2 files changed, 79 insertions, 0 deletions
diff --git a/meta/recipes-core/dbus/dbus/CVE-2020-12049.patch b/meta/recipes-core/dbus/dbus/CVE-2020-12049.patch
new file mode 100644
index 0000000000..ac7a4b7a71
--- /dev/null
+++ b/meta/recipes-core/dbus/dbus/CVE-2020-12049.patch
@@ -0,0 +1,78 @@
+From 872b085f12f56da25a2dbd9bd0b2dff31d5aea63 Mon Sep 17 00:00:00 2001
+From: Simon McVittie <smcv@collabora.com>
+Date: Thu, 16 Apr 2020 14:45:11 +0100
+Subject: [PATCH] sysdeps-unix: On MSG_CTRUNC, close the fds we did receive
+MSG_CTRUNC indicates that we have received fewer fds that we should
+have done because the buffer was too small, but we were treating it
+as though it indicated that we received *no* fds. If we received any,
+we still have to make sure we close them, otherwise they will be leaked.
+On the system bus, if an attacker can induce us to leak fds in this
+way, that's a local denial of service via resource exhaustion.
+Reported-by: Kevin Backhouse, GitHub Security Lab
+Fixes: dbus#294
+Fixes: CVE-2020-12049
+Fixes: GHSL-2020-057
+Upstream-Status: Backport [https://gitlab.freedesktop.org/dbus/dbus/-/commit/872b085f12f56da25a2dbd9bd0b2dff31d5aea63]
+CVE: CVE-2020-12049
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+---
+ dbus/dbus-sysdeps-unix.c | 32 ++++++++++++++++++++------------
+ 1 file changed, 20 insertions(+), 12 deletions(-)
+diff --git a/dbus/dbus-sysdeps-unix.c b/dbus/dbus-sysdeps-unix.c
+index b5fc2466..b176dae1 100644
+--- a/dbus/dbus-sysdeps-unix.c
+++ b/dbus/dbus-sysdeps-unix.c
+@@ -435,18 +435,6 @@ _dbus_read_socket_with_unix_fds (DBusSocket        fd,
+       struct cmsghdr *cm;
+       dbus_bool_t found = FALSE;
+ 
+-      if (m.msg_flags & MSG_CTRUNC)
+-        {
+-          /* Hmm, apparently the control data was truncated. The bad
+-             thing is that we might have completely lost a couple of fds
+-             without chance to recover them. Hence let's treat this as a
+-             serious error. */
+-
+-          errno = ENOSPC;
+-          _dbus_string_set_length (buffer, start);
+-          return -1;
+-        }
+-
+       for (cm = CMSG_FIRSTHDR(&m); cm; cm = CMSG_NXTHDR(&m, cm))
+         if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_RIGHTS)
+           {
+@@ -501,6 +489,26 @@ _dbus_read_socket_with_unix_fds (DBusSocket        fd,
+       if (!found)
+         *n_fds = 0;
+ 
+      if (m.msg_flags & MSG_CTRUNC)
+        {
+          unsigned int i;
+
+          /* Hmm, apparently the control data was truncated. The bad
+             thing is that we might have completely lost a couple of fds
+             without chance to recover them. Hence let's treat this as a
+             serious error. */
+
+          /* We still need to close whatever fds we *did* receive,
+           * otherwise they'll never get closed. (CVE-2020-12049) */
+          for (i = 0; i < *n_fds; i++)
+            close (fds[i]);
+
+          *n_fds = 0;
+          errno = ENOSPC;
+          _dbus_string_set_length (buffer, start);
+          return -1;
+        }
+
+       /* put length back (doesn't actually realloc) */
+       _dbus_string_set_length (buffer, start + bytes_read);
+ 
+-- 
+2.25.1
diff --git a/meta/recipes-core/dbus/dbus_1.12.16.bb b/meta/recipes-core/dbus/dbus_1.12.16.bb
index cfdbec09d0..92508cbeb8 100644
--- a/meta/recipes-core/dbus/dbus_1.12.16.bb
+++ b/meta/recipes-core/dbus/dbus_1.12.16.bb
@@ -16,6 +16,7 @@ SRC_URI = "https://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.gz \
           file://tmpdir.patch \
           file://dbus-1.init \
           file://clear-guid_from_server-if-send_negotiate_unix_f.patch \
+           file://CVE-2020-12049.patch \
 "
 SRC_URI[md5sum] = "2dbeae80dfc9e3632320c6a53d5e8890"

diff --git a/meta/recipes-core/dbus/dbus/CVE-2020-12049.patch b/meta/recipes-core/dbus/dbus/CVE-2020-12049.patch new file mode 100644 index 0000000000..ac7a4b7a71 --- /dev/null +++ b/meta/recipes-core/dbus/dbus/CVE-2020-12049.patch
@@ -0,0 +1,78 @@
		1	From 872b085f12f56da25a2dbd9bd0b2dff31d5aea63 Mon Sep 17 00:00:00 2001
		2	From: Simon McVittie <smcv@collabora.com>
		3	Date: Thu, 16 Apr 2020 14:45:11 +0100
		4	Subject: [PATCH] sysdeps-unix: On MSG_CTRUNC, close the fds we did receive
		5
		6	MSG_CTRUNC indicates that we have received fewer fds that we should
		7	have done because the buffer was too small, but we were treating it
		8	as though it indicated that we received no fds. If we received any,
		9	we still have to make sure we close them, otherwise they will be leaked.
		10
		11	On the system bus, if an attacker can induce us to leak fds in this
		12	way, that's a local denial of service via resource exhaustion.
		13
		14	Reported-by: Kevin Backhouse, GitHub Security Lab
		15	Fixes: dbus#294
		16	Fixes: CVE-2020-12049
		17	Fixes: GHSL-2020-057
		18
		19	Upstream-Status: Backport [https://gitlab.freedesktop.org/dbus/dbus/-/commit/872b085f12f56da25a2dbd9bd0b2dff31d5aea63]
		20	CVE: CVE-2020-12049
		21	Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
		22	---
		23	dbus/dbus-sysdeps-unix.c \| 32 ++++++++++++++++++++------------
		24	1 file changed, 20 insertions(+), 12 deletions(-)
		25
		26	diff --git a/dbus/dbus-sysdeps-unix.c b/dbus/dbus-sysdeps-unix.c
		27	index b5fc2466..b176dae1 100644
		28	--- a/dbus/dbus-sysdeps-unix.c
		29	+++ b/dbus/dbus-sysdeps-unix.c
		30	@@ -435,18 +435,6 @@ _dbus_read_socket_with_unix_fds (DBusSocket fd,
		31	struct cmsghdr *cm;
		32	dbus_bool_t found = FALSE;
		33
		34	- if (m.msg_flags & MSG_CTRUNC)
		35	- {
		36	- /* Hmm, apparently the control data was truncated. The bad
		37	- thing is that we might have completely lost a couple of fds
		38	- without chance to recover them. Hence let's treat this as a
		39	- serious error. */
		40	-
		41	- errno = ENOSPC;
		42	- _dbus_string_set_length (buffer, start);
		43	- return -1;
		44	- }
		45	-
		46	for (cm = CMSG_FIRSTHDR(&m); cm; cm = CMSG_NXTHDR(&m, cm))
		47	if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_RIGHTS)
		48	{
		49	@@ -501,6 +489,26 @@ _dbus_read_socket_with_unix_fds (DBusSocket fd,
		50	if (!found)
		51	*n_fds = 0;
		52
		53	+ if (m.msg_flags & MSG_CTRUNC)
		54	+ {
		55	+ unsigned int i;
		56	+
		57	+ /* Hmm, apparently the control data was truncated. The bad
		58	+ thing is that we might have completely lost a couple of fds
		59	+ without chance to recover them. Hence let's treat this as a
		60	+ serious error. */
		61	+
		62	+ /* We still need to close whatever fds we did receive,
		63	+ * otherwise they'll never get closed. (CVE-2020-12049) */
		64	+ for (i = 0; i < *n_fds; i++)
		65	+ close (fds[i]);
		66	+
		67	+ *n_fds = 0;
		68	+ errno = ENOSPC;
		69	+ _dbus_string_set_length (buffer, start);
		70	+ return -1;
		71	+ }
		72	+
		73	/* put length back (doesn't actually realloc) */
		74	_dbus_string_set_length (buffer, start + bytes_read);
		75
		76	--
		77	2.25.1
		78


diff --git a/meta/recipes-core/dbus/dbus_1.12.16.bb b/meta/recipes-core/dbus/dbus_1.12.16.bb index cfdbec09d0..92508cbeb8 100644 --- a/meta/recipes-core/dbus/dbus_1.12.16.bb +++ b/meta/recipes-core/dbus/dbus_1.12.16.bb
@@ -16,6 +16,7 @@ SRC_URI = "https://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.gz \
16	file://tmpdir.patch \	16	file://tmpdir.patch \
17	file://dbus-1.init \	17	file://dbus-1.init \
18	file://clear-guid_from_server-if-send_negotiate_unix_f.patch \	18	file://clear-guid_from_server-if-send_negotiate_unix_f.patch \
		19	file://CVE-2020-12049.patch \
19	"	20	"
20		21
21	SRC_URI[md5sum] = "2dbeae80dfc9e3632320c6a53d5e8890"	22	SRC_URI[md5sum] = "2dbeae80dfc9e3632320c6a53d5e8890"