Update: dbus 1.8.14

[Schamschula (Marius Schamschula)]

dbus has been updated to version 1.8.14:

The “40lb of roofing nails” release.

Security hardening:

• Do not allow calls to UpdateActivationEnvironment from uids other than
  the uid of the dbus-daemon. If a system service installs unsafe
  security policy rules that allow arbitrary method calls
  (such as CVE-2014-8148) then this prevents memory consumption and
  possible privilege escalation via UpdateActivationEnvironment.

  We believe that in practice, privilege escalation here is avoided
  by dbus-daemon-launch-helper sanitizing its environment; but
  it seems better to be safe.

• Do not allow calls to UpdateActivationEnvironment or the Stats interface
  on object paths other than /org/freedesktop/DBus. Some system services
  install unsafe security policy rules that allow arbitrary method calls
  to any destination, method and interface with a specified object path;
  while less bad than allowing arbitrary method calls, these security
  policies are still harmful, since dbus-daemon normally offers the
  same API on all object paths and other system services might behave
  similarly.

[Schamschula (Marius Schamschula)]

In the meantime dbus has been updated to version 1.8.16:

The “poorly concealed wrestlers” release.

Security fixes:

• Do not allow non-uid-0 processes to send forged ActivationFailure
  messages. On Linux systems with systemd activation, this would
  allow a local denial of service: unprivileged processes could
  flood the bus with these forged messages, winning the race with
  the actual service activation and causing an error reply
  to be sent back when service auto-activation was requested.
  This does not prevent the real service from being started,
  so it only works while the real service is not running.
  (CVE-2015-0245, fd.o #88811; Simon McVittie)

[nerdling (Jeremy Lavergne)]

r134498.