From 4d5d3bb949b97606d84921217882f66e2053158e Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Aug 02 2016 13:53:30 +0000
Subject: import dbus-1.6.12-14.el7_2


---

diff --git a/SOURCES/dbus-1.6.12-avoid-corrupting-multiple-fds.patch b/SOURCES/dbus-1.6.12-avoid-corrupting-multiple-fds.patch
new file mode 100644
index 0000000..ec49262
--- /dev/null
+++ b/SOURCES/dbus-1.6.12-avoid-corrupting-multiple-fds.patch
@@ -0,0 +1,36 @@
+From 07f4c12efe3b9bd45d109bc5fbaf6d9dbf69d78e Mon Sep 17 00:00:00 2001
+From: Simon McVittie <simon.mcvittie@collabora.co.uk>
+Date: Wed, 11 Jun 2014 12:24:20 +0100
+Subject: If loader contains two messages with fds, don't corrupt the second
+
+There were two bugs here: we would previously overwrite the unused
+fds with the already-used fds instead of the other way round, and
+we would copy n bytes where we should have copied n ints.
+
+Additionally, sending crafted messages in a chosen sequence to a victim
+system service could cause an invalid file descriptor to be present
+when dbus-daemon tries to forward one of those crafted messages to the
+victim, causing sendmsg() to fail with EBADF, which resulted in
+disconnecting the victim service, which would likely respond to that
+by exiting. This is a denial of service (fd.o #80469, CVE-2014-3533).
+
+Bug: https://bugs.freedesktop.org/show_bug.cgi?id=79694
+Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80469
+Reviewed-by: Alban Crequy <alban.crequy@collabora.co.uk>
+
+diff --git a/dbus/dbus-message.c b/dbus/dbus-message.c
+index c6953d0..78df755 100644
+--- a/dbus/dbus-message.c
++++ b/dbus/dbus-message.c
+@@ -4204,7 +4204,7 @@ load_message (DBusMessageLoader *loader,
+ 
+       message->n_unix_fds_allocated = message->n_unix_fds = n_unix_fds;
+       loader->n_unix_fds -= n_unix_fds;
+-      memmove(loader->unix_fds + n_unix_fds, loader->unix_fds, loader->n_unix_fds);
++      memmove (loader->unix_fds, loader->unix_fds + n_unix_fds, loader->n_unix_fds * sizeof (loader->unix_fds[0]));
+     }
+   else
+     message->unix_fds = NULL;
+-- 
+cgit v0.10.2
+
diff --git a/SPECS/dbus.spec b/SPECS/dbus.spec
index 048ed94..d51b616 100644
--- a/SPECS/dbus.spec
+++ b/SPECS/dbus.spec
@@ -13,7 +13,7 @@ Summary: D-BUS message bus
 Name: dbus
 Epoch: 1
 Version: 1.6.12
-Release: 13%{?dist}
+Release: 14%{?dist}
 URL: http://www.freedesktop.org/software/dbus/
 #VCS: git:git://git.freedesktop.org/git/dbus/dbus
 Source0: http://dbus.freedesktop.org/releases/dbus/%{name}-%{version}.tar.gz
@@ -62,6 +62,9 @@ Patch8: dbus-1.6.12-reduce-session-conf-fd-limits.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=949022
 Patch9: dbus-1.6.12-refresh-man-pages-and-dbus-launch-help.patch
 
+# https://bugzilla.redhat.com/show_bug.cgi?id=1325870
+Patch10: dbus-1.6.12-avoid-corrupting-multiple-fds.patch
+
 %description
 D-BUS is a system for sending messages between applications. It is
 used both for the system-wide message bus service, and as a
@@ -119,6 +122,7 @@ in this separate package so server systems need not install X.
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
+%patch10 -p1
 
 %build
 if test -f autogen.sh; then env NOCONFIGURE=1 ./autogen.sh; else autoreconf -v -f -i; fi
@@ -264,6 +268,9 @@ fi
 %{_includedir}/*
 
 %changelog
+* Tue Apr 26 2016 David King <dking@redhat.com> - 1:1.6.12-14
+- Close multiple fds correctly (#1325870)
+
 * Fri May 29 2015 David King <dking@redhat.com> - 1:1.6.12-13
 - Fix bogus dates in changelog (#1054193)