-rw-r--r-- | sysutils/dbus/Makefile | 3 | ||||
-rw-r--r-- | sysutils/dbus/distinfo | 6 | ||||
-rw-r--r-- | sysutils/dbus/patches/patch-CVE-2010-4352-1 | 81 | ||||
-rw-r--r-- | sysutils/dbus/patches/patch-CVE-2010-4352-2 | 87 | ||||
-rw-r--r-- | sysutils/dbus/patches/patch-CVE-2010-4352-3 | 16 | ||||
-rw-r--r-- | sysutils/dbus/patches/patch-CVE-2010-4352-4 | 29 |
6 files changed, 220 insertions, 2 deletions
diff --git a/sysutils/dbus/Makefile b/sysutils/dbus/Makefile
index e4bda6a042f..6fada49b0df 100644
--- a/sysutils/dbus/Makefile
+++ b/sysutils/dbus/Makefile
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.48 2010/05/27 12:36:02 obache Exp $
+# $NetBSD: Makefile,v 1.48.4.1 2010/12/30 03:37:21 sbd Exp $
 DISTNAME= dbus-1.2.4.6permissive
 PKGNAME= dbus-1.2.4.6
+PKGREVISION= 2
 CATEGORIES= sysutils
 MASTER_SITES= http://dbus.freedesktop.org/releases/dbus/
diff --git a/sysutils/dbus/distinfo b/sysutils/dbus/distinfo
index ed58af0cf5a..759a3b4914a 100644
--- a/sysutils/dbus/distinfo
+++ b/sysutils/dbus/distinfo
@@ -1,8 +1,12 @@
-$NetBSD: distinfo,v 1.35 2010/02/21 19:32:25 tez Exp $
+$NetBSD: distinfo,v 1.35.6.1 2010/12/30 03:37:22 sbd Exp $
 SHA1 (dbus-1.2.4.6permissive.tar.gz) = f71219624885fe2ec1990bb8bdd599e184dd5774
 RMD160 (dbus-1.2.4.6permissive.tar.gz) = 05d1c5fae8ae763a9beb8c7d6f390f3ff54e9c30
 Size (dbus-1.2.4.6permissive.tar.gz) = 1575270 bytes
+SHA1 (patch-CVE-2010-4352-1) = bc83f7a2b56558b6514de8de2d6319ad84f84fce
+SHA1 (patch-CVE-2010-4352-2) = 1427c2c4aea6cd21f5d19aa8fad90b87282b232b
+SHA1 (patch-CVE-2010-4352-3) = d5598dab11bad66c2f586e418a8b409ac5fc67d5
+SHA1 (patch-CVE-2010-4352-4) = 82a43bc19bf4ef73d6e2909dd1c948798585135d
 SHA1 (patch-aa) = fd7cc2e11e15e13885e882e8de51e17af8a63d70
 SHA1 (patch-ab) = b2761914edfe2c7666c5412abf79c5d7b87a2006
 SHA1 (patch-ac) = 63aab0ffac02a9cb85a80e31bbb1234534db378b
diff --git a/sysutils/dbus/patches/patch-CVE-2010-4352-1 b/sysutils/dbus/patches/patch-CVE-2010-4352-1
new file mode 100644
index 00000000000..c6376df57da
--- /dev/null
+++ b/sysutils/dbus/patches/patch-CVE-2010-4352-1
@@ -0,0 +1,81 @@
+$NetBSD: patch-CVE-2010-4352-1,v 1.1.2.2 2010/12/30 03:37:22 sbd Exp $
+
+Fix for CVE-2010-4352 taken from here:
+
+http://cgit.freedesktop.org/dbus/dbus/commit/?h=dbus-1.2&id=5042c1e5e6df31700215c9dc0618634911b0c9f5
+
+--- dbus/dbus-marshal-validate.c.orig 2009-05-06 18:26:48.000000000 +0100
++++ dbus/dbus-marshal-validate.c 2010-12-29 10:35:49.000000000 +0000
+@@ -289,16 +289,30 @@
+ return result;
+ }
+
++/* note: this function is also used to validate the header's values,
++ * since the header is a valid body with a particular signature.
++ */
+ static DBusValidity
+ validate_body_helper (DBusTypeReader *reader,
+ int byte_order,
+ dbus_bool_t walk_reader_to_end,
++ int total_depth,
+ const unsigned char *p,
+ const unsigned char *end,
+ const unsigned char **new_p)
+ {
+ int current_type;
+
++ /* The spec allows arrays and structs to each nest 32, for total
++ * nesting of 2*32. We want to impose the same limit on "dynamic"
++ * value nesting (not visible in the signature) which is introduced
++ * by DBUS_TYPE_VARIANT.
++ */
++ if (total_depth > (DBUS_MAXIMUM_TYPE_RECURSION_DEPTH * 2))
++ {
++ return DBUS_INVALID_NESTED_TOO_DEEPLY;
++ }
++
+ while ((current_type = _dbus_type_reader_get_current_type (reader)) != DBUS_TYPE_INVALID)
+ {
+ const unsigned char *a;
+@@ -474,7 +488,9 @@
+ {
+ while (p < array_end)
+ {
+- validity = validate_body_helper (&sub, byte_order, FALSE, p, end, &p);
++ validity = validate_body_helper (&sub, byte_order, FALSE,
++ total_depth + 1,
++ p, end, &p);
+ if (validity != DBUS_VALID)
+ return validity;
+ }
+@@ -591,7 +607,9 @@
+
+ _dbus_assert (_dbus_type_reader_get_current_type (&sub) != DBUS_TYPE_INVALID);
+
+- validity = validate_body_helper (&sub, byte_order, FALSE, p, end, &p);
++ validity = validate_body_helper (&sub, byte_order, FALSE,
++ total_depth + 1,
++ p, end, &p);
+ if (validity != DBUS_VALID)
+ return validity;
+
+@@ -620,7 +638,9 @@
+
+ _dbus_type_reader_recurse (reader, &sub);
+
+- validity = validate_body_helper (&sub, byte_order, TRUE, p, end, &p);
++ validity = validate_body_helper (&sub, byte_order, TRUE,
++ total_depth + 1,
++ p, end, &p);
+ if (validity != DBUS_VALID)
+ return validity;
+ }
+@@ -705,7 +725,7 @@
+ p = _dbus_string_get_const_data_len (value_str, value_pos, len);
+ end = p + len;
+
+- validity = validate_body_helper (&reader, byte_order, TRUE, p, end, &p);
++ validity = validate_body_helper (&reader, byte_order, TRUE, 0, p, end, &p);
+ if (validity != DBUS_VALID)
+ return validity;
+
diff --git a/sysutils/dbus/patches/patch-CVE-2010-4352-2 b/sysutils/dbus/patches/patch-CVE-2010-4352-2
new file mode 100644
index 00000000000..1637839a9df
--- /dev/null
+++ b/sysutils/dbus/patches/patch-CVE-2010-4352-2
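Review bot: The new `total_depth` parameter of validate_body_helper has no stated contract, and the bound checked at the top of the function is easy to misread as off by one. The root call in the last inner hunk passes 0 and each of the three recursive calls passes `total_depth + 1`, so with `>` a value nested 64 containers deep still validates and the 65th level returns DBUS_INVALID_NESTED_TOO_DEEPLY; I would add that to the comment, e.g. `/* total_depth is 0 at the top-level call and grows by one per container entered, so at most 64 nested containers are accepted */`. The comment could also say that this bound is what keeps the recursion depth, and so the stack use, fixed while validating untrusted messages, since variant nesting is not visible in the signature. The function body continues outside the inner hunks shown.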
@@ -0,0 +1,87 @@
+$NetBSD: patch-CVE-2010-4352-2,v 1.1.2.2 2010/12/30 03:37:22 sbd Exp $
+
+Fix for CVE-2010-4352 taken from here:
+
+http://cgit.freedesktop.org/dbus/dbus/commit/?h=dbus-1.2&id=5042c1e5e6df31700215c9dc0618634911b0c9f5
+
+--- dbus/dbus-message-factory.c.orig 2009-05-06 18:26:48.000000000 +0100
++++ dbus/dbus-message-factory.c 2010-12-29 10:35:49.000000000 +0000
+@@ -333,6 +333,53 @@
+ return message;
+ }
+
++static DBusMessage*
++message_with_nesting_levels (int levels)
++{
++ DBusMessage *message;
++ dbus_int32_t v_INT32;
++ DBusMessageIter *parents;
++ DBusMessageIter *children;
++ int i;
++
++ /* If levels is higher it breaks sig_refcount in DBusMessageRealIter
++ * in dbus-message.c, this assert is just to help you know you need
++ * to fix that if you hit it
++ */
++ _dbus_assert (levels < 256);
++
++ parents = dbus_new(DBusMessageIter, levels + 1);
++ children = dbus_new(DBusMessageIter, levels + 1);
++
++ v_INT32 = 42;
++ message = simple_method_call ();
++
++ i = 0;
++ dbus_message_iter_init_append (message, &parents[i]);
++ while (i < levels)
++ {
++ dbus_message_iter_open_container (&parents[i], DBUS_TYPE_VARIANT,
++ i == (levels - 1) ?
++ DBUS_TYPE_INT32_AS_STRING :
++ DBUS_TYPE_VARIANT_AS_STRING,
++ &children[i]);
++ ++i;
++ parents[i] = children[i-1];
++ }
++ --i;
++ dbus_message_iter_append_basic (&children[i], DBUS_TYPE_INT32, &v_INT32);
++ while (i >= 0)
++ {
++ dbus_message_iter_close_container (&parents[i], &children[i]);
++ --i;
++ }
++
++ dbus_free(parents);
++ dbus_free(children);
++
++ return message;
++}
++
+ static dbus_bool_t
+ generate_special (DBusMessageDataIter *iter,
+ DBusString *data,
+@@ -735,6 +782,24 @@
+
+ *expected_validity = DBUS_INVALID_DICT_ENTRY_HAS_NO_FIELDS;
+ }
++ else if (item_seq == 20)
++ {
++ /* 64 levels of nesting is OK */
++ message = message_with_nesting_levels(64);
++
++ generate_from_message (data, expected_validity, message);
++
++ *expected_validity = DBUS_VALID;
++ }
++ else if (item_seq == 21)
++ {
++ /* 65 levels of nesting is not OK */
++ message = message_with_nesting_levels(65);
++
++ generate_from_message (data, expected_validity, message);
++
++ *expected_validity = DBUS_INVALID_NESTED_TOO_DEEPLY;
++ }
+ else
+ {
+ return FALSE;
diff --git a/sysutils/dbus/patches/patch-CVE-2010-4352-3 b/sysutils/dbus/patches/patch-CVE-2010-4352-3
new file mode 100644
index 00000000000..f5f054d55bf
--- /dev/null
+++ b/sysutils/dbus/patches/patch-CVE-2010-4352-3
@@ -0,0 +1,16 @@
+$NetBSD: patch-CVE-2010-4352-3,v 1.1.2.2 2010/12/30 03:37:22 sbd Exp $
+
+Fix for CVE-2010-4352 taken from here:
+
+http://cgit.freedesktop.org/dbus/dbus/commit/?h=dbus-1.2&id=5042c1e5e6df31700215c9dc0618634911b0c9f5
+
+--- dbus/dbus-marshal-validate.h.orig 2009-05-06 18:26:48.000000000 +0100
++++ dbus/dbus-marshal-validate.h 2010-12-29 10:35:49.000000000 +0000
+@@ -117,6 +117,7 @@
+ DBUS_INVALID_DICT_ENTRY_HAS_TOO_MANY_FIELDS = 53,
+ DBUS_INVALID_DICT_ENTRY_NOT_INSIDE_ARRAY = 54,
+ DBUS_INVALID_DICT_KEY_MUST_BE_BASIC_TYPE = 55,
++ DBUS_INVALID_NESTED_TOO_DEEPLY = 56,
+ DBUS_VALIDITY_LAST
+ } DBusValidity;
+
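Review bot: message_with_nesting_levels asserts only the upper bound on `levels`, so a call with 0 would skip the open-container loop, take `--i` to -1 and then pass `&children[i]` to dbus_message_iter_append_basic, indexing before the start of the array. Both callers added in this patch pass 64 and 65, so the problem is latent, but the precondition should be explicit: `_dbus_assert (levels > 0 && levels < 256);`. The two `dbus_new` results are also used without a NULL check and the return values of the iterator open, append and close calls are ignored, so an allocation failure in this test helper would likely show up as a crash rather than as a clear out-of-memory failure.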
diff --git a/sysutils/dbus/patches/patch-CVE-2010-4352-4 b/sysutils/dbus/patches/patch-CVE-2010-4352-4
new file mode 100644
index 00000000000..0b8d0b154b2
--- /dev/null
+++ b/sysutils/dbus/patches/patch-CVE-2010-4352-4
@@ -0,0 +1,29 @@
+$NetBSD: patch-CVE-2010-4352-4,v 1.1.2.2 2010/12/30 03:37:22 sbd Exp $
+
+Fix for CVE-2010-4352 taken from here:
+
+http://cgit.freedesktop.org/dbus/dbus/commit/?h=dbus-1.2&id=5042c1e5e6df31700215c9dc0618634911b0c9f5
+
+--- doc/dbus-specification.xml.orig 2009-04-17 20:45:29.000000000 +0100
++++ doc/dbus-specification.xml 2010-12-29 10:35:49.000000000 +0000
+@@ -561,12 +561,14 @@
+ </row><row>
+ <entry><literal>VARIANT</literal></entry>
+ <entry>
+- A variant type has a marshaled <literal>SIGNATURE</literal>
+- followed by a marshaled value with the type
+- given in the signature.
+- Unlike a message signature, the variant signature
+- can contain only a single complete type.
+- So "i", "ai" or "(ii)" is OK, but "ii" is not.
++ A variant type has a marshaled
++ <literal>SIGNATURE</literal> followed by a marshaled
++ value with the type given in the signature. Unlike
++ a message signature, the variant signature can
++ contain only a single complete type. So "i", "ai"
++ or "(ii)" is OK, but "ii" is not. Use of variants may not
++ cause a total message depth to be larger than 64, including
++ other container types such as structures.
+ </entry>
+ <entry>
+ 1 (alignment of the signature) |