Merge branch 'dbus-1.8'

Conflicts: NEWS configure.ac
2025-12-23 23:30:09 +01:00 · 2014-11-24 13:05:09 +00:00 · 2014-11-24 13:05:09 +00:00 · 2bc75daa2c
commit 2bc75daa2c
parent 1f1649eada 4afb7a7412
3 changed files with 27 additions and 1 deletions
--- a/18
+++ b/18
@ -3,6 +3,24 @@ D-Bus 1.9.4 (UNRELEASED)

 Fixes:

+• Partially revert the CVE-2014-3639 patch by increasing the default
+  authentication timeout on the system bus from 5 seconds back to 30
+  seconds, since this has been reported to cause boot regressions for
+  some users, mostly with parallel boot (systemd) on slower hardware.
+
+  On fast systems where local users are considered particularly hostile,
+  administrators can return to the 5 second timeout (or any other value
+  in milliseconds) by saving this as /etc/dbus-1/system-local.conf:
+
+  <busconfig>
+    <limit name="auth_timeout">5000</limit>
+  </busconfig>
+
+  (fd.o #86431, Simon McVittie)
+
+• Add a message in syslog/the Journal when the auth_timeout is exceeded
+  (fd.o #86431, Simon McVittie)
+
 • Send back an AccessDenied error if the addressed recipient is not allowed
  to receive a message (and in builds with assertions enabled, don't
  assert under the same conditions). (fd.o #86194, Jacek Bukarewicz)
--- a/bus/config-parser.c
+++ b/bus/config-parser.c
@ -438,7 +438,7 @@ bus_config_parser_new (const DBusString      *basedir,
       * and legitimate auth will fail.  If interactive auth (ask user for
       * password) is allowed, then potentially it has to be quite long.
       */
-      parser->limits.auth_timeout = 5000; /* 5 seconds */
+      parser->limits.auth_timeout = 30000; /* 30 seconds */

      /* Do not allow a fd to stay forever in dbus-daemon
       * https://bugs.freedesktop.org/show_bug.cgi?id=80559
--- a/bus/connection.c
+++ b/bus/connection.c
@ -860,6 +860,14 @@ bus_connections_expire_incomplete (BusConnections *connections)

          if (elapsed >= (double) auth_timeout)
            {
+              /* Unfortunately, we can't identify the connection: it doesn't
+               * have a unique name yet, we don't know its uid/pid yet,
+               * and so on. */
+              bus_context_log (connections->context, DBUS_SYSTEM_LOG_INFO,
+                  "Connection has not authenticated soon enough, closing it "
+                  "(auth_timeout=%dms, elapsed: %.0fms)",
+                  auth_timeout, elapsed);
+
              _dbus_verbose ("Timing out authentication for connection %p\n", connection);
              dbus_connection_close (connection);
            }