sys-apps/dbus: update to 1.10.32

Update dbus to 1.10.32, mainly to address CVE-2020-35512.
It is based on commit 71a58ff8b6cebe8b9e8aeddaf93185ecb52bdb8c of
Gentoo.

sdk_container/src/third_party/coreos-overlay/sys-apps/dbus/Manifest

@@ -1 +1 @@
-DIST dbus-1.10.18.tar.gz 1986589 SHA256 6049ddd5f3f3e2618f615f1faeda0a115104423a7996b7aa73e2f36e38cc514a SHA512 726f97d0a2016f4f0625ba332e93e2d33bb16857cd35cb6c79da0f44fff297df948c3df62c31ffbec34713a7b85b3ff5b65f31517fe3511ddbd3bf18bd4748ed WHIRLPOOL ee164e1f6de80595fbfbcbad65d78dab4b91b5ec4e1ce88e1c4015f1c1b531f09796d54db163b2c2eceb3b92261f8a57852d2e0b29f71d9c65f9b91684433d9e
+DIST dbus-1.10.32.tar.gz 2000784 BLAKE2B 490dfa33bf7e26d68e6dfb01c41a720623a28936fd635b8becbbb1dad6b58579fba2d7f75ed57ee0588c4a87ab9c0d07b0005f0ae7cf5b68df5e277cc6f8de07 SHA512 c0cdf99a72fe191ce45767121d67772854c6ec5df3939f2aec76b4ecc3905162d57548c2f02d8073b81c3b4d71277745b7aac8489c364064bd2cf723ce6bbbcd

sdk_container/src/third_party/coreos-overlay/sys-apps/dbus/dbus-1.10.32.ebuild

@@ -2,9 +2,9 @@
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=6
-PYTHON_COMPAT=( python2_7 )
+PYTHON_COMPAT=( python{2_7,3_{4,5,6}} )
 
-inherit autotools eutils linux-info flag-o-matic python-any-r1 readme.gentoo-r1 systemd virtualx user multilib-minimal
+inherit autotools ltprune linux-info flag-o-matic python-any-r1 readme.gentoo-r1 systemd virtualx user multilib-minimal
 
 DESCRIPTION="A message bus system, a simple way for applications to talk to each other"
 HOMEPAGE="https://dbus.freedesktop.org/"
@@ -12,28 +12,25 @@ SRC_URI="https://dbus.freedesktop.org/releases/dbus/${P}.tar.gz"
 
 LICENSE="|| ( AFL-2.1 GPL-2 )"
 SLOT="0"
-KEYWORDS="alpha amd64 arm arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~x86-solaris"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~x86-solaris"
 IUSE="debug doc elogind selinux static-libs systemd test user-session X"
 
-RESTRICT="test"
+#RESTRICT="test"
 
-REQUIRED_USE="?? ( elogind systemd )"
+REQUIRED_USE="
+	?? ( elogind systemd )
+	test? ( debug )
+"
 
 CDEPEND="
 	>=dev-libs/expat-2
-	selinux? (
+	selinux? ( sys-libs/libselinux )
-		sys-libs/libselinux
-		)
 	elogind? ( sys-auth/elogind )
 	systemd? ( sys-apps/systemd:0= )
 	X? (
 		x11-libs/libX11
 		x11-libs/libXt
 		)
-	abi_x86_32? (
-		!<=app-emulation/emul-linux-x86-baselibs-20131008-r4
-		!app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
-	)
 "
 DEPEND="${CDEPEND}
 	app-text/xmlto
@@ -45,7 +42,9 @@ DEPEND="${CDEPEND}
 		${PYTHON_DEPS}
 		)
 "
-RDEPEND="${CDEPEND}"
+RDEPEND="${CDEPEND}
+	selinux? ( sec-policy/selinux-dbus )
+"
 
 DOC_CONTENTS="
 	Some applications require a session bus in addition to the system
@@ -53,7 +52,11 @@ DOC_CONTENTS="
 "
 
 # out of sources build dir for make check
-TBD=${WORKDIR}/${P}-tests-build
+TBD="${WORKDIR}/${P}-tests-build"
+
+PATCHES=(
+	"${FILESDIR}/${PN}-enable-elogind.patch"
+)
 
 pkg_setup() {
 	enewgroup messagebus
@@ -74,13 +77,9 @@ src_prepare() {
 		-e '/"dispatch"/d' \
 		bus/test-main.c || die
 
-	eapply "${FILESDIR}/${PN}-enable-elogind.patch"
+	default
-	eapply "${FILESDIR}/CVE-2019-12749.patch"
 
-	eapply_user
+	# required for bug 263909, cross-compile so don't remove eautoreconf
-
-	# required for asneeded patch but also for bug 263909, cross-compile so
-	# don't remove eautoreconf
 	eautoreconf
 }
 
@@ -190,7 +189,7 @@ multilib_src_compile() {
 }
 
 src_test() {
-	DBUS_VERBOSE=1 Xemake -j1 -C "${TBD}" check
+	DBUS_VERBOSE=1 virtx emake -j1 -C "${TBD}" check
 }
 
 multilib_src_install() {
@@ -232,6 +231,12 @@ multilib_src_install_all() {
 pkg_postinst() {
 	readme.gentoo_print_elog
 
+	# Ensure unique id is generated and put it in /etc wrt #370451 but symlink
+	# for DBUS_MACHINE_UUID_FILE (see tools/dbus-launch.c) and reverse
+	# dependencies with hardcoded paths (although the known ones got fixed already)
+	dbus-uuidgen --ensure="${EROOT%/}"/etc/machine-id
+	ln -sf "${EPREFIX%/}"/etc/machine-id "${EROOT%/}"/var/lib/dbus/machine-id
+
 	if [[ ${CHOST} == *-darwin* ]]; then
 		local plist="org.freedesktop.dbus-session.plist"
 		elog

sdk_container/src/third_party/coreos-overlay/sys-apps/dbus/files/CVE-2019-12749.patch

@@ -1,119 +0,0 @@
-From 47b1a4c41004bf494b87370987b222c934b19016 Mon Sep 17 00:00:00 2001
-From: Simon McVittie <smcv@collabora.com>
-Date: Thu, 30 May 2019 12:53:03 +0100
-Subject: [PATCH] auth: Reject DBUS_COOKIE_SHA1 for users other than the server
- owner
-
-The DBUS_COOKIE_SHA1 authentication mechanism aims to prove ownership
-of a shared home directory by having the server write a secret "cookie"
-into a .dbus-keyrings subdirectory of the desired identity's home
-directory with 0700 permissions, and having the client prove that it can
-read the cookie. This never actually worked for non-malicious clients in
-the case where server uid != client uid (unless the server and client
-both have privileges, such as Linux CAP_DAC_OVERRIDE or traditional
-Unix uid 0) because an unprivileged server would fail to write out the
-cookie, and an unprivileged client would be unable to read the resulting
-file owned by the server.
-
-Additionally, since dbus 1.7.10 we have checked that ~/.dbus-keyrings
-is owned by the uid of the server (a side-effect of a check added to
-harden our use of XDG_RUNTIME_DIR), further ruling out successful use
-by a non-malicious client with a uid differing from the server's.
-
-Joe Vennix of Apple Information Security discovered that the
-implementation of DBUS_COOKIE_SHA1 was susceptible to a symbolic link
-attack: a malicious client with write access to its own home directory
-could manipulate a ~/.dbus-keyrings symlink to cause the DBusServer to
-read and write in unintended locations. In the worst case this could
-result in the DBusServer reusing a cookie that is known to the
-malicious client, and treating that cookie as evidence that a subsequent
-client connection came from an attacker-chosen uid, allowing
-authentication bypass.
-
-This is mitigated by the fact that by default, the well-known system
-dbus-daemon (since 2003) and the well-known session dbus-daemon (in
-stable releases since dbus 1.10.0 in 2015) only accept the EXTERNAL
-authentication mechanism, and as a result will reject DBUS_COOKIE_SHA1
-at an early stage, before manipulating cookies. As a result, this
-vulnerability only applies to:
-
-* system or session dbus-daemons with non-standard configuration
-* third-party dbus-daemon invocations such as at-spi2-core (although
-  in practice at-spi2-core also only accepts EXTERNAL by default)
-* third-party uses of DBusServer such as the one in Upstart
-
-Avoiding symlink attacks in a portable way is difficult, because APIs
-like openat() and Linux /proc/self/fd are not universally available.
-However, because DBUS_COOKIE_SHA1 already doesn't work in practice for
-a non-matching uid, we can solve this vulnerability in an easier way
-without regressions, by rejecting it early (before looking at
-~/.dbus-keyrings) whenever the requested identity doesn't match the
-identity of the process hosting the DBusServer.
-
-Signed-off-by: Simon McVittie <smcv@collabora.com>
-Closes: https://gitlab.freedesktop.org/dbus/dbus/issues/269
-Closes: CVE-2019-12749
----
- dbus/dbus-auth.c | 32 ++++++++++++++++++++++++++++++++
- 1 file changed, 32 insertions(+)
-
-diff --git a/dbus/dbus-auth.c b/dbus/dbus-auth.c
-index 37d8d4c9..7390a9d5 100644
---- a/dbus/dbus-auth.c
-+++ b/dbus/dbus-auth.c
-@@ -529,6 +529,7 @@ sha1_handle_first_client_response (DBusAuth         *auth,
-   DBusString tmp2;
-   dbus_bool_t retval = FALSE;
-   DBusError error = DBUS_ERROR_INIT;
-+  DBusCredentials *myself = NULL;
- 
-   _dbus_string_set_length (&auth->challenge, 0);
-   
-@@ -565,6 +566,34 @@ sha1_handle_first_client_response (DBusAuth         *auth,
-       return FALSE;
-     }
- 
-+  myself = _dbus_credentials_new_from_current_process ();
-+
-+  if (myself == NULL)
-+    goto out;
-+
-+  if (!_dbus_credentials_same_user (myself, auth->desired_identity))
-+    {
-+      /*
-+       * DBUS_COOKIE_SHA1 is not suitable for authenticating that the
-+       * client is anyone other than the user owning the process
-+       * containing the DBusServer: we probably aren't allowed to write
-+       * to other users' home directories. Even if we can (for example
-+       * uid 0 on traditional Unix or CAP_DAC_OVERRIDE on Linux), we
-+       * must not, because the other user controls their home directory,
-+       * and could carry out symlink attacks to make us read from or
-+       * write to unintended locations. It's difficult to avoid symlink
-+       * attacks in a portable way, so we just don't try. This isn't a
-+       * regression, because DBUS_COOKIE_SHA1 never worked for other
-+       * users anyway.
-+       */
-+      _dbus_verbose ("%s: client tried to authenticate as \"%s\", "
-+                     "but that doesn't match this process",
-+                     DBUS_AUTH_NAME (auth),
-+                     _dbus_string_get_const_data (data));
-+      retval = send_rejected (auth);
-+      goto out;
-+    }
-+
-   /* we cache the keyring for speed, so here we drop it if it's the
-    * wrong one. FIXME caching the keyring here is useless since we use
-    * a different DBusAuth for every connection.
-@@ -679,6 +708,9 @@ sha1_handle_first_client_response (DBusAuth         *auth,
-   _dbus_string_zero (&tmp2);
-   _dbus_string_free (&tmp2);
- 
-+  if (myself != NULL)
-+    _dbus_credentials_unref (myself);
-+
-   return retval;
- }
- 
--- 
-2.21.0
-