Compare commits
10 Commits
bb6b6ce5e9
...
c6e4bda7ac
Author | SHA1 | Date |
---|---|---|
Frantisek Sumsal | c6e4bda7ac | |
Jakub Martisko | e0e597a849 | |
Jakub Martisko | 2291b0e38c | |
Mohan Boddu | c226f7e782 | |
Mohan Boddu | bcd401bde5 | |
DistroBaker | 8ee714488b | |
DistroBaker | 4d77ffa871 | |
DistroBaker | d90451e203 | |
DistroBaker | 02e7e00556 | |
DistroBaker | 81350b943b |
|
@ -0,0 +1 @@
|
|||
2602b87b336875bc1fd6866004f16013e6cf3fe4 dbus-broker-28.tar.xz
|
|
@ -0,0 +1,38 @@
|
|||
From 1add8a7d60e46806e0ef87994d3024245db0d84a Mon Sep 17 00:00:00 2001
|
||||
From: David Rheinsberg <david.rheinsberg@gmail.com>
|
||||
Date: Thu, 18 Mar 2021 11:10:02 +0100
|
||||
Subject: [PATCH] launch/policy: fix incorrect assertion for at_console
|
||||
|
||||
We write at_console policies for ranges of uids. If one of those ranges
|
||||
is 0, an overflow assertion will incorrectly fire. Fix this and simplify
|
||||
the assertions for better readability.
|
||||
|
||||
Note that such empty ranges will happen if more than one user on the
|
||||
system is considered `at_console` **and** those users have consecutive
|
||||
UIDs. Another possibility for empty ranges is when uid 0 is considered
|
||||
at_console.
|
||||
|
||||
In any case, the assertion will abort the application incorrectly. So
|
||||
this is not a security issue, but merely an incorrect assertion.
|
||||
|
||||
Signed-off-by: David Rheinsberg <david.rheinsberg@gmail.com>
|
||||
---
|
||||
src/launch/policy.c | 5 ++++-
|
||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/launch/policy.c b/src/launch/policy.c
|
||||
index f91f11b..75eb0d3 100644
|
||||
--- a/src/launch/policy.c
|
||||
+++ b/src/launch/policy.c
|
||||
@@ -934,7 +934,10 @@ static int policy_export_xmit(Policy *policy, CList *list1, CList *list2, sd_bus
|
||||
static int policy_export_console(Policy *policy, sd_bus_message *m, PolicyEntries *entries, uint32_t uid_start, uint32_t n_uid) {
|
||||
int r;
|
||||
|
||||
- c_assert(((uint32_t)-1) - n_uid + 1 >= uid_start);
|
||||
+ /* check for overflow */
|
||||
+ c_assert(uid_start + n_uid >= uid_start);
|
||||
+ /* check for encoding into dbus `u` type */
|
||||
+ c_assert(uid_start + n_uid <= (uint32_t)-1);
|
||||
|
||||
if (n_uid == 0)
|
||||
return 0;
|
|
@ -0,0 +1,155 @@
|
|||
From 33e0595b1c7cf8fa0e7ca3a353f4380c1307dc25 Mon Sep 17 00:00:00 2001
|
||||
From: David Rheinsberg <david.rheinsberg@gmail.com>
|
||||
Date: Thu, 5 May 2022 10:50:31 +0200
|
||||
Subject: [PATCH] test-config: add tests for some config samples
|
||||
|
||||
Add infrastructure to easily parse config-samples in our test. This
|
||||
allows us to add any reports about broken configurations easily, and
|
||||
making sure we will not run into the same issues again.
|
||||
|
||||
Signed-off-by: David Rheinsberg <david.rheinsberg@gmail.com>
|
||||
---
|
||||
src/launch/test-config.c | 97 +++++++++++++++++++++++++++++++++++++---
|
||||
1 file changed, 91 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/src/launch/test-config.c b/src/launch/test-config.c
|
||||
index 0401a434..c2f8765e 100644
|
||||
--- a/src/launch/test-config.c
|
||||
+++ b/src/launch/test-config.c
|
||||
@@ -9,6 +9,7 @@
|
||||
#include "launch/config.h"
|
||||
#include "launch/nss-cache.h"
|
||||
#include "util/dirwatch.h"
|
||||
+#include "util/syscall.h"
|
||||
|
||||
static const char *test_type2str[_CONFIG_NODE_N] = {
|
||||
[CONFIG_NODE_BUSCONFIG] = "busconfig",
|
||||
@@ -35,12 +36,23 @@ static const char *test_type2str[_CONFIG_NODE_N] = {
|
||||
[CONFIG_NODE_ASSOCIATE] = "associate",
|
||||
};
|
||||
|
||||
-static void print_config(const char *path) {
|
||||
+static int config_memfd(const char *data) {
|
||||
+ ssize_t n;
|
||||
+ int fd;
|
||||
+
|
||||
+ fd = syscall_memfd_create("dbus-broker-test-config", 0);
|
||||
+ c_assert(fd >= 0);
|
||||
+ n = write(fd, data, strlen(data));
|
||||
+ c_assert(n == (ssize_t)strlen(data));
|
||||
+
|
||||
+ return fd;
|
||||
+}
|
||||
+
|
||||
+static int parse_config(ConfigRoot **rootp, const char *path) {
|
||||
_c_cleanup_(config_parser_deinit) ConfigParser parser = CONFIG_PARSER_NULL(parser);
|
||||
_c_cleanup_(config_root_freep) ConfigRoot *root = NULL;
|
||||
_c_cleanup_(nss_cache_deinit) NSSCache nss_cache = NSS_CACHE_INIT;
|
||||
_c_cleanup_(dirwatch_freep) Dirwatch *dirwatch = NULL;
|
||||
- ConfigNode *i_node;
|
||||
int r;
|
||||
|
||||
r = dirwatch_new(&dirwatch);
|
||||
@@ -49,6 +61,32 @@ static void print_config(const char *path) {
|
||||
config_parser_init(&parser);
|
||||
|
||||
r = config_parser_read(&parser, &root, path, &nss_cache, dirwatch);
|
||||
+ if (r)
|
||||
+ return r;
|
||||
+
|
||||
+ *rootp = root;
|
||||
+ root = NULL;
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+static int parse_config_inline(ConfigRoot **rootp, const char *data) {
|
||||
+ _c_cleanup_(c_closep) int fd = -1;
|
||||
+ _c_cleanup_(c_freep) char *path = NULL;
|
||||
+ int r;
|
||||
+
|
||||
+ fd = config_memfd(data);
|
||||
+ r = asprintf(&path, "/proc/self/fd/%d", fd);
|
||||
+ c_assert(r > 0);
|
||||
+
|
||||
+ return parse_config(rootp, path);
|
||||
+}
|
||||
+
|
||||
+static void print_config(const char *path) {
|
||||
+ _c_cleanup_(config_root_freep) ConfigRoot *root = NULL;
|
||||
+ ConfigNode *i_node;
|
||||
+ int r;
|
||||
+
|
||||
+ r = parse_config(&root, path);
|
||||
c_assert(!r);
|
||||
|
||||
c_list_for_each_entry(i_node, &root->node_list, root_link) {
|
||||
@@ -56,18 +94,65 @@ static void print_config(const char *path) {
|
||||
}
|
||||
}
|
||||
|
||||
-static void test_config(void) {
|
||||
+static void test_config_base(void) {
|
||||
_c_cleanup_(config_parser_deinit) ConfigParser parser = CONFIG_PARSER_NULL(parser);
|
||||
|
||||
config_parser_init(&parser);
|
||||
config_parser_deinit(&parser);
|
||||
}
|
||||
|
||||
+static void test_config_sample0(void) {
|
||||
+ _c_cleanup_(config_root_freep) ConfigRoot *root = NULL;
|
||||
+ const char *data;
|
||||
+ int r;
|
||||
+
|
||||
+ data =
|
||||
+"<?xml version=\"1.0\"?> <!--*-nxml-*-->\
|
||||
+<!DOCTYPE g PUBLIC \"-/N\"\
|
||||
+ \"htt\">\
|
||||
+<busconfig>\
|
||||
+ <policy user=\"root\">\
|
||||
+ <allow own_prefix=\"oramd\"/>\
|
||||
+ <allow send_interface=\"d\"/>\
|
||||
+ </policy>\
|
||||
+ <user ix=\"d\"/>\
|
||||
+ </cy>";
|
||||
+
|
||||
+ r = parse_config_inline(&root, data);
|
||||
+ c_assert(r == CONFIG_E_INVALID);
|
||||
+}
|
||||
+
|
||||
+static void test_config_sample1(void) {
|
||||
+ _c_cleanup_(config_root_freep) ConfigRoot *root = NULL;
|
||||
+ const char *data;
|
||||
+ int r;
|
||||
+
|
||||
+ data =
|
||||
+"<?xml version=\"1.0\"?> <!--*-nxml-*-->\
|
||||
+<!DOCTYPE g PUBLIC \"-/N\"\
|
||||
+ \"htt\">\
|
||||
+<busconfig>\
|
||||
+ <policy user=\"root\">\
|
||||
+ <allow own_prefix=\"oramd\"/>\
|
||||
+ <allow send_interface=\"d\"/>\
|
||||
+ </policy>\
|
||||
+ <policy context=\"default\"/> <user ix=\"d\"/>\
|
||||
+ </policy>\
|
||||
+</busconfig>";
|
||||
+
|
||||
+ r = parse_config_inline(&root, data);
|
||||
+ c_assert(r == CONFIG_E_INVALID);
|
||||
+}
|
||||
+
|
||||
int main(int argc, char **argv) {
|
||||
- if (argc < 2)
|
||||
- test_config();
|
||||
- else
|
||||
+ if (argc > 1) {
|
||||
print_config(argv[1]);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ test_config_base();
|
||||
+ test_config_sample0();
|
||||
+ test_config_sample1();
|
||||
|
||||
return 0;
|
||||
}
|
|
@ -0,0 +1,30 @@
|
|||
From b82b670bfec6600d0144bcb9ca635fb07c80118f Mon Sep 17 00:00:00 2001
|
||||
From: David Rheinsberg <david.rheinsberg@gmail.com>
|
||||
Date: Thu, 18 Mar 2021 12:13:16 +0100
|
||||
Subject: [PATCH] launch/policy: fix at_console range assertion again
|
||||
|
||||
The previous fix did not actually consider that a full range can span up
|
||||
until (uint32_t)-1. Fix this properly now, and just check manually for
|
||||
an empty range before checking that the highest entry in the range can
|
||||
be represented.
|
||||
|
||||
Signed-off-by: David Rheinsberg <david.rheinsberg@gmail.com>
|
||||
---
|
||||
src/launch/policy.c | 4 +---
|
||||
1 file changed, 1 insertion(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/launch/policy.c b/src/launch/policy.c
|
||||
index 75eb0d3..6999ceb 100644
|
||||
--- a/src/launch/policy.c
|
||||
+++ b/src/launch/policy.c
|
||||
@@ -935,9 +935,7 @@ static int policy_export_console(Policy *policy, sd_bus_message *m, PolicyEntrie
|
||||
int r;
|
||||
|
||||
/* check for overflow */
|
||||
- c_assert(uid_start + n_uid >= uid_start);
|
||||
- /* check for encoding into dbus `u` type */
|
||||
- c_assert(uid_start + n_uid <= (uint32_t)-1);
|
||||
+ c_assert(n_uid == 0 || uid_start + n_uid - 1 >= uid_start);
|
||||
|
||||
if (n_uid == 0)
|
||||
return 0;
|
|
@ -0,0 +1,66 @@
|
|||
From 7fd15f8e272136955f7ffc37df29fbca9ddceca1 Mon Sep 17 00:00:00 2001
|
||||
From: David Rheinsberg <david.rheinsberg@gmail.com>
|
||||
Date: Tue, 19 Apr 2022 13:11:02 +0200
|
||||
Subject: [PATCH] strnspn: fix buffer overflow
|
||||
|
||||
Fix the strnspn and strncspn functions to use a properly sized buffer.
|
||||
It used to be 1 byte too short. Checking for `0xff` in a string will
|
||||
thus write `0xff` once byte beyond the stack space of the local buffer.
|
||||
|
||||
Note that the public API does not allow to pass `0xff` to those
|
||||
functions. Therefore, this is a read-only buffer overrun, possibly
|
||||
causing bogus reports from the parser, but still well-defined.
|
||||
|
||||
Reported-by: Steffen Robertz
|
||||
Signed-off-by: David Rheinsberg <david.rheinsberg@gmail.com>
|
||||
---
|
||||
/subprojects/c-shquote/src/c-shquote.c | 4 ++--
|
||||
/subprojects/c-shquote/src/test-private.c | 6 ++++++
|
||||
2 files changed, 8 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a//subprojects/c-shquote/src/c-shquote.c b//subprojects/c-shquote/src/c-shquote.c
|
||||
index b268906..abb55d6 100644
|
||||
--- a//subprojects/c-shquote/src/c-shquote.c
|
||||
+++ b//subprojects/c-shquote/src/c-shquote.c
|
||||
@@ -85,7 +85,7 @@ int c_shquote_consume_char(char **outp,
|
||||
size_t c_shquote_strnspn(const char *string,
|
||||
size_t n_string,
|
||||
const char *accept) {
|
||||
- bool buffer[UCHAR_MAX] = {};
|
||||
+ bool buffer[UCHAR_MAX + 1] = {};
|
||||
|
||||
for ( ; *accept; ++accept)
|
||||
buffer[(unsigned char)*accept] = true;
|
||||
@@ -100,7 +100,7 @@ size_t c_shquote_strnspn(const char *string,
|
||||
size_t c_shquote_strncspn(const char *string,
|
||||
size_t n_string,
|
||||
const char *reject) {
|
||||
- bool buffer[UCHAR_MAX] = {};
|
||||
+ bool buffer[UCHAR_MAX + 1] = {};
|
||||
|
||||
if (strlen(reject) == 1) {
|
||||
const char *p;
|
||||
diff --git a//subprojects/c-shquote/src/test-private.c b//subprojects/c-shquote/src/test-private.c
|
||||
index 57a7250..c6afe40 100644
|
||||
--- a//subprojects/c-shquote/src/test-private.c
|
||||
+++ b//subprojects/c-shquote/src/test-private.c
|
||||
@@ -148,6 +148,9 @@ static void test_strnspn(void) {
|
||||
|
||||
len = c_shquote_strnspn("ab", 2, "bc");
|
||||
c_assert(len == 0);
|
||||
+
|
||||
+ len = c_shquote_strnspn("ab", 2, "\xff");
|
||||
+ c_assert(len == 0);
|
||||
}
|
||||
|
||||
static void test_strncspn(void) {
|
||||
@@ -167,6 +170,9 @@ static void test_strncspn(void) {
|
||||
|
||||
len = c_shquote_strncspn("ab", 2, "cd");
|
||||
c_assert(len == 2);
|
||||
+
|
||||
+ len = c_shquote_strncspn("ab", 2, "\xff");
|
||||
+ c_assert(len == 2);
|
||||
}
|
||||
|
||||
static void test_discard_comment(void) {
|
|
@ -0,0 +1,35 @@
|
|||
From 4fefc3908ce527de4ca3d7386886c2447d6b4c14 Mon Sep 17 00:00:00 2001
|
||||
From: David Rheinsberg <david.rheinsberg@gmail.com>
|
||||
Date: Tue, 19 Apr 2022 13:29:53 +0200
|
||||
Subject: [PATCH] launch/config: keep empty cdata around
|
||||
|
||||
We expect the `node->cdata` pointer to contain the actual content of an
|
||||
XML entry. Make sure it is initialized to an empty string, so we can
|
||||
dereference it without checking for validity everywhere.
|
||||
|
||||
Note that we want it to be an owned string, to allow claiming the value.
|
||||
We will avoid any `n_cdata + 'static ""` here, to keep the code simple.
|
||||
The performance of that strdup() merely affects XML parsing, no bus
|
||||
runtime.
|
||||
|
||||
Reported-by: Steffen Robertz
|
||||
Signed-off-by: David Rheinsberg <david.rheinsberg@gmail.com>
|
||||
---
|
||||
src/launch/config.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/src/launch/config.c b/src/launch/config.c
|
||||
index 490d7b7d..cb7e3fae 100644
|
||||
--- a/src/launch/config.c
|
||||
+++ b/src/launch/config.c
|
||||
@@ -133,6 +133,10 @@ int config_node_new(ConfigNode **nodep, ConfigNode *parent, unsigned int type) {
|
||||
break;
|
||||
}
|
||||
|
||||
+ node->cdata = strdup("");
|
||||
+ if (!node->cdata)
|
||||
+ return error_origin(-ENOMEM);
|
||||
+
|
||||
*nodep = node;
|
||||
node = NULL;
|
||||
return 0;
|
|
@ -1,17 +1,17 @@
|
|||
%global dbus_user_id 81
|
||||
|
||||
Name: dbus-broker
|
||||
Version: 24
|
||||
Release: 1%{?dist}
|
||||
Version: 28
|
||||
Release: 7%{?dist}
|
||||
Summary: Linux D-Bus Message Broker
|
||||
License: ASL 2.0
|
||||
URL: https://github.com/bus1/dbus-broker
|
||||
Source0: https://github.com/bus1/dbus-broker/releases/download/v%{version}/dbus-broker-%{version}.tar.xz
|
||||
Provides: bundled(c-dvar) = 1
|
||||
Provides: bundled(c-ini) = 1
|
||||
Provides: bundled(c-list) = 3
|
||||
Provides: bundled(c-rbtree) = 3
|
||||
Provides: bundled(c-shquote) = 1
|
||||
Patch0000: https://github.com/bus1/dbus-broker/commit/1add8a7d60e46806e0ef87994d3024245db0d84a.patch
|
||||
Patch0001: https://github.com/bus1/dbus-broker/commit/b82b670bfec6600d0144bcb9ca635fb07c80118f.patch
|
||||
Patch0002: cve-2022-31212.patch
|
||||
Patch0003: cve-2022-31213.patch
|
||||
Patch0004: https://github.com/bus1/dbus-broker/commit/33e0595b1c7cf8fa0e7ca3a353f4380c1307dc25.patch
|
||||
%{?systemd_requires}
|
||||
BuildRequires: pkgconfig(audit)
|
||||
BuildRequires: pkgconfig(expat)
|
||||
|
@ -98,6 +98,48 @@ fi
|
|||
%{_userunitdir}/dbus-broker.service
|
||||
|
||||
%changelog
|
||||
* Mon Aug 22 2022 Frantisek Sumsal <fsumsal@redhat.com> - 28-7
|
||||
- Add coverage for CVE-2022-31213 and other config-file-related issues
|
||||
Related: CVE-2022-31213
|
||||
|
||||
* Tue Aug 02 2022 Jakub Martisko <jamartis@redhat.com> - 28-6
|
||||
- Fix a stack buffer over-read in the c-shquote library
|
||||
- Fix null pointer reference when supplying a malformed XML config file
|
||||
Resolves: CVE-2022-31212
|
||||
Resolves: CVE-2022-31213
|
||||
|
||||
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 28-5
|
||||
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
||||
Related: rhbz#1991688
|
||||
|
||||
* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 28-4
|
||||
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
|
||||
|
||||
* Thu Mar 18 2021 David Rheinsberg <david.rheinsberg@gmail.com> - 28-3
|
||||
- Apply another fix for incorrect at_console range assertion.
|
||||
|
||||
* Thu Mar 18 2021 David Rheinsberg <david.rheinsberg@gmail.com> - 28-2
|
||||
- Apply fix for incorrect at_console range assertion.
|
||||
|
||||
* Thu Mar 18 2021 David Rheinsberg <david.rheinsberg@gmail.com> - 28-1
|
||||
- Update to upstream v28.
|
||||
- Drop unused c-util based bundling annotations.
|
||||
|
||||
* Wed Feb 17 2021 David Rheinsberg <david.rheinsberg@gmail.com> - 27-2
|
||||
- Apply activation-tracking bugfixes from upstream.
|
||||
|
||||
* Mon Feb 15 2021 David Rheinsberg <david.rheinsberg@gmail.com> - 27-1
|
||||
- Update to upstream v27.
|
||||
|
||||
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 26-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
||||
|
||||
* Wed Jan 20 2021 David Rheinsberg <david.rheinsberg@gmail.com> - 26-1
|
||||
- Update to upstream v26.
|
||||
|
||||
* Wed Jan 6 2021 Jeff Law <law@redhat.com> - 24-2
|
||||
- Bump NVR to force rebuild with gcc-11
|
||||
|
||||
* Fri Sep 4 2020 David Rheinsberg <david.rheinsberg@gmail.com> - 24-1
|
||||
- Update to upstream v24. Only minor changes to the diagnostic messages as
|
||||
well as audit-events.
|
||||
|
|
|
@ -0,0 +1,6 @@
|
|||
--- !Policy
|
||||
product_versions:
|
||||
- rhel-9
|
||||
decision_context: osci_compose_gate
|
||||
rules:
|
||||
- !PassingTestCaseRule {test_case_name: osci.brew-build.revdeps.integration}
|
2
sources
2
sources
|
@ -1 +1 @@
|
|||
SHA512 (dbus-broker-24.tar.xz) = 7fbe6c689eff27ec842bb9d839a418abc356b026bb0a54dfa8b680a655409aa1ea4cb90655a6b04561a88c6e703cacf8800fddfe1abc21e7ee60db2dac1c2db9
|
||||
SHA512 (dbus-broker-28.tar.xz) = 81a05a3ad2fbc0292a7de0cc719c5946e2d70d0bf91abb2eb9764fdef738a460a0cc988e050d0985ff45009a51677df3f619f4e17c8712df34c85e84826efbee
|
||||
|
|
Loading…
Reference in New Issue