diff --git a/dbus-1.12.20-CVE-2022-42012.patch b/dbus-1.12.20-CVE-2022-42012.patch new file mode 100644 index 0000000..29ff781 --- /dev/null +++ b/dbus-1.12.20-CVE-2022-42012.patch @@ -0,0 +1,73 @@ +From 51a5bbf9074855b0f4a353ed309938b196c13525 Mon Sep 17 00:00:00 2001 +From: Simon McVittie +Date: Fri, 30 Sep 2022 13:46:31 +0100 +Subject: [PATCH] dbus-marshal-byteswap: Byte-swap Unix fd indexes if needed + +When a D-Bus message includes attached file descriptors, the body of the +message contains unsigned 32-bit indexes pointing into an out-of-band +array of file descriptors. Some D-Bus APIs like GLib's GDBus refer to +these indexes as "handles" for the associated fds (not to be confused +with a Windows HANDLE, which is a kernel object). + +The assertion message removed by this commit is arguably correct up to +a point: fd-passing is only reasonable on a local machine, and no known +operating system allows processes of differing endianness even on a +multi-endian ARM or PowerPC CPU, so it makes little sense for the sender +to specify a byte-order that differs from the byte-order of the recipient. + +However, this doesn't account for the fact that a malicious sender +doesn't have to restrict itself to only doing things that make sense. +On a system with untrusted local users, a message sender could crash +the system dbus-daemon (a denial of service) by sending a message in +the opposite endianness that contains handles to file descriptors. + +Before this commit, if assertions are enabled, attempting to byteswap +a fd index would cleanly crash the message recipient with an assertion +failure. If assertions are disabled, attempting to byteswap a fd index +would silently do nothing without advancing the pointer p, causing the +message's type and the pointer into its contents to go out of sync, which +can result in a subsequent crash (the crash demonstrated by fuzzing was +a use-after-free, but other failure modes might be possible). + +In principle we could resolve this by rejecting wrong-endianness messages +from a local sender, but it's actually simpler and less code to treat +wrong-endianness messages as valid and byteswap them. + +Thanks: Evgeny Vereshchagin +Fixes: ba7daa60 "unix-fd: add basic marshalling code for unix fds" +Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/417 +Resolves: CVE-2022-42012 +Signed-off-by: Simon McVittie +(cherry picked from commit 236f16e444e88a984cf12b09225e0f8efa6c5b44) +(cherry picked from commit 3fb065b0752db1e298e4ada52cf4adc414f5e946) +--- + dbus/dbus-marshal-byteswap.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/dbus/dbus-marshal-byteswap.c b/dbus/dbus-marshal-byteswap.c +index 27695aafb..7104e9c63 100644 +--- a/dbus/dbus-marshal-byteswap.c ++++ b/dbus/dbus-marshal-byteswap.c +@@ -61,6 +61,7 @@ byteswap_body_helper (DBusTypeReader *reader, + case DBUS_TYPE_BOOLEAN: + case DBUS_TYPE_INT32: + case DBUS_TYPE_UINT32: ++ case DBUS_TYPE_UNIX_FD: + { + p = _DBUS_ALIGN_ADDRESS (p, 4); + *((dbus_uint32_t*)p) = DBUS_UINT32_SWAP_LE_BE (*((dbus_uint32_t*)p)); +@@ -188,11 +189,6 @@ byteswap_body_helper (DBusTypeReader *reader, + } + break; + +- case DBUS_TYPE_UNIX_FD: +- /* fds can only be passed on a local machine, so byte order must always match */ +- _dbus_assert_not_reached("attempted to byteswap unix fds which makes no sense"); +- break; +- + default: + _dbus_assert_not_reached ("invalid typecode in supposedly-validated signature"); + break; +-- +GitLab + diff --git a/dbus.spec b/dbus.spec index 104d6ea..d54b1d1 100644 --- a/dbus.spec +++ b/dbus.spec @@ -47,6 +47,8 @@ Patch0: 0001-tools-Use-Python3-for-GetAllMatchRules.patch Patch1: dbus-1.12.20-CVE-2022-42010.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2133641 Patch2: dbus-1.12.20-CVE-2022-42011.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2133635 +Patch3: dbus-1.12.20-CVE-2022-42012.patch BuildRequires: autoconf-archive BuildRequires: libtool @@ -455,6 +457,7 @@ systemctl --no-reload --global preset dbus-daemon.service &>/dev/null || : * Tue Oct 18 2022 David King - 1:1.12.20-7 - Fix CVE-2022-42010 (#2133647) - Fix CVE-2022-42011 (#2133641) +- Fix CVE-2022-42012 (#2133635) * Wed Aug 17 2022 David King - 1:1.12.20-6 - Override upstream sysusers.d confguration (#2118226)