From 6d7cdd7f8b5b36c66de08ec0b0006d4c6f5d5f28 Mon Sep 17 00:00:00 2001
From: Will Dietz
Date: Tue, 11 Jun 2019 17:03:50 -0500
Subject: [PATCH] dbus: 1.12.14 -> 1.12.16
https://gitlab.freedesktop.org/dbus/dbus/blob/dbus-1.12.16/NEWS
It's short and explains the CVE a bit, including below:
> CVE-2019-12749: Do not attempt to carry out DBUS_COOKIE_SHA1
> authentication for identities that differ from the user running the
> DBusServer. Previously, a local attacker could manipulate symbolic
> links in their own home directory to bypass authentication and connect
> to a DBusServer with elevated privileges. The standard system and
> session dbus-daemons in their default configuration were immune to this
> attack because they did not allow DBUS_COOKIE_SHA1, but third-party
> users of DBusServer such as Upstart could be vulnerable. Thanks to Joe
> Vennix of Apple Information Security. (dbus#269, Simon McVittie)
---
 pkgs/development/libraries/dbus/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkgs/development/libraries/dbus/default.nix b/pkgs/development/libraries/dbus/default.nix
index 60d0cc81d2bc..abc32b90c6b8 100644
--- a/pkgs/development/libraries/dbus/default.nix
+++ b/pkgs/development/libraries/dbus/default.nix
@@ -6,8 +6,8 @@ assert x11Support -> libX11 != null && libSM != null;
 let
- version = "1.12.14";
- sha256 = "13aca7gzgl7z1dfdipfs23773w8n6z01d4rj5kmssv4gms8c5ya4";
+ version = "1.12.16";
+ sha256 = "107ckxaff1cv4q6kmfdi2fb1nlsv03312a7kf6lb4biglhpjv8jl";
 self = stdenv.mkDerivation {
 name = "dbus-${version}";