diff --git a/SOURCES/0001-GDBus-prefer-getsockopt-style-credentials-passing-AP.patch b/SOURCES/0001-GDBus-prefer-getsockopt-style-credentials-passing-AP.patch deleted file mode 100644 index 5bfd8ba..0000000 --- a/SOURCES/0001-GDBus-prefer-getsockopt-style-credentials-passing-AP.patch +++ /dev/null @@ -1,170 +0,0 @@ -From ee502dbbe89a5976c32eb8863c9a9d274ddb60e1 Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Mon, 14 Oct 2019 08:47:39 +0100 -Subject: [PATCH] GDBus: prefer getsockopt()-style credentials-passing APIs - -Conceptually, a D-Bus server is really trying to determine the credentials -of (the process that initiated) a connection, not the credentials that -the process had when it sent a particular message. Ideally, it does -this with a getsockopt()-style API that queries the credentials of the -connection's initiator without requiring any particular cooperation from -that process, avoiding a class of possible failures. - -The leading '\0' in the D-Bus protocol is primarily a workaround -for platforms where the message-based credentials-passing API is -strictly better than the getsockopt()-style API (for example, on -FreeBSD, SCM_CREDS includes a process ID but getpeereid() does not), -or where the getsockopt()-style API does not exist at all. As a result -libdbus, the reference implementation of D-Bus, does not implement -Linux SCM_CREDENTIALS at all - it has no reason to do so, because the -SO_PEERCRED socket option is equally informative. - -This change makes GDBusServer on Linux more closely match the behaviour -of libdbus. - -In particular, GNOME/glib#1831 indicates that when a libdbus client -connects to a GDBus server, recvmsg() sometimes yields a SCM_CREDENTIALS -message with cmsg_data={pid=0, uid=65534, gid=65534}. I think this is -most likely a race condition in the early steps to connect: - - client server - connect - accept - send '\0' <- race -> set SO_PASSCRED = 1 - receive '\0' - -If the server wins the race: - - client server - connect - accept - set SO_PASSCRED = 1 - send '\0' - receive '\0' - -then everything is fine. However, if the client wins the race: - - client server - connect - accept - send '\0' - set SO_PASSCRED = 1 - receive '\0' - -then the kernel does not record credentials for the message containing -'\0' (because SO_PASSCRED was 0 at the time). However, by the time the -server receives the message, the kernel knows that credentials are -desired. I would have expected the kernel to omit the credentials header -in this case, but it seems that instead, it synthesizes a credentials -structure with a dummy process ID 0, a dummy uid derived from -/proc/sys/kernel/overflowuid and a dummy gid derived from -/proc/sys/kernel/overflowgid. - -In an unconfigured GDBusServer, hitting this race condition results in -falling back to DBUS_COOKIE_SHA1 authentication, which in practice usually -succeeds in authenticating the peer's uid. However, we encourage AF_UNIX -servers on Unix platforms to allow only EXTERNAL authentication as a -security-hardening measure, because DBUS_COOKIE_SHA1 relies on a series -of assumptions including a cryptographically strong PRNG and a shared -home directory with no write access by others, which are not necessarily -true for all operating systems and users. EXTERNAL authentication will -fail if the server cannot determine the client's credentials. - -In particular, this caused a regression when CVE-2019-14822 was fixed -in ibus, which appears to be resolved by this commit. Qt clients -(which use libdbus) intermittently fail to connect to an ibus server -(which uses GDBusServer), because ibus no longer allows DBUS_COOKIE_SHA1 -authentication or non-matching uids. - -Signed-off-by: Simon McVittie -Closes: https://gitlab.gnome.org/GNOME/glib/issues/1831 ---- - gio/gcredentialsprivate.h | 18 ++++++++++++++++++ - gio/gdbusauth.c | 27 +++++++++++++++++++++++++-- - 2 files changed, 43 insertions(+), 2 deletions(-) - -diff --git a/gio/gcredentialsprivate.h b/gio/gcredentialsprivate.h -index 06f0aed19..e9ec09b9f 100644 ---- a/gio/gcredentialsprivate.h -+++ b/gio/gcredentialsprivate.h -@@ -81,6 +81,18 @@ - */ - #undef G_CREDENTIALS_SPOOFING_SUPPORTED - -+/* -+ * G_CREDENTIALS_PREFER_MESSAGE_PASSING: -+ * -+ * Defined to 1 if the data structure transferred by the message-passing -+ * API is strictly more informative than the one transferred by the -+ * `getsockopt()`-style API, and hence should be preferred, even for -+ * protocols like D-Bus that are defined in terms of the credentials of -+ * the (process that opened the) socket, as opposed to the credentials -+ * of an individual message. -+ */ -+#undef G_CREDENTIALS_PREFER_MESSAGE_PASSING -+ - #ifdef __linux__ - #define G_CREDENTIALS_SUPPORTED 1 - #define G_CREDENTIALS_USE_LINUX_UCRED 1 -@@ -100,6 +112,12 @@ - #define G_CREDENTIALS_NATIVE_SIZE (sizeof (struct cmsgcred)) - #define G_CREDENTIALS_UNIX_CREDENTIALS_MESSAGE_SUPPORTED 1 - #define G_CREDENTIALS_SPOOFING_SUPPORTED 1 -+/* GLib doesn't implement it yet, but FreeBSD's getsockopt()-style API -+ * is getpeereid(), which is not as informative as struct cmsgcred - -+ * it does not tell us the PID. As a result, libdbus prefers to use -+ * SCM_CREDS, and if we implement getpeereid() in future, we should -+ * do the same. */ -+#define G_CREDENTIALS_PREFER_MESSAGE_PASSING 1 - - #elif defined(__NetBSD__) - #define G_CREDENTIALS_SUPPORTED 1 -diff --git a/gio/gdbusauth.c b/gio/gdbusauth.c -index 752ec23fc..14cc5d70e 100644 ---- a/gio/gdbusauth.c -+++ b/gio/gdbusauth.c -@@ -31,6 +31,7 @@ - #include "gdbusutils.h" - #include "gioenumtypes.h" - #include "gcredentials.h" -+#include "gcredentialsprivate.h" - #include "gdbusprivate.h" - #include "giostream.h" - #include "gdatainputstream.h" -@@ -969,9 +970,31 @@ _g_dbus_auth_run_server (GDBusAuth *auth, - - g_data_input_stream_set_newline_type (dis, G_DATA_STREAM_NEWLINE_TYPE_CR_LF); - -- /* first read the NUL-byte */ -+ /* read the NUL-byte, possibly with credentials attached */ - #ifdef G_OS_UNIX -- if (G_IS_UNIX_CONNECTION (auth->priv->stream)) -+#ifndef G_CREDENTIALS_PREFER_MESSAGE_PASSING -+ if (G_IS_SOCKET_CONNECTION (auth->priv->stream)) -+ { -+ GSocket *sock = g_socket_connection_get_socket (G_SOCKET_CONNECTION (auth->priv->stream)); -+ -+ local_error = NULL; -+ credentials = g_socket_get_credentials (sock, &local_error); -+ -+ if (credentials == NULL && !g_error_matches (local_error, G_IO_ERROR, G_IO_ERROR_NOT_SUPPORTED)) -+ { -+ g_propagate_error (error, local_error); -+ goto out; -+ } -+ else -+ { -+ /* Clear the error indicator, so we can retry with -+ * g_unix_connection_receive_credentials() if necessary */ -+ g_clear_error (&local_error); -+ } -+ } -+#endif -+ -+ if (credentials == NULL && G_IS_UNIX_CONNECTION (auth->priv->stream)) - { - local_error = NULL; - credentials = g_unix_connection_receive_credentials (G_UNIX_CONNECTION (auth->priv->stream), --- -2.23.0 - diff --git a/SOURCES/0001-credentials-Invalid-Linux-struct-ucred-means-no-info.patch b/SOURCES/0001-credentials-Invalid-Linux-struct-ucred-means-no-info.patch deleted file mode 100644 index 764d407..0000000 --- a/SOURCES/0001-credentials-Invalid-Linux-struct-ucred-means-no-info.patch +++ /dev/null @@ -1,118 +0,0 @@ -From 1485a97d8051b0aa047987f7b0c0bfe4ba4ce55b Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Fri, 18 Oct 2019 10:55:09 +0100 -Subject: [PATCH] credentials: Invalid Linux struct ucred means "no - information" - -On Linux, if getsockopt SO_PEERCRED is used on a TCP socket, one -might expect it to fail with an appropriate error like ENOTSUP or -EPROTONOSUPPORT. However, it appears that in fact it succeeds, but -yields a credentials structure with pid 0, uid -1 and gid -1. These -are not real process, user and group IDs that can be allocated to a -real process (pid 0 needs to be reserved to give kill(0) its documented -special semantics, and similarly uid and gid -1 need to be reserved for -setresuid() and setresgid()) so it is not meaningful to signal them to -high-level API users. - -An API user with Linux-specific knowledge can still inspect these fields -via g_credentials_get_native() if desired. - -Similarly, if SO_PASSCRED is used to receive a SCM_CREDENTIALS message -on a receiving Unix socket, but the sending socket had not enabled -SO_PASSCRED at the time that the message was sent, it is possible -for it to succeed but yield a credentials structure with pid 0, uid -/proc/sys/kernel/overflowuid and gid /proc/sys/kernel/overflowgid. Even -if we were to read those pseudo-files, we cannot distinguish between -the overflow IDs and a real process that legitimately has the same IDs -(typically they are set to 'nobody' and 'nogroup', which can be used -by a real process), so we detect this situation by noticing that -pid == 0, and to save syscalls we do not read the overflow IDs from -/proc at all. - -This results in a small API change: g_credentials_is_same_user() now -returns FALSE if we compare two credentials structures that are both -invalid. This seems like reasonable, conservative behaviour: if we cannot -prove that they are the same user, we should assume they are not. - -Signed-off-by: Simon McVittie ---- - gio/gcredentials.c | 42 +++++++++++++++++++++++++++++++++++++++--- - 1 file changed, 39 insertions(+), 3 deletions(-) - -diff --git a/gio/gcredentials.c b/gio/gcredentials.c -index c350e3c88..c4794ded7 100644 ---- a/gio/gcredentials.c -+++ b/gio/gcredentials.c -@@ -265,6 +265,35 @@ g_credentials_to_string (GCredentials *credentials) - - /* ---------------------------------------------------------------------------------------------------- */ - -+#if G_CREDENTIALS_USE_LINUX_UCRED -+/* -+ * Check whether @native contains invalid data. If getsockopt SO_PEERCRED -+ * is used on a TCP socket, it succeeds but yields a credentials structure -+ * with pid 0, uid -1 and gid -1. Similarly, if SO_PASSCRED is used on a -+ * receiving Unix socket when the sending socket did not also enable -+ * SO_PASSCRED, it can succeed but yield a credentials structure with -+ * pid 0, uid /proc/sys/kernel/overflowuid and gid -+ * /proc/sys/kernel/overflowgid. -+ */ -+static gboolean -+linux_ucred_check_valid (struct ucred *native, -+ GError **error) -+{ -+ if (native->pid == 0 -+ || native->uid == -1 -+ || native->gid == -1) -+ { -+ g_set_error_literal (error, -+ G_IO_ERROR, -+ G_IO_ERROR_INVALID_DATA, -+ _("GCredentials contains invalid data")); -+ return FALSE; -+ } -+ -+ return TRUE; -+} -+#endif -+ - /** - * g_credentials_is_same_user: - * @credentials: A #GCredentials. -@@ -294,7 +323,8 @@ g_credentials_is_same_user (GCredentials *credentials, - - ret = FALSE; - #if G_CREDENTIALS_USE_LINUX_UCRED -- if (credentials->native.uid == other_credentials->native.uid) -+ if (linux_ucred_check_valid (&credentials->native, NULL) -+ && credentials->native.uid == other_credentials->native.uid) - ret = TRUE; - #elif G_CREDENTIALS_USE_FREEBSD_CMSGCRED - if (credentials->native.cmcred_euid == other_credentials->native.cmcred_euid) -@@ -453,7 +483,10 @@ g_credentials_get_unix_user (GCredentials *credentials, - g_return_val_if_fail (error == NULL || *error == NULL, -1); - - #if G_CREDENTIALS_USE_LINUX_UCRED -- ret = credentials->native.uid; -+ if (linux_ucred_check_valid (&credentials->native, error)) -+ ret = credentials->native.uid; -+ else -+ ret = -1; - #elif G_CREDENTIALS_USE_FREEBSD_CMSGCRED - ret = credentials->native.cmcred_euid; - #elif G_CREDENTIALS_USE_NETBSD_UNPCBID -@@ -499,7 +532,10 @@ g_credentials_get_unix_pid (GCredentials *credentials, - g_return_val_if_fail (error == NULL || *error == NULL, -1); - - #if G_CREDENTIALS_USE_LINUX_UCRED -- ret = credentials->native.pid; -+ if (linux_ucred_check_valid (&credentials->native, error)) -+ ret = credentials->native.pid; -+ else -+ ret = -1; - #elif G_CREDENTIALS_USE_FREEBSD_CMSGCRED - ret = credentials->native.cmcred_pid; - #elif G_CREDENTIALS_USE_NETBSD_UNPCBID --- -2.23.0 - diff --git a/SOURCES/0001-gcredentialsprivate-Document-the-various-private-mac.patch b/SOURCES/0001-gcredentialsprivate-Document-the-various-private-mac.patch deleted file mode 100644 index fe37025..0000000 --- a/SOURCES/0001-gcredentialsprivate-Document-the-various-private-mac.patch +++ /dev/null @@ -1,83 +0,0 @@ -From ef1035d9d86464ea0b5dde60a7a0e190895fdf5b Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Mon, 14 Oct 2019 08:22:24 +0100 -Subject: [PATCH] gcredentialsprivate: Document the various private macros - -Signed-off-by: Simon McVittie ---- - gio/gcredentialsprivate.h | 59 +++++++++++++++++++++++++++++++++++++++ - 1 file changed, 59 insertions(+) - -diff --git a/gio/gcredentialsprivate.h b/gio/gcredentialsprivate.h -index 4d1c420a8..06f0aed19 100644 ---- a/gio/gcredentialsprivate.h -+++ b/gio/gcredentialsprivate.h -@@ -22,6 +22,65 @@ - #include "gio/gcredentials.h" - #include "gio/gnetworking.h" - -+/* -+ * G_CREDENTIALS_SUPPORTED: -+ * -+ * Defined to 1 if GCredentials works. -+ */ -+#undef G_CREDENTIALS_SUPPORTED -+ -+/* -+ * G_CREDENTIALS_USE_LINUX_UCRED, etc.: -+ * -+ * Defined to 1 if GCredentials uses Linux `struct ucred`, etc. -+ */ -+#undef G_CREDENTIALS_USE_LINUX_UCRED -+#undef G_CREDENTIALS_USE_FREEBSD_CMSGCRED -+#undef G_CREDENTIALS_USE_NETBSD_UNPCBID -+#undef G_CREDENTIALS_USE_OPENBSD_SOCKPEERCRED -+#undef G_CREDENTIALS_USE_SOLARIS_UCRED -+ -+/* -+ * G_CREDENTIALS_NATIVE_TYPE: -+ * -+ * Defined to one of G_CREDENTIALS_TYPE_LINUX_UCRED, etc. -+ */ -+#undef G_CREDENTIALS_NATIVE_TYPE -+ -+/* -+ * G_CREDENTIALS_NATIVE_SIZE: -+ * -+ * Defined to the size of the %G_CREDENTIALS_NATIVE_TYPE -+ */ -+#undef G_CREDENTIALS_NATIVE_SIZE -+ -+/* -+ * G_CREDENTIALS_UNIX_CREDENTIALS_MESSAGE_SUPPORTED: -+ * -+ * Defined to 1 if we have a message-passing API in which credentials -+ * are attached to a particular message, such as `SCM_CREDENTIALS` on Linux -+ * or `SCM_CREDS` on FreeBSD. -+ */ -+#undef G_CREDENTIALS_UNIX_CREDENTIALS_MESSAGE_SUPPORTED -+ -+/* -+ * G_CREDENTIALS_SOCKET_GET_CREDENTIALS_SUPPORTED: -+ * -+ * Defined to 1 if we have a `getsockopt()`-style API in which one end of -+ * a socket connection can directly query the credentials of the process -+ * that initiated the other end, such as `getsockopt SO_PEERCRED` on Linux -+ * or `getpeereid()` on multiple operating systems. -+ */ -+#undef G_CREDENTIALS_SOCKET_GET_CREDENTIALS_SUPPORTED -+ -+/* -+ * G_CREDENTIALS_SPOOFING_SUPPORTED: -+ * -+ * Defined to 1 if privileged processes can spoof their credentials when -+ * using the message-passing API. -+ */ -+#undef G_CREDENTIALS_SPOOFING_SUPPORTED -+ - #ifdef __linux__ - #define G_CREDENTIALS_SUPPORTED 1 - #define G_CREDENTIALS_USE_LINUX_UCRED 1 --- -2.23.0 - diff --git a/SOURCES/0002-gvariant-test-Also-force-alignment-for-tuple-test-da.patch b/SOURCES/0002-gvariant-test-Also-force-alignment-for-tuple-test-da.patch deleted file mode 100644 index 6699c59..0000000 --- a/SOURCES/0002-gvariant-test-Also-force-alignment-for-tuple-test-da.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 4ef58e5661849317a1110c9b93957f2c608677dd Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Thu, 3 Jan 2019 08:21:40 +0000 -Subject: [PATCH 2/2] gvariant test: Also force alignment for tuple test data - -glib!552 (commit 9eed22b3) fixed this for the tests that failed on i686, -but this additional test failed on Debian's s390x port -(IBM z/Architecture, 64-bit big-endian). - -Signed-off-by: Simon McVittie ---- - glib/tests/gvariant.c | 7 +++++-- - 1 file changed, 5 insertions(+), 2 deletions(-) - -diff --git a/glib/tests/gvariant.c b/glib/tests/gvariant.c -index a7b19826d..c4a996c1f 100644 ---- a/glib/tests/gvariant.c -+++ b/glib/tests/gvariant.c -@@ -4820,6 +4820,7 @@ test_normal_checking_array_offsets (void) - static void - test_normal_checking_tuple_offsets (void) - { -+ gpointer aligned_data; - const guint8 data[] = { - 0x07, 0xe5, 0x00, 0x07, 0x00, 0x07, - '(', 'a', 's', 'a', 's', 'a', 's', 'a', 's', 'a', 's', 'a', 's', ')', -@@ -4828,13 +4829,15 @@ test_normal_checking_tuple_offsets (void) - GVariant *variant = NULL; - GVariant *normal_variant = NULL; - -- variant = g_variant_new_from_data (G_VARIANT_TYPE_VARIANT, data, size, -- FALSE, NULL, NULL); -+ aligned_data = g_memdup (data, size); /* guarantee alignment */ -+ variant = g_variant_new_from_data (G_VARIANT_TYPE_VARIANT, aligned_data, -+ size, FALSE, NULL, NULL); - g_assert_nonnull (variant); - - normal_variant = g_variant_get_normal_form (variant); - g_assert_nonnull (normal_variant); - -+ g_free (aligned_data); - g_variant_unref (normal_variant); - g_variant_unref (variant); - } --- -2.19.1 - diff --git a/SOURCES/backport-per-desktop-overrides.patch b/SOURCES/105.patch similarity index 100% rename from SOURCES/backport-per-desktop-overrides.patch rename to SOURCES/105.patch diff --git a/SOURCES/1176.patch b/SOURCES/1176.patch new file mode 100644 index 0000000..7322a12 --- /dev/null +++ b/SOURCES/1176.patch @@ -0,0 +1,371 @@ +From ef1035d9d86464ea0b5dde60a7a0e190895fdf5b Mon Sep 17 00:00:00 2001 +From: Simon McVittie +Date: Mon, 14 Oct 2019 08:22:24 +0100 +Subject: [PATCH] gcredentialsprivate: Document the various private macros + +Signed-off-by: Simon McVittie +--- + gio/gcredentialsprivate.h | 59 +++++++++++++++++++++++++++++++++++++++ + 1 file changed, 59 insertions(+) + +diff --git a/gio/gcredentialsprivate.h b/gio/gcredentialsprivate.h +index 4d1c420a8..06f0aed19 100644 +--- a/gio/gcredentialsprivate.h ++++ b/gio/gcredentialsprivate.h +@@ -22,6 +22,65 @@ + #include "gio/gcredentials.h" + #include "gio/gnetworking.h" + ++/* ++ * G_CREDENTIALS_SUPPORTED: ++ * ++ * Defined to 1 if GCredentials works. ++ */ ++#undef G_CREDENTIALS_SUPPORTED ++ ++/* ++ * G_CREDENTIALS_USE_LINUX_UCRED, etc.: ++ * ++ * Defined to 1 if GCredentials uses Linux `struct ucred`, etc. ++ */ ++#undef G_CREDENTIALS_USE_LINUX_UCRED ++#undef G_CREDENTIALS_USE_FREEBSD_CMSGCRED ++#undef G_CREDENTIALS_USE_NETBSD_UNPCBID ++#undef G_CREDENTIALS_USE_OPENBSD_SOCKPEERCRED ++#undef G_CREDENTIALS_USE_SOLARIS_UCRED ++ ++/* ++ * G_CREDENTIALS_NATIVE_TYPE: ++ * ++ * Defined to one of G_CREDENTIALS_TYPE_LINUX_UCRED, etc. ++ */ ++#undef G_CREDENTIALS_NATIVE_TYPE ++ ++/* ++ * G_CREDENTIALS_NATIVE_SIZE: ++ * ++ * Defined to the size of the %G_CREDENTIALS_NATIVE_TYPE ++ */ ++#undef G_CREDENTIALS_NATIVE_SIZE ++ ++/* ++ * G_CREDENTIALS_UNIX_CREDENTIALS_MESSAGE_SUPPORTED: ++ * ++ * Defined to 1 if we have a message-passing API in which credentials ++ * are attached to a particular message, such as `SCM_CREDENTIALS` on Linux ++ * or `SCM_CREDS` on FreeBSD. ++ */ ++#undef G_CREDENTIALS_UNIX_CREDENTIALS_MESSAGE_SUPPORTED ++ ++/* ++ * G_CREDENTIALS_SOCKET_GET_CREDENTIALS_SUPPORTED: ++ * ++ * Defined to 1 if we have a `getsockopt()`-style API in which one end of ++ * a socket connection can directly query the credentials of the process ++ * that initiated the other end, such as `getsockopt SO_PEERCRED` on Linux ++ * or `getpeereid()` on multiple operating systems. ++ */ ++#undef G_CREDENTIALS_SOCKET_GET_CREDENTIALS_SUPPORTED ++ ++/* ++ * G_CREDENTIALS_SPOOFING_SUPPORTED: ++ * ++ * Defined to 1 if privileged processes can spoof their credentials when ++ * using the message-passing API. ++ */ ++#undef G_CREDENTIALS_SPOOFING_SUPPORTED ++ + #ifdef __linux__ + #define G_CREDENTIALS_SUPPORTED 1 + #define G_CREDENTIALS_USE_LINUX_UCRED 1 +-- +2.23.0 + +From ee502dbbe89a5976c32eb8863c9a9d274ddb60e1 Mon Sep 17 00:00:00 2001 +From: Simon McVittie +Date: Mon, 14 Oct 2019 08:47:39 +0100 +Subject: [PATCH] GDBus: prefer getsockopt()-style credentials-passing APIs + +Conceptually, a D-Bus server is really trying to determine the credentials +of (the process that initiated) a connection, not the credentials that +the process had when it sent a particular message. Ideally, it does +this with a getsockopt()-style API that queries the credentials of the +connection's initiator without requiring any particular cooperation from +that process, avoiding a class of possible failures. + +The leading '\0' in the D-Bus protocol is primarily a workaround +for platforms where the message-based credentials-passing API is +strictly better than the getsockopt()-style API (for example, on +FreeBSD, SCM_CREDS includes a process ID but getpeereid() does not), +or where the getsockopt()-style API does not exist at all. As a result +libdbus, the reference implementation of D-Bus, does not implement +Linux SCM_CREDENTIALS at all - it has no reason to do so, because the +SO_PEERCRED socket option is equally informative. + +This change makes GDBusServer on Linux more closely match the behaviour +of libdbus. + +In particular, GNOME/glib#1831 indicates that when a libdbus client +connects to a GDBus server, recvmsg() sometimes yields a SCM_CREDENTIALS +message with cmsg_data={pid=0, uid=65534, gid=65534}. I think this is +most likely a race condition in the early steps to connect: + + client server + connect + accept + send '\0' <- race -> set SO_PASSCRED = 1 + receive '\0' + +If the server wins the race: + + client server + connect + accept + set SO_PASSCRED = 1 + send '\0' + receive '\0' + +then everything is fine. However, if the client wins the race: + + client server + connect + accept + send '\0' + set SO_PASSCRED = 1 + receive '\0' + +then the kernel does not record credentials for the message containing +'\0' (because SO_PASSCRED was 0 at the time). However, by the time the +server receives the message, the kernel knows that credentials are +desired. I would have expected the kernel to omit the credentials header +in this case, but it seems that instead, it synthesizes a credentials +structure with a dummy process ID 0, a dummy uid derived from +/proc/sys/kernel/overflowuid and a dummy gid derived from +/proc/sys/kernel/overflowgid. + +In an unconfigured GDBusServer, hitting this race condition results in +falling back to DBUS_COOKIE_SHA1 authentication, which in practice usually +succeeds in authenticating the peer's uid. However, we encourage AF_UNIX +servers on Unix platforms to allow only EXTERNAL authentication as a +security-hardening measure, because DBUS_COOKIE_SHA1 relies on a series +of assumptions including a cryptographically strong PRNG and a shared +home directory with no write access by others, which are not necessarily +true for all operating systems and users. EXTERNAL authentication will +fail if the server cannot determine the client's credentials. + +In particular, this caused a regression when CVE-2019-14822 was fixed +in ibus, which appears to be resolved by this commit. Qt clients +(which use libdbus) intermittently fail to connect to an ibus server +(which uses GDBusServer), because ibus no longer allows DBUS_COOKIE_SHA1 +authentication or non-matching uids. + +Signed-off-by: Simon McVittie +Closes: https://gitlab.gnome.org/GNOME/glib/issues/1831 +--- + gio/gcredentialsprivate.h | 18 ++++++++++++++++++ + gio/gdbusauth.c | 27 +++++++++++++++++++++++++-- + 2 files changed, 43 insertions(+), 2 deletions(-) + +diff --git a/gio/gcredentialsprivate.h b/gio/gcredentialsprivate.h +index 06f0aed19..e9ec09b9f 100644 +--- a/gio/gcredentialsprivate.h ++++ b/gio/gcredentialsprivate.h +@@ -81,6 +81,18 @@ + */ + #undef G_CREDENTIALS_SPOOFING_SUPPORTED + ++/* ++ * G_CREDENTIALS_PREFER_MESSAGE_PASSING: ++ * ++ * Defined to 1 if the data structure transferred by the message-passing ++ * API is strictly more informative than the one transferred by the ++ * `getsockopt()`-style API, and hence should be preferred, even for ++ * protocols like D-Bus that are defined in terms of the credentials of ++ * the (process that opened the) socket, as opposed to the credentials ++ * of an individual message. ++ */ ++#undef G_CREDENTIALS_PREFER_MESSAGE_PASSING ++ + #ifdef __linux__ + #define G_CREDENTIALS_SUPPORTED 1 + #define G_CREDENTIALS_USE_LINUX_UCRED 1 +@@ -100,6 +112,12 @@ + #define G_CREDENTIALS_NATIVE_SIZE (sizeof (struct cmsgcred)) + #define G_CREDENTIALS_UNIX_CREDENTIALS_MESSAGE_SUPPORTED 1 + #define G_CREDENTIALS_SPOOFING_SUPPORTED 1 ++/* GLib doesn't implement it yet, but FreeBSD's getsockopt()-style API ++ * is getpeereid(), which is not as informative as struct cmsgcred - ++ * it does not tell us the PID. As a result, libdbus prefers to use ++ * SCM_CREDS, and if we implement getpeereid() in future, we should ++ * do the same. */ ++#define G_CREDENTIALS_PREFER_MESSAGE_PASSING 1 + + #elif defined(__NetBSD__) + #define G_CREDENTIALS_SUPPORTED 1 +diff --git a/gio/gdbusauth.c b/gio/gdbusauth.c +index 752ec23fc..14cc5d70e 100644 +--- a/gio/gdbusauth.c ++++ b/gio/gdbusauth.c +@@ -31,6 +31,7 @@ + #include "gdbusutils.h" + #include "gioenumtypes.h" + #include "gcredentials.h" ++#include "gcredentialsprivate.h" + #include "gdbusprivate.h" + #include "giostream.h" + #include "gdatainputstream.h" +@@ -969,9 +970,31 @@ _g_dbus_auth_run_server (GDBusAuth *auth, + + g_data_input_stream_set_newline_type (dis, G_DATA_STREAM_NEWLINE_TYPE_CR_LF); + +- /* first read the NUL-byte */ ++ /* read the NUL-byte, possibly with credentials attached */ + #ifdef G_OS_UNIX +- if (G_IS_UNIX_CONNECTION (auth->priv->stream)) ++#ifndef G_CREDENTIALS_PREFER_MESSAGE_PASSING ++ if (G_IS_SOCKET_CONNECTION (auth->priv->stream)) ++ { ++ GSocket *sock = g_socket_connection_get_socket (G_SOCKET_CONNECTION (auth->priv->stream)); ++ ++ local_error = NULL; ++ credentials = g_socket_get_credentials (sock, &local_error); ++ ++ if (credentials == NULL && !g_error_matches (local_error, G_IO_ERROR, G_IO_ERROR_NOT_SUPPORTED)) ++ { ++ g_propagate_error (error, local_error); ++ goto out; ++ } ++ else ++ { ++ /* Clear the error indicator, so we can retry with ++ * g_unix_connection_receive_credentials() if necessary */ ++ g_clear_error (&local_error); ++ } ++ } ++#endif ++ ++ if (credentials == NULL && G_IS_UNIX_CONNECTION (auth->priv->stream)) + { + local_error = NULL; + credentials = g_unix_connection_receive_credentials (G_UNIX_CONNECTION (auth->priv->stream), +-- +2.23.0 + +From 1485a97d8051b0aa047987f7b0c0bfe4ba4ce55b Mon Sep 17 00:00:00 2001 +From: Simon McVittie +Date: Fri, 18 Oct 2019 10:55:09 +0100 +Subject: [PATCH] credentials: Invalid Linux struct ucred means "no + information" + +On Linux, if getsockopt SO_PEERCRED is used on a TCP socket, one +might expect it to fail with an appropriate error like ENOTSUP or +EPROTONOSUPPORT. However, it appears that in fact it succeeds, but +yields a credentials structure with pid 0, uid -1 and gid -1. These +are not real process, user and group IDs that can be allocated to a +real process (pid 0 needs to be reserved to give kill(0) its documented +special semantics, and similarly uid and gid -1 need to be reserved for +setresuid() and setresgid()) so it is not meaningful to signal them to +high-level API users. + +An API user with Linux-specific knowledge can still inspect these fields +via g_credentials_get_native() if desired. + +Similarly, if SO_PASSCRED is used to receive a SCM_CREDENTIALS message +on a receiving Unix socket, but the sending socket had not enabled +SO_PASSCRED at the time that the message was sent, it is possible +for it to succeed but yield a credentials structure with pid 0, uid +/proc/sys/kernel/overflowuid and gid /proc/sys/kernel/overflowgid. Even +if we were to read those pseudo-files, we cannot distinguish between +the overflow IDs and a real process that legitimately has the same IDs +(typically they are set to 'nobody' and 'nogroup', which can be used +by a real process), so we detect this situation by noticing that +pid == 0, and to save syscalls we do not read the overflow IDs from +/proc at all. + +This results in a small API change: g_credentials_is_same_user() now +returns FALSE if we compare two credentials structures that are both +invalid. This seems like reasonable, conservative behaviour: if we cannot +prove that they are the same user, we should assume they are not. + +Signed-off-by: Simon McVittie +--- + gio/gcredentials.c | 42 +++++++++++++++++++++++++++++++++++++++--- + 1 file changed, 39 insertions(+), 3 deletions(-) + +diff --git a/gio/gcredentials.c b/gio/gcredentials.c +index c350e3c88..c4794ded7 100644 +--- a/gio/gcredentials.c ++++ b/gio/gcredentials.c +@@ -265,6 +265,35 @@ g_credentials_to_string (GCredentials *credentials) + + /* ---------------------------------------------------------------------------------------------------- */ + ++#if G_CREDENTIALS_USE_LINUX_UCRED ++/* ++ * Check whether @native contains invalid data. If getsockopt SO_PEERCRED ++ * is used on a TCP socket, it succeeds but yields a credentials structure ++ * with pid 0, uid -1 and gid -1. Similarly, if SO_PASSCRED is used on a ++ * receiving Unix socket when the sending socket did not also enable ++ * SO_PASSCRED, it can succeed but yield a credentials structure with ++ * pid 0, uid /proc/sys/kernel/overflowuid and gid ++ * /proc/sys/kernel/overflowgid. ++ */ ++static gboolean ++linux_ucred_check_valid (struct ucred *native, ++ GError **error) ++{ ++ if (native->pid == 0 ++ || native->uid == -1 ++ || native->gid == -1) ++ { ++ g_set_error_literal (error, ++ G_IO_ERROR, ++ G_IO_ERROR_INVALID_DATA, ++ _("GCredentials contains invalid data")); ++ return FALSE; ++ } ++ ++ return TRUE; ++} ++#endif ++ + /** + * g_credentials_is_same_user: + * @credentials: A #GCredentials. +@@ -294,7 +323,8 @@ g_credentials_is_same_user (GCredentials *credentials, + + ret = FALSE; + #if G_CREDENTIALS_USE_LINUX_UCRED +- if (credentials->native.uid == other_credentials->native.uid) ++ if (linux_ucred_check_valid (&credentials->native, NULL) ++ && credentials->native.uid == other_credentials->native.uid) + ret = TRUE; + #elif G_CREDENTIALS_USE_FREEBSD_CMSGCRED + if (credentials->native.cmcred_euid == other_credentials->native.cmcred_euid) +@@ -453,7 +483,10 @@ g_credentials_get_unix_user (GCredentials *credentials, + g_return_val_if_fail (error == NULL || *error == NULL, -1); + + #if G_CREDENTIALS_USE_LINUX_UCRED +- ret = credentials->native.uid; ++ if (linux_ucred_check_valid (&credentials->native, error)) ++ ret = credentials->native.uid; ++ else ++ ret = -1; + #elif G_CREDENTIALS_USE_FREEBSD_CMSGCRED + ret = credentials->native.cmcred_euid; + #elif G_CREDENTIALS_USE_NETBSD_UNPCBID +@@ -499,7 +532,10 @@ g_credentials_get_unix_pid (GCredentials *credentials, + g_return_val_if_fail (error == NULL || *error == NULL, -1); + + #if G_CREDENTIALS_USE_LINUX_UCRED +- ret = credentials->native.pid; ++ if (linux_ucred_check_valid (&credentials->native, error)) ++ ret = credentials->native.pid; ++ else ++ ret = -1; + #elif G_CREDENTIALS_USE_FREEBSD_CMSGCRED + ret = credentials->native.cmcred_pid; + #elif G_CREDENTIALS_USE_NETBSD_UNPCBID +-- +2.23.0 + diff --git a/SOURCES/1369.patch b/SOURCES/1369.patch new file mode 100644 index 0000000..2d5d1c3 --- /dev/null +++ b/SOURCES/1369.patch @@ -0,0 +1,38 @@ +From a18f091c6c090b93cd816f8cd5be763b6e238632 Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Fri, 7 Feb 2020 17:10:23 +0000 +Subject: [PATCH] libcharset: Drop a redundant environment variable + +It was used for running tests when we built with autotools, but is no +longer used in the Meson build system. If we need something similar in +future, it should be done by adding internal API to override the +directory on a per-call basis, rather than loading a path from a shared +global table every time. + +Signed-off-by: Philip Withnall + +Helps: #1919 +--- + glib/libcharset/localcharset.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/glib/libcharset/localcharset.c b/glib/libcharset/localcharset.c +index 0c4d544be..ab3a2678d 100644 +--- a/glib/libcharset/localcharset.c ++++ b/glib/libcharset/localcharset.c +@@ -117,11 +117,7 @@ _g_locale_get_charset_aliases (void) + const char *base = "charset.alias"; + char *file_name; + +- /* Make it possible to override the charset.alias location. This is +- necessary for running the testsuite before "make install". */ +- dir = getenv ("CHARSETALIASDIR"); +- if (dir == NULL || dir[0] == '\0') +- dir = relocate (GLIB_CHARSETALIAS_DIR); ++ dir = relocate (GLIB_CHARSETALIAS_DIR); + + /* Concatenate dir and base into freshly allocated file_name. */ + { +-- +2.31.1 + diff --git a/SOURCES/1713.patch b/SOURCES/1713.patch new file mode 100644 index 0000000..cace858 --- /dev/null +++ b/SOURCES/1713.patch @@ -0,0 +1,204 @@ +From 4f0a31d66c2a6588495b8ae682f555584dafdf45 Mon Sep 17 00:00:00 2001 +From: Claudio Saavedra +Date: Wed, 21 Oct 2020 13:19:42 +0300 +Subject: [PATCH] gmain: g_main_context_check() can skip updating polled FD + sources + +If there is a file descriptor source that has a lower priority +than the one for sources that are going to be dispatched, +all subsequent file descriptor sources (internally sorted by +file descriptor identifier) do not get an update in their GPollRec +and later on wrong sources can be dispatched. + +Fix this by first finding the first GPollRec that matches the current +GPollFD, instead of relying on it to be the current one. At +the same time, document the assumptions about the ordering of the +file descriptor records and array and make explicit in the documentation +that the array needs to be passed to g_main_context_check() as it was +received from g_main_context_query(). + +Added a new test that reproduces the bug by creating two file +descriptor sources and an idle one. Since the first +file descriptor created has a lower identifier and a low priority, +the second one is not dispatched even when it has the same, higher, +priority as the idle source. After fixing this bug, both +higher priority sources are dispatched as expected. + +While this patch was written independently, a similar fix for this +bug was first submitted by Eugene M in GNOME/glib!562. Having a +second fix that basically does the same is a reassurance that we +are in the right here. + +Fixes #1592 +--- + glib/gmain.c | 32 ++++++++++++++++++++++-- + glib/tests/mainloop.c | 57 +++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 87 insertions(+), 2 deletions(-) + +diff --git a/glib/gmain.c b/glib/gmain.c +index 95992253d..a59cd686c 100644 +--- a/glib/gmain.c ++++ b/glib/gmain.c +@@ -3573,7 +3573,10 @@ g_main_context_prepare (GMainContext *context, + * store #GPollFD records that need to be polled. + * @n_fds: (in): length of @fds. + * +- * Determines information necessary to poll this main loop. ++ * Determines information necessary to poll this main loop. You should ++ * be careful to pass the resulting @fds array and its length @n_fds ++ * as is when calling g_main_context_check(), as this function relies ++ * on assumptions made when the array is filled. + * + * You must have successfully acquired the context with + * g_main_context_acquire() before you may call this function. +@@ -3597,6 +3600,10 @@ g_main_context_query (GMainContext *context, + + TRACE (GLIB_MAIN_CONTEXT_BEFORE_QUERY (context, max_priority)); + ++ /* fds is filled sequentially from poll_records. Since poll_records ++ * are incrementally sorted by file descriptor identifier, fds will ++ * also be incrementally sorted. ++ */ + n_poll = 0; + lastpollrec = NULL; + for (pollrec = context->poll_records; pollrec; pollrec = pollrec->next) +@@ -3611,6 +3618,10 @@ g_main_context_query (GMainContext *context, + */ + events = pollrec->fd->events & ~(G_IO_ERR|G_IO_HUP|G_IO_NVAL); + ++ /* This optimization --using the same GPollFD to poll for more ++ * than one poll record-- relies on the poll records being ++ * incrementally sorted. ++ */ + if (lastpollrec && pollrec->fd->fd == lastpollrec->fd->fd) + { + if (n_poll - 1 < n_fds) +@@ -3656,7 +3667,10 @@ g_main_context_query (GMainContext *context, + * the last call to g_main_context_query() + * @n_fds: return value of g_main_context_query() + * +- * Passes the results of polling back to the main loop. ++ * Passes the results of polling back to the main loop. You should be ++ * careful to pass @fds and its length @n_fds as received from ++ * g_main_context_query(), as this functions relies on assumptions ++ * on how @fds is filled. + * + * You must have successfully acquired the context with + * g_main_context_acquire() before you may call this function. +@@ -3711,10 +3725,22 @@ g_main_context_check (GMainContext *context, + return FALSE; + } + ++ /* The linear iteration below relies on the assumption that both ++ * poll records and the fds array are incrementally sorted by file ++ * descriptor identifier. ++ */ + pollrec = context->poll_records; + i = 0; + while (pollrec && i < n_fds) + { ++ /* Make sure that fds is sorted by file descriptor identifier. */ ++ g_assert (i <= 0 || fds[i - 1].fd < fds[i].fd); ++ ++ /* Skip until finding the first GPollRec matching the current GPollFD. */ ++ while (pollrec && pollrec->fd->fd != fds[i].fd) ++ pollrec = pollrec->next; ++ ++ /* Update all consecutive GPollRecs that match. */ + while (pollrec && pollrec->fd->fd == fds[i].fd) + { + if (pollrec->priority <= max_priority) +@@ -3725,6 +3751,7 @@ g_main_context_check (GMainContext *context, + pollrec = pollrec->next; + } + ++ /* Iterate to next GPollFD. */ + i++; + } + +@@ -4320,6 +4347,7 @@ g_main_context_add_poll_unlocked (GMainContext *context, + newrec->fd = fd; + newrec->priority = priority; + ++ /* Poll records are incrementally sorted by file descriptor identifier. */ + prevrec = NULL; + nextrec = context->poll_records; + while (nextrec) +diff --git a/glib/tests/mainloop.c b/glib/tests/mainloop.c +index f5d672a63..397921f2d 100644 +--- a/glib/tests/mainloop.c ++++ b/glib/tests/mainloop.c +@@ -1511,6 +1511,62 @@ test_unix_file_poll (void) + close (fd); + } + ++static void ++test_unix_fd_priority (void) ++{ ++ gint fd1, fd2; ++ GMainLoop *loop; ++ GSource *source; ++ ++ gint s1 = 0; ++ gboolean s2 = FALSE, s3 = FALSE; ++ ++ g_test_bug ("https://gitlab.gnome.org/GNOME/glib/-/issues/1592"); ++ ++ loop = g_main_loop_new (NULL, FALSE); ++ ++ source = g_idle_source_new (); ++ g_source_set_callback (source, count_calls, &s1, NULL); ++ g_source_set_priority (source, 0); ++ g_source_attach (source, NULL); ++ g_source_unref (source); ++ ++ fd1 = open ("/dev/random", O_RDONLY); ++ g_assert_cmpint (fd1, >=, 0); ++ source = g_unix_fd_source_new (fd1, G_IO_IN); ++ g_source_set_callback (source, (GSourceFunc) (void (*)(void)) (flag_bool), &s2, NULL); ++ g_source_set_priority (source, 10); ++ g_source_attach (source, NULL); ++ g_source_unref (source); ++ ++ fd2 = open ("/dev/random", O_RDONLY); ++ g_assert_cmpint (fd2, >=, 0); ++ source = g_unix_fd_source_new (fd2, G_IO_IN); ++ g_source_set_callback (source, (GSourceFunc) (void (*)(void)) (flag_bool), &s3, NULL); ++ g_source_set_priority (source, 0); ++ g_source_attach (source, NULL); ++ g_source_unref (source); ++ ++ /* This tests a bug that depends on the source with the lowest FD ++ identifier to have the lowest priority. Make sure that this is ++ the case. */ ++ g_assert_cmpint (fd1, <, fd2); ++ ++ g_assert_true (g_main_context_iteration (NULL, FALSE)); ++ ++ /* Idle source should have been dispatched. */ ++ g_assert_cmpint (s1, ==, 1); ++ /* Low priority FD source shouldn't have been dispatched. */ ++ g_assert_false (s2); ++ /* Default priority FD source should have been dispatched. */ ++ g_assert_true (s3); ++ ++ g_main_loop_unref (loop); ++ ++ close (fd1); ++ close (fd2); ++} ++ + #endif + + static gboolean +@@ -1751,6 +1807,7 @@ main (int argc, char *argv[]) + g_test_add_func ("/mainloop/source-unix-fd-api", test_source_unix_fd_api); + g_test_add_func ("/mainloop/wait", test_mainloop_wait); + g_test_add_func ("/mainloop/unix-file-poll", test_unix_file_poll); ++ g_test_add_func ("/mainloop/unix-fd-priority", test_unix_fd_priority); + #endif + g_test_add_func ("/mainloop/nfds", test_nfds); + +-- +2.31.1 + diff --git a/SOURCES/0001-codegen-Change-pointer-casting-to-remove-type-punnin.patch b/SOURCES/309.patch similarity index 100% rename from SOURCES/0001-codegen-Change-pointer-casting-to-remove-type-punnin.patch rename to SOURCES/309.patch diff --git a/SOURCES/0001-build-sys-Pass-CFLAGS-to-DTRACE.patch b/SOURCES/409.patch similarity index 100% rename from SOURCES/0001-build-sys-Pass-CFLAGS-to-DTRACE.patch rename to SOURCES/409.patch diff --git a/SOURCES/0001-gdbus-unix-addresses-test-don-t-g_debug-when-also-te.patch b/SOURCES/50.patch similarity index 100% rename from SOURCES/0001-gdbus-unix-addresses-test-don-t-g_debug-when-also-te.patch rename to SOURCES/50.patch diff --git a/SOURCES/0001-gdbus-codegen-honor-Property.EmitsChangedSignal-anno.patch b/SOURCES/532.patch similarity index 100% rename from SOURCES/0001-gdbus-codegen-honor-Property.EmitsChangedSignal-anno.patch rename to SOURCES/532.patch diff --git a/SOURCES/0001-spawn-add-shebang-line-to-script.patch b/SOURCES/546.patch similarity index 100% rename from SOURCES/0001-spawn-add-shebang-line-to-script.patch rename to SOURCES/546.patch diff --git a/SOURCES/0001-gfile-Limit-access-to-files-when-copying.patch b/SOURCES/CVE-2019-12450.patch similarity index 100% rename from SOURCES/0001-gfile-Limit-access-to-files-when-copying.patch rename to SOURCES/CVE-2019-12450.patch diff --git a/SOURCES/CVE-2021-27218.patch b/SOURCES/CVE-2021-27218.patch new file mode 100644 index 0000000..15aa571 --- /dev/null +++ b/SOURCES/CVE-2021-27218.patch @@ -0,0 +1,129 @@ +From 89b522ed31837cb2ac107a8961fbb0f2c7fc7ccb Mon Sep 17 00:00:00 2001 +From: Krzesimir Nowak +Date: Wed, 10 Feb 2021 23:51:07 +0100 +Subject: [PATCH] gbytearray: Do not accept too large byte arrays + +GByteArray uses guint for storing the length of the byte array, but it +also has a constructor (g_byte_array_new_take) that takes length as a +gsize. gsize may be larger than guint (64 bits for gsize vs 32 bits +for guint). It is possible to call the function with a value greater +than G_MAXUINT, which will result in silent length truncation. This +may happen as a result of unreffing GBytes into GByteArray, so rather +be loud about it. + +(Test case tweaked by Philip Withnall.) +--- + glib/garray.c | 6 ++++++ + glib/gbytes.c | 4 ++++ + glib/tests/bytes.c | 37 +++++++++++++++++++++++++++++++++++-- + 3 files changed, 45 insertions(+), 2 deletions(-) + +diff --git a/glib/garray.c b/glib/garray.c +index aa3c04707..271d85ad8 100644 +--- a/glib/garray.c ++++ b/glib/garray.c +@@ -1666,6 +1666,10 @@ g_byte_array_new (void) + * Create byte array containing the data. The data will be owned by the array + * and will be freed with g_free(), i.e. it could be allocated using g_strdup(). + * ++ * Do not use it if @len is greater than %G_MAXUINT. #GByteArray ++ * stores the length of its data in #guint, which may be shorter than ++ * #gsize. ++ * + * Since: 2.32 + * + * Returns: (transfer full): a new #GByteArray +@@ -1677,6 +1681,8 @@ g_byte_array_new_take (guint8 *data, + GByteArray *array; + GRealArray *real; + ++ g_return_val_if_fail (len <= G_MAXUINT, NULL); ++ + array = g_byte_array_new (); + real = (GRealArray *)array; + g_assert (real->data == NULL); +diff --git a/glib/gbytes.c b/glib/gbytes.c +index 5141170d7..635b79535 100644 +--- a/glib/gbytes.c ++++ b/glib/gbytes.c +@@ -512,6 +512,10 @@ g_bytes_unref_to_data (GBytes *bytes, + * g_bytes_new(), g_bytes_new_take() or g_byte_array_free_to_bytes(). In all + * other cases the data is copied. + * ++ * Do not use it if @bytes contains more than %G_MAXUINT ++ * bytes. #GByteArray stores the length of its data in #guint, which ++ * may be shorter than #gsize, that @bytes is using. ++ * + * Returns: (transfer full): a new mutable #GByteArray containing the same byte data + * + * Since: 2.32 +diff --git a/glib/tests/bytes.c b/glib/tests/bytes.c +index 5ea5c2b35..42281307b 100644 +--- a/glib/tests/bytes.c ++++ b/glib/tests/bytes.c +@@ -10,12 +10,12 @@ + */ + + #undef G_DISABLE_ASSERT +-#undef G_LOG_DOMAIN + + #include + #include + #include + #include "glib.h" ++#include "glib/gstrfuncsprivate.h" + + /* Keep in sync with glib/gbytes.c */ + struct _GBytes +@@ -333,6 +333,38 @@ test_to_array_transferred (void) + g_byte_array_unref (array); + } + ++static void ++test_to_array_transferred_oversize (void) ++{ ++ g_test_message ("g_bytes_unref_to_array() can only take GBytes up to " ++ "G_MAXUINT in length; test that longer ones are rejected"); ++ ++ if (sizeof (guint) >= sizeof (gsize)) ++ { ++ g_test_skip ("Skipping test as guint is not smaller than gsize"); ++ } ++ else if (g_test_undefined ()) ++ { ++ GByteArray *array = NULL; ++ GBytes *bytes = NULL; ++ gpointer data = g_memdup2 (NYAN, N_NYAN); ++ gsize len = ((gsize) G_MAXUINT) + 1; ++ ++ bytes = g_bytes_new_take (data, len); ++ g_test_expect_message (G_LOG_DOMAIN, G_LOG_LEVEL_CRITICAL, ++ "g_byte_array_new_take: assertion 'len <= G_MAXUINT' failed"); ++ array = g_bytes_unref_to_array (g_steal_pointer (&bytes)); ++ g_test_assert_expected_messages (); ++ g_assert_null (array); ++ ++ g_free (data); ++ } ++ else ++ { ++ g_test_skip ("Skipping test as testing undefined behaviour is disabled"); ++ } ++} ++ + static void + test_to_array_two_refs (void) + { +@@ -407,7 +439,8 @@ main (int argc, char *argv[]) + g_test_add_func ("/bytes/to-data/transfered", test_to_data_transferred); + g_test_add_func ("/bytes/to-data/two-refs", test_to_data_two_refs); + g_test_add_func ("/bytes/to-data/non-malloc", test_to_data_non_malloc); +- g_test_add_func ("/bytes/to-array/transfered", test_to_array_transferred); ++ g_test_add_func ("/bytes/to-array/transferred", test_to_array_transferred); ++ g_test_add_func ("/bytes/to-array/transferred-oversize", test_to_array_transferred_oversize); + g_test_add_func ("/bytes/to-array/two-refs", test_to_array_two_refs); + g_test_add_func ("/bytes/to-array/non-malloc", test_to_array_non_malloc); + g_test_add_func ("/bytes/null", test_null); +-- +2.31.1 + diff --git a/SOURCES/CVE-2021-27219.patch b/SOURCES/CVE-2021-27219.patch new file mode 100644 index 0000000..8374e68 --- /dev/null +++ b/SOURCES/CVE-2021-27219.patch @@ -0,0 +1,849 @@ +From 7b46597384de916b4027ebaff662d06ff3ea2bc8 Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Thu, 4 Feb 2021 13:30:52 +0000 +Subject: [PATCH 1/6] gstrfuncs: Add internal g_memdup2() function +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This will replace the existing `g_memdup()` function for use within +GLib. It has an unavoidable security flaw of taking its `byte_size` +argument as a `guint` rather than as a `gsize`. Most callers will +expect it to be a `gsize`, and may pass in large values which could +silently be truncated, resulting in an undersize allocation compared +to what the caller expects. + +This could lead to a classic buffer overflow vulnerability for many +callers of `g_memdup()`. + +`g_memdup2()`, in comparison, takes its `byte_size` as a `gsize`. + +Spotted by Kevin Backhouse of GHSL. + +In GLib 2.68, `g_memdup2()` will be a new public API. In this version +for backport to older stable releases, it’s a new `static inline` API +in a private header, so that use of `g_memdup()` within GLib can be +fixed without adding a new API in a stable release series. + +Signed-off-by: Philip Withnall +Helps: CVE-2021-27219 +Helps: GHSL-2021-045 +Helps: #2319 +(cherry picked from commit 5e5f75a77e399c638be66d74e5daa8caeb433e00) +--- + docs/reference/glib/meson.build | 1 + + glib/gstrfuncsprivate.h | 55 +++++++++++++++++++++++++++++++++ + glib/meson.build | 1 + + glib/tests/strfuncs.c | 23 ++++++++++++++ + 4 files changed, 80 insertions(+) + create mode 100644 glib/gstrfuncsprivate.h + +diff --git a/docs/reference/glib/meson.build b/docs/reference/glib/meson.build +index f0f915e96..1a3680941 100644 +--- a/docs/reference/glib/meson.build ++++ b/docs/reference/glib/meson.build +@@ -20,6 +20,7 @@ if get_option('gtk_doc') + 'gprintfint.h', + 'gmirroringtable.h', + 'gscripttable.h', ++ 'gstrfuncsprivate.h', + 'glib-mirroring-tab', + 'gnulib', + 'pcre', +diff --git a/glib/gstrfuncsprivate.h b/glib/gstrfuncsprivate.h +new file mode 100644 +index 000000000..85c88328a +--- /dev/null ++++ b/glib/gstrfuncsprivate.h +@@ -0,0 +1,55 @@ ++/* GLIB - Library of useful routines for C programming ++ * Copyright (C) 1995-1997 Peter Mattis, Spencer Kimball and Josh MacDonald ++ * ++ * This library is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU Lesser General Public ++ * License as published by the Free Software Foundation; either ++ * version 2.1 of the License, or (at your option) any later version. ++ * ++ * This library is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * Lesser General Public License for more details. ++ * ++ * You should have received a copy of the GNU Lesser General Public ++ * License along with this library; if not, see . ++ */ ++ ++#include ++#include ++ ++/* ++ * g_memdup2: ++ * @mem: (nullable): the memory to copy. ++ * @byte_size: the number of bytes to copy. ++ * ++ * Allocates @byte_size bytes of memory, and copies @byte_size bytes into it ++ * from @mem. If @mem is %NULL it returns %NULL. ++ * ++ * This replaces g_memdup(), which was prone to integer overflows when ++ * converting the argument from a #gsize to a #guint. ++ * ++ * This static inline version is a backport of the new public API from ++ * GLib 2.68, kept internal to GLib for backport to older stable releases. ++ * See https://gitlab.gnome.org/GNOME/glib/-/issues/2319. ++ * ++ * Returns: (nullable): a pointer to the newly-allocated copy of the memory, ++ * or %NULL if @mem is %NULL. ++ * Since: 2.68 ++ */ ++static inline gpointer ++g_memdup2 (gconstpointer mem, ++ gsize byte_size) ++{ ++ gpointer new_mem; ++ ++ if (mem && byte_size != 0) ++ { ++ new_mem = g_malloc (byte_size); ++ memcpy (new_mem, mem, byte_size); ++ } ++ else ++ new_mem = NULL; ++ ++ return new_mem; ++} +diff --git a/glib/meson.build b/glib/meson.build +index a2f9da81c..481fd06ff 100644 +--- a/glib/meson.build ++++ b/glib/meson.build +@@ -167,6 +167,7 @@ glib_sources = files( + 'gslist.c', + 'gstdio.c', + 'gstrfuncs.c', ++ 'gstrfuncsprivate.h', + 'gstring.c', + 'gstringchunk.c', + 'gtestutils.c', +diff --git a/glib/tests/strfuncs.c b/glib/tests/strfuncs.c +index 7e031bdb1..2aa252946 100644 +--- a/glib/tests/strfuncs.c ++++ b/glib/tests/strfuncs.c +@@ -32,6 +32,8 @@ + #include + #include "glib.h" + ++#include "gstrfuncsprivate.h" ++ + #if defined (_MSC_VER) && (_MSC_VER <= 1800) + #define isnan(x) _isnan(x) + +@@ -199,6 +201,26 @@ test_is_to_digit (void) + #undef TEST_DIGIT + } + ++/* Testing g_memdup2() function with various positive and negative cases */ ++static void ++test_memdup2 (void) ++{ ++ gchar *str_dup = NULL; ++ const gchar *str = "The quick brown fox jumps over the lazy dog"; ++ ++ /* Testing negative cases */ ++ g_assert_null (g_memdup2 (NULL, 1024)); ++ g_assert_null (g_memdup2 (str, 0)); ++ g_assert_null (g_memdup2 (NULL, 0)); ++ ++ /* Testing normal usage cases */ ++ str_dup = g_memdup2 (str, strlen (str) + 1); ++ g_assert_nonnull (str_dup); ++ g_assert_cmpstr (str, ==, str_dup); ++ ++ g_free (str_dup); ++} ++ + static void + test_strdup (void) + { +@@ -1726,6 +1748,7 @@ main (int argc, + g_test_init (&argc, &argv, NULL); + + g_test_add_func ("/strfuncs/test-is-to-digit", test_is_to_digit); ++ g_test_add_func ("/strfuncs/memdup2", test_memdup2); + g_test_add_func ("/strfuncs/strdup", test_strdup); + g_test_add_func ("/strfuncs/strndup", test_strndup); + g_test_add_func ("/strfuncs/strdup-printf", test_strdup_printf); +-- +2.31.1 + +From d6aab169954d9e6e77753dee68e1b3f5932f6dee Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Thu, 4 Feb 2021 13:41:21 +0000 +Subject: [PATCH 2/6] glib: Use g_memdup2() instead of g_memdup() in obvious + places +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Convert all the call sites which use `g_memdup()`’s length argument +trivially (for example, by passing a `sizeof()` or an existing `gsize` +variable), so that they use `g_memdup2()` instead. + +In almost all of these cases the use of `g_memdup()` would not have +caused problems, but it will soon be deprecated, so best port away from +it + +In particular, this fixes an overflow within `g_bytes_new()`, identified +as GHSL-2021-045 (aka CVE-2021-27219) by GHSL team member Kevin Backhouse. + +Adapted for GLib 2.58 by Simon McVittie. + +Signed-off-by: Philip Withnall +Fixes: CVE-2021-27219 +Fixes: GHSL-2021-045 +Helps: #2319 +(cherry picked from commit 0736b7c1e7cf4232c5d7eb2b0fbfe9be81bd3baa) +[Backport to 2.58: Omit changes to ghash.c, will be a separate commit] +[Backport to 2.58: Omit changes to giochannel.c, not needed in this branch] +[Backport to 2.58: Omit changes to uri test, not needed in this branch] +Signed-off-by: Simon McVittie +--- + glib/gbytes.c | 6 ++++-- + glib/gdir.c | 3 ++- + glib/gslice.c | 3 ++- + glib/gtestutils.c | 3 ++- + glib/gvariant.c | 7 ++++--- + glib/gvarianttype.c | 3 ++- + glib/tests/array-test.c | 2 +- + glib/tests/option-context.c | 6 ++++-- + 8 files changed, 21 insertions(+), 12 deletions(-) + +diff --git a/glib/gbytes.c b/glib/gbytes.c +index 3b14a51cd..5141170d7 100644 +--- a/glib/gbytes.c ++++ b/glib/gbytes.c +@@ -33,6 +33,8 @@ + + #include + ++#include "gstrfuncsprivate.h" ++ + /** + * GBytes: + * +@@ -94,7 +96,7 @@ g_bytes_new (gconstpointer data, + { + g_return_val_if_fail (data != NULL || size == 0, NULL); + +- return g_bytes_new_take (g_memdup (data, size), size); ++ return g_bytes_new_take (g_memdup2 (data, size), size); + } + + /** +@@ -490,7 +492,7 @@ g_bytes_unref_to_data (GBytes *bytes, + * Copy: Non g_malloc (or compatible) allocator, or static memory, + * so we have to copy, and then unref. + */ +- result = g_memdup (bytes->data, bytes->size); ++ result = g_memdup2 (bytes->data, bytes->size); + *size = bytes->size; + g_bytes_unref (bytes); + } +diff --git a/glib/gdir.c b/glib/gdir.c +index cb4ad0b2f..9d955d57f 100644 +--- a/glib/gdir.c ++++ b/glib/gdir.c +@@ -37,6 +37,7 @@ + #include "gconvert.h" + #include "gfileutils.h" + #include "gstrfuncs.h" ++#include "gstrfuncsprivate.h" + #include "gtestutils.h" + #include "glibintl.h" + +@@ -113,7 +114,7 @@ g_dir_open_with_errno (const gchar *path, + return NULL; + #endif + +- return g_memdup (&dir, sizeof dir); ++ return g_memdup2 (&dir, sizeof dir); + } + + /** +diff --git a/glib/gslice.c b/glib/gslice.c +index 454c8a602..8e2359515 100644 +--- a/glib/gslice.c ++++ b/glib/gslice.c +@@ -45,6 +45,7 @@ + #include "gmain.h" + #include "gmem.h" /* gslice.h */ + #include "gstrfuncs.h" ++#include "gstrfuncsprivate.h" + #include "gutils.h" + #include "gtrashstack.h" + #include "gtestutils.h" +@@ -352,7 +353,7 @@ g_slice_get_config_state (GSliceConfig ckey, + array[i++] = allocator->contention_counters[address]; + array[i++] = allocator_get_magazine_threshold (allocator, address); + *n_values = i; +- return g_memdup (array, sizeof (array[0]) * *n_values); ++ return g_memdup2 (array, sizeof (array[0]) * *n_values); + default: + return NULL; + } +diff --git a/glib/gtestutils.c b/glib/gtestutils.c +index 0447dcda5..14e071fce 100644 +--- a/glib/gtestutils.c ++++ b/glib/gtestutils.c +@@ -49,6 +49,7 @@ + #include "gpattern.h" + #include "grand.h" + #include "gstrfuncs.h" ++#include "gstrfuncsprivate.h" + #include "gtimer.h" + #include "gslice.h" + #include "gspawn.h" +@@ -3397,7 +3398,7 @@ g_test_log_extract (GTestLogBuffer *tbuffer) + if (p <= tbuffer->data->str + mlength) + { + g_string_erase (tbuffer->data, 0, mlength); +- tbuffer->msgs = g_slist_prepend (tbuffer->msgs, g_memdup (&msg, sizeof (msg))); ++ tbuffer->msgs = g_slist_prepend (tbuffer->msgs, g_memdup2 (&msg, sizeof (msg))); + return TRUE; + } + +diff --git a/glib/gvariant.c b/glib/gvariant.c +index 8be9ce798..45a1a73dc 100644 +--- a/glib/gvariant.c ++++ b/glib/gvariant.c +@@ -33,6 +33,7 @@ + + #include + ++#include "gstrfuncsprivate.h" + + /** + * SECTION:gvariant +@@ -720,7 +721,7 @@ g_variant_new_variant (GVariant *value) + g_variant_ref_sink (value); + + return g_variant_new_from_children (G_VARIANT_TYPE_VARIANT, +- g_memdup (&value, sizeof value), ++ g_memdup2 (&value, sizeof value), + 1, g_variant_is_trusted (value)); + } + +@@ -1224,7 +1225,7 @@ g_variant_new_fixed_array (const GVariantType *element_type, + return NULL; + } + +- data = g_memdup (elements, n_elements * element_size); ++ data = g_memdup2 (elements, n_elements * element_size); + value = g_variant_new_from_data (array_type, data, + n_elements * element_size, + FALSE, g_free, data); +@@ -1901,7 +1902,7 @@ g_variant_dup_bytestring (GVariant *value, + if (length) + *length = size; + +- return g_memdup (original, size + 1); ++ return g_memdup2 (original, size + 1); + } + + /** +diff --git a/glib/gvarianttype.c b/glib/gvarianttype.c +index c8433e65a..dbbf7d2d1 100644 +--- a/glib/gvarianttype.c ++++ b/glib/gvarianttype.c +@@ -28,6 +28,7 @@ + + #include + ++#include "gstrfuncsprivate.h" + + /** + * SECTION:gvarianttype +@@ -1174,7 +1175,7 @@ g_variant_type_new_tuple (const GVariantType * const *items, + g_assert (offset < sizeof buffer); + buffer[offset++] = ')'; + +- return (GVariantType *) g_memdup (buffer, offset); ++ return (GVariantType *) g_memdup2 (buffer, offset); + } + + /** +-- +2.31.1 + +From 7e2c2a07508a97b9d75e402afe4749b02a34dd8b Mon Sep 17 00:00:00 2001 +From: Simon McVittie +Date: Thu, 18 Mar 2021 10:31:00 +0000 +Subject: [PATCH 3/6] ghash: Use g_memdup2() instead of g_memdup() + +Backport of part of commit 0736b7c1e7cf4232c5d7eb2b0fbfe9be81bd3baa +to the simpler structure of the GHashTable code in glib-2-58. + +Helps: #2319 +Signed-off-by: Simon McVittie +--- + glib/ghash.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/glib/ghash.c b/glib/ghash.c +index 6bb04a50d..608d136f4 100644 +--- a/glib/ghash.c ++++ b/glib/ghash.c +@@ -34,6 +34,7 @@ + + #include "glib-private.h" + #include "gstrfuncs.h" ++#include "gstrfuncsprivate.h" + #include "gatomic.h" + #include "gtestutils.h" + #include "gslice.h" +@@ -967,7 +968,7 @@ g_hash_table_insert_node (GHashTable *hash_table, + * split the table. + */ + if (G_UNLIKELY (hash_table->keys == hash_table->values && hash_table->keys[node_index] != new_value)) +- hash_table->values = g_memdup (hash_table->keys, sizeof (gpointer) * hash_table->size); ++ hash_table->values = g_memdup2 (hash_table->keys, sizeof (gpointer) * hash_table->size); + + /* Step 3: Actually do the write */ + hash_table->values[node_index] = new_value; +-- +2.31.1 + +From 9e0c87610dccd1b0eaca28a3baa521ea6a24f46b Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Thu, 4 Feb 2021 13:39:25 +0000 +Subject: [PATCH 4/6] gobject: Use g_memdup2() instead of g_memdup() in obvious + places +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Convert all the call sites which use `g_memdup()`’s length argument +trivially (for example, by passing a `sizeof()`), so that they use +`g_memdup2()` instead. + +In almost all of these cases the use of `g_memdup()` would not have +caused problems, but it will soon be deprecated, so best port away from +it. + +Signed-off-by: Philip Withnall +Helps: #2319 +(cherry picked from commit 6110caea45b235420b98cd41d845cc92238f6781) +--- + gobject/gsignal.c | 3 ++- + gobject/gtype.c | 9 +++++---- + gobject/gtypemodule.c | 3 ++- + gobject/tests/param.c | 4 +++- + 4 files changed, 12 insertions(+), 7 deletions(-) + +diff --git a/gobject/gsignal.c b/gobject/gsignal.c +index b22dfcca8..92555eb60 100644 +--- a/gobject/gsignal.c ++++ b/gobject/gsignal.c +@@ -28,6 +28,7 @@ + #include + + #include "gsignal.h" ++#include "gstrfuncsprivate.h" + #include "gtype-private.h" + #include "gbsearcharray.h" + #include "gvaluecollector.h" +@@ -1724,7 +1725,7 @@ g_signal_newv (const gchar *signal_name, + node->single_va_closure_is_valid = FALSE; + node->flags = signal_flags & G_SIGNAL_FLAGS_MASK; + node->n_params = n_params; +- node->param_types = g_memdup (param_types, sizeof (GType) * n_params); ++ node->param_types = g_memdup2 (param_types, sizeof (GType) * n_params); + node->return_type = return_type; + node->class_closure_bsa = NULL; + if (accumulator) +diff --git a/gobject/gtype.c b/gobject/gtype.c +index 275a8b60b..9e663ce52 100644 +--- a/gobject/gtype.c ++++ b/gobject/gtype.c +@@ -33,6 +33,7 @@ + + #include "glib-private.h" + #include "gconstructor.h" ++#include "gstrfuncsprivate.h" + + #ifdef G_OS_WIN32 + #include +@@ -1471,7 +1472,7 @@ type_add_interface_Wm (TypeNode *node, + iholder->next = iface_node_get_holders_L (iface); + iface_node_set_holders_W (iface, iholder); + iholder->instance_type = NODE_TYPE (node); +- iholder->info = info ? g_memdup (info, sizeof (*info)) : NULL; ++ iholder->info = info ? g_memdup2 (info, sizeof (*info)) : NULL; + iholder->plugin = plugin; + + /* create an iface entry for this type */ +@@ -1732,7 +1733,7 @@ type_iface_retrieve_holder_info_Wm (TypeNode *iface, + INVALID_RECURSION ("g_type_plugin_*", iholder->plugin, NODE_NAME (iface)); + + check_interface_info_I (iface, instance_type, &tmp_info); +- iholder->info = g_memdup (&tmp_info, sizeof (tmp_info)); ++ iholder->info = g_memdup2 (&tmp_info, sizeof (tmp_info)); + } + + return iholder; /* we don't modify write lock upon returning NULL */ +@@ -2013,10 +2014,10 @@ type_iface_vtable_base_init_Wm (TypeNode *iface, + IFaceEntry *pentry = type_lookup_iface_entry_L (pnode, iface); + + if (pentry) +- vtable = g_memdup (pentry->vtable, iface->data->iface.vtable_size); ++ vtable = g_memdup2 (pentry->vtable, iface->data->iface.vtable_size); + } + if (!vtable) +- vtable = g_memdup (iface->data->iface.dflt_vtable, iface->data->iface.vtable_size); ++ vtable = g_memdup2 (iface->data->iface.dflt_vtable, iface->data->iface.vtable_size); + entry->vtable = vtable; + vtable->g_type = NODE_TYPE (iface); + vtable->g_instance_type = NODE_TYPE (node); +diff --git a/gobject/gtypemodule.c b/gobject/gtypemodule.c +index c67f789b1..cf877bc0b 100644 +--- a/gobject/gtypemodule.c ++++ b/gobject/gtypemodule.c +@@ -19,6 +19,7 @@ + + #include + ++#include "gstrfuncsprivate.h" + #include "gtypeplugin.h" + #include "gtypemodule.h" + +@@ -436,7 +437,7 @@ g_type_module_register_type (GTypeModule *module, + module_type_info->loaded = TRUE; + module_type_info->info = *type_info; + if (type_info->value_table) +- module_type_info->info.value_table = g_memdup (type_info->value_table, ++ module_type_info->info.value_table = g_memdup2 (type_info->value_table, + sizeof (GTypeValueTable)); + + return module_type_info->type; +diff --git a/gobject/tests/param.c b/gobject/tests/param.c +index 758289bf8..971cff162 100644 +--- a/gobject/tests/param.c ++++ b/gobject/tests/param.c +@@ -2,6 +2,8 @@ + #include + #include + ++#include "gstrfuncsprivate.h" ++ + static void + test_param_value (void) + { +@@ -851,7 +853,7 @@ main (int argc, char *argv[]) + test_path = g_strdup_printf ("/param/implement/subprocess/%d-%d-%d-%d", + data.change_this_flag, data.change_this_type, + data.use_this_flag, data.use_this_type); +- test_data = g_memdup (&data, sizeof (TestParamImplementData)); ++ test_data = g_memdup2 (&data, sizeof (TestParamImplementData)); + g_test_add_data_func_full (test_path, test_data, test_param_implement_child, g_free); + g_free (test_path); + } +-- +2.31.1 + +From d3f7a79540fc1e85eb82c2987e9f7e2dbd93ff74 Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Thu, 4 Feb 2021 13:37:56 +0000 +Subject: [PATCH 5/6] gio: Use g_memdup2() instead of g_memdup() in obvious + places +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Convert all the call sites which use `g_memdup()`’s length argument +trivially (for example, by passing a `sizeof()`), so that they use +`g_memdup2()` instead. + +In almost all of these cases the use of `g_memdup()` would not have +caused problems, but it will soon be deprecated, so best port away from +it. + +Signed-off-by: Philip Withnall +Helps: #2319 +(cherry picked from commit be8834340a2d928ece82025463ae23dee2c333d0) +--- + gio/gdbusconnection.c | 5 +++-- + gio/gdbusinterfaceskeleton.c | 3 ++- + gio/gfile.c | 7 ++++--- + gio/gsettingsschema.c | 5 +++-- + gio/gwin32registrykey.c | 8 +++++--- + gio/tests/async-close-output-stream.c | 6 ++++-- + gio/tests/gdbus-export.c | 5 +++-- + gio/win32/gwinhttpfile.c | 9 +++++---- + 8 files changed, 29 insertions(+), 19 deletions(-) + +diff --git a/gio/gdbusconnection.c b/gio/gdbusconnection.c +index 6f7e5fefc..117c8df35 100644 +--- a/gio/gdbusconnection.c ++++ b/gio/gdbusconnection.c +@@ -119,6 +119,7 @@ + #include "gasyncinitable.h" + #include "giostream.h" + #include "gasyncresult.h" ++#include "gstrfuncsprivate.h" + #include "gtask.h" + + #ifdef G_OS_UNIX +@@ -3970,7 +3971,7 @@ _g_dbus_interface_vtable_copy (const GDBusInterfaceVTable *vtable) + /* Don't waste memory by copying padding - remember to update this + * when changing struct _GDBusInterfaceVTable in gdbusconnection.h + */ +- return g_memdup ((gconstpointer) vtable, 3 * sizeof (gpointer)); ++ return g_memdup2 ((gconstpointer) vtable, 3 * sizeof (gpointer)); + } + + static void +@@ -3987,7 +3988,7 @@ _g_dbus_subtree_vtable_copy (const GDBusSubtreeVTable *vtable) + /* Don't waste memory by copying padding - remember to update this + * when changing struct _GDBusSubtreeVTable in gdbusconnection.h + */ +- return g_memdup ((gconstpointer) vtable, 3 * sizeof (gpointer)); ++ return g_memdup2 ((gconstpointer) vtable, 3 * sizeof (gpointer)); + } + + static void +diff --git a/gio/gdbusinterfaceskeleton.c b/gio/gdbusinterfaceskeleton.c +index 96bd520aa..672604c49 100644 +--- a/gio/gdbusinterfaceskeleton.c ++++ b/gio/gdbusinterfaceskeleton.c +@@ -27,6 +27,7 @@ + #include "gdbusprivate.h" + #include "gdbusmethodinvocation.h" + #include "gdbusconnection.h" ++#include "gstrfuncsprivate.h" + #include "gtask.h" + #include "gioerror.h" + +@@ -697,7 +698,7 @@ add_connection_locked (GDBusInterfaceSkeleton *interface_, + * properly before building the hooked_vtable, so we create it + * once at the last minute. + */ +- interface_->priv->hooked_vtable = g_memdup (g_dbus_interface_skeleton_get_vtable (interface_), sizeof (GDBusInterfaceVTable)); ++ interface_->priv->hooked_vtable = g_memdup2 (g_dbus_interface_skeleton_get_vtable (interface_), sizeof (GDBusInterfaceVTable)); + interface_->priv->hooked_vtable->method_call = skeleton_intercept_handle_method_call; + } + +diff --git a/gio/gfile.c b/gio/gfile.c +index ff313ebf8..29ebaaa62 100644 +--- a/gio/gfile.c ++++ b/gio/gfile.c +@@ -60,6 +60,7 @@ + #include "gasyncresult.h" + #include "gioerror.h" + #include "glibintl.h" ++#include "gstrfuncsprivate.h" + + + /** +@@ -7734,7 +7735,7 @@ measure_disk_usage_progress (gboolean reporting, + g_main_context_invoke_full (g_task_get_context (task), + g_task_get_priority (task), + measure_disk_usage_invoke_progress, +- g_memdup (&progress, sizeof progress), ++ g_memdup2 (&progress, sizeof progress), + g_free); + } + +@@ -7752,7 +7753,7 @@ measure_disk_usage_thread (GTask *task, + data->progress_callback ? measure_disk_usage_progress : NULL, task, + &result.disk_usage, &result.num_dirs, &result.num_files, + &error)) +- g_task_return_pointer (task, g_memdup (&result, sizeof result), g_free); ++ g_task_return_pointer (task, g_memdup2 (&result, sizeof result), g_free); + else + g_task_return_error (task, error); + } +@@ -7776,7 +7777,7 @@ g_file_real_measure_disk_usage_async (GFile *file, + + task = g_task_new (file, cancellable, callback, user_data); + g_task_set_source_tag (task, g_file_real_measure_disk_usage_async); +- g_task_set_task_data (task, g_memdup (&data, sizeof data), g_free); ++ g_task_set_task_data (task, g_memdup2 (&data, sizeof data), g_free); + g_task_set_priority (task, io_priority); + + g_task_run_in_thread (task, measure_disk_usage_thread); +diff --git a/gio/gsettingsschema.c b/gio/gsettingsschema.c +index 17b7e3b01..499944395 100644 +--- a/gio/gsettingsschema.c ++++ b/gio/gsettingsschema.c +@@ -20,6 +20,7 @@ + + #include "gsettingsschema-internal.h" + #include "gsettings.h" ++#include "gstrfuncsprivate.h" + + #include "gvdb/gvdb-reader.h" + #include "strinfo.c" +@@ -1054,9 +1055,9 @@ g_settings_schema_list_children (GSettingsSchema *schema) + + if (g_str_has_suffix (key, "/")) + { +- gint length = strlen (key); ++ gsize length = strlen (key); + +- strv[j] = g_memdup (key, length); ++ strv[j] = g_memdup2 (key, length); + strv[j][length - 1] = '\0'; + j++; + } +diff --git a/gio/gwin32registrykey.c b/gio/gwin32registrykey.c +index c19fede4e..619fd48af 100644 +--- a/gio/gwin32registrykey.c ++++ b/gio/gwin32registrykey.c +@@ -28,6 +28,8 @@ + #include + #include + ++#include "gstrfuncsprivate.h" ++ + #ifndef _WDMDDK_ + typedef enum _KEY_INFORMATION_CLASS { + KeyBasicInformation, +@@ -247,7 +249,7 @@ g_win32_registry_value_iter_copy (const GWin32RegistryValueIter *iter) + new_iter->value_name_size = iter->value_name_size; + + if (iter->value_data != NULL) +- new_iter->value_data = g_memdup (iter->value_data, iter->value_data_size); ++ new_iter->value_data = g_memdup2 (iter->value_data, iter->value_data_size); + + new_iter->value_data_size = iter->value_data_size; + +@@ -268,8 +270,8 @@ g_win32_registry_value_iter_copy (const GWin32RegistryValueIter *iter) + new_iter->value_data_expanded_charsize = iter->value_data_expanded_charsize; + + if (iter->value_data_expanded_u8 != NULL) +- new_iter->value_data_expanded_u8 = g_memdup (iter->value_data_expanded_u8, +- iter->value_data_expanded_charsize); ++ new_iter->value_data_expanded_u8 = g_memdup2 (iter->value_data_expanded_u8, ++ iter->value_data_expanded_charsize); + + new_iter->value_data_expanded_u8_size = iter->value_data_expanded_charsize; + +diff --git a/gio/tests/async-close-output-stream.c b/gio/tests/async-close-output-stream.c +index 5f6620275..d3f97a119 100644 +--- a/gio/tests/async-close-output-stream.c ++++ b/gio/tests/async-close-output-stream.c +@@ -24,6 +24,8 @@ + #include + #include + ++#include "gstrfuncsprivate.h" ++ + #define DATA_TO_WRITE "Hello world\n" + + typedef struct +@@ -147,9 +149,9 @@ prepare_data (SetupData *data, + + data->expected_size = g_memory_output_stream_get_data_size (G_MEMORY_OUTPUT_STREAM (data->data_stream)); + +- g_assert_cmpint (data->expected_size, >, 0); ++ g_assert_cmpuint (data->expected_size, >, 0); + +- data->expected_output = g_memdup (written, (guint)data->expected_size); ++ data->expected_output = g_memdup2 (written, data->expected_size); + + /* then recreate the streams and prepare them for the asynchronous close */ + destroy_streams (data); +diff --git a/gio/tests/gdbus-export.c b/gio/tests/gdbus-export.c +index ef0dddeee..a3c842360 100644 +--- a/gio/tests/gdbus-export.c ++++ b/gio/tests/gdbus-export.c +@@ -23,6 +23,7 @@ + #include + + #include "gdbus-tests.h" ++#include "gstrfuncsprivate.h" + + /* all tests rely on a shared mainloop */ + static GMainLoop *loop = NULL; +@@ -652,7 +653,7 @@ subtree_introspect (GDBusConnection *connection, + g_assert_not_reached (); + } + +- return g_memdup (interfaces, 2 * sizeof (void *)); ++ return g_memdup2 (interfaces, 2 * sizeof (void *)); + } + + static const GDBusInterfaceVTable * +@@ -708,7 +709,7 @@ dynamic_subtree_introspect (GDBusConnection *connection, + { + const GDBusInterfaceInfo *interfaces[2] = { &dyna_interface_info, NULL }; + +- return g_memdup (interfaces, 2 * sizeof (void *)); ++ return g_memdup2 (interfaces, 2 * sizeof (void *)); + } + + static const GDBusInterfaceVTable * +diff --git a/gio/win32/gwinhttpfile.c b/gio/win32/gwinhttpfile.c +index d5df16d91..f424d21cc 100644 +--- a/gio/win32/gwinhttpfile.c ++++ b/gio/win32/gwinhttpfile.c +@@ -29,6 +29,7 @@ + #include "gio/gfile.h" + #include "gio/gfileattribute.h" + #include "gio/gfileinfo.h" ++#include "gstrfuncsprivate.h" + #include "gwinhttpfile.h" + #include "gwinhttpfileinputstream.h" + #include "gwinhttpfileoutputstream.h" +@@ -393,10 +394,10 @@ g_winhttp_file_resolve_relative_path (GFile *file, + child = g_object_new (G_TYPE_WINHTTP_FILE, NULL); + child->vfs = winhttp_file->vfs; + child->url = winhttp_file->url; +- child->url.lpszScheme = g_memdup (winhttp_file->url.lpszScheme, (winhttp_file->url.dwSchemeLength+1)*2); +- child->url.lpszHostName = g_memdup (winhttp_file->url.lpszHostName, (winhttp_file->url.dwHostNameLength+1)*2); +- child->url.lpszUserName = g_memdup (winhttp_file->url.lpszUserName, (winhttp_file->url.dwUserNameLength+1)*2); +- child->url.lpszPassword = g_memdup (winhttp_file->url.lpszPassword, (winhttp_file->url.dwPasswordLength+1)*2); ++ child->url.lpszScheme = g_memdup2 (winhttp_file->url.lpszScheme, (winhttp_file->url.dwSchemeLength+1)*2); ++ child->url.lpszHostName = g_memdup2 (winhttp_file->url.lpszHostName, (winhttp_file->url.dwHostNameLength+1)*2); ++ child->url.lpszUserName = g_memdup2 (winhttp_file->url.lpszUserName, (winhttp_file->url.dwUserNameLength+1)*2); ++ child->url.lpszPassword = g_memdup2 (winhttp_file->url.lpszPassword, (winhttp_file->url.dwPasswordLength+1)*2); + child->url.lpszUrlPath = wnew_path; + child->url.dwUrlPathLength = wcslen (wnew_path); + child->url.lpszExtraInfo = NULL; +-- +2.31.1 + +From 661f5edc901219a1a99bb51f171be13063878bd6 Mon Sep 17 00:00:00 2001 +From: Michael Catanzaro +Date: Thu, 20 May 2021 15:58:53 -0500 +Subject: [PATCH 6/6] gdatainputstream: replace easy use of g_memdup() + +This code is passing a gsize, so might as well switch this to g_memdup2(). + +This is the only use of g_memdup() in GLib 2.56 that is not part of GLib +2.58. All other uses analyzed in glib!2000. +--- + gio/gdatainputstream.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/gio/gdatainputstream.c b/gio/gdatainputstream.c +index 9f207b158..ebef7c797 100644 +--- a/gio/gdatainputstream.c ++++ b/gio/gdatainputstream.c +@@ -27,6 +27,7 @@ + #include "gioenumtypes.h" + #include "gioerror.h" + #include "glibintl.h" ++#include "gstrfuncsprivate.h" + + #include + +@@ -1082,7 +1083,7 @@ g_data_input_stream_read_async (GDataInputStream *stream, + data = g_slice_new0 (GDataInputStreamReadData); + if (stop_chars_len == -1) + stop_chars_len = strlen (stop_chars); +- data->stop_chars = g_memdup (stop_chars, stop_chars_len); ++ data->stop_chars = g_memdup2 (stop_chars, stop_chars_len); + data->stop_chars_len = stop_chars_len; + data->last_saw_cr = FALSE; + +-- +2.31.1 diff --git a/SOURCES/CVE-2021-28153.patch b/SOURCES/CVE-2021-28153.patch new file mode 100644 index 0000000..9397463 --- /dev/null +++ b/SOURCES/CVE-2021-28153.patch @@ -0,0 +1,388 @@ +From 8fef6abe1131da0c8a7211c740a12ebe11cbcc51 Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Wed, 10 Mar 2021 16:05:55 +0000 +Subject: [PATCH 1/3] glocalfileoutputstream: Factor out a flag check + +This clarifies the code a little. It introduces no functional changes. + +Signed-off-by: Philip Withnall +--- + gio/glocalfileoutputstream.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/gio/glocalfileoutputstream.c b/gio/glocalfileoutputstream.c +index 57d2d5dfe..6a70b2a04 100644 +--- a/gio/glocalfileoutputstream.c ++++ b/gio/glocalfileoutputstream.c +@@ -751,6 +751,7 @@ handle_overwrite_open (const char *filename, + int res; + int mode; + int errsv; ++ gboolean replace_destination_set = (flags & G_FILE_CREATE_REPLACE_DESTINATION); + + mode = mode_from_flags_or_info (flags, reference_info); + +@@ -857,8 +858,8 @@ handle_overwrite_open (const char *filename, + * The second strategy consist simply in copying the old file + * to a backup file and rewrite the contents of the file. + */ +- +- if ((flags & G_FILE_CREATE_REPLACE_DESTINATION) || ++ ++ if (replace_destination_set || + (!(original_stat.st_nlink > 1) && !is_symlink)) + { + char *dirname, *tmp_filename; +@@ -877,7 +878,7 @@ handle_overwrite_open (const char *filename, + + /* try to keep permissions (unless replacing) */ + +- if ( ! (flags & G_FILE_CREATE_REPLACE_DESTINATION) && ++ if (!replace_destination_set && + ( + #ifdef HAVE_FCHOWN + fchown (tmpfd, original_stat.st_uid, original_stat.st_gid) == -1 || +@@ -1016,7 +1017,7 @@ handle_overwrite_open (const char *filename, + } + } + +- if (flags & G_FILE_CREATE_REPLACE_DESTINATION) ++ if (replace_destination_set) + { + g_close (fd, NULL); + +-- +2.31.1 + +From 6c10e8ce6905e8fcc3466eb8af707b5d0d3bdb85 Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Wed, 24 Feb 2021 17:36:07 +0000 +Subject: [PATCH 2/3] glocalfileoutputstream: Fix CREATE_REPLACE_DESTINATION + with symlinks +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The `G_FILE_CREATE_REPLACE_DESTINATION` flag is equivalent to unlinking +the destination file and re-creating it from scratch. That did +previously work, but in the process the code would call `open(O_CREAT)` +on the file. If the file was a dangling symlink, this would create the +destination file (empty). That’s not an intended side-effect, and has +security implications if the symlink is controlled by a lower-privileged +process. + +Fix that by not opening the destination file if it’s a symlink, and +adjusting the rest of the code to cope with + - the fact that `fd == -1` is not an error iff `is_symlink` is true, + - and that `original_stat` will contain the `lstat()` results for the + symlink now, rather than the `stat()` results for its target (again, + iff `is_symlink` is true). + +This means that the target of the dangling symlink is no longer created, +which was the bug. The symlink itself continues to be replaced (as +before) with the new file — this is the intended behaviour of +`g_file_replace()`. + +The behaviour for non-symlink cases, or cases where the symlink was not +dangling, should be unchanged. + +Includes a unit test. + +Signed-off-by: Philip Withnall + +Fixes: #2325 +--- + gio/glocalfileoutputstream.c | 63 ++++++++++++++------- + gio/tests/file.c | 107 ++++++++++++++++++++++++++++++++++- + 2 files changed, 149 insertions(+), 21 deletions(-) + +diff --git a/gio/glocalfileoutputstream.c b/gio/glocalfileoutputstream.c +index 6a70b2a04..4a7766f68 100644 +--- a/gio/glocalfileoutputstream.c ++++ b/gio/glocalfileoutputstream.c +@@ -779,16 +779,22 @@ handle_overwrite_open (const char *filename, + /* Could be a symlink, or it could be a regular ELOOP error, + * but then the next open will fail too. */ + is_symlink = TRUE; +- fd = g_open (filename, open_flags, mode); ++ if (!replace_destination_set) ++ fd = g_open (filename, open_flags, mode); + } +-#else +- fd = g_open (filename, open_flags, mode); +- errsv = errno; ++#else /* if !O_NOFOLLOW */ + /* This is racy, but we do it as soon as possible to minimize the race */ + is_symlink = g_file_test (filename, G_FILE_TEST_IS_SYMLINK); ++ ++ if (!is_symlink || !replace_destination_set) ++ { ++ fd = g_open (filename, open_flags, mode); ++ errsv = errno; ++ } + #endif + +- if (fd == -1) ++ if (fd == -1 && ++ (!is_symlink || !replace_destination_set)) + { + char *display_name = g_filename_display_name (filename); + g_set_error (error, G_IO_ERROR, +@@ -800,10 +806,17 @@ handle_overwrite_open (const char *filename, + } + + #ifdef G_OS_WIN32 +- res = GLIB_PRIVATE_CALL (g_win32_fstat) (fd, &original_stat); +-#else +- res = fstat (fd, &original_stat); ++#error This patch has not been ported to Windows, sorry + #endif ++ ++ if (!is_symlink) ++ { ++ res = fstat (fd, &original_stat); ++ } ++ else ++ { ++ res = lstat (filename, &original_stat); ++ } + errsv = errno; + + if (res != 0) +@@ -821,16 +834,27 @@ handle_overwrite_open (const char *filename, + if (!S_ISREG (original_stat.st_mode)) + { + if (S_ISDIR (original_stat.st_mode)) +- g_set_error_literal (error, +- G_IO_ERROR, +- G_IO_ERROR_IS_DIRECTORY, +- _("Target file is a directory")); +- else +- g_set_error_literal (error, +- G_IO_ERROR, +- G_IO_ERROR_NOT_REGULAR_FILE, +- _("Target file is not a regular file")); +- goto err_out; ++ { ++ g_set_error_literal (error, ++ G_IO_ERROR, ++ G_IO_ERROR_IS_DIRECTORY, ++ _("Target file is a directory")); ++ goto err_out; ++ } ++ else if (!is_symlink || ++#ifdef S_ISLNK ++ !S_ISLNK (original_stat.st_mode) ++#else ++ FALSE ++#endif ++ ) ++ { ++ g_set_error_literal (error, ++ G_IO_ERROR, ++ G_IO_ERROR_NOT_REGULAR_FILE, ++ _("Target file is not a regular file")); ++ goto err_out; ++ } + } + + if (etag != NULL) +@@ -911,7 +935,8 @@ handle_overwrite_open (const char *filename, + } + } + +- g_close (fd, NULL); ++ if (fd >= 0) ++ g_close (fd, NULL); + *temp_filename = tmp_filename; + return tmpfd; + } +diff --git a/gio/tests/file.c b/gio/tests/file.c +index 98eeb85d4..44db6e295 100644 +--- a/gio/tests/file.c ++++ b/gio/tests/file.c +@@ -671,8 +671,6 @@ test_replace_cancel (void) + guint count; + GError *error = NULL; + +- g_test_bug ("629301"); +- + path = g_dir_make_tmp ("g_file_replace_cancel_XXXXXX", &error); + g_assert_no_error (error); + tmpdir = g_file_new_for_path (path); +@@ -779,6 +777,110 @@ test_replace_cancel (void) + g_object_unref (tmpdir); + } + ++static void ++test_replace_symlink (void) ++{ ++#ifdef G_OS_UNIX ++ gchar *tmpdir_path = NULL; ++ GFile *tmpdir = NULL, *source_file = NULL, *target_file = NULL; ++ GFileOutputStream *stream = NULL; ++ const gchar *new_contents = "this is a test message which should be written to source and not target"; ++ gsize n_written; ++ GFileEnumerator *enumerator = NULL; ++ GFileInfo *info = NULL; ++ gchar *contents = NULL; ++ gsize length = 0; ++ GError *local_error = NULL; ++ ++ /* Create a fresh, empty working directory. */ ++ tmpdir_path = g_dir_make_tmp ("g_file_replace_symlink_XXXXXX", &local_error); ++ g_assert_no_error (local_error); ++ tmpdir = g_file_new_for_path (tmpdir_path); ++ ++ g_test_message ("Using temporary directory %s", tmpdir_path); ++ g_free (tmpdir_path); ++ ++ /* Create symlink `source` which points to `target`. */ ++ source_file = g_file_get_child (tmpdir, "source"); ++ target_file = g_file_get_child (tmpdir, "target"); ++ g_file_make_symbolic_link (source_file, "target", NULL, &local_error); ++ g_assert_no_error (local_error); ++ ++ /* Ensure that `target` doesn’t exist */ ++ g_assert_false (g_file_query_exists (target_file, NULL)); ++ ++ /* Replace the `source` symlink with a regular file using ++ * %G_FILE_CREATE_REPLACE_DESTINATION, which should replace it *without* ++ * following the symlink */ ++ stream = g_file_replace (source_file, NULL, FALSE /* no backup */, ++ G_FILE_CREATE_REPLACE_DESTINATION, NULL, &local_error); ++ g_assert_no_error (local_error); ++ ++ g_output_stream_write_all (G_OUTPUT_STREAM (stream), new_contents, strlen (new_contents), ++ &n_written, NULL, &local_error); ++ g_assert_no_error (local_error); ++ g_assert_cmpint (n_written, ==, strlen (new_contents)); ++ ++ g_output_stream_close (G_OUTPUT_STREAM (stream), NULL, &local_error); ++ g_assert_no_error (local_error); ++ ++ g_clear_object (&stream); ++ ++ /* At this point, there should still only be one file: `source`. It should ++ * now be a regular file. `target` should not exist. */ ++ enumerator = g_file_enumerate_children (tmpdir, ++ G_FILE_ATTRIBUTE_STANDARD_NAME "," ++ G_FILE_ATTRIBUTE_STANDARD_TYPE, ++ G_FILE_QUERY_INFO_NOFOLLOW_SYMLINKS, NULL, &local_error); ++ g_assert_no_error (local_error); ++ ++ info = g_file_enumerator_next_file (enumerator, NULL, &local_error); ++ g_assert_no_error (local_error); ++ g_assert_nonnull (info); ++ ++ g_assert_cmpstr (g_file_info_get_name (info), ==, "source"); ++ g_assert_cmpint (g_file_info_get_file_type (info), ==, G_FILE_TYPE_REGULAR); ++ ++ g_clear_object (&info); ++ ++ info = g_file_enumerator_next_file (enumerator, NULL, &local_error); ++ g_assert_no_error (local_error); ++ g_assert_null (info); ++ ++ g_file_enumerator_close (enumerator, NULL, &local_error); ++ g_assert_no_error (local_error); ++ g_clear_object (&enumerator); ++ ++ /* Double-check that `target` doesn’t exist */ ++ g_assert_false (g_file_query_exists (target_file, NULL)); ++ ++ /* Check the content of `source`. */ ++ g_file_load_contents (source_file, ++ NULL, ++ &contents, ++ &length, ++ NULL, ++ &local_error); ++ g_assert_no_error (local_error); ++ g_assert_cmpstr (contents, ==, new_contents); ++ g_assert_cmpuint (length, ==, strlen (new_contents)); ++ g_free (contents); ++ ++ /* Tidy up. */ ++ g_file_delete (source_file, NULL, &local_error); ++ g_assert_no_error (local_error); ++ ++ g_file_delete (tmpdir, NULL, &local_error); ++ g_assert_no_error (local_error); ++ ++ g_clear_object (&target_file); ++ g_clear_object (&source_file); ++ g_clear_object (&tmpdir); ++#else /* if !G_OS_UNIX */ ++ g_test_skip ("Symlink replacement tests can only be run on Unix") ++#endif ++} ++ + static void + on_file_deleted (GObject *object, + GAsyncResult *result, +@@ -1170,6 +1272,7 @@ main (int argc, char *argv[]) + g_test_add_data_func ("/file/async-create-delete/4096", GINT_TO_POINTER (4096), test_create_delete); + g_test_add_func ("/file/replace-load", test_replace_load); + g_test_add_func ("/file/replace-cancel", test_replace_cancel); ++ g_test_add_func ("/file/replace-symlink", test_replace_symlink); + g_test_add_func ("/file/async-delete", test_async_delete); + #ifdef G_OS_UNIX + g_test_add_func ("/file/copy-preserve-mode", test_copy_preserve_mode); +-- +2.31.1 + +From 7f0b0d7fd744ad2f51236444005db49c80a0293d Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Wed, 24 Feb 2021 17:42:24 +0000 +Subject: [PATCH 3/3] glocalfileoutputstream: Add a missing O_CLOEXEC flag to + replace() + +Signed-off-by: Philip Withnall +--- + gio/glocalfileoutputstream.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/gio/glocalfileoutputstream.c b/gio/glocalfileoutputstream.c +index 4a7766f68..275770fa4 100644 +--- a/gio/glocalfileoutputstream.c ++++ b/gio/glocalfileoutputstream.c +@@ -56,6 +56,12 @@ + #define O_BINARY 0 + #endif + ++#ifndef O_CLOEXEC ++#define O_CLOEXEC 0 ++#else ++#define HAVE_O_CLOEXEC 1 ++#endif ++ + struct _GLocalFileOutputStreamPrivate { + char *tmp_filename; + char *original_filename; +@@ -1127,7 +1133,7 @@ _g_local_file_output_stream_replace (const char *filename, + sync_on_close = FALSE; + + /* If the file doesn't exist, create it */ +- open_flags = O_CREAT | O_EXCL | O_BINARY; ++ open_flags = O_CREAT | O_EXCL | O_BINARY | O_CLOEXEC; + if (readable) + open_flags |= O_RDWR; + else +@@ -1157,8 +1163,11 @@ _g_local_file_output_stream_replace (const char *filename, + set_error_from_open_errno (filename, error); + return NULL; + } +- +- ++#if !defined(HAVE_O_CLOEXEC) && defined(F_SETFD) ++ else ++ fcntl (fd, F_SETFD, FD_CLOEXEC); ++#endif ++ + stream = g_object_new (G_TYPE_LOCAL_FILE_OUTPUT_STREAM, NULL); + stream->priv->fd = fd; + stream->priv->sync_on_close = sync_on_close; +-- +2.31.1 + diff --git a/SOURCES/ghmac-gnutls.patch b/SOURCES/ghmac-gnutls.patch index 6ba3313..8b5babb 100644 --- a/SOURCES/ghmac-gnutls.patch +++ b/SOURCES/ghmac-gnutls.patch @@ -1,7 +1,7 @@ -From 440a178c5aad19050a3d5b5d76881931138af680 Mon Sep 17 00:00:00 2001 +From c5cc0bb6f2d6e468c7402915a0a4e6799f0febdf Mon Sep 17 00:00:00 2001 From: Colin Walters Date: Fri, 7 Jun 2019 18:44:43 +0000 -Subject: [PATCH 1/2] ghmac: Split off wrapper functions into ghmac-utils.c +Subject: [PATCH 1/3] ghmac: Split off wrapper functions into ghmac-utils.c Prep for adding a GnuTLS HMAC implementation; these are just utility functions that call the "core" API. @@ -14,7 +14,7 @@ utility functions that call the "core" API. create mode 100644 glib/ghmac-utils.c diff --git a/glib/Makefile.am b/glib/Makefile.am -index 8da549c7f..c367b09ad 100644 +index c0c3b92f0..43fa17051 100644 --- a/glib/Makefile.am +++ b/glib/Makefile.am @@ -126,6 +126,7 @@ libglib_2_0_la_SOURCES = \ @@ -297,7 +297,7 @@ index 9b58fd81c..7db38e34a 100644 - (const guchar *) str, length); -} diff --git a/glib/meson.build b/glib/meson.build -index 9df77b6f9..c7f28b5b6 100644 +index c81e99f9c..306a67f13 100644 --- a/glib/meson.build +++ b/glib/meson.build @@ -138,6 +138,7 @@ glib_sources = files( @@ -309,13 +309,12 @@ index 9df77b6f9..c7f28b5b6 100644 'ghostutils.c', 'giochannel.c', -- -2.21.0 +2.31.1 - -From 423355787ba9133b310c0b72708024b1428d7d14 Mon Sep 17 00:00:00 2001 +From 3befcf1eb31e0fa7a988b22a9c24240218cd4744 Mon Sep 17 00:00:00 2001 From: Colin Walters Date: Fri, 7 Jun 2019 19:36:54 +0000 -Subject: [PATCH 2/2] Add a gnutls backend for GHmac +Subject: [PATCH 2/3] Add a gnutls backend for GHmac For RHEL we want apps to use FIPS-certified crypto libraries, and HMAC apparently counts as "keyed" and hence needs to @@ -329,26 +328,53 @@ Most distributors ship glib-networking built with GnuTLS, and most apps use glib-networking, so this isn't a net-new library in most cases. -However, a fun wrinkle is that the GnuTLS HMAC API doesn't expose -the necessary bits to implement `g_hmac_copy()`; OpenSSL does. -I chose to just make that abort for now since I didn't find -apps using it. +======================================================================= + +mcatanzaro note: + +I've updated Colin's original patch with several enhancements: + +Implement g_hmac_copy() using gnutls_hmac_copy(), which didn't exist +when Colin developed this patch. + +Removed use of GSlice + +Better error checking in g_hmac_new(). It is possible for +gnutls_hmac_init() to fail if running in FIPS mode and an MD5 digest is +requested. In this case, we should return NULL rather than returning a +broken GHmac with a NULL gnutls_hmac_hd_t. This was leading to a later +null pointer dereference inside gnutls_hmac_update(). Applications are +responsible for checking to ensure the return value of g_hmac_new() is +not NULL since it is annotated as nullable. Added documentation to +indicate this possibility. + +Properly handle length -1 in g_hmac_update(). This means we've been +given a NUL-terminated string and should use strlen(). GnuTLS doesn't +accept -1, so let's call strlen() ourselves. + +Crash the application with g_error() if gnutls_hmac() fails for any +reason. This is necessary because g_hmac_update() is not fallible, so we +have no way to indicate error. Crashing seems better than returning the +wrong result later when g_hmac_get_string() or g_hmac_get_digest() is +later called. (Those functions are also not fallible.) Fortunately, I +don't think this error should actually be hit in practice. + +https://gitlab.gnome.org/GNOME/glib/-/merge_requests/903 --- - glib/Makefile.am | 9 ++- - glib/gchecksum.c | 9 +-- - glib/gchecksumprivate.h | 32 +++++++++ - glib/ghmac-gnutls.c | 151 ++++++++++++++++++++++++++++++++++++++++ - glib/ghmac.c | 1 + + glib/Makefile.am | 8 +- + glib/gchecksum.c | 9 +- + glib/gchecksumprivate.h | 32 +++++++ + glib/ghmac-gnutls.c | 182 ++++++++++++++++++++++++++++++++++++++++ + glib/ghmac.c | 13 +++ glib/meson.build | 10 ++- - glib/tests/hmac.c | 6 ++ meson.build | 7 ++ meson_options.txt | 5 ++ - 9 files changed, 221 insertions(+), 9 deletions(-) + 8 files changed, 258 insertions(+), 8 deletions(-) create mode 100644 glib/gchecksumprivate.h create mode 100644 glib/ghmac-gnutls.c diff --git a/glib/Makefile.am b/glib/Makefile.am -index c367b09ad..b0a721ad0 100644 +index 43fa17051..1175bbe40 100644 --- a/glib/Makefile.am +++ b/glib/Makefile.am @@ -125,7 +125,7 @@ libglib_2_0_la_SOURCES = \ @@ -360,7 +386,7 @@ index c367b09ad..b0a721ad0 100644 ghmac-utils.c \ ghook.c \ ghostutils.c \ -@@ -352,11 +352,14 @@ pcre_lib = pcre/libpcre.la +@@ -352,11 +352,15 @@ pcre_lib = pcre/libpcre.la pcre_inc = endif @@ -372,8 +398,8 @@ index c367b09ad..b0a721ad0 100644 libglib_2_0_la_LIBADD = libcharset/libcharset.la $(printf_la) @GIO@ @GSPAWN@ @PLATFORMDEP@ @ICONV_LIBS@ @G_LIBS_EXTRA@ $(pcre_lib) $(G_THREAD_LIBS_EXTRA) $(G_THREAD_LIBS_FOR_GTHREAD) $(LIBSYSTEMD_LIBS) libglib_2_0_la_DEPENDENCIES = libcharset/libcharset.la $(printf_la) @GIO@ @GSPAWN@ @PLATFORMDEP@ $(glib_win32_res) $(glib_def) --libglib_2_0_la_LDFLAGS = $(GLIB_LINK_FLAGS) \ -+libglib_2_0_la_LDFLAGS = $(GLIB_LINK_FLAGS) $(gnutls_libs) \ + libglib_2_0_la_LDFLAGS = $(GLIB_LINK_FLAGS) \ ++ $(gnutls_libs) \ $(glib_win32_res_ldflag) \ -version-info $(LT_CURRENT):$(LT_REVISION):$(LT_AGE) \ -export-dynamic $(no_undefined) @@ -452,10 +478,10 @@ index 000000000..86c7a3b61 \ No newline at end of file diff --git a/glib/ghmac-gnutls.c b/glib/ghmac-gnutls.c new file mode 100644 -index 000000000..3b4dfb872 +index 000000000..522b9b302 --- /dev/null +++ b/glib/ghmac-gnutls.c -@@ -0,0 +1,160 @@ +@@ -0,0 +1,182 @@ +/* ghmac.h - data hashing functions + * + * Copyright (C) 2011 Collabora Ltd. @@ -506,9 +532,11 @@ index 000000000..3b4dfb872 + gsize key_len) +{ + gnutls_mac_algorithm_t algo; -+ GHmac *hmac = g_slice_new0 (GHmac); ++ GHmac *hmac = g_new0 (GHmac, 1); ++ int ret; ++ + hmac->ref_count = 1; -+ hmac->digest_type = digest_type; ++ hmac->digest_type = digest_type; + + switch (digest_type) + { @@ -531,7 +559,15 @@ index 000000000..3b4dfb872 + g_return_val_if_reached (NULL); + } + -+ gnutls_hmac_init (&hmac->hmac, algo, key, key_len); ++ ret = gnutls_hmac_init (&hmac->hmac, algo, key, key_len); ++ if (ret != 0) ++ { ++ /* There is no way to report an error here, but one possible cause of ++ * failure is that the requested digest may be disabled by FIPS mode. ++ */ ++ g_free (hmac->hmac); ++ return NULL; ++ } + + return hmac; +} @@ -543,11 +579,15 @@ index 000000000..3b4dfb872 + + g_return_val_if_fail (hmac != NULL, NULL); + -+ copy = g_slice_new0 (GHmac); ++ copy = g_new0 (GHmac, 1); + copy->ref_count = 1; + copy->digest_type = hmac->digest_type; + copy->hmac = gnutls_hmac_copy (hmac->hmac); + ++ /* g_hmac_copy is not allowed to fail, so we'll have to crash on error. */ ++ if (!copy->hmac) ++ g_error ("gnutls_hmac_copy failed"); ++ + return copy; +} + @@ -570,7 +610,7 @@ index 000000000..3b4dfb872 + { + gnutls_hmac_deinit (hmac->hmac, NULL); + g_free (hmac->digest_str); -+ g_slice_free (GHmac, hmac); ++ g_free (hmac); + } +} + @@ -580,10 +620,18 @@ index 000000000..3b4dfb872 + const guchar *data, + gssize length) +{ ++ int ret; ++ + g_return_if_fail (hmac != NULL); + g_return_if_fail (length == 0 || data != NULL); + -+ gnutls_hmac (hmac->hmac, data, length); ++ if (length == -1) ++ length = strlen ((const char *)data); ++ ++ /* g_hmac_update is not allowed to fail, so we'll have to crash on error. */ ++ ret = gnutls_hmac (hmac->hmac, data, length); ++ if (ret != 0) ++ g_error ("gnutls_hmac failed: %s", gnutls_strerror (ret)); +} + +const gchar * @@ -617,7 +665,7 @@ index 000000000..3b4dfb872 + *digest_len = g_checksum_type_get_length (hmac->digest_type); +} diff --git a/glib/ghmac.c b/glib/ghmac.c -index 7db38e34a..b12eb07c4 100644 +index 7db38e34a..b03a5aea7 100644 --- a/glib/ghmac.c +++ b/glib/ghmac.c @@ -33,6 +33,7 @@ @@ -628,11 +676,38 @@ index 7db38e34a..b12eb07c4 100644 /** * SECTION:hmac +@@ -84,6 +85,18 @@ struct _GHmac + * Support for digests of type %G_CHECKSUM_SHA512 has been added in GLib 2.42. + * Support for %G_CHECKSUM_SHA384 was added in GLib 2.52. + * ++ * Note that #GHmac creation may fail, in which case this function will ++ * return %NULL. Since there is no error parameter, it is not possible ++ * to indicate why. ++ * ++ * In Fedora, CentOS Stream, and Red Hat Enterprise Linux, GLib is ++ * configured to use GnuTLS to implement #GHmac in order to support FIPS ++ * compliance. This introduces additional failure possibilities that are ++ * not present in upstream GLib. For example, the creation of a #GHmac ++ * will fail if @digest_type is %G_CHECKSUM_MD5 and the system is ++ * running in FIPS mode. #GHmac creation may also fail if GLib is unable ++ * to load GnuTLS. ++ * + * Returns: the newly created #GHmac, or %NULL. + * Use g_hmac_unref() to free the memory allocated by it. + * diff --git a/glib/meson.build b/glib/meson.build -index c7f28b5b6..a2f9da81c 100644 +index 306a67f13..07d41456d 100644 --- a/glib/meson.build +++ b/glib/meson.build -@@ -137,7 +137,6 @@ glib_sources = files( +@@ -127,6 +127,7 @@ glib_sources = files( + 'gbytes.c', + 'gcharset.c', + 'gchecksum.c', ++ 'gchecksumprivate.h', + 'gconvert.c', + 'gdataset.c', + 'gdate.c', +@@ -137,7 +138,6 @@ glib_sources = files( 'gfileutils.c', 'ggettext.c', 'ghash.c', @@ -640,15 +715,7 @@ index c7f28b5b6..a2f9da81c 100644 'ghmac-utils.c', 'ghook.c', 'ghostutils.c', -@@ -185,6 +184,7 @@ glib_sources = files( - 'gunidecomp.c', - 'gurifuncs.c', - 'gutils.c', -+ 'gchecksumprivate.h', - 'guuid.c', - 'gvariant.c', - 'gvariant-core.c', -@@ -222,6 +222,12 @@ else +@@ -223,6 +223,12 @@ else glib_dtrace_hdr = [] endif @@ -661,17 +728,17 @@ index c7f28b5b6..a2f9da81c 100644 pcre_static_args = [] if use_pcre_static_flag -@@ -238,7 +244,7 @@ libglib = library('glib-2.0', +@@ -239,7 +245,7 @@ libglib = library('glib-2.0', link_args : platform_ldflags + noseh_link_args, include_directories : configinc, link_with : [charset_lib, gnulib_lib], - dependencies : [pcre, thread_dep, libintl, librt] + libiconv + platform_deps, -+ dependencies : [pcre, thread_dep, libintl, librt] + libiconv + platform_deps + libgnutls_dep, ++ dependencies : [pcre, thread_dep, libintl, librt] + libgnutls_dep + libiconv + platform_deps, c_args : ['-DG_LOG_DOMAIN="GLib"', '-DGLIB_COMPILATION'] + pcre_static_args + glib_hidden_visibility_args ) diff --git a/meson.build b/meson.build -index 0cefee51d..81b16b004 100644 +index 0cefee51d..eaf8d3900 100644 --- a/meson.build +++ b/meson.build @@ -1596,6 +1596,13 @@ if host_system == 'linux' and get_option('libmount') @@ -705,5 +772,63 @@ index 4504c6858..d18c42a36 100644 type : 'boolean', value : false, -- -2.21.0 +2.31.1 +From 87280b23902290dcf843a42d06cedeef571a673f Mon Sep 17 00:00:00 2001 +From: Michael Catanzaro +Date: Thu, 1 Jul 2021 15:51:26 -0500 +Subject: [PATCH 3/3] Add more tests for GHmac + +This will test a few problems that we hit recently: + +g_hmac_copy() is broken, https://bugzilla.redhat.com/show_bug.cgi?id=1786538 + +Crash in g_hmac_update() in FIPS mode, https://bugzilla.redhat.com/show_bug.cgi?id=1971533 + +Crash when passing -1 length to g_hmac_update() (discovered in #1971533) +--- + glib/tests/hmac.c | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +diff --git a/glib/tests/hmac.c b/glib/tests/hmac.c +index 3ac3206df..16b2fac9c 100644 +--- a/glib/tests/hmac.c ++++ b/glib/tests/hmac.c +@@ -493,6 +493,27 @@ test_hmac_for_bytes (void) + g_bytes_unref (data); + } + ++static void ++test_ghmac_gnutls_regressions (void) ++{ ++ GHmac *hmac; ++ GHmac *copy; ++ ++ hmac = g_hmac_new (G_CHECKSUM_SHA256, (const guchar *)"abc123", sizeof ("abc123")); ++ g_assert_nonnull (hmac); ++ ++ /* Ensure g_hmac_update() does not crash when called with -1. */ ++ g_hmac_update (hmac, (const guchar *)"You win again, gravity!", -1); ++ ++ /* Ensure g_hmac_copy() does not crash. */ ++ copy = g_hmac_copy (hmac); ++ g_assert_nonnull (hmac); ++ g_hmac_unref (hmac); ++ ++ g_assert_cmpstr (g_hmac_get_string (copy), ==, "795ba6900bcb22e8ce65c2ec02db4e85697da921deb960ee3143bf88a4a60f83"); ++ g_hmac_unref (copy); ++} ++ + int + main (int argc, + char **argv) +@@ -545,6 +566,7 @@ main (int argc, + g_test_add_func ("/hmac/for-data", test_hmac_for_data); + g_test_add_func ("/hmac/for-string", test_hmac_for_string); + g_test_add_func ("/hmac/for-bytes", test_hmac_for_bytes); ++ g_test_add_func ("/hmac/ghmac-gnutls-regressions", test_ghmac_gnutls_regressions); + + return g_test_run (); + } +-- +2.31.1 diff --git a/SOURCES/gmain-corruption.patch b/SOURCES/gmain-corruption.patch new file mode 100644 index 0000000..0aa509d --- /dev/null +++ b/SOURCES/gmain-corruption.patch @@ -0,0 +1,386 @@ +From 2bad3cb3bf8f0cc3f45057061f9a538ecf7742b6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Thu, 14 Feb 2019 17:46:33 +0200 +Subject: [PATCH 1/5] Use atomic reference counting for GSource + +If attached to a context already it would use a mutex instead but at +least before that the reference counting is not thread-safe currently. +--- + glib/gmain.c | 50 +++++++++++++++----------------------------------- + 1 file changed, 15 insertions(+), 35 deletions(-) + +diff --git a/glib/gmain.c b/glib/gmain.c +index 26e68823d..5b91c3117 100644 +--- a/glib/gmain.c ++++ b/glib/gmain.c +@@ -374,15 +374,6 @@ typedef struct _GSourceIter + #define SOURCE_DESTROYED(source) (((source)->flags & G_HOOK_FLAG_ACTIVE) == 0) + #define SOURCE_BLOCKED(source) (((source)->flags & G_SOURCE_BLOCKED) != 0) + +-#define SOURCE_UNREF(source, context) \ +- G_STMT_START { \ +- if ((source)->ref_count > 1) \ +- (source)->ref_count--; \ +- else \ +- g_source_unref_internal ((source), (context), TRUE); \ +- } G_STMT_END +- +- + /* Forward declarations */ + + static void g_source_unref_internal (GSource *source, +@@ -977,10 +968,10 @@ g_source_iter_next (GSourceIter *iter, GSource **source) + */ + + if (iter->source && iter->may_modify) +- SOURCE_UNREF (iter->source, iter->context); ++ g_source_unref_internal (iter->source, iter->context, TRUE); + iter->source = next_source; + if (iter->source && iter->may_modify) +- iter->source->ref_count++; ++ g_source_ref (iter->source); + + *source = iter->source; + return *source != NULL; +@@ -994,7 +985,7 @@ g_source_iter_clear (GSourceIter *iter) + { + if (iter->source && iter->may_modify) + { +- SOURCE_UNREF (iter->source, iter->context); ++ g_source_unref_internal (iter->source, iter->context, TRUE); + iter->source = NULL; + } + } +@@ -1135,7 +1126,7 @@ g_source_attach_unlocked (GSource *source, + + source->context = context; + source->source_id = id; +- source->ref_count++; ++ g_source_ref (source); + + g_hash_table_insert (context->sources, GUINT_TO_POINTER (id), source); + +@@ -1675,7 +1666,7 @@ g_source_set_funcs (GSource *source, + { + g_return_if_fail (source != NULL); + g_return_if_fail (source->context == NULL); +- g_return_if_fail (source->ref_count > 0); ++ g_return_if_fail (g_atomic_int_get (&source->ref_count) > 0); + g_return_if_fail (funcs != NULL); + + source->source_funcs = funcs; +@@ -2050,19 +2041,9 @@ g_source_set_name_by_id (guint tag, + GSource * + g_source_ref (GSource *source) + { +- GMainContext *context; +- + g_return_val_if_fail (source != NULL, NULL); + +- context = source->context; +- +- if (context) +- LOCK_CONTEXT (context); +- +- source->ref_count++; +- +- if (context) +- UNLOCK_CONTEXT (context); ++ g_atomic_int_inc (&source->ref_count); + + return source; + } +@@ -2078,12 +2059,11 @@ g_source_unref_internal (GSource *source, + GSourceCallbackFuncs *old_cb_funcs = NULL; + + g_return_if_fail (source != NULL); +- ++ + if (!have_lock && context) + LOCK_CONTEXT (context); + +- source->ref_count--; +- if (source->ref_count == 0) ++ if (g_atomic_int_dec_and_test (&source->ref_count)) + { + TRACE (GLIB_SOURCE_BEFORE_FREE (source, context, + source->source_funcs->finalize)); +@@ -2107,20 +2087,20 @@ g_source_unref_internal (GSource *source, + { + /* Temporarily increase the ref count again so that GSource methods + * can be called from finalize(). */ +- source->ref_count++; ++ g_atomic_int_inc (&source->ref_count); + if (context) + UNLOCK_CONTEXT (context); + source->source_funcs->finalize (source); + if (context) + LOCK_CONTEXT (context); +- source->ref_count--; ++ g_atomic_int_add (&source->ref_count, -1); + } + + if (old_cb_funcs) + { + /* Temporarily increase the ref count again so that GSource methods + * can be called from callback_funcs.unref(). */ +- source->ref_count++; ++ g_atomic_int_inc (&source->ref_count); + if (context) + UNLOCK_CONTEXT (context); + +@@ -2128,7 +2108,7 @@ g_source_unref_internal (GSource *source, + + if (context) + LOCK_CONTEXT (context); +- source->ref_count--; ++ g_atomic_int_add (&source->ref_count, -1); + } + + g_free (source->name); +@@ -3201,7 +3181,7 @@ g_main_dispatch (GMainContext *context) + } + } + +- SOURCE_UNREF (source, context); ++ g_source_unref_internal (source, context, TRUE); + } + + g_ptr_array_set_size (context->pending_dispatches, 0); +@@ -3440,7 +3420,7 @@ g_main_context_prepare (GMainContext *context, + for (i = 0; i < context->pending_dispatches->len; i++) + { + if (context->pending_dispatches->pdata[i]) +- SOURCE_UNREF ((GSource *)context->pending_dispatches->pdata[i], context); ++ g_source_unref_internal ((GSource *)context->pending_dispatches->pdata[i], context, TRUE); + } + g_ptr_array_set_size (context->pending_dispatches, 0); + +@@ -3788,7 +3768,7 @@ g_main_context_check (GMainContext *context, + + if (source->flags & G_SOURCE_READY) + { +- source->ref_count++; ++ g_source_ref (source); + g_ptr_array_add (context->pending_dispatches, source); + + n_ready++; +-- +2.31.1 + +From 323d0c7658a9a44efc327840c0667044a4b98f89 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Mon, 3 Feb 2020 15:38:28 +0200 +Subject: [PATCH 2/5] GMainContext - Fix GSource iterator if iteration can + modify the list + +We first have to ref the next source and then unref the previous one. +This might be the last reference to the previous source, and freeing the +previous source might unref and free the next one which would then leave +use with a dangling pointer here. + +Fixes https://gitlab.gnome.org/GNOME/glib/issues/2031 +--- + glib/gmain.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/glib/gmain.c b/glib/gmain.c +index 5b91c3117..a3ea1d36c 100644 +--- a/glib/gmain.c ++++ b/glib/gmain.c +@@ -965,13 +965,17 @@ g_source_iter_next (GSourceIter *iter, GSource **source) + * GSourceList to be removed from source_lists (if iter->source is + * the only source in its list, and it is destroyed), so we have to + * keep it reffed until after we advance iter->current_list, above. ++ * ++ * Also we first have to ref the next source before unreffing the ++ * previous one as unreffing the previous source can potentially ++ * free the next one. + */ ++ if (next_source && iter->may_modify) ++ g_source_ref (next_source); + + if (iter->source && iter->may_modify) + g_source_unref_internal (iter->source, iter->context, TRUE); + iter->source = next_source; +- if (iter->source && iter->may_modify) +- g_source_ref (iter->source); + + *source = iter->source; + return *source != NULL; +-- +2.31.1 + +From fc051ec83d8894dd754bf364562ba9be9ff999fc Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Mon, 3 Feb 2020 15:35:51 +0200 +Subject: [PATCH 3/5] GMainContext - Fix memory leaks and memory corruption + when freeing sources while freeing a context + +Instead of destroying sources directly while freeing the context, and +potentially freeing them if this was the last reference to them, collect +new references of all sources in a separate list before and at the same +time invalidate their context so that they can't access it anymore. Only +once all sources have their context invalidated, destroy them while +still keeping a reference to them. Once all sources are destroyed we get +rid of the additional references and free them if nothing else keeps a +reference to them anymore. + +This fixes a regression introduced by 26056558be in 2012. + +The previous code that invalidated the context of each source and then +destroyed it before going to the next source without keeping an +additional reference caused memory leaks or memory corruption depending +on the order of the sources in the sources lists. + +If a source was destroyed it might happen that this was the last +reference to this source, and it would then be freed. This would cause +the finalize function to be called, which might destroy and unref +another source and potentially free it. This other source would then +either +- go through the normal free logic and change the intern linked list + between the sources, while other sources that are unreffed as part of + the main context freeing would not. As such the list would be in an + inconsistent state and we might dereference freed memory. +- go through the normal destroy and free logic but because the context + pointer was already invalidated it would simply mark the source as + destroyed without actually removing it from the context. This would + then cause a memory leak because the reference owned by the context is + not freed. + +Fixes https://github.com/gtk-rs/glib/issues/583 while still keeping +https://bugzilla.gnome.org/show_bug.cgi?id=661767 fixes. +--- + glib/gmain.c | 35 ++++++++++++++++++++++++++++++++++- + 1 file changed, 34 insertions(+), 1 deletion(-) + +diff --git a/glib/gmain.c b/glib/gmain.c +index a3ea1d36c..1c249ad02 100644 +--- a/glib/gmain.c ++++ b/glib/gmain.c +@@ -534,6 +534,7 @@ g_main_context_unref (GMainContext *context) + GSourceIter iter; + GSource *source; + GList *sl_iter; ++ GSList *s_iter, *remaining_sources = NULL; + GSourceList *list; + guint i; + +@@ -553,10 +554,30 @@ g_main_context_unref (GMainContext *context) + + /* g_source_iter_next() assumes the context is locked. */ + LOCK_CONTEXT (context); +- g_source_iter_init (&iter, context, TRUE); ++ ++ /* First collect all remaining sources from the sources lists and store a ++ * new reference in a separate list. Also set the context of the sources ++ * to NULL so that they can't access a partially destroyed context anymore. ++ * ++ * We have to do this first so that we have a strong reference to all ++ * sources and destroying them below does not also free them, and so that ++ * none of the sources can access the context from their finalize/dispose ++ * functions. */ ++ g_source_iter_init (&iter, context, FALSE); + while (g_source_iter_next (&iter, &source)) + { + source->context = NULL; ++ remaining_sources = g_slist_prepend (remaining_sources, g_source_ref (source)); ++ } ++ g_source_iter_clear (&iter); ++ ++ /* Next destroy all sources. As we still hold a reference to all of them, ++ * this won't cause any of them to be freed yet and especially prevents any ++ * source that unrefs another source from its finalize function to be freed. ++ */ ++ for (s_iter = remaining_sources; s_iter; s_iter = s_iter->next) ++ { ++ source = s_iter->data; + g_source_destroy_internal (source, context, TRUE); + } + UNLOCK_CONTEXT (context); +@@ -581,6 +602,18 @@ g_main_context_unref (GMainContext *context) + g_cond_clear (&context->cond); + + g_free (context); ++ ++ /* And now finally get rid of our references to the sources. This will cause ++ * them to be freed unless something else still has a reference to them. Due ++ * to setting the context pointers in the sources to NULL above, this won't ++ * ever access the context or the internal linked list inside the GSource. ++ * We already removed the sources completely from the context above. */ ++ for (s_iter = remaining_sources; s_iter; s_iter = s_iter->next) ++ { ++ source = s_iter->data; ++ g_source_unref_internal (source, NULL, FALSE); ++ } ++ g_slist_free (remaining_sources); + } + + /* Helper function used by mainloop/overflow test. +-- +2.31.1 + +From 1d16e92028f235ed9cd786070832d5bd71017661 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Tue, 11 Feb 2020 09:34:38 +0200 +Subject: [PATCH 4/5] GMainContext - Move mutex unlocking in destructor right + before freeing the mutex + +This does not have any behaviour changes but is cleaner. The mutex is +only unlocked now after all operations on the context are done and right +before freeing the mutex and the context itself. +--- + glib/gmain.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/glib/gmain.c b/glib/gmain.c +index 1c249ad02..44e6ed0c3 100644 +--- a/glib/gmain.c ++++ b/glib/gmain.c +@@ -580,7 +580,6 @@ g_main_context_unref (GMainContext *context) + source = s_iter->data; + g_source_destroy_internal (source, context, TRUE); + } +- UNLOCK_CONTEXT (context); + + for (sl_iter = context->source_lists; sl_iter; sl_iter = sl_iter->next) + { +@@ -591,6 +590,7 @@ g_main_context_unref (GMainContext *context) + + g_hash_table_destroy (context->sources); + ++ UNLOCK_CONTEXT (context); + g_mutex_clear (&context->mutex); + + g_ptr_array_free (context->pending_dispatches, TRUE); +-- +2.31.1 + +From 02ad7294ad5895178df73a6cd8546c6e67097493 Mon Sep 17 00:00:00 2001 +From: Benjamin Berg +Date: Tue, 13 Oct 2020 15:09:43 +0200 +Subject: [PATCH 5/5] gmain: Fix possible locking issue in source unref + +When unref'ing child sources, the lock is already held. But instead of +passing TRUE to g_source_unref_internal it currently passes whether the +lock was already held outside of the current invocation. Just pass TRUE +to fix this possible issue. +--- + glib/gmain.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/glib/gmain.c b/glib/gmain.c +index 44e6ed0c3..95992253d 100644 +--- a/glib/gmain.c ++++ b/glib/gmain.c +@@ -2164,7 +2164,7 @@ g_source_unref_internal (GSource *source, + g_slist_remove (source->priv->child_sources, child_source); + child_source->priv->parent_source = NULL; + +- g_source_unref_internal (child_source, context, have_lock); ++ g_source_unref_internal (child_source, context, TRUE); + } + + g_slice_free (GSourcePrivate, source->priv); +-- +2.31.1 diff --git a/SOURCES/0001-tests-Allocate-gvariant-data-from-the-heap-to-guaran.patch b/SOURCES/gvariant-tests.patch similarity index 66% rename from SOURCES/0001-tests-Allocate-gvariant-data-from-the-heap-to-guaran.patch rename to SOURCES/gvariant-tests.patch index 9107242..5381817 100644 --- a/SOURCES/0001-tests-Allocate-gvariant-data-from-the-heap-to-guaran.patch +++ b/SOURCES/gvariant-tests.patch @@ -94,3 +94,49 @@ index 6e417f6c1..a7b19826d 100644 -- 2.19.1 +From 4ef58e5661849317a1110c9b93957f2c608677dd Mon Sep 17 00:00:00 2001 +From: Simon McVittie +Date: Thu, 3 Jan 2019 08:21:40 +0000 +Subject: [PATCH 2/2] gvariant test: Also force alignment for tuple test data + +glib!552 (commit 9eed22b3) fixed this for the tests that failed on i686, +but this additional test failed on Debian's s390x port +(IBM z/Architecture, 64-bit big-endian). + +Signed-off-by: Simon McVittie +--- + glib/tests/gvariant.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/glib/tests/gvariant.c b/glib/tests/gvariant.c +index a7b19826d..c4a996c1f 100644 +--- a/glib/tests/gvariant.c ++++ b/glib/tests/gvariant.c +@@ -4820,6 +4820,7 @@ test_normal_checking_array_offsets (void) + static void + test_normal_checking_tuple_offsets (void) + { ++ gpointer aligned_data; + const guint8 data[] = { + 0x07, 0xe5, 0x00, 0x07, 0x00, 0x07, + '(', 'a', 's', 'a', 's', 'a', 's', 'a', 's', 'a', 's', 'a', 's', ')', +@@ -4828,13 +4829,15 @@ test_normal_checking_tuple_offsets (void) + GVariant *variant = NULL; + GVariant *normal_variant = NULL; + +- variant = g_variant_new_from_data (G_VARIANT_TYPE_VARIANT, data, size, +- FALSE, NULL, NULL); ++ aligned_data = g_memdup (data, size); /* guarantee alignment */ ++ variant = g_variant_new_from_data (G_VARIANT_TYPE_VARIANT, aligned_data, ++ size, FALSE, NULL, NULL); + g_assert_nonnull (variant); + + normal_variant = g_variant_get_normal_form (variant); + g_assert_nonnull (normal_variant); + ++ g_free (aligned_data); + g_variant_unref (normal_variant); + g_variant_unref (variant); + } +-- +2.19.1 diff --git a/SPECS/glib2.spec b/SPECS/glib2.spec index 5e22638..57c539c 100644 --- a/SPECS/glib2.spec +++ b/SPECS/glib2.spec @@ -5,7 +5,7 @@ Name: glib2 Version: 2.56.4 -Release: 9%{?dist} +Release: 156%{?dist} Summary: A library of handy utility functions License: LGPLv2+ @@ -37,38 +37,71 @@ BuildRequires: python3-devel # for GIO content-type support Recommends: shared-mime-info -# Downstream patches -Patch01: 0001-gdbus-unix-addresses-test-don-t-g_debug-when-also-te.patch - -# Backported from git master -Patch10: 0001-codegen-Change-pointer-casting-to-remove-type-punnin.patch -Patch11: 0001-spawn-add-shebang-line-to-script.patch -Patch12: 0001-build-sys-Pass-CFLAGS-to-DTRACE.patch -Patch13: 0001-gfile-Limit-access-to-files-when-copying.patch - -# Backported from git glib-2-56 branch -Patch20: 0001-tests-Allocate-gvariant-data-from-the-heap-to-guaran.patch -Patch21: 0002-gvariant-test-Also-force-alignment-for-tuple-test-da.patch - -# Backported from 2.58 (for 3.32 GNOME rebase) -Patch30: backport-per-desktop-overrides.patch - -# https://gitlab.gnome.org/GNOME/glib/merge_requests/903 +# Implement RHEL 8 core crypto components policy # https://bugzilla.redhat.com/show_bug.cgi?id=1630260 -Patch37: ghmac-gnutls.patch +# https://gitlab.gnome.org/GNOME/glib/merge_requests/903 +Patch0: ghmac-gnutls.patch -# Backported from git -Patch40: 0001-gdbus-codegen-honor-Property.EmitsChangedSignal-anno.patch +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/50 +Patch1: 50.patch + +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/309 +Patch2: 309.patch + +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/403 +Patch3: 409.patch + +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/546 +Patch4: 546.patch + +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/876 +Patch5: CVE-2019-12450.patch + +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/552 +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/569 +Patch6: gvariant-tests.patch + +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/105 +Patch7: 105.patch + +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/532 +Patch8: 532.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1777213 -Patch50: 0001-gcredentialsprivate-Document-the-various-private-mac.patch -Patch51: 0001-GDBus-prefer-getsockopt-style-credentials-passing-AP.patch -Patch52: 0001-credentials-Invalid-Linux-struct-ucred-means-no-info.patch +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/1176 +Patch9: 1176.patch -# Mostly from https://gitlab.gnome.org/GNOME/glib/-/commits/master/gio/gkeyfilesettingsbackend.c -Patch60: keyfile-backend.patch -# https://gitlab.gnome.org/GNOME/glib/-/issues/1658 -Patch61: CVE-2019-13012.patch +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/450 +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/603 +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/974 +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/984 +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/985 +Patch10: keyfile-backend.patch +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/604 +Patch11: CVE-2019-13012.patch + +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/1942 +Patch12: CVE-2021-27218.patch + +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/1927 +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/2000 +Patch13: CVE-2021-27219.patch + +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/1981 +Patch14: CVE-2021-28153.patch + +# https://bugzilla.redhat.com/show_bug.cgi?id=1938284 +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/1369 +Patch15: 1369.patch + +# https://bugzilla.redhat.com/show_bug.cgi?id=1948988 +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/873 +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/1353 +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/1691 +Patch16: gmain-corruption.patch + +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/1713 +Patch17: 1713.patch %description GLib is the low-level core library that forms the basis for projects @@ -267,6 +300,35 @@ glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || : %{_datadir}/installed-tests %changelog +* Thu Jul 01 2021 Michael Catanzaro - 2.56.4-15 +- Fix test failure introduced in previous update +- Related: #1971533 + +* Wed Jun 23 2021 Michael Catanzaro - 2.56.4-14 +- Refresh GHmac patchset +- Resolves: #1971533 + +* Thu May 20 2021 Michael Catanzaro - 2.56.4-13 +- Rename and consolidate existing patches for better maintainability +- Refresh CVE-2021-27219 patcheset, using better-targeted fixes + Resolves: #1939108 + +* Wed May 05 2021 Michael Catanzaro - 2.56.4-12 +- Fix various problems in GMainContext + Resolves: #1948988 + +* Tue May 04 2021 Michael Catanzaro - 2.56.4-11 +- Remove CHARSETALIASDIR environment variable + Resolves: #1938284 + +* Wed Mar 31 2021 Michael Catanzaro - 2.56.4-10 +- Fix CVE-2021-27218 + Resolves: #1939072 +- Fix CVE-2021-27219 + Resolves: #1939108 +- Fix CVE-2021-28153 + Resolves: #1939118 + * Tue Nov 10 2020 Michael Catanzaro - 2.56.4-9 - Update GHmac patch to implement g_hmac_copy() Resolves: #1786538