https://gitlab.freedesktop.org/dbus/dbus/blob/dbus-1.12.16/NEWS
It's short and explains the CVE a bit, including below:
> CVE-2019-12749: Do not attempt to carry out DBUS_COOKIE_SHA1
> authentication for identities that differ from the user running the
> DBusServer. Previously, a local attacker could manipulate symbolic
> links in their own home directory to bypass authentication and connect
> to a DBusServer with elevated privileges. The standard system and
> session dbus-daemons in their default configuration were immune to this
> attack because they did not allow DBUS_COOKIE_SHA1, but third-party
> users of DBusServer such as Upstart could be vulnerable. Thanks to Joe
> Vennix of Apple Information Security. (dbus#269, Simon McVittie)
This is rebuilt virtually every time a NixOS module is enabled or
disabled, so I don't think it makes sense to have it substituted.
It gets in the way of trivial config changes when I would otherwise be
able to rebuild my system entirely offline.
* treewide: http -> https sources
This updates the source urls of all top-level packages from http to
https where possible.
* buildtorrent: fix url and tab -> spaces
Semi-automatic update generated by https://github.com/ryantm/nixpkgs-update tools.
This update was made based on information from https://repology.org/metapackage/dbus/versions.
These checks were done:
- built on NixOS
- ran ‘/nix/store/q2p724wzbngs5qrv96s2mny5bhsnm3jk-dbus-1.12.8/bin/dbus-monitor --help’ got 0 exit code
- ran ‘/nix/store/q2p724wzbngs5qrv96s2mny5bhsnm3jk-dbus-1.12.8/bin/dbus-update-activation-environment help’ got 0 exit code
- ran ‘/nix/store/q2p724wzbngs5qrv96s2mny5bhsnm3jk-dbus-1.12.8/bin/dbus-cleanup-sockets -h’ got 0 exit code
- ran ‘/nix/store/q2p724wzbngs5qrv96s2mny5bhsnm3jk-dbus-1.12.8/bin/dbus-cleanup-sockets --help’ got 0 exit code
- ran ‘/nix/store/q2p724wzbngs5qrv96s2mny5bhsnm3jk-dbus-1.12.8/bin/dbus-cleanup-sockets help’ got 0 exit code
- ran ‘/nix/store/q2p724wzbngs5qrv96s2mny5bhsnm3jk-dbus-1.12.8/bin/dbus-run-session -h’ got 0 exit code
- ran ‘/nix/store/q2p724wzbngs5qrv96s2mny5bhsnm3jk-dbus-1.12.8/bin/dbus-run-session --help’ got 0 exit code
- ran ‘/nix/store/q2p724wzbngs5qrv96s2mny5bhsnm3jk-dbus-1.12.8/bin/dbus-uuidgen --help’ got 0 exit code
- ran ‘/nix/store/q2p724wzbngs5qrv96s2mny5bhsnm3jk-dbus-1.12.8/bin/dbus-launch -h’ got 0 exit code
- ran ‘/nix/store/q2p724wzbngs5qrv96s2mny5bhsnm3jk-dbus-1.12.8/bin/dbus-launch --help’ got 0 exit code
- found 1.12.8 with grep in /nix/store/q2p724wzbngs5qrv96s2mny5bhsnm3jk-dbus-1.12.8
- directory tree listing: https://gist.github.com/598fa486a7a2da2a0887e0899dd2ed27
Semi-automatic update generated by https://github.com/ryantm/nixpkgs-update tools.
This update was made based on information from https://repology.org/metapackage/dbus/versions.
These checks were done:
- built on NixOS
- ran ‘/nix/store/2fb87ah2lsvnzlah1mkdiwsrv8p01yh6-dbus-1.12.6/bin/dbus-monitor --help’ got 0 exit code
- ran ‘/nix/store/2fb87ah2lsvnzlah1mkdiwsrv8p01yh6-dbus-1.12.6/bin/dbus-cleanup-sockets -h’ got 0 exit code
- ran ‘/nix/store/2fb87ah2lsvnzlah1mkdiwsrv8p01yh6-dbus-1.12.6/bin/dbus-cleanup-sockets --help’ got 0 exit code
- ran ‘/nix/store/2fb87ah2lsvnzlah1mkdiwsrv8p01yh6-dbus-1.12.6/bin/dbus-cleanup-sockets help’ got 0 exit code
- ran ‘/nix/store/2fb87ah2lsvnzlah1mkdiwsrv8p01yh6-dbus-1.12.6/bin/dbus-run-session -h’ got 0 exit code
- ran ‘/nix/store/2fb87ah2lsvnzlah1mkdiwsrv8p01yh6-dbus-1.12.6/bin/dbus-run-session --help’ got 0 exit code
- ran ‘/nix/store/2fb87ah2lsvnzlah1mkdiwsrv8p01yh6-dbus-1.12.6/bin/dbus-uuidgen --help’ got 0 exit code
- ran ‘/nix/store/2fb87ah2lsvnzlah1mkdiwsrv8p01yh6-dbus-1.12.6/bin/dbus-launch -h’ got 0 exit code
- ran ‘/nix/store/2fb87ah2lsvnzlah1mkdiwsrv8p01yh6-dbus-1.12.6/bin/dbus-launch --help’ got 0 exit code
- found 1.12.6 with grep in /nix/store/2fb87ah2lsvnzlah1mkdiwsrv8p01yh6-dbus-1.12.6
- directory tree listing: https://gist.github.com/f7926c86c6572ac1a02dab3468dbbb95
First of all, these "documents" are not really documentation, so it
really doesn't make much sense to put them into $doc.
The main point however is that the installer tests are failing since
this was introduced in ac0cdc1952.
One way to circumvent this is putting dbus.doc into
system.extraDependencies of the installer tests, but given the first
point this sounds a bit odd to me.
So I went for the second way of putting it into $out, because it's now
basically necessary to build a NixOS system.
With this the NixOS installer tests should now work again, although I
have only tested this with the installer.simple test.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @abbradar
The problem with using libxslt as buildInputs is that the dev output is
used for building the dbus config.
This is one of the reasons why the installer tests are failing since
ac0cdc1952, because the tests do not have
libxslt.dev in their closure and really shouldn't.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @abbradar
This is the output of the builder:

    building path(s) `/nix/store/khkcfb8433i9mabb6wnb8ik6p9skg644-dbus-1'
    error : connection refused
    error : connection refused

However, even when using --nonet we'd still get this:

    I/O error : Attempt to load network entity
    http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd

So in order to avoid this, we now provide an XML catalog file, mapping
the public URLs to the local DTD paths inside the store instead of using
--path (which doesn't seem to work with xsltproc).

Tested this by comparing the SHA256 (nix-hash --type sha256) of the
output path generated by:

    nix-build -E '(import ./. {}).makeDBusConf {
      suidHelper = "SUIDHELPER";
      serviceDirectories = [ "SERVICEDIR1" "SERVICEDIR1" ];
    }'

... with the SHA256 of the generated output path prior to this commit
and they have the same hash:

    6f3f9594b12fddbff9407b85252b6f649da11f56b7fd514f761966c11399a7ab
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @abbradar
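
The catalog approach described in the commit message above, as an added example that is not part of the commit or of nixpkgs: an XML catalog rewrites the DTD's public URL prefix to a local directory, so `xsltproc --nonet` resolves it without touching the network. The function names, the temporary directory layout and the DTD, config and stylesheet contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from nixpkgs). Function names and all file contents are
# constructed; only the DTD URL comes from the error message quoted above.
DTD_URL_PREFIX="http://www.freedesktop.org/standards/dbus/1.0/"

# write_catalog <catalog-file> <local-dtd-dir>: map the public URL prefix
# to a local directory so the resolver never needs the network.
write_catalog() {
    cat > "$1" <<EOF
<?xml version="1.0"?>
<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog">
  <rewriteSystem systemIdStartString="$DTD_URL_PREFIX"
                 rewritePrefix="file://$2/"/>
</catalog>
EOF
}

# make_fixture <dir>: constructed stand-ins for the DTD, config and stylesheet.
make_fixture() {
    mkdir -p "$1/dtd"
    printf '%s\n' '<!ELEMENT busconfig (type)>' '<!ELEMENT type (#PCDATA)>' \
        > "$1/dtd/busconfig.dtd"
    cat > "$1/in.conf" <<EOF
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "${DTD_URL_PREFIX}busconfig.dtd">
<busconfig><type>system</type></busconfig>
EOF
    cat > "$1/id.xsl" <<'EOF'
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="@*|node()">
    <xsl:copy><xsl:apply-templates select="@*|node()"/></xsl:copy>
  </xsl:template>
</xsl:stylesheet>
EOF
}

# render_offline <dir>: run the transform with network fetches forbidden.
render_offline() {
    XML_CATALOG_FILES="$1/catalog.xml" xsltproc --nonet "$1/id.xsl" "$1/in.conf"
}

# offline_ok <dir>: true only if no network entity load was attempted.
offline_ok() {
    err=$(render_offline "$1" 2>&1 >/dev/null) || return 1
    ! printf '%s\n' "$err" | grep -q 'network entity'
}
# Usage: d=$(mktemp -d); make_fixture "$d"
#        write_catalog "$d/catalog.xml" "$d/dtd"; offline_ok "$d" && echo ok
```

Without the catalog, `xsltproc --nonet` may still exit 0 while printing the "Attempt to load network entity" error, which is why `offline_ok` inspects stderr rather than relying on the exit code alone.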
Use XSLT transform to modify stock dbus configuration file. This is needed
because some dbus components don't support <include> so we need to put our
core configuration in the main file.
The following changes are included:
1) install user unit files from upstream dbus
2) use absolute paths to config for --system and --session instances
3) make socket activation of user units configurable
There have been a number of PRs to address this, so this one does the
bare minimum, which is to make the functionality available and
configurable but defaults to off.
Related PRs:
- #18382
- #18222
(cherry picked from commit f7215c9b5b)
Signed-off-by: Domen Kožar <domen@dev.si>
This reverts commit d088e0621e.
The D-Bus update breaks logind and polkit.
(cherry picked from commit 2e06e5eb36)
Hydra had rebuilt this on staging, fixing many test problems.
There were also phonon changes in these rebuilds, but the amount of
binaries affected by them is relatively low and I'm not yet fully
convinced of their stability.