SOURCES/dbus-1.12.8-fix-CVE-2023-34969.patch

@@ -1,337 +0,0 @@
-From 3a1b1e9a4010e581e2e940e61d37c4f617eb5eff Mon Sep 17 00:00:00 2001
-From: Simon McVittie <smcv@collabora.com>
-Date: Mon, 5 Jun 2023 17:56:33 +0100
-Subject: [PATCH 1/3] monitor test: Log the messages that we monitored
-
-This is helpful while debugging test failures.
-
-Helps: dbus/dbus#457
-Signed-off-by: Simon McVittie <smcv@collabora.com>
-(cherry picked from commit 8ee5d3e04420975107c27073b50f8758871a998b)
----
- test/monitor.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/test/monitor.c b/test/monitor.c
-index df5a7180..182110f8 100644
---- a/test/monitor.c
-+++ b/test/monitor.c
-@@ -196,6 +196,10 @@ _log_message (DBusMessage *m,
-       not_null (dbus_message_get_signature (m)));
-   g_test_message ("\terror name: %s",
-       not_null (dbus_message_get_error_name (m)));
-+  g_test_message ("\tserial number: %u",
-+      dbus_message_get_serial (m));
-+  g_test_message ("\tin reply to: %u",
-+      dbus_message_get_reply_serial (m));
- 
-   if (strcmp ("s", dbus_message_get_signature (m)) == 0)
-     {
-@@ -339,6 +343,9 @@ monitor_filter (DBusConnection *connection,
- {
-   Fixture *f = user_data;
- 
-+  g_test_message ("Monitor received message:");
-+  log_message (message);
-+
-   g_assert_cmpstr (dbus_message_get_interface (message), !=,
-       "com.example.Tedious");
- 
--- 
-2.41.0
-
-
-From 37a4dc5835731a1f7a81f1b67c45b8dfb556dd1c Mon Sep 17 00:00:00 2001
-From: hongjinghao <q1204531485@163.com>
-Date: Mon, 5 Jun 2023 18:17:06 +0100
-Subject: [PATCH 2/3] bus: Assign a serial number for messages from the driver
-
-Normally, it's enough to rely on a message being given a serial number
-by the DBusConnection just before it is actually sent. However, in the
-rare case where the policy blocks the driver from sending a message
-(due to a deny rule or the outgoing message quota being full), we need
-to get a valid serial number sooner, so that we can copy it into the
-DBUS_HEADER_FIELD_REPLY_SERIAL field (which is mandatory) in the error
-message sent to monitors. Otherwise, the dbus-daemon will crash with
-an assertion failure if at least one Monitoring client is attached,
-because zero is not a valid serial number to copy.
-
-This fixes a denial-of-service vulnerability: if a privileged user is
-monitoring the well-known system bus using a Monitoring client like
-dbus-monitor or `busctl monitor`, then an unprivileged user can cause
-denial-of-service by triggering this crash. A mitigation for this
-vulnerability is to avoid attaching Monitoring clients to the system
-bus when they are not needed. If there are no Monitoring clients, then
-the vulnerable code is not reached.
-
-Co-authored-by: Simon McVittie <smcv@collabora.com>
-Resolves: dbus/dbus#457
-(cherry picked from commit b159849e031000d1dbc1ab876b5fc78a3ce9b534)
----
- bus/connection.c                | 15 +++++++++++++++
- dbus/dbus-connection-internal.h |  2 ++
- dbus/dbus-connection.c          | 11 ++++++++++-
- 3 files changed, 27 insertions(+), 1 deletion(-)
-
-diff --git a/bus/connection.c b/bus/connection.c
-index b3583433..215f0230 100644
---- a/bus/connection.c
-+++ b/bus/connection.c
-@@ -2350,6 +2350,21 @@ bus_transaction_send_from_driver (BusTransaction *transaction,
-   if (!dbus_message_set_sender (message, DBUS_SERVICE_DBUS))
-     return FALSE;
- 
-+  /* Make sure the message has a non-zero serial number, otherwise
-+   * bus_transaction_capture_error_reply() will not be able to mock up
-+   * a corresponding reply for it. Normally this would be delayed until
-+   * the first time we actually send the message out from a
-+   * connection, when the transaction is committed, but that's too late
-+   * in this case.
-+   */
-+  if (dbus_message_get_serial (message) == 0)
-+    {
-+      dbus_uint32_t next_serial;
-+
-+      next_serial = _dbus_connection_get_next_client_serial (connection);
-+      dbus_message_set_serial (message, next_serial);
-+    }
-+
-   if (bus_connection_is_active (connection))
-     {
-       if (!dbus_message_set_destination (message,
-diff --git a/dbus/dbus-connection-internal.h b/dbus/dbus-connection-internal.h
-index 48357321..ba79b192 100644
---- a/dbus/dbus-connection-internal.h
-+++ b/dbus/dbus-connection-internal.h
-@@ -54,6 +54,8 @@ DBUS_PRIVATE_EXPORT
- DBusConnection *  _dbus_connection_ref_unlocked                (DBusConnection     *connection);
- DBUS_PRIVATE_EXPORT
- void              _dbus_connection_unref_unlocked              (DBusConnection     *connection);
-+DBUS_PRIVATE_EXPORT
-+dbus_uint32_t     _dbus_connection_get_next_client_serial      (DBusConnection *connection);
- void              _dbus_connection_queue_received_message_link (DBusConnection     *connection,
-                                                                 DBusList           *link);
- dbus_bool_t       _dbus_connection_has_messages_to_send_unlocked (DBusConnection     *connection);
-diff --git a/dbus/dbus-connection.c b/dbus/dbus-connection.c
-index c525b6dc..09cef278 100644
---- a/dbus/dbus-connection.c
-+++ b/dbus/dbus-connection.c
-@@ -1456,7 +1456,16 @@ _dbus_connection_unref_unlocked (DBusConnection *connection)
-     _dbus_connection_last_unref (connection);
- }
- 
--static dbus_uint32_t
-+/**
-+ * Allocate and return the next non-zero serial number for outgoing messages.
-+ *
-+ * This method is only valid to call from single-threaded code, such as
-+ * the dbus-daemon, or with the connection lock held.
-+ *
-+ * @param connection the connection
-+ * @returns A suitable serial number for the next message to be sent on the connection.
-+ */
-+dbus_uint32_t
- _dbus_connection_get_next_client_serial (DBusConnection *connection)
- {
-   dbus_uint32_t serial;
--- 
-2.41.0
-
-
-From 2c699f6ba9c162878c69d0728298c1ab7308db72 Mon Sep 17 00:00:00 2001
-From: Simon McVittie <smcv@collabora.com>
-Date: Mon, 5 Jun 2023 18:51:22 +0100
-Subject: [PATCH 3/3] monitor test: Reproduce dbus/dbus#457
-
-The exact failure mode reported in dbus/dbus#457 is quite difficult
-to achieve in a reliable way in a unit test, because we'd have to send
-enough messages to a client to fill up its queue, then stop that client
-from draining its queue, while still triggering a message that gets a
-reply from the bus driver. However, we can trigger the same crash in a
-slightly different way by not allowing the client to receive a
-particular message. I chose NameAcquired.
-
-Signed-off-by: Simon McVittie <smcv@collabora.com>
-(cherry picked from commit 986611ad0f7f67a3693e5672cd66bc608c00b228)
----
- .../valid-config-files/forbidding.conf.in     |  3 +
- test/monitor.c                                | 77 ++++++++++++++++---
- 2 files changed, 71 insertions(+), 9 deletions(-)
-
-diff --git a/test/data/valid-config-files/forbidding.conf.in b/test/data/valid-config-files/forbidding.conf.in
-index d145613c..58b3cc6a 100644
---- a/test/data/valid-config-files/forbidding.conf.in
-+++ b/test/data/valid-config-files/forbidding.conf.in
-@@ -24,5 +24,8 @@
-     <allow send_interface="com.example.CannotUnicast2" send_broadcast="true"/>
- 
-     <deny receive_interface="com.example.CannotReceive"/>
-+
-+    <!-- Used to reproduce dbus#457 -->
-+    <deny receive_interface="org.freedesktop.DBus" receive_member="NameAcquired"/>
-   </policy>
- </busconfig>
-diff --git a/test/monitor.c b/test/monitor.c
-index 182110f8..42e0734d 100644
---- a/test/monitor.c
-+++ b/test/monitor.c
-@@ -155,6 +155,21 @@ static Config side_effects_config = {
-     TRUE
- };
- 
-+static dbus_bool_t
-+config_forbids_name_acquired_signal (const Config *config)
-+{
-+  if (config == NULL)
-+    return FALSE;
-+
-+  if (config->config_file == NULL)
-+    return FALSE;
-+
-+  if (strcmp (config->config_file, forbidding_config.config_file) == 0)
-+    return TRUE;
-+
-+  return FALSE;
-+}
-+
- static inline const char *
- not_null2 (const char *x,
-     const char *fallback)
-@@ -253,9 +268,6 @@ do { \
- 
- #define assert_name_acquired(m) \
- do { \
--  DBusError _e = DBUS_ERROR_INIT; \
--  const char *_s; \
--    \
-   g_assert_cmpstr (dbus_message_type_to_string (dbus_message_get_type (m)), \
-       ==, dbus_message_type_to_string (DBUS_MESSAGE_TYPE_SIGNAL)); \
-   g_assert_cmpstr (dbus_message_get_sender (m), ==, DBUS_SERVICE_DBUS); \
-@@ -265,7 +277,14 @@ do { \
-   g_assert_cmpstr (dbus_message_get_signature (m), ==, "s"); \
-   g_assert_cmpint (dbus_message_get_serial (m), !=, 0); \
-   g_assert_cmpint (dbus_message_get_reply_serial (m), ==, 0); \
-+} while (0)
-+
-+#define assert_unique_name_acquired(m) \
-+do { \
-+  DBusError _e = DBUS_ERROR_INIT; \
-+  const char *_s; \
-     \
-+  assert_name_acquired (m); \
-   dbus_message_get_args (m, &_e, \
-         DBUS_TYPE_STRING, &_s, \
-         DBUS_TYPE_INVALID); \
-@@ -333,6 +352,21 @@ do { \
-   g_assert_cmpint (dbus_message_get_reply_serial (m), !=, 0); \
- } while (0)
- 
-+/* forbidding.conf does not allow receiving NameAcquired, so if we are in
-+ * that configuration, then dbus-daemon synthesizes an error reply to itself
-+ * and sends that to monitors */
-+#define expect_name_acquired_error(queue, in_reply_to) \
-+do { \
-+  DBusMessage *message; \
-+  \
-+  message = g_queue_pop_head (queue); \
-+  assert_error_reply (message, DBUS_SERVICE_DBUS, DBUS_SERVICE_DBUS, \
-+                      DBUS_ERROR_ACCESS_DENIED); \
-+  g_assert_cmpint (dbus_message_get_reply_serial (message), ==, \
-+                   dbus_message_get_serial (in_reply_to)); \
-+  dbus_message_unref (message); \
-+} while (0)
-+
- /* This is called after processing pending replies to our own method
-  * calls, but before anything else.
-  */
-@@ -797,6 +831,11 @@ test_become_monitor (Fixture *f,
-   test_assert_no_error (&f->e);
-   g_assert_cmpint (ret, ==, DBUS_REQUEST_NAME_REPLY_PRIMARY_OWNER);
- 
-+  /* If the policy forbids receiving NameAcquired, then we'll never
-+   * receive it, so behave as though we had */
-+  if (config_forbids_name_acquired_signal (f->config))
-+    got_unique = got_a = got_b = got_c = TRUE;
-+
-   while (!got_unique || !got_a || !got_b || !got_c)
-     {
-       if (g_queue_is_empty (&f->monitored))
-@@ -1448,6 +1487,7 @@ test_dbus_daemon (Fixture *f,
- {
-   DBusMessage *m;
-   int res;
-+  size_t n_expected;
- 
-   if (f->address == NULL)
-     return;
-@@ -1463,7 +1503,12 @@ test_dbus_daemon (Fixture *f,
-   test_assert_no_error (&f->e);
-   g_assert_cmpint (res, ==, DBUS_RELEASE_NAME_REPLY_RELEASED);
- 
--  while (g_queue_get_length (&f->monitored) < 8)
-+  n_expected = 8;
-+
-+  if (config_forbids_name_acquired_signal (context))
-+    n_expected += 1;
-+
-+  while (g_queue_get_length (&f->monitored) < n_expected)
-     test_main_context_iterate (f->ctx, TRUE);
- 
-   m = g_queue_pop_head (&f->monitored);
-@@ -1476,10 +1521,12 @@ test_dbus_daemon (Fixture *f,
-       "NameOwnerChanged", "sss", NULL);
-   dbus_message_unref (m);
- 
--  /* FIXME: should we get this? */
-   m = g_queue_pop_head (&f->monitored);
--  assert_signal (m, DBUS_SERVICE_DBUS, DBUS_PATH_DBUS, DBUS_INTERFACE_DBUS,
--      "NameAcquired", "s", f->sender_name);
-+  assert_name_acquired (m);
-+
-+  if (config_forbids_name_acquired_signal (f->config))
-+    expect_name_acquired_error (&f->monitored, m);
-+
-   dbus_message_unref (m);
- 
-   m = g_queue_pop_head (&f->monitored);
-@@ -1701,8 +1748,14 @@ static void
- expect_new_connection (Fixture *f)
- {
-   DBusMessage *m;
-+  size_t n_expected;
- 
--  while (g_queue_get_length (&f->monitored) < 4)
-+  n_expected = 4;
-+
-+  if (config_forbids_name_acquired_signal (f->config))
-+    n_expected += 1;
-+
-+  while (g_queue_get_length (&f->monitored) < n_expected)
-     test_main_context_iterate (f->ctx, TRUE);
- 
-   m = g_queue_pop_head (&f->monitored);
-@@ -1719,7 +1772,11 @@ expect_new_connection (Fixture *f)
-   dbus_message_unref (m);
- 
-   m = g_queue_pop_head (&f->monitored);
--  assert_name_acquired (m);
-+  assert_unique_name_acquired (m);
-+
-+  if (config_forbids_name_acquired_signal (f->config))
-+    expect_name_acquired_error (&f->monitored, m);
-+
-   dbus_message_unref (m);
- }
- 
-@@ -2044,6 +2101,8 @@ main (int argc,
-       setup, test_method_call, teardown);
-   g_test_add ("/monitor/forbidden-method", Fixture, &forbidding_config,
-       setup, test_forbidden_method_call, teardown);
-+  g_test_add ("/monitor/forbidden-reply", Fixture, &forbidding_config,
-+      setup, test_dbus_daemon, teardown);
-   g_test_add ("/monitor/dbus-daemon", Fixture, NULL,
-       setup, test_dbus_daemon, teardown);
-   g_test_add ("/monitor/selective", Fixture, &selective_config,
--- 
-2.41.0
-

SOURCES/dbus-1.20.8-CVE-2022-42010.patch

@@ -1,116 +0,0 @@
-From 8f382ee405ec68850866298ba0574f12e261a6fa Mon Sep 17 00:00:00 2001
-From: Simon McVittie <smcv@collabora.com>
-Date: Tue, 13 Sep 2022 15:10:22 +0100
-Subject: [PATCH] dbus-marshal-validate: Check brackets in signature nest
- correctly
-
-In debug builds with assertions enabled, a signature with incorrectly
-nested `()` and `{}`, for example `a{i(u}` or `(a{ii)}`, could result
-in an assertion failure.
-
-In production builds without assertions enabled, a signature with
-incorrectly nested `()` and `{}` could potentially result in a crash
-or incorrect message parsing, although we do not have a concrete example
-of either of these failure modes.
-
-Thanks: Evgeny Vereshchagin
-Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/418
-Resolves: CVE-2022-42010
-Signed-off-by: Simon McVittie <smcv@collabora.com>
-(cherry picked from commit 9d07424e9011e3bbe535e83043d335f3093d2916)
-(cherry picked from commit 3e53a785dee8d1432156188a2c4260e4cbc78c4d)
----
- dbus/dbus-marshal-validate.c | 38 +++++++++++++++++++++++++++++++++++-
- 1 file changed, 37 insertions(+), 1 deletion(-)
-
-diff --git a/dbus/dbus-marshal-validate.c b/dbus/dbus-marshal-validate.c
-index 4d492f3f3..ae68414dd 100644
---- a/dbus/dbus-marshal-validate.c
-+++ b/dbus/dbus-marshal-validate.c
-@@ -62,6 +62,8 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
- 
-   int element_count;
-   DBusList *element_count_stack;
-+  char opened_brackets[DBUS_MAXIMUM_TYPE_RECURSION_DEPTH * 2 + 1] = { '\0' };
-+  char last_bracket;
- 
-   result = DBUS_VALID;
-   element_count_stack = NULL;
-@@ -93,6 +95,10 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
- 
-   while (p != end)
-     {
-+      _dbus_assert (struct_depth + dict_entry_depth >= 0);
-+      _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets));
-+      _dbus_assert (opened_brackets[struct_depth + dict_entry_depth] == '\0');
-+
-       switch (*p)
-         {
-         case DBUS_TYPE_BYTE:
-@@ -136,6 +142,10 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
-               goto out;
-             }
- 
-+          _dbus_assert (struct_depth + dict_entry_depth >= 1);
-+          _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets));
-+          _dbus_assert (opened_brackets[struct_depth + dict_entry_depth - 1] == '\0');
-+          opened_brackets[struct_depth + dict_entry_depth - 1] = DBUS_STRUCT_BEGIN_CHAR;
-           break;
- 
-         case DBUS_STRUCT_END_CHAR:
-@@ -151,9 +161,20 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
-               goto out;
-             }
- 
-+          _dbus_assert (struct_depth + dict_entry_depth >= 1);
-+          _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets));
-+          last_bracket = opened_brackets[struct_depth + dict_entry_depth - 1];
-+
-+          if (last_bracket != DBUS_STRUCT_BEGIN_CHAR)
-+            {
-+              result = DBUS_INVALID_STRUCT_ENDED_BUT_NOT_STARTED;
-+              goto out;
-+            }
-+
-           _dbus_list_pop_last (&element_count_stack);
- 
-           struct_depth -= 1;
-+          opened_brackets[struct_depth + dict_entry_depth] = '\0';
-           break;
- 
-         case DBUS_DICT_ENTRY_BEGIN_CHAR:
-@@ -178,6 +199,10 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
-               goto out;
-             }
- 
-+          _dbus_assert (struct_depth + dict_entry_depth >= 1);
-+          _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets));
-+          _dbus_assert (opened_brackets[struct_depth + dict_entry_depth - 1] == '\0');
-+          opened_brackets[struct_depth + dict_entry_depth - 1] = DBUS_DICT_ENTRY_BEGIN_CHAR;
-           break;
- 
-         case DBUS_DICT_ENTRY_END_CHAR:
-@@ -186,8 +211,19 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
-               result = DBUS_INVALID_DICT_ENTRY_ENDED_BUT_NOT_STARTED;
-               goto out;
-             }
--            
-+
-+          _dbus_assert (struct_depth + dict_entry_depth >= 1);
-+          _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets));
-+          last_bracket = opened_brackets[struct_depth + dict_entry_depth - 1];
-+
-+          if (last_bracket != DBUS_DICT_ENTRY_BEGIN_CHAR)
-+            {
-+              result = DBUS_INVALID_DICT_ENTRY_ENDED_BUT_NOT_STARTED;
-+              goto out;
-+            }
-+
-           dict_entry_depth -= 1;
-+          opened_brackets[struct_depth + dict_entry_depth] = '\0';
- 
-           element_count = 
-             _DBUS_POINTER_TO_INT (_dbus_list_pop_last (&element_count_stack));
--- 
-GitLab
-

SOURCES/dbus-1.20.8-CVE-2022-42011.patch

@@ -1,57 +0,0 @@
-From 3b8a7aff228770f4f7b478db606b10cceacea875 Mon Sep 17 00:00:00 2001
-From: Simon McVittie <smcv@collabora.com>
-Date: Mon, 12 Sep 2022 13:14:18 +0100
-Subject: [PATCH] dbus-marshal-validate: Validate length of arrays of
- fixed-length items
-
-This fast-path previously did not check that the array was made up
-of an integer number of items. This could lead to assertion failures
-and out-of-bounds accesses during subsequent message processing (which
-assumes that the message has already been validated), particularly after
-the addition of _dbus_header_remove_unknown_fields(), which makes it
-more likely that dbus-daemon will apply non-trivial edits to messages.
-
-Thanks: Evgeny Vereshchagin
-Fixes: e61f13cf "Bug 18064 - more efficient validation for fixed-size type arrays"
-Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/413
-Resolves: CVE-2022-42011
-Signed-off-by: Simon McVittie <smcv@collabora.com>
-(cherry picked from commit 079bbf16186e87fb0157adf8951f19864bc2ed69)
-(cherry picked from commit b9e6a7523085a2cfceaffca7ba1ab4251f12a984)
----
- dbus/dbus-marshal-validate.c | 13 ++++++++++++-
- 1 file changed, 12 insertions(+), 1 deletion(-)
-
-diff --git a/dbus/dbus-marshal-validate.c b/dbus/dbus-marshal-validate.c
-index ae68414dd..7d0d6cf72 100644
---- a/dbus/dbus-marshal-validate.c
-+++ b/dbus/dbus-marshal-validate.c
-@@ -503,13 +503,24 @@ validate_body_helper (DBusTypeReader       *reader,
-                  */ 
-                 if (dbus_type_is_fixed (array_elem_type))
-                   {
-+                    /* Note that fixed-size types all have sizes equal to
-+                     * their alignments, so this is really the item size. */
-+                    alignment = _dbus_type_get_alignment (array_elem_type);
-+                    _dbus_assert (alignment == 1 || alignment == 2 ||
-+                                  alignment == 4 || alignment == 8);
-+
-+                    /* Because the alignment is a power of 2, this is
-+                     * equivalent to: (claimed_len % alignment) != 0,
-+                     * but avoids slower integer division */
-+                    if ((claimed_len & (alignment - 1)) != 0)
-+                      return DBUS_INVALID_ARRAY_LENGTH_INCORRECT;
-+
-                     /* bools need to be handled differently, because they can
-                      * have an invalid value
-                      */
-                     if (array_elem_type == DBUS_TYPE_BOOLEAN)
-                       {
-                         dbus_uint32_t v;
--                        alignment = _dbus_type_get_alignment (array_elem_type);
- 
-                         while (p < array_end)
-                           {
--- 
-GitLab
-

SOURCES/dbus-1.20.8-CVE-2022-42012.patch

@@ -1,73 +0,0 @@
-From 51a5bbf9074855b0f4a353ed309938b196c13525 Mon Sep 17 00:00:00 2001
-From: Simon McVittie <smcv@collabora.com>
-Date: Fri, 30 Sep 2022 13:46:31 +0100
-Subject: [PATCH] dbus-marshal-byteswap: Byte-swap Unix fd indexes if needed
-
-When a D-Bus message includes attached file descriptors, the body of the
-message contains unsigned 32-bit indexes pointing into an out-of-band
-array of file descriptors. Some D-Bus APIs like GLib's GDBus refer to
-these indexes as "handles" for the associated fds (not to be confused
-with a Windows HANDLE, which is a kernel object).
-
-The assertion message removed by this commit is arguably correct up to
-a point: fd-passing is only reasonable on a local machine, and no known
-operating system allows processes of differing endianness even on a
-multi-endian ARM or PowerPC CPU, so it makes little sense for the sender
-to specify a byte-order that differs from the byte-order of the recipient.
-
-However, this doesn't account for the fact that a malicious sender
-doesn't have to restrict itself to only doing things that make sense.
-On a system with untrusted local users, a message sender could crash
-the system dbus-daemon (a denial of service) by sending a message in
-the opposite endianness that contains handles to file descriptors.
-
-Before this commit, if assertions are enabled, attempting to byteswap
-a fd index would cleanly crash the message recipient with an assertion
-failure. If assertions are disabled, attempting to byteswap a fd index
-would silently do nothing without advancing the pointer p, causing the
-message's type and the pointer into its contents to go out of sync, which
-can result in a subsequent crash (the crash demonstrated by fuzzing was
-a use-after-free, but other failure modes might be possible).
-
-In principle we could resolve this by rejecting wrong-endianness messages
-from a local sender, but it's actually simpler and less code to treat
-wrong-endianness messages as valid and byteswap them.
-
-Thanks: Evgeny Vereshchagin
-Fixes: ba7daa60 "unix-fd: add basic marshalling code for unix fds"
-Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/417
-Resolves: CVE-2022-42012
-Signed-off-by: Simon McVittie <smcv@collabora.com>
-(cherry picked from commit 236f16e444e88a984cf12b09225e0f8efa6c5b44)
-(cherry picked from commit 3fb065b0752db1e298e4ada52cf4adc414f5e946)
----
- dbus/dbus-marshal-byteswap.c | 6 +-----
- 1 file changed, 1 insertion(+), 5 deletions(-)
-
-diff --git a/dbus/dbus-marshal-byteswap.c b/dbus/dbus-marshal-byteswap.c
-index 27695aafb..7104e9c63 100644
---- a/dbus/dbus-marshal-byteswap.c
-+++ b/dbus/dbus-marshal-byteswap.c
-@@ -61,6 +61,7 @@ byteswap_body_helper (DBusTypeReader       *reader,
-         case DBUS_TYPE_BOOLEAN:
-         case DBUS_TYPE_INT32:
-         case DBUS_TYPE_UINT32:
-+        case DBUS_TYPE_UNIX_FD:
-           {
-             p = _DBUS_ALIGN_ADDRESS (p, 4);
-             *((dbus_uint32_t*)p) = DBUS_UINT32_SWAP_LE_BE (*((dbus_uint32_t*)p));
-@@ -188,11 +189,6 @@ byteswap_body_helper (DBusTypeReader       *reader,
-           }
-           break;
- 
--        case DBUS_TYPE_UNIX_FD:
--          /* fds can only be passed on a local machine, so byte order must always match */
--          _dbus_assert_not_reached("attempted to byteswap unix fds which makes no sense");
--          break;
--
-         default:
-           _dbus_assert_not_reached ("invalid typecode in supposedly-validated signature");
-           break;
--- 
-GitLab
-

SOURCES/dbus-kill-process-with-session

@@ -1,30 +0,0 @@
-#!/bin/bash
-# This script ensures the dbus-daemon is killed when the session closes.
-# It's used by SSH sessions that have X forwarding (since the X display
-# may outlive the session in those cases)
-[ $# != 1 ] && exit 1
-
-exec >& /dev/null
-
-MONITOR_READY_FILE=$(mktemp dbus-session-monitor.XXXXXX --tmpdir)
-DBUS_SESSIONS="${XDG_RUNTIME_DIR}/dbus-1/sessions"
-DBUS_SESSION_ADDRESS_FILE="${DBUS_SESSIONS}/${XDG_SESSION_ID}"
-
-trap 'rm -f "${MONITOR_READY_FILE}"; rm -f "${DBUS_SESSION_ADDRESS_FILE}"; kill -TERM $1; kill -HUP $(jobs -p)' EXIT
-
-export GVFS_DISABLE_FUSE=1
-coproc SESSION_MONITOR (gio monitor -f "/run/systemd/sessions/${XDG_SESSION_ID}" "${MONITOR_READY_FILE}")
-
-# Poll until the gio monitor command is actively monitoring
-until
-    touch "${MONITOR_READY_FILE}"
-    read -t 0.5 -u ${SESSION_MONITOR[0]}
-do
-    continue
-done
-
-# Block until the session is closed
-while grep -q ^State=active <(loginctl show-session $XDG_SESSION_ID)
-do
-    read -u ${SESSION_MONITOR[0]}
-done

SOURCES/dbus-systemd-sysusers.conf

@@ -1,2 +0,0 @@
-#Type  Name  ID  GECOS                 Home directory  Shell
-u      dbus  81  "System Message Bus"  -               -

SOURCES/ssh-x-forwarding.csh

@@ -1,24 +1,6 @@
 # DBus session bus over SSH with X11 forwarding
 if ( $?SSH_CONNECTION == 0 ) exit
-if ( $?XDG_SESSION_ID == 0) exit
 if ( $?DISPLAY == 0 ) exit
 if ( $SHLVL > 1 ) exit
-
-set DBUS_SESSIONS = "${XDG_RUNTIME_DIR}/dbus-1/sessions"
-set DBUS_SESSION_ADDRESS_FILE = "${DBUS_SESSIONS}/${XDG_SESSION_ID}"
-
-if ( -e "${DBUS_SESSION_ADDRESS_FILE}" ) then
-    setenv DBUS_SESSION_BUS_ADDRESS "`cat ${DBUS_SESSION_ADDRESS_FILE}`"
-    exit
-endif
-
 setenv GDK_BACKEND x11
-
-eval `dbus-launch --csh-syntax`
-
-if ( $?DBUS_SESSION_BUS_PID == 0 ) exit
-
-mkdir -p "${DBUS_SESSIONS}"
-echo "${DBUS_SESSION_BUS_ADDRESS}" > "${DBUS_SESSION_ADDRESS_FILE}"
-
-setsid -f /usr/libexec/dbus-1/dbus-kill-process-with-session $DBUS_SESSION_BUS_PID
+eval `dbus-launch --auto-syntax --exit-with-x11`

SOURCES/ssh-x-forwarding.sh

@@ -1,25 +1,7 @@
 # DBus session bus over SSH with X11 forwarding
 [ -z "$SSH_CONNECTION" ] && return
-[ -z "$XDG_SESSION_ID" ] && return
 [ -z "$DISPLAY" ] && return
-[ "${DISPLAY:0:1}" = ":" ] && return
-[ "$SHLVL" -ne 1 ] && return
+[ "$SHLVL" -gt 1 ] && return
 
-DBUS_SESSIONS="${XDG_RUNTIME_DIR}/dbus-1/sessions"
-DBUS_SESSION_ADDRESS_FILE="${DBUS_SESSIONS}/${XDG_SESSION_ID}"
-
-if [ -e "${DBUS_SESSION_ADDRESS_FILE}" ]; then
-    export DBUS_SESSION_BUS_ADDRESS="$(cat ${DBUS_SESSION_ADDRESS_FILE})"
-    return
-fi
-
-export GDK_BACKEND=x11
-
-eval `dbus-launch --sh-syntax`
-
-[ -z "$DBUS_SESSION_BUS_PID" ] && return
-
-mkdir -p "${DBUS_SESSIONS}"
-echo "${DBUS_SESSION_BUS_ADDRESS}" > "${DBUS_SESSION_ADDRESS_FILE}"
-
-setsid -f /usr/libexec/dbus-1/dbus-kill-process-with-session "$DBUS_SESSION_BUS_PID"
+GDK_BACKEND=x11; export GDK_BACKEND
+eval $(dbus-launch --sh-syntax --exit-with-session)

SPECS/dbus.spec

@@ -19,7 +19,7 @@
 Name:    dbus
 Epoch:   1
 Version: 1.12.8
-Release: 26%{?dist}
+Release: 13%{?dist}
 Summary: D-BUS message bus
 
 Group:   System Environment/Libraries
@@ -32,8 +32,6 @@ Source0: https://dbus.freedesktop.org/releases/%{name}/%{name}-%{version}.tar.gz
 Source1: 00-start-message-bus.sh
 Source2: ssh-x-forwarding.csh
 Source3: ssh-x-forwarding.sh
-Source4: dbus-kill-process-with-session
-Source5: dbus-systemd-sysusers.conf
 Patch0: 0001-tools-Use-Python3-for-GetAllMatchRules.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1725570
 Patch1: dbus-1.12.8-fix-CVE-2019-12749.patch
@@ -41,14 +39,6 @@ Patch1: dbus-1.12.8-fix-CVE-2019-12749.patch
 Patch2: dbus-1.12.8-fix-CVE-2020-12049.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1839753
 Patch3: dbus-1.12.8-fix-fd-limit-change.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=2133645
-Patch4: dbus-1.20.8-CVE-2022-42010.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=2133639
-Patch5: dbus-1.20.8-CVE-2022-42011.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=2133633
-Patch6: dbus-1.20.8-CVE-2022-42012.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=2213400
-Patch7: dbus-1.12.8-fix-CVE-2023-34969.patch
 
 BuildRequires: autoconf-archive
 BuildRequires: libtool
@@ -97,7 +87,6 @@ per-user-login-session messaging facility.
 Summary:        D-BUS message bus configuration
 Group:          System Environment/Libraries
 BuildArch:      noarch
-Requires:       /usr/bin/systemctl
 
 %description common
 The %{name}-common package provides the configuration and setup files for D-Bus
@@ -159,8 +148,6 @@ Summary: X11-requiring add-ons for D-BUS
 Group: Development/Libraries
 # The server package can be a different architecture.
 Requires: %{name}-daemon = %{epoch}:%{version}-%{release}
-# Used by SSH daemon helper script.
-Requires: /usr/bin/gio
 
 %description x11
 D-BUS contains some tools that require Xlib to be installed, those are
@@ -217,13 +204,9 @@ find %{buildroot} -name '*.la' -type f -delete
 rm -rf %{buildroot}%{_libdir}/cmake
 %endif
 
-rm -f %{buildroot}%{_sysusersdir}/dbus.conf
-
 install -Dp -m755 %{SOURCE1} %{buildroot}%{_sysconfdir}/X11/xinit/xinitrc.d/00-start-message-bus.sh
 install -Dp -m644 %{SOURCE2} %{buildroot}%{_sysconfdir}/profile.d/ssh-x-forwarding.csh
 install -p -m644 %{SOURCE3} %{buildroot}%{_sysconfdir}/profile.d/
-install -Dp -m755 %{SOURCE4} %{buildroot}%{_libexecdir}/dbus-1/dbus-kill-process-with-session
-install -Dp -m644 %{SOURCE5} %{buildroot}%{_sysusersdir}/dbus.conf
 
 # Obsolete, but still widely used, for drop-in configuration snippets.
 install --directory %{buildroot}%{_sysconfdir}/dbus-1/session.d
@@ -406,7 +389,6 @@ popd
 
 %files x11
 %{_bindir}/dbus-launch
-%{_libexecdir}/dbus-1/dbus-kill-process-with-session
 %{_mandir}/man1/dbus-launch.1*
 %{_sysconfdir}/profile.d/ssh-x-forwarding.*
 %{_sysconfdir}/X11/xinit/xinitrc.d/00-start-message-bus.sh
@@ -422,55 +404,8 @@ popd
 %{_libdir}/pkgconfig/dbus-1.pc
 %{_includedir}/*
 
+
 %changelog
-* Mon Jun 19 2023 David King <amigadave@amigadave.com> - 1.12.8-26
-- Fix CVE-2023-34969 (#2213400)
-
-* Mon Apr 24 2023 Ray Strode <rstrode@redhat.com> - 1.12.8-25
-- Ensure only one dbus-daemon is spawned for all shells sharing
-  a single connection.
-  Resolves: #2189201
-
-* Wed Oct 19 2022 David King <dking@redhat.com> - 1:1.12.8-24
-- Fix CVE-2022-42010 (#2133645)
-- Fix CVE-2022-42011 (#2133639)
-- Fix CVE-2022-42011 (#2133633)
-
-* Tue Sep 06 2022 Ray Strode <rstrode@redhat.com> - 1:1.12.8-23
-- Address race for very short running sessions in SSH
-  session monitoring script.
-  Related: #2089362
-
-* Tue Aug 09 2022 Ray Strode <rstrode@redhat.com> - 1:1.12.8-22
-- Use hangup signal instead of termination signal to
-  kill sesssion monitoring script to appeach tcsh.
-  Related: #2089362
-
-* Mon Aug 08 2022 David King <dking@redhat.com> - 1:1.12.8-20
-- Override sysusers configuration (#2090397)
-
-* Thu Jun 16 2022 Ray Strode <rstrode@redhat.com> - 1:1.12.8-19
-- Ensure SSH session monitoring script is cleaned up when the
-  session exits.
-  Resolves: #2089362
-
-* Mon Dec 06 2021 Ray Strode <rstrode@redhat.com> - 1.12.8-18
-- Ensure session bus started for SSH sessions gets used by those
-  sessions.
-  Related: #1940067
-
-* Mon Nov 08 2021 David King <dking@redhat.com> - 1:1.12.8-17
-- Improve SSH session bus starting (#1940067)
-
-* Thu Jun 10 2021 David King <dking@redhat.com> - 1:1.12.8-16
-- Add Conflicts on older redhat-release versions (#1941642)
-
-* Wed May 26 2021 David King <dking@redhat.com> - 1:1.12.8-15
-- Packaging updates from Fedora (#1941642)
-
-* Tue Apr 27 2021 David King <dking@redhat.com> - 1:1.12.8-14
-- Fix dbus-launch call in sh snippet (#1940348)
-
 * Tue Mar 23 2021 David King <dking@redhat.com> - 1:1.12.8-13
 - Fix raising hard fd limit (#1839753)