import dbus-1.12.8-11.el8
This commit is contained in:
parent
fa816fab82
commit
c16855a1cf
74
SOURCES/dbus-1.12.8-fix-CVE-2020-12049.patch
Normal file
74
SOURCES/dbus-1.12.8-fix-CVE-2020-12049.patch
Normal file
@ -0,0 +1,74 @@
|
|||||||
|
From 872b085f12f56da25a2dbd9bd0b2dff31d5aea63 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Simon McVittie <smcv@collabora.com>
|
||||||
|
Date: Thu, 16 Apr 2020 14:45:11 +0100
|
||||||
|
Subject: [PATCH] sysdeps-unix: On MSG_CTRUNC, close the fds we did receive
|
||||||
|
|
||||||
|
MSG_CTRUNC indicates that we have received fewer fds that we should
|
||||||
|
have done because the buffer was too small, but we were treating it
|
||||||
|
as though it indicated that we received *no* fds. If we received any,
|
||||||
|
we still have to make sure we close them, otherwise they will be leaked.
|
||||||
|
|
||||||
|
On the system bus, if an attacker can induce us to leak fds in this
|
||||||
|
way, that's a local denial of service via resource exhaustion.
|
||||||
|
|
||||||
|
Reported-by: Kevin Backhouse, GitHub Security Lab
|
||||||
|
Fixes: dbus#294
|
||||||
|
Fixes: CVE-2020-12049
|
||||||
|
Fixes: GHSL-2020-057
|
||||||
|
---
|
||||||
|
dbus/dbus-sysdeps-unix.c | 32 ++++++++++++++++++++------------
|
||||||
|
1 file changed, 20 insertions(+), 12 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/dbus/dbus-sysdeps-unix.c b/dbus/dbus-sysdeps-unix.c
|
||||||
|
index b5fc24663..b176dae1a 100644
|
||||||
|
--- a/dbus/dbus-sysdeps-unix.c
|
||||||
|
+++ b/dbus/dbus-sysdeps-unix.c
|
||||||
|
@@ -435,18 +435,6 @@ _dbus_read_socket_with_unix_fds (DBusSocket fd,
|
||||||
|
struct cmsghdr *cm;
|
||||||
|
dbus_bool_t found = FALSE;
|
||||||
|
|
||||||
|
- if (m.msg_flags & MSG_CTRUNC)
|
||||||
|
- {
|
||||||
|
- /* Hmm, apparently the control data was truncated. The bad
|
||||||
|
- thing is that we might have completely lost a couple of fds
|
||||||
|
- without chance to recover them. Hence let's treat this as a
|
||||||
|
- serious error. */
|
||||||
|
-
|
||||||
|
- errno = ENOSPC;
|
||||||
|
- _dbus_string_set_length (buffer, start);
|
||||||
|
- return -1;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
for (cm = CMSG_FIRSTHDR(&m); cm; cm = CMSG_NXTHDR(&m, cm))
|
||||||
|
if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_RIGHTS)
|
||||||
|
{
|
||||||
|
@@ -501,6 +489,26 @@ _dbus_read_socket_with_unix_fds (DBusSocket fd,
|
||||||
|
if (!found)
|
||||||
|
*n_fds = 0;
|
||||||
|
|
||||||
|
+ if (m.msg_flags & MSG_CTRUNC)
|
||||||
|
+ {
|
||||||
|
+ unsigned int i;
|
||||||
|
+
|
||||||
|
+ /* Hmm, apparently the control data was truncated. The bad
|
||||||
|
+ thing is that we might have completely lost a couple of fds
|
||||||
|
+ without chance to recover them. Hence let's treat this as a
|
||||||
|
+ serious error. */
|
||||||
|
+
|
||||||
|
+ /* We still need to close whatever fds we *did* receive,
|
||||||
|
+ * otherwise they'll never get closed. (CVE-2020-12049) */
|
||||||
|
+ for (i = 0; i < *n_fds; i++)
|
||||||
|
+ close (fds[i]);
|
||||||
|
+
|
||||||
|
+ *n_fds = 0;
|
||||||
|
+ errno = ENOSPC;
|
||||||
|
+ _dbus_string_set_length (buffer, start);
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
/* put length back (doesn't actually realloc) */
|
||||||
|
_dbus_string_set_length (buffer, start + bytes_read);
|
||||||
|
|
||||||
|
--
|
||||||
|
GitLab
|
||||||
|
|
@ -19,7 +19,7 @@
|
|||||||
Name: dbus
|
Name: dbus
|
||||||
Epoch: 1
|
Epoch: 1
|
||||||
Version: 1.12.8
|
Version: 1.12.8
|
||||||
Release: 9%{?dist}
|
Release: 11%{?dist}
|
||||||
Summary: D-BUS message bus
|
Summary: D-BUS message bus
|
||||||
|
|
||||||
Group: System Environment/Libraries
|
Group: System Environment/Libraries
|
||||||
@ -33,6 +33,8 @@ Source1: 00-start-message-bus.sh
|
|||||||
Patch0: 0001-tools-Use-Python3-for-GetAllMatchRules.patch
|
Patch0: 0001-tools-Use-Python3-for-GetAllMatchRules.patch
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1725570
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1725570
|
||||||
Patch1: dbus-1.12.8-fix-CVE-2019-12749.patch
|
Patch1: dbus-1.12.8-fix-CVE-2019-12749.patch
|
||||||
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1851997
|
||||||
|
Patch2: dbus-1.12.8-fix-CVE-2020-12049.patch
|
||||||
|
|
||||||
BuildRequires: autoconf-archive
|
BuildRequires: autoconf-archive
|
||||||
BuildRequires: libtool
|
BuildRequires: libtool
|
||||||
@ -214,6 +216,7 @@ ln -s dbus.service %{buildroot}%{_unitdir}/messagebus.service
|
|||||||
## %find_lang %{gettext_package}
|
## %find_lang %{gettext_package}
|
||||||
|
|
||||||
install --directory %{buildroot}/var/lib/dbus
|
install --directory %{buildroot}/var/lib/dbus
|
||||||
|
install --directory %{buildroot}/run/dbus
|
||||||
|
|
||||||
install -pm 644 -t %{buildroot}%{_pkgdocdir} \
|
install -pm 644 -t %{buildroot}%{_pkgdocdir} \
|
||||||
doc/introspect.dtd doc/introspect.xsl doc/system-activation.txt
|
doc/introspect.dtd doc/introspect.xsl doc/system-activation.txt
|
||||||
@ -396,6 +399,12 @@ popd
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Jun 30 2020 David King <dking@redhat.com> - 1:1.12.8-11
|
||||||
|
- Fix CVE-2020-12049 (#1851997)
|
||||||
|
|
||||||
|
* Mon Apr 06 2020 David King <dking@redhat.com> - 1:1.12.8-10
|
||||||
|
- Improve permissions on ghosted /run/dbus (#1797833)
|
||||||
|
|
||||||
* Thu Aug 01 2019 David King <dking@redhat.com> - 1:1.12.8-9
|
* Thu Aug 01 2019 David King <dking@redhat.com> - 1:1.12.8-9
|
||||||
- Ensure that patches are applied (#1725570)
|
- Ensure that patches are applied (#1725570)
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user