ZhuningOS/dbus-1
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Initialize for dbus-1

Browse source
This commit is contained in:
zyppe 2024-02-06 18:30:52 +08:00
commit 99996659ae
19 changed files with 3670 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
.dbus-1.metadata Normal file
View file

@ -0,0 +1 @@
47e96d9da9fb876ce3d8ac0b4c3d7e35e8ecdaa9fddd40e2515f516185b3ef52 dbus-1.12.2.tar.gz

1
.gitignore vendored Normal file
View file

@ -0,0 +1 @@
dbus-1.12.2.tar.gz

6
baselibs.conf Normal file
View file

@ -0,0 +1,6 @@
dbus-1
dbus-1-devel
requires "libdbus-1-3-<targettype> = <version>"
libdbus-1-3
obsoletes "dbus-1-<targettype> < <version>"
provides "dbus-1-<targettype> = <version>"

2225
dbus-1.changes Normal file
View file

File diff suppressed because it is too large Load diff

4
dbus-1.desktop Normal file
View file

@ -0,0 +1,4 @@
[Desktop Entry]
Name=D-Bus API Documentation
DocPath=/usr/share/doc/packages/dbus-1-devel/html/index.html
X-DOC-SearchMethod=htdig

380
dbus-1.spec Normal file
View file

@ -0,0 +1,380 @@
#
# spec file for package dbus-1
#
# Copyright (c) 2022-2023 ZhuningOS
#
%define with_systemd 1
%define _name dbus
%define _libname libdbus-1-3
# Temporary code to disable service restart on update sflees@suse.de boo#1020301
%global _backup /etc/sysconfig/services.rpmbak.%{name}-%{version}-%{release}
%if 0%{?suse_version} <= 1320
%define _userunitdir %{_prefix}/lib/systemd/user
%endif
%bcond_without selinux
Name: dbus-1
Version: 1.12.2
Release: 150400.18.8.1
Summary: D-Bus Message Bus System
License: GPL-2.0-or-later OR AFL-2.1
Group: System/Daemons
Url: http://dbus.freedesktop.org/
Source0: http://dbus.freedesktop.org/releases/dbus/%{_name}-%{version}.tar.gz
Source2: dbus-1.desktop
Source3: dbus_at_console.ck
Source4: baselibs.conf
Patch0: feature-suse-log-deny.patch
# PATCH-FIX-OPENSUSE coolo@suse.de -- force a feature configure won't accept without x11 in buildrequires
Patch1: feature-suse-do-autolaunch.patch
# Patch-Feature-opensuse sflees@suse.de, users shouldn't be allowed to start / stop the dbus service.
Patch2: feature-suse-refuse-manual-start-stop.patch
Patch3: fix-CVE-2019-12749.patch
# bsc#1187105
Patch4: fix-upstream-userdb-constpointer.patch
Patch5: fix-upstream-CVE-2020-35512.patch
# bsc#1172505
Patch6: fix-upstream-CVE-2020-12049.patch
Patch7: fix-upstream-CVE-2020-12049_2.patch
Patch8: fix-upstream-CVE-2022-42010.patch
Patch9: fix-upstream-CVE-2022-42011.patch
Patch10: fix-upstream-CVE-2022-42012.patch
Patch11: fix-upstream-CVE-2023-34969.patch
BuildRequires: audit-devel
BuildRequires: autoconf-archive
BuildRequires: doxygen
BuildRequires: libcap-ng-devel
BuildRequires: libexpat-devel >= 2.1.0
BuildRequires: libtool
BuildRequires: permissions
BuildRequires: pkg-config
BuildRequires: update-desktop-files
BuildRequires: xmlto
BuildRequires: pkgconfig(libsystemd) >= 209
Requires(post): %{_libname} = %{version}
Requires(post): update-alternatives
Requires(pre): permissions
Requires(pre): shadow
Requires(preun): update-alternatives
Provides: dbus-launch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%if %{with selinux}
BuildRequires: libselinux-devel
%endif
%package -n %{_libname}
Summary: Library package for D-Bus
Group: Development/Libraries/Other
%package devel
Summary: Developer package for D-Bus
Group: Development/Libraries/Other
Requires: %{_libname} = %{version}
Requires: dbus-1 = %{version}
Requires: glibc-devel
%package devel-doc
Summary: Developer documentation package for D-Bus
Group: Development/Libraries/Other
Requires: dbus-1 = %{version}
BuildArch: noarch
%description
D-Bus is a message bus system, a simple way for applications to talk to
one another. D-Bus supplies both a system daemon and a
per-user-login-session daemon. Also, the message bus is built on top of
a general one-to-one message passing framework, which can be used by
any two apps to communicate directly (without going through the message
bus daemon).
%description -n %{_libname}
D-Bus is a message bus system, a simple way for applications to talk to
one another. D-Bus supplies both a system daemon and a
per-user-login-session daemon. Also, the message bus is built on top of
a general one-to-one message passing framework, which can be used by
any two apps to communicate directly (without going through the message
bus daemon).
%description devel
D-Bus is a message bus system, a simple way for applications to talk to
one another. D-Bus supplies both a system daemon and a
per-user-login-session daemon. Also, the message bus is built on top of
a general one-to-one message passing framework, which can be used by
any two apps to communicate directly (without going through the message
bus daemon).
%description devel-doc
D-Bus is a message bus system, a simple way for applications to talk to
one another. D-BUS supplies both a system daemon and a
per-user-login-session daemon. Also, the message bus is built on top of
a general one-to-one message passing framework, which can be used by
any two apps to communicate directly (without going through the message
bus daemon).
%prep
%setup -q -n %{_name}-%{version}
%autopatch -p1
%build
echo 'HTML_TIMESTAMP=NO' >> Doxyfile.in
autoreconf -fi
# We use -fpie/-pie for the whole build; this is the recommended way to harden
# the build upstream, see discussion in fdo#46570
export CFLAGS="%{optflags} -fno-strict-aliasing -fPIC -fpie"
export LDFLAGS="-pie"
export CXXFLAGS="%{optflags} -fno-strict-aliasing"
export V=1
# is_opensuse was first defined after openSUSE 13.2
%configure \
--disable-static \
--disable-asserts \
--libexecdir=%{_libexecdir}/dbus-1 \
--enable-inotify \
--enable-doxygen-docs \
%if %{with selinux}
--enable-selinux \
%endif
--enable-systemd \
--enable-user-session \
--enable-libaudit \
%if 0%{?suse_version} <= 1315 && !0%{?is_opensuse}
--with-console-auth-dir=%{_localstatedir}/run/dbus/at_console/ \
--with-system-pid-file=%{_localstatedir}/run/dbus/pid \
--with-system-socket=%{_localstatedir}/run/dbus/system_bus_socket \
%else
--with-console-auth-dir=/run/dbus/at_console/ \
--with-system-pid-file=/run/dbus/pid \
--with-system-socket=/run/dbus/system_bus_socket \
%endif
--with-systemdsystemunitdir=%{_unitdir} \
--with-systemduserunitdir=%{_userunitdir} \
--without-x
make %{?_smp_mflags}
doxygen -u && doxygen
./cleanup-man-pages.sh
%check
make check
%install
%make_install
mkdir -p %{buildroot}/lib/dbus-1/system-services
# dbus-launch, too
mv -f %{buildroot}/%{_bindir}/dbus-launch %{buildroot}%{_bindir}/dbus-launch.nox11
mkdir -p %{buildroot}%{_sbindir}
ln -sf %{_sbindir}/service %{buildroot}/%{_sbindir}/rcdbus
%if 0%{?suse_version} <= 1315 && !0%{?is_opensuse}
install -d %{buildroot}%{_localstatedir}/run/dbus
%else
install -d %{buildroot}/run/dbus
%endif
mkdir -p %{buildroot}/%{_datadir}/susehelp/meta/Development/Libraries/
install -m 0644 %{SOURCE2} \
%{buildroot}/%{_datadir}/susehelp/meta/Development/Libraries/dbus-1.desktop
mkdir -p %{buildroot}/%{_libdir}/pkgconfig
mkdir -p %{buildroot}/lib/dbus-1/system-services
for i in %{_sysconfdir}/dbus-1/session.d %{_sysconfdir}/dbus-1/system.d \
%{_datadir}/dbus-1/interfaces %{_datadir}/dbus-1/services \
%{_datadir}/dbus-1/system.d %{_datadir}/dbus-1/system-services; do
mkdir -p %{buildroot}$i
done
install -d %{buildroot}%{_sysconfdir}/ConsoleKit/run-session.d
install -m 755 %{SOURCE3} %{buildroot}%{_sysconfdir}/ConsoleKit/run-session.d
mkdir -p %{buildroot}%{_localstatedir}/lib/dbus
# don't ship executables in doc
chmod -x %{buildroot}%{_datadir}/doc/dbus/examples/GetAllMatchRules.py
# Link the binaries that were in /bin back to /bin for compat (maybe remove for SLE-16)
# Currently required to make upower work together with systemd
mkdir -p %{buildroot}/bin
ln -sf /%{_bindir}/dbus-cleanup-sockets %{buildroot}/bin/dbus-cleanup-sockets
ln -sf /%{_bindir}/dbus-daemon %{buildroot}/bin/dbus-daemon
ln -sf /%{_bindir}/dbus-monitor %{buildroot}/bin/dbus-monitor
ln -sf /%{_bindir}/dbus-send %{buildroot}/bin/dbus-send
ln -sf /%{_bindir}/dbus-test-tool %{buildroot}/bin/dbus-test-tool
ln -sf /%{_bindir}/dbus-update-activation-environment %{buildroot}/bin/dbus-update-activation-environment
ln -sf /%{_bindir}/dbus-uuidgen %{buildroot}/bin/dbus-uuidgen
mkdir -p %{buildroot}%{_sysconfdir}/alternatives
ln -s -f %{_sysconfdir}/alternatives/dbus-launch %{buildroot}%{_bindir}/dbus-launch
find %{buildroot} -type f -name "*.la" -delete -print
%verifyscript -n dbus-1
%verify_permissions -e %{_libexecdir}/dbus-1/dbus-daemon-launch-helper
%post -n %{_libname} -p /sbin/ldconfig
%postun -n %{_libname} -p /sbin/ldconfig
%pre
getent group messagebus >/dev/null || \
%{_sbindir}/groupadd -r messagebus
%if 0%{?suse_version} <= 1315 && !0%{?is_opensuse}
getent passwd messagebus >/dev/null || \
%{_sbindir}/useradd -r -s /usr/bin/false -c "User for D-Bus" -d %{_localstatedir}/run/dbus -g messagebus messagebus
%else
getent passwd messagebus >/dev/null || \
%{_sbindir}/useradd -r -s /usr/bin/false -c "User for D-Bus" -d /run/dbus -g messagebus messagebus
%endif
%service_add_pre dbus.service dbus.socket
%post
if [ -e %{_localstatedir}/lib/dbus/machine-id -a -e %{_sysconfdir}/machine-id ]; then
cmp -s %{_localstatedir}/lib/dbus/machine-id %{_sysconfdir}/machine-id > /dev/null
if [ $? ]; then
rm -f %{_localstatedir}/lib/dbus/machine-id
fi
fi
if [ ! -L %{_localstatedir}/lib/dbus/machine-id ]; then
mkdir -p %{_localstatedir}/lib/dbus/
ln -s %{_sysconfdir}/machine-id %{_localstatedir}/lib/dbus/machine-id
fi
/sbin/ldconfig
%set_permissions %{_libexecdir}/dbus-1/dbus-daemon-launch-helper
%{_sbindir}/update-alternatives --install %{_bindir}/dbus-launch dbus-launch %{_bindir}/dbus-launch.nox11 10
%service_add_post dbus.service dbus.socket
%tmpfiles_create %_tmpfilesdir/dbus.conf
%preun
if [ "$1" = 0 ] ; then
%{_sbindir}/update-alternatives --remove dbus-launch %{_bindir}/dbus-launch.nox11
fi
%service_del_preun dbus.service dbus.socket
%postun
# immediately restarting the dbus service causes issues, As such wait for the next reboot to restart
export DISABLE_RESTART_ON_UPDATE=yes
%service_del_postun dbus.service dbus.socket
%posttrans
# See comments in pre
if [ -s "%{_backup}" ]; then
mv -f %{_backup} /etc/sysconfig/services
elif [ -e "%{_backup}" ]; then
rm -f /etc/sysconfig/services
fi
%files
%defattr(-, root, root)
%dir %{_localstatedir}/lib/dbus
%dir /lib/dbus-1
%dir /lib/dbus-1/system-services
%dir %{_libexecdir}/dbus-1/
%license COPYING
%doc AUTHORS HACKING NEWS README
%config(noreplace) %{_sysconfdir}/dbus-1/session.conf
%config(noreplace) %{_sysconfdir}/dbus-1/system.conf
%{_datadir}/dbus-1/session.conf
%{_datadir}/dbus-1/system.conf
%{_sysconfdir}/ConsoleKit
%{_bindir}/dbus-cleanup-sockets
%{_bindir}/dbus-daemon
%{_bindir}/dbus-monitor
%{_bindir}/dbus-run-session
%{_bindir}/dbus-send
%{_bindir}/dbus-test-tool
%{_bindir}/dbus-update-activation-environment
%{_bindir}/dbus-uuidgen
/bin/dbus-cleanup-sockets
/bin/dbus-daemon
/bin/dbus-monitor
/bin/dbus-send
/bin/dbus-test-tool
/bin/dbus-update-activation-environment
/bin/dbus-uuidgen
%{_mandir}/man1/dbus-cleanup-sockets.1*
%{_mandir}/man1/dbus-daemon.1*
%{_mandir}/man1/dbus-monitor.1*
%{_mandir}/man1/dbus-run-session.1*
%{_mandir}/man1/dbus-send.1*
%{_mandir}/man1/dbus-test-tool.1*
%{_mandir}/man1/dbus-update-activation-environment.1*
%{_mandir}/man1/dbus-uuidgen.1*
%{_mandir}/man1/dbus-launch.1*
%{_sbindir}/rcdbus
# See doc/system-activation.txt in source tarball for the rationale
# behind these permissions
%attr(4750,root,messagebus) %verify(not mode) %{_libexecdir}/dbus-1/dbus-daemon-launch-helper
%if 0%{?suse_version} <= 1315 && !0%{?is_opensuse}
%ghost %{_localstatedir}/run/dbus
%else
%ghost /run/dbus
%endif
%ghost %{_localstatedir}/lib/dbus/machine-id
%{_libexecdir}/sysusers.d/dbus.conf
%{_libexecdir}/tmpfiles.d/dbus.conf
%{_unitdir}/dbus.service
%{_unitdir}/dbus.socket
# %dir %{_unitdir}/dbus.target.wants
# %{_unitdir}/dbus.target.wants/dbus.socket
%dir %{_unitdir}/multi-user.target.wants
%{_unitdir}/multi-user.target.wants/dbus.service
%dir %{_unitdir}/sockets.target.wants
%{_unitdir}/sockets.target.wants/dbus.socket
%{_userunitdir}/dbus.service
%{_userunitdir}/dbus.socket
%dir %{_userunitdir}/sockets.target.wants
%{_userunitdir}/sockets.target.wants/dbus.socket
%ghost %{_sysconfdir}/alternatives/dbus-launch
%{_bindir}/dbus-launch.nox11
%{_bindir}/dbus-launch
%files -n %{_libname}
%defattr(-, root, root)
%{_libdir}/libdbus-1.so.*
# Own those directories in the library instead of dbus-1, since dbus users
# often ship files there
%dir %{_sysconfdir}/dbus-1
%dir %{_sysconfdir}/dbus-1/session.d
%dir %{_sysconfdir}/dbus-1/system.d
%dir %{_datadir}/dbus-1
%dir %{_datadir}/dbus-1/interfaces
%dir %{_datadir}/dbus-1/services
%dir %{_datadir}/dbus-1/system.d
%dir %{_datadir}/dbus-1/system-services
%files devel
%defattr(-,root,root)
%{_includedir}/*
%{_libdir}/libdbus-1.so
%dir %{_libdir}/dbus-1.0
%{_libdir}/dbus-1.0/include
%{_libdir}/pkgconfig/dbus-1.pc
%{_libdir}/cmake/
%{_datadir}/xml/dbus-1
%files devel-doc
%defattr(-,root,root)
%dir %{_datadir}/doc/dbus
%dir %{_datadir}/doc/dbus/examples
%{_datadir}/doc/dbus/api/
%doc %{_datadir}/doc/dbus/dbus-faq.html
%doc %{_datadir}/doc/dbus/dbus-specification.html
%doc %{_datadir}/doc/dbus/dbus-test-plan.html
%doc %{_datadir}/doc/dbus/dbus-tutorial.html
%doc %{_datadir}/doc/dbus/diagram.*
%doc %{_datadir}/doc/dbus/system-activation.txt
%doc %{_datadir}/doc/dbus/dbus-cleanup-sockets.1.html
%doc %{_datadir}/doc/dbus/dbus-daemon.1.html
%doc %{_datadir}/doc/dbus/dbus-launch.1.html
%doc %{_datadir}/doc/dbus/dbus-run-session.1.html
%doc %{_datadir}/doc/dbus/dbus-monitor.1.html
%doc %{_datadir}/doc/dbus/dbus-send.1.html
%doc %{_datadir}/doc/dbus/dbus-uuidgen.1.html
%doc %{_datadir}/doc/dbus/dbus.devhelp
%doc %{_datadir}/doc/dbus/dbus-test-tool.1.html
%doc %{_datadir}/doc/dbus/dbus-update-activation-environment.1.html
%doc %{_datadir}/doc/dbus/examples/GetAllMatchRules.py
%doc %{_datadir}/doc/dbus/examples/example-session-disable-stats.conf
%doc %{_datadir}/doc/dbus/examples/example-system-enable-stats.conf
%doc doc/*.txt doc/file-boilerplate.c doc/TODO
%{_datadir}/susehelp
%changelog

27
dbus_at_console.ck Normal file
View file

@ -0,0 +1,27 @@
#!/bin/bash
#
# use consolekit to support legacy at_console setting
#
reason="$1"
dir=/var/run/dbus/at_console
# for at_console we are only interested in local sessions
test "$CK_SESSION_IS_LOCAL" = true || exit 0
test "$reason" = "session_added" -o "$reason" = "session_removed" || exit 0
sessid=${CK_SESSION_ID##*/}
sessid=${sessid//[^A-Za-z0-9]/_}
test -n "$sessid" || exit 1
name=`getent passwd "$CK_SESSION_USER_UID" 2>/dev/null | awk -F: '{print $1}'`
test -n "$name" || exit 1
if test "$reason" = "session_added"; then
mkdir -p "$dir/$name"
touch "$dir/$name/$sessid"
else
rm "$dir/$name/$sessid"
rmdir "$dir/$name"
fi

26
feature-suse-do-autolaunch.patch Normal file
View file

@ -0,0 +1,26 @@
From: Stephan Kulow <coolo@suse.de>
We want x11 autolaunch even if we have no x11 in the build environment
Index: dbus-1.12.2/dbus/dbus-sysdeps-unix.c
===================================================================
--- dbus-1.12.2.orig/dbus/dbus-sysdeps-unix.c
+++ dbus-1.12.2/dbus/dbus-sysdeps-unix.c
@@ -3552,7 +3552,7 @@ _dbus_get_tmpdir(void)
return tmpdir;
}
-#if defined(DBUS_ENABLE_X11_AUTOLAUNCH) || defined(DBUS_ENABLE_LAUNCHD)
+#if 1
/**
* Execute a subprocess, returning up to 1024 bytes of output
* into @p result.
@@ -3787,7 +3787,7 @@ _dbus_get_autolaunch_address (const char
DBusString *address,
DBusError *error)
{
-#ifdef DBUS_ENABLE_X11_AUTOLAUNCH
+#if 1
static const char arg_dbus_launch[] = "dbus-launch";
static const char arg_autolaunch[] = "--autolaunch";
static const char arg_binary_syntax[] = "--binary-syntax";

11
feature-suse-log-deny.patch Normal file
View file

@ -0,0 +1,11 @@
--- a/bus/system.conf.in
+++ b/bus/system.conf.in
@@ -48,7 +48,7 @@
<!-- Holes must be punched in service configuration files for
name ownership and sending method calls -->
<deny own="*"/>
- <deny send_type="method_call"/>
+ <deny send_type="method_call" log="true"/>
<!-- Signals and reply messages (method returns, errors) are allowed
by default -->

13
feature-suse-refuse-manual-start-stop.patch Normal file
View file

@ -0,0 +1,13 @@
Index: dbus-1.12.2/bus/dbus.service.in
===================================================================
--- dbus-1.12.2.orig/bus/dbus.service.in
+++ dbus-1.12.2/bus/dbus.service.in
@@ -2,6 +2,8 @@
Description=D-Bus System Message Bus
Documentation=man:dbus-daemon(1)
Requires=dbus.socket
+RefuseManualStart=true
+RefuseManualStop=true
[Service]
ExecStart=@EXPANDED_BINDIR@/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only

116
fix-CVE-2019-12749.patch Normal file
View file

@ -0,0 +1,116 @@
From 47b1a4c41004bf494b87370987b222c934b19016 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Thu, 30 May 2019 12:53:03 +0100
Subject: [PATCH] auth: Reject DBUS_COOKIE_SHA1 for users other than the server
owner
The DBUS_COOKIE_SHA1 authentication mechanism aims to prove ownership
of a shared home directory by having the server write a secret "cookie"
into a .dbus-keyrings subdirectory of the desired identity's home
directory with 0700 permissions, and having the client prove that it can
read the cookie. This never actually worked for non-malicious clients in
the case where server uid != client uid (unless the server and client
both have privileges, such as Linux CAP_DAC_OVERRIDE or traditional
Unix uid 0) because an unprivileged server would fail to write out the
cookie, and an unprivileged client would be unable to read the resulting
file owned by the server.
Additionally, since dbus 1.7.10 we have checked that ~/.dbus-keyrings
is owned by the uid of the server (a side-effect of a check added to
harden our use of XDG_RUNTIME_DIR), further ruling out successful use
by a non-malicious client with a uid differing from the server's.
Joe Vennix of Apple Information Security discovered that the
implementation of DBUS_COOKIE_SHA1 was susceptible to a symbolic link
attack: a malicious client with write access to its own home directory
could manipulate a ~/.dbus-keyrings symlink to cause the DBusServer to
read and write in unintended locations. In the worst case this could
result in the DBusServer reusing a cookie that is known to the
malicious client, and treating that cookie as evidence that a subsequent
client connection came from an attacker-chosen uid, allowing
authentication bypass.
This is mitigated by the fact that by default, the well-known system
dbus-daemon (since 2003) and the well-known session dbus-daemon (in
stable releases since dbus 1.10.0 in 2015) only accept the EXTERNAL
authentication mechanism, and as a result will reject DBUS_COOKIE_SHA1
at an early stage, before manipulating cookies. As a result, this
vulnerability only applies to:
* system or session dbus-daemons with non-standard configuration
* third-party dbus-daemon invocations such as at-spi2-core (although
in practice at-spi2-core also only accepts EXTERNAL by default)
* third-party uses of DBusServer such as the one in Upstart
Avoiding symlink attacks in a portable way is difficult, because APIs
like openat() and Linux /proc/self/fd are not universally available.
However, because DBUS_COOKIE_SHA1 already doesn't work in practice for
a non-matching uid, we can solve this vulnerability in an easier way
without regressions, by rejecting it early (before looking at
~/.dbus-keyrings) whenever the requested identity doesn't match the
identity of the process hosting the DBusServer.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Closes: https://gitlab.freedesktop.org/dbus/dbus/issues/269
Closes: CVE-2019-12749
---
dbus/dbus-auth.c | 32 ++++++++++++++++++++++++++++++++
1 file changed, 32 insertions(+)
Index: dbus-1.12.2/dbus/dbus-auth.c
===================================================================
--- dbus-1.12.2.orig/dbus/dbus-auth.c
+++ dbus-1.12.2/dbus/dbus-auth.c
@@ -529,6 +529,7 @@ sha1_handle_first_client_response (DBusA
DBusString tmp2;
dbus_bool_t retval = FALSE;
DBusError error = DBUS_ERROR_INIT;
+ DBusCredentials *myself = NULL;
_dbus_string_set_length (&auth->challenge, 0);
@@ -565,6 +566,34 @@ sha1_handle_first_client_response (DBusA
return FALSE;
}
+ myself = _dbus_credentials_new_from_current_process ();
+
+ if (myself == NULL)
+ goto out;
+
+ if (!_dbus_credentials_same_user (myself, auth->desired_identity))
+ {
+ /*
+ * DBUS_COOKIE_SHA1 is not suitable for authenticating that the
+ * client is anyone other than the user owning the process
+ * containing the DBusServer: we probably aren't allowed to write
+ * to other users' home directories. Even if we can (for example
+ * uid 0 on traditional Unix or CAP_DAC_OVERRIDE on Linux), we
+ * must not, because the other user controls their home directory,
+ * and could carry out symlink attacks to make us read from or
+ * write to unintended locations. It's difficult to avoid symlink
+ * attacks in a portable way, so we just don't try. This isn't a
+ * regression, because DBUS_COOKIE_SHA1 never worked for other
+ * users anyway.
+ */
+ _dbus_verbose ("%s: client tried to authenticate as \"%s\", "
+ "but that doesn't match this process",
+ DBUS_AUTH_NAME (auth),
+ _dbus_string_get_const_data (data));
+ retval = send_rejected (auth);
+ goto out;
+ }
+
/* we cache the keyring for speed, so here we drop it if it's the
* wrong one. FIXME caching the keyring here is useless since we use
* a different DBusAuth for every connection.
@@ -679,6 +708,9 @@ sha1_handle_first_client_response (DBusA
_dbus_string_zero (&tmp2);
_dbus_string_free (&tmp2);
+ if (myself != NULL)
+ _dbus_credentials_unref (myself);
+
return retval;
}

60
fix-upstream-CVE-2020-12049.patch Normal file
View file

@ -0,0 +1,60 @@
commit 8bc1381819e5a845331650bfa28dacf6d2ac1748
Author: Simon McVittie <smcv@collabora.com>
Date: Thu Apr 16 14:41:48 2020 +0100
fdpass test: Assert that we don't leak file descriptors
This version is for the dbus-1.12 branch, and doesn't rely on dbus!153
or dbus!120.
Reproduces: dbus#294
Reproduces: CVE-2020-12049
Reproduces: GHSL-2020-057
Signed-off-by: Simon McVittie <smcv@collabora.com>
Index: dbus-1.12.2/test/fdpass.c
===================================================================
--- dbus-1.12.2.orig/test/fdpass.c
+++ dbus-1.12.2/test/fdpass.c
@@ -50,6 +50,14 @@
#include "test-utils-glib.h"
+#ifdef DBUS_ENABLE_EMBEDDED_TESTS
+#include <dbus/dbus-message-internal.h>
+#else
+typedef struct _DBusInitialFDs DBusInitialFDs;
+#define _dbus_check_fdleaks_enter() NULL
+#define _dbus_check_fdleaks_leave(fds) do {} while (0)
+#endif
+
/* Arbitrary; included here to avoid relying on the default */
#define MAX_MESSAGE_UNIX_FDS 20
/* This test won't work on Linux unless this is true. */
@@ -91,6 +99,7 @@ typedef struct {
GQueue messages;
int fd_before;
+ DBusInitialFDs *initial_fds;
} Fixture;
static void oom (const gchar *doing) G_GNUC_NORETURN;
@@ -172,6 +181,8 @@ test_connect (Fixture *f,
{
char *address;
+ f->initial_fds = _dbus_check_fdleaks_enter ();
+
g_assert (f->left_server_conn == NULL);
g_assert (f->right_server_conn == NULL);
@@ -837,6 +848,9 @@ teardown (Fixture *f,
if (f->fd_before >= 0 && close (f->fd_before) < 0)
g_error ("%s", g_strerror (errno));
#endif
+
+ if (f->initial_fds != NULL)
+ _dbus_check_fdleaks_leave (f->initial_fds);
}
int

69
fix-upstream-CVE-2020-12049_2.patch Normal file
View file

@ -0,0 +1,69 @@
commit 272d484283883fa9ff95b69d924fff6cd34842f5
Author: Simon McVittie <smcv@collabora.com>
Date: Thu Apr 16 14:45:11 2020 +0100
sysdeps-unix: On MSG_CTRUNC, close the fds we did receive
MSG_CTRUNC indicates that we have received fewer fds that we should
have done because the buffer was too small, but we were treating it
as though it indicated that we received *no* fds. If we received any,
we still have to make sure we close them, otherwise they will be leaked.
On the system bus, if an attacker can induce us to leak fds in this
way, that's a local denial of service via resource exhaustion.
Reported-by: Kevin Backhouse, GitHub Security Lab
Fixes: dbus#294
Fixes: CVE-2020-12049
Fixes: GHSL-2020-057
diff --git a/dbus/dbus-sysdeps-unix.c b/dbus/dbus-sysdeps-unix.c
index e8cd5b33..f9dc2a6e 100644
--- a/dbus/dbus-sysdeps-unix.c
+++ b/dbus/dbus-sysdeps-unix.c
@@ -435,18 +435,6 @@ _dbus_read_socket_with_unix_fds (DBusSocket fd,
struct cmsghdr *cm;
dbus_bool_t found = FALSE;
- if (m.msg_flags & MSG_CTRUNC)
- {
- /* Hmm, apparently the control data was truncated. The bad
- thing is that we might have completely lost a couple of fds
- without chance to recover them. Hence let's treat this as a
- serious error. */
-
- errno = ENOSPC;
- _dbus_string_set_length (buffer, start);
- return -1;
- }
-
for (cm = CMSG_FIRSTHDR(&m); cm; cm = CMSG_NXTHDR(&m, cm))
if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_RIGHTS)
{
@@ -501,6 +489,26 @@ _dbus_read_socket_with_unix_fds (DBusSocket fd,
if (!found)
*n_fds = 0;
+ if (m.msg_flags & MSG_CTRUNC)
+ {
+ unsigned int i;
+
+ /* Hmm, apparently the control data was truncated. The bad
+ thing is that we might have completely lost a couple of fds
+ without chance to recover them. Hence let's treat this as a
+ serious error. */
+
+ /* We still need to close whatever fds we *did* receive,
+ * otherwise they'll never get closed. (CVE-2020-12049) */
+ for (i = 0; i < *n_fds; i++)
+ close (fds[i]);
+
+ *n_fds = 0;
+ errno = ENOSPC;
+ _dbus_string_set_length (buffer, start);
+ return -1;
+ }
+
/* put length back (doesn't actually realloc) */
_dbus_string_set_length (buffer, start + bytes_read);

322
fix-upstream-CVE-2020-35512.patch Normal file
View file

@ -0,0 +1,322 @@
commit 2b7948ef907669e844b52c4fa2268d6e3162a70c
Author: Simon McVittie <smcv@collabora.com>
Date: Tue Jun 30 19:29:06 2020 +0100
userdb: Reference-count DBusUserInfo, DBusGroupInfo
Previously, the hash table indexed by uid (or gid) took ownership of the
single reference to the heap-allocated struct, and the hash table
indexed by username (or group name) had a borrowed pointer to the same
struct that exists in the other hash table.
However, this can break down if you have two or more distinct usernames
that share a numeric identifier. This is generally a bad idea, because
the user-space model in such situations does not match the kernel-space
reality, and in particular there is no effective kernel-level security
boundary between such users, but it is sometimes done anyway.
In this case, when the second username is looked up in the userdb, it
overwrites (replaces) the entry in the hash table that is indexed by
uid, freeing the DBusUserInfo. This results in both the key and the
value in the hash table that is indexed by username becoming dangling
pointers (use-after-free), leading to undefined behaviour, which is
certainly not what we want to see when doing access control.
An equivalent situation can occur with groups, in the rare case where
a numeric group ID has two names (although I have not heard of this
being done in practice).
Solve this by reference-counting the data structure. There are up to
three references in practice: one held temporarily while the lookup
function is populating and storing it, one held by the hash table that
is indexed by uid, and one held by the hash table that is indexed by
name.
Closes: dbus#305
Signed-off-by: Simon McVittie <smcv@collabora.com>
Index: dbus-1.12.2/dbus/dbus-sysdeps-unix.h
===================================================================
--- dbus-1.12.2.orig/dbus/dbus-sysdeps-unix.h
+++ dbus-1.12.2/dbus/dbus-sysdeps-unix.h
@@ -105,6 +105,7 @@ typedef struct DBusGroupInfo DBusGroupIn
*/
struct DBusUserInfo
{
+ size_t refcount; /**< Reference count */
dbus_uid_t uid; /**< UID */
dbus_gid_t primary_gid; /**< GID */
dbus_gid_t *group_ids; /**< Groups IDs, *including* above primary group */
@@ -118,6 +119,7 @@ struct DBusUserInfo
*/
struct DBusGroupInfo
{
+ size_t refcount; /**< Reference count */
dbus_gid_t gid; /**< GID */
char *groupname; /**< Group name */
};
Index: dbus-1.12.2/dbus/dbus-userdb-util.c
===================================================================
--- dbus-1.12.2.orig/dbus/dbus-userdb-util.c
+++ dbus-1.12.2/dbus/dbus-userdb-util.c
@@ -38,6 +38,15 @@
* @{
*/
+static DBusGroupInfo *
+_dbus_group_info_ref (DBusGroupInfo *info)
+{
+ _dbus_assert (info->refcount > 0);
+ _dbus_assert (info->refcount < SIZE_MAX);
+ info->refcount++;
+ return info;
+}
+
/**
* Checks to see if the UID sent in is the console user
*
@@ -287,13 +296,14 @@ _dbus_user_database_lookup_group (DBusUs
dbus_set_error (error, DBUS_ERROR_NO_MEMORY, NULL);
return NULL;
}
+ info->refcount = 1;
if (gid != DBUS_GID_UNSET)
{
if (!_dbus_group_info_fill_gid (info, gid, error))
{
_DBUS_ASSERT_ERROR_IS_SET (error);
- _dbus_group_info_free_allocated (info);
+ _dbus_group_info_unref (info);
return NULL;
}
}
@@ -302,7 +312,7 @@ _dbus_user_database_lookup_group (DBusUs
if (!_dbus_group_info_fill (info, groupname, error))
{
_DBUS_ASSERT_ERROR_IS_SET (error);
- _dbus_group_info_free_allocated (info);
+ _dbus_group_info_unref (info);
return NULL;
}
}
@@ -311,23 +321,35 @@ _dbus_user_database_lookup_group (DBusUs
gid = DBUS_GID_UNSET;
groupname = NULL;
- if (!_dbus_hash_table_insert_uintptr (db->groups, info->gid, info))
+ if (_dbus_hash_table_insert_uintptr (db->groups, info->gid, info))
+ {
+ _dbus_group_info_ref (info);
+ }
+ else
{
dbus_set_error (error, DBUS_ERROR_NO_MEMORY, NULL);
- _dbus_group_info_free_allocated (info);
+ _dbus_group_info_unref (info);
return NULL;
}
- if (!_dbus_hash_table_insert_string (db->groups_by_name,
- info->groupname,
- info))
+ if (_dbus_hash_table_insert_string (db->groups_by_name,
+ info->groupname,
+ info))
+ {
+ _dbus_group_info_ref (info);
+ }
+ else
{
_dbus_hash_table_remove_uintptr (db->groups, info->gid);
+ _dbus_group_info_unref (info);
dbus_set_error (error, DBUS_ERROR_NO_MEMORY, NULL);
return NULL;
}
-
+
+ /* Release the original reference */
+ _dbus_group_info_unref (info);
+
/* Return a borrowed reference to the DBusGroupInfo owned by the
* two hash tables */
return info;
Index: dbus-1.12.2/dbus/dbus-userdb.c
===================================================================
--- dbus-1.12.2.orig/dbus/dbus-userdb.c
+++ dbus-1.12.2/dbus/dbus-userdb.c
@@ -35,34 +35,57 @@
* @{
*/
+static DBusUserInfo *
+_dbus_user_info_ref (DBusUserInfo *info)
+{
+ _dbus_assert (info->refcount > 0);
+ _dbus_assert (info->refcount < SIZE_MAX);
+ info->refcount++;
+ return info;
+}
+
/**
- * Frees the given #DBusUserInfo's members with _dbus_user_info_free()
+ * Decrements the reference count. If it reaches 0,
+ * frees the given #DBusUserInfo's members with _dbus_user_info_free()
* and also calls dbus_free() on the block itself
*
* @param info the info
*/
void
-_dbus_user_info_free_allocated (DBusUserInfo *info)
+_dbus_user_info_unref (DBusUserInfo *info)
{
if (info == NULL) /* hash table will pass NULL */
return;
+ _dbus_assert (info->refcount > 0);
+ _dbus_assert (info->refcount < SIZE_MAX);
+
+ if (--info->refcount > 0)
+ return;
+
_dbus_user_info_free (info);
dbus_free (info);
}
/**
- * Frees the given #DBusGroupInfo's members with _dbus_group_info_free()
+ * Decrements the reference count. If it reaches 0,
+ * frees the given #DBusGroupInfo's members with _dbus_group_info_free()
* and also calls dbus_free() on the block itself
*
* @param info the info
*/
void
-_dbus_group_info_free_allocated (DBusGroupInfo *info)
+_dbus_group_info_unref (DBusGroupInfo *info)
{
if (info == NULL) /* hash table will pass NULL */
return;
+ _dbus_assert (info->refcount > 0);
+ _dbus_assert (info->refcount < SIZE_MAX);
+
+ if (--info->refcount > 0)
+ return;
+
_dbus_group_info_free (info);
dbus_free (info);
}
@@ -170,13 +193,14 @@ _dbus_user_database_lookup (DBusUserData
dbus_set_error (error, DBUS_ERROR_NO_MEMORY, NULL);
return NULL;
}
+ info->refcount = 1;
if (uid != DBUS_UID_UNSET)
{
if (!_dbus_user_info_fill_uid (info, uid, error))
{
_DBUS_ASSERT_ERROR_IS_SET (error);
- _dbus_user_info_free_allocated (info);
+ _dbus_user_info_unref (info);
return NULL;
}
}
@@ -185,7 +209,7 @@ _dbus_user_database_lookup (DBusUserData
if (!_dbus_user_info_fill (info, username, error))
{
_DBUS_ASSERT_ERROR_IS_SET (error);
- _dbus_user_info_free_allocated (info);
+ _dbus_user_info_unref (info);
return NULL;
}
}
@@ -195,22 +219,33 @@ _dbus_user_database_lookup (DBusUserData
username = NULL;
/* insert into hash */
- if (!_dbus_hash_table_insert_uintptr (db->users, info->uid, info))
+ if (_dbus_hash_table_insert_uintptr (db->users, info->uid, info))
+ {
+ _dbus_user_info_ref (info);
+ }
+ else
{
dbus_set_error (error, DBUS_ERROR_NO_MEMORY, NULL);
- _dbus_user_info_free_allocated (info);
+ _dbus_user_info_unref (info);
return NULL;
}
- if (!_dbus_hash_table_insert_string (db->users_by_name,
- info->username,
- info))
+ if (_dbus_hash_table_insert_string (db->users_by_name,
+ info->username,
+ info))
+ {
+ _dbus_user_info_ref (info);
+ }
+ else
{
_dbus_hash_table_remove_uintptr (db->users, info->uid);
dbus_set_error (error, DBUS_ERROR_NO_MEMORY, NULL);
+ _dbus_user_info_unref (info);
return NULL;
}
-
+
+ _dbus_user_info_unref (info);
+
/* Return a borrowed pointer to the DBusUserInfo owned by the
* hash tables */
return info;
@@ -570,24 +605,24 @@ _dbus_user_database_new (void)
db->refcount = 1;
db->users = _dbus_hash_table_new (DBUS_HASH_UINTPTR,
- NULL, (DBusFreeFunction) _dbus_user_info_free_allocated);
+ NULL, (DBusFreeFunction) _dbus_user_info_unref);
if (db->users == NULL)
goto failed;
db->groups = _dbus_hash_table_new (DBUS_HASH_UINTPTR,
- NULL, (DBusFreeFunction) _dbus_group_info_free_allocated);
+ NULL, (DBusFreeFunction) _dbus_group_info_unref);
if (db->groups == NULL)
goto failed;
db->users_by_name = _dbus_hash_table_new (DBUS_HASH_STRING,
- NULL, NULL);
+ NULL, (DBusFreeFunction) _dbus_user_info_unref);
if (db->users_by_name == NULL)
goto failed;
db->groups_by_name = _dbus_hash_table_new (DBUS_HASH_STRING,
- NULL, NULL);
+ NULL, (DBusFreeFunction) _dbus_group_info_unref);
if (db->groups_by_name == NULL)
goto failed;
Index: dbus-1.12.2/dbus/dbus-userdb.h
===================================================================
--- dbus-1.12.2.orig/dbus/dbus-userdb.h
+++ dbus-1.12.2/dbus/dbus-userdb.h
@@ -85,10 +85,10 @@ const DBusGroupInfo* _dbus_user_database
dbus_gid_t gid,
const DBusString *groupname,
DBusError *error);
+
+void _dbus_user_info_unref (DBusUserInfo *info);
DBUS_PRIVATE_EXPORT
-void _dbus_user_info_free_allocated (DBusUserInfo *info);
-DBUS_PRIVATE_EXPORT
-void _dbus_group_info_free_allocated (DBusGroupInfo *info);
+void _dbus_group_info_unref (DBusGroupInfo *info);
#endif /* DBUS_USERDB_INCLUDES_PRIVATE */
DBUS_PRIVATE_EXPORT

108
fix-upstream-CVE-2022-42010.patch Normal file
View file

@ -0,0 +1,108 @@
commit 9d07424e9011e3bbe535e83043d335f3093d2916
Author: Simon McVittie <smcv@collabora.com>
Date: Tue Sep 13 15:10:22 2022 +0100
dbus-marshal-validate: Check brackets in signature nest correctly
In debug builds with assertions enabled, a signature with incorrectly
nested `()` and `{}`, for example `a{i(u}` or `(a{ii)}`, could result
in an assertion failure.
In production builds without assertions enabled, a signature with
incorrectly nested `()` and `{}` could potentially result in a crash
or incorrect message parsing, although we do not have a concrete example
of either of these failure modes.
Thanks: Evgeny Vereshchagin
Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/418
Resolves: CVE-2022-42010
Signed-off-by: Simon McVittie <smcv@collabora.com>
diff --git a/dbus/dbus-marshal-validate.c b/dbus/dbus-marshal-validate.c
index 4d492f3f..ae68414d 100644
--- a/dbus/dbus-marshal-validate.c
+++ b/dbus/dbus-marshal-validate.c
@@ -62,6 +62,8 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
int element_count;
DBusList *element_count_stack;
+ char opened_brackets[DBUS_MAXIMUM_TYPE_RECURSION_DEPTH * 2 + 1] = { '\0' };
+ char last_bracket;
result = DBUS_VALID;
element_count_stack = NULL;
@@ -93,6 +95,10 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
while (p != end)
{
+ _dbus_assert (struct_depth + dict_entry_depth >= 0);
+ _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets));
+ _dbus_assert (opened_brackets[struct_depth + dict_entry_depth] == '\0');
+
switch (*p)
{
case DBUS_TYPE_BYTE:
@@ -136,6 +142,10 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
goto out;
}
+ _dbus_assert (struct_depth + dict_entry_depth >= 1);
+ _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets));
+ _dbus_assert (opened_brackets[struct_depth + dict_entry_depth - 1] == '\0');
+ opened_brackets[struct_depth + dict_entry_depth - 1] = DBUS_STRUCT_BEGIN_CHAR;
break;
case DBUS_STRUCT_END_CHAR:
@@ -151,9 +161,20 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
goto out;
}
+ _dbus_assert (struct_depth + dict_entry_depth >= 1);
+ _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets));
+ last_bracket = opened_brackets[struct_depth + dict_entry_depth - 1];
+
+ if (last_bracket != DBUS_STRUCT_BEGIN_CHAR)
+ {
+ result = DBUS_INVALID_STRUCT_ENDED_BUT_NOT_STARTED;
+ goto out;
+ }
+
_dbus_list_pop_last (&element_count_stack);
struct_depth -= 1;
+ opened_brackets[struct_depth + dict_entry_depth] = '\0';
break;
case DBUS_DICT_ENTRY_BEGIN_CHAR:
@@ -178,6 +199,10 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
goto out;
}
+ _dbus_assert (struct_depth + dict_entry_depth >= 1);
+ _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets));
+ _dbus_assert (opened_brackets[struct_depth + dict_entry_depth - 1] == '\0');
+ opened_brackets[struct_depth + dict_entry_depth - 1] = DBUS_DICT_ENTRY_BEGIN_CHAR;
break;
case DBUS_DICT_ENTRY_END_CHAR:
@@ -186,8 +211,19 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
result = DBUS_INVALID_DICT_ENTRY_ENDED_BUT_NOT_STARTED;
goto out;
}
-
+
+ _dbus_assert (struct_depth + dict_entry_depth >= 1);
+ _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets));
+ last_bracket = opened_brackets[struct_depth + dict_entry_depth - 1];
+
+ if (last_bracket != DBUS_DICT_ENTRY_BEGIN_CHAR)
+ {
+ result = DBUS_INVALID_DICT_ENTRY_ENDED_BUT_NOT_STARTED;
+ goto out;
+ }
+
dict_entry_depth -= 1;
+ opened_brackets[struct_depth + dict_entry_depth] = '\0';
element_count =
_DBUS_POINTER_TO_INT (_dbus_list_pop_last (&element_count_stack));

49
fix-upstream-CVE-2022-42011.patch Normal file
View file

@ -0,0 +1,49 @@
commit 079bbf16186e87fb0157adf8951f19864bc2ed69
Author: Simon McVittie <smcv@collabora.com>
Date: Mon Sep 12 13:14:18 2022 +0100
dbus-marshal-validate: Validate length of arrays of fixed-length items
This fast-path previously did not check that the array was made up
of an integer number of items. This could lead to assertion failures
and out-of-bounds accesses during subsequent message processing (which
assumes that the message has already been validated), particularly after
the addition of _dbus_header_remove_unknown_fields(), which makes it
more likely that dbus-daemon will apply non-trivial edits to messages.
Thanks: Evgeny Vereshchagin
Fixes: e61f13cf "Bug 18064 - more efficient validation for fixed-size type arrays"
Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/413
Resolves: CVE-2022-42011
Signed-off-by: Simon McVittie <smcv@collabora.com>
Index: dbus-1.12.2/dbus/dbus-marshal-validate.c
===================================================================
--- dbus-1.12.2.orig/dbus/dbus-marshal-validate.c
+++ dbus-1.12.2/dbus/dbus-marshal-validate.c
@@ -498,13 +498,24 @@ validate_body_helper (DBusTypeReader
*/
if (dbus_type_is_fixed (array_elem_type))
{
+ /* Note that fixed-size types all have sizes equal to
+ * their alignments, so this is really the item size. */
+ alignment = _dbus_type_get_alignment (array_elem_type);
+ _dbus_assert (alignment == 1 || alignment == 2 ||
+ alignment == 4 || alignment == 8);
+
+ /* Because the alignment is a power of 2, this is
+ * equivalent to: (claimed_len % alignment) != 0,
+ * but avoids slower integer division */
+ if ((claimed_len & (alignment - 1)) != 0)
+ return DBUS_INVALID_ARRAY_LENGTH_INCORRECT;
+
/* bools need to be handled differently, because they can
* have an invalid value
*/
if (array_elem_type == DBUS_TYPE_BOOLEAN)
{
dbus_uint32_t v;
- alignment = _dbus_type_get_alignment (array_elem_type);
while (p < array_end)
{

66
fix-upstream-CVE-2022-42012.patch Normal file
View file

@ -0,0 +1,66 @@
commit 236f16e444e88a984cf12b09225e0f8efa6c5b44
Author: Simon McVittie <smcv@collabora.com>
Date: Fri Sep 30 13:46:31 2022 +0100
dbus-marshal-byteswap: Byte-swap Unix fd indexes if needed
When a D-Bus message includes attached file descriptors, the body of the
message contains unsigned 32-bit indexes pointing into an out-of-band
array of file descriptors. Some D-Bus APIs like GLib's GDBus refer to
these indexes as "handles" for the associated fds (not to be confused
with a Windows HANDLE, which is a kernel object).
The assertion message removed by this commit is arguably correct up to
a point: fd-passing is only reasonable on a local machine, and no known
operating system allows processes of differing endianness even on a
multi-endian ARM or PowerPC CPU, so it makes little sense for the sender
to specify a byte-order that differs from the byte-order of the recipient.
However, this doesn't account for the fact that a malicious sender
doesn't have to restrict itself to only doing things that make sense.
On a system with untrusted local users, a message sender could crash
the system dbus-daemon (a denial of service) by sending a message in
the opposite endianness that contains handles to file descriptors.
Before this commit, if assertions are enabled, attempting to byteswap
a fd index would cleanly crash the message recipient with an assertion
failure. If assertions are disabled, attempting to byteswap a fd index
would silently do nothing without advancing the pointer p, causing the
message's type and the pointer into its contents to go out of sync, which
can result in a subsequent crash (the crash demonstrated by fuzzing was
a use-after-free, but other failure modes might be possible).
In principle we could resolve this by rejecting wrong-endianness messages
from a local sender, but it's actually simpler and less code to treat
wrong-endianness messages as valid and byteswap them.
Thanks: Evgeny Vereshchagin
Fixes: ba7daa60 "unix-fd: add basic marshalling code for unix fds"
Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/417
Resolves: CVE-2022-42012
Signed-off-by: Simon McVittie <smcv@collabora.com>
Index: dbus-1.12.2/dbus/dbus-marshal-byteswap.c
===================================================================
--- dbus-1.12.2.orig/dbus/dbus-marshal-byteswap.c
+++ dbus-1.12.2/dbus/dbus-marshal-byteswap.c
@@ -61,6 +61,7 @@ byteswap_body_helper (DBusTypeReader
case DBUS_TYPE_BOOLEAN:
case DBUS_TYPE_INT32:
case DBUS_TYPE_UINT32:
+ case DBUS_TYPE_UNIX_FD:
{
p = _DBUS_ALIGN_ADDRESS (p, 4);
*((dbus_uint32_t*)p) = DBUS_UINT32_SWAP_LE_BE (*((dbus_uint32_t*)p));
@@ -188,11 +189,6 @@ byteswap_body_helper (DBusTypeReader
}
break;
- case DBUS_TYPE_UNIX_FD:
- /* fds can only be passed on a local machine, so byte order must always match */
- _dbus_assert_not_reached("attempted to byteswap unix fds which makes no sense");
- break;
-
default:
_dbus_assert_not_reached ("invalid typecode in supposedly-validated signature");
break;

96
fix-upstream-CVE-2023-34969.patch Normal file
View file

@ -0,0 +1,96 @@
From 37a4dc5835731a1f7a81f1b67c45b8dfb556dd1c Mon Sep 17 00:00:00 2001
From: hongjinghao <q1204531485@163.com>
Date: Mon, 5 Jun 2023 18:17:06 +0100
Subject: [PATCH] bus: Assign a serial number for messages from the driver
Normally, it's enough to rely on a message being given a serial number
by the DBusConnection just before it is actually sent. However, in the
rare case where the policy blocks the driver from sending a message
(due to a deny rule or the outgoing message quota being full), we need
to get a valid serial number sooner, so that we can copy it into the
DBUS_HEADER_FIELD_REPLY_SERIAL field (which is mandatory) in the error
message sent to monitors. Otherwise, the dbus-daemon will crash with
an assertion failure if at least one Monitoring client is attached,
because zero is not a valid serial number to copy.
This fixes a denial-of-service vulnerability: if a privileged user is
monitoring the well-known system bus using a Monitoring client like
dbus-monitor or `busctl monitor`, then an unprivileged user can cause
denial-of-service by triggering this crash. A mitigation for this
vulnerability is to avoid attaching Monitoring clients to the system
bus when they are not needed. If there are no Monitoring clients, then
the vulnerable code is not reached.
Co-authored-by: Simon McVittie <smcv@collabora.com>
Resolves: dbus/dbus#457
(cherry picked from commit b159849e031000d1dbc1ab876b5fc78a3ce9b534)
---
bus/connection.c | 15 +++++++++++++++
dbus/dbus-connection-internal.h | 2 ++
dbus/dbus-connection.c | 11 ++++++++++-
3 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/bus/connection.c b/bus/connection.c
index b35834338..215f02307 100644
--- a/bus/connection.c
+++ b/bus/connection.c
@@ -2350,6 +2350,21 @@ bus_transaction_send_from_driver (BusTransaction *transaction,
if (!dbus_message_set_sender (message, DBUS_SERVICE_DBUS))
return FALSE;
+ /* Make sure the message has a non-zero serial number, otherwise
+ * bus_transaction_capture_error_reply() will not be able to mock up
+ * a corresponding reply for it. Normally this would be delayed until
+ * the first time we actually send the message out from a
+ * connection, when the transaction is committed, but that's too late
+ * in this case.
+ */
+ if (dbus_message_get_serial (message) == 0)
+ {
+ dbus_uint32_t next_serial;
+
+ next_serial = _dbus_connection_get_next_client_serial (connection);
+ dbus_message_set_serial (message, next_serial);
+ }
+
if (bus_connection_is_active (connection))
{
if (!dbus_message_set_destination (message,
diff --git a/dbus/dbus-connection-internal.h b/dbus/dbus-connection-internal.h
index 483573212..ba79b1928 100644
--- a/dbus/dbus-connection-internal.h
+++ b/dbus/dbus-connection-internal.h
@@ -54,6 +54,8 @@ DBUS_PRIVATE_EXPORT
DBusConnection * _dbus_connection_ref_unlocked (DBusConnection *connection);
DBUS_PRIVATE_EXPORT
void _dbus_connection_unref_unlocked (DBusConnection *connection);
+DBUS_PRIVATE_EXPORT
+dbus_uint32_t _dbus_connection_get_next_client_serial (DBusConnection *connection);
void _dbus_connection_queue_received_message_link (DBusConnection *connection,
DBusList *link);
dbus_bool_t _dbus_connection_has_messages_to_send_unlocked (DBusConnection *connection);
diff --git a/dbus/dbus-connection.c b/dbus/dbus-connection.c
index c525b6dc1..09cef2788 100644
--- a/dbus/dbus-connection.c
+++ b/dbus/dbus-connection.c
@@ -1456,7 +1456,16 @@ _dbus_connection_unref_unlocked (DBusConnection *connection)
_dbus_connection_last_unref (connection);
}
-static dbus_uint32_t
+/**
+ * Allocate and return the next non-zero serial number for outgoing messages.
+ *
+ * This method is only valid to call from single-threaded code, such as
+ * the dbus-daemon, or with the connection lock held.
+ *
+ * @param connection the connection
+ * @returns A suitable serial number for the next message to be sent on the connection.
+ */
+dbus_uint32_t
_dbus_connection_get_next_client_serial (DBusConnection *connection)
{
dbus_uint32_t serial;
--
GitLab

90
fix-upstream-userdb-constpointer.patch Normal file
View file

@ -0,0 +1,90 @@
commit 6ee66ff7bcc91803111d950512f02651e664f74f
Author: Simon McVittie <smcv@collabora.com>
Date: Tue Jun 30 19:13:17 2020 +0100
userdb: Make lookups return a const pointer
This makes it more obvious that the returned pointer points to a
struct owned by the userdb, which must not be freed or have its
contents modified, and is only valid to dereference until the next
modification to the userdb's underlying hash tables (which in practice
means until the lock is released, because after that we have no
guarantees about what might be going on in another thread).
Signed-off-by: Simon McVittie <smcv@collabora.com>
Index: dbus-1.12.2/dbus/dbus-userdb-util.c
===================================================================
--- dbus-1.12.2.orig/dbus/dbus-userdb-util.c
+++ dbus-1.12.2/dbus/dbus-userdb-util.c
@@ -240,9 +240,9 @@ _dbus_get_user_id_and_primary_group (con
* @param gid the group ID or #DBUS_GID_UNSET
* @param groupname group name or #NULL
* @param error error to fill in
- * @returns the entry in the database
+ * @returns the entry in the database (borrowed, do not free)
*/
-DBusGroupInfo*
+const DBusGroupInfo *
_dbus_user_database_lookup_group (DBusUserDatabase *db,
dbus_gid_t gid,
const DBusString *groupname,
@@ -328,6 +328,8 @@ _dbus_user_database_lookup_group (DBusUs
return NULL;
}
+ /* Return a borrowed reference to the DBusGroupInfo owned by the
+ * two hash tables */
return info;
}
}
Index: dbus-1.12.2/dbus/dbus-userdb.c
===================================================================
--- dbus-1.12.2.orig/dbus/dbus-userdb.c
+++ dbus-1.12.2/dbus/dbus-userdb.c
@@ -122,9 +122,9 @@ _dbus_is_a_number (const DBusString *str
* @param uid the user ID or #DBUS_UID_UNSET
* @param username username or #NULL
* @param error error to fill in
- * @returns the entry in the database
+ * @returns the entry in the database (borrowed, do not free)
*/
-DBusUserInfo*
+const DBusUserInfo *
_dbus_user_database_lookup (DBusUserDatabase *db,
dbus_uid_t uid,
const DBusString *username,
@@ -211,6 +211,8 @@ _dbus_user_database_lookup (DBusUserData
return NULL;
}
+ /* Return a borrowed pointer to the DBusUserInfo owned by the
+ * hash tables */
return info;
}
}
Index: dbus-1.12.2/dbus/dbus-userdb.h
===================================================================
--- dbus-1.12.2.orig/dbus/dbus-userdb.h
+++ dbus-1.12.2/dbus/dbus-userdb.h
@@ -76,15 +76,15 @@ dbus_bool_t _dbus_user_database_ge
DBusError *error);
DBUS_PRIVATE_EXPORT
-DBusUserInfo* _dbus_user_database_lookup (DBusUserDatabase *db,
+const DBusUserInfo *_dbus_user_database_lookup (DBusUserDatabase *db,
dbus_uid_t uid,
const DBusString *username,
DBusError *error);
DBUS_PRIVATE_EXPORT
-DBusGroupInfo* _dbus_user_database_lookup_group (DBusUserDatabase *db,
- dbus_gid_t gid,
- const DBusString *groupname,
- DBusError *error);
+const DBusGroupInfo* _dbus_user_database_lookup_group (DBusUserDatabase *db,
+ dbus_gid_t gid,
+ const DBusString *groupname,
+ DBusError *error);
DBUS_PRIVATE_EXPORT
void _dbus_user_info_free_allocated (DBusUserInfo *info);
DBUS_PRIVATE_EXPORT