diff --git a/SOURCES/33e0595b1c7cf8fa0e7ca3a353f4380c1307dc25.patch b/SOURCES/33e0595b1c7cf8fa0e7ca3a353f4380c1307dc25.patch
new file mode 100644
index 0000000..9260d5a
--- /dev/null
+++ b/SOURCES/33e0595b1c7cf8fa0e7ca3a353f4380c1307dc25.patch
@@ -0,0 +1,155 @@ +From 33e0595b1c7cf8fa0e7ca3a353f4380c1307dc25 Mon Sep 17 00:00:00 2001 +From: David Rheinsberg +Date: Thu, 5 May 2022 10:50:31 +0200 +Subject: [PATCH] test-config: add tests for some config samples + +Add infrastructure to easily parse config-samples in our test. This +allows us to add any reports about broken configurations easily, and +making sure we will not run into the same issues again. + +Signed-off-by: David Rheinsberg +--- + src/launch/test-config.c | 97 +++++++++++++++++++++++++++++++++++++--- + 1 file changed, 91 insertions(+), 6 deletions(-) + +diff --git a/src/launch/test-config.c b/src/launch/test-config.c +index 0401a434..c2f8765e 100644 +--- a/src/launch/test-config.c ++++ b/src/launch/test-config.c +@@ -9,6 +9,7 @@ + #include "launch/config.h" + #include "launch/nss-cache.h" + #include "util/dirwatch.h" ++#include "util/syscall.h" + + static const char *test_type2str[_CONFIG_NODE_N] = { + [CONFIG_NODE_BUSCONFIG] = "busconfig", +@@ -35,12 +36,23 @@ static const char *test_type2str[_CONFIG_NODE_N] = { + [CONFIG_NODE_ASSOCIATE] = "associate", + }; + +-static void print_config(const char *path) { ++static int config_memfd(const char *data) { ++ ssize_t n; ++ int fd; ++ ++ fd = syscall_memfd_create("dbus-broker-test-config", 0); ++ c_assert(fd >= 0); ++ n = write(fd, data, strlen(data)); ++ c_assert(n == (ssize_t)strlen(data)); ++ ++ return fd; ++} ++ ++static int parse_config(ConfigRoot **rootp, const char *path) { + _c_cleanup_(config_parser_deinit) ConfigParser parser = CONFIG_PARSER_NULL(parser); + _c_cleanup_(config_root_freep) ConfigRoot *root = NULL; + _c_cleanup_(nss_cache_deinit) NSSCache nss_cache = NSS_CACHE_INIT; + _c_cleanup_(dirwatch_freep) Dirwatch *dirwatch = NULL; +- ConfigNode *i_node; + int r; + + r = dirwatch_new(&dirwatch); +@@ -49,6 +61,32 @@ static void print_config(const char *path) { + config_parser_init(&parser); + + r = config_parser_read(&parser, &root, path, &nss_cache, dirwatch); ++ if (r) ++ return r; ++ 
++ *rootp = root; ++ root = NULL; ++ return 0; ++} ++ ++static int parse_config_inline(ConfigRoot **rootp, const char *data) { ++ _c_cleanup_(c_closep) int fd = -1; ++ _c_cleanup_(c_freep) char *path = NULL; ++ int r; ++ ++ fd = config_memfd(data); ++ r = asprintf(&path, "/proc/self/fd/%d", fd); ++ c_assert(r > 0); ++ ++ return parse_config(rootp, path); ++} ++ ++static void print_config(const char *path) { ++ _c_cleanup_(config_root_freep) ConfigRoot *root = NULL; ++ ConfigNode *i_node; ++ int r; ++ ++ r = parse_config(&root, path); + c_assert(!r); + + c_list_for_each_entry(i_node, &root->node_list, root_link) { +@@ -56,18 +94,65 @@ static void print_config(const char *path) { + } + } + +-static void test_config(void) { ++static void test_config_base(void) { + _c_cleanup_(config_parser_deinit) ConfigParser parser = CONFIG_PARSER_NULL(parser); + + config_parser_init(&parser); + config_parser_deinit(&parser); + } + ++static void test_config_sample0(void) { ++ _c_cleanup_(config_root_freep) ConfigRoot *root = NULL; ++ const char *data; ++ int r; ++ ++ data = ++" \ ++\ ++\ ++ \ ++ \ ++ \ ++ \ ++ \ ++ "; ++ ++ r = parse_config_inline(&root, data); ++ c_assert(r == CONFIG_E_INVALID); ++} ++ ++static void test_config_sample1(void) { ++ _c_cleanup_(config_root_freep) ConfigRoot *root = NULL; ++ const char *data; ++ int r; ++ ++ data = ++" \ ++\ ++\ ++ \ ++ \ ++ \ ++ \ ++ \ ++ \ ++"; ++ ++ r = parse_config_inline(&root, data); ++ c_assert(r == CONFIG_E_INVALID); ++} ++ + int main(int argc, char **argv) { +- if (argc < 2) +- test_config(); +- else ++ if (argc > 1) { + print_config(argv[1]); ++ return 0; ++ } ++ ++ test_config_base(); ++ test_config_sample0(); ++ test_config_sample1(); + + return 0; + } diff --git a/SOURCES/cve-2022-31212.patch b/SOURCES/cve-2022-31212.patch new file mode 100644 index 0000000..0b2f460 --- /dev/null +++ b/SOURCES/cve-2022-31212.patch 
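Review bot: `config_memfd` relies on a single `write()` moving the whole sample, and `parse_config_inline` relies on `/proc/self/fd/%d` to hand that memfd to a path-based parser; neither assumption is written down, so a comment such as `/* Serve the inline sample through a memfd and its /proc/self/fd path, since config_parser_read() only accepts a path. */` above `parse_config_inline` would help the next reader. In `config_memfd`, `strlen(data)` is evaluated twice; `size_t len = strlen(data);` computed once and used in both the `write()` call and the assertion reads cleaner. The sample literals in `test_config_sample0` and `test_config_sample1` show only line continuations on this page, so their content may not have survived rendering and the `CONFIG_E_INVALID` expectations cannot be checked from here.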
@@ -0,0 +1,66 @@ +From 7fd15f8e272136955f7ffc37df29fbca9ddceca1 Mon Sep 17 00:00:00 2001 +From: David Rheinsberg +Date: Tue, 19 Apr 2022 13:11:02 +0200 +Subject: [PATCH] strnspn: fix buffer overflow + +Fix the strnspn and strncspn functions to use a properly sized buffer. +It used to be 1 byte too short. Checking for `0xff` in a string will +thus write `0xff` once byte beyond the stack space of the local buffer. + +Note that the public API does not allow to pass `0xff` to those +functions. Therefore, this is a read-only buffer overrun, possibly +causing bogus reports from the parser, but still well-defined. + +Reported-by: Steffen Robertz +Signed-off-by: David Rheinsberg +--- + /subprojects/c-shquote/src/c-shquote.c | 4 ++-- + /subprojects/c-shquote/src/test-private.c | 6 ++++++ + 2 files changed, 8 insertions(+), 2 deletions(-) + +diff --git a//subprojects/c-shquote/src/c-shquote.c b//subprojects/c-shquote/src/c-shquote.c +index b268906..abb55d6 100644 +--- a//subprojects/c-shquote/src/c-shquote.c ++++ b//subprojects/c-shquote/src/c-shquote.c +@@ -85,7 +85,7 @@ int c_shquote_consume_char(char **outp, + size_t c_shquote_strnspn(const char *string, + size_t n_string, + const char *accept) { +- bool buffer[UCHAR_MAX] = {}; ++ bool buffer[UCHAR_MAX + 1] = {}; + + for ( ; *accept; ++accept) + buffer[(unsigned char)*accept] = true; +@@ -100,7 +100,7 @@ size_t c_shquote_strnspn(const char *string, + size_t c_shquote_strncspn(const char *string, + size_t n_string, + const char *reject) { +- bool buffer[UCHAR_MAX] = {}; ++ bool buffer[UCHAR_MAX + 1] = {}; + + if (strlen(reject) == 1) { + const char *p; +diff --git a//subprojects/c-shquote/src/test-private.c b//subprojects/c-shquote/src/test-private.c +index 57a7250..c6afe40 100644 +--- a//subprojects/c-shquote/src/test-private.c ++++ b//subprojects/c-shquote/src/test-private.c +@@ -148,6 +148,9 @@ static void test_strnspn(void) { + + len = c_shquote_strnspn("ab", 2, "bc"); + c_assert(len == 0); ++ ++ len = 
c_shquote_strnspn("ab", 2, "\xff"); ++ c_assert(len == 0); + } + + static void test_strncspn(void) { +@@ -167,6 +170,9 @@ static void test_strncspn(void) { + + len = c_shquote_strncspn("ab", 2, "cd"); + c_assert(len == 2); ++ ++ len = c_shquote_strncspn("ab", 2, "\xff"); ++ c_assert(len == 2); + } + + static void test_discard_comment(void) { diff --git a/SOURCES/cve-2022-31213.patch b/SOURCES/cve-2022-31213.patch new file mode 100644 index 0000000..683084b --- /dev/null +++ b/SOURCES/cve-2022-31213.patch @@ -0,0 +1,35 @@ +From 4fefc3908ce527de4ca3d7386886c2447d6b4c14 Mon Sep 17 00:00:00 2001 +From: David Rheinsberg +Date: Tue, 19 Apr 2022 13:29:53 +0200 +Subject: [PATCH] launch/config: keep empty cdata around + +We expect the `node->cdata` pointer to contain the actual content of an +XML entry. Make sure it is initialized to an empty string, so we can +dereference it without checking for validity everywhere. + +Note that we want it to be an owned string, to allow claiming the value. +We will avoid any `n_cdata + 'static ""` here, to keep the code simple. +The performance of that strdup() merely affects XML parsing, no bus +runtime. + +Reported-by: Steffen Robertz +Signed-off-by: David Rheinsberg +--- + src/launch/config.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/launch/config.c b/src/launch/config.c +index 490d7b7d..cb7e3fae 100644 +--- a/src/launch/config.c ++++ b/src/launch/config.c +@@ -133,6 +133,10 @@ int config_node_new(ConfigNode **nodep, ConfigNode *parent, unsigned int type) { + break; + } + ++ node->cdata = strdup(""); ++ if (!node->cdata) ++ return error_origin(-ENOMEM); ++ + *nodep = node; + node = NULL; + return 0; diff --git a/SPECS/dbus-broker.spec b/SPECS/dbus-broker.spec index 1be1236..75a05ec 100644 --- a/SPECS/dbus-broker.spec +++ b/SPECS/dbus-broker.spec 
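Review bot: The new `c_shquote_strncspn("ab", 2, "\xff")` test in `test_strncspn` passes a one-byte reject set, and the hunk shows `if (strlen(reject) == 1) {` branching right after the enlarged `buffer`, so that test most likely never reaches the table the fix enlarges (the branch body lies outside the hunk). A second call with a two-byte set, `len = c_shquote_strncspn("ab", 2, "c\xff"); c_assert(len == 2);`, would exercise the table path. Both new tests also only place `0xff` in the accept/reject set; a call with `0xff` inside `string`, e.g. `len = c_shquote_strnspn("\xff", 1, "\xff"); c_assert(len == 1);`, would cover the lookup side, which is outside the hunk. Note that the message calls the bug a read-only overrun while `buffer[(unsigned char)*accept] = true;` in the hunk is a store; the message's remark that the public API cannot pass `0xff` is what keeps that claim plausible, and the enclosing functions continue past the hunk.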
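Review bot: `node->cdata` now always holds an owned empty string, so any later code that stores parsed character data into `node->cdata` must free this placeholder first or every node with content leaks one allocation; that code is outside the hunk. Likewise, any existing `if (node->cdata)` test meaning "has content" silently changes meaning and should become `if (*node->cdata)`. On the `-ENOMEM` path the partially built `node` is presumably released by the cleanup attribute that the trailing `node = NULL;` hints at, which is worth confirming since the declaration is outside the hunk. A one-line comment at the assignment, `/* Always owned and never NULL, so callers may dereference cdata unconditionally. */`, would record the invariant the commit introduces.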
@@ -2,13 +2,16 @@ Name: dbus-broker Version: 28 -Release: 5%{?dist} +Release: 7%{?dist} Summary: Linux D-Bus Message Broker License: ASL 2.0 URL: https://github.com/bus1/dbus-broker Source0: https://github.com/bus1/dbus-broker/releases/download/v%{version}/dbus-broker-%{version}.tar.xz Patch0000: https://github.com/bus1/dbus-broker/commit/1add8a7d60e46806e0ef87994d3024245db0d84a.patch Patch0001: https://github.com/bus1/dbus-broker/commit/b82b670bfec6600d0144bcb9ca635fb07c80118f.patch +Patch0002: cve-2022-31212.patch +Patch0003: cve-2022-31213.patch +Patch0004: https://github.com/bus1/dbus-broker/commit/33e0595b1c7cf8fa0e7ca3a353f4380c1307dc25.patch %{?systemd_requires} BuildRequires: pkgconfig(audit) BuildRequires: pkgconfig(expat) @@ -95,6 +98,16 @@ fi %{_userunitdir}/dbus-broker.service %changelog +* Mon Aug 22 2022 Frantisek Sumsal - 28-7 +- Add coverage for CVE-2022-31213 and other config-file-related issues +Related: CVE-2022-31213 + +* Tue Aug 02 2022 Jakub Martisko - 28-6 +- Fix a stack buffer over-read in the c-shquote library +- Fix null pointer reference when supplying a malformed XML config file +Resolves: CVE-2022-31212 +Resolves: CVE-2022-31213 + * Mon Aug 09 2021 Mohan Boddu - 28-5 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Related: rhbz#1991688