Subject: CVS commit: pkgsrc/sysutils/dbus
From: Thomas Klausner
Date: 2015-08-30 17:08:00
Message id: 20150830150800.7E73E98@cvs.netbsd.org

Log Message:
Update to 1.10.0:

D-Bus 1.10.0 (2015-08-25)
==

The “0x20” release.

This is a new stable branch, recommended for use in OS distributions.

Fixes since 1.9.20:

• distribute test/tap-test.sh.in, even if the tarball was built without
  tests enabled (fd.o #91684, Simon McVittie)
• work around a fd leak in libcap-ng < 0.7.7 (fd.o #91684, Simon McVittie)

Summary of major changes since 1.8.0:

• The basic setup for the well-known system and session buses is
  now done in read-only files in ${datadir} (normally /usr/share).
  See the NEWS entry for 1.9.18 for details.

• AppArmor integration has been merged, with features similar to the
  pre-existing SELinux integration. It is mostly compatible with the
  patches previously shipped by Ubuntu, with one significant change:
  Ubuntu's GetConnectionAppArmorSecurityContext method has been superseded
  by GetConnectionCredentials and was not included.

• The --enable-user-session configure option can be enabled
  by OS integrators intending to use systemd to provide a session bus
  per user (in effect, treating all concurrent graphical and non-graphical
  login sessions as one large session).

• The new listenable address mode "unix:runtime=yes" listens on
  $XDG_RUNTIME_DIR/bus, the same AF_UNIX socket used by the systemd
  user session. libdbus and "dbus-launch --autolaunch" will connect to
  this address by default. GLib ≥ 2.45.3 and sd-bus ≥ 209 have a
  matching default.

• All executables are now dynamically linked to libdbus-1.
  Previously, some executables, most notably dbus-daemon, were statically
  linked to a specially-compiled variant of libdbus. This results in
  various private functions in the _dbus namespace being exposed by the
  shared library. These are not API, and must not be used outside
  the dbus source tree.

• On platforms with ELF symbol versioning, all public symbols
  are versioned LIBDBUS_1_3.

New bus APIs:

• org.freedesktop.DBus.GetConnectionCredentials returns
  LinuxSecurityLabel where supported
• org.freedesktop.DBus.Monitoring interface (privileged)
  · BecomeMonitor method supersedes match rules with eavesdrop=true,
    which are now deprecated
• org.freedesktop.DBus.Stats interface (semi-privileged)
  · now enabled by default
  · new GetAllMatchRules method

New executables:

• dbus-test-tool
• dbus-update-activation-environment

New optional dependencies:

• The systemd: pseudo-transport requires libsystemd or libsd-daemon
• Complete documentation requires Ducktype and yelp-tools
• Full test coverage requires GLib 2.36 and PyGI
• AppArmor integration requires libapparmor and optionally libaudit

Dependencies removed:

• dbus-glib

D-Bus 1.9.20 (2015-08-06)
==

The “Remember Tomorrow” release.

This is a release-candidate for D-Bus 1.10.0. OS distribution vendors
should test it.

Fixes:

• Don't second-guess what the ABI of poll() is, allowing it to be used
  on Integrity RTOS and other unusual platforms (fd.o #90314;
  Rolland Dudemaine, Simon McVittie)

• Don't duplicate audit subsystem integration if AppArmor and SELinux are
  both enabled (fd.o #89225, Simon McVittie)

• Log audit events for AppArmor/SELinux policy violations whenever
  we have CAP_AUDIT_WRITE, even if not the system bus
  (fd.o #83856, Laurent Bigonville)

D-Bus 1.9.18 (2015-07-21)
==

The “Pirate Elite” release.

Configuration changes:

• The basic setup for the well-known system and session buses is now done
  in read-only files in ${datadir}, moving a step closer to systems
  that can operate with an empty /etc directory. In increasing order
  of precedence:

  · ${datadir}/dbus-1/s*.conf now perform the basic setup such as setting
    the default message policies.
  · ${sysconfdir}/dbus-1/s*.conf are now optional. By default
    dbus still installs a trivial version of each, for documentation
    purposes; putting configuration directives in these files is deprecated.
  · ${datadir}/dbus-1/s*.d/ are now available for third-party software
    to install "drop-in" configuration snippets (any packages
    using those directories should explicitly depend on at least this
    version of dbus).
  · ${sysconfdir}/dbus-1/s*.d/ are also still available for sysadmins
    or third-party software to install "drop-in" configuration snippets
  · ${sysconfdir}/dbus-1/s*-local.conf are still available for sysadmins'
    overrides

  ${datadir} is normally /usr/share, ${sysconfdir} is normally /etc,
  and "s*" refers to either system or session as appropriate.

  (fd.o #89280, Dimitri John Ledkov)

Fixes:

• Fix a memory leak when GetConnectionCredentials() succeeds
  (fd.o #91008, Jacek Bukarewicz)

• Ensure that dbus-monitor does not reply to messages intended for others,
  resulting in its own disconnection (fd.o #90952, Simon McVittie)

D-Bus 1.9.16 (2015-05-14)
==

The “titanium barns” release.

Dependencies:

• Automake 1.13 is now required when compiling from git or modifying
  the build system.

Security hardening:

• On Unix platforms, change the default configuration for the session bus
  to only allow EXTERNAL authentication (secure kernel-mediated
  credentials-passing), as was already done for the system bus.

  This avoids falling back to DBUS_COOKIE_SHA1, which relies on strongly
  unpredictable pseudo-random numbers.

  If you are using D-Bus over the (unencrypted!) tcp: or nonce-tcp: transport,
  in conjunction with DBUS_COOKIE_SHA1 and a shared home directory using
  NFS or similar, you will need to reconfigure the session bus to accept
  DBUS_COOKIE_SHA1 by commenting out the <auth> element. This configuration
  is not recommended.

  (fd.o #90414, Simon McVittie)

• When asked for random numbers for DBUS_COOKIE_SHA1, the nonce-tcp:
  transport, UUIDs or any other reason, fail if we cannot obtain entropy
  (from /dev/urandom or CryptGenRandom()) or an out-of-memory condition
  occurs, instead of silently falling back to low-entropy pseudorandom
  numbers from rand(). (fd.o #90414; Simon McVittie, Ralf Habacker)

Enhancements:

• Add dbus_message_iter_get_element_count()
  (fd.o #30350; Christian Dywan, Simon McVittie)

• Introduce new internal DBusSocket and DBusPollable types so we can
  stop treating the Windows SOCKET type as if it was int. DBusSocket
  is specifically a socket, cross-platform. DBusPollable is whatever
  _dbus_poll() can act on, i.e. a fd on Unix or a SOCKET on Windows.
  (fd.o #89444; Ralf Habacker, Simon McVittie)

• All regression tests now output TAP <https://testanything.org/>
  (fd.o #89846, Simon McVittie)

• Internal APIs consistently use signed values for timestamps
  (fd.o #18494, Peter McCurdy)

• Improve diagnostics when UpdateActivationEnvironment calls are rejected
  (fd.o #88812, Simon McVittie)

• Clean up a lot of compiler warnings
  (fd.o #17289, fd.o #89284; Ralf Habacker, Simon McVittie)

Fixes:

• Add locking to DBusCounter's reference count and notify function
  (fd.o #89297, Adrian Szyndela)

• Ensure that DBusTransport's reference count is protected by the
  corresponding DBusConnection's lock (fd.o #90312, Adrian Szyndela)

• Correctly release DBusServer mutex before early-return if we run out
  of memory while copying authentication mechanisms (fd.o #90021,
  Ralf Habacker)

• Make dbus-test-tool and dbus-update-activation-environment portable
  to Windows (fd.o #90089, Ralf Habacker)

• Correctly initialize all fields of DBusTypeReader (fd.o #90021;
  Ralf Habacker, Simon McVittie)

• Fix some missing \n in verbose (debug log) messages (fd.o #90004,
  Ralf Habacker)

• Clean up some memory and fd leaks in test code and tools
  (fd.o #90021, Ralf Habacker)

• Fix a NULL dereference if the dbus-daemon cannot read a configuration
  directory for a reason that is not ENOENT (fd.o #90021, Ralf Habacker)

• CMake generates a versioned shared library even if the revision is 0,
  as it usually is on the development branch. (fd.o #89450, Ralf Habacker)

D-Bus 1.9.14 (2015-03-02)
==

The “don't stand in the poison cloud” release.

Dependencies:

• dbus-daemon and dbus-daemon-launch-helper now require libdbus. They
  were previously linked to a static version of libdbus.

• The tests no longer require dbus-glib in order to exercise the libdbus
  shared library; they are always linked to libdbus now.

Build-time configuration:

• The new --enable-user-session option, off by default, can be enabled
  by OS integrators intending to use systemd to provide a session bus
  per user (in effect, treating all concurrent graphical and non-graphical
  login sessions as one large session)

Enhancements:

• All executables are now linked dynamically to libdbus.
  (fd.o #83115; Bertrand SIMONNET, Simon McVittie, Ralf Habacker)

• On platforms that support them (GNU libc and possibly others),
  libdbus now has versioned symbols for its public API.
  All public symbols (visible in the header files) are currently
  versioned as LIBDBUS_1_3; private symbols starting with _dbus or
  dbus_internal have a version that changes with each release, and
  must not be used by applications. (also fd.o #83115)

• New listenable address mode "unix:runtime=yes" which listens on
  a real filesystem (non-abstract) socket $XDG_RUNTIME_DIR/bus
  (fd.o #61303; Colin Walters, Alexander Larsson, Simon McVittie)

• Add optional systemd units for a per-user bus listening on
  $XDG_RUNTIME_DIR/bus (fd.o #61301; Simon McVittie, Colin Walters)

• On Unix platforms, both libdbus and "dbus-launch --autolaunch"
  default to connecting to $XDG_RUNTIME_DIR/bus if it is a socket
  (also fd.o #61301)

• New dbus-update-activation-environment tool uploads environment
  variables to "dbus-daemon --session" and optionally "systemd \ 
--user",
  primarily as a way to keep the per-user bus compatible with
  distributions' existing X11 login scripts (also fd.o #61301)

• <includedir/> elements in dbus-daemon configuration are now silently
  ignored if the directory does not exist. (fd.o #89280, Dimitri John Ledkov)

• Add microsecond-resolution timestamps to the default output of
  dbus-monitor and dbus-send (fd.o #88896; Ralf Habacker, Simon McVittie)

Fixes:

• Fix a race condition in the 'monitor' test introduced in 1.9.10
  (fd.o #89222, Simon McVittie)

D-Bus 1.9.12 (2015-02-19)
==

The “monster lasagna” release.

Dependencies:

• Ducktype and yelp-tools are now required to build complete documentation
  (they are optional for normal builds).

Enhancements:

• D-Bus Specification version 0.26
  · GetConnectionCredentials can return LinuxSecurityLabel or WindowsSID
  · document the BecomeMonitor method

• On Linux, add LinuxSecurityLabel to GetConnectionCredentials
  (fd.o #89041; Tyler Hicks, Simon McVittie)

• On Linux, add support for AppArmor mediation of message sending and
  receiving and name ownership (paralleling existing SELinux mediation
  support), and eavesdropping (a new check, currently AppArmor-specific)
  (fd.o #75113; John Johansen, Tyler Hicks, Simon McVittie)

• In dbus-send and dbus-monitor, pretty-print \0-terminated bytestrings
  that have printable ASCII contents; we previously only did this for
  unterminated bytestrings (fd.o #89109, Simon McVittie)

• Add a guide to designing good D-Bus APIs (fd.o #88994, Philip Withnall)

• On Windows, add WindowsSID to GetConnectionCredentials
  (fd.o #54445, Ralf Habacker)

• Improve clarity of dbus-monitor --profile output and add more columns
  (fd.o #89165, Ralf Habacker)

• Add a man page for dbus-test-tool, and build it under CMake as well
  as Autotools (fd.o#89086, Simon McVittie)

• If dbus-daemon was compiled with --enable-verbose, add a D-Bus API
  to control it at runtime, overriding the DBUS_VERBOSE environment variable
  (fd.o #88896, Ralf Habacker)

Fixes:

• Reduce the number of file descriptors used in the fd-passing test,
  avoiding failure under the default Linux fd limit, and automatically
  skip it if the rlimit is too small (fd.o #88998, Simon McVittie)

D-Bus 1.9.10 (2015-02-09)
==

The “sad cyborgs” release.

Security fixes merged from 1.8.16:

• Do not allow non-uid-0 processes to send forged ActivationFailure
  messages. On Linux systems with systemd activation, this would
  allow a local denial of service: unprivileged processes could
  flood the bus with these forged messages, winning the race with
  the actual service activation and causing an error reply
  to be sent back when service auto-activation was requested.
  This does not prevent the real service from being started,
  so the attack only works while the real service is not running.
  (CVE-2015-0245, fd.o #88811; Simon McVittie)

Enhancements:

• The new Monitoring interface in the dbus-daemon lets dbus-monitor and
  similar tools receive messages without altering the security properties
  of the system bus, by calling the new BecomeMonitor method on a
  private connection. This bypasses the normal <allow> and <deny> rules
  entirely, so to preserve normal message-privacy assumptions, only root
  is allowed to do this on the system bus. Restricted environments,
  such as Linux with LSMs, should lock down access to the Monitoring
  interface. (fd.o #46787, Simon McVittie)

• dbus-monitor uses BecomeMonitor to capture more traffic, if the
  dbus-daemon supports it and access permissions allow it.
  It still supports the previous approach ("eavesdropping" match rules)
  for compatibility with older bus daemons. (fd.o #46787, Simon)

• dbus-monitor can now log the message stream as binary data for later
  analysis, with either no extra framing beyond the normal D-Bus headers,
  or libpcap-compatible framing treating each D-Bus message
  as a captured packet. (fd.o #46787, Simon)

Other fixes:

• Fix some CMake build regressions (fd.o #88964, Ralf Habacker)

• On Unix, forcibly terminate regression tests after 60 seconds to
  prevent them from blocking continuous integration frameworks
  (fd.o #46787, Simon)

D-Bus 1.9.8 (2015-02-03)
==

The “all the types of precipitation” release.

Dependencies:

• full test coverage now requires GLib 2.36
• full test coverage now requires PyGI (PyGObject 3,
  "import gi.repository.GObject") instead of the
  obsolete PyGObject 2 ("import gobject")

Enhancements:

• add GLib-style "installed tests" (fd.o #88810, Simon McVittie)

• better regression test coverage, including systemd activation
  (fd.o #57952, #88810; Simon McVittie)

Fixes:

• fatal errors correctly make the dbus-daemon exit even if <syslog/> is
  turned off (fd.o #88808, Simon McVittie)

• TCP sockets on Windows no longer fail to listen approximately 1 time
  in 256, caused by a logic error that should have always made it fail but
  was mitigated by incorrect endianness for the port number
  (fd.o #87999, Ralf Habacker)

• fix some Windows build failures (fd.o #88009, #88010; Ralf Habacker)

• on Windows, allow up to 8K connections to the dbus-daemon instead of the
  previous 64, completing a previous fix which only worked under
  Autotools (fd.o #71297, Ralf Habacker)

• on Windows, if the IP family is unspecified only use IPv4,
  to mitigate IPv6 not working correctly (fd.o #87999, Ralf Habacker)

• fix some unlikely memory leaks on OOM (fd.o #88087, Simon McVittie)

• lcov code coverage analysis works again (fd.o #88808, Simon McVittie)

• fix an unused function error with --disable-embedded-tests (fd.o #87837,
  Thiago Macieira)

D-Bus 1.9.6 (2015-01-05)
==

The “I do have a bread knife” release.

Security hardening:

• Do not allow calls to UpdateActivationEnvironment from uids other than
  the uid of the dbus-daemon. If a system service installs unsafe
  security policy rules that allow arbitrary method calls
  (such as CVE-2014-8148) then this prevents memory consumption and
  possible privilege escalation via UpdateActivationEnvironment.

  We believe that in practice, privilege escalation here is avoided
  by dbus-daemon-launch-helper sanitizing its environment; but
  it seems better to be safe.

• Do not allow calls to UpdateActivationEnvironment or the Stats interface
  on object paths other than /org/freedesktop/DBus. Some system services
  install unsafe security policy rules that allow arbitrary method calls
  to any destination, method and interface with a specified object path;
  while less bad than allowing arbitrary method calls, these security
  policies are still harmful, since dbus-daemon normally offers the
  same API on all object paths and other system services might behave
  similarly.

Other fixes:

• Add missing initialization so GetExtendedTcpTable doesn't crash on
  Windows Vista SP0 (fd.o #77008, Илья А. \ 
Ткаченко)

D-Bus 1.9.4 (2014-11-24)
==

The “extra-sturdy caramel” release.

Fixes:

• Partially revert the CVE-2014-3639 patch by increasing the default
  authentication timeout on the system bus from 5 seconds back to 30
  seconds, since this has been reported to cause boot regressions for
  some users, mostly with parallel boot (systemd) on slower hardware.

  On fast systems where local users are considered particularly hostile,
  administrators can return to the 5 second timeout (or any other value
  in milliseconds) by saving this as /etc/dbus-1/system-local.conf:

  <busconfig>
    <limit name="auth_timeout">5000</limit>
  </busconfig>

  (fd.o #86431, Simon McVittie)

• Add a message in syslog/the Journal when the auth_timeout is exceeded
  (fd.o #86431, Simon McVittie)

• Send back an AccessDenied error if the addressed recipient is not allowed
  to receive a message (and in builds with assertions enabled, don't
  assert under the same conditions). (fd.o #86194, Jacek Bukarewicz)

D-Bus 1.9.2 (2014-11-10)
==

The “structurally unsound flapjack” release.

Security fixes:

• Increase dbus-daemon's RLIMIT_NOFILE rlimit to 65536
  so that CVE-2014-3636 part A cannot exhaust the system bus'
  file descriptors, completing the incomplete fix in 1.8.8.
  (CVE-2014-7824, fd.o #85105; Simon McVittie, Alban Crequy)

Enhancements:

• D-Bus Specification version 0.25
  · new value 'const' for EmitsChangedSignal annotation
    (fd.o #72958, Lennart Poettering)
  · new ALLOW_INTERACTIVE_AUTHORIZATION flag, for PolicyKit and similar
    (fd.o #83449; Lennart Poettering, Simon McVittie)
  · annotate table of types with reserved/basic/container, and for
    basic types, fixed/string-like
  · clarify arbitrary limits by quoting them in mebibytes

• New API: add accessors for the ALLOW_INTERACTIVE_AUTHORIZATION flag
  (fd.o #83449, Simon McVittie)

• Add dbus-test-tool, a D-Bus swiss army knife with multiple subcommands,
  useful for debugging and performance testing:
  · dbus-test-tool spam: send repeated messages
  · dbus-test-tool echo: send an empty reply for all method calls
  · dbus-test-tool black-hole: do not reply to method calls
  (fd.o #34140; Alban Crequy, Simon McVittie, Will Thompson)

• Add support for process ID in credentials-passing on NetBSD
  (fd.o #69702, Patrick Welche)

• Add an example script to find potentially undesired match rules
  (fd.o #84598, Alban Crequy)

• Document the central assumption that makes our use of credentials-passing
  secure (fd.o #83499, Simon McVittie)

• Replace the dbus-glib section of the tutorial with a GDBus recommendation,
  and add some links to GDBus and QtDBus documentation (fd.o #25140,
  Simon McVittie)

Fixes:

• Use a less confusing NoReply message when disconnected with a reply pending
  (fd.o #76112, Simon McVittie)

• Make the .pc file relocatable by letting pkg-config do all variable
  expansion itself (fd.o #75858, Руслан \ 
Ижбулатов)

• Fix a build failure on platforms with kqueue, which regressed in 1.9.0
  (fd.o #85563, Patrick Welche)

• Consistently save errno after socket calls (fd.o #83625, Simon McVittie)

• In dbus-spawn, when the grandchild process exits due to a failed exec(),
  do not lose the exec() errno (fd.o #24821, Simon McVittie)

• Do not fail the tests if a parent process has leaked non-close-on-exec
  file descriptors to us (fd.o #73689, fd.o #83899; Simon McVittie)

• Do not fail the tests on Unix platforms with incomplete
  credentials-passing support, but do fail if we can't pass credentials
  on a platform where it is known to work: Linux, FreeBSD, OpenBSD, NetBSD
  (fd.o #69702, Simon McVittie)

• Detect accept4, dirfd, inotify_init1, pipe2, and Unix fd passing
  when building with cmake, and expand test coverage there
  (fd.o #73689; Ralf Habacker, Simon McVittie)

D-Bus 1.9.0 (2014-10-01)
==

The “tiered cheeses” release.

Requirements:

• Support for the systemd: (LISTEN_FDS) pseudo-transport on Linux now
  requires either the libsystemd or libsd-daemon shared library, dropping the
  embedded convenience copy of sd-daemon (fd.o #71818, Simon)

Build-time configuration changes:

• The Stats interface is now enabled by default, and locked-down to
  root-only on the system bus. Configure with --disable-stats
  to disable it altogether on memory- or disk-constrained systems,
  or see ${docdir}/examples/ to open it up to non-root users on the
  system bus or restrict access on the session bus.
  (fd.o #80759; Simon McVittie, Alban Crequy)

• The CMake build system now builds the same shared library name as Autotools
  on at least Linux and Windows:
  - on Linux (and perhaps other Unix platforms), it previously built
    libdbus-1.so, but now builds libdbus-1.so.3.* with development
    symlink libdbus-1.so and SONAME/symlink libdbus-1.so.3
  - on Windows, it previously built either libdbus-1.dll (release) or
    libdbus-1d.dll (debug), but now builds libdbus-1-3.dll, copied to
    libdbus-1.dll for compatibility with older applications.
  (fd.o #74117, Ralf Habacker)

Enhancements:

• D-Bus Specification version 0.24
  · document how to quote match rules (fd.o #24307, Simon McVittie)
  · explicitly say that most message types never expect a reply
    regardles of whether they have NO_REPLY_EXPECTED
    (fd.o #75749, Simon McVittie)

• on Unix platforms, disable Nagle's algorithm on TCP connections to improve
  initial latency (fd.o #75544, Matt Hoosier)

• use backtrace() if it is in -lexecinfo instead of libc, as on NetBSD
  (fd.o #69702, Patrick Welche)

• in dbus-monitor, print more information about file descriptors
  (fd.o #80603, Alban Crequy)

• do not install system bus configuration if built for Windows
  (fd.o #83583; Ralf Habacker, Simon McVittie)

• Add GetAllMatchRules to the Stats interface (fd.o #24307, Alban Crequy)

• Add a regression test for file descriptor passing (fd.o #83622,
  Simon McVittie)

Fixes:

• fix an incorrect error message if a Unix socket path is too long
  (fd.o #73887, Antoine Jacoutot)

• in an MSYS/Cygwin environment, pass Unix-style filenames to xmlto,
  fixing documentation generation (fd.o #75860, Руслан \ 
Ижбулатов)

• in Unix with X11, avoid giving dbus-launch a misleading argv[0]
  in ps(1) (fd.o #69716, Chengwei Yang)

• avoid calling poll() with timeout < -1, which is considered invalid
  on FreeBSD and NetBSD (fd.o #78480, Jaap Boender)

• be portable to BSD-derived platforms where O_CLOEXEC is unavailable in libc
  (like Mac OS X 10.6), or available in libc but unsupported by the kernel
  (fd.o #77032; rmvsxop, OBATA Akio, Patrick Welche)

• Fix include path for test/internal/*.c with cmake (Ralf Habacker)

• Documentation improvements
  (fd.o #80795, #84313; Thomas Haller, Sebastian Rasmussen)

• in dbus-monitor, do not leak file descriptors that we have monitored
  (fd.o #80603, Alban Crequy)

• Set the close-on-exec flag for the inotify file descriptor, even
  if built with CMake or older libc (fd.o #73689, Simon McVittie)

• Remove some LGPL code from the Windows dbus-daemon
  (fd.o #57272, Ralf Habacker)

Files:
RevisionActionfile
1.86modifypkgsrc/sysutils/dbus/Makefile
1.20modifypkgsrc/sysutils/dbus/PLIST
1.66modifypkgsrc/sysutils/dbus/distinfo
1.4modifypkgsrc/sysutils/dbus/patches/patch-ak
1.11removepkgsrc/sysutils/dbus/patches/patch-aa
1.3removepkgsrc/sysutils/dbus/patches/patch-ba
1.2removepkgsrc/sysutils/dbus/patches/patch-bus_dir-watch-kqueue.c
1.3removepkgsrc/sysutils/dbus/patches/patch-configure
1.2removepkgsrc/sysutils/dbus/patches/patch-dbus_dbus-sysdeps-unix.c