Update NEWS

Signed-off-by: Simon McVittie <smcv@collabora.com>

NEWS

@@ -23,16 +23,41 @@ Behaviour changes:
   directory, with the chroot or container.
   (dbus#416, Simon McVittie)
 
-Fixes:
+Denial of service fixes:
+
+Evgeny Vereshchagin discovered several ways in which an authenticated
+local attacker could cause a crash (denial of service) in
+dbus-daemon --system or a custom DBusServer. In uncommon configurations
+these could potentially be carried out by an authenticated remote attacker.
+
+• An invalid array of fixed-length elements where the length of the array
+  is not a multiple of the length of the element would cause an assertion
+  failure in debug builds or an out-of-bounds read in production builds.
+  This was a regression in version 1.3.0.
+  (dbus#413, CVE-2022-42011; Simon McVittie)
+
+• A syntactically invalid type signature with incorrectly nested parentheses
+  and curly brackets would cause an assertion failure in debug builds.
+  Similar messages could potentially result in a crash or incorrect message
+  processing in a production build, although we are not aware of a practical
+  example. (dbus#418, CVE-2022-42010; Simon McVittie)
+
+• A message in non-native endianness with out-of-band Unix file descriptors
+  would cause a use-after-free and possible memory corruption in production
+  builds, or an assertion failure in debug builds. This was a regression in
+  version 1.3.0. (dbus#417, CVE-2022-42012; Simon McVittie)
+
+Non-security bug fixes:
 
 • Don't crash if dbus-daemon is asked to watch more than 128 directories
   for changes (dbus!302, Jan Tojnar)
 
+• Correctly set error indicator if out-of-memory is reached while
+  demarshalling a message (fdo#100317, Simon McVittie)
+
 • On Windows, consistently use msvcrt.dll-style printf formats, fixing
   builds with mingw-w64 8.0.0 (dbus#380, Simon McVittie)
 
-Tests and CI enhancements:
-
 • Use the latest MSYS2 packages for CI, fixing failure to download older
   packages
   (Ralf Habacker, Simon McVittie)