gnu: dbus: Fix CVE-2020-12049.

* gnu/packages/patches/dbus-CVE-2020-12049.patch: New file. * gnu/local.mk (dist_patch_DATA): Adjust accordingly. * gnu/packages/glib.scm (dbus/fixed): New variable. (dbus)[replacement]: New field.
2020-06-02 23:40:19 +02:00 · 2020-06-02 23:40:19 +02:00 · 9a46e0dd84
parent 395659d86d
commit 9a46e0dd84
3 changed files with 69 additions and 0 deletions
--- a/gnu/local.mk
+++ b/gnu/local.mk
@ -855,6 +855,7 @@ dist_patch_DATA =						\
  %D%/packages/patches/datefudge-gettimeofday.patch		\
  %D%/packages/patches/dbacl-include-locale.h.patch		\
  %D%/packages/patches/dbus-helper-search-path.patch		\
  %D%/packages/patches/dbus-CVE-2020-12049.patch		\
  %D%/packages/patches/dbus-c++-gcc-compat.patch		\
  %D%/packages/patches/dbus-c++-threading-mutex.patch		\
  %D%/packages/patches/dconf-meson-0.52.patch			\
--- a/gnu/packages/glib.scm
+++ b/gnu/packages/glib.scm
@ -88,6 +88,7 @@
  (package
    (name "dbus")
    (version "1.12.16")
    (replacement dbus/fixed)
    (source (origin
              (method url-fetch)
              (uri (string-append
@ -164,6 +165,15 @@ or through unencrypted TCP/IP suitable for use behind a firewall with
 shared NFS home directories.")
    (license license:gpl2+)))                     ; or Academic Free License 2.1
 ;; Replacement package to fix CVE-2020-12049.
 (define dbus/fixed
  (package
    (inherit dbus)
    (source (origin
              (inherit (package-source dbus))
              (patches (append (search-patches "dbus-CVE-2020-12049.patch")
                               (origin-patches (package-source dbus))))))))
 (define glib
  (package
   (name "glib")
--- a/gnu/packages/patches/dbus-CVE-2020-12049.patch
+++ b/gnu/packages/patches/dbus-CVE-2020-12049.patch
@ -0,0 +1,58 @@
 Fix CVE-2020-12049:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12049
 https://lists.freedesktop.org/archives/ftp-release/2020-June/000753.html
 Taken from upstream:
 https://gitlab.freedesktop.org/dbus/dbus/-/commit/272d484283883fa9ff95b69d924fff6cd34842f5
 diff --git a/dbus/dbus-sysdeps-unix.c b/dbus/dbus-sysdeps-unix.c
 --- a/dbus/dbus-sysdeps-unix.c
 +++ b/dbus/dbus-sysdeps-unix.c
@@ -435,18 +435,6 @@ _dbus_read_socket_with_unix_fds (DBusSocket        fd,
       struct cmsghdr *cm;
       dbus_bool_t found = FALSE;
 -      if (m.msg_flags & MSG_CTRUNC)
 -        {
 -          /* Hmm, apparently the control data was truncated. The bad
 -             thing is that we might have completely lost a couple of fds
 -             without chance to recover them. Hence let's treat this as a
 -             serious error. */
 -
 -          errno = ENOSPC;
 -          _dbus_string_set_length (buffer, start);
 -          return -1;
 -        }
 -
       for (cm = CMSG_FIRSTHDR(&m); cm; cm = CMSG_NXTHDR(&m, cm))
         if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_RIGHTS)
           {
@@ -501,6 +489,26 @@ _dbus_read_socket_with_unix_fds (DBusSocket        fd,
       if (!found)
         *n_fds = 0;
 +      if (m.msg_flags & MSG_CTRUNC)
 +        {
 +          unsigned int i;
 +
 +          /* Hmm, apparently the control data was truncated. The bad
 +             thing is that we might have completely lost a couple of fds
 +             without chance to recover them. Hence let's treat this as a
 +             serious error. */
 +
 +          /* We still need to close whatever fds we *did* receive,
 +           * otherwise they'll never get closed. (CVE-2020-12049) */
 +          for (i = 0; i < *n_fds; i++)
 +            close (fds[i]);
 +
 +          *n_fds = 0;
 +          errno = ENOSPC;
 +          _dbus_string_set_length (buffer, start);
 +          return -1;
 +        }
 +
       /* put length back (doesn't actually realloc) */
       _dbus_string_set_length (buffer, start + bytes_read);