[jackhill/guix/guix.git] / gnu / packages / patches / dbus-CVE-2020-12049.patch

Fix CVE-2020-12049:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12049
https://lists.freedesktop.org/archives/ftp-release/2020-June/000753.html

Taken from upstream:

https://gitlab.freedesktop.org/dbus/dbus/-/commit/272d484283883fa9ff95b69d924fff6cd34842f5

diff --git a/dbus/dbus-sysdeps-unix.c b/dbus/dbus-sysdeps-unix.c
--- a/dbus/dbus-sysdeps-unix.c
+++ b/dbus/dbus-sysdeps-unix.c
@@ -435,18 +435,6 @@ _dbus_read_socket_with_unix_fds (DBusSocket        fd,
       struct cmsghdr *cm;
       dbus_bool_t found = FALSE;
 
-      if (m.msg_flags & MSG_CTRUNC)
-        {
-          /* Hmm, apparently the control data was truncated. The bad
-             thing is that we might have completely lost a couple of fds
-             without chance to recover them. Hence let's treat this as a
-             serious error. */
-
-          errno = ENOSPC;
-          _dbus_string_set_length (buffer, start);
-          return -1;
-        }
-
       for (cm = CMSG_FIRSTHDR(&m); cm; cm = CMSG_NXTHDR(&m, cm))
         if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_RIGHTS)
           {
@@ -501,6 +489,26 @@ _dbus_read_socket_with_unix_fds (DBusSocket        fd,
       if (!found)
         *n_fds = 0;
 
+      if (m.msg_flags & MSG_CTRUNC)
+        {
+          unsigned int i;
+
+          /* Hmm, apparently the control data was truncated. The bad
+             thing is that we might have completely lost a couple of fds
+             without chance to recover them. Hence let's treat this as a
+             serious error. */
+
+          /* We still need to close whatever fds we *did* receive,
+           * otherwise they'll never get closed. (CVE-2020-12049) */
+          for (i = 0; i < *n_fds; i++)
+            close (fds[i]);
+
+          *n_fds = 0;
+          errno = ENOSPC;
+          _dbus_string_set_length (buffer, start);
+          return -1;
+        }
+
       /* put length back (doesn't actually realloc) */
       _dbus_string_set_length (buffer, start + bytes_read);
Commit	Line	Data
9a46e0dd MB	1	Fix CVE-2020-12049:
	2
	3	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12049
	4	https://lists.freedesktop.org/archives/ftp-release/2020-June/000753.html
	5
	6	Taken from upstream:
	7
	8	https://gitlab.freedesktop.org/dbus/dbus/-/commit/272d484283883fa9ff95b69d924fff6cd34842f5
	9
	10	diff --git a/dbus/dbus-sysdeps-unix.c b/dbus/dbus-sysdeps-unix.c
	11	--- a/dbus/dbus-sysdeps-unix.c
	12	+++ b/dbus/dbus-sysdeps-unix.c
	13	@@ -435,18 +435,6 @@ _dbus_read_socket_with_unix_fds (DBusSocket fd,
	14	struct cmsghdr *cm;
	15	dbus_bool_t found = FALSE;
	16
	17	- if (m.msg_flags & MSG_CTRUNC)
	18	- {
	19	- /* Hmm, apparently the control data was truncated. The bad
	20	- thing is that we might have completely lost a couple of fds
	21	- without chance to recover them. Hence let's treat this as a
	22	- serious error. */
	23	-
	24	- errno = ENOSPC;
	25	- _dbus_string_set_length (buffer, start);
	26	- return -1;
	27	- }
	28	-
	29	for (cm = CMSG_FIRSTHDR(&m); cm; cm = CMSG_NXTHDR(&m, cm))
	30	if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_RIGHTS)
	31	{
	32	@@ -501,6 +489,26 @@ _dbus_read_socket_with_unix_fds (DBusSocket fd,
	33	if (!found)
	34	*n_fds = 0;
	35
	36	+ if (m.msg_flags & MSG_CTRUNC)
	37	+ {
	38	+ unsigned int i;
	39	+
	40	+ /* Hmm, apparently the control data was truncated. The bad
	41	+ thing is that we might have completely lost a couple of fds
	42	+ without chance to recover them. Hence let's treat this as a
	43	+ serious error. */
	44	+
	45	+ /* We still need to close whatever fds we did receive,
	46	+ * otherwise they'll never get closed. (CVE-2020-12049) */
	47	+ for (i = 0; i < *n_fds; i++)
	48	+ close (fds[i]);
	49	+
	50	+ *n_fds = 0;
	51	+ errno = ENOSPC;
	52	+ _dbus_string_set_length (buffer, start);
	53	+ return -1;
	54	+ }
	55	+
	56	/* put length back (doesn't actually realloc) */
	57	_dbus_string_set_length (buffer, start + bytes_read);
	58