4 files changed, 4 insertions, 262 deletions
diff --git a/meta/recipes-core/dbus/dbus/0001-dbus-marshal-byteswap-Byte-swap-Unix-fd-indexes-if-n.patch b/meta/recipes-core/dbus/dbus/0001-dbus-marshal-byteswap-Byte-swap-Unix-fd-indexes-if-n.patch
deleted file mode 100644
index 47f4f1e0d3..0000000000
--- a/meta/recipes-core/dbus/dbus/0001-dbus-marshal-byteswap-Byte-swap-Unix-fd-indexes-if-n.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From 3fb065b0752db1e298e4ada52cf4adc414f5e946 Mon Sep 17 00:00:00 2001
-From: Simon McVittie <smcv@collabora.com>
-Date: Fri, 30 Sep 2022 13:46:31 +0100
-Subject: [PATCH] dbus-marshal-byteswap: Byte-swap Unix fd indexes if needed
-When a D-Bus message includes attached file descriptors, the body of the
-message contains unsigned 32-bit indexes pointing into an out-of-band
-array of file descriptors. Some D-Bus APIs like GLib's GDBus refer to
-these indexes as "handles" for the associated fds (not to be confused
-with a Windows HANDLE, which is a kernel object).
-The assertion message removed by this commit is arguably correct up to
-a point: fd-passing is only reasonable on a local machine, and no known
-operating system allows processes of differing endianness even on a
-multi-endian ARM or PowerPC CPU, so it makes little sense for the sender
-to specify a byte-order that differs from the byte-order of the recipient.
-However, this doesn't account for the fact that a malicious sender
-doesn't have to restrict itself to only doing things that make sense.
-On a system with untrusted local users, a message sender could crash
-the system dbus-daemon (a denial of service) by sending a message in
-the opposite endianness that contains handles to file descriptors.
-Before this commit, if assertions are enabled, attempting to byteswap
-a fd index would cleanly crash the message recipient with an assertion
-failure. If assertions are disabled, attempting to byteswap a fd index
-would silently do nothing without advancing the pointer p, causing the
-message's type and the pointer into its contents to go out of sync, which
-can result in a subsequent crash (the crash demonstrated by fuzzing was
-a use-after-free, but other failure modes might be possible).
-In principle we could resolve this by rejecting wrong-endianness messages
-from a local sender, but it's actually simpler and less code to treat
-wrong-endianness messages as valid and byteswap them.
-Thanks: Evgeny Vereshchagin
-Fixes: ba7daa60 "unix-fd: add basic marshalling code for unix fds"
-Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/417
-Resolves: CVE-2022-42012
-Upstream-Status: Backport from [https://gitlab.freedesktop.org/dbus/dbus/-/commit/3fb065b0752db1e298e4ada52cf4adc414f5e946]
-Signed-off-by: Simon McVittie <smcv@collabora.com>
-(cherry picked from commit 236f16e444e88a984cf12b09225e0f8efa6c5b44)
-Signed-off-by: Xiangyu Chen <xiangyu.chen@eng.windriver.com>
---
- dbus/dbus-marshal-byteswap.c | 6 +-----
- 1 file changed, 1 insertion(+), 5 deletions(-)
-diff --git a/dbus/dbus-marshal-byteswap.c b/dbus/dbus-marshal-byteswap.c
-index 27695aaf..7104e9c6 100644
--- a/dbus/dbus-marshal-byteswap.c
-+++ b/dbus/dbus-marshal-byteswap.c
-@@ -61,6 +61,7 @@ byteswap_body_helper (DBusTypeReader       *reader,
-         case DBUS_TYPE_BOOLEAN:
-         case DBUS_TYPE_INT32:
-         case DBUS_TYPE_UINT32:
-+        case DBUS_TYPE_UNIX_FD:
-           {
-             p = _DBUS_ALIGN_ADDRESS (p, 4);
-             *((dbus_uint32_t*)p) = DBUS_UINT32_SWAP_LE_BE (*((dbus_uint32_t*)p));
-@@ -188,11 +189,6 @@ byteswap_body_helper (DBusTypeReader       *reader,
-           }
-           break;
- 
-        case DBUS_TYPE_UNIX_FD:
-          /* fds can only be passed on a local machine, so byte order must always match */
-          _dbus_assert_not_reached("attempted to byteswap unix fds which makes no sense");
-          break;
-
-         default:
-           _dbus_assert_not_reached ("invalid typecode in supposedly-validated signature");
-           break;
-- 
-2.34.1
diff --git a/meta/recipes-core/dbus/dbus/0001-dbus-marshal-validate-Check-brackets-in-signature-ne.patch b/meta/recipes-core/dbus/dbus/0001-dbus-marshal-validate-Check-brackets-in-signature-ne.patch
deleted file mode 100644
index f2e14fb8d5..0000000000
--- a/meta/recipes-core/dbus/dbus/0001-dbus-marshal-validate-Check-brackets-in-signature-ne.patch
+++ /dev/null
@@ -1,119 +0,0 @@
-From 3e53a785dee8d1432156188a2c4260e4cbc78c4d Mon Sep 17 00:00:00 2001
-From: Simon McVittie <smcv@collabora.com>
-Date: Tue, 13 Sep 2022 15:10:22 +0100
-Subject: [PATCH] dbus-marshal-validate: Check brackets in signature nest
- correctly
-In debug builds with assertions enabled, a signature with incorrectly
-nested `()` and `{}`, for example `a{i(u}` or `(a{ii)}`, could result
-in an assertion failure.
-In production builds without assertions enabled, a signature with
-incorrectly nested `()` and `{}` could potentially result in a crash
-or incorrect message parsing, although we do not have a concrete example
-of either of these failure modes.
-Thanks: Evgeny Vereshchagin
-Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/418
-Resolves: CVE-2022-42010
-Upstream-Status: Backport [https://gitlab.freedesktop.org/dbus/dbus/-/commit/3e53a785dee8d1432156188a2c4260e4cbc78c4d]
-Signed-off-by: Simon McVittie <smcv@collabora.com>
-(cherry picked from commit 9d07424e9011e3bbe535e83043d335f3093d2916)
-Signed-off-by: Xiangyu Chen <xiangyu.chen@eng.windriver.com>
---
- dbus/dbus-marshal-validate.c | 38 +++++++++++++++++++++++++++++++++++-
- 1 file changed, 37 insertions(+), 1 deletion(-)
-diff --git a/dbus/dbus-marshal-validate.c b/dbus/dbus-marshal-validate.c
-index 4d492f3f..ae68414d 100644
--- a/dbus/dbus-marshal-validate.c
-+++ b/dbus/dbus-marshal-validate.c
-@@ -62,6 +62,8 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
- 
-   int element_count;
-   DBusList *element_count_stack;
-+  char opened_brackets[DBUS_MAXIMUM_TYPE_RECURSION_DEPTH * 2 + 1] = { '\0' };
-+  char last_bracket;
- 
-   result = DBUS_VALID;
-   element_count_stack = NULL;
-@@ -93,6 +95,10 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
- 
-   while (p != end)
-     {
-+      _dbus_assert (struct_depth + dict_entry_depth >= 0);
-+      _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets));
-+      _dbus_assert (opened_brackets[struct_depth + dict_entry_depth] == '\0');
-+
-       switch (*p)
-         {
-         case DBUS_TYPE_BYTE:
-@@ -136,6 +142,10 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
-               goto out;
-             }
- 
-+          _dbus_assert (struct_depth + dict_entry_depth >= 1);
-+          _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets));
-+          _dbus_assert (opened_brackets[struct_depth + dict_entry_depth - 1] == '\0');
-+          opened_brackets[struct_depth + dict_entry_depth - 1] = DBUS_STRUCT_BEGIN_CHAR;
-           break;
- 
-         case DBUS_STRUCT_END_CHAR:
-@@ -151,9 +161,20 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
-               goto out;
-             }
- 
-+          _dbus_assert (struct_depth + dict_entry_depth >= 1);
-+          _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets));
-+          last_bracket = opened_brackets[struct_depth + dict_entry_depth - 1];
-+
-+          if (last_bracket != DBUS_STRUCT_BEGIN_CHAR)
-+            {
-+              result = DBUS_INVALID_STRUCT_ENDED_BUT_NOT_STARTED;
-+              goto out;
-+            }
-+
-           _dbus_list_pop_last (&element_count_stack);
- 
-           struct_depth -= 1;
-+          opened_brackets[struct_depth + dict_entry_depth] = '\0';
-           break;
- 
-         case DBUS_DICT_ENTRY_BEGIN_CHAR:
-@@ -178,6 +199,10 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
-               goto out;
-             }
- 
-+          _dbus_assert (struct_depth + dict_entry_depth >= 1);
-+          _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets));
-+          _dbus_assert (opened_brackets[struct_depth + dict_entry_depth - 1] == '\0');
-+          opened_brackets[struct_depth + dict_entry_depth - 1] = DBUS_DICT_ENTRY_BEGIN_CHAR;
-           break;
- 
-         case DBUS_DICT_ENTRY_END_CHAR:
-@@ -186,8 +211,19 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
-               result = DBUS_INVALID_DICT_ENTRY_ENDED_BUT_NOT_STARTED;
-               goto out;
-             }
-            
-+
-+          _dbus_assert (struct_depth + dict_entry_depth >= 1);
-+          _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets));
-+          last_bracket = opened_brackets[struct_depth + dict_entry_depth - 1];
-+
-+          if (last_bracket != DBUS_DICT_ENTRY_BEGIN_CHAR)
-+            {
-+              result = DBUS_INVALID_DICT_ENTRY_ENDED_BUT_NOT_STARTED;
-+              goto out;
-+            }
-+
-           dict_entry_depth -= 1;
-+          opened_brackets[struct_depth + dict_entry_depth] = '\0';
- 
-           element_count = 
-             _DBUS_POINTER_TO_INT (_dbus_list_pop_last (&element_count_stack));
-- 
-2.34.1
diff --git a/meta/recipes-core/dbus/dbus/0001-dbus-marshal-validate-Validate-length-of-arrays-of-f.patch b/meta/recipes-core/dbus/dbus/0001-dbus-marshal-validate-Validate-length-of-arrays-of-f.patch
deleted file mode 100644
index f953326f78..0000000000
--- a/meta/recipes-core/dbus/dbus/0001-dbus-marshal-validate-Validate-length-of-arrays-of-f.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From b9e6a7523085a2cfceaffca7ba1ab4251f12a984 Mon Sep 17 00:00:00 2001
-From: Simon McVittie <smcv@collabora.com>
-Date: Mon, 12 Sep 2022 13:14:18 +0100
-Subject: [PATCH] dbus-marshal-validate: Validate length of arrays of
- fixed-length items
-This fast-path previously did not check that the array was made up
-of an integer number of items. This could lead to assertion failures
-and out-of-bounds accesses during subsequent message processing (which
-assumes that the message has already been validated), particularly after
-the addition of _dbus_header_remove_unknown_fields(), which makes it
-more likely that dbus-daemon will apply non-trivial edits to messages.
-Thanks: Evgeny Vereshchagin
-Fixes: e61f13cf "Bug 18064 - more efficient validation for fixed-size type arrays"
-Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/413
-Resolves: CVE-2022-42011
-Upstream-Status: Backport from
-[https://gitlab.freedesktop.org/dbus/dbus/-/commit/b9e6a7523085a2cfceaffca7ba1ab4251f12a984]
-Signed-off-by: Simon McVittie <smcv@collabora.com>
-(cherry picked from commit 079bbf16186e87fb0157adf8951f19864bc2ed69)
-Signed-off-by: Xiangyu Chen <xiangyu.chen@eng.windriver.com>
---
- dbus/dbus-marshal-validate.c | 13 ++++++++++++-
- 1 file changed, 12 insertions(+), 1 deletion(-)
-diff --git a/dbus/dbus-marshal-validate.c b/dbus/dbus-marshal-validate.c
-index ae68414d..7d0d6cf7 100644
--- a/dbus/dbus-marshal-validate.c
-+++ b/dbus/dbus-marshal-validate.c
-@@ -503,13 +503,24 @@ validate_body_helper (DBusTypeReader       *reader,
-                  */ 
-                 if (dbus_type_is_fixed (array_elem_type))
-                   {
-+                    /* Note that fixed-size types all have sizes equal to
-+                     * their alignments, so this is really the item size. */
-+                    alignment = _dbus_type_get_alignment (array_elem_type);
-+                    _dbus_assert (alignment == 1 || alignment == 2 ||
-+                                  alignment == 4 || alignment == 8);
-+
-+                    /* Because the alignment is a power of 2, this is
-+                     * equivalent to: (claimed_len % alignment) != 0,
-+                     * but avoids slower integer division */
-+                    if ((claimed_len & (alignment - 1)) != 0)
-+                      return DBUS_INVALID_ARRAY_LENGTH_INCORRECT;
-+
-                     /* bools need to be handled differently, because they can
-                      * have an invalid value
-                      */
-                     if (array_elem_type == DBUS_TYPE_BOOLEAN)
-                       {
-                         dbus_uint32_t v;
-                        alignment = _dbus_type_get_alignment (array_elem_type);
- 
-                         while (p < array_end)
-                           {
-- 
-2.34.1
diff --git a/meta/recipes-core/dbus/dbus_1.14.0.bb b/meta/recipes-core/dbus/dbus_1.14.4.bb
index 484629e987..9684f0c6e2 100644
--- a/meta/recipes-core/dbus/dbus_1.14.0.bb
+++ b/meta/recipes-core/dbus/dbus_1.14.4.bb
@@ -6,19 +6,17 @@ SECTION = "base"
 inherit autotools pkgconfig gettext upstream-version-is-even ptest-gnome
 LICENSE = "AFL-2.1 | GPL-2.0-or-later"
-LIC_FILES_CHKSUM = "file://COPYING;md5=10dded3b58148f3f1fd804b26354af3e \
+LIC_FILES_CHKSUM = "file://COPYING;md5=6423dcd74d7be9715b0db247fd889da3 \
-                    file://dbus/dbus.h;beginline=6;endline=20;md5=866739837ccd835350af94dccd6457d8"
+                    file://dbus/dbus.h;beginline=6;endline=20;md5=866739837ccd835350af94dccd6457d8 \
+                    "
 SRC_URI = "https://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.xz \
           file://run-ptest \
           file://tmpdir.patch \
           file://dbus-1.init \
-           file://0001-dbus-marshal-validate-Check-brackets-in-signature-ne.patch \
-           file://0001-dbus-marshal-validate-Validate-length-of-arrays-of-f.patch \
-           file://0001-dbus-marshal-byteswap-Byte-swap-Unix-fd-indexes-if-n.patch \
 "
-SRC_URI[sha256sum] = "ccd7cce37596e0a19558fd6648d1272ab43f011d80c8635aea8fd0bad58aebd4"
+SRC_URI[sha256sum] = "7c0f9b8e5ec0ff2479383e62c0084a3a29af99edf1514e9f659b81b30d4e353e"
 EXTRA_OECONF = "--disable-xml-docs \
                --disable-doxygen-docs \

diff --git a/meta/recipes-core/dbus/dbus/0001-dbus-marshal-byteswap-Byte-swap-Unix-fd-indexes-if-n.patch b/meta/recipes-core/dbus/dbus/0001-dbus-marshal-byteswap-Byte-swap-Unix-fd-indexes-if-n.patch deleted file mode 100644 index 47f4f1e0d3..0000000000 --- a/meta/recipes-core/dbus/dbus/0001-dbus-marshal-byteswap-Byte-swap-Unix-fd-indexes-if-n.patch +++ /dev/null
@@ -1,76 +0,0 @@
1	From 3fb065b0752db1e298e4ada52cf4adc414f5e946 Mon Sep 17 00:00:00 2001
2	From: Simon McVittie <smcv@collabora.com>
3	Date: Fri, 30 Sep 2022 13:46:31 +0100
4	Subject: [PATCH] dbus-marshal-byteswap: Byte-swap Unix fd indexes if needed
5
6	When a D-Bus message includes attached file descriptors, the body of the
7	message contains unsigned 32-bit indexes pointing into an out-of-band
8	array of file descriptors. Some D-Bus APIs like GLib's GDBus refer to
9	these indexes as "handles" for the associated fds (not to be confused
10	with a Windows HANDLE, which is a kernel object).
11
12	The assertion message removed by this commit is arguably correct up to
13	a point: fd-passing is only reasonable on a local machine, and no known
14	operating system allows processes of differing endianness even on a
15	multi-endian ARM or PowerPC CPU, so it makes little sense for the sender
16	to specify a byte-order that differs from the byte-order of the recipient.
17
18	However, this doesn't account for the fact that a malicious sender
19	doesn't have to restrict itself to only doing things that make sense.
20	On a system with untrusted local users, a message sender could crash
21	the system dbus-daemon (a denial of service) by sending a message in
22	the opposite endianness that contains handles to file descriptors.
23
24	Before this commit, if assertions are enabled, attempting to byteswap
25	a fd index would cleanly crash the message recipient with an assertion
26	failure. If assertions are disabled, attempting to byteswap a fd index
27	would silently do nothing without advancing the pointer p, causing the
28	message's type and the pointer into its contents to go out of sync, which
29	can result in a subsequent crash (the crash demonstrated by fuzzing was
30	a use-after-free, but other failure modes might be possible).
31
32	In principle we could resolve this by rejecting wrong-endianness messages
33	from a local sender, but it's actually simpler and less code to treat
34	wrong-endianness messages as valid and byteswap them.
35
36	Thanks: Evgeny Vereshchagin
37	Fixes: ba7daa60 "unix-fd: add basic marshalling code for unix fds"
38	Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/417
39	Resolves: CVE-2022-42012
40
41	Upstream-Status: Backport from [https://gitlab.freedesktop.org/dbus/dbus/-/commit/3fb065b0752db1e298e4ada52cf4adc414f5e946]
42
43	Signed-off-by: Simon McVittie <smcv@collabora.com>
44	(cherry picked from commit 236f16e444e88a984cf12b09225e0f8efa6c5b44)
45	Signed-off-by: Xiangyu Chen <xiangyu.chen@eng.windriver.com>
46	---
47	dbus/dbus-marshal-byteswap.c \| 6 +-----
48	1 file changed, 1 insertion(+), 5 deletions(-)
49
50	diff --git a/dbus/dbus-marshal-byteswap.c b/dbus/dbus-marshal-byteswap.c
51	index 27695aaf..7104e9c6 100644
52	--- a/dbus/dbus-marshal-byteswap.c
53	+++ b/dbus/dbus-marshal-byteswap.c
54	@@ -61,6 +61,7 @@ byteswap_body_helper (DBusTypeReader *reader,
55	case DBUS_TYPE_BOOLEAN:
56	case DBUS_TYPE_INT32:
57	case DBUS_TYPE_UINT32:
58	+ case DBUS_TYPE_UNIX_FD:
59	{
60	p = _DBUS_ALIGN_ADDRESS (p, 4);
61	((dbus_uint32_t)p) = DBUS_UINT32_SWAP_LE_BE (((dbus_uint32_t)p));
62	@@ -188,11 +189,6 @@ byteswap_body_helper (DBusTypeReader *reader,
63	}
64	break;
65
66	- case DBUS_TYPE_UNIX_FD:
67	- /* fds can only be passed on a local machine, so byte order must always match */
68	- _dbus_assert_not_reached("attempted to byteswap unix fds which makes no sense");
69	- break;
70	-
71	default:
72	_dbus_assert_not_reached ("invalid typecode in supposedly-validated signature");
73	break;
74	--
75	2.34.1
76


diff --git a/meta/recipes-core/dbus/dbus/0001-dbus-marshal-validate-Check-brackets-in-signature-ne.patch b/meta/recipes-core/dbus/dbus/0001-dbus-marshal-validate-Check-brackets-in-signature-ne.patch deleted file mode 100644 index f2e14fb8d5..0000000000 --- a/meta/recipes-core/dbus/dbus/0001-dbus-marshal-validate-Check-brackets-in-signature-ne.patch +++ /dev/null
@@ -1,119 +0,0 @@
1	From 3e53a785dee8d1432156188a2c4260e4cbc78c4d Mon Sep 17 00:00:00 2001
2	From: Simon McVittie <smcv@collabora.com>
3	Date: Tue, 13 Sep 2022 15:10:22 +0100
4	Subject: [PATCH] dbus-marshal-validate: Check brackets in signature nest
5	correctly
6
7	In debug builds with assertions enabled, a signature with incorrectly
8	nested `()` and `{}`, for example `a{i(u}` or `(a{ii)}`, could result
9	in an assertion failure.
10
11	In production builds without assertions enabled, a signature with
12	incorrectly nested `()` and `{}` could potentially result in a crash
13	or incorrect message parsing, although we do not have a concrete example
14	of either of these failure modes.
15
16	Thanks: Evgeny Vereshchagin
17	Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/418
18	Resolves: CVE-2022-42010
19
20	Upstream-Status: Backport [https://gitlab.freedesktop.org/dbus/dbus/-/commit/3e53a785dee8d1432156188a2c4260e4cbc78c4d]
21
22	Signed-off-by: Simon McVittie <smcv@collabora.com>
23	(cherry picked from commit 9d07424e9011e3bbe535e83043d335f3093d2916)
24	Signed-off-by: Xiangyu Chen <xiangyu.chen@eng.windriver.com>
25	---
26	dbus/dbus-marshal-validate.c \| 38 +++++++++++++++++++++++++++++++++++-
27	1 file changed, 37 insertions(+), 1 deletion(-)
28
29	diff --git a/dbus/dbus-marshal-validate.c b/dbus/dbus-marshal-validate.c
30	index 4d492f3f..ae68414d 100644
31	--- a/dbus/dbus-marshal-validate.c
32	+++ b/dbus/dbus-marshal-validate.c
33	@@ -62,6 +62,8 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
34
35	int element_count;
36	DBusList *element_count_stack;
37	+ char opened_brackets[DBUS_MAXIMUM_TYPE_RECURSION_DEPTH * 2 + 1] = { '\0' };
38	+ char last_bracket;
39
40	result = DBUS_VALID;
41	element_count_stack = NULL;
42	@@ -93,6 +95,10 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
43
44	while (p != end)
45	{
46	+ _dbus_assert (struct_depth + dict_entry_depth >= 0);
47	+ _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets));
48	+ _dbus_assert (opened_brackets[struct_depth + dict_entry_depth] == '\0');
49	+
50	switch (*p)
51	{
52	case DBUS_TYPE_BYTE:
53	@@ -136,6 +142,10 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
54	goto out;
55	}
56
57	+ _dbus_assert (struct_depth + dict_entry_depth >= 1);
58	+ _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets));
59	+ _dbus_assert (opened_brackets[struct_depth + dict_entry_depth - 1] == '\0');
60	+ opened_brackets[struct_depth + dict_entry_depth - 1] = DBUS_STRUCT_BEGIN_CHAR;
61	break;
62
63	case DBUS_STRUCT_END_CHAR:
64	@@ -151,9 +161,20 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
65	goto out;
66	}
67
68	+ _dbus_assert (struct_depth + dict_entry_depth >= 1);
69	+ _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets));
70	+ last_bracket = opened_brackets[struct_depth + dict_entry_depth - 1];
71	+
72	+ if (last_bracket != DBUS_STRUCT_BEGIN_CHAR)
73	+ {
74	+ result = DBUS_INVALID_STRUCT_ENDED_BUT_NOT_STARTED;
75	+ goto out;
76	+ }
77	+
78	_dbus_list_pop_last (&element_count_stack);
79
80	struct_depth -= 1;
81	+ opened_brackets[struct_depth + dict_entry_depth] = '\0';
82	break;
83
84	case DBUS_DICT_ENTRY_BEGIN_CHAR:
85	@@ -178,6 +199,10 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
86	goto out;
87	}
88
89	+ _dbus_assert (struct_depth + dict_entry_depth >= 1);
90	+ _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets));
91	+ _dbus_assert (opened_brackets[struct_depth + dict_entry_depth - 1] == '\0');
92	+ opened_brackets[struct_depth + dict_entry_depth - 1] = DBUS_DICT_ENTRY_BEGIN_CHAR;
93	break;
94
95	case DBUS_DICT_ENTRY_END_CHAR:
96	@@ -186,8 +211,19 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
97	result = DBUS_INVALID_DICT_ENTRY_ENDED_BUT_NOT_STARTED;
98	goto out;
99	}
100	-
101	+
102	+ _dbus_assert (struct_depth + dict_entry_depth >= 1);
103	+ _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets));
104	+ last_bracket = opened_brackets[struct_depth + dict_entry_depth - 1];
105	+
106	+ if (last_bracket != DBUS_DICT_ENTRY_BEGIN_CHAR)
107	+ {
108	+ result = DBUS_INVALID_DICT_ENTRY_ENDED_BUT_NOT_STARTED;
109	+ goto out;
110	+ }
111	+
112	dict_entry_depth -= 1;
113	+ opened_brackets[struct_depth + dict_entry_depth] = '\0';
114
115	element_count =
116	_DBUS_POINTER_TO_INT (_dbus_list_pop_last (&element_count_stack));
117	--
118	2.34.1
119


diff --git a/meta/recipes-core/dbus/dbus/0001-dbus-marshal-validate-Validate-length-of-arrays-of-f.patch b/meta/recipes-core/dbus/dbus/0001-dbus-marshal-validate-Validate-length-of-arrays-of-f.patch deleted file mode 100644 index f953326f78..0000000000 --- a/meta/recipes-core/dbus/dbus/0001-dbus-marshal-validate-Validate-length-of-arrays-of-f.patch +++ /dev/null
@@ -1,61 +0,0 @@
1	From b9e6a7523085a2cfceaffca7ba1ab4251f12a984 Mon Sep 17 00:00:00 2001
2	From: Simon McVittie <smcv@collabora.com>
3	Date: Mon, 12 Sep 2022 13:14:18 +0100
4	Subject: [PATCH] dbus-marshal-validate: Validate length of arrays of
5	fixed-length items
6
7	This fast-path previously did not check that the array was made up
8	of an integer number of items. This could lead to assertion failures
9	and out-of-bounds accesses during subsequent message processing (which
10	assumes that the message has already been validated), particularly after
11	the addition of _dbus_header_remove_unknown_fields(), which makes it
12	more likely that dbus-daemon will apply non-trivial edits to messages.
13
14	Thanks: Evgeny Vereshchagin
15	Fixes: e61f13cf "Bug 18064 - more efficient validation for fixed-size type arrays"
16	Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/413
17	Resolves: CVE-2022-42011
18
19	Upstream-Status: Backport from
20	[https://gitlab.freedesktop.org/dbus/dbus/-/commit/b9e6a7523085a2cfceaffca7ba1ab4251f12a984]
21
22	Signed-off-by: Simon McVittie <smcv@collabora.com>
23	(cherry picked from commit 079bbf16186e87fb0157adf8951f19864bc2ed69)
24	Signed-off-by: Xiangyu Chen <xiangyu.chen@eng.windriver.com>
25	---
26	dbus/dbus-marshal-validate.c \| 13 ++++++++++++-
27	1 file changed, 12 insertions(+), 1 deletion(-)
28
29	diff --git a/dbus/dbus-marshal-validate.c b/dbus/dbus-marshal-validate.c
30	index ae68414d..7d0d6cf7 100644
31	--- a/dbus/dbus-marshal-validate.c
32	+++ b/dbus/dbus-marshal-validate.c
33	@@ -503,13 +503,24 @@ validate_body_helper (DBusTypeReader *reader,
34	*/
35	if (dbus_type_is_fixed (array_elem_type))
36	{
37	+ /* Note that fixed-size types all have sizes equal to
38	+ * their alignments, so this is really the item size. */
39	+ alignment = _dbus_type_get_alignment (array_elem_type);
40	+ _dbus_assert (alignment == 1 \|\| alignment == 2 \|\|
41	+ alignment == 4 \|\| alignment == 8);
42	+
43	+ /* Because the alignment is a power of 2, this is
44	+ * equivalent to: (claimed_len % alignment) != 0,
45	+ * but avoids slower integer division */
46	+ if ((claimed_len & (alignment - 1)) != 0)
47	+ return DBUS_INVALID_ARRAY_LENGTH_INCORRECT;
48	+
49	/* bools need to be handled differently, because they can
50	* have an invalid value
51	*/
52	if (array_elem_type == DBUS_TYPE_BOOLEAN)
53	{
54	dbus_uint32_t v;
55	- alignment = _dbus_type_get_alignment (array_elem_type);
56
57	while (p < array_end)
58	{
59	--
60	2.34.1
61


diff --git a/meta/recipes-core/dbus/dbus_1.14.0.bb b/meta/recipes-core/dbus/dbus_1.14.4.bb index 484629e987..9684f0c6e2 100644 --- a/meta/recipes-core/dbus/dbus_1.14.0.bb +++ b/meta/recipes-core/dbus/dbus_1.14.4.bb
@@ -6,19 +6,17 @@ SECTION = "base"
6	inherit autotools pkgconfig gettext upstream-version-is-even ptest-gnome	6	inherit autotools pkgconfig gettext upstream-version-is-even ptest-gnome
7		7
8	LICENSE = "AFL-2.1 \| GPL-2.0-or-later"	8	LICENSE = "AFL-2.1 \| GPL-2.0-or-later"
9	LIC_FILES_CHKSUM = "file://COPYING;md5=10dded3b58148f3f1fd804b26354af3e \	9	LIC_FILES_CHKSUM = "file://COPYING;md5=6423dcd74d7be9715b0db247fd889da3 \
10	file://dbus/dbus.h;beginline=6;endline=20;md5=866739837ccd835350af94dccd6457d8"	10	file://dbus/dbus.h;beginline=6;endline=20;md5=866739837ccd835350af94dccd6457d8 \
		11	"
11		12
12	SRC_URI = "https://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.xz \	13	SRC_URI = "https://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.xz \
13	file://run-ptest \	14	file://run-ptest \
14	file://tmpdir.patch \	15	file://tmpdir.patch \
15	file://dbus-1.init \	16	file://dbus-1.init \
16	file://0001-dbus-marshal-validate-Check-brackets-in-signature-ne.patch \
17	file://0001-dbus-marshal-validate-Validate-length-of-arrays-of-f.patch \
18	file://0001-dbus-marshal-byteswap-Byte-swap-Unix-fd-indexes-if-n.patch \
19	"	17	"
20		18
21	SRC_URI[sha256sum] = "ccd7cce37596e0a19558fd6648d1272ab43f011d80c8635aea8fd0bad58aebd4"	19	SRC_URI[sha256sum] = "7c0f9b8e5ec0ff2479383e62c0084a3a29af99edf1514e9f659b81b30d4e353e"
22		20
23	EXTRA_OECONF = "--disable-xml-docs \	21	EXTRA_OECONF = "--disable-xml-docs \
24	--disable-doxygen-docs \	22	--disable-doxygen-docs \