summary refs log tree commit diff
path: root/gnu/packages/patches
diff options
context:
space:
mode:
authorMarius Bakke <marius@gnu.org>2020-06-02 23:40:19 +0200
committerMarius Bakke <marius@gnu.org>2020-06-02 23:41:35 +0200
commit9a46e0dd843a2f4c832f74e9a503e7200c934eb7 (patch)
treebdd1a84911e1bf91686ea99a3aa2410a6a62cf53 /gnu/packages/patches
parent395659d86d98afaba4d311ca5618f49a4548f6ae (diff)
downloadguix-9a46e0dd843a2f4c832f74e9a503e7200c934eb7.tar.gz
gnu: dbus: Fix CVE-2020-12049.
* gnu/packages/patches/dbus-CVE-2020-12049.patch: New file.
* gnu/local.mk (dist_patch_DATA): Adjust accordingly.
* gnu/packages/glib.scm (dbus/fixed): New variable.
(dbus)[replacement]: New field.
Diffstat (limited to 'gnu/packages/patches')
-rw-r--r--gnu/packages/patches/dbus-CVE-2020-12049.patch58
1 files changed, 58 insertions, 0 deletions
diff --git a/gnu/packages/patches/dbus-CVE-2020-12049.patch b/gnu/packages/patches/dbus-CVE-2020-12049.patch
new file mode 100644
index 0000000000..71280144a1
--- /dev/null
+++ b/gnu/packages/patches/dbus-CVE-2020-12049.patch
@@ -0,0 +1,58 @@
+Fix CVE-2020-12049:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12049
+https://lists.freedesktop.org/archives/ftp-release/2020-June/000753.html
+
+Taken from upstream:
+
+https://gitlab.freedesktop.org/dbus/dbus/-/commit/272d484283883fa9ff95b69d924fff6cd34842f5
+
+diff --git a/dbus/dbus-sysdeps-unix.c b/dbus/dbus-sysdeps-unix.c
+--- a/dbus/dbus-sysdeps-unix.c
++++ b/dbus/dbus-sysdeps-unix.c
+@@ -435,18 +435,6 @@ _dbus_read_socket_with_unix_fds (DBusSocket        fd,
+       struct cmsghdr *cm;
+       dbus_bool_t found = FALSE;
+ 
+-      if (m.msg_flags & MSG_CTRUNC)
+-        {
+-          /* Hmm, apparently the control data was truncated. The bad
+-             thing is that we might have completely lost a couple of fds
+-             without chance to recover them. Hence let's treat this as a
+-             serious error. */
+-
+-          errno = ENOSPC;
+-          _dbus_string_set_length (buffer, start);
+-          return -1;
+-        }
+-
+       for (cm = CMSG_FIRSTHDR(&m); cm; cm = CMSG_NXTHDR(&m, cm))
+         if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_RIGHTS)
+           {
+@@ -501,6 +489,26 @@ _dbus_read_socket_with_unix_fds (DBusSocket        fd,
+       if (!found)
+         *n_fds = 0;
+ 
++      if (m.msg_flags & MSG_CTRUNC)
++        {
++          unsigned int i;
++
++          /* Hmm, apparently the control data was truncated. The bad
++             thing is that we might have completely lost a couple of fds
++             without chance to recover them. Hence let's treat this as a
++             serious error. */
++
++          /* We still need to close whatever fds we *did* receive,
++           * otherwise they'll never get closed. (CVE-2020-12049) */
++          for (i = 0; i < *n_fds; i++)
++            close (fds[i]);
++
++          *n_fds = 0;
++          errno = ENOSPC;
++          _dbus_string_set_length (buffer, start);
++          return -1;
++        }
++
+       /* put length back (doesn't actually realloc) */
+       _dbus_string_set_length (buffer, start + bytes_read);
+