diff --git a/SOURCES/dbus-1.10.24-fix-CVE-2020-12049.patch b/SOURCES/dbus-1.10.24-fix-CVE-2020-12049.patch new file mode 100644 index 0000000..d8a6686 --- /dev/null +++ b/SOURCES/dbus-1.10.24-fix-CVE-2020-12049.patch @@ -0,0 +1,78 @@ +From 3418f4e500e6589e21bfcc545b3d4d1d70b17390 Mon Sep 17 00:00:00 2001 +From: Simon McVittie +Date: Thu, 16 Apr 2020 14:45:11 +0100 +Subject: [PATCH] sysdeps-unix: On MSG_CTRUNC, close the fds we did receive + +MSG_CTRUNC indicates that we have received fewer fds that we should +have done because the buffer was too small, but we were treating it +as though it indicated that we received *no* fds. If we received any, +we still have to make sure we close them, otherwise they will be leaked. + +On the system bus, if an attacker can induce us to leak fds in this +way, that's a local denial of service via resource exhaustion. + +[Backport to dbus-1.10: Change signedness of iterator due to +commit ab8cb96e "_dbus_read_socket_with_unix_fds: make n_fds unsigned" +not having been applied to this branch.] + +Reported-by: Kevin Backhouse, GitHub Security Lab +Fixes: dbus#294 +Fixes: CVE-2020-12049 +Fixes: GHSL-2020-057 +--- + dbus/dbus-sysdeps-unix.c | 32 ++++++++++++++++++++------------ + 1 file changed, 20 insertions(+), 12 deletions(-) + +diff --git a/dbus/dbus-sysdeps-unix.c b/dbus/dbus-sysdeps-unix.c +index b73097124..6303dbc4c 100644 +--- a/dbus/dbus-sysdeps-unix.c ++++ b/dbus/dbus-sysdeps-unix.c +@@ -432,18 +432,6 @@ _dbus_read_socket_with_unix_fds (DBusSocket fd, + struct cmsghdr *cm; + dbus_bool_t found = FALSE; + +- if (m.msg_flags & MSG_CTRUNC) +- { +- /* Hmm, apparently the control data was truncated. The bad +- thing is that we might have completely lost a couple of fds +- without chance to recover them. Hence let's treat this as a +- serious error. */ +- +- errno = ENOSPC; +- _dbus_string_set_length (buffer, start); +- return -1; +- } +- + for (cm = CMSG_FIRSTHDR(&m); cm; cm = CMSG_NXTHDR(&m, cm)) + if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_RIGHTS) + { +@@ -498,6 +486,26 @@ _dbus_read_socket_with_unix_fds (DBusSocket fd, + if (!found) + *n_fds = 0; + ++ if (m.msg_flags & MSG_CTRUNC) ++ { ++ int i; ++ ++ /* Hmm, apparently the control data was truncated. The bad ++ thing is that we might have completely lost a couple of fds ++ without chance to recover them. Hence let's treat this as a ++ serious error. */ ++ ++ /* We still need to close whatever fds we *did* receive, ++ * otherwise they'll never get closed. (CVE-2020-12049) */ ++ for (i = 0; i < *n_fds; i++) ++ close (fds[i]); ++ ++ *n_fds = 0; ++ errno = ENOSPC; ++ _dbus_string_set_length (buffer, start); ++ return -1; ++ } ++ + /* put length back (doesn't actually realloc) */ + _dbus_string_set_length (buffer, start + bytes_read); + +-- +GitLab + diff --git a/SPECS/dbus.spec b/SPECS/dbus.spec index 5aed0f7..06f620e 100644 --- a/SPECS/dbus.spec +++ b/SPECS/dbus.spec @@ -18,7 +18,7 @@ Name: dbus Epoch: 1 Version: 1.10.24 -Release: 13%{?dist} +Release: 14%{?dist} Summary: D-BUS message bus Group: System Environment/Libraries @@ -44,6 +44,8 @@ Patch4: dbus-1.10.24-dbus-send-man-page-typo.patch Patch5: 0001-bus-raise-fd-limits-before-dropping-privs.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1470310 Patch6: dbus-1.10.24-dbus-launch-chdir.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1851991 +Patch7: dbus-1.10.24-fix-CVE-2020-12049.patch BuildRequires: libtool BuildRequires: expat-devel >= %{expat_version} @@ -145,6 +147,7 @@ in this separate package so server systems need not install X. %patch4 -p1 %patch5 -p1 %patch6 -p1 +%patch7 -p1 %build # Avoid rpath. @@ -381,6 +384,9 @@ popd %{_includedir}/* %changelog +* Tue Jun 30 2020 David King - 1:1.10.24-14 +- Fix CVE-2020-12049 (#1851991) + * Tue Dec 11 2018 David King - 1:1.10.24-13 - Add a symlink for dbus-daemon-launch-helper (#1568856)