01/02: gnu: dbus: Fix CVE-2020-12049.
From: |
guix-commits |
Subject: |
01/02: gnu: dbus: Fix CVE-2020-12049. |
Date: |
Tue, 2 Jun 2020 17:43:10 -0400 (EDT) |
mbakke pushed a commit to branch master
in repository guix.
commit 9a46e0dd843a2f4c832f74e9a503e7200c934eb7
Author: Marius Bakke <marius@gnu.org>
AuthorDate: Tue Jun 2 23:40:19 2020 +0200
gnu: dbus: Fix CVE-2020-12049.
* gnu/packages/patches/dbus-CVE-2020-12049.patch: New file.
* gnu/local.mk (dist_patch_DATA): Adjust accordingly.
* gnu/packages/glib.scm (dbus/fixed): New variable.
(dbus)[replacement]: New field.
---
gnu/local.mk | 1 +
gnu/packages/glib.scm | 10 +++++
gnu/packages/patches/dbus-CVE-2020-12049.patch | 58 ++++++++++++++++++++++++++
3 files changed, 69 insertions(+)
diff --git a/gnu/local.mk b/gnu/local.mk
index 4a8a855..babcb8f 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -855,6 +855,7 @@ dist_patch_DATA =
\
%D%/packages/patches/datefudge-gettimeofday.patch \
%D%/packages/patches/dbacl-include-locale.h.patch \
%D%/packages/patches/dbus-helper-search-path.patch \
+ %D%/packages/patches/dbus-CVE-2020-12049.patch \
%D%/packages/patches/dbus-c++-gcc-compat.patch \
%D%/packages/patches/dbus-c++-threading-mutex.patch \
%D%/packages/patches/dconf-meson-0.52.patch \
diff --git a/gnu/packages/glib.scm b/gnu/packages/glib.scm
index 12ba6e9..94dc6ad 100644
--- a/gnu/packages/glib.scm
+++ b/gnu/packages/glib.scm
@@ -88,6 +88,7 @@
(package
(name "dbus")
(version "1.12.16")
+ (replacement dbus/fixed)
(source (origin
(method url-fetch)
(uri (string-append
@@ -164,6 +165,15 @@ or through unencrypted TCP/IP suitable for use behind a
firewall with
shared NFS home directories.")
(license license:gpl2+))) ; or Academic Free License
2.1
+;; Replacement package to fix CVE-2020-12049.
+(define dbus/fixed
+ (package
+ (inherit dbus)
+ (source (origin
+ (inherit (package-source dbus))
+ (patches (append (search-patches "dbus-CVE-2020-12049.patch")
+ (origin-patches (package-source dbus))))))))
+
(define glib
(package
(name "glib")
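Review bot: The comment on `dbus/fixed` does not say that the fix is delivered through the `replacement` field, that is, as a graft. The `dbus` definition and its version string stay at "1.12.16", and only the patch file name records that the CVE is addressed. I would extend the comment to something like `;; Replacement package to fix CVE-2020-12049.  This is a graft; fold the patch into 'dbus' at the next full rebuild.` Processes that already have the unpatched library loaded presumably keep running it until they are restarted, which is worth noting for whoever deploys this update.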
diff --git a/gnu/packages/patches/dbus-CVE-2020-12049.patch
b/gnu/packages/patches/dbus-CVE-2020-12049.patch
new file mode 100644
index 0000000..7128014
--- /dev/null
+++ b/gnu/packages/patches/dbus-CVE-2020-12049.patch
@@ -0,0 +1,58 @@
+Fix CVE-2020-12049:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12049
+https://lists.freedesktop.org/archives/ftp-release/2020-June/000753.html
+
+Taken from upstream:
+
+https://gitlab.freedesktop.org/dbus/dbus/-/commit/272d484283883fa9ff95b69d924fff6cd34842f5
+
+diff --git a/dbus/dbus-sysdeps-unix.c b/dbus/dbus-sysdeps-unix.c
+--- a/dbus/dbus-sysdeps-unix.c
++++ b/dbus/dbus-sysdeps-unix.c
+@@ -435,18 +435,6 @@ _dbus_read_socket_with_unix_fds (DBusSocket fd,
+ struct cmsghdr *cm;
+ dbus_bool_t found = FALSE;
+
+- if (m.msg_flags & MSG_CTRUNC)
+- {
+- /* Hmm, apparently the control data was truncated. The bad
+- thing is that we might have completely lost a couple of fds
+- without chance to recover them. Hence let's treat this as a
+- serious error. */
+-
+- errno = ENOSPC;
+- _dbus_string_set_length (buffer, start);
+- return -1;
+- }
+-
+ for (cm = CMSG_FIRSTHDR(&m); cm; cm = CMSG_NXTHDR(&m, cm))
+ if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_RIGHTS)
+ {
+@@ -501,6 +489,26 @@ _dbus_read_socket_with_unix_fds (DBusSocket fd,
+ if (!found)
+ *n_fds = 0;
+
++ if (m.msg_flags & MSG_CTRUNC)
++ {
++ unsigned int i;
++
++ /* Hmm, apparently the control data was truncated. The bad
++ thing is that we might have completely lost a couple of fds
++ without chance to recover them. Hence let's treat this as a
++ serious error. */
++
++ /* We still need to close whatever fds we *did* receive,
++ * otherwise they'll never get closed. (CVE-2020-12049) */
++ for (i = 0; i < *n_fds; i++)
++ close (fds[i]);
++
++ *n_fds = 0;
++ errno = ENOSPC;
++ _dbus_string_set_length (buffer, start);
++ return -1;
++ }
++
+ /* put length back (doesn't actually realloc) */
+ _dbus_string_set_length (buffer, start + bytes_read);
+
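Review bot: The relocated MSG_CTRUNC branch depends on an ordering that its comments do not state: `errno = ENOSPC;` has to stay after the `close (fds[i])` loop, because close() can itself set errno and its return value is not checked here. I would add a line such as `/* set errno last: close() above may overwrite it */` directly before `errno = ENOSPC;` so a later refactor does not reorder the two. The loop also assumes that `fds` and `*n_fds` were filled in by the SCM_RIGHTS scan, most of which lies between the two hunks and is not visible here, so that should be confirmed against the full function. _dbus_read_socket_with_unix_fds starts and ends outside the hunks shown.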