author | Simon McVittie <simon.mcvittie@collabora.co.uk> | 2014-07-02 18:33:51 +0100 |
---|---|---|
committer | Simon McVittie <simon.mcvittie@collabora.co.uk> | 2014-07-02 18:33:51 +0100 |
commit | a05ef3b12927aa40b4d322f8d0efa7bd3490d033 (patch) | |
tree | 75f4ad6b48a9d7f2f8cf8d534583b6634ecdf1dd | |
parent | 93d98e4480c73cd50c7cfd1e5fdd5fe9fe2125b7 (diff) | |
parent | 8f31484171dbffea56600daf6b6be407bd79d759 (diff) |
Merge branch 'dbus-1.8'
Conflicts:
NEWS
configure.ac
-rw-r--r-- | NEWS | 28 | ||||
-rw-r--r-- | configure.ac | 3 | ||||
-rw-r--r-- | dbus/dbus-message.c | 2 | ||||
-rw-r--r-- | dbus/dbus-sysdeps.c | 14 | ||||
-rw-r--r-- | dbus/dbus-sysdeps.h | 1 | ||||
-rw-r--r-- | dbus/dbus-transport-socket.c | 34 |
6 files changed, 74 insertions, 8 deletions
@@ -29,10 +29,6 @@ Enhancements: Fixes: -• When dbus-launch --exit-with-session starts a dbus-daemon but then cannot - attach to a session, kill the dbus-daemon as intended - (fd.o #74698, Роман Донченко) - • fix an incorrect error message if a Unix socket path is too long (fd.o #73887, Antoine Jacoutot)
@@ -49,6 +45,30 @@ Fixes: (like Mac OS X 10.6), or available in libc but unsupported by the kernel (fd.o #77032; rmvsxop, OBATA Akio, Patrick Welche) +D-Bus 1.8.6 (2014-06-02) +== + +Security fixes: + +• On Linux ≥ 2.6.37-rc4, if sendmsg() fails with ETOOMANYREFS, silently drop + the message. This prevents an attack in which a malicious client can + make dbus-daemon disconnect a system service, which is a local + denial of service. + (fd.o #80163, CVE-2014-3532; Alban Crequy) + +• Track remaining Unix file descriptors correctly when more than one + message in quick succession contains fds. This prevents another attack + in which a malicious client can make dbus-daemon disconnect a system + service. + (fd.o #79694, fd.o #80469, CVE-2014-3533; Alejandro Martínez Suárez, + Simon McVittie, Alban Crequy) + +Other fixes: + +• When dbus-launch --exit-with-session starts a dbus-daemon but then cannot + attach to a session, kill the dbus-daemon as intended + (fd.o #74698, Роман Донченко) + D-Bus 1.8.4 (2014-06-10) ==
diff --git a/configure.ac b/configure.ac
index 2a7f83fb..cbaf8742 100644
--- a/configure.ac
+++ b/configure.ac
@@ -4,7 +4,6 @@ AC_PREREQ([2.63]) m4_define([dbus_major_version], [1]) m4_define([dbus_minor_version], [8]) m4_define([dbus_micro_version], [99]) -m4_define([dbus_micro_version], [1]) m4_define([dbus_version], [dbus_major_version.dbus_minor_version.dbus_micro_version]) AC_INIT([dbus],[dbus_version],[https://bugs.freedesktop.org/enter_bug.cgi?product=dbus],[dbus])
@@ -38,7 +37,7 @@ LT_CURRENT=11 ## increment any time the source changes; set to ## 0 if you increment CURRENT -LT_REVISION=5 +LT_REVISION=6 ## increment if any interfaces have been added; set to 0 ## if any interfaces have been changed or removed. removal has
diff --git a/dbus/dbus-message.c b/dbus/dbus-message.c
index c6953d02..78df7558 100644
--- a/dbus/dbus-message.c
+++ b/dbus/dbus-message.c
@@ -4204,7 +4204,7 @@ load_message (DBusMessageLoader *loader, message->n_unix_fds_allocated = message->n_unix_fds = n_unix_fds; loader->n_unix_fds -= n_unix_fds; - memmove(loader->unix_fds + n_unix_fds, loader->unix_fds, loader->n_unix_fds); + memmove (loader->unix_fds, loader->unix_fds + n_unix_fds, loader->n_unix_fds * sizeof (loader->unix_fds[0])); } else message->unix_fds = NULL;
diff --git a/dbus/dbus-sysdeps.c b/dbus/dbus-sysdeps.c
index de3a18cb..f4ba0fac 100644
--- a/dbus/dbus-sysdeps.c
+++ b/dbus/dbus-sysdeps.c
@@ -762,6 +762,20 @@ _dbus_get_is_errno_epipe (void) } /** + * See if errno is ETOOMANYREFS + * @returns #TRUE if errno == ETOOMANYREFS + */ +dbus_bool_t +_dbus_get_is_errno_etoomanyrefs (void) +{ +#ifdef ETOOMANYREFS + return errno == ETOOMANYREFS; +#else + return FALSE; +#endif +} + +/** * Get error message from errno * @returns _dbus_strerror(errno) */
diff --git a/dbus/dbus-sysdeps.h b/dbus/dbus-sysdeps.h
index e586946f..21033ebf 100644
--- a/dbus/dbus-sysdeps.h
+++ b/dbus/dbus-sysdeps.h
@@ -384,6 +384,7 @@ dbus_bool_t _dbus_get_is_errno_eagain_or_ewouldblock (void); dbus_bool_t _dbus_get_is_errno_enomem (void); dbus_bool_t _dbus_get_is_errno_eintr (void); dbus_bool_t _dbus_get_is_errno_epipe (void); +dbus_bool_t _dbus_get_is_errno_etoomanyrefs (void); const char* _dbus_strerror_from_errno (void); void _dbus_disable_sigpipe (void);
diff --git a/dbus/dbus-transport-socket.c b/dbus/dbus-transport-socket.c
index 774f4598..199d3b54 100644
--- a/dbus/dbus-transport-socket.c
+++ b/dbus/dbus-transport-socket.c
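Review bot: In the load_message hunk of dbus/dbus-message.c, the corrected `memmove` depends on two invariants that are not stated at the call: `loader->n_unix_fds` already holds the remaining count (it is decremented on the line before), and `n_unix_fds` never exceeds the count the loader held. Any bounds check lies outside the hunk, so once that is confirmed I would add a comment such as `/* shift the fds not consumed by this message to the front; n_unix_fds <= previous loader->n_unix_fds is checked above */`. The NEWS entry ties this line to CVE-2014-3533, so a regression test that loads two fd-carrying messages back to back would pin both the copy direction and the byte count. load_message starts and ends outside the hunk.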
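Review bot: The doc comment on `_dbus_get_is_errno_etoomanyrefs` in dbus/dbus-sysdeps.c does not mention the `#else` branch, where the function always returns FALSE because the platform does not define ETOOMANYREFS. I would extend the second line to `@returns #TRUE if errno == ETOOMANYREFS; always #FALSE where ETOOMANYREFS is not defined`. A sentence saying that it must be called before anything else can overwrite errno would also help, since the function reads the global directly.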
@@ -645,12 +645,44 @@ do_writing (DBusTransport *transport) { /* EINTR already handled for us */ - /* For some discussion of why we also ignore EPIPE here, see + /* If the other end closed the socket with close() or shutdown(), we + * receive EPIPE here but we must not close the socket yet: there + * might still be some data to read. See: * http://lists.freedesktop.org/archives/dbus/2008-March/009526.html */ if (_dbus_get_is_errno_eagain_or_ewouldblock () || _dbus_get_is_errno_epipe ()) goto out; + + /* Since Linux commit 25888e (from 2.6.37-rc4, Nov 2010), sendmsg() + * on Unix sockets returns -1 errno=ETOOMANYREFS when the passfd + * mechanism (SCM_RIGHTS) is used recursively with a recursion level + * of maximum 4. The kernel does not have an API to check whether + * the passed fds can be forwarded and it can change asynchronously. + * See: + * https://bugs.freedesktop.org/show_bug.cgi?id=80163 + */ + + else if (_dbus_get_is_errno_etoomanyrefs ()) + { + /* We only send fds in the first byte of the message. + * ETOOMANYREFS cannot happen after. + */ + _dbus_assert (socket_transport->message_bytes_written == 0); + + _dbus_verbose (" discard message of %d bytes due to ETOOMANYREFS\n", + total_bytes_to_write); + + socket_transport->message_bytes_written = 0; + _dbus_string_set_length (&socket_transport->encoded_outgoing, 0); + _dbus_string_compact (&socket_transport->encoded_outgoing, 2048); + + /* The message was not actually sent but it needs to be removed + * from the outgoing queue + */ + _dbus_connection_message_sent_unlocked (transport->connection, + message); + } else { _dbus_verbose ("Error writing to remote app: %s\n", |
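Review bot: The new ETOOMANYREFS branch in do_writing discards the message with only a `_dbus_verbose` trace, so a build without verbose tracing (which I believe is the usual production build) keeps no record that a message was dropped. The NEWS entry describes this path as the response to a malicious client, and the peer waiting on that message gets no error either, so a rate-limited warning or a per-connection drop counter would give operators something to detect it with; an unthrottled log line would itself be floodable by the same client. Separately, `_dbus_assert (socket_transport->message_bytes_written == 0);` is the only guard against discarding after a partial write, and with assertions compiled out the reset that follows would silently cut off a half-sent message; an explicit runtime check that falls through to the existing error branch, or at least a comment such as `/* a non-zero count here means the stream is already desynchronised */`, would be safer. The enclosing if/else chain and do_writing itself start and end outside the hunk.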