis of the format string
> vulnerability is that only the bus owner can trigger it. So, if the
> vulnerability allows arbitrary code execution, it would mean that root
> could execute arbitrary code via the system bus... not a huge problem.
> But still undesirable.
Yeah, seems hard to exploit. Apparently even if we’re not using systemd
activations we could be vulnerable, because it’s about how specific
messages are processed, IIUC.
> What do you think? Should we update this on core-updates?
I think so.
> Should we graft it on master?
Unless there are possible ABI incompatibilies, it probably doesn’t hurt
to do that.
Thank you!
Ludo’.
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH 0/1] Dbus update 1.10.12 for core-updates
2016-10-10 20:57 ` Ludovic Courtès
@ 2016-10-12 16:41 ` Leo Famulari
2016-10-13 20:19 ` Ludovic Courtès
0 siblings, 1 reply; 9+ messages in thread
From: Leo Famulari @ 2016-10-12 16:41 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: guix-devel
On Mon, Oct 10, 2016 at 10:57:47PM +0200, Ludovic Courtès wrote:
> Yeah, seems hard to exploit. Apparently even if we’re not using systemd
> activations we could be vulnerable, because it’s about how specific
> messages are processed, IIUC.
>
> > What do you think? Should we update this on core-updates?
>
> I think so.
Okay. Just to clarify, this will trigger >1000 rebuilds.
>
> > Should we graft it on master?
>
> Unless there are possible ABI incompatibilies, it probably doesn’t hurt
> to do that.
According to the dbus README, the offer a stable ABI within each stable
release series:
https://dbus.freedesktop.org/doc/README
But, I found that the regular approach to grafting does not work for our
dbus package. Presumably, it's because (gnu packages glib) exports dbus
before defining it.
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH 0/1] Dbus update 1.10.12 for core-updates
2016-10-12 16:41 ` Leo Famulari
@ 2016-10-13 20:19 ` Ludovic Courtès
2016-10-14 3:01 ` Leo Famulari
0 siblings, 1 reply; 9+ messages in thread
From: Ludovic Courtès @ 2016-10-13 20:19 UTC (permalink / raw)
To: Leo Famulari; +Cc: guix-devel
Leo Famulari <leo@famulari.name> skribis:
> On Mon, Oct 10, 2016 at 10:57:47PM +0200, Ludovic Courtès wrote:
>> Yeah, seems hard to exploit. Apparently even if we’re not using systemd
>> activations we could be vulnerable, because it’s about how specific
>> messages are processed, IIUC.
>>
>> > What do you think? Should we update this on core-updates?
>>
>> I think so.
>
> Okay. Just to clarify, this will trigger >1000 rebuilds.
Well the answer was valid on Oct. 10th ;-), but at this point of the
build progress I agree that it’s kinda problematic would probably
recommend grafting.
What are your thoughts?
>>
>> > Should we graft it on master?
>>
>> Unless there are possible ABI incompatibilies, it probably doesn’t hurt
>> to do that.
>
> According to the dbus README, the offer a stable ABI within each stable
> release series:
>
> https://dbus.freedesktop.org/doc/README
>
> But, I found that the regular approach to grafting does not work for our
> dbus package. Presumably, it's because (gnu packages glib) exports dbus
> before defining it.
The #:export at the top shouldn’t make any difference. In what way does
it not work? :-)
Could it be an instance of <http://bugs.gnu.org/24418>?
Ludo’.
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH 0/1] Dbus update 1.10.12 for core-updates
2016-10-13 20:19 ` Ludovic Courtès
@ 2016-10-14 3:01 ` Leo Famulari
0 siblings, 0 replies; 9+ messages in thread
From: Leo Famulari @ 2016-10-14 3:01 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: guix-devel
[-- Attachment #1: Type: text/plain, Size: 1040 bytes --]
On Thu, Oct 13, 2016 at 10:19:56PM +0200, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> skribis:
> > But, I found that the regular approach to grafting does not work for our
> > dbus package. Presumably, it's because (gnu packages glib) exports dbus
> > before defining it.
>
> The #:export at the top shouldn’t make any difference. In what way does
> it not work? :-)
I think I must have made some mistake before — it works for me now and I
just pushed it to master and core-updates.
> Could it be an instance of <http://bugs.gnu.org/24418>?
I did a quick test with the package 'lash' and lash does refer to the
grafted dbus:
$ ./pre-inst-env guix build dbus --no-grafts
/gnu/store/bmlkg9mbqj1k0y7kdq2rdll42aicglyk-dbus-1.10.8
$ ./pre-inst-env guix build dbus
/gnu/store/j8zrqkcdp849q391hj9wrbz3a98zs128-dbus-1.10.8
$ guix gc --references $(./pre-inst-env guix build lash) | grep dbus
/gnu/store/j8zrqkcdp849q391hj9wrbz3a98zs128-dbus-1.10.8
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]
^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2016-10-14 3:01 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-10-10 17:44 [PATCH 0/1] Dbus update 1.10.12 for core-updates Leo Famulari
2016-10-10 17:44 ` [PATCH 1/1] gnu: dbus: Update to 1.10.12 Leo Famulari
2016-10-10 18:10 ` [PATCH 0/1] Dbus update 1.10.12 for core-updates Kei Kebreau
2016-10-10 18:39 ` John Darrington
2016-10-10 19:30 ` Kei Kebreau
2016-10-10 20:57 ` Ludovic Courtès
2016-10-12 16:41 ` Leo Famulari
2016-10-13 20:19 ` Ludovic Courtès
2016-10-14 3:01 ` Leo Famulari
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).