6d7cdd7f8b
https://gitlab.freedesktop.org/dbus/dbus/blob/dbus-1.12.16/NEWS It's short and explains the CVE a bit, including below: > CVE-2019-12749: Do not attempt to carry out DBUS_COOKIE_SHA1 > authentication for identities that differ from the user running the > DBusServer. Previously, a local attacker could manipulate symbolic > links in their own home directory to bypass authentication and connect > to a DBusServer with elevated privileges. The standard system and > session dbus-daemons in their default configuration were immune to this > attack because they did not allow DBUS_COOKIE_SHA1, but third-party > users of DBusServer such as Upstart could be vulnerable. Thanks to Joe > Vennix of Apple Information Security. (dbus#269, Simon McVittie)
92 lines
3.2 KiB
Nix
92 lines
3.2 KiB
Nix
{ stdenv, lib, fetchurl, pkgconfig, expat, systemd
|
|
, libX11 ? null, libICE ? null, libSM ? null, x11Support ? (stdenv.isLinux || stdenv.isDarwin) }:
|
|
|
|
assert x11Support -> libX11 != null
|
|
&& libICE != null
|
|
&& libSM != null;
|
|
|
|
let
|
|
version = "1.12.16";
|
|
sha256 = "107ckxaff1cv4q6kmfdi2fb1nlsv03312a7kf6lb4biglhpjv8jl";
|
|
|
|
self = stdenv.mkDerivation {
|
|
name = "dbus-${version}";
|
|
inherit version;
|
|
|
|
src = fetchurl {
|
|
url = "https://dbus.freedesktop.org/releases/dbus/dbus-${version}.tar.gz";
|
|
inherit sha256;
|
|
};
|
|
|
|
patches = lib.optional stdenv.isSunOS ./implement-getgrouplist.patch;
|
|
postPatch = ''
|
|
substituteInPlace tools/Makefile.in \
|
|
--replace 'install-localstatelibDATA:' 'disabled:' \
|
|
--replace 'install-data-local:' 'disabled:' \
|
|
--replace 'installcheck-local:' 'disabled:'
|
|
substituteInPlace bus/Makefile.in \
|
|
--replace '$(mkinstalldirs) $(DESTDIR)$(localstatedir)/run/dbus' ':'
|
|
'' + /* cleanup of runtime references */ ''
|
|
substituteInPlace ./dbus/dbus-sysdeps-unix.c \
|
|
--replace 'DBUS_BINDIR "/dbus-launch"' "\"$lib/bin/dbus-launch\""
|
|
substituteInPlace ./tools/dbus-launch.c \
|
|
--replace 'DBUS_DAEMONDIR"/dbus-daemon"' '"/run/current-system/sw/bin/dbus-daemon"'
|
|
'';
|
|
|
|
outputs = [ "out" "dev" "lib" "doc" ];
|
|
|
|
nativeBuildInputs = [ pkgconfig ];
|
|
propagatedBuildInputs = [ expat ];
|
|
buildInputs = lib.optional stdenv.isLinux systemd
|
|
++ lib.optionals x11Support [ libX11 libICE libSM ];
|
|
# ToDo: optional selinux?
|
|
|
|
configureFlags = [
|
|
"--localstatedir=/var"
|
|
"--sysconfdir=/etc"
|
|
"--with-session-socket-dir=/tmp"
|
|
"--with-system-pid-file=/run/dbus/pid"
|
|
"--with-system-socket=/run/dbus/system_bus_socket"
|
|
"--with-systemdsystemunitdir=$(out)/etc/systemd/system"
|
|
"--with-systemduserunitdir=$(out)/etc/systemd/user"
|
|
"--enable-user-session"
|
|
"--datadir=/etc"
|
|
"--libexecdir=$(out)/libexec"
|
|
] ++ lib.optional (!x11Support) "--without-x";
|
|
|
|
# Enable X11 autolaunch support in libdbus. This doesn't actually depend on X11
|
|
# (it just execs dbus-launch in dbus.tools), contrary to what the configure script demands.
|
|
# problems building without x11Support so disabled in that case for now
|
|
NIX_CFLAGS_COMPILE = lib.optionalString x11Support "-DDBUS_ENABLE_X11_AUTOLAUNCH=1";
|
|
NIX_CFLAGS_LINK = lib.optionalString (!stdenv.isDarwin) "-Wl,--as-needed";
|
|
|
|
enableParallelBuilding = true;
|
|
|
|
doCheck = true;
|
|
|
|
installFlags = [ "sysconfdir=$(out)/etc" "datadir=$(out)/share" ];
|
|
|
|
postInstall = ''
|
|
mkdir -p "$out/share/xml/dbus"
|
|
cp doc/*.dtd "$out/share/xml/dbus"
|
|
'';
|
|
|
|
# it's executed from $lib by absolute path
|
|
postFixup = ''
|
|
moveToOutput bin/dbus-launch "$lib"
|
|
ln -s "$lib/bin/dbus-launch" "$out/bin/"
|
|
'';
|
|
|
|
passthru = {
|
|
dbus-launch = "${self.lib}/bin/dbus-launch";
|
|
daemon = self.out;
|
|
};
|
|
|
|
meta = with stdenv.lib; {
|
|
description = "Simple interprocess messaging system";
|
|
homepage = http://www.freedesktop.org/wiki/Software/dbus/;
|
|
license = licenses.gpl2Plus; # most is also under AFL-2.1
|
|
platforms = platforms.unix;
|
|
};
|
|
};
|
|
in self
|