diff options
author | Xiangyu Chen <xiangyu.chen@eng.windriver.com> | 2022-11-28 09:54:56 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-12-07 15:02:45 +0000 |
commit | 4744f7895e726d3750061f9af999036359bac184 (patch) | |
tree | f527c1c85020a7dbc85e6b68719147b9a0be5b4b | |
parent | c2419998808b032a91f0358c6f043d7321a6acf9 (diff) | |
download | poky-4744f7895e726d3750061f9af999036359bac184.tar.gz |
dbus: upgrade 1.14.0 -> 1.14.4
License-Update: D-Bus changed to dbus.
1.14.4 has contians following CVEs, removing local patches:
CVE-2022-42012: 0001-dbus-marshal-byteswap-Byte-swap-Unix-fd-indexes-if-n.patch
[https://github.com/freedesktop/dbus/commit/3fb065b0752db1e298e4ada52cf4adc414f5e946]
CVE-2022-42011: 0001-dbus-marshal-validate-Validate-length-of-arrays-of-f.patch
[https://github.com/freedesktop/dbus/commit/b9e6a7523085a2cfceaffca7ba1ab4251f12a984]
CVE-2022-42010: 0001-dbus-marshal-validate-Check-brackets-in-signature-ne.patch
[https://github.com/freedesktop/dbus/commit/3e53a785dee8d1432156188a2c4260e4cbc78c4d]
(From OE-Core rev: 300216ca357ae58fbe52e49c76832b66f15c6c13)
Signed-off-by: Xiangyu Chen <xiangyu.chen@eng.windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-core/dbus/dbus/0001-dbus-marshal-byteswap-Byte-swap-Unix-fd-indexes-if-n.patch | 76 | ||||
-rw-r--r-- | meta/recipes-core/dbus/dbus/0001-dbus-marshal-validate-Check-brackets-in-signature-ne.patch | 119 | ||||
-rw-r--r-- | meta/recipes-core/dbus/dbus/0001-dbus-marshal-validate-Validate-length-of-arrays-of-f.patch | 61 | ||||
-rw-r--r-- | meta/recipes-core/dbus/dbus_1.14.4.bb (renamed from meta/recipes-core/dbus/dbus_1.14.0.bb) | 10 |
4 files changed, 4 insertions, 262 deletions
diff --git a/meta/recipes-core/dbus/dbus/0001-dbus-marshal-byteswap-Byte-swap-Unix-fd-indexes-if-n.patch b/meta/recipes-core/dbus/dbus/0001-dbus-marshal-byteswap-Byte-swap-Unix-fd-indexes-if-n.patch deleted file mode 100644 index 47f4f1e0d3..0000000000 --- a/meta/recipes-core/dbus/dbus/0001-dbus-marshal-byteswap-Byte-swap-Unix-fd-indexes-if-n.patch +++ /dev/null | |||
@@ -1,76 +0,0 @@ | |||
1 | From 3fb065b0752db1e298e4ada52cf4adc414f5e946 Mon Sep 17 00:00:00 2001 | ||
2 | From: Simon McVittie <smcv@collabora.com> | ||
3 | Date: Fri, 30 Sep 2022 13:46:31 +0100 | ||
4 | Subject: [PATCH] dbus-marshal-byteswap: Byte-swap Unix fd indexes if needed | ||
5 | |||
6 | When a D-Bus message includes attached file descriptors, the body of the | ||
7 | message contains unsigned 32-bit indexes pointing into an out-of-band | ||
8 | array of file descriptors. Some D-Bus APIs like GLib's GDBus refer to | ||
9 | these indexes as "handles" for the associated fds (not to be confused | ||
10 | with a Windows HANDLE, which is a kernel object). | ||
11 | |||
12 | The assertion message removed by this commit is arguably correct up to | ||
13 | a point: fd-passing is only reasonable on a local machine, and no known | ||
14 | operating system allows processes of differing endianness even on a | ||
15 | multi-endian ARM or PowerPC CPU, so it makes little sense for the sender | ||
16 | to specify a byte-order that differs from the byte-order of the recipient. | ||
17 | |||
18 | However, this doesn't account for the fact that a malicious sender | ||
19 | doesn't have to restrict itself to only doing things that make sense. | ||
20 | On a system with untrusted local users, a message sender could crash | ||
21 | the system dbus-daemon (a denial of service) by sending a message in | ||
22 | the opposite endianness that contains handles to file descriptors. | ||
23 | |||
24 | Before this commit, if assertions are enabled, attempting to byteswap | ||
25 | a fd index would cleanly crash the message recipient with an assertion | ||
26 | failure. If assertions are disabled, attempting to byteswap a fd index | ||
27 | would silently do nothing without advancing the pointer p, causing the | ||
28 | message's type and the pointer into its contents to go out of sync, which | ||
29 | can result in a subsequent crash (the crash demonstrated by fuzzing was | ||
30 | a use-after-free, but other failure modes might be possible). | ||
31 | |||
32 | In principle we could resolve this by rejecting wrong-endianness messages | ||
33 | from a local sender, but it's actually simpler and less code to treat | ||
34 | wrong-endianness messages as valid and byteswap them. | ||
35 | |||
36 | Thanks: Evgeny Vereshchagin | ||
37 | Fixes: ba7daa60 "unix-fd: add basic marshalling code for unix fds" | ||
38 | Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/417 | ||
39 | Resolves: CVE-2022-42012 | ||
40 | |||
41 | Upstream-Status: Backport from [https://gitlab.freedesktop.org/dbus/dbus/-/commit/3fb065b0752db1e298e4ada52cf4adc414f5e946] | ||
42 | |||
43 | Signed-off-by: Simon McVittie <smcv@collabora.com> | ||
44 | (cherry picked from commit 236f16e444e88a984cf12b09225e0f8efa6c5b44) | ||
45 | Signed-off-by: Xiangyu Chen <xiangyu.chen@eng.windriver.com> | ||
46 | --- | ||
47 | dbus/dbus-marshal-byteswap.c | 6 +----- | ||
48 | 1 file changed, 1 insertion(+), 5 deletions(-) | ||
49 | |||
50 | diff --git a/dbus/dbus-marshal-byteswap.c b/dbus/dbus-marshal-byteswap.c | ||
51 | index 27695aaf..7104e9c6 100644 | ||
52 | --- a/dbus/dbus-marshal-byteswap.c | ||
53 | +++ b/dbus/dbus-marshal-byteswap.c | ||
54 | @@ -61,6 +61,7 @@ byteswap_body_helper (DBusTypeReader *reader, | ||
55 | case DBUS_TYPE_BOOLEAN: | ||
56 | case DBUS_TYPE_INT32: | ||
57 | case DBUS_TYPE_UINT32: | ||
58 | + case DBUS_TYPE_UNIX_FD: | ||
59 | { | ||
60 | p = _DBUS_ALIGN_ADDRESS (p, 4); | ||
61 | *((dbus_uint32_t*)p) = DBUS_UINT32_SWAP_LE_BE (*((dbus_uint32_t*)p)); | ||
62 | @@ -188,11 +189,6 @@ byteswap_body_helper (DBusTypeReader *reader, | ||
63 | } | ||
64 | break; | ||
65 | |||
66 | - case DBUS_TYPE_UNIX_FD: | ||
67 | - /* fds can only be passed on a local machine, so byte order must always match */ | ||
68 | - _dbus_assert_not_reached("attempted to byteswap unix fds which makes no sense"); | ||
69 | - break; | ||
70 | - | ||
71 | default: | ||
72 | _dbus_assert_not_reached ("invalid typecode in supposedly-validated signature"); | ||
73 | break; | ||
74 | -- | ||
75 | 2.34.1 | ||
76 | |||
diff --git a/meta/recipes-core/dbus/dbus/0001-dbus-marshal-validate-Check-brackets-in-signature-ne.patch b/meta/recipes-core/dbus/dbus/0001-dbus-marshal-validate-Check-brackets-in-signature-ne.patch deleted file mode 100644 index f2e14fb8d5..0000000000 --- a/meta/recipes-core/dbus/dbus/0001-dbus-marshal-validate-Check-brackets-in-signature-ne.patch +++ /dev/null | |||
@@ -1,119 +0,0 @@ | |||
1 | From 3e53a785dee8d1432156188a2c4260e4cbc78c4d Mon Sep 17 00:00:00 2001 | ||
2 | From: Simon McVittie <smcv@collabora.com> | ||
3 | Date: Tue, 13 Sep 2022 15:10:22 +0100 | ||
4 | Subject: [PATCH] dbus-marshal-validate: Check brackets in signature nest | ||
5 | correctly | ||
6 | |||
7 | In debug builds with assertions enabled, a signature with incorrectly | ||
8 | nested `()` and `{}`, for example `a{i(u}` or `(a{ii)}`, could result | ||
9 | in an assertion failure. | ||
10 | |||
11 | In production builds without assertions enabled, a signature with | ||
12 | incorrectly nested `()` and `{}` could potentially result in a crash | ||
13 | or incorrect message parsing, although we do not have a concrete example | ||
14 | of either of these failure modes. | ||
15 | |||
16 | Thanks: Evgeny Vereshchagin | ||
17 | Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/418 | ||
18 | Resolves: CVE-2022-42010 | ||
19 | |||
20 | Upstream-Status: Backport [https://gitlab.freedesktop.org/dbus/dbus/-/commit/3e53a785dee8d1432156188a2c4260e4cbc78c4d] | ||
21 | |||
22 | Signed-off-by: Simon McVittie <smcv@collabora.com> | ||
23 | (cherry picked from commit 9d07424e9011e3bbe535e83043d335f3093d2916) | ||
24 | Signed-off-by: Xiangyu Chen <xiangyu.chen@eng.windriver.com> | ||
25 | --- | ||
26 | dbus/dbus-marshal-validate.c | 38 +++++++++++++++++++++++++++++++++++- | ||
27 | 1 file changed, 37 insertions(+), 1 deletion(-) | ||
28 | |||
29 | diff --git a/dbus/dbus-marshal-validate.c b/dbus/dbus-marshal-validate.c | ||
30 | index 4d492f3f..ae68414d 100644 | ||
31 | --- a/dbus/dbus-marshal-validate.c | ||
32 | +++ b/dbus/dbus-marshal-validate.c | ||
33 | @@ -62,6 +62,8 @@ _dbus_validate_signature_with_reason (const DBusString *type_str, | ||
34 | |||
35 | int element_count; | ||
36 | DBusList *element_count_stack; | ||
37 | + char opened_brackets[DBUS_MAXIMUM_TYPE_RECURSION_DEPTH * 2 + 1] = { '\0' }; | ||
38 | + char last_bracket; | ||
39 | |||
40 | result = DBUS_VALID; | ||
41 | element_count_stack = NULL; | ||
42 | @@ -93,6 +95,10 @@ _dbus_validate_signature_with_reason (const DBusString *type_str, | ||
43 | |||
44 | while (p != end) | ||
45 | { | ||
46 | + _dbus_assert (struct_depth + dict_entry_depth >= 0); | ||
47 | + _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets)); | ||
48 | + _dbus_assert (opened_brackets[struct_depth + dict_entry_depth] == '\0'); | ||
49 | + | ||
50 | switch (*p) | ||
51 | { | ||
52 | case DBUS_TYPE_BYTE: | ||
53 | @@ -136,6 +142,10 @@ _dbus_validate_signature_with_reason (const DBusString *type_str, | ||
54 | goto out; | ||
55 | } | ||
56 | |||
57 | + _dbus_assert (struct_depth + dict_entry_depth >= 1); | ||
58 | + _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets)); | ||
59 | + _dbus_assert (opened_brackets[struct_depth + dict_entry_depth - 1] == '\0'); | ||
60 | + opened_brackets[struct_depth + dict_entry_depth - 1] = DBUS_STRUCT_BEGIN_CHAR; | ||
61 | break; | ||
62 | |||
63 | case DBUS_STRUCT_END_CHAR: | ||
64 | @@ -151,9 +161,20 @@ _dbus_validate_signature_with_reason (const DBusString *type_str, | ||
65 | goto out; | ||
66 | } | ||
67 | |||
68 | + _dbus_assert (struct_depth + dict_entry_depth >= 1); | ||
69 | + _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets)); | ||
70 | + last_bracket = opened_brackets[struct_depth + dict_entry_depth - 1]; | ||
71 | + | ||
72 | + if (last_bracket != DBUS_STRUCT_BEGIN_CHAR) | ||
73 | + { | ||
74 | + result = DBUS_INVALID_STRUCT_ENDED_BUT_NOT_STARTED; | ||
75 | + goto out; | ||
76 | + } | ||
77 | + | ||
78 | _dbus_list_pop_last (&element_count_stack); | ||
79 | |||
80 | struct_depth -= 1; | ||
81 | + opened_brackets[struct_depth + dict_entry_depth] = '\0'; | ||
82 | break; | ||
83 | |||
84 | case DBUS_DICT_ENTRY_BEGIN_CHAR: | ||
85 | @@ -178,6 +199,10 @@ _dbus_validate_signature_with_reason (const DBusString *type_str, | ||
86 | goto out; | ||
87 | } | ||
88 | |||
89 | + _dbus_assert (struct_depth + dict_entry_depth >= 1); | ||
90 | + _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets)); | ||
91 | + _dbus_assert (opened_brackets[struct_depth + dict_entry_depth - 1] == '\0'); | ||
92 | + opened_brackets[struct_depth + dict_entry_depth - 1] = DBUS_DICT_ENTRY_BEGIN_CHAR; | ||
93 | break; | ||
94 | |||
95 | case DBUS_DICT_ENTRY_END_CHAR: | ||
96 | @@ -186,8 +211,19 @@ _dbus_validate_signature_with_reason (const DBusString *type_str, | ||
97 | result = DBUS_INVALID_DICT_ENTRY_ENDED_BUT_NOT_STARTED; | ||
98 | goto out; | ||
99 | } | ||
100 | - | ||
101 | + | ||
102 | + _dbus_assert (struct_depth + dict_entry_depth >= 1); | ||
103 | + _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets)); | ||
104 | + last_bracket = opened_brackets[struct_depth + dict_entry_depth - 1]; | ||
105 | + | ||
106 | + if (last_bracket != DBUS_DICT_ENTRY_BEGIN_CHAR) | ||
107 | + { | ||
108 | + result = DBUS_INVALID_DICT_ENTRY_ENDED_BUT_NOT_STARTED; | ||
109 | + goto out; | ||
110 | + } | ||
111 | + | ||
112 | dict_entry_depth -= 1; | ||
113 | + opened_brackets[struct_depth + dict_entry_depth] = '\0'; | ||
114 | |||
115 | element_count = | ||
116 | _DBUS_POINTER_TO_INT (_dbus_list_pop_last (&element_count_stack)); | ||
117 | -- | ||
118 | 2.34.1 | ||
119 | |||
diff --git a/meta/recipes-core/dbus/dbus/0001-dbus-marshal-validate-Validate-length-of-arrays-of-f.patch b/meta/recipes-core/dbus/dbus/0001-dbus-marshal-validate-Validate-length-of-arrays-of-f.patch deleted file mode 100644 index f953326f78..0000000000 --- a/meta/recipes-core/dbus/dbus/0001-dbus-marshal-validate-Validate-length-of-arrays-of-f.patch +++ /dev/null | |||
@@ -1,61 +0,0 @@ | |||
1 | From b9e6a7523085a2cfceaffca7ba1ab4251f12a984 Mon Sep 17 00:00:00 2001 | ||
2 | From: Simon McVittie <smcv@collabora.com> | ||
3 | Date: Mon, 12 Sep 2022 13:14:18 +0100 | ||
4 | Subject: [PATCH] dbus-marshal-validate: Validate length of arrays of | ||
5 | fixed-length items | ||
6 | |||
7 | This fast-path previously did not check that the array was made up | ||
8 | of an integer number of items. This could lead to assertion failures | ||
9 | and out-of-bounds accesses during subsequent message processing (which | ||
10 | assumes that the message has already been validated), particularly after | ||
11 | the addition of _dbus_header_remove_unknown_fields(), which makes it | ||
12 | more likely that dbus-daemon will apply non-trivial edits to messages. | ||
13 | |||
14 | Thanks: Evgeny Vereshchagin | ||
15 | Fixes: e61f13cf "Bug 18064 - more efficient validation for fixed-size type arrays" | ||
16 | Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/413 | ||
17 | Resolves: CVE-2022-42011 | ||
18 | |||
19 | Upstream-Status: Backport from | ||
20 | [https://gitlab.freedesktop.org/dbus/dbus/-/commit/b9e6a7523085a2cfceaffca7ba1ab4251f12a984] | ||
21 | |||
22 | Signed-off-by: Simon McVittie <smcv@collabora.com> | ||
23 | (cherry picked from commit 079bbf16186e87fb0157adf8951f19864bc2ed69) | ||
24 | Signed-off-by: Xiangyu Chen <xiangyu.chen@eng.windriver.com> | ||
25 | --- | ||
26 | dbus/dbus-marshal-validate.c | 13 ++++++++++++- | ||
27 | 1 file changed, 12 insertions(+), 1 deletion(-) | ||
28 | |||
29 | diff --git a/dbus/dbus-marshal-validate.c b/dbus/dbus-marshal-validate.c | ||
30 | index ae68414d..7d0d6cf7 100644 | ||
31 | --- a/dbus/dbus-marshal-validate.c | ||
32 | +++ b/dbus/dbus-marshal-validate.c | ||
33 | @@ -503,13 +503,24 @@ validate_body_helper (DBusTypeReader *reader, | ||
34 | */ | ||
35 | if (dbus_type_is_fixed (array_elem_type)) | ||
36 | { | ||
37 | + /* Note that fixed-size types all have sizes equal to | ||
38 | + * their alignments, so this is really the item size. */ | ||
39 | + alignment = _dbus_type_get_alignment (array_elem_type); | ||
40 | + _dbus_assert (alignment == 1 || alignment == 2 || | ||
41 | + alignment == 4 || alignment == 8); | ||
42 | + | ||
43 | + /* Because the alignment is a power of 2, this is | ||
44 | + * equivalent to: (claimed_len % alignment) != 0, | ||
45 | + * but avoids slower integer division */ | ||
46 | + if ((claimed_len & (alignment - 1)) != 0) | ||
47 | + return DBUS_INVALID_ARRAY_LENGTH_INCORRECT; | ||
48 | + | ||
49 | /* bools need to be handled differently, because they can | ||
50 | * have an invalid value | ||
51 | */ | ||
52 | if (array_elem_type == DBUS_TYPE_BOOLEAN) | ||
53 | { | ||
54 | dbus_uint32_t v; | ||
55 | - alignment = _dbus_type_get_alignment (array_elem_type); | ||
56 | |||
57 | while (p < array_end) | ||
58 | { | ||
59 | -- | ||
60 | 2.34.1 | ||
61 | |||
diff --git a/meta/recipes-core/dbus/dbus_1.14.0.bb b/meta/recipes-core/dbus/dbus_1.14.4.bb index 484629e987..9684f0c6e2 100644 --- a/meta/recipes-core/dbus/dbus_1.14.0.bb +++ b/meta/recipes-core/dbus/dbus_1.14.4.bb | |||
@@ -6,19 +6,17 @@ SECTION = "base" | |||
6 | inherit autotools pkgconfig gettext upstream-version-is-even ptest-gnome | 6 | inherit autotools pkgconfig gettext upstream-version-is-even ptest-gnome |
7 | 7 | ||
8 | LICENSE = "AFL-2.1 | GPL-2.0-or-later" | 8 | LICENSE = "AFL-2.1 | GPL-2.0-or-later" |
9 | LIC_FILES_CHKSUM = "file://COPYING;md5=10dded3b58148f3f1fd804b26354af3e \ | 9 | LIC_FILES_CHKSUM = "file://COPYING;md5=6423dcd74d7be9715b0db247fd889da3 \ |
10 | file://dbus/dbus.h;beginline=6;endline=20;md5=866739837ccd835350af94dccd6457d8" | 10 | file://dbus/dbus.h;beginline=6;endline=20;md5=866739837ccd835350af94dccd6457d8 \ |
11 | " | ||
11 | 12 | ||
12 | SRC_URI = "https://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.xz \ | 13 | SRC_URI = "https://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.xz \ |
13 | file://run-ptest \ | 14 | file://run-ptest \ |
14 | file://tmpdir.patch \ | 15 | file://tmpdir.patch \ |
15 | file://dbus-1.init \ | 16 | file://dbus-1.init \ |
16 | file://0001-dbus-marshal-validate-Check-brackets-in-signature-ne.patch \ | ||
17 | file://0001-dbus-marshal-validate-Validate-length-of-arrays-of-f.patch \ | ||
18 | file://0001-dbus-marshal-byteswap-Byte-swap-Unix-fd-indexes-if-n.patch \ | ||
19 | " | 17 | " |
20 | 18 | ||
21 | SRC_URI[sha256sum] = "ccd7cce37596e0a19558fd6648d1272ab43f011d80c8635aea8fd0bad58aebd4" | 19 | SRC_URI[sha256sum] = "7c0f9b8e5ec0ff2479383e62c0084a3a29af99edf1514e9f659b81b30d4e353e" |
22 | 20 | ||
23 | EXTRA_OECONF = "--disable-xml-docs \ | 21 | EXTRA_OECONF = "--disable-xml-docs \ |
24 | --disable-doxygen-docs \ | 22 | --disable-doxygen-docs \ |