nixpkgs-suyu/pkgs/development/libraries/dbus/default.nix
Will Dietz 6d7cdd7f8b dbus: 1.12.14 -> 1.12.16
https://gitlab.freedesktop.org/dbus/dbus/blob/dbus-1.12.16/NEWS

It's short and explains the CVE a bit, including below:

> CVE-2019-12749: Do not attempt to carry out DBUS_COOKIE_SHA1
> authentication for identities that differ from the user running the
> DBusServer. Previously, a local attacker could manipulate symbolic
> links in their own home directory to bypass authentication and connect
> to a DBusServer with elevated privileges. The standard system and
> session dbus-daemons in their default configuration were immune to this
> attack because they did not allow DBUS_COOKIE_SHA1, but third-party
> users of DBusServer such as Upstart could be vulnerable.   Thanks to Joe
> Vennix of Apple Information Security.   (dbus#269, Simon McVittie)
2019-06-15 18:16:58 +02:00

92 lines
3.2 KiB
Nix

{ stdenv, lib, fetchurl, pkgconfig, expat, systemd
, libX11 ? null, libICE ? null, libSM ? null, x11Support ? (stdenv.isLinux || stdenv.isDarwin) }:
assert x11Support -> libX11 != null
&& libICE != null
&& libSM != null;
let
version = "1.12.16";
sha256 = "107ckxaff1cv4q6kmfdi2fb1nlsv03312a7kf6lb4biglhpjv8jl";
self = stdenv.mkDerivation {
name = "dbus-${version}";
inherit version;
src = fetchurl {
url = "https://dbus.freedesktop.org/releases/dbus/dbus-${version}.tar.gz";
inherit sha256;
};
patches = lib.optional stdenv.isSunOS ./implement-getgrouplist.patch;
postPatch = ''
substituteInPlace tools/Makefile.in \
--replace 'install-localstatelibDATA:' 'disabled:' \
--replace 'install-data-local:' 'disabled:' \
--replace 'installcheck-local:' 'disabled:'
substituteInPlace bus/Makefile.in \
--replace '$(mkinstalldirs) $(DESTDIR)$(localstatedir)/run/dbus' ':'
'' + /* cleanup of runtime references */ ''
substituteInPlace ./dbus/dbus-sysdeps-unix.c \
--replace 'DBUS_BINDIR "/dbus-launch"' "\"$lib/bin/dbus-launch\""
substituteInPlace ./tools/dbus-launch.c \
--replace 'DBUS_DAEMONDIR"/dbus-daemon"' '"/run/current-system/sw/bin/dbus-daemon"'
'';
outputs = [ "out" "dev" "lib" "doc" ];
nativeBuildInputs = [ pkgconfig ];
propagatedBuildInputs = [ expat ];
buildInputs = lib.optional stdenv.isLinux systemd
++ lib.optionals x11Support [ libX11 libICE libSM ];
# ToDo: optional selinux?
configureFlags = [
"--localstatedir=/var"
"--sysconfdir=/etc"
"--with-session-socket-dir=/tmp"
"--with-system-pid-file=/run/dbus/pid"
"--with-system-socket=/run/dbus/system_bus_socket"
"--with-systemdsystemunitdir=$(out)/etc/systemd/system"
"--with-systemduserunitdir=$(out)/etc/systemd/user"
"--enable-user-session"
"--datadir=/etc"
"--libexecdir=$(out)/libexec"
] ++ lib.optional (!x11Support) "--without-x";
# Enable X11 autolaunch support in libdbus. This doesn't actually depend on X11
# (it just execs dbus-launch in dbus.tools), contrary to what the configure script demands.
# problems building without x11Support so disabled in that case for now
NIX_CFLAGS_COMPILE = lib.optionalString x11Support "-DDBUS_ENABLE_X11_AUTOLAUNCH=1";
NIX_CFLAGS_LINK = lib.optionalString (!stdenv.isDarwin) "-Wl,--as-needed";
enableParallelBuilding = true;
doCheck = true;
installFlags = [ "sysconfdir=$(out)/etc" "datadir=$(out)/share" ];
postInstall = ''
mkdir -p "$out/share/xml/dbus"
cp doc/*.dtd "$out/share/xml/dbus"
'';
# it's executed from $lib by absolute path
postFixup = ''
moveToOutput bin/dbus-launch "$lib"
ln -s "$lib/bin/dbus-launch" "$out/bin/"
'';
passthru = {
dbus-launch = "${self.lib}/bin/dbus-launch";
daemon = self.out;
};
meta = with stdenv.lib; {
description = "Simple interprocess messaging system";
homepage = http://www.freedesktop.org/wiki/Software/dbus/;
license = licenses.gpl2Plus; # most is also under AFL-2.1
platforms = platforms.unix;
};
};
in self