diff --git a/SOURCES/dbus-1.20.8-CVE-2022-42010.patch b/SOURCES/dbus-1.20.8-CVE-2022-42010.patch
new file mode 100644
index 0000000..ce387c7
--- /dev/null
+++ b/SOURCES/dbus-1.20.8-CVE-2022-42010.patch
@@ -0,0 +1,116 @@
+From 8f382ee405ec68850866298ba0574f12e261a6fa Mon Sep 17 00:00:00 2001
+From: Simon McVittie
+Date: Tue, 13 Sep 2022 15:10:22 +0100
+Subject: [PATCH] dbus-marshal-validate: Check brackets in signature nest
+ correctly
+
+In debug builds with assertions enabled, a signature with incorrectly
+nested `()` and `{}`, for example `a{i(u}` or `(a{ii)}`, could result
+in an assertion failure.
+
+In production builds without assertions enabled, a signature with
+incorrectly nested `()` and `{}` could potentially result in a crash
+or incorrect message parsing, although we do not have a concrete example
+of either of these failure modes.
+
+Thanks: Evgeny Vereshchagin
+Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/418
+Resolves: CVE-2022-42010
+Signed-off-by: Simon McVittie
+(cherry picked from commit 9d07424e9011e3bbe535e83043d335f3093d2916)
+(cherry picked from commit 3e53a785dee8d1432156188a2c4260e4cbc78c4d)
+---
+ dbus/dbus-marshal-validate.c | 38 +++++++++++++++++++++++++++++++++++-
+ 1 file changed, 37 insertions(+), 1 deletion(-)
+
+diff --git a/dbus/dbus-marshal-validate.c b/dbus/dbus-marshal-validate.c
+index 4d492f3f3..ae68414dd 100644
+--- a/dbus/dbus-marshal-validate.c
++++ b/dbus/dbus-marshal-validate.c
+@@ -62,6 +62,8 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
+
+ int element_count;
+ DBusList *element_count_stack;
++ char opened_brackets[DBUS_MAXIMUM_TYPE_RECURSION_DEPTH * 2 + 1] = { '\0' };
++ char last_bracket;
+
+ result = DBUS_VALID;
+ element_count_stack = NULL;
+@@ -93,6 +95,10 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
+
+ while (p != end)
+ {
++ _dbus_assert (struct_depth + dict_entry_depth >= 0);
++ _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets));
++ _dbus_assert (opened_brackets[struct_depth + dict_entry_depth] == '\0');
++
+ switch (*p)
+ {
+ case DBUS_TYPE_BYTE:
+@@ -136,6 +142,10 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
+ goto out;
+ }
+
++ _dbus_assert (struct_depth + dict_entry_depth >= 1);
++ _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets));
++ _dbus_assert (opened_brackets[struct_depth + dict_entry_depth - 1] == '\0');
++ opened_brackets[struct_depth + dict_entry_depth - 1] = DBUS_STRUCT_BEGIN_CHAR;
+ break;
+
+ case DBUS_STRUCT_END_CHAR:
+@@ -151,9 +161,20 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
+ goto out;
+ }
+
++ _dbus_assert (struct_depth + dict_entry_depth >= 1);
++ _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets));
++ last_bracket = opened_brackets[struct_depth + dict_entry_depth - 1];
++
++ if (last_bracket != DBUS_STRUCT_BEGIN_CHAR)
++ {
++ result = DBUS_INVALID_STRUCT_ENDED_BUT_NOT_STARTED;
++ goto out;
++ }
++
+ _dbus_list_pop_last (&element_count_stack);
+
+ struct_depth -= 1;
++ opened_brackets[struct_depth + dict_entry_depth] = '\0';
+ break;
+
+ case DBUS_DICT_ENTRY_BEGIN_CHAR:
+@@ -178,6 +199,10 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
+ goto out;
+ }
+
++ _dbus_assert (struct_depth + dict_entry_depth >= 1);
++ _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets));
++ _dbus_assert (opened_brackets[struct_depth + dict_entry_depth - 1] == '\0');
++ opened_brackets[struct_depth + dict_entry_depth - 1] = DBUS_DICT_ENTRY_BEGIN_CHAR;
+ break;
+
+ case DBUS_DICT_ENTRY_END_CHAR:
+@@ -186,8 +211,19 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
+ result = DBUS_INVALID_DICT_ENTRY_ENDED_BUT_NOT_STARTED;
+ goto out;
+ }
+-
++
++ _dbus_assert (struct_depth + dict_entry_depth >= 1);
++ _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets));
++ last_bracket = opened_brackets[struct_depth + dict_entry_depth - 1];
++
++ if (last_bracket != DBUS_DICT_ENTRY_BEGIN_CHAR)
++ {
++ result = DBUS_INVALID_DICT_ENTRY_ENDED_BUT_NOT_STARTED;
++ goto out;
++ }
++
+ dict_entry_depth -= 1;
++ opened_brackets[struct_depth + dict_entry_depth] = '\0';
+
+ element_count =
+ _DBUS_POINTER_TO_INT (_dbus_list_pop_last (&element_count_stack));
+--
+GitLab
+
diff --git a/SOURCES/dbus-1.20.8-CVE-2022-42011.patch b/SOURCES/dbus-1.20.8-CVE-2022-42011.patch
new file mode 100644
index 0000000..d0a5510
--- /dev/null
+++ b/SOURCES/dbus-1.20.8-CVE-2022-42011.patch
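Review bot: Where assertions are disabled (the "production builds" case the commit message itself describes), the stores `opened_brackets[struct_depth + dict_entry_depth - 1] = DBUS_STRUCT_BEGIN_CHAR;` and the matching dict-entry store are bounded only by the existing per-kind depth checks that precede them, and those checks lie outside this hunk's context; for the backport it is worth confirming in the 1.12.8 tree that both the struct and dict-entry cases still reject a depth above DBUS_MAXIMUM_TYPE_RECURSION_DEPTH before incrementing, since the array size `DBUS_MAXIMUM_TYPE_RECURSION_DEPTH * 2 + 1` is only sufficient under that bound. The `_dbus_assert` lines record the invariant but, per the commit message, are not a run-time check in such builds. A short comment beside the declaration, `/* one slot per open bracket; both depths are capped at DBUS_MAXIMUM_TYPE_RECURSION_DEPTH */`, would make that dependency visible where the size is chosen. The enclosing function _dbus_validate_signature_with_reason begins and ends outside this hunk.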
@@ -0,0 +1,57 @@
+From 3b8a7aff228770f4f7b478db606b10cceacea875 Mon Sep 17 00:00:00 2001
+From: Simon McVittie
+Date: Mon, 12 Sep 2022 13:14:18 +0100
+Subject: [PATCH] dbus-marshal-validate: Validate length of arrays of
+ fixed-length items
+
+This fast-path previously did not check that the array was made up
+of an integer number of items. This could lead to assertion failures
+and out-of-bounds accesses during subsequent message processing (which
+assumes that the message has already been validated), particularly after
+the addition of _dbus_header_remove_unknown_fields(), which makes it
+more likely that dbus-daemon will apply non-trivial edits to messages.
+
+Thanks: Evgeny Vereshchagin
+Fixes: e61f13cf "Bug 18064 - more efficient validation for fixed-size type arrays"
+Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/413
+Resolves: CVE-2022-42011
+Signed-off-by: Simon McVittie
+(cherry picked from commit 079bbf16186e87fb0157adf8951f19864bc2ed69)
+(cherry picked from commit b9e6a7523085a2cfceaffca7ba1ab4251f12a984)
+---
+ dbus/dbus-marshal-validate.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/dbus/dbus-marshal-validate.c b/dbus/dbus-marshal-validate.c
+index ae68414dd..7d0d6cf72 100644
+--- a/dbus/dbus-marshal-validate.c
++++ b/dbus/dbus-marshal-validate.c
+@@ -503,13 +503,24 @@ validate_body_helper (DBusTypeReader *reader,
+ */
+ if (dbus_type_is_fixed (array_elem_type))
+ {
++ /* Note that fixed-size types all have sizes equal to
++ * their alignments, so this is really the item size. */
++ alignment = _dbus_type_get_alignment (array_elem_type);
++ _dbus_assert (alignment == 1 || alignment == 2 ||
++ alignment == 4 || alignment == 8);
++
++ /* Because the alignment is a power of 2, this is
++ * equivalent to: (claimed_len % alignment) != 0,
++ * but avoids slower integer division */
++ if ((claimed_len & (alignment - 1)) != 0)
++ return DBUS_INVALID_ARRAY_LENGTH_INCORRECT;
++
+ /* bools need to be handled differently, because they can
+ * have an invalid value
+ */
+ if (array_elem_type == DBUS_TYPE_BOOLEAN)
+ {
+ dbus_uint32_t v;
+- alignment = _dbus_type_get_alignment (array_elem_type);
+
+ while (p < array_end)
+ {
+--
+GitLab
+
diff --git a/SOURCES/dbus-1.20.8-CVE-2022-42012.patch b/SOURCES/dbus-1.20.8-CVE-2022-42012.patch
new file mode 100644
index 0000000..29ff781
--- /dev/null
+++ b/SOURCES/dbus-1.20.8-CVE-2022-42012.patch
@@ -0,0 +1,73 @@
+From 51a5bbf9074855b0f4a353ed309938b196c13525 Mon Sep 17 00:00:00 2001
+From: Simon McVittie
+Date: Fri, 30 Sep 2022 13:46:31 +0100
+Subject: [PATCH] dbus-marshal-byteswap: Byte-swap Unix fd indexes if needed
+
+When a D-Bus message includes attached file descriptors, the body of the
+message contains unsigned 32-bit indexes pointing into an out-of-band
+array of file descriptors. Some D-Bus APIs like GLib's GDBus refer to
+these indexes as "handles" for the associated fds (not to be confused
+with a Windows HANDLE, which is a kernel object).
+
+The assertion message removed by this commit is arguably correct up to
+a point: fd-passing is only reasonable on a local machine, and no known
+operating system allows processes of differing endianness even on a
+multi-endian ARM or PowerPC CPU, so it makes little sense for the sender
+to specify a byte-order that differs from the byte-order of the recipient.
+
+However, this doesn't account for the fact that a malicious sender
+doesn't have to restrict itself to only doing things that make sense.
+On a system with untrusted local users, a message sender could crash
+the system dbus-daemon (a denial of service) by sending a message in
+the opposite endianness that contains handles to file descriptors.
+
+Before this commit, if assertions are enabled, attempting to byteswap
+a fd index would cleanly crash the message recipient with an assertion
+failure. If assertions are disabled, attempting to byteswap a fd index
+would silently do nothing without advancing the pointer p, causing the
+message's type and the pointer into its contents to go out of sync, which
+can result in a subsequent crash (the crash demonstrated by fuzzing was
+a use-after-free, but other failure modes might be possible).
+
+In principle we could resolve this by rejecting wrong-endianness messages
+from a local sender, but it's actually simpler and less code to treat
+wrong-endianness messages as valid and byteswap them.
+
+Thanks: Evgeny Vereshchagin
+Fixes: ba7daa60 "unix-fd: add basic marshalling code for unix fds"
+Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/417
+Resolves: CVE-2022-42012
+Signed-off-by: Simon McVittie
+(cherry picked from commit 236f16e444e88a984cf12b09225e0f8efa6c5b44)
+(cherry picked from commit 3fb065b0752db1e298e4ada52cf4adc414f5e946)
+---
+ dbus/dbus-marshal-byteswap.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/dbus/dbus-marshal-byteswap.c b/dbus/dbus-marshal-byteswap.c
+index 27695aafb..7104e9c63 100644
+--- a/dbus/dbus-marshal-byteswap.c
++++ b/dbus/dbus-marshal-byteswap.c
+@@ -61,6 +61,7 @@ byteswap_body_helper (DBusTypeReader *reader,
+ case DBUS_TYPE_BOOLEAN:
+ case DBUS_TYPE_INT32:
+ case DBUS_TYPE_UINT32:
++ case DBUS_TYPE_UNIX_FD:
+ {
+ p = _DBUS_ALIGN_ADDRESS (p, 4);
+ *((dbus_uint32_t*)p) = DBUS_UINT32_SWAP_LE_BE (*((dbus_uint32_t*)p));
+@@ -188,11 +189,6 @@ byteswap_body_helper (DBusTypeReader *reader,
+ }
+ break;
+
+- case DBUS_TYPE_UNIX_FD:
+- /* fds can only be passed on a local machine, so byte order must always match */
+- _dbus_assert_not_reached("attempted to byteswap unix fds which makes no sense");
+- break;
+-
+ default:
+ _dbus_assert_not_reached ("invalid typecode in supposedly-validated signature");
+ break;
+--
+GitLab
+
diff --git a/SPECS/dbus.spec b/SPECS/dbus.spec
index 9735497..3fabf92 100644
--- a/SPECS/dbus.spec
+++ b/SPECS/dbus.spec
@@ -19,7 +19,7 @@
 Name: dbus
 Epoch: 1
 Version: 1.12.8
-Release: 23%{?dist}
+Release: 23%{?dist}.1
 Summary: D-BUS message bus
 Group: System Environment/Libraries
@@ -41,6 +41,12 @@ Patch1: dbus-1.12.8-fix-CVE-2019-12749.patch
 Patch2: dbus-1.12.8-fix-CVE-2020-12049.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1839753
 Patch3: dbus-1.12.8-fix-fd-limit-change.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2133644
+Patch4: dbus-1.20.8-CVE-2022-42010.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2133638
+Patch5: dbus-1.20.8-CVE-2022-42011.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2133632
+Patch6: dbus-1.20.8-CVE-2022-42012.patch
 BuildRequires: autoconf-archive
 BuildRequires: libtool
@@ -415,6 +421,11 @@ popd
 %{_includedir}/*
 %changelog
+* Wed Oct 19 2022 David King - 1:1.12.8-23.1
+- Fix CVE-2022-42010 (#2133644)
+- Fix CVE-2022-42011 (#2133638)
+- Fix CVE-2022-42012 (#2133632)
+
 * Tue Sep 06 2022 Ray Strode - 1:1.12.8-23
 - Address race for very short running sessions in SSH session monitoring script.
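Review bot: The new Patch4–Patch6 entries are named `dbus-1.20.8-CVE-2022-42010.patch` and siblings although the package is Version 1.12.8 and the existing Patch1–Patch3 use the `dbus-1.12.8-…` prefix; 1.20.8 looks like a transposition of 1.12.8 and is worth correcting in both the spec and the file names so the backport is not mistaken for a different upstream release. The hunk declares the three patches but no `%patch4 -p1`, `%patch5 -p1`, `%patch6 -p1` application is visible anywhere in this diff; unless `%prep` uses `%autosetup` (not shown here), the fixes would be listed yet never applied, so confirm the `%prep` section that lies outside this hunk. Ordering also matters: the CVE-2022-42011 patch's `index ae68414dd..7d0d6cf72` line targets the tree produced by the CVE-2022-42010 patch, so Patch4 must stay ahead of Patch5.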