From a3477feb7aa8658602cceb8d29ae370a83002172 Mon Sep 17 00:00:00 2001
From: Alban Crequy <alban.crequy@collabora.co.uk>
Date: Tue, 8 Jul 2014 12:00:58 +0100
Subject: [PATCH 03/10] config: change default auth_timeout to 5 seconds

This partially addresses CVE-2014-3639.

This will change the default on the system bus where the limit
  <limit name="auth_timeout">...</limit>
is not specified.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80919
Reviewed-by: Thiago Macieira <thiago@kde.org>
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
(cherry picked from commit 54d26df52b6a394bea175651d1d7ad2ab3f87dea)
---
 bus/config-parser.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bus/config-parser.c b/bus/config-parser.c
index cc29ef4..95d69a4 100644
--- a/bus/config-parser.c
+++ b/bus/config-parser.c
@@ -427,7 +427,7 @@ bus_config_parser_new (const DBusString      *basedir,
        * and legitimate auth will fail.  If interactive auth (ask user for
        * password) is allowed, then potentially it has to be quite long.
        */
-      parser->limits.auth_timeout = 30000; /* 30 seconds */
+      parser->limits.auth_timeout = 5000; /* 5 seconds */
       
       parser->limits.max_incomplete_connections = 64;
       parser->limits.max_connections_per_user = 256;
-- 
2.1.0