rpms/dbus-broker
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import dbus-broker-28-7.el9

Browse Source
This commit is contained in:
CentOS Sources 2022-09-27 10:10:47 -04:00 committed by Stepan Oksanichenko
parent ed0fac2aa5
commit 808beaa8f0
4 changed files with 270 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

155
SOURCES/33e0595b1c7cf8fa0e7ca3a353f4380c1307dc25.patch Normal file
View File

@ -0,0 +1,155 @@
From 33e0595b1c7cf8fa0e7ca3a353f4380c1307dc25 Mon Sep 17 00:00:00 2001
From: David Rheinsberg <david.rheinsberg@gmail.com>
Date: Thu, 5 May 2022 10:50:31 +0200
Subject: [PATCH] test-config: add tests for some config samples
Add infrastructure to easily parse config-samples in our test. This
allows us to add any reports about broken configurations easily, and
making sure we will not run into the same issues again.
Signed-off-by: David Rheinsberg <david.rheinsberg@gmail.com>
---
src/launch/test-config.c | 97 +++++++++++++++++++++++++++++++++++++---
1 file changed, 91 insertions(+), 6 deletions(-)
diff --git a/src/launch/test-config.c b/src/launch/test-config.c
index 0401a434..c2f8765e 100644
--- a/src/launch/test-config.c
+++ b/src/launch/test-config.c
@@ -9,6 +9,7 @@
#include "launch/config.h"
#include "launch/nss-cache.h"
#include "util/dirwatch.h"
+#include "util/syscall.h"
static const char *test_type2str[_CONFIG_NODE_N] = {
[CONFIG_NODE_BUSCONFIG] = "busconfig",
@@ -35,12 +36,23 @@ static const char *test_type2str[_CONFIG_NODE_N] = {
[CONFIG_NODE_ASSOCIATE] = "associate",
};
-static void print_config(const char *path) {
+static int config_memfd(const char *data) {
+ ssize_t n;
+ int fd;
+
+ fd = syscall_memfd_create("dbus-broker-test-config", 0);
+ c_assert(fd >= 0);
+ n = write(fd, data, strlen(data));
+ c_assert(n == (ssize_t)strlen(data));
+
+ return fd;
+}
+
+static int parse_config(ConfigRoot **rootp, const char *path) {
_c_cleanup_(config_parser_deinit) ConfigParser parser = CONFIG_PARSER_NULL(parser);
_c_cleanup_(config_root_freep) ConfigRoot *root = NULL;
_c_cleanup_(nss_cache_deinit) NSSCache nss_cache = NSS_CACHE_INIT;
_c_cleanup_(dirwatch_freep) Dirwatch *dirwatch = NULL;
- ConfigNode *i_node;
int r;
r = dirwatch_new(&dirwatch);
@@ -49,6 +61,32 @@ static void print_config(const char *path) {
config_parser_init(&parser);
r = config_parser_read(&parser, &root, path, &nss_cache, dirwatch);
+ if (r)
+ return r;
+
+ *rootp = root;
+ root = NULL;
+ return 0;
+}
+
+static int parse_config_inline(ConfigRoot **rootp, const char *data) {
+ _c_cleanup_(c_closep) int fd = -1;
+ _c_cleanup_(c_freep) char *path = NULL;
+ int r;
+
+ fd = config_memfd(data);
+ r = asprintf(&path, "/proc/self/fd/%d", fd);
+ c_assert(r > 0);
+
+ return parse_config(rootp, path);
+}
+
+static void print_config(const char *path) {
+ _c_cleanup_(config_root_freep) ConfigRoot *root = NULL;
+ ConfigNode *i_node;
+ int r;
+
+ r = parse_config(&root, path);
c_assert(!r);
c_list_for_each_entry(i_node, &root->node_list, root_link) {
@@ -56,18 +94,65 @@ static void print_config(const char *path) {
}
}
-static void test_config(void) {
+static void test_config_base(void) {
_c_cleanup_(config_parser_deinit) ConfigParser parser = CONFIG_PARSER_NULL(parser);
config_parser_init(&parser);
config_parser_deinit(&parser);
}
+static void test_config_sample0(void) {
+ _c_cleanup_(config_root_freep) ConfigRoot *root = NULL;
+ const char *data;
+ int r;
+
+ data =
+"<?xml version=\"1.0\"?> <!--*-nxml-*-->\
+<!DOCTYPE g PUBLIC \"-/N\"\
+ \"htt\">\
+<busconfig>\
+ <policy user=\"root\">\
+ <allow own_prefix=\"oramd\"/>\
+ <allow send_interface=\"d\"/>\
+ </policy>\
+ <user ix=\"d\"/>\
+ </cy>";
+
+ r = parse_config_inline(&root, data);
+ c_assert(r == CONFIG_E_INVALID);
+}
+
+static void test_config_sample1(void) {
+ _c_cleanup_(config_root_freep) ConfigRoot *root = NULL;
+ const char *data;
+ int r;
+
+ data =
+"<?xml version=\"1.0\"?> <!--*-nxml-*-->\
+<!DOCTYPE g PUBLIC \"-/N\"\
+ \"htt\">\
+<busconfig>\
+ <policy user=\"root\">\
+ <allow own_prefix=\"oramd\"/>\
+ <allow send_interface=\"d\"/>\
+ </policy>\
+ <policy context=\"default\"/> <user ix=\"d\"/>\
+ </policy>\
+</busconfig>";
+
+ r = parse_config_inline(&root, data);
+ c_assert(r == CONFIG_E_INVALID);
+}
+
int main(int argc, char **argv) {
- if (argc < 2)
- test_config();
- else
+ if (argc > 1) {
print_config(argv[1]);
+ return 0;
+ }
+
+ test_config_base();
+ test_config_sample0();
+ test_config_sample1();
return 0;
}

66
SOURCES/cve-2022-31212.patch Normal file
View File

@ -0,0 +1,66 @@
From 7fd15f8e272136955f7ffc37df29fbca9ddceca1 Mon Sep 17 00:00:00 2001
From: David Rheinsberg <david.rheinsberg@gmail.com>
Date: Tue, 19 Apr 2022 13:11:02 +0200
Subject: [PATCH] strnspn: fix buffer overflow
Fix the strnspn and strncspn functions to use a properly sized buffer.
It used to be 1 byte too short. Checking for `0xff` in a string will
thus write `0xff` once byte beyond the stack space of the local buffer.
Note that the public API does not allow to pass `0xff` to those
functions. Therefore, this is a read-only buffer overrun, possibly
causing bogus reports from the parser, but still well-defined.
Reported-by: Steffen Robertz
Signed-off-by: David Rheinsberg <david.rheinsberg@gmail.com>
---
/subprojects/c-shquote/src/c-shquote.c | 4 ++--
/subprojects/c-shquote/src/test-private.c | 6 ++++++
2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a//subprojects/c-shquote/src/c-shquote.c b//subprojects/c-shquote/src/c-shquote.c
index b268906..abb55d6 100644
--- a//subprojects/c-shquote/src/c-shquote.c
+++ b//subprojects/c-shquote/src/c-shquote.c
@@ -85,7 +85,7 @@ int c_shquote_consume_char(char **outp,
size_t c_shquote_strnspn(const char *string,
size_t n_string,
const char *accept) {
- bool buffer[UCHAR_MAX] = {};
+ bool buffer[UCHAR_MAX + 1] = {};
for ( ; *accept; ++accept)
buffer[(unsigned char)*accept] = true;
@@ -100,7 +100,7 @@ size_t c_shquote_strnspn(const char *string,
size_t c_shquote_strncspn(const char *string,
size_t n_string,
const char *reject) {
- bool buffer[UCHAR_MAX] = {};
+ bool buffer[UCHAR_MAX + 1] = {};
if (strlen(reject) == 1) {
const char *p;
diff --git a//subprojects/c-shquote/src/test-private.c b//subprojects/c-shquote/src/test-private.c
index 57a7250..c6afe40 100644
--- a//subprojects/c-shquote/src/test-private.c
+++ b//subprojects/c-shquote/src/test-private.c
@@ -148,6 +148,9 @@ static void test_strnspn(void) {
len = c_shquote_strnspn("ab", 2, "bc");
c_assert(len == 0);
+
+ len = c_shquote_strnspn("ab", 2, "\xff");
+ c_assert(len == 0);
}
static void test_strncspn(void) {
@@ -167,6 +170,9 @@ static void test_strncspn(void) {
len = c_shquote_strncspn("ab", 2, "cd");
c_assert(len == 2);
+
+ len = c_shquote_strncspn("ab", 2, "\xff");
+ c_assert(len == 2);
}
static void test_discard_comment(void) {

35
SOURCES/cve-2022-31213.patch Normal file
View File

@ -0,0 +1,35 @@
From 4fefc3908ce527de4ca3d7386886c2447d6b4c14 Mon Sep 17 00:00:00 2001
From: David Rheinsberg <david.rheinsberg@gmail.com>
Date: Tue, 19 Apr 2022 13:29:53 +0200
Subject: [PATCH] launch/config: keep empty cdata around
We expect the `node->cdata` pointer to contain the actual content of an
XML entry. Make sure it is initialized to an empty string, so we can
dereference it without checking for validity everywhere.
Note that we want it to be an owned string, to allow claiming the value.
We will avoid any `n_cdata + 'static ""` here, to keep the code simple.
The performance of that strdup() merely affects XML parsing, no bus
runtime.
Reported-by: Steffen Robertz
Signed-off-by: David Rheinsberg <david.rheinsberg@gmail.com>
---
src/launch/config.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/launch/config.c b/src/launch/config.c
index 490d7b7d..cb7e3fae 100644
--- a/src/launch/config.c
+++ b/src/launch/config.c
@@ -133,6 +133,10 @@ int config_node_new(ConfigNode **nodep, ConfigNode *parent, unsigned int type) {
break;
}
+ node->cdata = strdup("");
+ if (!node->cdata)
+ return error_origin(-ENOMEM);
+
*nodep = node;
node = NULL;
return 0;

15
SPECS/dbus-broker.spec
View File

@ -2,13 +2,16 @@
Name: dbus-broker
Version: 28
Release: 5%{?dist}
Release: 7%{?dist}
Summary: Linux D-Bus Message Broker
License: ASL 2.0
URL: https://github.com/bus1/dbus-broker
Source0: https://github.com/bus1/dbus-broker/releases/download/v%{version}/dbus-broker-%{version}.tar.xz
Patch0000: https://github.com/bus1/dbus-broker/commit/1add8a7d60e46806e0ef87994d3024245db0d84a.patch
Patch0001: https://github.com/bus1/dbus-broker/commit/b82b670bfec6600d0144bcb9ca635fb07c80118f.patch
Patch0002: cve-2022-31212.patch
Patch0003: cve-2022-31213.patch
Patch0004: https://github.com/bus1/dbus-broker/commit/33e0595b1c7cf8fa0e7ca3a353f4380c1307dc25.patch
%{?systemd_requires}
BuildRequires: pkgconfig(audit)
BuildRequires: pkgconfig(expat)
@ -95,6 +98,16 @@ fi
%{_userunitdir}/dbus-broker.service
%changelog
* Mon Aug 22 2022 Frantisek Sumsal <fsumsal@redhat.com> - 28-7
- Add coverage for CVE-2022-31213 and other config-file-related issues
Related: CVE-2022-31213
* Tue Aug 02 2022 Jakub Martisko <jamartis@redhat.com> - 28-6
- Fix a stack buffer over-read in the c-shquote library
- Fix null pointer reference when supplying a malformed XML config file
Resolves: CVE-2022-31212
Resolves: CVE-2022-31213
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 28-5
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688