SOURCES/dbus-1.12.8-fix-CVE-2023-34969.patch

@@ -0,0 +1,337 @@
+From 3a1b1e9a4010e581e2e940e61d37c4f617eb5eff Mon Sep 17 00:00:00 2001
+From: Simon McVittie <smcv@collabora.com>
+Date: Mon, 5 Jun 2023 17:56:33 +0100
+Subject: [PATCH 1/3] monitor test: Log the messages that we monitored
+
+This is helpful while debugging test failures.
+
+Helps: dbus/dbus#457
+Signed-off-by: Simon McVittie <smcv@collabora.com>
+(cherry picked from commit 8ee5d3e04420975107c27073b50f8758871a998b)
+---
+ test/monitor.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/test/monitor.c b/test/monitor.c
+index df5a7180..182110f8 100644
+--- a/test/monitor.c
++++ b/test/monitor.c
+@@ -196,6 +196,10 @@ _log_message (DBusMessage *m,
+       not_null (dbus_message_get_signature (m)));
+   g_test_message ("\terror name: %s",
+       not_null (dbus_message_get_error_name (m)));
++  g_test_message ("\tserial number: %u",
++      dbus_message_get_serial (m));
++  g_test_message ("\tin reply to: %u",
++      dbus_message_get_reply_serial (m));
+ 
+   if (strcmp ("s", dbus_message_get_signature (m)) == 0)
+     {
+@@ -339,6 +343,9 @@ monitor_filter (DBusConnection *connection,
+ {
+   Fixture *f = user_data;
+ 
++  g_test_message ("Monitor received message:");
++  log_message (message);
++
+   g_assert_cmpstr (dbus_message_get_interface (message), !=,
+       "com.example.Tedious");
+ 
+-- 
+2.41.0
+
+
+From 37a4dc5835731a1f7a81f1b67c45b8dfb556dd1c Mon Sep 17 00:00:00 2001
+From: hongjinghao <q1204531485@163.com>
+Date: Mon, 5 Jun 2023 18:17:06 +0100
+Subject: [PATCH 2/3] bus: Assign a serial number for messages from the driver
+
+Normally, it's enough to rely on a message being given a serial number
+by the DBusConnection just before it is actually sent. However, in the
+rare case where the policy blocks the driver from sending a message
+(due to a deny rule or the outgoing message quota being full), we need
+to get a valid serial number sooner, so that we can copy it into the
+DBUS_HEADER_FIELD_REPLY_SERIAL field (which is mandatory) in the error
+message sent to monitors. Otherwise, the dbus-daemon will crash with
+an assertion failure if at least one Monitoring client is attached,
+because zero is not a valid serial number to copy.
+
+This fixes a denial-of-service vulnerability: if a privileged user is
+monitoring the well-known system bus using a Monitoring client like
+dbus-monitor or `busctl monitor`, then an unprivileged user can cause
+denial-of-service by triggering this crash. A mitigation for this
+vulnerability is to avoid attaching Monitoring clients to the system
+bus when they are not needed. If there are no Monitoring clients, then
+the vulnerable code is not reached.
+
+Co-authored-by: Simon McVittie <smcv@collabora.com>
+Resolves: dbus/dbus#457
+(cherry picked from commit b159849e031000d1dbc1ab876b5fc78a3ce9b534)
+---
+ bus/connection.c                | 15 +++++++++++++++
+ dbus/dbus-connection-internal.h |  2 ++
+ dbus/dbus-connection.c          | 11 ++++++++++-
+ 3 files changed, 27 insertions(+), 1 deletion(-)
+
+diff --git a/bus/connection.c b/bus/connection.c
+index b3583433..215f0230 100644
+--- a/bus/connection.c
++++ b/bus/connection.c
+@@ -2350,6 +2350,21 @@ bus_transaction_send_from_driver (BusTransaction *transaction,
+   if (!dbus_message_set_sender (message, DBUS_SERVICE_DBUS))
+     return FALSE;
+ 
++  /* Make sure the message has a non-zero serial number, otherwise
++   * bus_transaction_capture_error_reply() will not be able to mock up
++   * a corresponding reply for it. Normally this would be delayed until
++   * the first time we actually send the message out from a
++   * connection, when the transaction is committed, but that's too late
++   * in this case.
++   */
++  if (dbus_message_get_serial (message) == 0)
++    {
++      dbus_uint32_t next_serial;
++
++      next_serial = _dbus_connection_get_next_client_serial (connection);
++      dbus_message_set_serial (message, next_serial);
++    }
++
+   if (bus_connection_is_active (connection))
+     {
+       if (!dbus_message_set_destination (message,
+diff --git a/dbus/dbus-connection-internal.h b/dbus/dbus-connection-internal.h
+index 48357321..ba79b192 100644
+--- a/dbus/dbus-connection-internal.h
++++ b/dbus/dbus-connection-internal.h
+@@ -54,6 +54,8 @@ DBUS_PRIVATE_EXPORT
+ DBusConnection *  _dbus_connection_ref_unlocked                (DBusConnection     *connection);
+ DBUS_PRIVATE_EXPORT
+ void              _dbus_connection_unref_unlocked              (DBusConnection     *connection);
++DBUS_PRIVATE_EXPORT
++dbus_uint32_t     _dbus_connection_get_next_client_serial      (DBusConnection *connection);
+ void              _dbus_connection_queue_received_message_link (DBusConnection     *connection,
+                                                                 DBusList           *link);
+ dbus_bool_t       _dbus_connection_has_messages_to_send_unlocked (DBusConnection     *connection);
+diff --git a/dbus/dbus-connection.c b/dbus/dbus-connection.c
+index c525b6dc..09cef278 100644
+--- a/dbus/dbus-connection.c
++++ b/dbus/dbus-connection.c
+@@ -1456,7 +1456,16 @@ _dbus_connection_unref_unlocked (DBusConnection *connection)
+     _dbus_connection_last_unref (connection);
+ }
+ 
+-static dbus_uint32_t
++/**
++ * Allocate and return the next non-zero serial number for outgoing messages.
++ *
++ * This method is only valid to call from single-threaded code, such as
++ * the dbus-daemon, or with the connection lock held.
++ *
++ * @param connection the connection
++ * @returns A suitable serial number for the next message to be sent on the connection.
++ */
++dbus_uint32_t
+ _dbus_connection_get_next_client_serial (DBusConnection *connection)
+ {
+   dbus_uint32_t serial;
+-- 
+2.41.0
+
+
+From 2c699f6ba9c162878c69d0728298c1ab7308db72 Mon Sep 17 00:00:00 2001
+From: Simon McVittie <smcv@collabora.com>
+Date: Mon, 5 Jun 2023 18:51:22 +0100
+Subject: [PATCH 3/3] monitor test: Reproduce dbus/dbus#457
+
+The exact failure mode reported in dbus/dbus#457 is quite difficult
+to achieve in a reliable way in a unit test, because we'd have to send
+enough messages to a client to fill up its queue, then stop that client
+from draining its queue, while still triggering a message that gets a
+reply from the bus driver. However, we can trigger the same crash in a
+slightly different way by not allowing the client to receive a
+particular message. I chose NameAcquired.
+
+Signed-off-by: Simon McVittie <smcv@collabora.com>
+(cherry picked from commit 986611ad0f7f67a3693e5672cd66bc608c00b228)
+---
+ .../valid-config-files/forbidding.conf.in     |  3 +
+ test/monitor.c                                | 77 ++++++++++++++++---
+ 2 files changed, 71 insertions(+), 9 deletions(-)
+
+diff --git a/test/data/valid-config-files/forbidding.conf.in b/test/data/valid-config-files/forbidding.conf.in
+index d145613c..58b3cc6a 100644
+--- a/test/data/valid-config-files/forbidding.conf.in
++++ b/test/data/valid-config-files/forbidding.conf.in
+@@ -24,5 +24,8 @@
+     <allow send_interface="com.example.CannotUnicast2" send_broadcast="true"/>
+ 
+     <deny receive_interface="com.example.CannotReceive"/>
++
++    <!-- Used to reproduce dbus#457 -->
++    <deny receive_interface="org.freedesktop.DBus" receive_member="NameAcquired"/>
+   </policy>
+ </busconfig>
+diff --git a/test/monitor.c b/test/monitor.c
+index 182110f8..42e0734d 100644
+--- a/test/monitor.c
++++ b/test/monitor.c
+@@ -155,6 +155,21 @@ static Config side_effects_config = {
+     TRUE
+ };
+ 
++static dbus_bool_t
++config_forbids_name_acquired_signal (const Config *config)
++{
++  if (config == NULL)
++    return FALSE;
++
++  if (config->config_file == NULL)
++    return FALSE;
++
++  if (strcmp (config->config_file, forbidding_config.config_file) == 0)
++    return TRUE;
++
++  return FALSE;
++}
++
+ static inline const char *
+ not_null2 (const char *x,
+     const char *fallback)
+@@ -253,9 +268,6 @@ do { \
+ 
+ #define assert_name_acquired(m) \
+ do { \
+-  DBusError _e = DBUS_ERROR_INIT; \
+-  const char *_s; \
+-    \
+   g_assert_cmpstr (dbus_message_type_to_string (dbus_message_get_type (m)), \
+       ==, dbus_message_type_to_string (DBUS_MESSAGE_TYPE_SIGNAL)); \
+   g_assert_cmpstr (dbus_message_get_sender (m), ==, DBUS_SERVICE_DBUS); \
+@@ -265,7 +277,14 @@ do { \
+   g_assert_cmpstr (dbus_message_get_signature (m), ==, "s"); \
+   g_assert_cmpint (dbus_message_get_serial (m), !=, 0); \
+   g_assert_cmpint (dbus_message_get_reply_serial (m), ==, 0); \
++} while (0)
++
++#define assert_unique_name_acquired(m) \
++do { \
++  DBusError _e = DBUS_ERROR_INIT; \
++  const char *_s; \
+     \
++  assert_name_acquired (m); \
+   dbus_message_get_args (m, &_e, \
+         DBUS_TYPE_STRING, &_s, \
+         DBUS_TYPE_INVALID); \
+@@ -333,6 +352,21 @@ do { \
+   g_assert_cmpint (dbus_message_get_reply_serial (m), !=, 0); \
+ } while (0)
+ 
++/* forbidding.conf does not allow receiving NameAcquired, so if we are in
++ * that configuration, then dbus-daemon synthesizes an error reply to itself
++ * and sends that to monitors */
++#define expect_name_acquired_error(queue, in_reply_to) \
++do { \
++  DBusMessage *message; \
++  \
++  message = g_queue_pop_head (queue); \
++  assert_error_reply (message, DBUS_SERVICE_DBUS, DBUS_SERVICE_DBUS, \
++                      DBUS_ERROR_ACCESS_DENIED); \
++  g_assert_cmpint (dbus_message_get_reply_serial (message), ==, \
++                   dbus_message_get_serial (in_reply_to)); \
++  dbus_message_unref (message); \
++} while (0)
++
+ /* This is called after processing pending replies to our own method
+  * calls, but before anything else.
+  */
+@@ -797,6 +831,11 @@ test_become_monitor (Fixture *f,
+   test_assert_no_error (&f->e);
+   g_assert_cmpint (ret, ==, DBUS_REQUEST_NAME_REPLY_PRIMARY_OWNER);
+ 
++  /* If the policy forbids receiving NameAcquired, then we'll never
++   * receive it, so behave as though we had */
++  if (config_forbids_name_acquired_signal (f->config))
++    got_unique = got_a = got_b = got_c = TRUE;
++
+   while (!got_unique || !got_a || !got_b || !got_c)
+     {
+       if (g_queue_is_empty (&f->monitored))
+@@ -1448,6 +1487,7 @@ test_dbus_daemon (Fixture *f,
+ {
+   DBusMessage *m;
+   int res;
++  size_t n_expected;
+ 
+   if (f->address == NULL)
+     return;
+@@ -1463,7 +1503,12 @@ test_dbus_daemon (Fixture *f,
+   test_assert_no_error (&f->e);
+   g_assert_cmpint (res, ==, DBUS_RELEASE_NAME_REPLY_RELEASED);
+ 
+-  while (g_queue_get_length (&f->monitored) < 8)
++  n_expected = 8;
++
++  if (config_forbids_name_acquired_signal (context))
++    n_expected += 1;
++
++  while (g_queue_get_length (&f->monitored) < n_expected)
+     test_main_context_iterate (f->ctx, TRUE);
+ 
+   m = g_queue_pop_head (&f->monitored);
+@@ -1476,10 +1521,12 @@ test_dbus_daemon (Fixture *f,
+       "NameOwnerChanged", "sss", NULL);
+   dbus_message_unref (m);
+ 
+-  /* FIXME: should we get this? */
+   m = g_queue_pop_head (&f->monitored);
+-  assert_signal (m, DBUS_SERVICE_DBUS, DBUS_PATH_DBUS, DBUS_INTERFACE_DBUS,
+-      "NameAcquired", "s", f->sender_name);
++  assert_name_acquired (m);
++
++  if (config_forbids_name_acquired_signal (f->config))
++    expect_name_acquired_error (&f->monitored, m);
++
+   dbus_message_unref (m);
+ 
+   m = g_queue_pop_head (&f->monitored);
+@@ -1701,8 +1748,14 @@ static void
+ expect_new_connection (Fixture *f)
+ {
+   DBusMessage *m;
++  size_t n_expected;
+ 
+-  while (g_queue_get_length (&f->monitored) < 4)
++  n_expected = 4;
++
++  if (config_forbids_name_acquired_signal (f->config))
++    n_expected += 1;
++
++  while (g_queue_get_length (&f->monitored) < n_expected)
+     test_main_context_iterate (f->ctx, TRUE);
+ 
+   m = g_queue_pop_head (&f->monitored);
+@@ -1719,7 +1772,11 @@ expect_new_connection (Fixture *f)
+   dbus_message_unref (m);
+ 
+   m = g_queue_pop_head (&f->monitored);
+-  assert_name_acquired (m);
++  assert_unique_name_acquired (m);
++
++  if (config_forbids_name_acquired_signal (f->config))
++    expect_name_acquired_error (&f->monitored, m);
++
+   dbus_message_unref (m);
+ }
+ 
+@@ -2044,6 +2101,8 @@ main (int argc,
+       setup, test_method_call, teardown);
+   g_test_add ("/monitor/forbidden-method", Fixture, &forbidding_config,
+       setup, test_forbidden_method_call, teardown);
++  g_test_add ("/monitor/forbidden-reply", Fixture, &forbidding_config,
++      setup, test_dbus_daemon, teardown);
+   g_test_add ("/monitor/dbus-daemon", Fixture, NULL,
+       setup, test_dbus_daemon, teardown);
+   g_test_add ("/monitor/selective", Fixture, &selective_config,
+-- 
+2.41.0
+

SOURCES/dbus-1.20.8-CVE-2022-42010.patch

@@ -0,0 +1,116 @@
+From 8f382ee405ec68850866298ba0574f12e261a6fa Mon Sep 17 00:00:00 2001
+From: Simon McVittie <smcv@collabora.com>
+Date: Tue, 13 Sep 2022 15:10:22 +0100
+Subject: [PATCH] dbus-marshal-validate: Check brackets in signature nest
+ correctly
+
+In debug builds with assertions enabled, a signature with incorrectly
+nested `()` and `{}`, for example `a{i(u}` or `(a{ii)}`, could result
+in an assertion failure.
+
+In production builds without assertions enabled, a signature with
+incorrectly nested `()` and `{}` could potentially result in a crash
+or incorrect message parsing, although we do not have a concrete example
+of either of these failure modes.
+
+Thanks: Evgeny Vereshchagin
+Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/418
+Resolves: CVE-2022-42010
+Signed-off-by: Simon McVittie <smcv@collabora.com>
+(cherry picked from commit 9d07424e9011e3bbe535e83043d335f3093d2916)
+(cherry picked from commit 3e53a785dee8d1432156188a2c4260e4cbc78c4d)
+---
+ dbus/dbus-marshal-validate.c | 38 +++++++++++++++++++++++++++++++++++-
+ 1 file changed, 37 insertions(+), 1 deletion(-)
+
+diff --git a/dbus/dbus-marshal-validate.c b/dbus/dbus-marshal-validate.c
+index 4d492f3f3..ae68414dd 100644
+--- a/dbus/dbus-marshal-validate.c
++++ b/dbus/dbus-marshal-validate.c
+@@ -62,6 +62,8 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
+ 
+   int element_count;
+   DBusList *element_count_stack;
++  char opened_brackets[DBUS_MAXIMUM_TYPE_RECURSION_DEPTH * 2 + 1] = { '\0' };
++  char last_bracket;
+ 
+   result = DBUS_VALID;
+   element_count_stack = NULL;
+@@ -93,6 +95,10 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
+ 
+   while (p != end)
+     {
++      _dbus_assert (struct_depth + dict_entry_depth >= 0);
++      _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets));
++      _dbus_assert (opened_brackets[struct_depth + dict_entry_depth] == '\0');
++
+       switch (*p)
+         {
+         case DBUS_TYPE_BYTE:
+@@ -136,6 +142,10 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
+               goto out;
+             }
+ 
++          _dbus_assert (struct_depth + dict_entry_depth >= 1);
++          _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets));
++          _dbus_assert (opened_brackets[struct_depth + dict_entry_depth - 1] == '\0');
++          opened_brackets[struct_depth + dict_entry_depth - 1] = DBUS_STRUCT_BEGIN_CHAR;
+           break;
+ 
+         case DBUS_STRUCT_END_CHAR:
+@@ -151,9 +161,20 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
+               goto out;
+             }
+ 
++          _dbus_assert (struct_depth + dict_entry_depth >= 1);
++          _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets));
++          last_bracket = opened_brackets[struct_depth + dict_entry_depth - 1];
++
++          if (last_bracket != DBUS_STRUCT_BEGIN_CHAR)
++            {
++              result = DBUS_INVALID_STRUCT_ENDED_BUT_NOT_STARTED;
++              goto out;
++            }
++
+           _dbus_list_pop_last (&element_count_stack);
+ 
+           struct_depth -= 1;
++          opened_brackets[struct_depth + dict_entry_depth] = '\0';
+           break;
+ 
+         case DBUS_DICT_ENTRY_BEGIN_CHAR:
+@@ -178,6 +199,10 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
+               goto out;
+             }
+ 
++          _dbus_assert (struct_depth + dict_entry_depth >= 1);
++          _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets));
++          _dbus_assert (opened_brackets[struct_depth + dict_entry_depth - 1] == '\0');
++          opened_brackets[struct_depth + dict_entry_depth - 1] = DBUS_DICT_ENTRY_BEGIN_CHAR;
+           break;
+ 
+         case DBUS_DICT_ENTRY_END_CHAR:
+@@ -186,8 +211,19 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
+               result = DBUS_INVALID_DICT_ENTRY_ENDED_BUT_NOT_STARTED;
+               goto out;
+             }
+-            
++
++          _dbus_assert (struct_depth + dict_entry_depth >= 1);
++          _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets));
++          last_bracket = opened_brackets[struct_depth + dict_entry_depth - 1];
++
++          if (last_bracket != DBUS_DICT_ENTRY_BEGIN_CHAR)
++            {
++              result = DBUS_INVALID_DICT_ENTRY_ENDED_BUT_NOT_STARTED;
++              goto out;
++            }
++
+           dict_entry_depth -= 1;
++          opened_brackets[struct_depth + dict_entry_depth] = '\0';
+ 
+           element_count = 
+             _DBUS_POINTER_TO_INT (_dbus_list_pop_last (&element_count_stack));
+-- 
+GitLab
+

SOURCES/dbus-1.20.8-CVE-2022-42011.patch

@@ -0,0 +1,57 @@
+From 3b8a7aff228770f4f7b478db606b10cceacea875 Mon Sep 17 00:00:00 2001
+From: Simon McVittie <smcv@collabora.com>
+Date: Mon, 12 Sep 2022 13:14:18 +0100
+Subject: [PATCH] dbus-marshal-validate: Validate length of arrays of
+ fixed-length items
+
+This fast-path previously did not check that the array was made up
+of an integer number of items. This could lead to assertion failures
+and out-of-bounds accesses during subsequent message processing (which
+assumes that the message has already been validated), particularly after
+the addition of _dbus_header_remove_unknown_fields(), which makes it
+more likely that dbus-daemon will apply non-trivial edits to messages.
+
+Thanks: Evgeny Vereshchagin
+Fixes: e61f13cf "Bug 18064 - more efficient validation for fixed-size type arrays"
+Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/413
+Resolves: CVE-2022-42011
+Signed-off-by: Simon McVittie <smcv@collabora.com>
+(cherry picked from commit 079bbf16186e87fb0157adf8951f19864bc2ed69)
+(cherry picked from commit b9e6a7523085a2cfceaffca7ba1ab4251f12a984)
+---
+ dbus/dbus-marshal-validate.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/dbus/dbus-marshal-validate.c b/dbus/dbus-marshal-validate.c
+index ae68414dd..7d0d6cf72 100644
+--- a/dbus/dbus-marshal-validate.c
++++ b/dbus/dbus-marshal-validate.c
+@@ -503,13 +503,24 @@ validate_body_helper (DBusTypeReader       *reader,
+                  */ 
+                 if (dbus_type_is_fixed (array_elem_type))
+                   {
++                    /* Note that fixed-size types all have sizes equal to
++                     * their alignments, so this is really the item size. */
++                    alignment = _dbus_type_get_alignment (array_elem_type);
++                    _dbus_assert (alignment == 1 || alignment == 2 ||
++                                  alignment == 4 || alignment == 8);
++
++                    /* Because the alignment is a power of 2, this is
++                     * equivalent to: (claimed_len % alignment) != 0,
++                     * but avoids slower integer division */
++                    if ((claimed_len & (alignment - 1)) != 0)
++                      return DBUS_INVALID_ARRAY_LENGTH_INCORRECT;
++
+                     /* bools need to be handled differently, because they can
+                      * have an invalid value
+                      */
+                     if (array_elem_type == DBUS_TYPE_BOOLEAN)
+                       {
+                         dbus_uint32_t v;
+-                        alignment = _dbus_type_get_alignment (array_elem_type);
+ 
+                         while (p < array_end)
+                           {
+-- 
+GitLab
+

SOURCES/dbus-1.20.8-CVE-2022-42012.patch

@@ -0,0 +1,73 @@
+From 51a5bbf9074855b0f4a353ed309938b196c13525 Mon Sep 17 00:00:00 2001
+From: Simon McVittie <smcv@collabora.com>
+Date: Fri, 30 Sep 2022 13:46:31 +0100
+Subject: [PATCH] dbus-marshal-byteswap: Byte-swap Unix fd indexes if needed
+
+When a D-Bus message includes attached file descriptors, the body of the
+message contains unsigned 32-bit indexes pointing into an out-of-band
+array of file descriptors. Some D-Bus APIs like GLib's GDBus refer to
+these indexes as "handles" for the associated fds (not to be confused
+with a Windows HANDLE, which is a kernel object).
+
+The assertion message removed by this commit is arguably correct up to
+a point: fd-passing is only reasonable on a local machine, and no known
+operating system allows processes of differing endianness even on a
+multi-endian ARM or PowerPC CPU, so it makes little sense for the sender
+to specify a byte-order that differs from the byte-order of the recipient.
+
+However, this doesn't account for the fact that a malicious sender
+doesn't have to restrict itself to only doing things that make sense.
+On a system with untrusted local users, a message sender could crash
+the system dbus-daemon (a denial of service) by sending a message in
+the opposite endianness that contains handles to file descriptors.
+
+Before this commit, if assertions are enabled, attempting to byteswap
+a fd index would cleanly crash the message recipient with an assertion
+failure. If assertions are disabled, attempting to byteswap a fd index
+would silently do nothing without advancing the pointer p, causing the
+message's type and the pointer into its contents to go out of sync, which
+can result in a subsequent crash (the crash demonstrated by fuzzing was
+a use-after-free, but other failure modes might be possible).
+
+In principle we could resolve this by rejecting wrong-endianness messages
+from a local sender, but it's actually simpler and less code to treat
+wrong-endianness messages as valid and byteswap them.
+
+Thanks: Evgeny Vereshchagin
+Fixes: ba7daa60 "unix-fd: add basic marshalling code for unix fds"
+Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/417
+Resolves: CVE-2022-42012
+Signed-off-by: Simon McVittie <smcv@collabora.com>
+(cherry picked from commit 236f16e444e88a984cf12b09225e0f8efa6c5b44)
+(cherry picked from commit 3fb065b0752db1e298e4ada52cf4adc414f5e946)
+---
+ dbus/dbus-marshal-byteswap.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/dbus/dbus-marshal-byteswap.c b/dbus/dbus-marshal-byteswap.c
+index 27695aafb..7104e9c63 100644
+--- a/dbus/dbus-marshal-byteswap.c
++++ b/dbus/dbus-marshal-byteswap.c
+@@ -61,6 +61,7 @@ byteswap_body_helper (DBusTypeReader       *reader,
+         case DBUS_TYPE_BOOLEAN:
+         case DBUS_TYPE_INT32:
+         case DBUS_TYPE_UINT32:
++        case DBUS_TYPE_UNIX_FD:
+           {
+             p = _DBUS_ALIGN_ADDRESS (p, 4);
+             *((dbus_uint32_t*)p) = DBUS_UINT32_SWAP_LE_BE (*((dbus_uint32_t*)p));
+@@ -188,11 +189,6 @@ byteswap_body_helper (DBusTypeReader       *reader,
+           }
+           break;
+ 
+-        case DBUS_TYPE_UNIX_FD:
+-          /* fds can only be passed on a local machine, so byte order must always match */
+-          _dbus_assert_not_reached("attempted to byteswap unix fds which makes no sense");
+-          break;
+-
+         default:
+           _dbus_assert_not_reached ("invalid typecode in supposedly-validated signature");
+           break;
+-- 
+GitLab
+

SOURCES/dbus-kill-process-with-session

@@ -6,11 +6,24 @@
 
 exec >& /dev/null
 
-trap "kill -TERM $1" EXIT
+MONITOR_READY_FILE=$(mktemp dbus-session-monitor.XXXXXX --tmpdir)
+DBUS_SESSIONS="${XDG_RUNTIME_DIR}/dbus-1/sessions"
+DBUS_SESSION_ADDRESS_FILE="${DBUS_SESSIONS}/${XDG_SESSION_ID}"
+
+trap 'rm -f "${MONITOR_READY_FILE}"; rm -f "${DBUS_SESSION_ADDRESS_FILE}"; kill -TERM $1; kill -HUP $(jobs -p)' EXIT
 
 export GVFS_DISABLE_FUSE=1
-coproc SESSION_MONITOR (gio monitor -f "/run/systemd/sessions/${XDG_SESSION_ID}")
+coproc SESSION_MONITOR (gio monitor -f "/run/systemd/sessions/${XDG_SESSION_ID}" "${MONITOR_READY_FILE}")
 
+# Poll until the gio monitor command is actively monitoring
+until
+    touch "${MONITOR_READY_FILE}"
+    read -t 0.5 -u ${SESSION_MONITOR[0]}
+do
+    continue
+done
+
+# Block until the session is closed
 while grep -q ^State=active <(loginctl show-session $XDG_SESSION_ID)
 do
     read -u ${SESSION_MONITOR[0]}

SOURCES/dbus-systemd-sysusers.conf

@@ -0,0 +1,2 @@
+#Type  Name  ID  GECOS                 Home directory  Shell
+u      dbus  81  "System Message Bus"  -               -

SOURCES/ssh-x-forwarding.csh

@@ -1,10 +1,24 @@
 # DBus session bus over SSH with X11 forwarding
 if ( $?SSH_CONNECTION == 0 ) exit
+if ( $?XDG_SESSION_ID == 0) exit
 if ( $?DISPLAY == 0 ) exit
 if ( $SHLVL > 1 ) exit
+
+set DBUS_SESSIONS = "${XDG_RUNTIME_DIR}/dbus-1/sessions"
+set DBUS_SESSION_ADDRESS_FILE = "${DBUS_SESSIONS}/${XDG_SESSION_ID}"
+
+if ( -e "${DBUS_SESSION_ADDRESS_FILE}" ) then
+    setenv DBUS_SESSION_BUS_ADDRESS "`cat ${DBUS_SESSION_ADDRESS_FILE}`"
+    exit
+endif
+
 setenv GDK_BACKEND x11
 
 eval `dbus-launch --csh-syntax`
 
 if ( $?DBUS_SESSION_BUS_PID == 0 ) exit
+
+mkdir -p "${DBUS_SESSIONS}"
+echo "${DBUS_SESSION_BUS_ADDRESS}" > "${DBUS_SESSION_ADDRESS_FILE}"
+
 setsid -f /usr/libexec/dbus-1/dbus-kill-process-with-session $DBUS_SESSION_BUS_PID

SOURCES/ssh-x-forwarding.sh

@@ -1,12 +1,25 @@
 # DBus session bus over SSH with X11 forwarding
 [ -z "$SSH_CONNECTION" ] && return
+[ -z "$XDG_SESSION_ID" ] && return
 [ -z "$DISPLAY" ] && return
 [ "${DISPLAY:0:1}" = ":" ] && return
 [ "$SHLVL" -ne 1 ] && return
 
+DBUS_SESSIONS="${XDG_RUNTIME_DIR}/dbus-1/sessions"
+DBUS_SESSION_ADDRESS_FILE="${DBUS_SESSIONS}/${XDG_SESSION_ID}"
+
+if [ -e "${DBUS_SESSION_ADDRESS_FILE}" ]; then
+    export DBUS_SESSION_BUS_ADDRESS="$(cat ${DBUS_SESSION_ADDRESS_FILE})"
+    return
+fi
+
 export GDK_BACKEND=x11
 
 eval `dbus-launch --sh-syntax`
 
 [ -z "$DBUS_SESSION_BUS_PID" ] && return
+
+mkdir -p "${DBUS_SESSIONS}"
+echo "${DBUS_SESSION_BUS_ADDRESS}" > "${DBUS_SESSION_ADDRESS_FILE}"
+
 setsid -f /usr/libexec/dbus-1/dbus-kill-process-with-session "$DBUS_SESSION_BUS_PID"

SPECS/dbus.spec

@@ -19,7 +19,7 @@
 Name:    dbus
 Epoch:   1
 Version: 1.12.8
-Release: 18%{?dist}
+Release: 26%{?dist}
 Summary: D-BUS message bus
 
 Group:   System Environment/Libraries
@@ -33,6 +33,7 @@ Source1: 00-start-message-bus.sh
 Source2: ssh-x-forwarding.csh
 Source3: ssh-x-forwarding.sh
 Source4: dbus-kill-process-with-session
+Source5: dbus-systemd-sysusers.conf
 Patch0: 0001-tools-Use-Python3-for-GetAllMatchRules.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1725570
 Patch1: dbus-1.12.8-fix-CVE-2019-12749.patch
@@ -40,6 +41,14 @@ Patch1: dbus-1.12.8-fix-CVE-2019-12749.patch
 Patch2: dbus-1.12.8-fix-CVE-2020-12049.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1839753
 Patch3: dbus-1.12.8-fix-fd-limit-change.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2133645
+Patch4: dbus-1.20.8-CVE-2022-42010.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2133639
+Patch5: dbus-1.20.8-CVE-2022-42011.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2133633
+Patch6: dbus-1.20.8-CVE-2022-42012.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2213400
+Patch7: dbus-1.12.8-fix-CVE-2023-34969.patch
 
 BuildRequires: autoconf-archive
 BuildRequires: libtool
@@ -208,10 +217,13 @@ find %{buildroot} -name '*.la' -type f -delete
 rm -rf %{buildroot}%{_libdir}/cmake
 %endif
 
+rm -f %{buildroot}%{_sysusersdir}/dbus.conf
+
 install -Dp -m755 %{SOURCE1} %{buildroot}%{_sysconfdir}/X11/xinit/xinitrc.d/00-start-message-bus.sh
 install -Dp -m644 %{SOURCE2} %{buildroot}%{_sysconfdir}/profile.d/ssh-x-forwarding.csh
 install -p -m644 %{SOURCE3} %{buildroot}%{_sysconfdir}/profile.d/
 install -Dp -m755 %{SOURCE4} %{buildroot}%{_libexecdir}/dbus-1/dbus-kill-process-with-session
+install -Dp -m644 %{SOURCE5} %{buildroot}%{_sysusersdir}/dbus.conf
 
 # Obsolete, but still widely used, for drop-in configuration snippets.
 install --directory %{buildroot}%{_sysconfdir}/dbus-1/session.d
@@ -411,6 +423,37 @@ popd
 %{_includedir}/*
 
 %changelog
+* Mon Jun 19 2023 David King <amigadave@amigadave.com> - 1.12.8-26
+- Fix CVE-2023-34969 (#2213400)
+
+* Mon Apr 24 2023 Ray Strode <rstrode@redhat.com> - 1.12.8-25
+- Ensure only one dbus-daemon is spawned for all shells sharing
+  a single connection.
+  Resolves: #2189201
+
+* Wed Oct 19 2022 David King <dking@redhat.com> - 1:1.12.8-24
+- Fix CVE-2022-42010 (#2133645)
+- Fix CVE-2022-42011 (#2133639)
+- Fix CVE-2022-42011 (#2133633)
+
+* Tue Sep 06 2022 Ray Strode <rstrode@redhat.com> - 1:1.12.8-23
+- Address race for very short running sessions in SSH
+  session monitoring script.
+  Related: #2089362
+
+* Tue Aug 09 2022 Ray Strode <rstrode@redhat.com> - 1:1.12.8-22
+- Use hangup signal instead of termination signal to
+  kill sesssion monitoring script to appeach tcsh.
+  Related: #2089362
+
+* Mon Aug 08 2022 David King <dking@redhat.com> - 1:1.12.8-20
+- Override sysusers configuration (#2090397)
+
+* Thu Jun 16 2022 Ray Strode <rstrode@redhat.com> - 1:1.12.8-19
+- Ensure SSH session monitoring script is cleaned up when the
+  session exits.
+  Resolves: #2089362
+
 * Mon Dec 06 2021 Ray Strode <rstrode@redhat.com> - 1.12.8-18
 - Ensure session bus started for SSH sessions gets used by those
   sessions.