main/dbus: fix CVE-2020-12049

author: Leo <thinkabit.ukim@gmail.com> 2020-06-03 11:13:44 -0300
committer: Leo <thinkabit.ukim@gmail.com> 2020-06-03 15:31:39 +0000
commit: 2e63f747fe1e60480c416caab757d16e9c4765e7 (patch)
tree: 7c941359e7d09e83052377a2bad796230c8f0b73
parent: 9677580919b73ca6eff94d3d31b9a846b4e40612 (diff)
3 files changed, 150 insertions, 3 deletions
diff --git a/main/dbus/APKBUILD b/main/dbus/APKBUILD
index 26d941eaef7..0313841dfc0 100644
--- a/main/dbus/APKBUILD
+++ b/main/dbus/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=dbus
 pkgver=1.12.16
-pkgrel=0
+pkgrel=1
 pkgdesc="Freedesktop.org message bus system"
 url="https://www.freedesktop.org/Software/dbus"
 pkggroups="messagebus"
@@ -16,11 +16,15 @@ makedepends="$depends_dev expat-dev libx11-dev autoconf automake libtool xmlto
 install="$pkgname.pre-install $pkgname.post-install"
 source="https://dbus.freedesktop.org/releases/dbus/dbus-$pkgver.tar.gz
 	$pkgname.initd
+	CVE-2020-12049-part1.patch
+	CVE-2020-12049-part2.patch
 	"
 
 # secfixes:
+#   1.12.16-r1:
+#     - CVE-2020-12049
 #   1.12.16-r0:
-#   - CVE-2019-12749
+#     - CVE-2019-12749
 
 build() {
 	cd "$srcdir"/$pkgname-$pkgver
@@ -68,4 +72,6 @@ x11() {
 }
 
 sha512sums="27ae805170e9515a8bb0fba5f29d414edc70e3b6b28b7b65bbea47035b8eafa9ac4820cdc92645be6035f6748f8aa45679e1ffc84ba74a64859a3056d318b9bb  dbus-1.12.16.tar.gz
-f3d924e0f0fdced39f0470fac362834acf9f346acdfadbcdf44f627a1b550a69d1d04b3760ff06dc86a7335824f48d3c1faa09a17071e08731705a5fb016a155  dbus.initd"
+f3d924e0f0fdced39f0470fac362834acf9f346acdfadbcdf44f627a1b550a69d1d04b3760ff06dc86a7335824f48d3c1faa09a17071e08731705a5fb016a155  dbus.initd
+553babd159d4a24876f02f024db2821afce69ada16fee9e34bd19001e18515ccf15de0493eab1acb6d9a457a4116b3760f61db082b2934d2d0a937d20dce2936  CVE-2020-12049-part1.patch
+2513c9167d4c7b95b50fdff9b4615a675873bbc2f3b9dbce2527bf1acdf6d9815435fb0e2ac73840ac1dd6c212288cdab0dd8cf85790123c2a03fb74ffd2a20e  CVE-2020-12049-part2.patch"
diff --git a/main/dbus/CVE-2020-12049-part1.patch b/main/dbus/CVE-2020-12049-part1.patch
new file mode 100644
index 00000000000..40b16c3f100
--- /dev/null
+++ b/main/dbus/CVE-2020-12049-part1.patch
@@ -0,0 +1,75 @@
+From 272d484283883fa9ff95b69d924fff6cd34842f5 Mon Sep 17 00:00:00 2001
+From: Simon McVittie <smcv@collabora.com>
+Date: Thu, 16 Apr 2020 14:45:11 +0100
+Subject: [PATCH] sysdeps-unix: On MSG_CTRUNC, close the fds we did receive
+
+MSG_CTRUNC indicates that we have received fewer fds that we should
+have done because the buffer was too small, but we were treating it
+as though it indicated that we received *no* fds. If we received any,
+we still have to make sure we close them, otherwise they will be leaked.
+
+On the system bus, if an attacker can induce us to leak fds in this
+way, that's a local denial of service via resource exhaustion.
+
+Reported-by: Kevin Backhouse, GitHub Security Lab
+Fixes: dbus#294
+Fixes: CVE-2020-12049
+Fixes: GHSL-2020-057
+---
+ dbus/dbus-sysdeps-unix.c | 32 ++++++++++++++++++++------------
+ 1 file changed, 20 insertions(+), 12 deletions(-)
+
+diff --git a/dbus/dbus-sysdeps-unix.c b/dbus/dbus-sysdeps-unix.c
+index e8cd5b33..f9dc2a6e 100644
+--- a/dbus/dbus-sysdeps-unix.c
++++ b/dbus/dbus-sysdeps-unix.c
+@@ -435,18 +435,6 @@ _dbus_read_socket_with_unix_fds (DBusSocket        fd,
+       struct cmsghdr *cm;
+       dbus_bool_t found = FALSE;
+ 
+-      if (m.msg_flags & MSG_CTRUNC)
+-        {
+-          /* Hmm, apparently the control data was truncated. The bad
+-             thing is that we might have completely lost a couple of fds
+-             without chance to recover them. Hence let's treat this as a
+-             serious error. */
+-
+-          errno = ENOSPC;
+-          _dbus_string_set_length (buffer, start);
+-          return -1;
+-        }
+-
+       for (cm = CMSG_FIRSTHDR(&m); cm; cm = CMSG_NXTHDR(&m, cm))
+         if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_RIGHTS)
+           {
+@@ -501,6 +489,26 @@ _dbus_read_socket_with_unix_fds (DBusSocket        fd,
+       if (!found)
+         *n_fds = 0;
+ 
++      if (m.msg_flags & MSG_CTRUNC)
++        {
++          unsigned int i;
++
++          /* Hmm, apparently the control data was truncated. The bad
++             thing is that we might have completely lost a couple of fds
++             without chance to recover them. Hence let's treat this as a
++             serious error. */
++
++          /* We still need to close whatever fds we *did* receive,
++           * otherwise they'll never get closed. (CVE-2020-12049) */
++          for (i = 0; i < *n_fds; i++)
++            close (fds[i]);
++
++          *n_fds = 0;
++          errno = ENOSPC;
++          _dbus_string_set_length (buffer, start);
++          return -1;
++        }
++
+       /* put length back (doesn't actually realloc) */
+       _dbus_string_set_length (buffer, start + bytes_read);
+ 
+-- 
+2.26.2
+
+
diff --git a/main/dbus/CVE-2020-12049-part2.patch b/main/dbus/CVE-2020-12049-part2.patch
new file mode 100644
index 00000000000..1f64048acec
--- /dev/null
+++ b/main/dbus/CVE-2020-12049-part2.patch
@@ -0,0 +1,66 @@
+From 8bc1381819e5a845331650bfa28dacf6d2ac1748 Mon Sep 17 00:00:00 2001
+From: Simon McVittie <smcv@collabora.com>
+Date: Thu, 16 Apr 2020 14:41:48 +0100
+Subject: [PATCH] fdpass test: Assert that we don't leak file descriptors
+
+This version is for the dbus-1.12 branch, and doesn't rely on dbus!153
+or dbus!120.
+
+Reproduces: dbus#294
+Reproduces: CVE-2020-12049
+Reproduces: GHSL-2020-057
+Signed-off-by: Simon McVittie <smcv@collabora.com>
+---
+ test/fdpass.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/test/fdpass.c b/test/fdpass.c
+index 4a3edc4e..8bad675f 100644
+--- a/test/fdpass.c
++++ b/test/fdpass.c
+@@ -50,6 +50,14 @@
+ 
+ #include "test-utils-glib.h"
+ 
++#ifdef DBUS_ENABLE_EMBEDDED_TESTS
++#include <dbus/dbus-message-internal.h>
++#else
++typedef struct _DBusInitialFDs DBusInitialFDs;
++#define _dbus_check_fdleaks_enter() NULL
++#define _dbus_check_fdleaks_leave(fds) do {} while (0)
++#endif
++
+ /* Arbitrary; included here to avoid relying on the default */
+ #define MAX_MESSAGE_UNIX_FDS 20
+ /* This test won't work on Linux unless this is true. */
+@@ -92,6 +100,7 @@ typedef struct {
+     GQueue messages;
+ 
+     int fd_before;
++    DBusInitialFDs *initial_fds;
+ } Fixture;
+ 
+ static void oom (const gchar *doing) G_GNUC_NORETURN;
+@@ -176,6 +185,8 @@ test_connect (Fixture *f,
+   if (f->skip)
+     return;
+ 
++  f->initial_fds = _dbus_check_fdleaks_enter ();
++
+   g_assert (f->left_server_conn == NULL);
+   g_assert (f->right_server_conn == NULL);
+ 
+@@ -871,6 +882,9 @@ teardown (Fixture *f,
+   if (f->fd_before >= 0 && close (f->fd_before) < 0)
+     g_error ("%s", g_strerror (errno));
+ #endif
++
++  if (f->initial_fds != NULL)
++    _dbus_check_fdleaks_leave (f->initial_fds);
+ }
+ 
+ int
+-- 
+2.26.2
+
+
author	Leo <thinkabit.ukim@gmail.com>	2020-06-03 11:13:44 -0300
committer	Leo <thinkabit.ukim@gmail.com>	2020-06-03 15:31:39 +0000
commit	2e63f747fe1e60480c416caab757d16e9c4765e7 (patch)
tree	7c941359e7d09e83052377a2bad796230c8f0b73
parent	9677580919b73ca6eff94d3d31b9a846b4e40612 (diff)