From 9a46e0dd843a2f4c832f74e9a503e7200c934eb7 Mon Sep 17 00:00:00 2001 From: Marius Bakke Date: Tue, 2 Jun 2020 23:40:19 +0200 Subject: [PATCH] gnu: dbus: Fix CVE-2020-12049. * gnu/packages/patches/dbus-CVE-2020-12049.patch: New file. * gnu/local.mk (dist_patch_DATA): Adjust accordingly. * gnu/packages/glib.scm (dbus/fixed): New variable. (dbus)[replacement]: New field. --- gnu/local.mk | 1 + gnu/packages/glib.scm | 10 ++++ .../patches/dbus-CVE-2020-12049.patch | 58 +++++++++++++++++++ 3 files changed, 69 insertions(+) create mode 100644 gnu/packages/patches/dbus-CVE-2020-12049.patch diff --git a/gnu/local.mk b/gnu/local.mk index 4a8a855502..babcb8f6ad 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -855,6 +855,7 @@ dist_patch_DATA = \ %D%/packages/patches/datefudge-gettimeofday.patch \ %D%/packages/patches/dbacl-include-locale.h.patch \ %D%/packages/patches/dbus-helper-search-path.patch \ + %D%/packages/patches/dbus-CVE-2020-12049.patch \ %D%/packages/patches/dbus-c++-gcc-compat.patch \ %D%/packages/patches/dbus-c++-threading-mutex.patch \ %D%/packages/patches/dconf-meson-0.52.patch \ diff --git a/gnu/packages/glib.scm b/gnu/packages/glib.scm index 12ba6e939b..94dc6adf6f 100644 --- a/gnu/packages/glib.scm +++ b/gnu/packages/glib.scm @@ -88,6 +88,7 @@ (define dbus (package (name "dbus") (version "1.12.16") + (replacement dbus/fixed) (source (origin (method url-fetch) (uri (string-append @@ -164,6 +165,15 @@ (define dbus shared NFS home directories.") (license license:gpl2+))) ; or Academic Free License 2.1 +;; Replacement package to fix CVE-2020-12049. +(define dbus/fixed + (package + (inherit dbus) + (source (origin + (inherit (package-source dbus)) + (patches (append (search-patches "dbus-CVE-2020-12049.patch") + (origin-patches (package-source dbus)))))))) + (define glib (package (name "glib") diff --git a/gnu/packages/patches/dbus-CVE-2020-12049.patch b/gnu/packages/patches/dbus-CVE-2020-12049.patch new file mode 100644 index 0000000000..71280144a1 --- /dev/null +++ b/gnu/packages/patches/dbus-CVE-2020-12049.patch @@ -0,0 +1,58 @@ +Fix CVE-2020-12049: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12049 +https://lists.freedesktop.org/archives/ftp-release/2020-June/000753.html + +Taken from upstream: + +https://gitlab.freedesktop.org/dbus/dbus/-/commit/272d484283883fa9ff95b69d924fff6cd34842f5 + +diff --git a/dbus/dbus-sysdeps-unix.c b/dbus/dbus-sysdeps-unix.c +--- a/dbus/dbus-sysdeps-unix.c ++++ b/dbus/dbus-sysdeps-unix.c +@@ -435,18 +435,6 @@ _dbus_read_socket_with_unix_fds (DBusSocket fd, + struct cmsghdr *cm; + dbus_bool_t found = FALSE; + +- if (m.msg_flags & MSG_CTRUNC) +- { +- /* Hmm, apparently the control data was truncated. The bad +- thing is that we might have completely lost a couple of fds +- without chance to recover them. Hence let's treat this as a +- serious error. */ +- +- errno = ENOSPC; +- _dbus_string_set_length (buffer, start); +- return -1; +- } +- + for (cm = CMSG_FIRSTHDR(&m); cm; cm = CMSG_NXTHDR(&m, cm)) + if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_RIGHTS) + { +@@ -501,6 +489,26 @@ _dbus_read_socket_with_unix_fds (DBusSocket fd, + if (!found) + *n_fds = 0; + ++ if (m.msg_flags & MSG_CTRUNC) ++ { ++ unsigned int i; ++ ++ /* Hmm, apparently the control data was truncated. The bad ++ thing is that we might have completely lost a couple of fds ++ without chance to recover them. Hence let's treat this as a ++ serious error. */ ++ ++ /* We still need to close whatever fds we *did* receive, ++ * otherwise they'll never get closed. (CVE-2020-12049) */ ++ for (i = 0; i < *n_fds; i++) ++ close (fds[i]); ++ ++ *n_fds = 0; ++ errno = ENOSPC; ++ _dbus_string_set_length (buffer, start); ++ return -1; ++ } ++ + /* put length back (doesn't actually realloc) */ + _dbus_string_set_length (buffer, start + bytes_read); +