[dbus/f15] Merge fixes from upstream for CVE-2011-2200
Colin Walters
walters at fedoraproject.org
Wed Jul 27 22:47:44 UTC 2011
commit d95131a6877aedab4f75e7a1a3b9b99fe0261077
Author: Colin Walters <walters at verbum.org>
Date: Wed Jul 27 18:47:39 2011 -0400
Merge fixes from upstream for CVE-2011-2200
...r_byteswap-change-the-first-byte-of-the-m.patch | 44 ++++++++++++++++++++
...e_demarshal_bytes_needed-correct-a-wrong-.patch | 31 ++++++++++++++
dbus.spec | 11 ++++-
3 files changed, 85 insertions(+), 1 deletions(-)
---
diff --git a/0001-_dbus_header_byteswap-change-the-first-byte-of-the-m.patch b/0001-_dbus_header_byteswap-change-the-first-byte-of-the-m.patch
new file mode 100644
index 0000000..5facb36
--- /dev/null
+++ b/0001-_dbus_header_byteswap-change-the-first-byte-of-the-m.patch
@@ -0,0 +1,44 @@
+From c3223ba6c401ba81df1305851312a47c485e6cd7 Mon Sep 17 00:00:00 2001
+From: Simon McVittie <simon.mcvittie at collabora.co.uk>
+Date: Thu, 9 Jun 2011 17:52:10 +0100
+Subject: [PATCH] _dbus_header_byteswap: change the first byte of the message,
+ not just the struct member
+
+This has been wrong approximately forever, for instance see:
+http://lists.freedesktop.org/archives/dbus/2007-March/007357.html
+
+Bug: https://bugs.freedesktop.org/show_bug.cgi?id=38120
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=629938
+Reviewed-by: Will Thompson <will.thompson at collabora.co.uk>
+---
+ dbus/dbus-marshal-header.c | 6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
+
+diff --git a/dbus/dbus-marshal-header.c b/dbus/dbus-marshal-header.c
+index 3f31d7a..a6c9b80 100644
+--- a/dbus/dbus-marshal-header.c
++++ b/dbus/dbus-marshal-header.c
+@@ -1468,14 +1468,20 @@ void
+ _dbus_header_byteswap (DBusHeader *header,
+ int new_order)
+ {
++ unsigned char byte_order;
++
+ if (header->byte_order == new_order)
+ return;
+
++ byte_order = _dbus_string_get_byte (&header->data, BYTE_ORDER_OFFSET);
++ _dbus_assert (header->byte_order == byte_order);
++
+ _dbus_marshal_byteswap (&_dbus_header_signature_str,
+ 0, header->byte_order,
+ new_order,
+ &header->data, 0);
+
++ _dbus_string_set_byte (&header->data, BYTE_ORDER_OFFSET, new_order);
+ header->byte_order = new_order;
+ }
+
+--
+1.7.6
+
diff --git a/0001-dbus_message_demarshal_bytes_needed-correct-a-wrong-.patch b/0001-dbus_message_demarshal_bytes_needed-correct-a-wrong-.patch
new file mode 100644
index 0000000..127f728
--- /dev/null
+++ b/0001-dbus_message_demarshal_bytes_needed-correct-a-wrong-.patch
@@ -0,0 +1,31 @@
+From 90ac05171d018e5d2cc0c3a3195b59425a626f96 Mon Sep 17 00:00:00 2001
+From: Simon McVittie <simon.mcvittie at collabora.co.uk>
+Date: Thu, 9 Jun 2011 18:35:43 +0100
+Subject: [PATCH] dbus_message_demarshal_bytes_needed: correct a wrong
+ assertion
+
+It's entirely possible for a message to indicate how many bytes we need,
+without actually being complete.
+
+Bug: https://bugs.freedesktop.org/show_bug.cgi?id=38120
+Reviewed-by: Will Thompson <will.thompson at collabora.co.uk>
+---
+ dbus/dbus-message.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/dbus/dbus-message.c b/dbus/dbus-message.c
+index 24ef5ac..a59ed9b 100644
+--- a/dbus/dbus-message.c
++++ b/dbus/dbus-message.c
+@@ -4680,7 +4680,7 @@ dbus_message_demarshal_bytes_needed(const char *buf,
+
+ if (validity == DBUS_VALID)
+ {
+- _dbus_assert(have_message);
++ _dbus_assert (have_message || (header_len + body_len) > len);
+ return header_len + body_len;
+ }
+ else
+--
+1.7.6
+
diff --git a/dbus.spec b/dbus.spec
index b8bc35d..ad2e77d 100644
--- a/dbus.spec
+++ b/dbus.spec
@@ -9,7 +9,7 @@ Summary: D-BUS message bus
Name: dbus
Epoch: 1
Version: 1.4.6
-Release: 4%{?dist}
+Release: 5%{?dist}
URL: http://www.freedesktop.org/software/dbus/
#VCS: git:git://git.freedesktop.org/git/dbus/dbus
Source0: http://dbus.freedesktop.org/releases/dbus/%{name}-%{version}.tar.gz
@@ -50,6 +50,10 @@ Patch2: 0001-activation-Use-_dbus_system_log-for-activation-infor.patch
# https://bugs.freedesktop.org/show_bug.cgi?id=35750
Patch3: 0001-activation-Strip-out-code-to-compare-by-Exec.patch
+# CVE 2011-2200
+Patch4: 0001-_dbus_header_byteswap-change-the-first-byte-of-the-m.patch
+Patch5: 0001-dbus_message_demarshal_bytes_needed-correct-a-wrong-.patch
+
%description
D-BUS is a system for sending messages between applications. It is
used both for the system-wide message bus service, and as a
@@ -104,6 +108,8 @@ in this separate package so server systems need not install X.
%patch1 -p1 -b .generate-xml-docs
%patch2 -p1
%patch3 -p1
+%patch4 -p1
+%patch5 -p1
autoreconf -f -i
@@ -248,6 +254,9 @@ fi
%{_includedir}/*
%changelog
+* Wed Jul 27 2011 Colin Walters <walters at verbum.org> - 1:1.4.6-5
+- Merge fixes from upstream for CVE-2011-2200
+
* Mon May 2 2011 Colin Walters <walters at verbum.org> - 1:1.4.6-4
- Update activation logging patch to what's upstream; don't log when
something is already activated (#701055)
More information about the scm-commits
mailing list