Add coverage for CVE-2022-31213 and other config-file-related issues

- Fix a stack buffer over-read in the c-shquote library
- Fix null pointer reference when supplying a malformed XML config file
Resolves: CVE-2022-31212
Resolves: CVE-2022-31213

.dbus-broker.metadata

@@ -0,0 +1 @@
+2602b87b336875bc1fd6866004f16013e6cf3fe4 dbus-broker-28.tar.xz

1add8a7d60e46806e0ef87994d3024245db0d84a.patch

@@ -0,0 +1,38 @@
+From 1add8a7d60e46806e0ef87994d3024245db0d84a Mon Sep 17 00:00:00 2001
+From: David Rheinsberg <david.rheinsberg@gmail.com>
+Date: Thu, 18 Mar 2021 11:10:02 +0100
+Subject: [PATCH] launch/policy: fix incorrect assertion for at_console
+
+We write at_console policies for ranges of uids. If one of those ranges
+is 0, an overflow assertion will incorrectly fire. Fix this and simplify
+the assertions for better readability.
+
+Note that such empty ranges will happen if more than one user on the
+system is considered `at_console` **and** those users have consecutive
+UIDs. Another possibility for empty ranges is when uid 0 is considered
+at_console.
+
+In any case, the assertion will abort the application incorrectly. So
+this is not a security issue, but merely an incorrect assertion.
+
+Signed-off-by: David Rheinsberg <david.rheinsberg@gmail.com>
+---
+ src/launch/policy.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/launch/policy.c b/src/launch/policy.c
+index f91f11b..75eb0d3 100644
+--- a/src/launch/policy.c
++++ b/src/launch/policy.c
+@@ -934,7 +934,10 @@ static int policy_export_xmit(Policy *policy, CList *list1, CList *list2, sd_bus
+ static int policy_export_console(Policy *policy, sd_bus_message *m, PolicyEntries *entries, uint32_t uid_start, uint32_t n_uid) {
+         int r;
+ 
+-        c_assert(((uint32_t)-1) - n_uid + 1 >= uid_start);
++        /* check for overflow */
++        c_assert(uid_start + n_uid >= uid_start);
++        /* check for encoding into dbus `u` type */
++        c_assert(uid_start + n_uid <= (uint32_t)-1);
+ 
+         if (n_uid == 0)
+                 return 0;

33e0595b1c7cf8fa0e7ca3a353f4380c1307dc25.patch

@@ -0,0 +1,155 @@
+From 33e0595b1c7cf8fa0e7ca3a353f4380c1307dc25 Mon Sep 17 00:00:00 2001
+From: David Rheinsberg <david.rheinsberg@gmail.com>
+Date: Thu, 5 May 2022 10:50:31 +0200
+Subject: [PATCH] test-config: add tests for some config samples
+
+Add infrastructure to easily parse config-samples in our test. This
+allows us to add any reports about broken configurations easily, and
+making sure we will not run into the same issues again.
+
+Signed-off-by: David Rheinsberg <david.rheinsberg@gmail.com>
+---
+ src/launch/test-config.c | 97 +++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 91 insertions(+), 6 deletions(-)
+
+diff --git a/src/launch/test-config.c b/src/launch/test-config.c
+index 0401a434..c2f8765e 100644
+--- a/src/launch/test-config.c
++++ b/src/launch/test-config.c
+@@ -9,6 +9,7 @@
+ #include "launch/config.h"
+ #include "launch/nss-cache.h"
+ #include "util/dirwatch.h"
++#include "util/syscall.h"
+ 
+ static const char *test_type2str[_CONFIG_NODE_N] = {
+         [CONFIG_NODE_BUSCONFIG]         = "busconfig",
+@@ -35,12 +36,23 @@ static const char *test_type2str[_CONFIG_NODE_N] = {
+         [CONFIG_NODE_ASSOCIATE]         = "associate",
+ };
+ 
+-static void print_config(const char *path) {
++static int config_memfd(const char *data) {
++        ssize_t n;
++        int fd;
++
++        fd = syscall_memfd_create("dbus-broker-test-config", 0);
++        c_assert(fd >= 0);
++        n = write(fd, data, strlen(data));
++        c_assert(n == (ssize_t)strlen(data));
++
++        return fd;
++}
++
++static int parse_config(ConfigRoot **rootp, const char *path) {
+         _c_cleanup_(config_parser_deinit) ConfigParser parser = CONFIG_PARSER_NULL(parser);
+         _c_cleanup_(config_root_freep) ConfigRoot *root = NULL;
+         _c_cleanup_(nss_cache_deinit) NSSCache nss_cache = NSS_CACHE_INIT;
+         _c_cleanup_(dirwatch_freep) Dirwatch *dirwatch = NULL;
+-        ConfigNode *i_node;
+         int r;
+ 
+         r = dirwatch_new(&dirwatch);
+@@ -49,6 +61,32 @@ static void print_config(const char *path) {
+         config_parser_init(&parser);
+ 
+         r = config_parser_read(&parser, &root, path, &nss_cache, dirwatch);
++        if (r)
++                return r;
++
++        *rootp = root;
++        root = NULL;
++        return 0;
++}
++
++static int parse_config_inline(ConfigRoot **rootp, const char *data) {
++        _c_cleanup_(c_closep) int fd = -1;
++        _c_cleanup_(c_freep) char *path = NULL;
++        int r;
++
++        fd = config_memfd(data);
++        r = asprintf(&path, "/proc/self/fd/%d", fd);
++        c_assert(r > 0);
++
++        return parse_config(rootp, path);
++}
++
++static void print_config(const char *path) {
++        _c_cleanup_(config_root_freep) ConfigRoot *root = NULL;
++        ConfigNode *i_node;
++        int r;
++
++        r = parse_config(&root, path);
+         c_assert(!r);
+ 
+         c_list_for_each_entry(i_node, &root->node_list, root_link) {
+@@ -56,18 +94,65 @@ static void print_config(const char *path) {
+         }
+ }
+ 
+-static void test_config(void) {
++static void test_config_base(void) {
+         _c_cleanup_(config_parser_deinit) ConfigParser parser = CONFIG_PARSER_NULL(parser);
+ 
+         config_parser_init(&parser);
+         config_parser_deinit(&parser);
+ }
+ 
++static void test_config_sample0(void) {
++        _c_cleanup_(config_root_freep) ConfigRoot *root = NULL;
++        const char *data;
++        int r;
++
++        data =
++"<?xml version=\"1.0\"?> <!--*-nxml-*-->\
++<!DOCTYPE g PUBLIC \"-/N\"\
++	\"htt\">\
++<busconfig>\
++	<policy user=\"root\">\
++		<allow own_prefix=\"oramd\"/>\
++		<allow send_interface=\"d\"/>\
++	</policy>\
++		<user ix=\"d\"/>\
++	</cy>";
++
++        r = parse_config_inline(&root, data);
++        c_assert(r == CONFIG_E_INVALID);
++}
++
++static void test_config_sample1(void) {
++        _c_cleanup_(config_root_freep) ConfigRoot *root = NULL;
++        const char *data;
++        int r;
++
++        data =
++"<?xml version=\"1.0\"?> <!--*-nxml-*-->\
++<!DOCTYPE g PUBLIC \"-/N\"\
++	\"htt\">\
++<busconfig>\
++	<policy user=\"root\">\
++		<allow own_prefix=\"oramd\"/>\
++		<allow send_interface=\"d\"/>\
++	</policy>\
++	<policy context=\"default\"/>		<user ix=\"d\"/>\
++	</policy>\
++</busconfig>";
++
++        r = parse_config_inline(&root, data);
++        c_assert(r == CONFIG_E_INVALID);
++}
++
+ int main(int argc, char **argv) {
+-        if (argc < 2)
+-                test_config();
+-        else
++        if (argc > 1) {
+                 print_config(argv[1]);
++                return 0;
++        }
++
++        test_config_base();
++        test_config_sample0();
++        test_config_sample1();
+ 
+         return 0;
+ }

b82b670bfec6600d0144bcb9ca635fb07c80118f.patch

@@ -0,0 +1,30 @@
+From b82b670bfec6600d0144bcb9ca635fb07c80118f Mon Sep 17 00:00:00 2001
+From: David Rheinsberg <david.rheinsberg@gmail.com>
+Date: Thu, 18 Mar 2021 12:13:16 +0100
+Subject: [PATCH] launch/policy: fix at_console range assertion again
+
+The previous fix did not actually consider that a full range can span up
+until (uint32_t)-1. Fix this properly now, and just check manually for
+an empty range before checking that the highest entry in the range can
+be represented.
+
+Signed-off-by: David Rheinsberg <david.rheinsberg@gmail.com>
+---
+ src/launch/policy.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/src/launch/policy.c b/src/launch/policy.c
+index 75eb0d3..6999ceb 100644
+--- a/src/launch/policy.c
++++ b/src/launch/policy.c
+@@ -935,9 +935,7 @@ static int policy_export_console(Policy *policy, sd_bus_message *m, PolicyEntrie
+         int r;
+ 
+         /* check for overflow */
+-        c_assert(uid_start + n_uid >= uid_start);
+-        /* check for encoding into dbus `u` type */
+-        c_assert(uid_start + n_uid <= (uint32_t)-1);
++        c_assert(n_uid == 0 || uid_start + n_uid - 1 >= uid_start);
+ 
+         if (n_uid == 0)
+                 return 0;

cve-2022-31212.patch

@@ -0,0 +1,66 @@
+From 7fd15f8e272136955f7ffc37df29fbca9ddceca1 Mon Sep 17 00:00:00 2001
+From: David Rheinsberg <david.rheinsberg@gmail.com>
+Date: Tue, 19 Apr 2022 13:11:02 +0200
+Subject: [PATCH] strnspn: fix buffer overflow
+
+Fix the strnspn and strncspn functions to use a properly sized buffer.
+It used to be 1 byte too short. Checking for `0xff` in a string will
+thus write `0xff` once byte beyond the stack space of the local buffer.
+
+Note that the public API does not allow to pass `0xff` to those
+functions. Therefore, this is a read-only buffer overrun, possibly
+causing bogus reports from the parser, but still well-defined.
+
+Reported-by: Steffen Robertz
+Signed-off-by: David Rheinsberg <david.rheinsberg@gmail.com>
+---
+ /subprojects/c-shquote/src/c-shquote.c    | 4 ++--
+ /subprojects/c-shquote/src/test-private.c | 6 ++++++
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a//subprojects/c-shquote/src/c-shquote.c b//subprojects/c-shquote/src/c-shquote.c
+index b268906..abb55d6 100644
+--- a//subprojects/c-shquote/src/c-shquote.c
++++ b//subprojects/c-shquote/src/c-shquote.c
+@@ -85,7 +85,7 @@ int c_shquote_consume_char(char **outp,
+ size_t c_shquote_strnspn(const char *string,
+                         size_t n_string,
+                         const char *accept) {
+-        bool buffer[UCHAR_MAX] = {};
++        bool buffer[UCHAR_MAX + 1] = {};
+ 
+         for ( ; *accept; ++accept)
+                 buffer[(unsigned char)*accept] = true;
+@@ -100,7 +100,7 @@ size_t c_shquote_strnspn(const char *string,
+ size_t c_shquote_strncspn(const char *string,
+                           size_t n_string,
+                           const char *reject) {
+-        bool buffer[UCHAR_MAX] = {};
++        bool buffer[UCHAR_MAX + 1] = {};
+ 
+         if (strlen(reject) == 1) {
+                 const char *p;
+diff --git a//subprojects/c-shquote/src/test-private.c b//subprojects/c-shquote/src/test-private.c
+index 57a7250..c6afe40 100644
+--- a//subprojects/c-shquote/src/test-private.c
++++ b//subprojects/c-shquote/src/test-private.c
+@@ -148,6 +148,9 @@ static void test_strnspn(void) {
+ 
+         len = c_shquote_strnspn("ab", 2, "bc");
+         c_assert(len == 0);
++
++        len = c_shquote_strnspn("ab", 2, "\xff");
++        c_assert(len == 0);
+ }
+ 
+ static void test_strncspn(void) {
+@@ -167,6 +170,9 @@ static void test_strncspn(void) {
+ 
+         len = c_shquote_strncspn("ab", 2, "cd");
+         c_assert(len == 2);
++
++        len = c_shquote_strncspn("ab", 2, "\xff");
++        c_assert(len == 2);
+ }
+ 
+ static void test_discard_comment(void) {

cve-2022-31213.patch

@@ -0,0 +1,35 @@
+From 4fefc3908ce527de4ca3d7386886c2447d6b4c14 Mon Sep 17 00:00:00 2001
+From: David Rheinsberg <david.rheinsberg@gmail.com>
+Date: Tue, 19 Apr 2022 13:29:53 +0200
+Subject: [PATCH] launch/config: keep empty cdata around
+
+We expect the `node->cdata` pointer to contain the actual content of an
+XML entry. Make sure it is initialized to an empty string, so we can
+dereference it without checking for validity everywhere.
+
+Note that we want it to be an owned string, to allow claiming the value.
+We will avoid any `n_cdata + 'static ""` here, to keep the code simple.
+The performance of that strdup() merely affects XML parsing, no bus
+runtime.
+
+Reported-by: Steffen Robertz
+Signed-off-by: David Rheinsberg <david.rheinsberg@gmail.com>
+---
+ src/launch/config.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/launch/config.c b/src/launch/config.c
+index 490d7b7d..cb7e3fae 100644
+--- a/src/launch/config.c
++++ b/src/launch/config.c
+@@ -133,6 +133,10 @@ int config_node_new(ConfigNode **nodep, ConfigNode *parent, unsigned int type) {
+                 break;
+         }
+ 
++        node->cdata = strdup("");
++        if (!node->cdata)
++                return error_origin(-ENOMEM);
++
+         *nodep = node;
+         node = NULL;
+         return 0;

dbus-broker.spec

@@ -1,17 +1,17 @@
 %global dbus_user_id 81
 
 Name:                 dbus-broker
-Version:              24
-Release:              1%{?dist}
+Version:              28
+Release:              7%{?dist}
 Summary:              Linux D-Bus Message Broker
 License:              ASL 2.0
 URL:                  https://github.com/bus1/dbus-broker
 Source0:              https://github.com/bus1/dbus-broker/releases/download/v%{version}/dbus-broker-%{version}.tar.xz
-Provides:             bundled(c-dvar) = 1
-Provides:             bundled(c-ini) = 1
-Provides:             bundled(c-list) = 3
-Provides:             bundled(c-rbtree) = 3
-Provides:             bundled(c-shquote) = 1
+Patch0000:            https://github.com/bus1/dbus-broker/commit/1add8a7d60e46806e0ef87994d3024245db0d84a.patch
+Patch0001:            https://github.com/bus1/dbus-broker/commit/b82b670bfec6600d0144bcb9ca635fb07c80118f.patch
+Patch0002:            cve-2022-31212.patch
+Patch0003:            cve-2022-31213.patch
+Patch0004:            https://github.com/bus1/dbus-broker/commit/33e0595b1c7cf8fa0e7ca3a353f4380c1307dc25.patch
 %{?systemd_requires}
 BuildRequires:        pkgconfig(audit)
 BuildRequires:        pkgconfig(expat)
@@ -98,6 +98,48 @@ fi
 %{_userunitdir}/dbus-broker.service
 
 %changelog
+* Mon Aug 22 2022 Frantisek Sumsal <fsumsal@redhat.com> - 28-7
+- Add coverage for CVE-2022-31213 and other config-file-related issues
+Related: CVE-2022-31213
+
+* Tue Aug 02 2022 Jakub Martisko <jamartis@redhat.com> - 28-6
+- Fix a stack buffer over-read in the c-shquote library
+- Fix null pointer reference when supplying a malformed XML config file
+Resolves: CVE-2022-31212
+Resolves: CVE-2022-31213
+
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 28-5
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
+
+* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 28-4
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Thu Mar 18 2021 David Rheinsberg <david.rheinsberg@gmail.com> - 28-3
+- Apply another fix for incorrect at_console range assertion.
+
+* Thu Mar 18 2021 David Rheinsberg <david.rheinsberg@gmail.com> - 28-2
+- Apply fix for incorrect at_console range assertion.
+
+* Thu Mar 18 2021 David Rheinsberg <david.rheinsberg@gmail.com> - 28-1
+- Update to upstream v28.
+- Drop unused c-util based bundling annotations.
+
+* Wed Feb 17 2021 David Rheinsberg <david.rheinsberg@gmail.com> - 27-2
+- Apply activation-tracking bugfixes from upstream.
+
+* Mon Feb 15 2021 David Rheinsberg <david.rheinsberg@gmail.com> - 27-1
+- Update to upstream v27.
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 26-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Wed Jan 20 2021 David Rheinsberg <david.rheinsberg@gmail.com> - 26-1
+- Update to upstream v26.
+
+* Wed Jan  6 2021 Jeff Law <law@redhat.com> - 24-2
+- Bump NVR to force rebuild with gcc-11
+
 * Fri Sep  4 2020 David Rheinsberg <david.rheinsberg@gmail.com> - 24-1
 - Update to upstream v24. Only minor changes to the diagnostic messages as
   well as audit-events.

gating.yaml

@@ -0,0 +1,6 @@
+--- !Policy
+product_versions:
+  - rhel-9
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: osci.brew-build.revdeps.integration}

sources

@@ -1 +1 @@
-SHA512 (dbus-broker-24.tar.xz) = 7fbe6c689eff27ec842bb9d839a418abc356b026bb0a54dfa8b680a655409aa1ea4cb90655a6b04561a88c6e703cacf8800fddfe1abc21e7ee60db2dac1c2db9
+SHA512 (dbus-broker-28.tar.xz) = 81a05a3ad2fbc0292a7de0cc719c5946e2d70d0bf91abb2eb9764fdef738a460a0cc988e050d0985ff45009a51677df3f619f4e17c8712df34c85e84826efbee