diff -Nru dbus-1.4.18/debian/changelog dbus-1.4.18/debian/changelog --- dbus-1.4.18/debian/changelog 2012-10-03 16:36:23.000000000 +0000 +++ dbus-1.4.18/debian/changelog 2013-06-13 14:24:23.000000000 +0000 @@ -1,3 +1,14 @@ +dbus (1.4.18-1ubuntu1.4) precise-security; urgency=low + + * SECURITY UPDATE: denial of service via _dbus_printf_string_upper_bound() + length. + - debian/patches/CVE-2013-2168.patch: use a copy of va_list in + dbus/dbus-sysdeps-unix.c, dbus/dbus-sysdeps-win.c, added test to + test/Makefile.am, test/internals/printf.c. + - CVE-2013-2168 + + -- Marc Deslauriers Thu, 13 Jun 2013 10:23:58 -0400 + dbus (1.4.18-1ubuntu1.3) precise-security; urgency=low * REGRESSION FIX: some applications launched with the activation helper diff -Nru dbus-1.4.18/debian/patches/CVE-2013-2168.patch dbus-1.4.18/debian/patches/CVE-2013-2168.patch --- dbus-1.4.18/debian/patches/CVE-2013-2168.patch 1970-01-01 00:00:00.000000000 +0000 +++ dbus-1.4.18/debian/patches/CVE-2013-2168.patch 2013-06-13 14:23:47.000000000 +0000 @@ -0,0 +1,193 @@ +Description: fix denial of service via _dbus_printf_string_upper_bound() length. +Origin: upstream, http://cgit.freedesktop.org/dbus/dbus/commit/?id=954d75b2b64e4799f360d2a6bf9cff6d9fee37e7 +Origin: upstream, http://cgit.freedesktop.org/dbus/dbus/commit/?id=2420f7ae8b72405de1a41760b213e2e0849b2b8d + +Index: dbus-1.4.18/dbus/dbus-sysdeps-unix.c +=================================================================== +--- dbus-1.4.18.orig/dbus/dbus-sysdeps-unix.c 2013-06-13 10:23:04.179216250 -0400 ++++ dbus-1.4.18/dbus/dbus-sysdeps-unix.c 2013-06-13 10:23:04.171216249 -0400 +@@ -3030,8 +3030,11 @@ + char static_buf[1024]; + int bufsize = sizeof (static_buf); + int len; ++ va_list args_copy; + +- len = vsnprintf (static_buf, bufsize, format, args); ++ DBUS_VA_COPY (args_copy, args); ++ len = vsnprintf (static_buf, bufsize, format, args_copy); ++ va_end (args_copy); + + /* If vsnprintf() returned non-negative, then either the string fits in + * static_buf, or this OS has the POSIX and C99 behaviour where vsnprintf +@@ -3047,8 +3050,12 @@ + * or the real length could be coincidentally the same. Which is it? + * If vsnprintf returns the truncated length, we'll go to the slow + * path. */ +- if (vsnprintf (static_buf, 1, format, args) == 1) ++ DBUS_VA_COPY (args_copy, args); ++ ++ if (vsnprintf (static_buf, 1, format, args_copy) == 1) + len = -1; ++ ++ va_end (args_copy); + } + + /* If vsnprintf() returned negative, we have to do more work. +@@ -3064,7 +3071,10 @@ + if (buf == NULL) + return -1; + +- len = vsnprintf (buf, bufsize, format, args); ++ DBUS_VA_COPY (args_copy, args); ++ len = vsnprintf (buf, bufsize, format, args_copy); ++ va_end (args_copy); ++ + dbus_free (buf); + + /* If the reported length is exactly the buffer size, round up to the +Index: dbus-1.4.18/dbus/dbus-sysdeps-win.c +=================================================================== +--- dbus-1.4.18.orig/dbus/dbus-sysdeps-win.c 2013-06-13 10:23:04.179216250 -0400 ++++ dbus-1.4.18/dbus/dbus-sysdeps-win.c 2013-06-13 10:23:04.175216250 -0400 +@@ -538,9 +538,12 @@ + char buf[1024]; + int bufsize; + int len; ++ va_list args_copy; + + bufsize = sizeof (buf); +- len = _vsnprintf (buf, bufsize - 1, format, args); ++ DBUS_VA_COPY (args_copy, args); ++ len = _vsnprintf (buf, bufsize - 1, format, args_copy); ++ va_end (args_copy); + + while (len == -1) /* try again */ + { +@@ -553,7 +556,9 @@ + if (p == NULL) + return -1; + +- len = _vsnprintf (p, bufsize - 1, format, args); ++ DBUS_VA_COPY (args_copy, args); ++ len = _vsnprintf (p, bufsize - 1, format, args_copy); ++ va_end (args_copy); + free (p); + } + +Index: dbus-1.4.18/test/Makefile.am +=================================================================== +--- dbus-1.4.18.orig/test/Makefile.am 2013-06-13 10:23:04.179216250 -0400 ++++ dbus-1.4.18/test/Makefile.am 2013-06-13 10:23:42.895217241 -0400 +@@ -97,6 +97,10 @@ + spawn_test_LDADD=$(TEST_LIBS) + spawn_test_LDFLAGS=@R_DYNAMIC_LDFLAG@ + ++test_printf_SOURCES = internals/printf.c ++test_printf_CPPFLAGS = -DDBUS_STATIC_BUILD $(GLIB_CFLAGS) ++test_printf_LDADD = $(top_builddir)/dbus/libdbus-internal.la ++ + test_refs_SOURCES = internals/refs.c + test_refs_CPPFLAGS = -DDBUS_STATIC_BUILD $(GLIB_CFLAGS) + test_refs_LDADD = libdbus-testutils.la $(GLIB_LIBS) $(TEST_LIBS) +@@ -119,6 +123,7 @@ + test-refs \ + test-relay \ + test-syslog \ ++ test-printf \ + $(NULL) + + installcheck_tests = +Index: dbus-1.4.18/test/internals/printf.c +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ dbus-1.4.18/test/internals/printf.c 2013-06-13 10:23:04.175216250 -0400 +@@ -0,0 +1,89 @@ ++/* Regression test for _dbus_printf_string_upper_bound ++ * ++ * Author: Simon McVittie ++ * Copyright © 2013 Intel Corporation ++ * ++ * Permission is hereby granted, free of charge, to any person ++ * obtaining a copy of this software and associated documentation files ++ * (the "Software"), to deal in the Software without restriction, ++ * including without limitation the rights to use, copy, modify, merge, ++ * publish, distribute, sublicense, and/or sell copies of the Software, ++ * and to permit persons to whom the Software is furnished to do so, ++ * subject to the following conditions: ++ * ++ * The above copyright notice and this permission notice shall be ++ * included in all copies or substantial portions of the Software. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, ++ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF ++ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ++ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS ++ * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ++ * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN ++ * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE ++ * SOFTWARE. ++ */ ++ ++#include ++ ++#define DBUS_COMPILATION /* this test uses libdbus-internal */ ++#include ++#include ++#include ++#include "test-utils.h" ++ ++#include ++#include ++ ++static void ++do_test (int minimum, ++ const char *format, ++ ...) ++{ ++ va_list ap; ++ int result; ++ ++ va_start (ap, format); ++ result = _dbus_printf_string_upper_bound (format, ap); ++ va_end (ap); ++ ++ if (result < minimum) ++ { ++ fprintf (stderr, "expected at least %d, got %d\n", minimum, result); ++ abort (); ++ } ++} ++ ++#define X_TIMES_8 "XXXXXXXX" ++#define X_TIMES_16 X_TIMES_8 X_TIMES_8 ++#define X_TIMES_32 X_TIMES_16 X_TIMES_16 ++#define X_TIMES_64 X_TIMES_32 X_TIMES_32 ++#define X_TIMES_128 X_TIMES_64 X_TIMES_64 ++#define X_TIMES_256 X_TIMES_128 X_TIMES_128 ++#define X_TIMES_512 X_TIMES_256 X_TIMES_256 ++#define X_TIMES_1024 X_TIMES_512 X_TIMES_512 ++ ++int ++main (int argc, ++ char **argv) ++{ ++ char buf[] = X_TIMES_1024 X_TIMES_1024 X_TIMES_1024 X_TIMES_1024; ++ int i; ++ ++ do_test (1, "%d", 0); ++ do_test (7, "%d", 1234567); ++ do_test (3, "%f", 3.5); ++ ++ do_test (0, "%s", ""); ++ do_test (1024, "%s", X_TIMES_1024); ++ do_test (1025, "%s", X_TIMES_1024 "Y"); ++ ++ for (i = 4096; i > 0; i--) ++ { ++ buf[i] = '\0'; ++ do_test (i, "%s", buf); ++ do_test (i + 3, "%s:%d", buf, 42); ++ } ++ ++ return 0; ++} diff -Nru dbus-1.4.18/debian/patches/series dbus-1.4.18/debian/patches/series --- dbus-1.4.18/debian/patches/series 2012-10-03 10:10:49.000000000 +0000 +++ dbus-1.4.18/debian/patches/series 2013-06-13 14:17:49.000000000 +0000 @@ -9,3 +9,4 @@ 0005-activation-implement-upstart-activation.patch CVE-2012-3524-dbus.patch CVE-2012-3524-regression-fix.patch +CVE-2013-2168.patch