import dbus-1.12.8-11.el8

This commit is contained in:
CentOS Sources 2020-07-28 06:57:32 -04:00 committed by Stepan Oksanichenko
parent fa816fab82
commit c16855a1cf
2 changed files with 84 additions and 1 deletions

View File

@ -0,0 +1,74 @@
From 872b085f12f56da25a2dbd9bd0b2dff31d5aea63 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Thu, 16 Apr 2020 14:45:11 +0100
Subject: [PATCH] sysdeps-unix: On MSG_CTRUNC, close the fds we did receive
MSG_CTRUNC indicates that we have received fewer fds that we should
have done because the buffer was too small, but we were treating it
as though it indicated that we received *no* fds. If we received any,
we still have to make sure we close them, otherwise they will be leaked.
On the system bus, if an attacker can induce us to leak fds in this
way, that's a local denial of service via resource exhaustion.
Reported-by: Kevin Backhouse, GitHub Security Lab
Fixes: dbus#294
Fixes: CVE-2020-12049
Fixes: GHSL-2020-057
---
dbus/dbus-sysdeps-unix.c | 32 ++++++++++++++++++++------------
1 file changed, 20 insertions(+), 12 deletions(-)
diff --git a/dbus/dbus-sysdeps-unix.c b/dbus/dbus-sysdeps-unix.c
index b5fc24663..b176dae1a 100644
--- a/dbus/dbus-sysdeps-unix.c
+++ b/dbus/dbus-sysdeps-unix.c
@@ -435,18 +435,6 @@ _dbus_read_socket_with_unix_fds (DBusSocket fd,
struct cmsghdr *cm;
dbus_bool_t found = FALSE;
- if (m.msg_flags & MSG_CTRUNC)
- {
- /* Hmm, apparently the control data was truncated. The bad
- thing is that we might have completely lost a couple of fds
- without chance to recover them. Hence let's treat this as a
- serious error. */
-
- errno = ENOSPC;
- _dbus_string_set_length (buffer, start);
- return -1;
- }
-
for (cm = CMSG_FIRSTHDR(&m); cm; cm = CMSG_NXTHDR(&m, cm))
if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_RIGHTS)
{
@@ -501,6 +489,26 @@ _dbus_read_socket_with_unix_fds (DBusSocket fd,
if (!found)
*n_fds = 0;
+ if (m.msg_flags & MSG_CTRUNC)
+ {
+ unsigned int i;
+
+ /* Hmm, apparently the control data was truncated. The bad
+ thing is that we might have completely lost a couple of fds
+ without chance to recover them. Hence let's treat this as a
+ serious error. */
+
+ /* We still need to close whatever fds we *did* receive,
+ * otherwise they'll never get closed. (CVE-2020-12049) */
+ for (i = 0; i < *n_fds; i++)
+ close (fds[i]);
+
+ *n_fds = 0;
+ errno = ENOSPC;
+ _dbus_string_set_length (buffer, start);
+ return -1;
+ }
+
/* put length back (doesn't actually realloc) */
_dbus_string_set_length (buffer, start + bytes_read);
--
GitLab

View File

@ -19,7 +19,7 @@
Name: dbus Name: dbus
Epoch: 1 Epoch: 1
Version: 1.12.8 Version: 1.12.8
Release: 9%{?dist} Release: 11%{?dist}
Summary: D-BUS message bus Summary: D-BUS message bus
Group: System Environment/Libraries Group: System Environment/Libraries
@ -33,6 +33,8 @@ Source1: 00-start-message-bus.sh
Patch0: 0001-tools-Use-Python3-for-GetAllMatchRules.patch Patch0: 0001-tools-Use-Python3-for-GetAllMatchRules.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1725570 # https://bugzilla.redhat.com/show_bug.cgi?id=1725570
Patch1: dbus-1.12.8-fix-CVE-2019-12749.patch Patch1: dbus-1.12.8-fix-CVE-2019-12749.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1851997
Patch2: dbus-1.12.8-fix-CVE-2020-12049.patch
BuildRequires: autoconf-archive BuildRequires: autoconf-archive
BuildRequires: libtool BuildRequires: libtool
@ -214,6 +216,7 @@ ln -s dbus.service %{buildroot}%{_unitdir}/messagebus.service
## %find_lang %{gettext_package} ## %find_lang %{gettext_package}
install --directory %{buildroot}/var/lib/dbus install --directory %{buildroot}/var/lib/dbus
install --directory %{buildroot}/run/dbus
install -pm 644 -t %{buildroot}%{_pkgdocdir} \ install -pm 644 -t %{buildroot}%{_pkgdocdir} \
doc/introspect.dtd doc/introspect.xsl doc/system-activation.txt doc/introspect.dtd doc/introspect.xsl doc/system-activation.txt
@ -396,6 +399,12 @@ popd
%changelog %changelog
* Tue Jun 30 2020 David King <dking@redhat.com> - 1:1.12.8-11
- Fix CVE-2020-12049 (#1851997)
* Mon Apr 06 2020 David King <dking@redhat.com> - 1:1.12.8-10
- Improve permissions on ghosted /run/dbus (#1797833)
* Thu Aug 01 2019 David King <dking@redhat.com> - 1:1.12.8-9 * Thu Aug 01 2019 David King <dking@redhat.com> - 1:1.12.8-9
- Ensure that patches are applied (#1725570) - Ensure that patches are applied (#1725570)