[dbus/f14] Merge fixes from upstream for CVE-2011-2200

Colin Walters walters at fedoraproject.org
Thu Jul 28 18:47:20 UTC 2011 

commit 2422f26fbc4fdb5ce70209b65dd5aa382ab81996
Author: Colin Walters <walters at verbum.org>
Date:   Wed Jul 27 18:47:39 2011 -0400

    Merge fixes from upstream for CVE-2011-2200
    
    Conflicts:
    
    	dbus.spec

 ...r_byteswap-change-the-first-byte-of-the-m.patch |   44 ++++++++++++++++++++
 ...e_demarshal_bytes_needed-correct-a-wrong-.patch |   31 ++++++++++++++
 dbus.spec                                          |   11 ++++-
 3 files changed, 85 insertions(+), 1 deletions(-)
---
diff --git a/0001-_dbus_header_byteswap-change-the-first-byte-of-the-m.patch b/0001-_dbus_header_byteswap-change-the-first-byte-of-the-m.patch
new file mode 100644
index 0000000..5facb36
--- /dev/null
+++ b/0001-_dbus_header_byteswap-change-the-first-byte-of-the-m.patch
@@ -0,0 +1,44 @@
+From c3223ba6c401ba81df1305851312a47c485e6cd7 Mon Sep 17 00:00:00 2001
+From: Simon McVittie <simon.mcvittie at collabora.co.uk>
+Date: Thu, 9 Jun 2011 17:52:10 +0100
+Subject: [PATCH] _dbus_header_byteswap: change the first byte of the message,
+ not just the struct member
+
+This has been wrong approximately forever, for instance see:
+http://lists.freedesktop.org/archives/dbus/2007-March/007357.html
+
+Bug: https://bugs.freedesktop.org/show_bug.cgi?id=38120
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=629938
+Reviewed-by: Will Thompson <will.thompson at collabora.co.uk>
+---
+ dbus/dbus-marshal-header.c |    6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
+
+diff --git a/dbus/dbus-marshal-header.c b/dbus/dbus-marshal-header.c
+index 3f31d7a..a6c9b80 100644
+--- a/dbus/dbus-marshal-header.c
++++ b/dbus/dbus-marshal-header.c
+@@ -1468,14 +1468,20 @@ void
+ _dbus_header_byteswap (DBusHeader *header,
+                        int         new_order)
+ {
++  unsigned char byte_order;
++
+   if (header->byte_order == new_order)
+     return;
+ 
++  byte_order = _dbus_string_get_byte (&header->data, BYTE_ORDER_OFFSET);
++  _dbus_assert (header->byte_order == byte_order);
++
+   _dbus_marshal_byteswap (&_dbus_header_signature_str,
+                           0, header->byte_order,
+                           new_order,
+                           &header->data, 0);
+ 
++  _dbus_string_set_byte (&header->data, BYTE_ORDER_OFFSET, new_order);
+   header->byte_order = new_order;
+ }
+ 
+-- 
+1.7.6
+
diff --git a/0001-dbus_message_demarshal_bytes_needed-correct-a-wrong-.patch b/0001-dbus_message_demarshal_bytes_needed-correct-a-wrong-.patch
new file mode 100644
index 0000000..127f728
--- /dev/null
+++ b/0001-dbus_message_demarshal_bytes_needed-correct-a-wrong-.patch
@@ -0,0 +1,31 @@
+From 90ac05171d018e5d2cc0c3a3195b59425a626f96 Mon Sep 17 00:00:00 2001
+From: Simon McVittie <simon.mcvittie at collabora.co.uk>
+Date: Thu, 9 Jun 2011 18:35:43 +0100
+Subject: [PATCH] dbus_message_demarshal_bytes_needed: correct a wrong
+ assertion
+
+It's entirely possible for a message to indicate how many bytes we need,
+without actually being complete.
+
+Bug: https://bugs.freedesktop.org/show_bug.cgi?id=38120
+Reviewed-by: Will Thompson <will.thompson at collabora.co.uk>
+---
+ dbus/dbus-message.c |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/dbus/dbus-message.c b/dbus/dbus-message.c
+index 24ef5ac..a59ed9b 100644
+--- a/dbus/dbus-message.c
++++ b/dbus/dbus-message.c
+@@ -4680,7 +4680,7 @@ dbus_message_demarshal_bytes_needed(const char *buf,
+ 
+   if (validity == DBUS_VALID)
+     {
+-      _dbus_assert(have_message);
++      _dbus_assert (have_message || (header_len + body_len) > len);
+       return header_len + body_len;
+     }
+   else
+-- 
+1.7.6
+
diff --git a/dbus.spec b/dbus.spec
index 667c58e..e2b8dc1 100644
--- a/dbus.spec
+++ b/dbus.spec
@@ -10,7 +10,7 @@ Summary: D-BUS message bus
 Name: dbus
 Epoch: 1
 Version: 1.4.0
-Release: 2%{?dist}
+Release: 3%{?dist}
 URL: http://www.freedesktop.org/software/dbus/
 #VCS: git:git://git.freedesktop.org/git/dbus/dbus
 Source0: http://dbus.freedesktop.org/releases/dbus/%{name}-%{version}.tar.gz
@@ -48,6 +48,10 @@ Patch1: dbus-1.0.1-generate-xml-docs.patch
 
 Patch2: CVE-2010-4352.patch
 
+# CVE 2011-2200
+Patch3: 0001-_dbus_header_byteswap-change-the-first-byte-of-the-m.patch
+Patch4: 0001-dbus_message_demarshal_bytes_needed-correct-a-wrong-.patch
+
 %description
 D-BUS is a system for sending messages between applications. It is
 used both for the system-wide message bus service, and as a
@@ -101,6 +105,8 @@ in this separate package so server systems need not install X.
 %patch0 -p1 -b .bindir
 %patch1 -p1 -b .generate-xml-docs
 %patch2 -p1
+%patch3 -p1
+%patch4 -p1
 
 autoreconf -f -i
 
@@ -245,6 +251,9 @@ fi
 %{_includedir}/*
 
 %changelog
+* Thu Jul 28 2011 Colin Walters <walters at verbum.org> - 1:1.4.0-3
+- CVE-2011-2200
+
 * Mon Dec 20 2010 Colin Walters <walters at verbum.org> - 1:1.4.0-2
 - CVE-2010-4352

More information about the scm-commits mailing list