pkgsrc-Changes archive
CVS commit: pkgsrc/sysutils/dbus
Module Name: pkgsrc
Committed By: wiz
Date: Mon Jan 5 23:25:20 UTC 2015
Modified Files:
pkgsrc/sysutils/dbus: Makefile distinfo
Log Message:
Update to 1.8.14:
D-Bus 1.8.14 (2015-01-05)
==
The “40lb of roofing nails” release.
Security hardening:
• Do not allow calls to UpdateActivationEnvironment from uids other than
the uid of the dbus-daemon. If a system service installs unsafe
security policy rules that allow arbitrary method calls
(such as CVE-2014-8148) then this prevents memory consumption and
possible privilege escalation via UpdateActivationEnvironment.
We believe that in practice, privilege escalation here is avoided
by dbus-daemon-launch-helper sanitizing its environment; but
it seems better to be safe.
• Do not allow calls to UpdateActivationEnvironment or the Stats interface
on object paths other than /org/freedesktop/DBus. Some system services
install unsafe security policy rules that allow arbitrary method calls
to any destination, method and interface with a specified object path;
while less bad than allowing arbitrary method calls, these security
policies are still harmful, since dbus-daemon normally offers the
same API on all object paths and other system services might behave
similarly.
Other fixes:
• Add missing initialization so GetExtendedTcpTable doesn't crash on
Windows Vista SP0 (fd.o #77008, Илья А. Ткаченко)
To generate a diff of this commit:
cvs rdiff -u -r1.76 -r1.77 pkgsrc/sysutils/dbus/Makefile
cvs rdiff -u -r1.61 -r1.62 pkgsrc/sysutils/dbus/distinfo
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
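
An added example, not part of the commit or of D-Bus itself: a small audit of bus policy XML for the two kinds of rule the release notes call unsafe, an <allow> that permits arbitrary method calls and one restricted only by object path. The sample policy, its service names and the audit_policy helper are constructed for illustration, and the check is a heuristic that treats a rule as narrowed only when it sets send_destination, send_interface or send_member.

```python
"""Flag D-Bus policy <allow> rules that do not restrict what may be sent."""
import xml.etree.ElementTree as ET

# Attributes that narrow a send rule to one service, interface or method.
NARROWING = ("send_destination", "send_interface", "send_member")

# Constructed sample policy; all service names and paths are hypothetical.
SAMPLE_POLICY = """<!DOCTYPE busconfig PUBLIC
 "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <policy user="root">
    <allow own="org.example.Daemon"/>
  </policy>
  <policy context="default">
    <allow send_type="method_call"/>
    <allow send_path="/org/example/Daemon"/>
    <allow send_destination="org.example.Daemon"
           send_interface="org.example.Daemon.Status"/>
    <deny send_destination="org.example.Daemon" send_member="Shutdown"/>
  </policy>
</busconfig>
"""


def audit_policy(xml_text):
    """Return (kind, policy_attrs, rule_attrs) for each over-broad allow rule."""
    findings = []
    root = ET.fromstring(xml_text)
    for policy in root.iter("policy"):
        for rule in policy.findall("allow"):
            attrs = rule.attrib
            if not any(name.startswith("send_") for name in attrs):
                continue  # own=, receive_*, user= and similar: not a send rule
            if attrs.get("send_type", "method_call") != "method_call":
                continue  # rule covers only signals, replies or errors
            if any(name in attrs for name in NARROWING):
                continue  # narrowed to a service, interface or method
            # Nothing left but an optional object path restricts the call.
            kind = "path-only" if "send_path" in attrs else "arbitrary"
            findings.append((kind, dict(policy.attrib), dict(attrs)))
    return findings


if __name__ == "__main__":
    for kind, policy, rule in audit_policy(SAMPLE_POLICY):
        print(f"{kind}: policy {policy} allows {rule}")
```
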