summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorsbd <sbd@pkgsrc.org>2010-12-30 03:37:21 +0000
committersbd <sbd@pkgsrc.org>2010-12-30 03:37:21 +0000
commiteea1a9c67b6b8f7710942ed56d238af2dd6a1a0c (patch)
tree461b993c2aa650d10ba33ce13e348c9ccb0997e0
parent9b8abe1c04b4eb5f924fe02dd42663dfef2aaafe (diff)
downloadpkgsrc-eea1a9c67b6b8f7710942ed56d238af2dd6a1a0c.tar.gz
Pullup ticket #3313 - requested by tron
Security patch for "sysutils/dbus" Revisions pulled up: - sysutils/dbus/Makefile 1.50 - sysutils/dbus/distinfo 1.36 - sysutils/dbus/patches/patch-CVE-2010-4352-1 1.1 - sysutils/dbus/patches/patch-CVE-2010-4352-2 1.1 - sysutils/dbus/patches/patch-CVE-2010-4352-3 1.1 - sysutils/dbus/patches/patch-CVE-2010-4352-4 1.1 ------------------------------------------------------------------------- Module Name: pkgsrc Committed By: tron Date: Wed Dec 29 10:49:21 UTC 2010 Modified Files: pkgsrc/sysutils/dbus: Makefile distinfo Added Files: pkgsrc/sysutils/dbus/patches: patch-CVE-2010-4352-1 patch-CVE-2010-4352-2 patch-CVE-2010-4352-3 patch-CVE-2010-4352-4 Log Message: Add fix for vulnerability reported in CVE-2010-4352 (SA42580) taken from the "dbus" GIT repository.
-rw-r--r--sysutils/dbus/Makefile3
-rw-r--r--sysutils/dbus/distinfo6
-rw-r--r--sysutils/dbus/patches/patch-CVE-2010-4352-181
-rw-r--r--sysutils/dbus/patches/patch-CVE-2010-4352-287
-rw-r--r--sysutils/dbus/patches/patch-CVE-2010-4352-316
-rw-r--r--sysutils/dbus/patches/patch-CVE-2010-4352-429
6 files changed, 220 insertions, 2 deletions
diff --git a/sysutils/dbus/Makefile b/sysutils/dbus/Makefile
index e4bda6a042f..6fada49b0df 100644
--- a/sysutils/dbus/Makefile
+++ b/sysutils/dbus/Makefile
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.48 2010/05/27 12:36:02 obache Exp $
+# $NetBSD: Makefile,v 1.48.4.1 2010/12/30 03:37:21 sbd Exp $
DISTNAME= dbus-1.2.4.6permissive
PKGNAME= dbus-1.2.4.6
+PKGREVISION= 2
CATEGORIES= sysutils
MASTER_SITES= http://dbus.freedesktop.org/releases/dbus/
diff --git a/sysutils/dbus/distinfo b/sysutils/dbus/distinfo
index ed58af0cf5a..759a3b4914a 100644
--- a/sysutils/dbus/distinfo
+++ b/sysutils/dbus/distinfo
@@ -1,8 +1,12 @@
-$NetBSD: distinfo,v 1.35 2010/02/21 19:32:25 tez Exp $
+$NetBSD: distinfo,v 1.35.6.1 2010/12/30 03:37:22 sbd Exp $
SHA1 (dbus-1.2.4.6permissive.tar.gz) = f71219624885fe2ec1990bb8bdd599e184dd5774
RMD160 (dbus-1.2.4.6permissive.tar.gz) = 05d1c5fae8ae763a9beb8c7d6f390f3ff54e9c30
Size (dbus-1.2.4.6permissive.tar.gz) = 1575270 bytes
+SHA1 (patch-CVE-2010-4352-1) = bc83f7a2b56558b6514de8de2d6319ad84f84fce
+SHA1 (patch-CVE-2010-4352-2) = 1427c2c4aea6cd21f5d19aa8fad90b87282b232b
+SHA1 (patch-CVE-2010-4352-3) = d5598dab11bad66c2f586e418a8b409ac5fc67d5
+SHA1 (patch-CVE-2010-4352-4) = 82a43bc19bf4ef73d6e2909dd1c948798585135d
SHA1 (patch-aa) = fd7cc2e11e15e13885e882e8de51e17af8a63d70
SHA1 (patch-ab) = b2761914edfe2c7666c5412abf79c5d7b87a2006
SHA1 (patch-ac) = 63aab0ffac02a9cb85a80e31bbb1234534db378b
diff --git a/sysutils/dbus/patches/patch-CVE-2010-4352-1 b/sysutils/dbus/patches/patch-CVE-2010-4352-1
new file mode 100644
index 00000000000..c6376df57da
--- /dev/null
+++ b/sysutils/dbus/patches/patch-CVE-2010-4352-1
@@ -0,0 +1,81 @@
+$NetBSD: patch-CVE-2010-4352-1,v 1.1.2.2 2010/12/30 03:37:22 sbd Exp $
+
+Fix for CVE-2010-4352 taken from here:
+
+http://cgit.freedesktop.org/dbus/dbus/commit/?h=dbus-1.2&id=5042c1e5e6df31700215c9dc0618634911b0c9f5
+
+--- dbus/dbus-marshal-validate.c.orig 2009-05-06 18:26:48.000000000 +0100
++++ dbus/dbus-marshal-validate.c 2010-12-29 10:35:49.000000000 +0000
+@@ -289,16 +289,30 @@
+ return result;
+ }
+
++/* note: this function is also used to validate the header's values,
++ * since the header is a valid body with a particular signature.
++ */
+ static DBusValidity
+ validate_body_helper (DBusTypeReader *reader,
+ int byte_order,
+ dbus_bool_t walk_reader_to_end,
++ int total_depth,
+ const unsigned char *p,
+ const unsigned char *end,
+ const unsigned char **new_p)
+ {
+ int current_type;
+
++ /* The spec allows arrays and structs to each nest 32, for total
++ * nesting of 2*32. We want to impose the same limit on "dynamic"
++ * value nesting (not visible in the signature) which is introduced
++ * by DBUS_TYPE_VARIANT.
++ */
++ if (total_depth > (DBUS_MAXIMUM_TYPE_RECURSION_DEPTH * 2))
++ {
++ return DBUS_INVALID_NESTED_TOO_DEEPLY;
++ }
++
+ while ((current_type = _dbus_type_reader_get_current_type (reader)) != DBUS_TYPE_INVALID)
+ {
+ const unsigned char *a;
+@@ -474,7 +488,9 @@
+ {
+ while (p < array_end)
+ {
+- validity = validate_body_helper (&sub, byte_order, FALSE, p, end, &p);
++ validity = validate_body_helper (&sub, byte_order, FALSE,
++ total_depth + 1,
++ p, end, &p);
+ if (validity != DBUS_VALID)
+ return validity;
+ }
+@@ -591,7 +607,9 @@
+
+ _dbus_assert (_dbus_type_reader_get_current_type (&sub) != DBUS_TYPE_INVALID);
+
+- validity = validate_body_helper (&sub, byte_order, FALSE, p, end, &p);
++ validity = validate_body_helper (&sub, byte_order, FALSE,
++ total_depth + 1,
++ p, end, &p);
+ if (validity != DBUS_VALID)
+ return validity;
+
+@@ -620,7 +638,9 @@
+
+ _dbus_type_reader_recurse (reader, &sub);
+
+- validity = validate_body_helper (&sub, byte_order, TRUE, p, end, &p);
++ validity = validate_body_helper (&sub, byte_order, TRUE,
++ total_depth + 1,
++ p, end, &p);
+ if (validity != DBUS_VALID)
+ return validity;
+ }
+@@ -705,7 +725,7 @@
+ p = _dbus_string_get_const_data_len (value_str, value_pos, len);
+ end = p + len;
+
+- validity = validate_body_helper (&reader, byte_order, TRUE, p, end, &p);
++ validity = validate_body_helper (&reader, byte_order, TRUE, 0, p, end, &p);
+ if (validity != DBUS_VALID)
+ return validity;
+
diff --git a/sysutils/dbus/patches/patch-CVE-2010-4352-2 b/sysutils/dbus/patches/patch-CVE-2010-4352-2
new file mode 100644
index 00000000000..1637839a9df
--- /dev/null
+++ b/sysutils/dbus/patches/patch-CVE-2010-4352-2
@@ -0,0 +1,87 @@
+$NetBSD: patch-CVE-2010-4352-2,v 1.1.2.2 2010/12/30 03:37:22 sbd Exp $
+
+Fix for CVE-2010-4352 taken from here:
+
+http://cgit.freedesktop.org/dbus/dbus/commit/?h=dbus-1.2&id=5042c1e5e6df31700215c9dc0618634911b0c9f5
+
+--- dbus/dbus-message-factory.c.orig 2009-05-06 18:26:48.000000000 +0100
++++ dbus/dbus-message-factory.c 2010-12-29 10:35:49.000000000 +0000
+@@ -333,6 +333,53 @@
+ return message;
+ }
+
++static DBusMessage*
++message_with_nesting_levels (int levels)
++{
++ DBusMessage *message;
++ dbus_int32_t v_INT32;
++ DBusMessageIter *parents;
++ DBusMessageIter *children;
++ int i;
++
++ /* If levels is higher it breaks sig_refcount in DBusMessageRealIter
++ * in dbus-message.c, this assert is just to help you know you need
++ * to fix that if you hit it
++ */
++ _dbus_assert (levels < 256);
++
++ parents = dbus_new(DBusMessageIter, levels + 1);
++ children = dbus_new(DBusMessageIter, levels + 1);
++
++ v_INT32 = 42;
++ message = simple_method_call ();
++
++ i = 0;
++ dbus_message_iter_init_append (message, &parents[i]);
++ while (i < levels)
++ {
++ dbus_message_iter_open_container (&parents[i], DBUS_TYPE_VARIANT,
++ i == (levels - 1) ?
++ DBUS_TYPE_INT32_AS_STRING :
++ DBUS_TYPE_VARIANT_AS_STRING,
++ &children[i]);
++ ++i;
++ parents[i] = children[i-1];
++ }
++ --i;
++ dbus_message_iter_append_basic (&children[i], DBUS_TYPE_INT32, &v_INT32);
++ while (i >= 0)
++ {
++ dbus_message_iter_close_container (&parents[i], &children[i]);
++ --i;
++ }
++
++ dbus_free(parents);
++ dbus_free(children);
++
++ return message;
++}
++
+ static dbus_bool_t
+ generate_special (DBusMessageDataIter *iter,
+ DBusString *data,
+@@ -735,6 +782,24 @@
+
+ *expected_validity = DBUS_INVALID_DICT_ENTRY_HAS_NO_FIELDS;
+ }
++ else if (item_seq == 20)
++ {
++ /* 64 levels of nesting is OK */
++ message = message_with_nesting_levels(64);
++
++ generate_from_message (data, expected_validity, message);
++
++ *expected_validity = DBUS_VALID;
++ }
++ else if (item_seq == 21)
++ {
++ /* 65 levels of nesting is not OK */
++ message = message_with_nesting_levels(65);
++
++ generate_from_message (data, expected_validity, message);
++
++ *expected_validity = DBUS_INVALID_NESTED_TOO_DEEPLY;
++ }
+ else
+ {
+ return FALSE;
diff --git a/sysutils/dbus/patches/patch-CVE-2010-4352-3 b/sysutils/dbus/patches/patch-CVE-2010-4352-3
new file mode 100644
index 00000000000..f5f054d55bf
--- /dev/null
+++ b/sysutils/dbus/patches/patch-CVE-2010-4352-3
@@ -0,0 +1,16 @@
+$NetBSD: patch-CVE-2010-4352-3,v 1.1.2.2 2010/12/30 03:37:22 sbd Exp $
+
+Fix for CVE-2010-4352 taken from here:
+
+http://cgit.freedesktop.org/dbus/dbus/commit/?h=dbus-1.2&id=5042c1e5e6df31700215c9dc0618634911b0c9f5
+
+--- dbus/dbus-marshal-validate.h.orig 2009-05-06 18:26:48.000000000 +0100
++++ dbus/dbus-marshal-validate.h 2010-12-29 10:35:49.000000000 +0000
+@@ -117,6 +117,7 @@
+ DBUS_INVALID_DICT_ENTRY_HAS_TOO_MANY_FIELDS = 53,
+ DBUS_INVALID_DICT_ENTRY_NOT_INSIDE_ARRAY = 54,
+ DBUS_INVALID_DICT_KEY_MUST_BE_BASIC_TYPE = 55,
++ DBUS_INVALID_NESTED_TOO_DEEPLY = 56,
+ DBUS_VALIDITY_LAST
+ } DBusValidity;
+
diff --git a/sysutils/dbus/patches/patch-CVE-2010-4352-4 b/sysutils/dbus/patches/patch-CVE-2010-4352-4
new file mode 100644
index 00000000000..0b8d0b154b2
--- /dev/null
+++ b/sysutils/dbus/patches/patch-CVE-2010-4352-4
@@ -0,0 +1,29 @@
+$NetBSD: patch-CVE-2010-4352-4,v 1.1.2.2 2010/12/30 03:37:22 sbd Exp $
+
+Fix for CVE-2010-4352 taken from here:
+
+http://cgit.freedesktop.org/dbus/dbus/commit/?h=dbus-1.2&id=5042c1e5e6df31700215c9dc0618634911b0c9f5
+
+--- doc/dbus-specification.xml.orig 2009-04-17 20:45:29.000000000 +0100
++++ doc/dbus-specification.xml 2010-12-29 10:35:49.000000000 +0000
+@@ -561,12 +561,14 @@
+ </row><row>
+ <entry><literal>VARIANT</literal></entry>
+ <entry>
+- A variant type has a marshaled <literal>SIGNATURE</literal>
+- followed by a marshaled value with the type
+- given in the signature.
+- Unlike a message signature, the variant signature
+- can contain only a single complete type.
+- So "i", "ai" or "(ii)" is OK, but "ii" is not.
++ A variant type has a marshaled
++ <literal>SIGNATURE</literal> followed by a marshaled
++ value with the type given in the signature. Unlike
++ a message signature, the variant signature can
++ contain only a single complete type. So "i", "ai"
++ or "(ii)" is OK, but "ii" is not. Use of variants may not
++ cause a total message depth to be larger than 64, including
++ other container types such as structures.
+ </entry>
+ <entry>
+ 1 (alignment of the signature)