Bug#962068: stretch-pu: package dbus/1.10.30-0+deb9u1
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
dbus 1.10.30 fixes a local denial of service vulnerability for which
the Security Team have indicated they do not intend to issue a DSA
(the same one as 1.12.18).
If possible I would like to continue to fix dbus issues in stretch via
new upstream releases; this one only contains the CVE fix, plus its
regression test and the usual Autotools noise.
Proposed diff (modulo `dch -r`) attached, filtered through:
# Diff the stretch packaging branch against HEAD, then strip the regenerated
# Autotools artefacts so only hand-written changes are left for review.
git diff --stat -p origin/debian/stretch..HEAD \
  | filterdiff -p1 \
      --exclude=Makefile.in \
      --exclude='**/Makefile.in' \
      --exclude=aclocal.m4 \
      --exclude=aminclude_static.am \
      --exclude=build-aux/compile \
      --exclude=build-aux/depcomp \
      --exclude=build-aux/install-sh \
      --exclude=build-aux/ltmain.sh \
      --exclude=build-aux/missing \
      --exclude=build-aux/tap-driver.sh \
      --exclude=configure \
      --exclude=m4/libtool.m4
Thanks,
smcv
Makefile.in | 39 ++++++++++++++++++++--------------
NEWS | 33 +++++++++++++++++++++++++++++
aclocal.m4 | 52 ++++++++++++++++++++++++----------------------
build-aux/compile | 6 +++---
build-aux/depcomp | 2 +-
build-aux/install-sh | 13 +++++++++++-
build-aux/ltmain.sh | 10 +++++----
build-aux/missing | 2 +-
build-aux/tap-driver.sh | 2 +-
bus/Makefile.in | 4 ++--
bus/connection.c | 7 ++++---
configure | 36 +++++++++++++++++---------------
configure.ac | 4 ++--
dbus/Makefile.in | 4 ++--
dbus/dbus-sysdeps-unix.c | 32 +++++++++++++++++-----------
debian/changelog | 8 +++++++
doc/Makefile.in | 4 ++--
m4/libtool.m4 | 6 +++---
test/Makefile.in | 4 ++--
test/fdpass.c | 14 +++++++++++++
test/name-test/Makefile.in | 4 ++--
tools/Makefile.in | 4 ++--
22 files changed, 189 insertions(+), 101 deletions(-)
diff --git a/NEWS b/NEWS
index 46652396..9b33a786 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,36 @@
+dbus 1.10.x end-of-life plans
+==
+
+The dbus 1.10.x branch was originally released in 2015. It currently
+receives security-fix releases whenever necessary, but it is planned to
+reach end-of-life status at the end of Debian 9's official security
+support (approximately July 2020). If you are a dbus downstream
+maintainer in a long-lived OS distribution and you want to use the
+upstream dbus-1.10 git branch as a place to share backported security
+fixes with other distributions, please contact the dbus maintainers via
+the dbus-security mailing list on lists.freedesktop.org.
+
+dbus 1.10.30 (2020-06-02)
+==
+
+The “centaur bus” release.
+
+Denial of service fixes:
+
+• CVE-2020-12049: If a message contains more file descriptors than can
+ be sent, close those that did get through before reporting error.
+ Previously, a local attacker could cause the system dbus-daemon (or
+ another system service with its own DBusServer) to run out of file
+ descriptors, by repeatedly connecting to the server and sending fds that
+ would get leaked.
+ Thanks to Kevin Backhouse of GitHub Security Lab.
+ (dbus#294, GHSL-2020-057; Simon McVittie)
+
+Other fixes:
+
+• Fix a crash when the dbus-daemon is terminated while one or more
+ monitors are active (dbus#291, dbus!140; Simon McVittie)
+
dbus 1.10.28 (2019-06-11)
==
diff --git a/bus/connection.c b/bus/connection.c
index 31ed6be7..05daa6a4 100644
--- a/bus/connection.c
+++ b/bus/connection.c
@@ -540,9 +540,6 @@ bus_connections_unref (BusConnections *connections)
_dbus_assert (connections->n_incomplete == 0);
- /* drop all monitors */
- _dbus_list_clear (&connections->monitors);
-
/* drop all real connections */
while (connections->completed != NULL)
{
@@ -558,6 +555,10 @@ bus_connections_unref (BusConnections *connections)
_dbus_assert (connections->n_completed == 0);
+ /* disconnecting all the connections should have emptied the list of
+ * monitors (each link is removed in bus_connection_disconnected) */
+ _dbus_assert (connections->monitors == NULL);
+
bus_expire_list_free (connections->pending_replies);
_dbus_loop_remove_timeout (bus_context_get_loop (connections->context),
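Review bot: The new `_dbus_assert (connections->monitors == NULL)` only enforces the invariant in builds where `_dbus_assert` is compiled in; with assertions disabled, a monitor link that bus_connection_disconnected failed to remove would now leak silently, because the unconditional `_dbus_list_clear` was dropped in the previous hunk. That is presumably the intended trade-off for dbus#291 (clearing the list first would free links that a BusConnection still references), but a one-line comment stating it would help the next reader: `/* no fallback clear here: a leftover link is still referenced by a BusConnection, see dbus#291 */`. bus_connections_unref starts and ends outside the hunk.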
diff --git a/configure.ac b/configure.ac
index 04ebae5f..ee3da6a9 100644
--- a/configure.ac
+++ b/configure.ac
@@ -3,7 +3,7 @@ AC_PREREQ([2.63])
m4_define([dbus_major_version], [1])
m4_define([dbus_minor_version], [10])
-m4_define([dbus_micro_version], [28])
+m4_define([dbus_micro_version], [30])
m4_define([dbus_version],
[dbus_major_version.dbus_minor_version.dbus_micro_version])
AC_INIT([dbus],[dbus_version],[https://bugs.freedesktop.org/enter_bug.cgi?product=dbus],[dbus])
@@ -38,7 +38,7 @@ LT_CURRENT=17
## increment any time the source changes; set to
## 0 if you increment CURRENT
-LT_REVISION=16
+LT_REVISION=17
## increment if any interfaces have been added; set to 0
## if any interfaces have been changed or removed. removal has
diff --git a/dbus/dbus-sysdeps-unix.c b/dbus/dbus-sysdeps-unix.c
index b7309712..6303dbc4 100644
--- a/dbus/dbus-sysdeps-unix.c
+++ b/dbus/dbus-sysdeps-unix.c
@@ -432,18 +432,6 @@ _dbus_read_socket_with_unix_fds (DBusSocket fd,
struct cmsghdr *cm;
dbus_bool_t found = FALSE;
- if (m.msg_flags & MSG_CTRUNC)
- {
- /* Hmm, apparently the control data was truncated. The bad
- thing is that we might have completely lost a couple of fds
- without chance to recover them. Hence let's treat this as a
- serious error. */
-
- errno = ENOSPC;
- _dbus_string_set_length (buffer, start);
- return -1;
- }
-
for (cm = CMSG_FIRSTHDR(&m); cm; cm = CMSG_NXTHDR(&m, cm))
if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_RIGHTS)
{
@@ -498,6 +486,26 @@ _dbus_read_socket_with_unix_fds (DBusSocket fd,
if (!found)
*n_fds = 0;
+ if (m.msg_flags & MSG_CTRUNC)
+ {
+ int i;
+
+ /* Hmm, apparently the control data was truncated. The bad
+ thing is that we might have completely lost a couple of fds
+ without chance to recover them. Hence let's treat this as a
+ serious error. */
+
+ /* We still need to close whatever fds we *did* receive,
+ * otherwise they'll never get closed. (CVE-2020-12049) */
+ for (i = 0; i < *n_fds; i++)
+ close (fds[i]);
+
+ *n_fds = 0;
+ errno = ENOSPC;
+ _dbus_string_set_length (buffer, start);
+ return -1;
+ }
+
/* put length back (doesn't actually realloc) */
_dbus_string_set_length (buffer, start + bytes_read);
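Review bot: Moving the MSG_CTRUNC check after the SCM_RIGHTS loop closes the fds that were copied into `fds`, but any early `return -1` inside that loop (not visible in this hunk) would still leave descriptors already installed by recvmsg unclosed; worth confirming no such path exists, or hoisting the close loop into a shared error exit. The return value of `close (fds[i])` is ignored and errno is then overwritten with ENOSPC, which is reasonable but deserves a comment, e.g. `/* close() failures are ignored here; errno is set to ENOSPC below */`. _dbus_read_socket_with_unix_fds starts and ends outside the hunk.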
diff --git a/debian/changelog b/debian/changelog
index 2b8cdecb..d1420e1e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+dbus (1.10.30-0+deb9u1~1) UNRELEASED; urgency=medium
+
+ * New upstream stable release
+ - CVE-2020-12049: Prevent a denial of service attack in which a local
+ user can make the system dbus-daemon run out of file descriptors
+
+ -- Simon McVittie <smcv@debian.org> Tue, 02 Jun 2020 17:02:37 +0100
+
dbus (1.10.28-0+deb9u1) stretch-security; urgency=medium
* New upstream stable release
diff --git a/test/fdpass.c b/test/fdpass.c
index 665b4a12..d8d9c670 100644
--- a/test/fdpass.c
+++ b/test/fdpass.c
@@ -50,6 +50,14 @@
#include "test-utils-glib.h"
+#ifdef DBUS_ENABLE_EMBEDDED_TESTS
+#include <dbus/dbus-message-internal.h>
+#else
+typedef struct _DBusInitialFDs DBusInitialFDs;
+#define _dbus_check_fdleaks_enter() NULL
+#define _dbus_check_fdleaks_leave(fds) do {} while (0)
+#endif
+
/* Arbitrary; included here to avoid relying on the default */
#define MAX_MESSAGE_UNIX_FDS 20
/* This test won't work on Linux unless this is true. */
@@ -91,6 +99,7 @@ typedef struct {
GQueue messages;
int fd_before;
+ DBusInitialFDs *initial_fds;
} Fixture;
static void oom (const gchar *doing) G_GNUC_NORETURN;
@@ -172,6 +181,8 @@ test_connect (Fixture *f,
{
char *address;
+ f->initial_fds = _dbus_check_fdleaks_enter ();
+
g_assert (f->left_server_conn == NULL);
g_assert (f->right_server_conn == NULL);
@@ -835,6 +846,9 @@ teardown (Fixture *f,
if (f->fd_before >= 0 && close (f->fd_before) < 0)
g_error ("%s", g_strerror (errno));
#endif
+
+ if (f->initial_fds != NULL)
+ _dbus_check_fdleaks_leave (f->initial_fds);
}
int
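Review bot: teardown reads `f->initial_fds`, which is only assigned in test_connect (the hunk at line 181 of the new file), so the `!= NULL` guard is correct only if the Fixture is zero-initialised before setup; I believe GLib's test framework does that, but the new `DBusInitialFDs *initial_fds;` field deserves a comment such as `/* NULL unless test_connect ran; relies on the fixture being zero-initialised */`. Note also that with the `#else` stubs in the first hunk `_dbus_check_fdleaks_leave` expands to nothing, so this regression test for CVE-2020-12049 only detects leaked fds when DBUS_ENABLE_EMBEDDED_TESTS is defined; a comment beside the stubs would make that coverage limit explicit.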