diff --git a/SOURCES/dbus-1.12.8-fix-CVE-2020-12049.patch b/SOURCES/dbus-1.12.8-fix-CVE-2020-12049.patch
new file mode 100644
index 0000000..181751f
--- /dev/null
+++ b/SOURCES/dbus-1.12.8-fix-CVE-2020-12049.patch
@@ -0,0 +1,74 @@
+From 872b085f12f56da25a2dbd9bd0b2dff31d5aea63 Mon Sep 17 00:00:00 2001
+From: Simon McVittie <smcv@collabora.com>
+Date: Thu, 16 Apr 2020 14:45:11 +0100
+Subject: [PATCH] sysdeps-unix: On MSG_CTRUNC, close the fds we did receive
+
+MSG_CTRUNC indicates that we have received fewer fds that we should
+have done because the buffer was too small, but we were treating it
+as though it indicated that we received *no* fds. If we received any,
+we still have to make sure we close them, otherwise they will be leaked.
+
+On the system bus, if an attacker can induce us to leak fds in this
+way, that's a local denial of service via resource exhaustion.
+
+Reported-by: Kevin Backhouse, GitHub Security Lab
+Fixes: dbus#294
+Fixes: CVE-2020-12049
+Fixes: GHSL-2020-057
+---
+ dbus/dbus-sysdeps-unix.c | 32 ++++++++++++++++++++------------
+ 1 file changed, 20 insertions(+), 12 deletions(-)
+
+diff --git a/dbus/dbus-sysdeps-unix.c b/dbus/dbus-sysdeps-unix.c
+index b5fc24663..b176dae1a 100644
+--- a/dbus/dbus-sysdeps-unix.c
++++ b/dbus/dbus-sysdeps-unix.c
+@@ -435,18 +435,6 @@ _dbus_read_socket_with_unix_fds (DBusSocket        fd,
+       struct cmsghdr *cm;
+       dbus_bool_t found = FALSE;
+ 
+-      if (m.msg_flags & MSG_CTRUNC)
+-        {
+-          /* Hmm, apparently the control data was truncated. The bad
+-             thing is that we might have completely lost a couple of fds
+-             without chance to recover them. Hence let's treat this as a
+-             serious error. */
+-
+-          errno = ENOSPC;
+-          _dbus_string_set_length (buffer, start);
+-          return -1;
+-        }
+-
+       for (cm = CMSG_FIRSTHDR(&m); cm; cm = CMSG_NXTHDR(&m, cm))
+         if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_RIGHTS)
+           {
+@@ -501,6 +489,26 @@ _dbus_read_socket_with_unix_fds (DBusSocket        fd,
+       if (!found)
+         *n_fds = 0;
+ 
++      if (m.msg_flags & MSG_CTRUNC)
++        {
++          unsigned int i;
++
++          /* Hmm, apparently the control data was truncated. The bad
++             thing is that we might have completely lost a couple of fds
++             without chance to recover them. Hence let's treat this as a
++             serious error. */
++
++          /* We still need to close whatever fds we *did* receive,
++           * otherwise they'll never get closed. (CVE-2020-12049) */
++          for (i = 0; i < *n_fds; i++)
++            close (fds[i]);
++
++          *n_fds = 0;
++          errno = ENOSPC;
++          _dbus_string_set_length (buffer, start);
++          return -1;
++        }
++
+       /* put length back (doesn't actually realloc) */
+       _dbus_string_set_length (buffer, start + bytes_read);
+ 
+-- 
+GitLab
+
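Review bot: The close loop in the relocated `MSG_CTRUNC` branch of `_dbus_read_socket_with_unix_fds` trusts `*n_fds` and `fds[]` exactly as the `SCM_RIGHTS` loop above it left them, and that loop sits between the two embedded hunks and is not visible here. If `*n_fds` could still hold the caller's buffer capacity on any path, the loop would call `close()` on array slots that were never filled with received descriptors. The `if (!found) *n_fds = 0;` context line covers the case with no control message, but the found case should be confirmed against the 1.12.8 tree this backport applies to. I would also record the ordering constraint beside the assignment, for example `/* set errno after the close() loop: close() may overwrite it */`. The function body starts and ends outside both embedded hunks.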
diff --git a/SPECS/dbus.spec b/SPECS/dbus.spec
index 483812b..d6c8268 100644
--- a/SPECS/dbus.spec
+++ b/SPECS/dbus.spec
@@ -19,7 +19,7 @@
 Name:    dbus
 Epoch:   1
 Version: 1.12.8
-Release: 9%{?dist}
+Release: 11%{?dist}
 Summary: D-BUS message bus
 
 Group:   System Environment/Libraries
@@ -33,6 +33,8 @@ Source1: 00-start-message-bus.sh
 Patch0: 0001-tools-Use-Python3-for-GetAllMatchRules.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1725570
 Patch1: dbus-1.12.8-fix-CVE-2019-12749.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1851997
+Patch2: dbus-1.12.8-fix-CVE-2020-12049.patch
 
 BuildRequires: autoconf-archive
 BuildRequires: libtool
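Review bot: Adding `Patch2:` only declares the CVE-2020-12049 fix; nothing visible in this diff applies it, and the existing changelog entry "Ensure that patches are applied (#1725570)" suggests this spec has shipped a declared-but-unapplied patch before. If the prep section (outside these hunks) lists patches individually rather than using `%autosetup`/`%autopatch`, it needs a matching `%patch2 -p1` line. Either way, it is worth confirming from the build log that the patch is applied to `dbus/dbus-sysdeps-unix.c` before this release ships as the fix.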
@@ -214,6 +216,7 @@ ln -s dbus.service %{buildroot}%{_unitdir}/messagebus.service
 ## %find_lang %{gettext_package}
 
 install --directory %{buildroot}/var/lib/dbus
+install --directory %{buildroot}/run/dbus
 
 install -pm 644 -t %{buildroot}%{_pkgdocdir} \
     doc/introspect.dtd doc/introspect.xsl doc/system-activation.txt
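Review bot: The new `install --directory %{buildroot}/run/dbus` line has no comment saying why a runtime directory is created at build time, so a later cleanup could easily remove it. Judging by the changelog entry "Improve permissions on ghosted /run/dbus (#1797833)", it presumably exists so that the ghosted entry in the files list (not visible in this diff) is recorded with a real mode. I would add a line above it such as `# Create /run/dbus in the buildroot so the ghosted directory is packaged with a real mode (#1797833)`, keeping macros out of the comment because rpm expands them there. Stating the mode explicitly with `--mode=0755` would also make the intended permissions reviewable in the spec itself.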
@@ -396,6 +399,12 @@ popd
 
 
 %changelog
+* Tue Jun 30 2020 David King <dking@redhat.com> - 1:1.12.8-11
+- Fix CVE-2020-12049 (#1851997)
+
+* Mon Apr 06 2020 David King <dking@redhat.com> - 1:1.12.8-10
+- Improve permissions on ghosted /run/dbus (#1797833)
+
 * Thu Aug 01 2019 David King <dking@redhat.com> - 1:1.12.8-9
 - Ensure that patches are applied (#1725570)