diff --git a/dbus-1.12.20-CVE-2022-42011.patch b/dbus-1.12.20-CVE-2022-42011.patch
new file mode 100644
index 0000000..d0a5510
--- /dev/null
+++ b/dbus-1.12.20-CVE-2022-42011.patch
@@ -0,0 +1,57 @@
+From 3b8a7aff228770f4f7b478db606b10cceacea875 Mon Sep 17 00:00:00 2001
+From: Simon McVittie
+Date: Mon, 12 Sep 2022 13:14:18 +0100
+Subject: [PATCH] dbus-marshal-validate: Validate length of arrays of
+ fixed-length items
+
+This fast-path previously did not check that the array was made up
+of an integer number of items. This could lead to assertion failures
+and out-of-bounds accesses during subsequent message processing (which
+assumes that the message has already been validated), particularly after
+the addition of _dbus_header_remove_unknown_fields(), which makes it
+more likely that dbus-daemon will apply non-trivial edits to messages.
+
+Thanks: Evgeny Vereshchagin
+Fixes: e61f13cf "Bug 18064 - more efficient validation for fixed-size type arrays"
+Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/413
+Resolves: CVE-2022-42011
+Signed-off-by: Simon McVittie
+(cherry picked from commit 079bbf16186e87fb0157adf8951f19864bc2ed69)
+(cherry picked from commit b9e6a7523085a2cfceaffca7ba1ab4251f12a984)
+---
+ dbus/dbus-marshal-validate.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/dbus/dbus-marshal-validate.c b/dbus/dbus-marshal-validate.c
+index ae68414dd..7d0d6cf72 100644
+--- a/dbus/dbus-marshal-validate.c
++++ b/dbus/dbus-marshal-validate.c
+@@ -503,13 +503,24 @@ validate_body_helper (DBusTypeReader *reader,
+ */
+ if (dbus_type_is_fixed (array_elem_type))
+ {
++ /* Note that fixed-size types all have sizes equal to
++ * their alignments, so this is really the item size. */
++ alignment = _dbus_type_get_alignment (array_elem_type);
++ _dbus_assert (alignment == 1 || alignment == 2 ||
++ alignment == 4 || alignment == 8);
++
++ /* Because the alignment is a power of 2, this is
++ * equivalent to: (claimed_len % alignment) != 0,
++ * but avoids slower integer division */
++ if ((claimed_len & (alignment - 1)) != 0)
++ return DBUS_INVALID_ARRAY_LENGTH_INCORRECT;
++
+ /* bools need to be handled differently, because they can
+ * have an invalid value
+ */
+ if (array_elem_type == DBUS_TYPE_BOOLEAN)
+ {
+ dbus_uint32_t v;
+- alignment = _dbus_type_get_alignment (array_elem_type);
+ 
+ while (p < array_end)
+ {
+-- 
+GitLab
+
diff --git a/dbus.spec b/dbus.spec
index dd7bc67..104d6ea 100644
--- a/dbus.spec
+++ b/dbus.spec
@@ -45,6 +45,8 @@ Source8: dbus-systemd-sysusers.conf
 Patch0: 0001-tools-Use-Python3-for-GetAllMatchRules.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2133647
 Patch1: dbus-1.12.20-CVE-2022-42010.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2133641
+Patch2: dbus-1.12.20-CVE-2022-42011.patch
 BuildRequires: autoconf-archive
 BuildRequires: libtool
@@ -452,6 +454,7 @@ systemctl --no-reload --global preset dbus-daemon.service &>/dev/null || :
 %changelog
 * Tue Oct 18 2022 David King - 1:1.12.20-7
 - Fix CVE-2022-42010 (#2133647)
+- Fix CVE-2022-42011 (#2133641)
 * Wed Aug 17 2022 David King - 1:1.12.20-6
 - Override upstream sysusers.d confguration (#2118226)
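Review bot: The new length check in the `dbus_type_is_fixed` branch is correct only while `alignment` is a power of two, and that precondition is enforced solely by `_dbus_assert`, which dbus compiles out when `DBUS_DISABLE_ASSERT` is defined (as release builds commonly do). I would state that dependency in the comment above the mask test, for example `/* Relies on _dbus_type_get_alignment() returning 1, 2, 4 or 8 for fixed types; the assert above is a no-op when assertions are disabled */`. The patch touches only dbus-marshal-validate.c, so nothing visible here exercises the new `DBUS_INVALID_ARRAY_LENGTH_INCORRECT` return; a regression case with a fixed-size array whose claimed length is not a multiple of the item size would pin the fix in this backport. `validate_body_helper` starts and ends outside the hunk, so how the non-boolean path uses the hoisted `alignment` afterwards cannot be confirmed from these lines.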