| 1 | Fix CVE-2020-12049: |
| 2 | |
| 3 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12049 |
| 4 | https://lists.freedesktop.org/archives/ftp-release/2020-June/000753.html |
| 5 | |
| 6 | Taken from upstream: |
| 7 | |
| 8 | https://gitlab.freedesktop.org/dbus/dbus/-/commit/272d484283883fa9ff95b69d924fff6cd34842f5 |
| 9 | |
| 10 | diff --git a/dbus/dbus-sysdeps-unix.c b/dbus/dbus-sysdeps-unix.c |
| 11 | --- a/dbus/dbus-sysdeps-unix.c |
| 12 | +++ b/dbus/dbus-sysdeps-unix.c |
| 13 | @@ -435,18 +435,6 @@ _dbus_read_socket_with_unix_fds (DBusSocket fd, |
| 14 | struct cmsghdr *cm; |
| 15 | dbus_bool_t found = FALSE; |
| 16 | |
| 17 | - if (m.msg_flags & MSG_CTRUNC) |
| 18 | - { |
| 19 | - /* Hmm, apparently the control data was truncated. The bad |
| 20 | - thing is that we might have completely lost a couple of fds |
| 21 | - without chance to recover them. Hence let's treat this as a |
| 22 | - serious error. */ |
| 23 | - |
| 24 | - errno = ENOSPC; |
| 25 | - _dbus_string_set_length (buffer, start); |
| 26 | - return -1; |
| 27 | - } |
| 28 | - |
| 29 | for (cm = CMSG_FIRSTHDR(&m); cm; cm = CMSG_NXTHDR(&m, cm)) |
| 30 | if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_RIGHTS) |
| 31 | { |
| 32 | @@ -501,6 +489,26 @@ _dbus_read_socket_with_unix_fds (DBusSocket fd, |
| 33 | if (!found) |
| 34 | *n_fds = 0; |
| 35 | |
| 36 | + if (m.msg_flags & MSG_CTRUNC) |
| 37 | + { |
| 38 | + unsigned int i; |
| 39 | + |
| 40 | + /* Hmm, apparently the control data was truncated. The bad |
| 41 | + thing is that we might have completely lost a couple of fds |
| 42 | + without chance to recover them. Hence let's treat this as a |
| 43 | + serious error. */ |
| 44 | + |
| 45 | + /* We still need to close whatever fds we *did* receive, |
| 46 | + * otherwise they'll never get closed. (CVE-2020-12049) */ |
| 47 | + for (i = 0; i < *n_fds; i++) |
| 48 | + close (fds[i]); |
| 49 | + |
| 50 | + *n_fds = 0; |
| 51 | + errno = ENOSPC; |
| 52 | + _dbus_string_set_length (buffer, start); |
| 53 | + return -1; |
| 54 | + } |
| 55 | + |
| 56 | /* put length back (doesn't actually realloc) */ |
| 57 | _dbus_string_set_length (buffer, start + bytes_read); |
| 58 | |