Pullup ticket #3313 - requested by tron

Security patch for "sysutils/dbus"

Revisions pulled up:
- sysutils/dbus/Makefile			1.50
- sysutils/dbus/distinfo			1.36
- sysutils/dbus/patches/patch-CVE-2010-4352-1	1.1
- sysutils/dbus/patches/patch-CVE-2010-4352-2	1.1
- sysutils/dbus/patches/patch-CVE-2010-4352-3	1.1
- sysutils/dbus/patches/patch-CVE-2010-4352-4	1.1

-------------------------------------------------------------------------
   Module Name:	pkgsrc
   Committed By:	tron
   Date:		Wed Dec 29 10:49:21 UTC 2010

   Modified Files:
   	pkgsrc/sysutils/dbus: Makefile distinfo
   Added Files:
   	pkgsrc/sysutils/dbus/patches: patch-CVE-2010-4352-1
   	    patch-CVE-2010-4352-2 patch-CVE-2010-4352-3 patch-CVE-2010-4352-4

   Log Message:
   Add fix for vulnerability reported in CVE-2010-4352 (SA42580) taken
   from the "dbus" GIT repository.

6 files changed, 220 insertions, 2 deletions

diff --git a/sysutils/dbus/Makefile b/sysutils/dbus/Makefile
index e4bda6a042f..6fada49b0df 100644
--- a/sysutils/dbus/Makefile
+++ b/sysutils/dbus/Makefile
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.48 2010/05/27 12:36:02 obache Exp $
+# $NetBSD: Makefile,v 1.48.4.1 2010/12/30 03:37:21 sbd Exp $
 
 DISTNAME=	dbus-1.2.4.6permissive
 PKGNAME=	dbus-1.2.4.6
+PKGREVISION=	2
 CATEGORIES=	sysutils
 MASTER_SITES=	http://dbus.freedesktop.org/releases/dbus/
 
diff --git a/sysutils/dbus/distinfo b/sysutils/dbus/distinfo
index ed58af0cf5a..759a3b4914a 100644
--- a/sysutils/dbus/distinfo
+++ b/sysutils/dbus/distinfo
@@ -1,8 +1,12 @@
-$NetBSD: distinfo,v 1.35 2010/02/21 19:32:25 tez Exp $
+$NetBSD: distinfo,v 1.35.6.1 2010/12/30 03:37:22 sbd Exp $
 
 SHA1 (dbus-1.2.4.6permissive.tar.gz) = f71219624885fe2ec1990bb8bdd599e184dd5774
 RMD160 (dbus-1.2.4.6permissive.tar.gz) = 05d1c5fae8ae763a9beb8c7d6f390f3ff54e9c30
 Size (dbus-1.2.4.6permissive.tar.gz) = 1575270 bytes
+SHA1 (patch-CVE-2010-4352-1) = bc83f7a2b56558b6514de8de2d6319ad84f84fce
+SHA1 (patch-CVE-2010-4352-2) = 1427c2c4aea6cd21f5d19aa8fad90b87282b232b
+SHA1 (patch-CVE-2010-4352-3) = d5598dab11bad66c2f586e418a8b409ac5fc67d5
+SHA1 (patch-CVE-2010-4352-4) = 82a43bc19bf4ef73d6e2909dd1c948798585135d
 SHA1 (patch-aa) = fd7cc2e11e15e13885e882e8de51e17af8a63d70
 SHA1 (patch-ab) = b2761914edfe2c7666c5412abf79c5d7b87a2006
 SHA1 (patch-ac) = 63aab0ffac02a9cb85a80e31bbb1234534db378b
diff --git a/sysutils/dbus/patches/patch-CVE-2010-4352-1 b/sysutils/dbus/patches/patch-CVE-2010-4352-1
new file mode 100644
index 00000000000..c6376df57da
--- /dev/null
+++ b/sysutils/dbus/patches/patch-CVE-2010-4352-1
@@ -0,0 +1,81 @@
+$NetBSD: patch-CVE-2010-4352-1,v 1.1.2.2 2010/12/30 03:37:22 sbd Exp $
+
+Fix for CVE-2010-4352 taken from here:
+
+http://cgit.freedesktop.org/dbus/dbus/commit/?h=dbus-1.2&id=5042c1e5e6df31700215c9dc0618634911b0c9f5
+
+--- dbus/dbus-marshal-validate.c.orig	2009-05-06 18:26:48.000000000 +0100
++++ dbus/dbus-marshal-validate.c	2010-12-29 10:35:49.000000000 +0000
+@@ -289,16 +289,30 @@
+   return result;
+ }
+ 
++/* note: this function is also used to validate the header's values,
++ * since the header is a valid body with a particular signature.
++ */
+ static DBusValidity
+ validate_body_helper (DBusTypeReader       *reader,
+                       int                   byte_order,
+                       dbus_bool_t           walk_reader_to_end,
++                      int                   total_depth,
+                       const unsigned char  *p,
+                       const unsigned char  *end,
+                       const unsigned char **new_p)
+ {
+   int current_type;
+ 
++  /* The spec allows arrays and structs to each nest 32, for total
++   * nesting of 2*32. We want to impose the same limit on "dynamic"
++   * value nesting (not visible in the signature) which is introduced
++   * by DBUS_TYPE_VARIANT.
++   */
++  if (total_depth > (DBUS_MAXIMUM_TYPE_RECURSION_DEPTH * 2))
++    {
++      return DBUS_INVALID_NESTED_TOO_DEEPLY;
++    }
++
+   while ((current_type = _dbus_type_reader_get_current_type (reader)) != DBUS_TYPE_INVALID)
+     {
+       const unsigned char *a;
+@@ -474,7 +488,9 @@
+                   {
+                     while (p < array_end)
+                       {
+-                        validity = validate_body_helper (&sub, byte_order, FALSE, p, end, &p);
++                        validity = validate_body_helper (&sub, byte_order, FALSE,
++                                                         total_depth + 1,
++                                                         p, end, &p);
+                         if (validity != DBUS_VALID)
+                           return validity;
+                       }
+@@ -591,7 +607,9 @@
+ 
+             _dbus_assert (_dbus_type_reader_get_current_type (&sub) != DBUS_TYPE_INVALID);
+ 
+-            validity = validate_body_helper (&sub, byte_order, FALSE, p, end, &p);
++            validity = validate_body_helper (&sub, byte_order, FALSE,
++                                             total_depth + 1,
++                                             p, end, &p);
+             if (validity != DBUS_VALID)
+               return validity;
+ 
+@@ -620,7 +638,9 @@
+ 
+             _dbus_type_reader_recurse (reader, &sub);
+ 
+-            validity = validate_body_helper (&sub, byte_order, TRUE, p, end, &p);
++            validity = validate_body_helper (&sub, byte_order, TRUE,
++                                             total_depth + 1,
++                                             p, end, &p);
+             if (validity != DBUS_VALID)
+               return validity;
+           }
+@@ -705,7 +725,7 @@
+   p = _dbus_string_get_const_data_len (value_str, value_pos, len);
+   end = p + len;
+ 
+-  validity = validate_body_helper (&reader, byte_order, TRUE, p, end, &p);
++  validity = validate_body_helper (&reader, byte_order, TRUE, 0, p, end, &p);
+   if (validity != DBUS_VALID)
+     return validity;
+   
diff --git a/sysutils/dbus/patches/patch-CVE-2010-4352-2 b/sysutils/dbus/patches/patch-CVE-2010-4352-2
new file mode 100644
index 00000000000..1637839a9df
--- /dev/null
+++ b/sysutils/dbus/patches/patch-CVE-2010-4352-2
@@ -0,0 +1,87 @@
+$NetBSD: patch-CVE-2010-4352-2,v 1.1.2.2 2010/12/30 03:37:22 sbd Exp $
+
+Fix for CVE-2010-4352 taken from here:
+
+http://cgit.freedesktop.org/dbus/dbus/commit/?h=dbus-1.2&id=5042c1e5e6df31700215c9dc0618634911b0c9f5
+
+--- dbus/dbus-message-factory.c.orig	2009-05-06 18:26:48.000000000 +0100
++++ dbus/dbus-message-factory.c	2010-12-29 10:35:49.000000000 +0000
+@@ -333,6 +333,53 @@
+   return message;
+ }
+ 
++static DBusMessage*
++message_with_nesting_levels (int levels)
++{
++  DBusMessage *message;
++  dbus_int32_t v_INT32;
++  DBusMessageIter *parents;
++  DBusMessageIter *children;
++  int i;
++
++  /* If levels is higher it breaks sig_refcount in DBusMessageRealIter
++   * in dbus-message.c, this assert is just to help you know you need
++   * to fix that if you hit it
++   */
++  _dbus_assert (levels < 256);
++
++  parents = dbus_new(DBusMessageIter, levels + 1);
++  children = dbus_new(DBusMessageIter, levels + 1);
++
++  v_INT32 = 42;
++  message = simple_method_call ();
++
++  i = 0;
++  dbus_message_iter_init_append (message, &parents[i]);
++  while (i < levels)
++    {
++      dbus_message_iter_open_container (&parents[i], DBUS_TYPE_VARIANT,
++                                        i == (levels - 1) ?
++                                        DBUS_TYPE_INT32_AS_STRING :
++                                        DBUS_TYPE_VARIANT_AS_STRING,
++                                        &children[i]);
++      ++i;
++      parents[i] = children[i-1];
++    }
++  --i;
++  dbus_message_iter_append_basic (&children[i], DBUS_TYPE_INT32, &v_INT32);
++  while (i >= 0)
++    {
++      dbus_message_iter_close_container (&parents[i], &children[i]);
++      --i;
++    }
++
++  dbus_free(parents);
++  dbus_free(children);
++
++  return message;
++}
++
+ static dbus_bool_t
+ generate_special (DBusMessageDataIter   *iter,
+                   DBusString            *data,
+@@ -735,6 +782,24 @@
+       
+       *expected_validity = DBUS_INVALID_DICT_ENTRY_HAS_NO_FIELDS;
+     }
++  else if (item_seq == 20)
++    {
++      /* 64 levels of nesting is OK */
++      message = message_with_nesting_levels(64);
++
++      generate_from_message (data, expected_validity, message);
++
++      *expected_validity = DBUS_VALID;
++    }
++  else if (item_seq == 21)
++    {
++      /* 65 levels of nesting is not OK */
++      message = message_with_nesting_levels(65);
++
++      generate_from_message (data, expected_validity, message);
++
++      *expected_validity = DBUS_INVALID_NESTED_TOO_DEEPLY;
++    }
+   else
+     {
+       return FALSE;
diff --git a/sysutils/dbus/patches/patch-CVE-2010-4352-3 b/sysutils/dbus/patches/patch-CVE-2010-4352-3
new file mode 100644
index 00000000000..f5f054d55bf
--- /dev/null
+++ b/sysutils/dbus/patches/patch-CVE-2010-4352-3
@@ -0,0 +1,16 @@
+$NetBSD: patch-CVE-2010-4352-3,v 1.1.2.2 2010/12/30 03:37:22 sbd Exp $
+
+Fix for CVE-2010-4352 taken from here:
+
+http://cgit.freedesktop.org/dbus/dbus/commit/?h=dbus-1.2&id=5042c1e5e6df31700215c9dc0618634911b0c9f5
+
+--- dbus/dbus-marshal-validate.h.orig	2009-05-06 18:26:48.000000000 +0100
++++ dbus/dbus-marshal-validate.h	2010-12-29 10:35:49.000000000 +0000
+@@ -117,6 +117,7 @@
+   DBUS_INVALID_DICT_ENTRY_HAS_TOO_MANY_FIELDS = 53,
+   DBUS_INVALID_DICT_ENTRY_NOT_INSIDE_ARRAY = 54,
+   DBUS_INVALID_DICT_KEY_MUST_BE_BASIC_TYPE = 55,
++  DBUS_INVALID_NESTED_TOO_DEEPLY = 56,
+   DBUS_VALIDITY_LAST
+ } DBusValidity;
+ 
diff --git a/sysutils/dbus/patches/patch-CVE-2010-4352-4 b/sysutils/dbus/patches/patch-CVE-2010-4352-4
new file mode 100644
index 00000000000..0b8d0b154b2
--- /dev/null
+++ b/sysutils/dbus/patches/patch-CVE-2010-4352-4
@@ -0,0 +1,29 @@
+$NetBSD: patch-CVE-2010-4352-4,v 1.1.2.2 2010/12/30 03:37:22 sbd Exp $
+
+Fix for CVE-2010-4352 taken from here:
+
+http://cgit.freedesktop.org/dbus/dbus/commit/?h=dbus-1.2&id=5042c1e5e6df31700215c9dc0618634911b0c9f5
+
+--- doc/dbus-specification.xml.orig	2009-04-17 20:45:29.000000000 +0100
++++ doc/dbus-specification.xml	2010-12-29 10:35:49.000000000 +0000
+@@ -561,12 +561,14 @@
+ 	      </row><row>
+                 <entry><literal>VARIANT</literal></entry>
+                 <entry>
+-                  A variant type has a marshaled <literal>SIGNATURE</literal>
+-                  followed by a marshaled value with the type
+-                  given in the signature.
+-                  Unlike a message signature, the variant signature 
+-                  can contain only a single complete type.
+-                  So "i", "ai" or "(ii)" is OK, but "ii" is not.
++                  A variant type has a marshaled
++                  <literal>SIGNATURE</literal> followed by a marshaled
++                  value with the type given in the signature.  Unlike
++                  a message signature, the variant signature can
++                  contain only a single complete type.  So "i", "ai"
++                  or "(ii)" is OK, but "ii" is not.  Use of variants may not
++                  cause a total message depth to be larger than 64, including
++		  other container types such as structures.
+                 </entry>
+                 <entry>
+                   1 (alignment of the signature)