3 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12049
4 https://lists.freedesktop.org/archives/ftp-release/2020-June/000753.html
8 https://gitlab.freedesktop.org/dbus/dbus/-/commit/272d484283883fa9ff95b69d924fff6cd34842f5
10 diff --git a/dbus/dbus-sysdeps-unix.c b/dbus/dbus-sysdeps-unix.c
11 --- a/dbus/dbus-sysdeps-unix.c
12 +++ b/dbus/dbus-sysdeps-unix.c
13 @@ -435,18 +435,6 @@ _dbus_read_socket_with_unix_fds (DBusSocket fd,
15 dbus_bool_t found = FALSE;
17 - if (m.msg_flags & MSG_CTRUNC)
19 - /* Hmm, apparently the control data was truncated. The bad
20 - thing is that we might have completely lost a couple of fds
21 - without chance to recover them. Hence let's treat this as a
25 - _dbus_string_set_length (buffer, start);
29 for (cm = CMSG_FIRSTHDR(&m); cm; cm = CMSG_NXTHDR(&m, cm))
30 if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_RIGHTS)
32 @@ -501,6 +489,26 @@ _dbus_read_socket_with_unix_fds (DBusSocket fd,
36 + if (m.msg_flags & MSG_CTRUNC)
40 + /* Hmm, apparently the control data was truncated. The bad
41 + thing is that we might have completely lost a couple of fds
42 + without chance to recover them. Hence let's treat this as a
45 + /* We still need to close whatever fds we *did* receive,
46 + * otherwise they'll never get closed. (CVE-2020-12049) */
47 + for (i = 0; i < *n_fds; i++)
52 + _dbus_string_set_length (buffer, start);
56 /* put length back (doesn't actually realloc) */
57 _dbus_string_set_length (buffer, start + bytes_read);