diff options
Diffstat (limited to 'meta/recipes-core')
-rw-r--r-- | meta/recipes-core/dbus/dbus.inc | 1 | ||||
-rw-r--r-- | meta/recipes-core/dbus/dbus/CVE-2023-34969.patch | 96 |
2 files changed, 97 insertions, 0 deletions
diff --git a/meta/recipes-core/dbus/dbus.inc b/meta/recipes-core/dbus/dbus.inc index 82e91c7b13..948aaf2e24 100644 --- a/meta/recipes-core/dbus/dbus.inc +++ b/meta/recipes-core/dbus/dbus.inc | |||
@@ -8,6 +8,7 @@ SRC_URI = "https://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.gz \ | |||
8 | file://tmpdir.patch \ | 8 | file://tmpdir.patch \ |
9 | file://dbus-1.init \ | 9 | file://dbus-1.init \ |
10 | file://clear-guid_from_server-if-send_negotiate_unix_f.patch \ | 10 | file://clear-guid_from_server-if-send_negotiate_unix_f.patch \ |
11 | file://CVE-2023-34969.patch \ | ||
11 | " | 12 | " |
12 | 13 | ||
13 | SRC_URI[sha256sum] = "bc42d196c1756ac520d61bf3ccd6f42013617def45dd1e591a6091abf51dca38" | 14 | SRC_URI[sha256sum] = "bc42d196c1756ac520d61bf3ccd6f42013617def45dd1e591a6091abf51dca38" |
diff --git a/meta/recipes-core/dbus/dbus/CVE-2023-34969.patch b/meta/recipes-core/dbus/dbus/CVE-2023-34969.patch new file mode 100644 index 0000000000..8f29185cf6 --- /dev/null +++ b/meta/recipes-core/dbus/dbus/CVE-2023-34969.patch | |||
@@ -0,0 +1,96 @@ | |||
1 | From 37a4dc5835731a1f7a81f1b67c45b8dfb556dd1c Mon Sep 17 00:00:00 2001 | ||
2 | From: hongjinghao <q1204531485@163.com> | ||
3 | Date: Mon, 5 Jun 2023 18:17:06 +0100 | ||
4 | Subject: [PATCH] bus: Assign a serial number for messages from the driver | ||
5 | |||
6 | Normally, it's enough to rely on a message being given a serial number | ||
7 | by the DBusConnection just before it is actually sent. However, in the | ||
8 | rare case where the policy blocks the driver from sending a message | ||
9 | (due to a deny rule or the outgoing message quota being full), we need | ||
10 | to get a valid serial number sooner, so that we can copy it into the | ||
11 | DBUS_HEADER_FIELD_REPLY_SERIAL field (which is mandatory) in the error | ||
12 | message sent to monitors. Otherwise, the dbus-daemon will crash with | ||
13 | an assertion failure if at least one Monitoring client is attached, | ||
14 | because zero is not a valid serial number to copy. | ||
15 | |||
16 | This fixes a denial-of-service vulnerability: if a privileged user is | ||
17 | monitoring the well-known system bus using a Monitoring client like | ||
18 | dbus-monitor or `busctl monitor`, then an unprivileged user can cause | ||
19 | denial-of-service by triggering this crash. A mitigation for this | ||
20 | vulnerability is to avoid attaching Monitoring clients to the system | ||
21 | bus when they are not needed. If there are no Monitoring clients, then | ||
22 | the vulnerable code is not reached. | ||
23 | |||
24 | Co-authored-by: Simon McVittie <smcv@collabora.com> | ||
25 | Resolves: dbus/dbus#457 | ||
26 | (cherry picked from commit b159849e031000d1dbc1ab876b5fc78a3ce9b534) | ||
27 | --- | ||
28 | bus/connection.c | 15 +++++++++++++++ | ||
29 | dbus/dbus-connection-internal.h | 2 ++ | ||
30 | dbus/dbus-connection.c | 11 ++++++++++- | ||
31 | 3 files changed, 27 insertions(+), 1 deletion(-) | ||
32 | |||
33 | diff --git a/bus/connection.c b/bus/connection.c | ||
34 | index b3583433..215f0230 100644 | ||
35 | --- a/bus/connection.c | ||
36 | +++ b/bus/connection.c | ||
37 | @@ -2350,6 +2350,21 @@ bus_transaction_send_from_driver (BusTransaction *transaction, | ||
38 | if (!dbus_message_set_sender (message, DBUS_SERVICE_DBUS)) | ||
39 | return FALSE; | ||
40 | |||
41 | + /* Make sure the message has a non-zero serial number, otherwise | ||
42 | + * bus_transaction_capture_error_reply() will not be able to mock up | ||
43 | + * a corresponding reply for it. Normally this would be delayed until | ||
44 | + * the first time we actually send the message out from a | ||
45 | + * connection, when the transaction is committed, but that's too late | ||
46 | + * in this case. | ||
47 | + */ | ||
48 | + if (dbus_message_get_serial (message) == 0) | ||
49 | + { | ||
50 | + dbus_uint32_t next_serial; | ||
51 | + | ||
52 | + next_serial = _dbus_connection_get_next_client_serial (connection); | ||
53 | + dbus_message_set_serial (message, next_serial); | ||
54 | + } | ||
55 | + | ||
56 | if (bus_connection_is_active (connection)) | ||
57 | { | ||
58 | if (!dbus_message_set_destination (message, | ||
59 | diff --git a/dbus/dbus-connection-internal.h b/dbus/dbus-connection-internal.h | ||
60 | index 48357321..ba79b192 100644 | ||
61 | --- a/dbus/dbus-connection-internal.h | ||
62 | +++ b/dbus/dbus-connection-internal.h | ||
63 | @@ -54,6 +54,8 @@ DBUS_PRIVATE_EXPORT | ||
64 | DBusConnection * _dbus_connection_ref_unlocked (DBusConnection *connection); | ||
65 | DBUS_PRIVATE_EXPORT | ||
66 | void _dbus_connection_unref_unlocked (DBusConnection *connection); | ||
67 | +DBUS_PRIVATE_EXPORT | ||
68 | +dbus_uint32_t _dbus_connection_get_next_client_serial (DBusConnection *connection); | ||
69 | void _dbus_connection_queue_received_message_link (DBusConnection *connection, | ||
70 | DBusList *link); | ||
71 | dbus_bool_t _dbus_connection_has_messages_to_send_unlocked (DBusConnection *connection); | ||
72 | diff --git a/dbus/dbus-connection.c b/dbus/dbus-connection.c | ||
73 | index c525b6dc..09cef278 100644 | ||
74 | --- a/dbus/dbus-connection.c | ||
75 | +++ b/dbus/dbus-connection.c | ||
76 | @@ -1456,7 +1456,16 @@ _dbus_connection_unref_unlocked (DBusConnection *connection) | ||
77 | _dbus_connection_last_unref (connection); | ||
78 | } | ||
79 | |||
80 | -static dbus_uint32_t | ||
81 | +/** | ||
82 | + * Allocate and return the next non-zero serial number for outgoing messages. | ||
83 | + * | ||
84 | + * This method is only valid to call from single-threaded code, such as | ||
85 | + * the dbus-daemon, or with the connection lock held. | ||
86 | + * | ||
87 | + * @param connection the connection | ||
88 | + * @returns A suitable serial number for the next message to be sent on the connection. | ||
89 | + */ | ||
90 | +dbus_uint32_t | ||
91 | _dbus_connection_get_next_client_serial (DBusConnection *connection) | ||
92 | { | ||
93 | dbus_uint32_t serial; | ||
94 | -- | ||
95 | 2.25.1 | ||
96 | |||