Initialize for dbus-1

.dbus-1.metadata

@@ -0,0 +1 @@
+47e96d9da9fb876ce3d8ac0b4c3d7e35e8ecdaa9fddd40e2515f516185b3ef52 dbus-1.12.2.tar.gz

.gitignore

@@ -0,0 +1 @@
+dbus-1.12.2.tar.gz

baselibs.conf

@@ -0,0 +1,6 @@
+dbus-1
+dbus-1-devel
+  requires "libdbus-1-3-<targettype> = <version>"
+libdbus-1-3
+  obsoletes "dbus-1-<targettype> < <version>"
+  provides "dbus-1-<targettype> = <version>"

dbus-1.desktop

@@ -0,0 +1,4 @@
+[Desktop Entry]
+Name=D-Bus API Documentation
+DocPath=/usr/share/doc/packages/dbus-1-devel/html/index.html
+X-DOC-SearchMethod=htdig

dbus-1.spec

@@ -0,0 +1,380 @@
+#
+# spec file for package dbus-1
+#
+# Copyright (c) 2022-2023 ZhuningOS
+#
+
+
+%define with_systemd 1
+%define _name   dbus
+%define _libname libdbus-1-3
+# Temporary code to disable service restart on update sflees@suse.de boo#1020301
+%global _backup /etc/sysconfig/services.rpmbak.%{name}-%{version}-%{release}
+%if 0%{?suse_version} <= 1320
+%define _userunitdir %{_prefix}/lib/systemd/user
+%endif
+%bcond_without selinux
+Name:           dbus-1
+Version:        1.12.2
+Release:        150400.18.8.1
+Summary:        D-Bus Message Bus System
+License:        GPL-2.0-or-later OR AFL-2.1
+Group:          System/Daemons
+Url:            http://dbus.freedesktop.org/
+Source0:        http://dbus.freedesktop.org/releases/dbus/%{_name}-%{version}.tar.gz
+Source2:        dbus-1.desktop
+Source3:        dbus_at_console.ck
+Source4:        baselibs.conf
+Patch0:         feature-suse-log-deny.patch
+# PATCH-FIX-OPENSUSE coolo@suse.de -- force a feature configure won't accept without x11 in buildrequires
+Patch1:         feature-suse-do-autolaunch.patch
+# Patch-Feature-opensuse sflees@suse.de, users shouldn't be allowed to start / stop the dbus service.
+Patch2:         feature-suse-refuse-manual-start-stop.patch
+Patch3:         fix-CVE-2019-12749.patch
+# bsc#1187105
+Patch4:         fix-upstream-userdb-constpointer.patch
+Patch5:         fix-upstream-CVE-2020-35512.patch
+# bsc#1172505
+Patch6:         fix-upstream-CVE-2020-12049.patch
+Patch7:         fix-upstream-CVE-2020-12049_2.patch
+Patch8:         fix-upstream-CVE-2022-42010.patch
+Patch9:         fix-upstream-CVE-2022-42011.patch
+Patch10:        fix-upstream-CVE-2022-42012.patch
+Patch11:        fix-upstream-CVE-2023-34969.patch
+BuildRequires:  audit-devel
+BuildRequires:  autoconf-archive
+BuildRequires:  doxygen
+BuildRequires:  libcap-ng-devel
+BuildRequires:  libexpat-devel >= 2.1.0
+BuildRequires:  libtool
+BuildRequires:  permissions
+BuildRequires:  pkg-config
+BuildRequires:  update-desktop-files
+BuildRequires:  xmlto
+BuildRequires:  pkgconfig(libsystemd) >= 209
+Requires(post): %{_libname} = %{version}
+Requires(post): update-alternatives
+Requires(pre):  permissions
+Requires(pre):  shadow
+Requires(preun): update-alternatives
+Provides:       dbus-launch
+BuildRoot:      %{_tmppath}/%{name}-%{version}-build
+%if %{with selinux}
+BuildRequires:  libselinux-devel
+%endif
+
+%package -n %{_libname}
+Summary:        Library package for D-Bus
+Group:          Development/Libraries/Other
+
+%package devel
+Summary:        Developer package for D-Bus
+Group:          Development/Libraries/Other
+Requires:       %{_libname} = %{version}
+Requires:       dbus-1 = %{version}
+Requires:       glibc-devel
+
+%package devel-doc
+Summary:        Developer documentation package for D-Bus
+Group:          Development/Libraries/Other
+Requires:       dbus-1 = %{version}
+BuildArch:      noarch
+
+%description
+D-Bus is a message bus system, a simple way for applications to talk to
+one another. D-Bus supplies both a system daemon and a
+per-user-login-session daemon. Also, the message bus is built on top of
+a general one-to-one message passing framework, which can be used by
+any two apps to communicate directly (without going through the message
+bus daemon).
+
+%description -n %{_libname}
+D-Bus is a message bus system, a simple way for applications to talk to
+one another. D-Bus supplies both a system daemon and a
+per-user-login-session daemon. Also, the message bus is built on top of
+a general one-to-one message passing framework, which can be used by
+any two apps to communicate directly (without going through the message
+bus daemon).
+
+%description devel
+D-Bus is a message bus system, a simple way for applications to talk to
+one another. D-Bus supplies both a system daemon and a
+per-user-login-session daemon. Also, the message bus is built on top of
+a general one-to-one message passing framework, which can be used by
+any two apps to communicate directly (without going through the message
+bus daemon).
+
+%description devel-doc
+D-Bus is a message bus system, a simple way for applications to talk to
+one another. D-BUS supplies both a system daemon and a
+per-user-login-session daemon. Also, the message bus is built on top of
+a general one-to-one message passing framework, which can be used by
+any two apps to communicate directly (without going through the message
+bus daemon).
+
+%prep
+%setup -q -n %{_name}-%{version}
+%autopatch -p1
+
+%build
+echo 'HTML_TIMESTAMP=NO' >> Doxyfile.in
+autoreconf -fi
+# We use -fpie/-pie for the whole build; this is the recommended way to harden
+# the build upstream, see discussion in fdo#46570
+export CFLAGS="%{optflags} -fno-strict-aliasing -fPIC -fpie"
+export LDFLAGS="-pie"
+export CXXFLAGS="%{optflags} -fno-strict-aliasing"
+export V=1
+# is_opensuse was first defined after openSUSE 13.2
+%configure \
+    --disable-static \
+    --disable-asserts \
+    --libexecdir=%{_libexecdir}/dbus-1 \
+    --enable-inotify \
+    --enable-doxygen-docs \
+%if %{with selinux}
+    --enable-selinux \
+%endif
+    --enable-systemd \
+    --enable-user-session \
+    --enable-libaudit \
+%if 0%{?suse_version} <= 1315 && !0%{?is_opensuse}
+    --with-console-auth-dir=%{_localstatedir}/run/dbus/at_console/ \
+    --with-system-pid-file=%{_localstatedir}/run/dbus/pid \
+    --with-system-socket=%{_localstatedir}/run/dbus/system_bus_socket \
+%else
+    --with-console-auth-dir=/run/dbus/at_console/ \
+    --with-system-pid-file=/run/dbus/pid \
+    --with-system-socket=/run/dbus/system_bus_socket \
+%endif
+    --with-systemdsystemunitdir=%{_unitdir} \
+    --with-systemduserunitdir=%{_userunitdir} \
+    --without-x
+make %{?_smp_mflags}
+
+doxygen -u && doxygen
+./cleanup-man-pages.sh
+
+%check
+make check
+
+%install
+%make_install
+
+mkdir -p %{buildroot}/lib/dbus-1/system-services
+# dbus-launch, too
+mv -f %{buildroot}/%{_bindir}/dbus-launch %{buildroot}%{_bindir}/dbus-launch.nox11
+mkdir -p %{buildroot}%{_sbindir}
+ln -sf %{_sbindir}/service  %{buildroot}/%{_sbindir}/rcdbus
+%if 0%{?suse_version} <= 1315 && !0%{?is_opensuse}
+install -d %{buildroot}%{_localstatedir}/run/dbus
+%else
+install -d %{buildroot}/run/dbus
+%endif
+mkdir -p %{buildroot}/%{_datadir}/susehelp/meta/Development/Libraries/
+install -m 0644 %{SOURCE2} \
+    %{buildroot}/%{_datadir}/susehelp/meta/Development/Libraries/dbus-1.desktop
+mkdir -p %{buildroot}/%{_libdir}/pkgconfig
+mkdir -p %{buildroot}/lib/dbus-1/system-services
+
+for i in %{_sysconfdir}/dbus-1/session.d %{_sysconfdir}/dbus-1/system.d \
+       %{_datadir}/dbus-1/interfaces %{_datadir}/dbus-1/services \
+       %{_datadir}/dbus-1/system.d %{_datadir}/dbus-1/system-services; do
+  mkdir -p %{buildroot}$i
+done
+
+install -d %{buildroot}%{_sysconfdir}/ConsoleKit/run-session.d
+install -m 755 %{SOURCE3} %{buildroot}%{_sysconfdir}/ConsoleKit/run-session.d
+mkdir -p %{buildroot}%{_localstatedir}/lib/dbus
+
+# don't ship executables in doc
+chmod -x %{buildroot}%{_datadir}/doc/dbus/examples/GetAllMatchRules.py
+
+# Link the binaries that were in /bin back to /bin for compat (maybe remove for SLE-16)
+# Currently required to make upower work together with systemd
+mkdir -p %{buildroot}/bin
+
+ln -sf /%{_bindir}/dbus-cleanup-sockets %{buildroot}/bin/dbus-cleanup-sockets
+ln -sf /%{_bindir}/dbus-daemon %{buildroot}/bin/dbus-daemon
+ln -sf /%{_bindir}/dbus-monitor %{buildroot}/bin/dbus-monitor
+ln -sf /%{_bindir}/dbus-send %{buildroot}/bin/dbus-send
+ln -sf /%{_bindir}/dbus-test-tool %{buildroot}/bin/dbus-test-tool
+ln -sf /%{_bindir}/dbus-update-activation-environment %{buildroot}/bin/dbus-update-activation-environment
+ln -sf /%{_bindir}/dbus-uuidgen %{buildroot}/bin/dbus-uuidgen
+
+mkdir -p %{buildroot}%{_sysconfdir}/alternatives
+ln -s -f %{_sysconfdir}/alternatives/dbus-launch %{buildroot}%{_bindir}/dbus-launch
+
+find %{buildroot} -type f -name "*.la" -delete -print
+
+%verifyscript -n dbus-1
+%verify_permissions -e %{_libexecdir}/dbus-1/dbus-daemon-launch-helper
+
+%post -n %{_libname} -p /sbin/ldconfig
+%postun -n %{_libname} -p /sbin/ldconfig
+%pre
+getent group messagebus >/dev/null || \
+	%{_sbindir}/groupadd -r messagebus
+%if 0%{?suse_version} <= 1315 && !0%{?is_opensuse}
+getent passwd messagebus >/dev/null || \
+	%{_sbindir}/useradd -r -s /usr/bin/false -c "User for D-Bus" -d %{_localstatedir}/run/dbus -g messagebus messagebus
+%else
+getent passwd messagebus >/dev/null || \
+	%{_sbindir}/useradd -r -s /usr/bin/false -c "User for D-Bus" -d /run/dbus -g messagebus messagebus
+%endif
+%service_add_pre dbus.service dbus.socket
+
+%post
+if [ -e %{_localstatedir}/lib/dbus/machine-id -a -e %{_sysconfdir}/machine-id ]; then
+  cmp -s %{_localstatedir}/lib/dbus/machine-id %{_sysconfdir}/machine-id > /dev/null
+  if [ $? ]; then
+    rm -f %{_localstatedir}/lib/dbus/machine-id
+  fi
+fi
+if [ ! -L %{_localstatedir}/lib/dbus/machine-id ]; then
+  mkdir -p %{_localstatedir}/lib/dbus/
+  ln -s %{_sysconfdir}/machine-id %{_localstatedir}/lib/dbus/machine-id
+fi
+
+/sbin/ldconfig
+%set_permissions %{_libexecdir}/dbus-1/dbus-daemon-launch-helper
+%{_sbindir}/update-alternatives --install %{_bindir}/dbus-launch dbus-launch %{_bindir}/dbus-launch.nox11 10
+%service_add_post dbus.service dbus.socket
+%tmpfiles_create %_tmpfilesdir/dbus.conf
+
+%preun
+if [ "$1" = 0 ] ; then
+  %{_sbindir}/update-alternatives --remove dbus-launch %{_bindir}/dbus-launch.nox11
+fi
+%service_del_preun dbus.service dbus.socket
+
+%postun
+# immediately restarting the dbus service causes issues, As such wait for the next reboot to restart
+export DISABLE_RESTART_ON_UPDATE=yes
+%service_del_postun dbus.service dbus.socket
+
+%posttrans
+# See comments in pre
+if [ -s "%{_backup}" ]; then
+   mv -f %{_backup} /etc/sysconfig/services
+elif [ -e "%{_backup}" ]; then
+   rm -f /etc/sysconfig/services
+fi
+
+%files
+%defattr(-, root, root)
+%dir %{_localstatedir}/lib/dbus
+%dir /lib/dbus-1
+%dir /lib/dbus-1/system-services
+%dir %{_libexecdir}/dbus-1/
+%license COPYING
+%doc AUTHORS HACKING NEWS README
+%config(noreplace) %{_sysconfdir}/dbus-1/session.conf
+%config(noreplace) %{_sysconfdir}/dbus-1/system.conf
+%{_datadir}/dbus-1/session.conf
+%{_datadir}/dbus-1/system.conf
+%{_sysconfdir}/ConsoleKit
+%{_bindir}/dbus-cleanup-sockets
+%{_bindir}/dbus-daemon
+%{_bindir}/dbus-monitor
+%{_bindir}/dbus-run-session
+%{_bindir}/dbus-send
+%{_bindir}/dbus-test-tool
+%{_bindir}/dbus-update-activation-environment
+%{_bindir}/dbus-uuidgen
+/bin/dbus-cleanup-sockets
+/bin/dbus-daemon
+/bin/dbus-monitor
+/bin/dbus-send
+/bin/dbus-test-tool
+/bin/dbus-update-activation-environment
+/bin/dbus-uuidgen
+%{_mandir}/man1/dbus-cleanup-sockets.1*
+%{_mandir}/man1/dbus-daemon.1*
+%{_mandir}/man1/dbus-monitor.1*
+%{_mandir}/man1/dbus-run-session.1*
+%{_mandir}/man1/dbus-send.1*
+%{_mandir}/man1/dbus-test-tool.1*
+%{_mandir}/man1/dbus-update-activation-environment.1*
+%{_mandir}/man1/dbus-uuidgen.1*
+%{_mandir}/man1/dbus-launch.1*
+%{_sbindir}/rcdbus
+# See doc/system-activation.txt in source tarball for the rationale
+# behind these permissions
+%attr(4750,root,messagebus) %verify(not mode) %{_libexecdir}/dbus-1/dbus-daemon-launch-helper
+%if 0%{?suse_version} <= 1315 && !0%{?is_opensuse}
+%ghost %{_localstatedir}/run/dbus
+%else
+%ghost /run/dbus
+%endif
+%ghost %{_localstatedir}/lib/dbus/machine-id
+%{_libexecdir}/sysusers.d/dbus.conf
+%{_libexecdir}/tmpfiles.d/dbus.conf
+%{_unitdir}/dbus.service
+%{_unitdir}/dbus.socket
+# %dir %{_unitdir}/dbus.target.wants
+# %{_unitdir}/dbus.target.wants/dbus.socket
+%dir %{_unitdir}/multi-user.target.wants
+%{_unitdir}/multi-user.target.wants/dbus.service
+%dir %{_unitdir}/sockets.target.wants
+%{_unitdir}/sockets.target.wants/dbus.socket
+%{_userunitdir}/dbus.service
+%{_userunitdir}/dbus.socket
+%dir %{_userunitdir}/sockets.target.wants
+%{_userunitdir}/sockets.target.wants/dbus.socket
+%ghost %{_sysconfdir}/alternatives/dbus-launch
+%{_bindir}/dbus-launch.nox11
+%{_bindir}/dbus-launch
+
+%files -n %{_libname}
+%defattr(-, root, root)
+%{_libdir}/libdbus-1.so.*
+# Own those directories in the library instead of dbus-1, since dbus users
+# often ship files there
+%dir %{_sysconfdir}/dbus-1
+%dir %{_sysconfdir}/dbus-1/session.d
+%dir %{_sysconfdir}/dbus-1/system.d
+%dir %{_datadir}/dbus-1
+%dir %{_datadir}/dbus-1/interfaces
+%dir %{_datadir}/dbus-1/services
+%dir %{_datadir}/dbus-1/system.d
+%dir %{_datadir}/dbus-1/system-services
+
+%files devel
+%defattr(-,root,root)
+%{_includedir}/*
+%{_libdir}/libdbus-1.so
+%dir %{_libdir}/dbus-1.0
+%{_libdir}/dbus-1.0/include
+%{_libdir}/pkgconfig/dbus-1.pc
+%{_libdir}/cmake/
+%{_datadir}/xml/dbus-1
+
+%files devel-doc
+%defattr(-,root,root)
+%dir %{_datadir}/doc/dbus
+%dir %{_datadir}/doc/dbus/examples
+%{_datadir}/doc/dbus/api/
+%doc %{_datadir}/doc/dbus/dbus-faq.html
+%doc %{_datadir}/doc/dbus/dbus-specification.html
+%doc %{_datadir}/doc/dbus/dbus-test-plan.html
+%doc %{_datadir}/doc/dbus/dbus-tutorial.html
+%doc %{_datadir}/doc/dbus/diagram.*
+%doc %{_datadir}/doc/dbus/system-activation.txt
+%doc %{_datadir}/doc/dbus/dbus-cleanup-sockets.1.html
+%doc %{_datadir}/doc/dbus/dbus-daemon.1.html
+%doc %{_datadir}/doc/dbus/dbus-launch.1.html
+%doc %{_datadir}/doc/dbus/dbus-run-session.1.html
+%doc %{_datadir}/doc/dbus/dbus-monitor.1.html
+%doc %{_datadir}/doc/dbus/dbus-send.1.html
+%doc %{_datadir}/doc/dbus/dbus-uuidgen.1.html
+%doc %{_datadir}/doc/dbus/dbus.devhelp
+%doc %{_datadir}/doc/dbus/dbus-test-tool.1.html
+%doc %{_datadir}/doc/dbus/dbus-update-activation-environment.1.html
+%doc %{_datadir}/doc/dbus/examples/GetAllMatchRules.py
+%doc %{_datadir}/doc/dbus/examples/example-session-disable-stats.conf
+%doc %{_datadir}/doc/dbus/examples/example-system-enable-stats.conf
+%doc doc/*.txt doc/file-boilerplate.c doc/TODO
+%{_datadir}/susehelp
+
+%changelog

dbus_at_console.ck

@@ -0,0 +1,27 @@
+#!/bin/bash
+#
+# use consolekit to support legacy at_console setting
+#
+reason="$1"
+
+dir=/var/run/dbus/at_console
+
+# for at_console we are only interested in local sessions
+test "$CK_SESSION_IS_LOCAL" = true || exit 0
+test "$reason" = "session_added" -o "$reason" = "session_removed" || exit 0
+
+sessid=${CK_SESSION_ID##*/}
+sessid=${sessid//[^A-Za-z0-9]/_}
+test -n "$sessid" || exit 1
+
+name=`getent passwd "$CK_SESSION_USER_UID" 2>/dev/null | awk -F: '{print $1}'`
+
+test -n "$name" || exit 1
+
+if test "$reason" = "session_added"; then
+	mkdir -p "$dir/$name"
+	touch "$dir/$name/$sessid"
+else
+	rm "$dir/$name/$sessid"
+	rmdir "$dir/$name"
+fi

feature-suse-do-autolaunch.patch

@@ -0,0 +1,26 @@
+From: Stephan Kulow <coolo@suse.de>
+
+We want x11 autolaunch even if we have no x11 in the build environment
+
+Index: dbus-1.12.2/dbus/dbus-sysdeps-unix.c
+===================================================================
+--- dbus-1.12.2.orig/dbus/dbus-sysdeps-unix.c
++++ dbus-1.12.2/dbus/dbus-sysdeps-unix.c
+@@ -3552,7 +3552,7 @@ _dbus_get_tmpdir(void)
+   return tmpdir;
+ }
+ 
+-#if defined(DBUS_ENABLE_X11_AUTOLAUNCH) || defined(DBUS_ENABLE_LAUNCHD)
++#if 1
+ /**
+  * Execute a subprocess, returning up to 1024 bytes of output
+  * into @p result.
+@@ -3787,7 +3787,7 @@ _dbus_get_autolaunch_address (const char
+                               DBusString *address,
+                               DBusError  *error)
+ {
+-#ifdef DBUS_ENABLE_X11_AUTOLAUNCH
++#if 1
+   static const char arg_dbus_launch[] = "dbus-launch";
+   static const char arg_autolaunch[] = "--autolaunch";
+   static const char arg_binary_syntax[] = "--binary-syntax";

feature-suse-log-deny.patch

@@ -0,0 +1,11 @@
+--- a/bus/system.conf.in
++++ b/bus/system.conf.in
+@@ -48,7 +48,7 @@
+     <!-- Holes must be punched in service configuration files for
+          name ownership and sending method calls -->
+     <deny own="*"/>
+-    <deny send_type="method_call"/>
++    <deny send_type="method_call" log="true"/>
+ 
+     <!-- Signals and reply messages (method returns, errors) are allowed
+          by default -->

feature-suse-refuse-manual-start-stop.patch

@@ -0,0 +1,13 @@
+Index: dbus-1.12.2/bus/dbus.service.in
+===================================================================
+--- dbus-1.12.2.orig/bus/dbus.service.in
++++ dbus-1.12.2/bus/dbus.service.in
+@@ -2,6 +2,8 @@
+ Description=D-Bus System Message Bus
+ Documentation=man:dbus-daemon(1)
+ Requires=dbus.socket
++RefuseManualStart=true
++RefuseManualStop=true
+ 
+ [Service]
+ ExecStart=@EXPANDED_BINDIR@/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only

fix-CVE-2019-12749.patch

@@ -0,0 +1,116 @@
+From 47b1a4c41004bf494b87370987b222c934b19016 Mon Sep 17 00:00:00 2001
+From: Simon McVittie <smcv@collabora.com>
+Date: Thu, 30 May 2019 12:53:03 +0100
+Subject: [PATCH] auth: Reject DBUS_COOKIE_SHA1 for users other than the server
+ owner
+
+The DBUS_COOKIE_SHA1 authentication mechanism aims to prove ownership
+of a shared home directory by having the server write a secret "cookie"
+into a .dbus-keyrings subdirectory of the desired identity's home
+directory with 0700 permissions, and having the client prove that it can
+read the cookie. This never actually worked for non-malicious clients in
+the case where server uid != client uid (unless the server and client
+both have privileges, such as Linux CAP_DAC_OVERRIDE or traditional
+Unix uid 0) because an unprivileged server would fail to write out the
+cookie, and an unprivileged client would be unable to read the resulting
+file owned by the server.
+
+Additionally, since dbus 1.7.10 we have checked that ~/.dbus-keyrings
+is owned by the uid of the server (a side-effect of a check added to
+harden our use of XDG_RUNTIME_DIR), further ruling out successful use
+by a non-malicious client with a uid differing from the server's.
+
+Joe Vennix of Apple Information Security discovered that the
+implementation of DBUS_COOKIE_SHA1 was susceptible to a symbolic link
+attack: a malicious client with write access to its own home directory
+could manipulate a ~/.dbus-keyrings symlink to cause the DBusServer to
+read and write in unintended locations. In the worst case this could
+result in the DBusServer reusing a cookie that is known to the
+malicious client, and treating that cookie as evidence that a subsequent
+client connection came from an attacker-chosen uid, allowing
+authentication bypass.
+
+This is mitigated by the fact that by default, the well-known system
+dbus-daemon (since 2003) and the well-known session dbus-daemon (in
+stable releases since dbus 1.10.0 in 2015) only accept the EXTERNAL
+authentication mechanism, and as a result will reject DBUS_COOKIE_SHA1
+at an early stage, before manipulating cookies. As a result, this
+vulnerability only applies to:
+
+* system or session dbus-daemons with non-standard configuration
+* third-party dbus-daemon invocations such as at-spi2-core (although
+  in practice at-spi2-core also only accepts EXTERNAL by default)
+* third-party uses of DBusServer such as the one in Upstart
+
+Avoiding symlink attacks in a portable way is difficult, because APIs
+like openat() and Linux /proc/self/fd are not universally available.
+However, because DBUS_COOKIE_SHA1 already doesn't work in practice for
+a non-matching uid, we can solve this vulnerability in an easier way
+without regressions, by rejecting it early (before looking at
+~/.dbus-keyrings) whenever the requested identity doesn't match the
+identity of the process hosting the DBusServer.
+
+Signed-off-by: Simon McVittie <smcv@collabora.com>
+Closes: https://gitlab.freedesktop.org/dbus/dbus/issues/269
+Closes: CVE-2019-12749
+---
+ dbus/dbus-auth.c | 32 ++++++++++++++++++++++++++++++++
+ 1 file changed, 32 insertions(+)
+
+Index: dbus-1.12.2/dbus/dbus-auth.c
+===================================================================
+--- dbus-1.12.2.orig/dbus/dbus-auth.c
++++ dbus-1.12.2/dbus/dbus-auth.c
+@@ -529,6 +529,7 @@ sha1_handle_first_client_response (DBusA
+   DBusString tmp2;
+   dbus_bool_t retval = FALSE;
+   DBusError error = DBUS_ERROR_INIT;
++  DBusCredentials *myself = NULL;
+ 
+   _dbus_string_set_length (&auth->challenge, 0);
+   
+@@ -565,6 +566,34 @@ sha1_handle_first_client_response (DBusA
+       return FALSE;
+     }
+ 
++  myself = _dbus_credentials_new_from_current_process ();
++
++  if (myself == NULL)
++    goto out;
++
++  if (!_dbus_credentials_same_user (myself, auth->desired_identity))
++    {
++      /*
++       * DBUS_COOKIE_SHA1 is not suitable for authenticating that the
++       * client is anyone other than the user owning the process
++       * containing the DBusServer: we probably aren't allowed to write
++       * to other users' home directories. Even if we can (for example
++       * uid 0 on traditional Unix or CAP_DAC_OVERRIDE on Linux), we
++       * must not, because the other user controls their home directory,
++       * and could carry out symlink attacks to make us read from or
++       * write to unintended locations. It's difficult to avoid symlink
++       * attacks in a portable way, so we just don't try. This isn't a
++       * regression, because DBUS_COOKIE_SHA1 never worked for other
++       * users anyway.
++       */
++      _dbus_verbose ("%s: client tried to authenticate as \"%s\", "
++                     "but that doesn't match this process",
++                     DBUS_AUTH_NAME (auth),
++                     _dbus_string_get_const_data (data));
++      retval = send_rejected (auth);
++      goto out;
++    }
++
+   /* we cache the keyring for speed, so here we drop it if it's the
+    * wrong one. FIXME caching the keyring here is useless since we use
+    * a different DBusAuth for every connection.
+@@ -679,6 +708,9 @@ sha1_handle_first_client_response (DBusA
+   _dbus_string_zero (&tmp2);
+   _dbus_string_free (&tmp2);
+ 
++  if (myself != NULL)
++    _dbus_credentials_unref (myself);
++
+   return retval;
+ }
+ 

fix-upstream-CVE-2020-12049.patch

@@ -0,0 +1,60 @@
+commit 8bc1381819e5a845331650bfa28dacf6d2ac1748
+Author: Simon McVittie <smcv@collabora.com>
+Date:   Thu Apr 16 14:41:48 2020 +0100
+
+    fdpass test: Assert that we don't leak file descriptors
+    
+    This version is for the dbus-1.12 branch, and doesn't rely on dbus!153
+    or dbus!120.
+    
+    Reproduces: dbus#294
+    Reproduces: CVE-2020-12049
+    Reproduces: GHSL-2020-057
+    Signed-off-by: Simon McVittie <smcv@collabora.com>
+
+Index: dbus-1.12.2/test/fdpass.c
+===================================================================
+--- dbus-1.12.2.orig/test/fdpass.c
++++ dbus-1.12.2/test/fdpass.c
+@@ -50,6 +50,14 @@
+ 
+ #include "test-utils-glib.h"
+ 
++#ifdef DBUS_ENABLE_EMBEDDED_TESTS
++#include <dbus/dbus-message-internal.h>
++#else
++typedef struct _DBusInitialFDs DBusInitialFDs;
++#define _dbus_check_fdleaks_enter() NULL
++#define _dbus_check_fdleaks_leave(fds) do {} while (0)
++#endif
++
+ /* Arbitrary; included here to avoid relying on the default */
+ #define MAX_MESSAGE_UNIX_FDS 20
+ /* This test won't work on Linux unless this is true. */
+@@ -91,6 +99,7 @@ typedef struct {
+     GQueue messages;
+ 
+     int fd_before;
++    DBusInitialFDs *initial_fds;
+ } Fixture;
+ 
+ static void oom (const gchar *doing) G_GNUC_NORETURN;
+@@ -172,6 +181,8 @@ test_connect (Fixture *f,
+ {
+   char *address;
+ 
++  f->initial_fds = _dbus_check_fdleaks_enter ();
++
+   g_assert (f->left_server_conn == NULL);
+   g_assert (f->right_server_conn == NULL);
+ 
+@@ -837,6 +848,9 @@ teardown (Fixture *f,
+   if (f->fd_before >= 0 && close (f->fd_before) < 0)
+     g_error ("%s", g_strerror (errno));
+ #endif
++
++  if (f->initial_fds != NULL)
++    _dbus_check_fdleaks_leave (f->initial_fds);
+ }
+ 
+ int

fix-upstream-CVE-2020-12049_2.patch

@@ -0,0 +1,69 @@
+commit 272d484283883fa9ff95b69d924fff6cd34842f5
+Author: Simon McVittie <smcv@collabora.com>
+Date:   Thu Apr 16 14:45:11 2020 +0100
+
+    sysdeps-unix: On MSG_CTRUNC, close the fds we did receive
+    
+    MSG_CTRUNC indicates that we have received fewer fds that we should
+    have done because the buffer was too small, but we were treating it
+    as though it indicated that we received *no* fds. If we received any,
+    we still have to make sure we close them, otherwise they will be leaked.
+    
+    On the system bus, if an attacker can induce us to leak fds in this
+    way, that's a local denial of service via resource exhaustion.
+    
+    Reported-by: Kevin Backhouse, GitHub Security Lab
+    Fixes: dbus#294
+    Fixes: CVE-2020-12049
+    Fixes: GHSL-2020-057
+
+diff --git a/dbus/dbus-sysdeps-unix.c b/dbus/dbus-sysdeps-unix.c
+index e8cd5b33..f9dc2a6e 100644
+--- a/dbus/dbus-sysdeps-unix.c
++++ b/dbus/dbus-sysdeps-unix.c
+@@ -435,18 +435,6 @@ _dbus_read_socket_with_unix_fds (DBusSocket        fd,
+       struct cmsghdr *cm;
+       dbus_bool_t found = FALSE;
+ 
+-      if (m.msg_flags & MSG_CTRUNC)
+-        {
+-          /* Hmm, apparently the control data was truncated. The bad
+-             thing is that we might have completely lost a couple of fds
+-             without chance to recover them. Hence let's treat this as a
+-             serious error. */
+-
+-          errno = ENOSPC;
+-          _dbus_string_set_length (buffer, start);
+-          return -1;
+-        }
+-
+       for (cm = CMSG_FIRSTHDR(&m); cm; cm = CMSG_NXTHDR(&m, cm))
+         if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_RIGHTS)
+           {
+@@ -501,6 +489,26 @@ _dbus_read_socket_with_unix_fds (DBusSocket        fd,
+       if (!found)
+         *n_fds = 0;
+ 
++      if (m.msg_flags & MSG_CTRUNC)
++        {
++          unsigned int i;
++
++          /* Hmm, apparently the control data was truncated. The bad
++             thing is that we might have completely lost a couple of fds
++             without chance to recover them. Hence let's treat this as a
++             serious error. */
++
++          /* We still need to close whatever fds we *did* receive,
++           * otherwise they'll never get closed. (CVE-2020-12049) */
++          for (i = 0; i < *n_fds; i++)
++            close (fds[i]);
++
++          *n_fds = 0;
++          errno = ENOSPC;
++          _dbus_string_set_length (buffer, start);
++          return -1;
++        }
++
+       /* put length back (doesn't actually realloc) */
+       _dbus_string_set_length (buffer, start + bytes_read);
+ 

fix-upstream-CVE-2020-35512.patch

@@ -0,0 +1,322 @@
+commit 2b7948ef907669e844b52c4fa2268d6e3162a70c
+Author: Simon McVittie <smcv@collabora.com>
+Date:   Tue Jun 30 19:29:06 2020 +0100
+
+    userdb: Reference-count DBusUserInfo, DBusGroupInfo
+    
+    Previously, the hash table indexed by uid (or gid) took ownership of the
+    single reference to the heap-allocated struct, and the hash table
+    indexed by username (or group name) had a borrowed pointer to the same
+    struct that exists in the other hash table.
+    
+    However, this can break down if you have two or more distinct usernames
+    that share a numeric identifier. This is generally a bad idea, because
+    the user-space model in such situations does not match the kernel-space
+    reality, and in particular there is no effective kernel-level security
+    boundary between such users, but it is sometimes done anyway.
+    
+    In this case, when the second username is looked up in the userdb, it
+    overwrites (replaces) the entry in the hash table that is indexed by
+    uid, freeing the DBusUserInfo. This results in both the key and the
+    value in the hash table that is indexed by username becoming dangling
+    pointers (use-after-free), leading to undefined behaviour, which is
+    certainly not what we want to see when doing access control.
+    
+    An equivalent situation can occur with groups, in the rare case where
+    a numeric group ID has two names (although I have not heard of this
+    being done in practice).
+    
+    Solve this by reference-counting the data structure. There are up to
+    three references in practice: one held temporarily while the lookup
+    function is populating and storing it, one held by the hash table that
+    is indexed by uid, and one held by the hash table that is indexed by
+    name.
+    
+    Closes: dbus#305
+    Signed-off-by: Simon McVittie <smcv@collabora.com>
+
+Index: dbus-1.12.2/dbus/dbus-sysdeps-unix.h
+===================================================================
+--- dbus-1.12.2.orig/dbus/dbus-sysdeps-unix.h
++++ dbus-1.12.2/dbus/dbus-sysdeps-unix.h
+@@ -105,6 +105,7 @@ typedef struct DBusGroupInfo DBusGroupIn
+  */
+ struct DBusUserInfo
+ {
++  size_t      refcount;       /**< Reference count */
+   dbus_uid_t  uid;            /**< UID */
+   dbus_gid_t  primary_gid;    /**< GID */
+   dbus_gid_t *group_ids;      /**< Groups IDs, *including* above primary group */
+@@ -118,6 +119,7 @@ struct DBusUserInfo
+  */
+ struct DBusGroupInfo
+ {
++  size_t      refcount;       /**< Reference count */
+   dbus_gid_t  gid;            /**< GID */
+   char       *groupname;      /**< Group name */
+ };
+Index: dbus-1.12.2/dbus/dbus-userdb-util.c
+===================================================================
+--- dbus-1.12.2.orig/dbus/dbus-userdb-util.c
++++ dbus-1.12.2/dbus/dbus-userdb-util.c
+@@ -38,6 +38,15 @@
+  * @{
+  */
+ 
++static DBusGroupInfo *
++_dbus_group_info_ref (DBusGroupInfo *info)
++{
++  _dbus_assert (info->refcount > 0);
++  _dbus_assert (info->refcount < SIZE_MAX);
++  info->refcount++;
++  return info;
++}
++
+ /**
+  * Checks to see if the UID sent in is the console user
+  *
+@@ -287,13 +296,14 @@ _dbus_user_database_lookup_group (DBusUs
+           dbus_set_error (error, DBUS_ERROR_NO_MEMORY, NULL);
+           return NULL;
+         }
++      info->refcount = 1;
+ 
+       if (gid != DBUS_GID_UNSET)
+         {
+           if (!_dbus_group_info_fill_gid (info, gid, error))
+             {
+               _DBUS_ASSERT_ERROR_IS_SET (error);
+-              _dbus_group_info_free_allocated (info);
++              _dbus_group_info_unref (info);
+               return NULL;
+             }
+         }
+@@ -302,7 +312,7 @@ _dbus_user_database_lookup_group (DBusUs
+           if (!_dbus_group_info_fill (info, groupname, error))
+             {
+               _DBUS_ASSERT_ERROR_IS_SET (error);
+-              _dbus_group_info_free_allocated (info);
++              _dbus_group_info_unref (info);
+               return NULL;
+             }
+         }
+@@ -311,23 +321,35 @@ _dbus_user_database_lookup_group (DBusUs
+       gid = DBUS_GID_UNSET;
+       groupname = NULL;
+ 
+-      if (!_dbus_hash_table_insert_uintptr (db->groups, info->gid, info))
++      if (_dbus_hash_table_insert_uintptr (db->groups, info->gid, info))
++        {
++          _dbus_group_info_ref (info);
++        }
++      else
+         {
+           dbus_set_error (error, DBUS_ERROR_NO_MEMORY, NULL);
+-          _dbus_group_info_free_allocated (info);
++          _dbus_group_info_unref (info);
+           return NULL;
+         }
+ 
+ 
+-      if (!_dbus_hash_table_insert_string (db->groups_by_name,
+-                                           info->groupname,
+-                                           info))
++      if (_dbus_hash_table_insert_string (db->groups_by_name,
++                                          info->groupname,
++                                          info))
++        {
++          _dbus_group_info_ref (info);
++        }
++      else
+         {
+           _dbus_hash_table_remove_uintptr (db->groups, info->gid);
++          _dbus_group_info_unref (info);
+           dbus_set_error (error, DBUS_ERROR_NO_MEMORY, NULL);
+           return NULL;
+         }
+-      
++
++      /* Release the original reference */
++      _dbus_group_info_unref (info);
++
+       /* Return a borrowed reference to the DBusGroupInfo owned by the
+        * two hash tables */
+       return info;
+Index: dbus-1.12.2/dbus/dbus-userdb.c
+===================================================================
+--- dbus-1.12.2.orig/dbus/dbus-userdb.c
++++ dbus-1.12.2/dbus/dbus-userdb.c
+@@ -35,34 +35,57 @@
+  * @{
+  */
+ 
++static DBusUserInfo *
++_dbus_user_info_ref (DBusUserInfo *info)
++{
++  _dbus_assert (info->refcount > 0);
++  _dbus_assert (info->refcount < SIZE_MAX);
++  info->refcount++;
++  return info;
++}
++
+ /**
+- * Frees the given #DBusUserInfo's members with _dbus_user_info_free()
++ * Decrements the reference count. If it reaches 0,
++ * frees the given #DBusUserInfo's members with _dbus_user_info_free()
+  * and also calls dbus_free() on the block itself
+  *
+  * @param info the info
+  */
+ void
+-_dbus_user_info_free_allocated (DBusUserInfo *info)
++_dbus_user_info_unref (DBusUserInfo *info)
+ {
+   if (info == NULL) /* hash table will pass NULL */
+     return;
+ 
++  _dbus_assert (info->refcount > 0);
++  _dbus_assert (info->refcount < SIZE_MAX);
++
++  if (--info->refcount > 0)
++    return;
++
+   _dbus_user_info_free (info);
+   dbus_free (info);
+ }
+ 
+ /**
+- * Frees the given #DBusGroupInfo's members with _dbus_group_info_free()
++ * Decrements the reference count. If it reaches 0,
++ * frees the given #DBusGroupInfo's members with _dbus_group_info_free()
+  * and also calls dbus_free() on the block itself
+  *
+  * @param info the info
+  */
+ void
+-_dbus_group_info_free_allocated (DBusGroupInfo *info)
++_dbus_group_info_unref (DBusGroupInfo *info)
+ {
+   if (info == NULL) /* hash table will pass NULL */
+     return;
+ 
++  _dbus_assert (info->refcount > 0);
++  _dbus_assert (info->refcount < SIZE_MAX);
++
++  if (--info->refcount > 0)
++    return;
++
+   _dbus_group_info_free (info);
+   dbus_free (info);
+ }
+@@ -170,13 +193,14 @@ _dbus_user_database_lookup (DBusUserData
+           dbus_set_error (error, DBUS_ERROR_NO_MEMORY, NULL);
+           return NULL;
+         }
++      info->refcount = 1;
+ 
+       if (uid != DBUS_UID_UNSET)
+         {
+           if (!_dbus_user_info_fill_uid (info, uid, error))
+             {
+               _DBUS_ASSERT_ERROR_IS_SET (error);
+-              _dbus_user_info_free_allocated (info);
++              _dbus_user_info_unref (info);
+               return NULL;
+             }
+         }
+@@ -185,7 +209,7 @@ _dbus_user_database_lookup (DBusUserData
+           if (!_dbus_user_info_fill (info, username, error))
+             {
+               _DBUS_ASSERT_ERROR_IS_SET (error);
+-              _dbus_user_info_free_allocated (info);
++              _dbus_user_info_unref (info);
+               return NULL;
+             }
+         }
+@@ -195,22 +219,33 @@ _dbus_user_database_lookup (DBusUserData
+       username = NULL;
+ 
+       /* insert into hash */
+-      if (!_dbus_hash_table_insert_uintptr (db->users, info->uid, info))
++      if (_dbus_hash_table_insert_uintptr (db->users, info->uid, info))
++        {
++          _dbus_user_info_ref (info);
++        }
++      else
+         {
+           dbus_set_error (error, DBUS_ERROR_NO_MEMORY, NULL);
+-          _dbus_user_info_free_allocated (info);
++          _dbus_user_info_unref (info);
+           return NULL;
+         }
+ 
+-      if (!_dbus_hash_table_insert_string (db->users_by_name,
+-                                           info->username,
+-                                           info))
++      if (_dbus_hash_table_insert_string (db->users_by_name,
++                                          info->username,
++                                          info))
++        {
++          _dbus_user_info_ref (info);
++        }
++      else
+         {
+           _dbus_hash_table_remove_uintptr (db->users, info->uid);
+           dbus_set_error (error, DBUS_ERROR_NO_MEMORY, NULL);
++          _dbus_user_info_unref (info);
+           return NULL;
+         }
+-      
++
++      _dbus_user_info_unref (info);
++
+       /* Return a borrowed pointer to the DBusUserInfo owned by the
+        * hash tables */
+       return info;
+@@ -570,24 +605,24 @@ _dbus_user_database_new (void)
+   db->refcount = 1;
+ 
+   db->users = _dbus_hash_table_new (DBUS_HASH_UINTPTR,
+-                                    NULL, (DBusFreeFunction) _dbus_user_info_free_allocated);
++                                    NULL, (DBusFreeFunction) _dbus_user_info_unref);
+   
+   if (db->users == NULL)
+     goto failed;
+ 
+   db->groups = _dbus_hash_table_new (DBUS_HASH_UINTPTR,
+-                                     NULL, (DBusFreeFunction) _dbus_group_info_free_allocated);
++                                     NULL, (DBusFreeFunction) _dbus_group_info_unref);
+   
+   if (db->groups == NULL)
+     goto failed;
+ 
+   db->users_by_name = _dbus_hash_table_new (DBUS_HASH_STRING,
+-                                            NULL, NULL);
++                                            NULL, (DBusFreeFunction) _dbus_user_info_unref);
+   if (db->users_by_name == NULL)
+     goto failed;
+   
+   db->groups_by_name = _dbus_hash_table_new (DBUS_HASH_STRING,
+-                                             NULL, NULL);
++                                             NULL, (DBusFreeFunction) _dbus_group_info_unref);
+   if (db->groups_by_name == NULL)
+     goto failed;
+   
+Index: dbus-1.12.2/dbus/dbus-userdb.h
+===================================================================
+--- dbus-1.12.2.orig/dbus/dbus-userdb.h
++++ dbus-1.12.2/dbus/dbus-userdb.h
+@@ -85,10 +85,10 @@ const DBusGroupInfo* _dbus_user_database
+                                                        dbus_gid_t        gid,
+                                                        const DBusString *groupname,
+                                                        DBusError        *error);
++
++void           _dbus_user_info_unref            (DBusUserInfo     *info);
+ DBUS_PRIVATE_EXPORT
+-void           _dbus_user_info_free_allocated   (DBusUserInfo     *info);
+-DBUS_PRIVATE_EXPORT
+-void           _dbus_group_info_free_allocated  (DBusGroupInfo    *info);
++void           _dbus_group_info_unref           (DBusGroupInfo    *info);
+ #endif /* DBUS_USERDB_INCLUDES_PRIVATE */
+ 
+ DBUS_PRIVATE_EXPORT

fix-upstream-CVE-2022-42010.patch

@@ -0,0 +1,108 @@
+commit 9d07424e9011e3bbe535e83043d335f3093d2916
+Author: Simon McVittie <smcv@collabora.com>
+Date:   Tue Sep 13 15:10:22 2022 +0100
+
+    dbus-marshal-validate: Check brackets in signature nest correctly
+    
+    In debug builds with assertions enabled, a signature with incorrectly
+    nested `()` and `{}`, for example `a{i(u}` or `(a{ii)}`, could result
+    in an assertion failure.
+    
+    In production builds without assertions enabled, a signature with
+    incorrectly nested `()` and `{}` could potentially result in a crash
+    or incorrect message parsing, although we do not have a concrete example
+    of either of these failure modes.
+    
+    Thanks: Evgeny Vereshchagin
+    Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/418
+    Resolves: CVE-2022-42010
+    Signed-off-by: Simon McVittie <smcv@collabora.com>
+
+diff --git a/dbus/dbus-marshal-validate.c b/dbus/dbus-marshal-validate.c
+index 4d492f3f..ae68414d 100644
+--- a/dbus/dbus-marshal-validate.c
++++ b/dbus/dbus-marshal-validate.c
+@@ -62,6 +62,8 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
+ 
+   int element_count;
+   DBusList *element_count_stack;
++  char opened_brackets[DBUS_MAXIMUM_TYPE_RECURSION_DEPTH * 2 + 1] = { '\0' };
++  char last_bracket;
+ 
+   result = DBUS_VALID;
+   element_count_stack = NULL;
+@@ -93,6 +95,10 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
+ 
+   while (p != end)
+     {
++      _dbus_assert (struct_depth + dict_entry_depth >= 0);
++      _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets));
++      _dbus_assert (opened_brackets[struct_depth + dict_entry_depth] == '\0');
++
+       switch (*p)
+         {
+         case DBUS_TYPE_BYTE:
+@@ -136,6 +142,10 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
+               goto out;
+             }
+ 
++          _dbus_assert (struct_depth + dict_entry_depth >= 1);
++          _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets));
++          _dbus_assert (opened_brackets[struct_depth + dict_entry_depth - 1] == '\0');
++          opened_brackets[struct_depth + dict_entry_depth - 1] = DBUS_STRUCT_BEGIN_CHAR;
+           break;
+ 
+         case DBUS_STRUCT_END_CHAR:
+@@ -151,9 +161,20 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
+               goto out;
+             }
+ 
++          _dbus_assert (struct_depth + dict_entry_depth >= 1);
++          _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets));
++          last_bracket = opened_brackets[struct_depth + dict_entry_depth - 1];
++
++          if (last_bracket != DBUS_STRUCT_BEGIN_CHAR)
++            {
++              result = DBUS_INVALID_STRUCT_ENDED_BUT_NOT_STARTED;
++              goto out;
++            }
++
+           _dbus_list_pop_last (&element_count_stack);
+ 
+           struct_depth -= 1;
++          opened_brackets[struct_depth + dict_entry_depth] = '\0';
+           break;
+ 
+         case DBUS_DICT_ENTRY_BEGIN_CHAR:
+@@ -178,6 +199,10 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
+               goto out;
+             }
+ 
++          _dbus_assert (struct_depth + dict_entry_depth >= 1);
++          _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets));
++          _dbus_assert (opened_brackets[struct_depth + dict_entry_depth - 1] == '\0');
++          opened_brackets[struct_depth + dict_entry_depth - 1] = DBUS_DICT_ENTRY_BEGIN_CHAR;
+           break;
+ 
+         case DBUS_DICT_ENTRY_END_CHAR:
+@@ -186,8 +211,19 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
+               result = DBUS_INVALID_DICT_ENTRY_ENDED_BUT_NOT_STARTED;
+               goto out;
+             }
+-            
++
++          _dbus_assert (struct_depth + dict_entry_depth >= 1);
++          _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets));
++          last_bracket = opened_brackets[struct_depth + dict_entry_depth - 1];
++
++          if (last_bracket != DBUS_DICT_ENTRY_BEGIN_CHAR)
++            {
++              result = DBUS_INVALID_DICT_ENTRY_ENDED_BUT_NOT_STARTED;
++              goto out;
++            }
++
+           dict_entry_depth -= 1;
++          opened_brackets[struct_depth + dict_entry_depth] = '\0';
+ 
+           element_count = 
+             _DBUS_POINTER_TO_INT (_dbus_list_pop_last (&element_count_stack));

fix-upstream-CVE-2022-42011.patch

@@ -0,0 +1,49 @@
+commit 079bbf16186e87fb0157adf8951f19864bc2ed69
+Author: Simon McVittie <smcv@collabora.com>
+Date:   Mon Sep 12 13:14:18 2022 +0100
+
+    dbus-marshal-validate: Validate length of arrays of fixed-length items
+    
+    This fast-path previously did not check that the array was made up
+    of an integer number of items. This could lead to assertion failures
+    and out-of-bounds accesses during subsequent message processing (which
+    assumes that the message has already been validated), particularly after
+    the addition of _dbus_header_remove_unknown_fields(), which makes it
+    more likely that dbus-daemon will apply non-trivial edits to messages.
+    
+    Thanks: Evgeny Vereshchagin
+    Fixes: e61f13cf "Bug 18064 - more efficient validation for fixed-size type arrays"
+    Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/413
+    Resolves: CVE-2022-42011
+    Signed-off-by: Simon McVittie <smcv@collabora.com>
+
+Index: dbus-1.12.2/dbus/dbus-marshal-validate.c
+===================================================================
+--- dbus-1.12.2.orig/dbus/dbus-marshal-validate.c
++++ dbus-1.12.2/dbus/dbus-marshal-validate.c
+@@ -498,13 +498,24 @@ validate_body_helper (DBusTypeReader
+                  */ 
+                 if (dbus_type_is_fixed (array_elem_type))
+                   {
++                    /* Note that fixed-size types all have sizes equal to
++                     * their alignments, so this is really the item size. */
++                    alignment = _dbus_type_get_alignment (array_elem_type);
++                    _dbus_assert (alignment == 1 || alignment == 2 ||
++                                  alignment == 4 || alignment == 8);
++
++                    /* Because the alignment is a power of 2, this is
++                     * equivalent to: (claimed_len % alignment) != 0,
++                     * but avoids slower integer division */
++                    if ((claimed_len & (alignment - 1)) != 0)
++                      return DBUS_INVALID_ARRAY_LENGTH_INCORRECT;
++
+                     /* bools need to be handled differently, because they can
+                      * have an invalid value
+                      */
+                     if (array_elem_type == DBUS_TYPE_BOOLEAN)
+                       {
+                         dbus_uint32_t v;
+-                        alignment = _dbus_type_get_alignment (array_elem_type);
+ 
+                         while (p < array_end)
+                           {

fix-upstream-CVE-2022-42012.patch

@@ -0,0 +1,66 @@
+commit 236f16e444e88a984cf12b09225e0f8efa6c5b44
+Author: Simon McVittie <smcv@collabora.com>
+Date:   Fri Sep 30 13:46:31 2022 +0100
+
+    dbus-marshal-byteswap: Byte-swap Unix fd indexes if needed
+    
+    When a D-Bus message includes attached file descriptors, the body of the
+    message contains unsigned 32-bit indexes pointing into an out-of-band
+    array of file descriptors. Some D-Bus APIs like GLib's GDBus refer to
+    these indexes as "handles" for the associated fds (not to be confused
+    with a Windows HANDLE, which is a kernel object).
+    
+    The assertion message removed by this commit is arguably correct up to
+    a point: fd-passing is only reasonable on a local machine, and no known
+    operating system allows processes of differing endianness even on a
+    multi-endian ARM or PowerPC CPU, so it makes little sense for the sender
+    to specify a byte-order that differs from the byte-order of the recipient.
+    
+    However, this doesn't account for the fact that a malicious sender
+    doesn't have to restrict itself to only doing things that make sense.
+    On a system with untrusted local users, a message sender could crash
+    the system dbus-daemon (a denial of service) by sending a message in
+    the opposite endianness that contains handles to file descriptors.
+    
+    Before this commit, if assertions are enabled, attempting to byteswap
+    a fd index would cleanly crash the message recipient with an assertion
+    failure. If assertions are disabled, attempting to byteswap a fd index
+    would silently do nothing without advancing the pointer p, causing the
+    message's type and the pointer into its contents to go out of sync, which
+    can result in a subsequent crash (the crash demonstrated by fuzzing was
+    a use-after-free, but other failure modes might be possible).
+    
+    In principle we could resolve this by rejecting wrong-endianness messages
+    from a local sender, but it's actually simpler and less code to treat
+    wrong-endianness messages as valid and byteswap them.
+    
+    Thanks: Evgeny Vereshchagin
+    Fixes: ba7daa60 "unix-fd: add basic marshalling code for unix fds"
+    Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/417
+    Resolves: CVE-2022-42012
+    Signed-off-by: Simon McVittie <smcv@collabora.com>
+
+Index: dbus-1.12.2/dbus/dbus-marshal-byteswap.c
+===================================================================
+--- dbus-1.12.2.orig/dbus/dbus-marshal-byteswap.c
++++ dbus-1.12.2/dbus/dbus-marshal-byteswap.c
+@@ -61,6 +61,7 @@ byteswap_body_helper (DBusTypeReader
+         case DBUS_TYPE_BOOLEAN:
+         case DBUS_TYPE_INT32:
+         case DBUS_TYPE_UINT32:
++        case DBUS_TYPE_UNIX_FD:
+           {
+             p = _DBUS_ALIGN_ADDRESS (p, 4);
+             *((dbus_uint32_t*)p) = DBUS_UINT32_SWAP_LE_BE (*((dbus_uint32_t*)p));
+@@ -188,11 +189,6 @@ byteswap_body_helper (DBusTypeReader
+           }
+           break;
+ 
+-        case DBUS_TYPE_UNIX_FD:
+-          /* fds can only be passed on a local machine, so byte order must always match */
+-          _dbus_assert_not_reached("attempted to byteswap unix fds which makes no sense");
+-          break;
+-
+         default:
+           _dbus_assert_not_reached ("invalid typecode in supposedly-validated signature");
+           break;

fix-upstream-CVE-2023-34969.patch

@@ -0,0 +1,96 @@
+From 37a4dc5835731a1f7a81f1b67c45b8dfb556dd1c Mon Sep 17 00:00:00 2001
+From: hongjinghao <q1204531485@163.com>
+Date: Mon, 5 Jun 2023 18:17:06 +0100
+Subject: [PATCH] bus: Assign a serial number for messages from the driver
+
+Normally, it's enough to rely on a message being given a serial number
+by the DBusConnection just before it is actually sent. However, in the
+rare case where the policy blocks the driver from sending a message
+(due to a deny rule or the outgoing message quota being full), we need
+to get a valid serial number sooner, so that we can copy it into the
+DBUS_HEADER_FIELD_REPLY_SERIAL field (which is mandatory) in the error
+message sent to monitors. Otherwise, the dbus-daemon will crash with
+an assertion failure if at least one Monitoring client is attached,
+because zero is not a valid serial number to copy.
+
+This fixes a denial-of-service vulnerability: if a privileged user is
+monitoring the well-known system bus using a Monitoring client like
+dbus-monitor or `busctl monitor`, then an unprivileged user can cause
+denial-of-service by triggering this crash. A mitigation for this
+vulnerability is to avoid attaching Monitoring clients to the system
+bus when they are not needed. If there are no Monitoring clients, then
+the vulnerable code is not reached.
+
+Co-authored-by: Simon McVittie <smcv@collabora.com>
+Resolves: dbus/dbus#457
+(cherry picked from commit b159849e031000d1dbc1ab876b5fc78a3ce9b534)
+---
+ bus/connection.c                | 15 +++++++++++++++
+ dbus/dbus-connection-internal.h |  2 ++
+ dbus/dbus-connection.c          | 11 ++++++++++-
+ 3 files changed, 27 insertions(+), 1 deletion(-)
+
+diff --git a/bus/connection.c b/bus/connection.c
+index b35834338..215f02307 100644
+--- a/bus/connection.c
++++ b/bus/connection.c
+@@ -2350,6 +2350,21 @@ bus_transaction_send_from_driver (BusTransaction *transaction,
+   if (!dbus_message_set_sender (message, DBUS_SERVICE_DBUS))
+     return FALSE;
+ 
++  /* Make sure the message has a non-zero serial number, otherwise
++   * bus_transaction_capture_error_reply() will not be able to mock up
++   * a corresponding reply for it. Normally this would be delayed until
++   * the first time we actually send the message out from a
++   * connection, when the transaction is committed, but that's too late
++   * in this case.
++   */
++  if (dbus_message_get_serial (message) == 0)
++    {
++      dbus_uint32_t next_serial;
++
++      next_serial = _dbus_connection_get_next_client_serial (connection);
++      dbus_message_set_serial (message, next_serial);
++    }
++
+   if (bus_connection_is_active (connection))
+     {
+       if (!dbus_message_set_destination (message,
+diff --git a/dbus/dbus-connection-internal.h b/dbus/dbus-connection-internal.h
+index 483573212..ba79b1928 100644
+--- a/dbus/dbus-connection-internal.h
++++ b/dbus/dbus-connection-internal.h
+@@ -54,6 +54,8 @@ DBUS_PRIVATE_EXPORT
+ DBusConnection *  _dbus_connection_ref_unlocked                (DBusConnection     *connection);
+ DBUS_PRIVATE_EXPORT
+ void              _dbus_connection_unref_unlocked              (DBusConnection     *connection);
++DBUS_PRIVATE_EXPORT
++dbus_uint32_t     _dbus_connection_get_next_client_serial      (DBusConnection *connection);
+ void              _dbus_connection_queue_received_message_link (DBusConnection     *connection,
+                                                                 DBusList           *link);
+ dbus_bool_t       _dbus_connection_has_messages_to_send_unlocked (DBusConnection     *connection);
+diff --git a/dbus/dbus-connection.c b/dbus/dbus-connection.c
+index c525b6dc1..09cef2788 100644
+--- a/dbus/dbus-connection.c
++++ b/dbus/dbus-connection.c
+@@ -1456,7 +1456,16 @@ _dbus_connection_unref_unlocked (DBusConnection *connection)
+     _dbus_connection_last_unref (connection);
+ }
+ 
+-static dbus_uint32_t
++/**
++ * Allocate and return the next non-zero serial number for outgoing messages.
++ *
++ * This method is only valid to call from single-threaded code, such as
++ * the dbus-daemon, or with the connection lock held.
++ *
++ * @param connection the connection
++ * @returns A suitable serial number for the next message to be sent on the connection.
++ */
++dbus_uint32_t
+ _dbus_connection_get_next_client_serial (DBusConnection *connection)
+ {
+   dbus_uint32_t serial;
+-- 
+GitLab
+

fix-upstream-userdb-constpointer.patch

@@ -0,0 +1,90 @@
+commit 6ee66ff7bcc91803111d950512f02651e664f74f
+Author: Simon McVittie <smcv@collabora.com>
+Date:   Tue Jun 30 19:13:17 2020 +0100
+
+    userdb: Make lookups return a const pointer
+    
+    This makes it more obvious that the returned pointer points to a
+    struct owned by the userdb, which must not be freed or have its
+    contents modified, and is only valid to dereference until the next
+    modification to the userdb's underlying hash tables (which in practice
+    means until the lock is released, because after that we have no
+    guarantees about what might be going on in another thread).
+    
+    Signed-off-by: Simon McVittie <smcv@collabora.com>
+
+Index: dbus-1.12.2/dbus/dbus-userdb-util.c
+===================================================================
+--- dbus-1.12.2.orig/dbus/dbus-userdb-util.c
++++ dbus-1.12.2/dbus/dbus-userdb-util.c
+@@ -240,9 +240,9 @@ _dbus_get_user_id_and_primary_group (con
+  * @param gid the group ID or #DBUS_GID_UNSET
+  * @param groupname group name or #NULL 
+  * @param error error to fill in
+- * @returns the entry in the database
++ * @returns the entry in the database (borrowed, do not free)
+  */
+-DBusGroupInfo*
++const DBusGroupInfo *
+ _dbus_user_database_lookup_group (DBusUserDatabase *db,
+                                   dbus_gid_t        gid,
+                                   const DBusString *groupname,
+@@ -328,6 +328,8 @@ _dbus_user_database_lookup_group (DBusUs
+           return NULL;
+         }
+       
++      /* Return a borrowed reference to the DBusGroupInfo owned by the
++       * two hash tables */
+       return info;
+     }
+ }
+Index: dbus-1.12.2/dbus/dbus-userdb.c
+===================================================================
+--- dbus-1.12.2.orig/dbus/dbus-userdb.c
++++ dbus-1.12.2/dbus/dbus-userdb.c
+@@ -122,9 +122,9 @@ _dbus_is_a_number (const DBusString *str
+  * @param uid the user ID or #DBUS_UID_UNSET
+  * @param username username or #NULL 
+  * @param error error to fill in
+- * @returns the entry in the database
++ * @returns the entry in the database (borrowed, do not free)
+  */
+-DBusUserInfo*
++const DBusUserInfo *
+ _dbus_user_database_lookup (DBusUserDatabase *db,
+                             dbus_uid_t        uid,
+                             const DBusString *username,
+@@ -211,6 +211,8 @@ _dbus_user_database_lookup (DBusUserData
+           return NULL;
+         }
+       
++      /* Return a borrowed pointer to the DBusUserInfo owned by the
++       * hash tables */
+       return info;
+     }
+ }
+Index: dbus-1.12.2/dbus/dbus-userdb.h
+===================================================================
+--- dbus-1.12.2.orig/dbus/dbus-userdb.h
++++ dbus-1.12.2/dbus/dbus-userdb.h
+@@ -76,15 +76,15 @@ dbus_bool_t       _dbus_user_database_ge
+                                                      DBusError            *error);
+ 
+ DBUS_PRIVATE_EXPORT
+-DBusUserInfo*  _dbus_user_database_lookup       (DBusUserDatabase *db,
++const DBusUserInfo *_dbus_user_database_lookup  (DBusUserDatabase *db,
+                                                  dbus_uid_t        uid,
+                                                  const DBusString *username,
+                                                  DBusError        *error);
+ DBUS_PRIVATE_EXPORT
+-DBusGroupInfo* _dbus_user_database_lookup_group (DBusUserDatabase *db,
+-                                                 dbus_gid_t        gid,
+-                                                 const DBusString *groupname,
+-                                                 DBusError        *error);
++const DBusGroupInfo* _dbus_user_database_lookup_group (DBusUserDatabase *db,
++                                                       dbus_gid_t        gid,
++                                                       const DBusString *groupname,
++                                                       DBusError        *error);
+ DBUS_PRIVATE_EXPORT
+ void           _dbus_user_info_free_allocated   (DBusUserInfo     *info);
+ DBUS_PRIVATE_EXPORT