Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 
<b8d89cdfeeda7b6d1ef96a8706a20f9525c2151b.ca...@adam-barratt.org.uk>
and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #962068,
regarding stretch-pu: package dbus/1.10.30-0+deb9u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
962068: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962068
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu

dbus 1.10.30 fixes CVE-2020-12049, a local denial of service vulnerability
(file-descriptor exhaustion of the system dbus-daemon via leaked passed
fds) for which the Security Team have indicated they do not intend to
issue a DSA (the same fix as in 1.12.18).

If possible I would like to continue to fix dbus issues in stretch via
new upstream releases; this one only contains the CVE fix, plus its
regression test and the usual Autotools noise.

Proposed diff (modulo `dch -r`) attached, filtered through:

git diff --stat -p origin/debian/stretch.. | \
filterdiff -p1 \
--exclude=Makefile.in --exclude='**/Makefile.in' \
--exclude=aclocal.m4 \
--exclude=aminclude_static.am \
--exclude=build-aux/compile \
--exclude=build-aux/depcomp \
--exclude=build-aux/install-sh \
--exclude=build-aux/ltmain.sh \
--exclude=build-aux/missing \
--exclude=build-aux/tap-driver.sh \
--exclude=configure \
--exclude=m4/libtool.m4

Thanks,
    smcv
 Makefile.in                | 39 ++++++++++++++++++++--------------
 NEWS                       | 33 +++++++++++++++++++++++++++++
 aclocal.m4                 | 52 ++++++++++++++++++++++++----------------------
 build-aux/compile          |  6 +++---
 build-aux/depcomp          |  2 +-
 build-aux/install-sh       | 13 +++++++++++-
 build-aux/ltmain.sh        | 10 +++++----
 build-aux/missing          |  2 +-
 build-aux/tap-driver.sh    |  2 +-
 bus/Makefile.in            |  4 ++--
 bus/connection.c           |  7 ++++---
 configure                  | 36 +++++++++++++++++---------------
 configure.ac               |  4 ++--
 dbus/Makefile.in           |  4 ++--
 dbus/dbus-sysdeps-unix.c   | 32 +++++++++++++++++-----------
 debian/changelog           |  8 +++++++
 doc/Makefile.in            |  4 ++--
 m4/libtool.m4              |  6 +++---
 test/Makefile.in           |  4 ++--
 test/fdpass.c              | 14 +++++++++++++
 test/name-test/Makefile.in |  4 ++--
 tools/Makefile.in          |  4 ++--
 22 files changed, 189 insertions(+), 101 deletions(-)

diff --git a/NEWS b/NEWS
index 46652396..9b33a786 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,36 @@
+dbus 1.10.x end-of-life plans
+==
+
+The dbus 1.10.x branch was originally released in 2015. It currently
+receives security-fix releases whenever necessary, but it is planned to
+reach end-of-life status at the end of Debian 9's official security
+support (approximately July 2020). If you are a dbus downstream
+maintainer in a long-lived OS distribution and you want to use the
+upstream dbus-1.10 git branch as a place to share backported security
+fixes with other distributions, please contact the dbus maintainers via
+the dbus-security mailing list on lists.freedesktop.org.
+
+dbus 1.10.30 (2020-06-02)
+==
+
+The “centaur bus” release.
+
+Denial of service fixes:
+
+• CVE-2020-12049: If a message contains more file descriptors than can
+  be sent, close those that did get through before reporting error.
+  Previously, a local attacker could cause the system dbus-daemon (or
+  another system service with its own DBusServer) to run out of file
+  descriptors, by repeatedly connecting to the server and sending fds that
+  would get leaked.
+  Thanks to Kevin Backhouse of GitHub Security Lab.
+  (dbus#294, GHSL-2020-057; Simon McVittie)
+
+Other fixes:
+
+• Fix a crash when the dbus-daemon is terminated while one or more
+  monitors are active (dbus#291, dbus!140; Simon McVittie)
+
 dbus 1.10.28 (2019-06-11)
 ==
 
diff --git a/bus/connection.c b/bus/connection.c
index 31ed6be7..05daa6a4 100644
--- a/bus/connection.c
+++ b/bus/connection.c
@@ -540,9 +540,6 @@ bus_connections_unref (BusConnections *connections)
 
       _dbus_assert (connections->n_incomplete == 0);
 
-      /* drop all monitors */
-      _dbus_list_clear (&connections->monitors);
-
       /* drop all real connections */
       while (connections->completed != NULL)
         {
@@ -558,6 +555,10 @@ bus_connections_unref (BusConnections *connections)
 
       _dbus_assert (connections->n_completed == 0);
 
+      /* disconnecting all the connections should have emptied the list of
+       * monitors (each link is removed in bus_connection_disconnected) */
+      _dbus_assert (connections->monitors == NULL);
+
       bus_expire_list_free (connections->pending_replies);
       
       _dbus_loop_remove_timeout (bus_context_get_loop (connections->context),
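Review bot: The new `_dbus_assert (connections->monitors == NULL)` only checks the invariant in builds where dbus assertions are compiled in; with the unconditional `_dbus_list_clear (&connections->monitors)` gone from the earlier hunk, a build without assertions that somehow still has a link in the list at this point would now leak it silently instead of freeing it. If every monitor link is guaranteed to be removed in bus_connection_disconnected, the assertion is the right check, but the comment should say why clearing here is no longer safe, e.g. `/* do NOT clear the list here: the links are owned by the connections and are freed when each one disconnects (dbus#291) */`. If that guarantee is not absolute, a `_dbus_list_clear (&connections->monitors);` after the assertion would keep release builds leak-free without reintroducing the early clear. bus_connections_unref starts before this hunk and continues after it.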
diff --git a/configure.ac b/configure.ac
index 04ebae5f..ee3da6a9 100644
--- a/configure.ac
+++ b/configure.ac
@@ -3,7 +3,7 @@ AC_PREREQ([2.63])
 
 m4_define([dbus_major_version], [1])
 m4_define([dbus_minor_version], [10])
-m4_define([dbus_micro_version], [28])
+m4_define([dbus_micro_version], [30])
 m4_define([dbus_version],
           [dbus_major_version.dbus_minor_version.dbus_micro_version])
 AC_INIT([dbus],[dbus_version],[https://bugs.freedesktop.org/enter_bug.cgi?product=dbus],[dbus])
@@ -38,7 +38,7 @@ LT_CURRENT=17
 
 ## increment any time the source changes; set to
 ##  0 if you increment CURRENT
-LT_REVISION=16
+LT_REVISION=17
 
 ## increment if any interfaces have been added; set to 0
 ## if any interfaces have been changed or removed. removal has
diff --git a/dbus/dbus-sysdeps-unix.c b/dbus/dbus-sysdeps-unix.c
index b7309712..6303dbc4 100644
--- a/dbus/dbus-sysdeps-unix.c
+++ b/dbus/dbus-sysdeps-unix.c
@@ -432,18 +432,6 @@ _dbus_read_socket_with_unix_fds (DBusSocket        fd,
       struct cmsghdr *cm;
       dbus_bool_t found = FALSE;
 
-      if (m.msg_flags & MSG_CTRUNC)
-        {
-          /* Hmm, apparently the control data was truncated. The bad
-             thing is that we might have completely lost a couple of fds
-             without chance to recover them. Hence let's treat this as a
-             serious error. */
-
-          errno = ENOSPC;
-          _dbus_string_set_length (buffer, start);
-          return -1;
-        }
-
       for (cm = CMSG_FIRSTHDR(&m); cm; cm = CMSG_NXTHDR(&m, cm))
         if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_RIGHTS)
           {
@@ -498,6 +486,26 @@ _dbus_read_socket_with_unix_fds (DBusSocket        fd,
       if (!found)
         *n_fds = 0;
 
+      if (m.msg_flags & MSG_CTRUNC)
+        {
+          int i;
+
+          /* Hmm, apparently the control data was truncated. The bad
+             thing is that we might have completely lost a couple of fds
+             without chance to recover them. Hence let's treat this as a
+             serious error. */
+
+          /* We still need to close whatever fds we *did* receive,
+           * otherwise they'll never get closed. (CVE-2020-12049) */
+          for (i = 0; i < *n_fds; i++)
+            close (fds[i]);
+
+          *n_fds = 0;
+          errno = ENOSPC;
+          _dbus_string_set_length (buffer, start);
+          return -1;
+        }
+
       /* put length back (doesn't actually realloc) */
       _dbus_string_set_length (buffer, start + bytes_read);
 
diff --git a/debian/changelog b/debian/changelog
index 2b8cdecb..d1420e1e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+dbus (1.10.30-0+deb9u1~1) UNRELEASED; urgency=medium
+
+  * New upstream stable release
+    - CVE-2020-12049: Prevent a denial of service attack in which a local
+      user can make the system dbus-daemon run out of file descriptors
+
+ -- Simon McVittie <s...@debian.org>  Tue, 02 Jun 2020 17:02:37 +0100
+
 dbus (1.10.28-0+deb9u1) stretch-security; urgency=medium
 
   * New upstream stable release
diff --git a/test/fdpass.c b/test/fdpass.c
index 665b4a12..d8d9c670 100644
--- a/test/fdpass.c
+++ b/test/fdpass.c
@@ -50,6 +50,14 @@
 
 #include "test-utils-glib.h"
 
+#ifdef DBUS_ENABLE_EMBEDDED_TESTS
+#include <dbus/dbus-message-internal.h>
+#else
+typedef struct _DBusInitialFDs DBusInitialFDs;
+#define _dbus_check_fdleaks_enter() NULL
+#define _dbus_check_fdleaks_leave(fds) do {} while (0)
+#endif
+
 /* Arbitrary; included here to avoid relying on the default */
 #define MAX_MESSAGE_UNIX_FDS 20
 /* This test won't work on Linux unless this is true. */
@@ -91,6 +99,7 @@ typedef struct {
     GQueue messages;
 
     int fd_before;
+    DBusInitialFDs *initial_fds;
 } Fixture;
 
 static void oom (const gchar *doing) G_GNUC_NORETURN;
@@ -172,6 +181,8 @@ test_connect (Fixture *f,
 {
   char *address;
 
+  f->initial_fds = _dbus_check_fdleaks_enter ();
+
   g_assert (f->left_server_conn == NULL);
   g_assert (f->right_server_conn == NULL);
 
@@ -835,6 +846,9 @@ teardown (Fixture *f,
   if (f->fd_before >= 0 && close (f->fd_before) < 0)
     g_error ("%s", g_strerror (errno));
 #endif
+
+  if (f->initial_fds != NULL)
+    _dbus_check_fdleaks_leave (f->initial_fds);
 }
 
 int

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 9.13

Hi,

All of these requests relate to updates that were included in today's
stretch point release.

Regards,

Adam

--- End Message ---
