From ad543f975b5702508d7fd407a90fe969f6615166 Mon Sep 17 00:00:00 2001
From: Leo <thinkabit.ukim@gmail.com>
Date: Wed, 3 Jun 2020 11:16:50 -0300
Subject: main/dbus: fix CVE-2020-12049

---
 main/dbus/APKBUILD             |   8 +++-
 main/dbus/CVE-2020-12049.patch | 103 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 109 insertions(+), 2 deletions(-)
 create mode 100644 main/dbus/CVE-2020-12049.patch

(limited to 'main/dbus')

diff --git a/main/dbus/APKBUILD b/main/dbus/APKBUILD
index ee9fdc492a0..fae169cfdab 100644
--- a/main/dbus/APKBUILD
+++ b/main/dbus/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=dbus
 pkgver=1.10.28
-pkgrel=0
+pkgrel=1
 pkgdesc="Freedesktop.org message bus system"
 url="http://www.freedesktop.org/Software/dbus"
 pkggroups="messagebus"
@@ -17,12 +17,15 @@ makedepends="$depends_dev expat-dev libx11-dev autoconf automake libtool xmlto
 install="$pkgname.pre-install $pkgname.post-install"
 source="https://dbus.freedesktop.org/releases/dbus/dbus-$pkgver.tar.gz
 	fix-int64-print.patch
+	CVE-2020-12049.patch
 	$pkgname.initd
 	"
 
 # secfixes:
+#   1.12.28-r1:
+#     - CVE-2020-12049
 #   1.10.28-r0:
-#   - CVE-2019-12749
+#     - CVE-2019-12749
 
 prepare() {
 	default_prepare
@@ -75,4 +78,5 @@ x11() {
 
 sha512sums="d699e5c115dd33c7667c32bf66db0a211e98678ba4b6a155541a705af2819cd45868ca9d33d57a2df7fb1a1ac072e09c8607157a7cd3f8664292c118ae164f61  dbus-1.10.28.tar.gz
 5f07d8cb377ab80c927a77236c3f3437f08351161e594c62a1ad43f0324c2dba3cc98d50257ae27b9a4f5148571c5f26f35db8b40f13c72e92f267d5356c87f0  fix-int64-print.patch
+f05e2d14f072da81186e8a70d0895b37ee8f17c566b71865a72419218562e0f08544b7ea04daf6682dec5ff9ebab440c015f57a05abfb93610ec77caf9c2da97  CVE-2020-12049.patch
 df74e7d6a4f76f777d356e94bd23422b17656aa51a5b2d3c655fcabb32c84f2f06b9f5cd8827920d51842f89e8c0d968a6e723315e4bf216e55711fcda9b0ee9  dbus.initd"
diff --git a/main/dbus/CVE-2020-12049.patch b/main/dbus/CVE-2020-12049.patch
new file mode 100644
index 00000000000..f1b04b4a650
--- /dev/null
+++ b/main/dbus/CVE-2020-12049.patch
@@ -0,0 +1,103 @@
+This is a combination of
+
+https://gitlab.freedesktop.org/dbus/dbus/-/commit/8bc1381819e5a845331650bfa28dacf6d2ac1748.patch
+https://gitlab.freedesktop.org/dbus/dbus/-/commit/272d484283883fa9ff95b69d924fff6cd34842f5.patch
+
+Applied against the 1.10 tree (the commits are for 1.12)
+
+diff --git a/dbus/dbus-sysdeps-unix.c b/dbus/dbus-sysdeps-unix.c
+index b730971..4b0e390 100644
+--- a/dbus/dbus-sysdeps-unix.c
++++ b/dbus/dbus-sysdeps-unix.c
+@@ -432,18 +432,6 @@ _dbus_read_socket_with_unix_fds (DBusSocket        fd,
+       struct cmsghdr *cm;
+       dbus_bool_t found = FALSE;
+ 
+-      if (m.msg_flags & MSG_CTRUNC)
+-        {
+-          /* Hmm, apparently the control data was truncated. The bad
+-             thing is that we might have completely lost a couple of fds
+-             without chance to recover them. Hence let's treat this as a
+-             serious error. */
+-
+-          errno = ENOSPC;
+-          _dbus_string_set_length (buffer, start);
+-          return -1;
+-        }
+-
+       for (cm = CMSG_FIRSTHDR(&m); cm; cm = CMSG_NXTHDR(&m, cm))
+         if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_RIGHTS)
+           {
+@@ -498,6 +486,26 @@ _dbus_read_socket_with_unix_fds (DBusSocket        fd,
+       if (!found)
+         *n_fds = 0;
+ 
++      if (m.msg_flags & MSG_CTRUNC)
++        {
++          unsigned int i;
++
++          /* Hmm, apparently the control data was truncated. The bad
++             thing is that we might have completely lost a couple of fds
++             without chance to recover them. Hence let's treat this as a
++             serious error. */
++
++          /* We still need to close whatever fds we *did* receive,
++           * otherwise they'll never get closed. (CVE-2020-12049) */
++          for (i = 0; i < *n_fds; i++)
++            close (fds[i]);
++
++          *n_fds = 0;
++          errno = ENOSPC;
++          _dbus_string_set_length (buffer, start);
++          return -1;
++        }
++
+       /* put length back (doesn't actually realloc) */
+       _dbus_string_set_length (buffer, start + bytes_read);
+ 
+diff --git a/test/fdpass.c b/test/fdpass.c
+index 665b4a1..d8d9c67 100644
+--- a/test/fdpass.c
++++ b/test/fdpass.c
+@@ -50,6 +50,14 @@
+ 
+ #include "test-utils-glib.h"
+ 
++#ifdef DBUS_ENABLE_EMBEDDED_TESTS
++#include <dbus/dbus-message-internal.h>
++#else
++typedef struct _DBusInitialFDs DBusInitialFDs;
++#define _dbus_check_fdleaks_enter() NULL
++#define _dbus_check_fdleaks_leave(fds) do {} while (0)
++#endif
++
+ /* Arbitrary; included here to avoid relying on the default */
+ #define MAX_MESSAGE_UNIX_FDS 20
+ /* This test won't work on Linux unless this is true. */
+@@ -91,6 +99,7 @@ typedef struct {
+     GQueue messages;
+ 
+     int fd_before;
++    DBusInitialFDs *initial_fds;
+ } Fixture;
+ 
+ static void oom (const gchar *doing) G_GNUC_NORETURN;
+@@ -172,6 +181,8 @@ test_connect (Fixture *f,
+ {
+   char *address;
+ 
++  f->initial_fds = _dbus_check_fdleaks_enter ();
++
+   g_assert (f->left_server_conn == NULL);
+   g_assert (f->right_server_conn == NULL);
+ 
+@@ -835,6 +846,9 @@ teardown (Fixture *f,
+   if (f->fd_before >= 0 && close (f->fd_before) < 0)
+     g_error ("%s", g_strerror (errno));
+ #endif
++
++  if (f->initial_fds != NULL)
++    _dbus_check_fdleaks_leave (f->initial_fds);
+ }
+ 
+ int
-- 
cgit v1.2.3