From 8e503831b80762b56f69a5f5c0333d44f4e93f7d Mon Sep 17 00:00:00 2001
From: David King
Date: Tue, 18 Oct 2022 23:06:25 +0100
Subject: [PATCH] Fix CVE-2022-42010 (#2133647)
Resolves: #2133647
---
dbus-1.12.20-CVE-2022-42010.patch | 116 ++++++++++++++++++++++++++++++
dbus.spec | 7 +-
2 files changed, 122 insertions(+), 1 deletion(-)
create mode 100644 dbus-1.12.20-CVE-2022-42010.patch
diff --git a/dbus-1.12.20-CVE-2022-42010.patch b/dbus-1.12.20-CVE-2022-42010.patch
new file mode 100644
index 0000000..ce387c7
--- /dev/null
+++ b/dbus-1.12.20-CVE-2022-42010.patch
@@ -0,0 +1,116 @@
+From 8f382ee405ec68850866298ba0574f12e261a6fa Mon Sep 17 00:00:00 2001
+From: Simon McVittie
+Date: Tue, 13 Sep 2022 15:10:22 +0100
+Subject: [PATCH] dbus-marshal-validate: Check brackets in signature nest
+ correctly
+
+In debug builds with assertions enabled, a signature with incorrectly
+nested `()` and `{}`, for example `a{i(u}` or `(a{ii)}`, could result
+in an assertion failure.
+
+In production builds without assertions enabled, a signature with
+incorrectly nested `()` and `{}` could potentially result in a crash
+or incorrect message parsing, although we do not have a concrete example
+of either of these failure modes.
+
+Thanks: Evgeny Vereshchagin
+Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/418
+Resolves: CVE-2022-42010
+Signed-off-by: Simon McVittie
+(cherry picked from commit 9d07424e9011e3bbe535e83043d335f3093d2916)
+(cherry picked from commit 3e53a785dee8d1432156188a2c4260e4cbc78c4d)
+---
+ dbus/dbus-marshal-validate.c | 38 +++++++++++++++++++++++++++++++++++-
+ 1 file changed, 37 insertions(+), 1 deletion(-)
+
+diff --git a/dbus/dbus-marshal-validate.c b/dbus/dbus-marshal-validate.c
+index 4d492f3f3..ae68414dd 100644
+--- a/dbus/dbus-marshal-validate.c
++++ b/dbus/dbus-marshal-validate.c
+@@ -62,6 +62,8 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
+
+ int element_count;
+ DBusList *element_count_stack;
++ char opened_brackets[DBUS_MAXIMUM_TYPE_RECURSION_DEPTH * 2 + 1] = { '\0' };
++ char last_bracket;
+
+ result = DBUS_VALID;
+ element_count_stack = NULL;
+@@ -93,6 +95,10 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
+
+ while (p != end)
+ {
++ _dbus_assert (struct_depth + dict_entry_depth >= 0);
++ _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets));
++ _dbus_assert (opened_brackets[struct_depth + dict_entry_depth] == '\0');
++
+ switch (*p)
+ {
+ case DBUS_TYPE_BYTE:
+@@ -136,6 +142,10 @@ _dbus_validate_signature_with_reason (const
DBusString *type_str,
+ goto out;
+ }
+
++ _dbus_assert (struct_depth + dict_entry_depth >= 1);
++ _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets));
++ _dbus_assert (opened_brackets[struct_depth + dict_entry_depth - 1] == '\0');
++ opened_brackets[struct_depth + dict_entry_depth - 1] = DBUS_STRUCT_BEGIN_CHAR;
+ break;
+
+ case DBUS_STRUCT_END_CHAR:
+@@ -151,9 +161,20 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
+ goto out;
+ }
+
++ _dbus_assert (struct_depth + dict_entry_depth >= 1);
++ _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets));
++ last_bracket = opened_brackets[struct_depth + dict_entry_depth - 1];
++
++ if (last_bracket != DBUS_STRUCT_BEGIN_CHAR)
++ {
++ result = DBUS_INVALID_STRUCT_ENDED_BUT_NOT_STARTED;
++ goto out;
++ }
++
+ _dbus_list_pop_last (&element_count_stack);
+
+ struct_depth -= 1;
++ opened_brackets[struct_depth + dict_entry_depth] = '\0';
+ break;
+
+ case DBUS_DICT_ENTRY_BEGIN_CHAR:
+@@ -178,6 +199,10 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
+ goto out;
+ }
+
++ _dbus_assert (struct_depth + dict_entry_depth >= 1);
++ _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets));
++ _dbus_assert (opened_brackets[struct_depth + dict_entry_depth - 1] == '\0');
++ opened_brackets[struct_depth + dict_entry_depth - 1] = DBUS_DICT_ENTRY_BEGIN_CHAR;
+ break;
+
+ case DBUS_DICT_ENTRY_END_CHAR:
+@@ -186,8 +211,19 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
+ result = DBUS_INVALID_DICT_ENTRY_ENDED_BUT_NOT_STARTED;
+ goto out;
+ }
+-
++
++ _dbus_assert (struct_depth + dict_entry_depth >= 1);
++ _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets));
++ last_bracket = opened_brackets[struct_depth + dict_entry_depth - 1];
++
++ if (last_bracket != DBUS_DICT_ENTRY_BEGIN_CHAR)
++ {
++ result = DBUS_INVALID_DICT_ENTRY_ENDED_BUT_NOT_STARTED;
++ goto out;
++ }
++
+
dict_entry_depth -= 1;
++ opened_brackets[struct_depth + dict_entry_depth] = '\0';
+
+ element_count =
+ _DBUS_POINTER_TO_INT (_dbus_list_pop_last (&element_count_stack));
+--
+GitLab
+
diff --git a/dbus.spec b/dbus.spec
index 05a4724..dd7bc67 100644
--- a/dbus.spec
+++ b/dbus.spec
@@ -23,7 +23,7 @@ Name: dbus Epoch: 1 Version: 1.12.20
-Release: 6%{?dist}
+Release: 7%{?dist}
 Summary: D-BUS message bus # The effective license of the majority of the package, including the shared
@@ -43,6 +43,8 @@ Source6: dbus.user.socket Source7: dbus-daemon.user.service Source8: dbus-systemd-sysusers.conf Patch0: 0001-tools-Use-Python3-for-GetAllMatchRules.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2133647
+Patch1: dbus-1.12.20-CVE-2022-42010.patch
 BuildRequires: autoconf-archive BuildRequires: libtool
@@ -448,6 +450,9 @@ systemctl --no-reload --global preset dbus-daemon.service &>/dev/null || : %changelog
+* Tue Oct 18 2022 David King - 1:1.12.20-7
+- Fix CVE-2022-42010 (#2133647)
+
 * Wed Aug 17 2022 David King - 1:1.12.20-6 - Override upstream sysusers.d confguration (#2118226)
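Review bot: Every read and write of `opened_brackets` at `struct_depth + dict_entry_depth - 1` is guarded only by `_dbus_assert`, which the embedded commit message describes as disabled in production builds, so in those builds the index is kept in range solely by the per-type depth limits earlier in each `case`. Those limit checks are outside the hunks (only their `goto out;` tails are visible as context), so the sizing `DBUS_MAXIMUM_TYPE_RECURSION_DEPTH * 2 + 1` should be confirmed against the full function. I would document the dependency on the declaration, e.g. `/* one slot per open '(' or '{'; relies on struct_depth and dict_entry_depth each being limited to DBUS_MAXIMUM_TYPE_RECURSION_DEPTH */`. The two `if (last_bracket != ...)` branches also reuse the `..._ENDED_BUT_NOT_STARTED` reason codes for a bracket that was opened but closed out of order; a short comment at each would keep a reader from taking them for a duplicate of the earlier check.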
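Review bot: `Patch1:` is declared in the second dbus.spec hunk, but the commit adds no `%patch` line for it: the diffstat totals leave six insertions for dbus.spec, all accounted for by the Release, comment, Patch1 and changelog lines. The fix therefore reaches the built package only if `%prep` applies every declared patch automatically, for example through `%autosetup` or `%autopatch`; `%prep` is outside the hunks, so that should be confirmed in the full spec. If patches are applied individually there, a matching `%patch1 -p1` line is needed, otherwise release 1.12.20-7 would be built with the CVE-2022-42010 fix listed but not applied.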