From f676dcf62e8513a2faa676754155eeb23751eec6 Mon Sep 17 00:00:00 2001
From: David King
Date: Nov 27 2014 09:11:55 +0000
Subject: Update to 1.6.28
- Fixes CVE-2014-3635 (fd.o#83622)
- Fixes CVE-2014-3636 (fd.o#82820)
- Fixes CVE-2014-3637 (fd.o#80559)
- Fixes CVE-2014-3638 (fd.o#81053)
- Fixes CVE-2014-3639 (fd.o#80919)
- Fixes CVE-2014-7824 (fd.o#85105)
---
diff --git a/.gitignore b/.gitignore
index 4489cbc..f388415 100644
--- a/.gitignore
+++ b/.gitignore
@@ -11,3 +11,4 @@
 /dbus-1.6.6.tar.gz
 /dbus-1.6.8.tar.gz
 /dbus-1.6.12.tar.gz
+/dbus-1.6.28.tar.gz
diff --git a/0001-CVE-2014-3477-deliver-activation-errors-correctly-fi.patch b/0001-CVE-2014-3477-deliver-activation-errors-correctly-fi.patch
deleted file mode 100644
index 374ace1..0000000
--- a/0001-CVE-2014-3477-deliver-activation-errors-correctly-fi.patch
+++ /dev/null
@@ -1,150 +0,0 @@ -From cab1c56bb9d70469128d2ae1c40539c0d3b30f13 Mon Sep 17 00:00:00 2001 -From: Alban Crequy -Date: Tue, 20 May 2014 14:37:37 +0100 -Subject: [PATCH] CVE-2014-3477: deliver activation errors correctly, fixing - Denial of Service - -How it should work: - -When a D-Bus message activates a service, LSMs (SELinux or AppArmor) check -whether the message can be delivered after the service has been activated. The -service is considered activated when its well-known name is requested with -org.freedesktop.DBus.RequestName. When the message delivery is denied, the -service stays activated but should not receive the activating message (the -message which triggered the activation). dbus-daemon is supposed to drop the -activating message and reply to the sender with a D-Bus error message. - -However, it does not work as expected: - -1. The error message is delivered to the service instead of being delivered to - the sender. As an example, the error message could be something like: - - An SELinux policy prevents this sender from sending this - message to this recipient, [...] member="MaliciousMethod" - - If the sender and the service are malicious confederates and agree on a - protocol to insert information in the member name, the sender can leak - information to the service, even though the LSM attempted to block the - communication between the sender and the service. - -2. The error message is delivered as a reply to the RequestName call from - service. It means the activated service will believe it cannot request the - name and might exit. The sender could activate the service frequently and - systemd will give up activating it. Thus the denial of service. - -The following changes fix the bug: -- bus_activation_send_pending_auto_activation_messages() only returns an error - in case of OOM. The prototype is changed to return TRUE, or FALSE on OOM - (and its only caller sets the OOM error). 
-- When a client is not allowed to talk to the service, a D-Bus error message - is pre-allocated to be delivered to the client as part of the transaction. - The error is not propagated to the caller so RequestName will not fail - (except on OOM). - -[fixed a misleading comment -smcv] - -Bug: https://bugs.freedesktop.org/show_bug.cgi?id=78979 -Reviewed-by: Simon McVittie -Reviewed-by: Colin Walters ---- - bus/activation.c | 27 ++++++++++++++++++++------- - bus/activation.h | 3 +-- - bus/services.c | 5 +++-- - 3 files changed, 24 insertions(+), 11 deletions(-) - -diff --git a/bus/activation.c b/bus/activation.c -index ea48a26..280cc01 100644 ---- a/bus/activation.c -+++ b/bus/activation.c -@@ -1162,14 +1162,11 @@ bus_activation_service_created (BusActivation *activation, - dbus_bool_t - bus_activation_send_pending_auto_activation_messages (BusActivation *activation, - BusService *service, -- BusTransaction *transaction, -- DBusError *error) -+ BusTransaction *transaction) - { - BusPendingActivation *pending_activation; - DBusList *link; - -- _DBUS_ASSERT_ERROR_IS_CLEAR (error); -- - /* Check if it's a pending activation */ - pending_activation = _dbus_hash_table_lookup_string (activation->pending_activations, - bus_service_get_name (service)); -@@ -1186,6 +1183,9 @@ bus_activation_send_pending_auto_activation_messages (BusActivation *activation - if (entry->auto_activation && (entry->connection == NULL || dbus_connection_get_is_connected (entry->connection))) - { - DBusConnection *addressed_recipient; -+ DBusError error; -+ -+ dbus_error_init (&error); - - addressed_recipient = bus_service_get_primary_owners_connection (service); - -@@ -1193,8 +1193,22 @@ bus_activation_send_pending_auto_activation_messages (BusActivation *activation - if (!bus_dispatch_matches (transaction, - entry->connection, - addressed_recipient, -- entry->activation_message, error)) -- goto error; -+ entry->activation_message, &error)) -+ { -+ /* If permission is denied, we just want to return 
the error -+ * to the original method invoker; in particular, we don't -+ * want to make the RequestName call fail with that error -+ * (see fd.o #78979, CVE-2014-3477). */ -+ if (!bus_transaction_send_error_reply (transaction, entry->connection, -+ &error, entry->activation_message)) -+ { -+ bus_connection_send_oom_error (entry->connection, -+ entry->activation_message); -+ } -+ -+ link = next; -+ continue; -+ } - } - - link = next; -@@ -1203,7 +1217,6 @@ bus_activation_send_pending_auto_activation_messages (BusActivation *activation - if (!add_restore_pending_to_transaction (transaction, pending_activation)) - { - _dbus_verbose ("Could not add cancel hook to transaction to revert removing pending activation\n"); -- BUS_SET_OOM (error); - goto error; - } - -diff --git a/bus/activation.h b/bus/activation.h -index 97f25b1..fc5d426 100644 ---- a/bus/activation.h -+++ b/bus/activation.h -@@ -62,8 +62,7 @@ dbus_bool_t dbus_activation_systemd_failure (BusActivation *activation, - - dbus_bool_t bus_activation_send_pending_auto_activation_messages (BusActivation *activation, - BusService *service, -- BusTransaction *transaction, -- DBusError *error); -+ BusTransaction *transaction); - - - #endif /* BUS_ACTIVATION_H */ -diff --git a/bus/services.c b/bus/services.c -index 01a720e..584485b 100644 ---- a/bus/services.c -+++ b/bus/services.c -@@ -588,8 +588,9 @@ bus_registry_acquire_service (BusRegistry *registry, - activation = bus_context_get_activation (registry->context); - retval = bus_activation_send_pending_auto_activation_messages (activation, - service, -- transaction, -- error); -+ transaction); -+ if (!retval) -+ BUS_SET_OOM (error); - - out: - return retval; --- -1.8.3.1 - diff --git a/0001-Handle-ETOOMANYREFS-when-sending-recursive-fds-SCM_R.patch b/0001-Handle-ETOOMANYREFS-when-sending-recursive-fds-SCM_R.patch deleted file mode 100644 index 8d05a7b..0000000 --- a/0001-Handle-ETOOMANYREFS-when-sending-recursive-fds-SCM_R.patch +++ /dev/null 
@@ -1,116 +0,0 @@ -From 8c7176019fbc2e8fee41d93ce82ac2603fe57d67 Mon Sep 17 00:00:00 2001 -From: Alban Crequy -Date: Tue, 24 Jun 2014 17:57:14 +0100 -Subject: [PATCH] Handle ETOOMANYREFS when sending recursive fds (SCM_RIGHTS) - -Since Linux commit 25888e (from 2.6.37-rc4, Nov 2010), sendmsg() on Unix -sockets returns -1 errno=ETOOMANYREFS ("Too many references: cannot splice") -when the passfd mechanism (SCM_RIGHTS) is "abusively" used recursively by -applications. A malicious client could use this to force a victim system -service to be disconnected from the system bus; the victim would likely -respond by exiting. This is a denial of service (fd.o #80163, -CVE-2014-3532). - -This patch silently drops the D-Bus message on ETOOMANYREFS and does not close -the connection. - -Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80163 -Reviewed-by: Thiago Macieira -[altered commit message to explain DoS significance -smcv] -Reviewed-by: Simon McVittie ---- - dbus/dbus-sysdeps.c | 14 ++++++++++++++ - dbus/dbus-sysdeps.h | 1 + - dbus/dbus-transport-socket.c | 34 +++++++++++++++++++++++++++++++++- - 3 files changed, 48 insertions(+), 1 deletion(-) - -diff --git a/dbus/dbus-sysdeps.c b/dbus/dbus-sysdeps.c -index 04fb8d7..8ed7da9 100644 ---- a/dbus/dbus-sysdeps.c -+++ b/dbus/dbus-sysdeps.c -@@ -760,6 +760,20 @@ _dbus_get_is_errno_epipe (void) - } - - /** -+ * See if errno is ETOOMANYREFS -+ * @returns #TRUE if errno == ETOOMANYREFS -+ */ -+dbus_bool_t -+_dbus_get_is_errno_etoomanyrefs (void) -+{ -+#ifdef ETOOMANYREFS -+ return errno == ETOOMANYREFS; -+#else -+ return FALSE; -+#endif -+} -+ -+/** - * Get error message from errno - * @returns _dbus_strerror(errno) - */ -diff --git a/dbus/dbus-sysdeps.h b/dbus/dbus-sysdeps.h -index eee9160..df4c5e0 100644 ---- a/dbus/dbus-sysdeps.h -+++ b/dbus/dbus-sysdeps.h -@@ -373,6 +373,7 @@ dbus_bool_t _dbus_get_is_errno_eagain_or_ewouldblock (void); - dbus_bool_t _dbus_get_is_errno_enomem (void); - dbus_bool_t _dbus_get_is_errno_eintr 
(void); - dbus_bool_t _dbus_get_is_errno_epipe (void); -+dbus_bool_t _dbus_get_is_errno_etoomanyrefs (void); - const char* _dbus_strerror_from_errno (void); - - void _dbus_disable_sigpipe (void); -diff --git a/dbus/dbus-transport-socket.c b/dbus/dbus-transport-socket.c -index 544d00a..26d2b73 100644 ---- a/dbus/dbus-transport-socket.c -+++ b/dbus/dbus-transport-socket.c -@@ -646,12 +646,44 @@ do_writing (DBusTransport *transport) - { - /* EINTR already handled for us */ - -- /* For some discussion of why we also ignore EPIPE here, see -+ /* If the other end closed the socket with close() or shutdown(), we -+ * receive EPIPE here but we must not close the socket yet: there -+ * might still be some data to read. See: - * http://lists.freedesktop.org/archives/dbus/2008-March/009526.html - */ - - if (_dbus_get_is_errno_eagain_or_ewouldblock () || _dbus_get_is_errno_epipe ()) - goto out; -+ -+ /* Since Linux commit 25888e (from 2.6.37-rc4, Nov 2010), sendmsg() -+ * on Unix sockets returns -1 errno=ETOOMANYREFS when the passfd -+ * mechanism (SCM_RIGHTS) is used recursively with a recursion level -+ * of maximum 4. The kernel does not have an API to check whether -+ * the passed fds can be forwarded and it can change asynchronously. -+ * See: -+ * https://bugs.freedesktop.org/show_bug.cgi?id=80163 -+ */ -+ -+ else if (_dbus_get_is_errno_etoomanyrefs ()) -+ { -+ /* We only send fds in the first byte of the message. -+ * ETOOMANYREFS cannot happen after. 
-+ */ -+ _dbus_assert (socket_transport->message_bytes_written == 0); -+ -+ _dbus_verbose (" discard message of %d bytes due to ETOOMANYREFS\n", -+ total_bytes_to_write); -+ -+ socket_transport->message_bytes_written = 0; -+ _dbus_string_set_length (&socket_transport->encoded_outgoing, 0); -+ _dbus_string_compact (&socket_transport->encoded_outgoing, 2048); -+ -+ /* The message was not actually sent but it needs to be removed -+ * from the outgoing queue -+ */ -+ _dbus_connection_message_sent_unlocked (transport->connection, -+ message); -+ } - else - { - _dbus_verbose ("Error writing to remote app: %s\n", --- -1.8.3.1 - diff --git a/0001-If-loader-contains-two-messages-with-fds-don-t-corru.patch b/0001-If-loader-contains-two-messages-with-fds-don-t-corru.patch deleted file mode 100644 index e272bce..0000000 --- a/0001-If-loader-contains-two-messages-with-fds-don-t-corru.patch +++ /dev/null 
@@ -1,40 +0,0 @@
-From b9c338e32390f953d4c9772daef31187a117b376 Mon Sep 17 00:00:00 2001
-From: Simon McVittie
-Date: Wed, 11 Jun 2014 12:24:20 +0100
-Subject: [PATCH] If loader contains two messages with fds, don't corrupt the
- second
-
-There were two bugs here: we would previously overwrite the unused
-fds with the already-used fds instead of the other way round, and
-we would copy n bytes where we should have copied n ints.
-
-Additionally, sending crafted messages in a chosen sequence to a victim
-system service could cause an invalid file descriptor to be present
-when dbus-daemon tries to forward one of those crafted messages to the
-victim, causing sendmsg() to fail with EBADF, which resulted in
-disconnecting the victim service, which would likely respond to that
-by exiting. This is a denial of service (fd.o #80469, CVE-2014-3533).
-
-Bug: https://bugs.freedesktop.org/show_bug.cgi?id=79694
-Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80469
-Reviewed-by: Alban Crequy
----
- dbus/dbus-message.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/dbus/dbus-message.c b/dbus/dbus-message.c
-index a34ea1d..fc61ae7 100644
---- a/dbus/dbus-message.c
-+++ b/dbus/dbus-message.c
-@@ -4129,7 +4129,7 @@ load_message (DBusMessageLoader *loader,
-
- message->n_unix_fds_allocated = message->n_unix_fds = n_unix_fds;
- loader->n_unix_fds -= n_unix_fds;
-- memmove(loader->unix_fds + n_unix_fds, loader->unix_fds, loader->n_unix_fds);
-+ memmove (loader->unix_fds, loader->unix_fds + n_unix_fds, loader->n_unix_fds * sizeof (loader->unix_fds[0]));
- }
- else
- message->unix_fds = NULL;
---
-1.8.3.1
-
diff --git a/0001-_dbus_babysitter_unref-avoid-infinite-loop-if-waitpi.patch b/0001-_dbus_babysitter_unref-avoid-infinite-loop-if-waitpi.patch
deleted file mode 100644
index b97c9dc..0000000
--- a/0001-_dbus_babysitter_unref-avoid-infinite-loop-if-waitpi.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From fc600b6a8f0dec5642b45c1026dee24c9adb9bc2 Mon Sep 17 00:00:00 2001
-From: Simon McVittie
-Date: Wed, 4 Sep 2013 17:53:23 +0100
-Subject: [PATCH] _dbus_babysitter_unref: avoid infinite loop if waitpid()
- returns EINTR
-
-If waitpid() failed with EINTR, we'd go back for another go, but
-because ret is nonzero, we'd skip the waitpid() and just keep looping.
-
-Also avoid an unnecessary "goto" in favour of a proper loop, to make it
-more clearly correct.
-
-Bug: https://bugs.freedesktop.org/show_bug.cgi?id=68945
-Reviewed-by: Colin Walters
----
- dbus/dbus-spawn.c | 13 ++++++++-----
- 1 file changed, 8 insertions(+), 5 deletions(-)
-
-diff --git a/dbus/dbus-spawn.c b/dbus/dbus-spawn.c
-index ef00801..6e42f55 100644
---- a/dbus/dbus-spawn.c
-+++ b/dbus/dbus-spawn.c
-@@ -304,23 +304,26 @@ _dbus_babysitter_unref (DBusBabysitter *sitter)
-
- /* If we couldn't reap the child then kill it, and
- * try again
- */
- if (ret == 0)
- kill (sitter->sitter_pid, SIGKILL);
-
-- again:
- if (ret == 0)
-- ret = waitpid (sitter->sitter_pid, &status, 0);
-+ {
-+ do
-+ {
-+ ret = waitpid (sitter->sitter_pid, &status, 0);
-+ }
-+ while (_DBUS_UNLIKELY (ret < 0 && errno == EINTR));
-+ }
-
- if (ret < 0)
- {
-- if (errno == EINTR)
-- goto again;
-- else if (errno == ECHILD)
-+ if (errno == ECHILD)
- _dbus_warn ("Babysitter process not available to be reaped; should not happen\n");
- else
- _dbus_warn ("Unexpected error %d in waitpid() for babysitter: %s\n",
- errno, _dbus_strerror (errno));
- }
- else
- {
---
-1.8.3.1
-
diff --git a/0001-test-marshal-Ensure-we-use-suitably-aligned-buffers.patch b/0001-test-marshal-Ensure-we-use-suitably-aligned-buffers.patch
deleted file mode 100644
index d7cea52..0000000
--- a/0001-test-marshal-Ensure-we-use-suitably-aligned-buffers.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From 1a09d46b3cad370e4bd2c59ec6215fbf65351834 Mon Sep 17 00:00:00 2001
-From: Colin Walters
-Date: Wed, 24 Jul 2013 21:48:58 +0100
-Subject: [PATCH] test/marshal: Ensure we use suitably aligned buffers
-
-This test was failing on s390; though it could fail
-on other platforms too. Basically we need to be sure
-we're passing at least word-aligned buffers to the
-demarshalling code. malloc() will do that for us.
----
- test/marshal.c | 27 ++++++++++++++++++++++-----
- 1 file changed, 22 insertions(+), 5 deletions(-)
-
-diff --git a/test/marshal.c b/test/marshal.c
-index e9ac7e3..e65ee7c 100644
---- a/test/marshal.c
-+++ b/test/marshal.c
-@@ -27,6 +27,7 @@
- #include
-
- #include
-+#include
-
- #include
- #include
-@@ -244,14 +245,30 @@ int
- main (int argc,
- char **argv)
- {
-+ int ret;
-+ char *aligned_le_blob;
-+ char *aligned_be_blob;
-+
- g_test_init (&argc, &argv, NULL);
-
-- g_test_add ("/demarshal/le", Fixture, le_blob, setup, test_endian, teardown);
-- g_test_add ("/demarshal/be", Fixture, be_blob, setup, test_endian, teardown);
-- g_test_add ("/demarshal/needed/le", Fixture, le_blob, setup, test_needed,
-+ /* We have to pass in a buffer that's at least "default aligned",
-+ * i.e. on GNU systems to 8 or 16. The linker may have only given
-+ * us byte-alignment for the char[] static variables.
-+ */
-+ aligned_le_blob = g_malloc (sizeof (le_blob));
-+ memcpy (aligned_le_blob, le_blob, sizeof (le_blob));
-+ aligned_be_blob = g_malloc (sizeof (be_blob));
-+ memcpy (aligned_be_blob, be_blob, sizeof (be_blob));
-+
-+ g_test_add ("/demarshal/le", Fixture, aligned_le_blob, setup, test_endian, teardown);
-+ g_test_add ("/demarshal/be", Fixture, aligned_be_blob, setup, test_endian, teardown);
-+ g_test_add ("/demarshal/needed/le", Fixture, aligned_le_blob, setup, test_needed,
- teardown);
-- g_test_add ("/demarshal/needed/be", Fixture, be_blob, setup, test_needed,
-+ g_test_add ("/demarshal/needed/be", Fixture, aligned_be_blob, setup, test_needed,
- teardown);
-
-- return g_test_run ();
-+ ret = g_test_run ();
-+ g_free (aligned_le_blob);
-+ g_free (aligned_be_blob);
-+ return ret;
- }
---
-1.8.1.4
-
diff --git a/avoid-undefined-7c00ed22d9b5c33f5b33221e906946b11a9bde3b.patch b/avoid-undefined-7c00ed22d9b5c33f5b33221e906946b11a9bde3b.patch
deleted file mode 100644
index 3f13319..0000000
--- a/avoid-undefined-7c00ed22d9b5c33f5b33221e906946b11a9bde3b.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 7c00ed22d9b5c33f5b33221e906946b11a9bde3b Mon Sep 17 00:00:00 2001
-From: DreamNik
-Date: Sun, 29 Sep 2013 10:45:58 +0000
-Subject: make_and_run_test_nodes: avoid undefined behaviour
-
-In code that looks like n[i] = v(&i), where v increments i, C leaves it
-undefined whether the old or new value of i is used to locate n[i].
-As it happens, gcc used the pre-increment value of i, but MSVC
-used the post-increment value.
-
-Fix this by inserting a sequence point to disambiguate the intended order.
-
-Bug: https://bugs.freedesktop.org/show_bug.cgi?id=69924
-Reviewed-by: Chengwei Yang
-Reviewed-by: Simon McVittie
-[wrote commit message, fixed whitespace -smcv]
-Signed-off-by: Simon McVittie
----
-diff --git a/dbus/dbus-marshal-recursive-util.c b/dbus/dbus-marshal-recursive-util.c
-index 9512414..a2aaaf9 100644
---- a/dbus/dbus-marshal-recursive-util.c
-+++ b/dbus/dbus-marshal-recursive-util.c
-@@ -1785,10 +1785,13 @@ make_and_run_test_nodes (void)
- start_next_test ("All values in one big toplevel %d iteration\n", 1);
- {
- TestTypeNode *nodes[N_VALUES];
-+ TestTypeNode *node;
-
- i = 0;
-- while ((nodes[i] = value_generator (&i)))
-- ;
-+ while ((node = value_generator (&i)))
-+ {
-+ nodes[i - 1] = node;
-+ }
-
- run_test_nodes (nodes, N_VALUES);
-
---
-cgit v0.9.0.2-2-gbebe
diff --git a/dbus.spec b/dbus.spec
index 4d0914a..adc5008 100644
--- a/dbus.spec
+++ b/dbus.spec
@@ -16,8 +16,8 @@
 Summary: D-BUS message bus
 Name: dbus
 Epoch: 1
-Version: 1.6.12
-Release: 9%{?dist}
+Version: 1.6.28
+Release: 1%{?dist}
 URL: http://www.freedesktop.org/software/dbus/
 #VCS: git:git://git.freedesktop.org/git/dbus/dbus
 Source0: http://dbus.freedesktop.org/releases/dbus/%{name}-%{version}.tar.gz
@@ -58,12 +58,6 @@ BuildRequires: /usr/bin/Xvfb
 # FIXME this should be upstreamed; need --daemon-bindir=/bin and --bindir=/usr/bin or something?
 Patch0: bindir.patch
 Patch1: 0001-name-test-Don-t-run-test-autolaunch-if-we-don-t-have.patch
-Patch2: 0001-test-marshal-Ensure-we-use-suitably-aligned-buffers.patch
-Patch3: avoid-undefined-7c00ed22d9b5c33f5b33221e906946b11a9bde3b.patch
-Patch4: 0001-_dbus_babysitter_unref-avoid-infinite-loop-if-waitpi.patch
-Patch5: 0001-CVE-2014-3477-deliver-activation-errors-correctly-fi.patch
-Patch6: 0001-If-loader-contains-two-messages-with-fds-don-t-corru.patch
-Patch7: 0001-Handle-ETOOMANYREFS-when-sending-recursive-fds-SCM_R.patch
 %description
 D-BUS is a system for sending messages between applications. It is
@@ -114,12 +108,6 @@ in this separate package so server systems need not install X.
 %patch0 -p1 -b .bindir
 %patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1
-%patch5 -p1
-%patch6 -p1
-%patch7 -p1
 %build
 if test -f autogen.sh; then env NOCONFIGURE=1 ./autogen.sh; else autoreconf -v -f -i; fi
@@ -268,6 +256,15 @@ fi
 %{_includedir}/*
 %changelog
+* Thu Nov 27 2014 David King - 1:1.6.28-1
+- Update to 1.6.28
+- Fixes CVE-2014-3635 (fd.o#83622)
+- Fixes CVE-2014-3636 (fd.o#82820)
+- Fixes CVE-2014-3637 (fd.o#80559)
+- Fixes CVE-2014-3638 (fd.o#81053)
+- Fixes CVE-2014-3639 (fd.o#80919)
+- Fixes CVE-2014-7824 (fd.o#85105)
+
 * Wed Jul 2 2014 Colin Walters - 1:1.6.12-9
 - Backport patches from dbus-1.6
 - Fixes CVE-2014-3477 (fd.o#78979)
diff --git a/sources b/sources
index 260dc42..84c47b4 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-a70edc50524f258eaf5c9a9994ed8748 dbus-1.6.12.tar.gz
+80935a10a64620f1d0bded39735430a6 dbus-1.6.28.tar.gz
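Review bot: The new %changelog entry lists the six CVEs fixed by the upstream release but says nothing about the six backports this commit drops from the spec (Patch2 through Patch7), so a reader of the package history cannot tell whether the three non-CVE fixes (the aligned marshal test buffers, the make_and_run_test_nodes sequence-point fix and the babysitter waitpid EINTR loop) are carried by 1.6.28 or were simply lost. The three CVE backports are presumably superseded by upstream's own fixes for CVE-2014-3477, CVE-2014-3532 and CVE-2014-3533, but that is an inference from the patch subjects, not something the commit states. I would add a line after `- Update to 1.6.28` such as `- Drop backported patches, all included upstream in 1.6.28` once that has been confirmed against the upstream NEWS for the 1.6.x series. The `sources` entry records only an MD5 digest of the tarball, so if the download was checked against upstream's release signature it is worth saying so in the commit message, since the digest alone cannot show that.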