diff -Nru dbus-1.12.2/debian/changelog dbus-1.12.2/debian/changelog
--- dbus-1.12.2/debian/changelog 2019-06-10 18:05:17.000000000 +0000
+++ dbus-1.12.2/debian/changelog 2020-06-11 18:25:30.000000000 +0000
@@ -1,3 +1,14 @@
+dbus (1.12.2-1ubuntu1.2) bionic-security; urgency=medium
+
+ * SECURITY UPDATE: DoS via file descriptor leak
+ - debian/patches/CVE-2020-12049-1.patch: on MSG_CTRUNC, close the fds
+ we did receive in dbus/dbus-sysdeps-unix.c.
+ - debian/patches/CVE-2020-12049-2.patch: assert that we don't leak file
+ descriptors in test/fdpass.c.
+ - CVE-2020-12049
+
+ -- Marc Deslauriers Thu, 11 Jun 2020 14:25:30 -0400
+
 dbus (1.12.2-1ubuntu1.1) bionic-security; urgency=medium
 
 * SECURITY UPDATE: DBUS_COOKIE_SHA1 implementation flaw
diff -Nru dbus-1.12.2/debian/patches/CVE-2020-12049-1.patch dbus-1.12.2/debian/patches/CVE-2020-12049-1.patch
--- dbus-1.12.2/debian/patches/CVE-2020-12049-1.patch 1970-01-01 00:00:00.000000000 +0000
+++ dbus-1.12.2/debian/patches/CVE-2020-12049-1.patch 2020-06-11 18:24:51.000000000 +0000
@@ -0,0 +1,74 @@
+From 272d484283883fa9ff95b69d924fff6cd34842f5 Mon Sep 17 00:00:00 2001
+From: Simon McVittie
+Date: Thu, 16 Apr 2020 14:45:11 +0100
+Subject: [PATCH] sysdeps-unix: On MSG_CTRUNC, close the fds we did receive
+
+MSG_CTRUNC indicates that we have received fewer fds that we should
+have done because the buffer was too small, but we were treating it
+as though it indicated that we received *no* fds. If we received any,
+we still have to make sure we close them, otherwise they will be leaked.
+
+On the system bus, if an attacker can induce us to leak fds in this
+way, that's a local denial of service via resource exhaustion.
+
+Reported-by: Kevin Backhouse, GitHub Security Lab
+Fixes: dbus#294
+Fixes: CVE-2020-12049
+Fixes: GHSL-2020-057
+---
+ dbus/dbus-sysdeps-unix.c | 32 ++++++++++++++++++++------------
+ 1 file changed, 20 insertions(+), 12 deletions(-)
+
+diff --git a/dbus/dbus-sysdeps-unix.c b/dbus/dbus-sysdeps-unix.c
+index e8cd5b334..f9dc2a6e5 100644
+--- a/dbus/dbus-sysdeps-unix.c
++++ b/dbus/dbus-sysdeps-unix.c
+@@ -435,18 +435,6 @@ _dbus_read_socket_with_unix_fds (DBusSocket fd,
+ struct cmsghdr *cm;
+ dbus_bool_t found = FALSE;
+
+- if (m.msg_flags & MSG_CTRUNC)
+- {
+- /* Hmm, apparently the control data was truncated. The bad
+- thing is that we might have completely lost a couple of fds
+- without chance to recover them. Hence let's treat this as a
+- serious error. */
+-
+- errno = ENOSPC;
+- _dbus_string_set_length (buffer, start);
+- return -1;
+- }
+-
+ for (cm = CMSG_FIRSTHDR(&m); cm; cm = CMSG_NXTHDR(&m, cm))
+ if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_RIGHTS)
+ {
+@@ -501,6 +489,26 @@ _dbus_read_socket_with_unix_fds (DBusSocket fd,
+ if (!found)
+ *n_fds = 0;
+
++ if (m.msg_flags & MSG_CTRUNC)
++ {
++ unsigned int i;
++
++ /* Hmm, apparently the control data was truncated. The bad
++ thing is that we might have completely lost a couple of fds
++ without chance to recover them. Hence let's treat this as a
++ serious error. */
++
++ /* We still need to close whatever fds we *did* receive,
++ * otherwise they'll never get closed. (CVE-2020-12049) */
++ for (i = 0; i < *n_fds; i++)
++ close (fds[i]);
++
++ *n_fds = 0;
++ errno = ENOSPC;
++ _dbus_string_set_length (buffer, start);
++ return -1;
++ }
++
+ /* put length back (doesn't actually realloc) */
+ _dbus_string_set_length (buffer, start + bytes_read);
+
+--
+2.26.2
+
diff -Nru dbus-1.12.2/debian/patches/CVE-2020-12049-2.patch dbus-1.12.2/debian/patches/CVE-2020-12049-2.patch
--- dbus-1.12.2/debian/patches/CVE-2020-12049-2.patch 1970-01-01 00:00:00.000000000 +0000
+++ dbus-1.12.2/debian/patches/CVE-2020-12049-2.patch 2020-06-11 18:24:59.000000000 +0000
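Review bot: In the new MSG_CTRUNC block of the second inner hunk, the `close (fds[i])` loop can overwrite errno, so the `errno = ENOSPC;` that follows reports the intended error only because it is sequenced after the loop; a one-line comment would pin that ordering, e.g. `/* close() may clobber errno; report ENOSPC only after the loop */` directly above `errno = ENOSPC;`. Each close() return value is discarded, which is acceptable on this bail-out path since the descriptors are unusable either way, but the same comment can say so. The loop index is `unsigned int` while the pointee type of `n_fds` is not visible in the hunk; if it is a signed int, `i < *n_fds` is a mixed-sign comparison that -Wsign-compare will flag, so declaring `i` with the same type as `*n_fds` would be cleaner. The enclosing _dbus_read_socket_with_unix_fds starts and ends outside both inner hunks, and the SCM_RIGHTS branch that fills `fds` and sets `*n_fds` lies between them, so the loop's correctness depends on that unseen code having run before the truncation check.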
@@ -0,0 +1,60 @@
+From 8bc1381819e5a845331650bfa28dacf6d2ac1748 Mon Sep 17 00:00:00 2001
+From: Simon McVittie
+Date: Thu, 16 Apr 2020 14:41:48 +0100
+Subject: [PATCH] fdpass test: Assert that we don't leak file descriptors
+
+This version is for the dbus-1.12 branch, and doesn't rely on dbus!153
+or dbus!120.
+
+Reproduces: dbus#294
+Reproduces: CVE-2020-12049
+Reproduces: GHSL-2020-057
+Signed-off-by: Simon McVittie
+---
+ test/fdpass.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/test/fdpass.c
++++ b/test/fdpass.c
+@@ -50,6 +50,14 @@
+
+ #include "test-utils-glib.h"
+
++#ifdef DBUS_ENABLE_EMBEDDED_TESTS
++#include
++#else
++typedef struct _DBusInitialFDs DBusInitialFDs;
++#define _dbus_check_fdleaks_enter() NULL
++#define _dbus_check_fdleaks_leave(fds) do {} while (0)
++#endif
++
+ /* Arbitrary; included here to avoid relying on the default */
+ #define MAX_MESSAGE_UNIX_FDS 20
+ /* This test won't work on Linux unless this is true. */
+@@ -91,6 +99,7 @@ typedef struct {
+ GQueue messages;
+
+ int fd_before;
++ DBusInitialFDs *initial_fds;
+ } Fixture;
+
+ static void oom (const gchar *doing) G_GNUC_NORETURN;
+@@ -172,6 +181,8 @@ test_connect (Fixture *f,
+ {
+ char *address;
+
++ f->initial_fds = _dbus_check_fdleaks_enter ();
++
+ g_assert (f->left_server_conn == NULL);
+ g_assert (f->right_server_conn == NULL);
+
+@@ -837,6 +848,9 @@ teardown (Fixture *f,
+ if (f->fd_before >= 0 && close (f->fd_before) < 0)
+ g_error ("%s", g_strerror (errno));
+ #endif
++
++ if (f->initial_fds != NULL)
++ _dbus_check_fdleaks_leave (f->initial_fds);
+ }
+
+ int
diff -Nru dbus-1.12.2/debian/patches/series dbus-1.12.2/debian/patches/series
--- dbus-1.12.2/debian/patches/series 2019-06-10 18:05:10.000000000 +0000
+++ dbus-1.12.2/debian/patches/series 2020-06-11 18:24:55.000000000 +0000
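Review bot: The `+#include` line at the top of the first inner hunk carries no header operand as rendered here and would not preprocess; the name was most likely lost to the same rendering that stripped the e-mail addresses from the From: and Signed-off-by: lines (angle brackets dropped), so confirm the patch on disk names the private header that declares `DBusInitialFDs`, `_dbus_check_fdleaks_enter` and `_dbus_check_fdleaks_leave`. The `#else` branch stubs those three out, so a build without DBUS_ENABLE_EMBEDDED_TESTS turns the leak assertion in `teardown` into a silent no-op; a comment there such as `/* fd-leak checking needs embedded tests; otherwise these are no-ops and the test only exercises fd passing */` would make a passing run easier to interpret. The `f->initial_fds != NULL` guard in `teardown` presumes the Fixture is zero-filled before `test_connect` runs, which is not shown in the hunk — presumably the GLib fixture allocation does that, but it is worth confirming. `test_connect` and `teardown` both start and end outside their hunks.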
@@ -3,3 +3,5 @@
 ubuntu/dont-stop-dbus.patch
 0001-auth-Reject-DBUS_COOKIE_SHA1-for-users-other-than-th.patch
 0002-test-Add-basic-test-coverage-for-DBUS_COOKIE_SHA1.patch
+CVE-2020-12049-1.patch
+CVE-2020-12049-2.patch