Update NEWS

Signed-off-by: Simon McVittie <smcv@collabora.com>
2026-05-05 11:08:03 +02:00 · 2022-10-05 10:26:35 +01:00 · 2022-10-05 10:26:35 +01:00 · 0ba4ba3d64
commit 0ba4ba3d64
parent bef693f442
1 changed files with 24 additions and 0 deletions
--- a/24
+++ b/24
@ -23,6 +23,30 @@ Behaviour changes:
  directory, with the chroot or container.
  (dbus#416, Simon McVittie)

+Denial of service fixes:
+
+Evgeny Vereshchagin discovered several ways in which an authenticated
+local attacker could cause a crash (denial of service) in
+dbus-daemon --system or a custom DBusServer. In uncommon configurations
+these could potentially be carried out by an authenticated remote attacker.
+
+• An invalid array of fixed-length elements where the length of the array
+  is not a multiple of the length of the element would cause an assertion
+  failure in debug builds or an out-of-bounds read in production builds.
+  This was a regression in version 1.3.0.
+  (dbus#413, CVE-2022-42011; Simon McVittie)
+
+• A syntactically invalid type signature with incorrectly nested parentheses
+  and curly brackets would cause an assertion failure in debug builds.
+  Similar messages could potentially result in a crash or incorrect message
+  processing in a production build, although we are not aware of a practical
+  example. (dbus#418, CVE-2022-42010; Simon McVittie)
+
+• A message in non-native endianness with out-of-band Unix file descriptors
+  would cause a use-after-free and possible memory corruption in production
+  builds, or an assertion failure in debug builds. This was a regression in
+  version 1.3.0. (dbus#417, CVE-2022-42012; Simon McVittie)
+
 dbus 1.15.0 (2022-09-22)
 ========================