[Pkg-utopia-commits] r3792 - in /packages/unstable/dbus/debian: changelog patches/12-CVE-2010-4352-reject-deeply-nested-variants.patch patches/series
biebl at users.alioth.debian.org
biebl at users.alioth.debian.org
Tue Dec 21 17:38:46 UTC 2010
Author: biebl
Date: Tue Dec 21 17:38:45 2010
New Revision: 3792
URL: http://svn.debian.org/wsvn/pkg-utopia/?sc=1&rev=3792
Log:
* debian/patches/12-CVE-2010-4352-reject-deeply-nested-variants.patch
- Fixes CVE-2010-4352: sending messages with excessively-nested variants
can crash the bus. The existing restriction to 64-levels of nesting
previously only applied to the static type signature; now it also
applies to dynamic nesting using variants.
Patch cherry-picked from upstream Git.
Added:
packages/unstable/dbus/debian/patches/12-CVE-2010-4352-reject-deeply-nested-variants.patch
Modified:
packages/unstable/dbus/debian/changelog
packages/unstable/dbus/debian/patches/series
Modified: packages/unstable/dbus/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-utopia/packages/unstable/dbus/debian/changelog?rev=3792&op=diff
==============================================================================
--- packages/unstable/dbus/debian/changelog (original)
+++ packages/unstable/dbus/debian/changelog Tue Dec 21 17:38:45 2010
@@ -1,3 +1,14 @@
+dbus (1.2.24-4) UNRELEASED; urgency=low
+
+ * debian/patches/12-CVE-2010-4352-reject-deeply-nested-variants.patch
+ - Fixes CVE-2010-4352: sending messages with excessively-nested variants
+ can crash the bus. The existing restriction to 64-levels of nesting
+ previously only applied to the static type signature; now it also
+ applies to dynamic nesting using variants.
+ Patch cherry-picked from upstream Git.
+
+ -- Michael Biebl <biebl at debian.org> Tue, 21 Dec 2010 18:35:07 +0100
+
dbus (1.2.24-3) unstable; urgency=medium
* Add patch from upstream to fix segfaults when reloaded on kFreeBSD
Added: packages/unstable/dbus/debian/patches/12-CVE-2010-4352-reject-deeply-nested-variants.patch
URL: http://svn.debian.org/wsvn/pkg-utopia/packages/unstable/dbus/debian/patches/12-CVE-2010-4352-reject-deeply-nested-variants.patch?rev=3792&op=file
==============================================================================
--- packages/unstable/dbus/debian/patches/12-CVE-2010-4352-reject-deeply-nested-variants.patch (added)
+++ packages/unstable/dbus/debian/patches/12-CVE-2010-4352-reject-deeply-nested-variants.patch Tue Dec 21 17:38:45 2010
@@ -1,0 +1,240 @@
+From 5042c1e5e6df31700215c9dc0618634911b0c9f5 Mon Sep 17 00:00:00 2001
+From: Colin Walters <walters at verbum.org>
+Date: Tue, 21 Dec 2010 09:09:29 -0500
+Subject: [PATCH 1/4] CVE 2010-4352: Reject deeply nested variants
+
+Add DBUS_INVALID_NESTED_TOO_DEEPLY validity problem and a test that
+should generate it.
+
+Previously, we rejected deep nesting in the signature, but
+variants allow dynamic message nesting, conditional only
+on the depth of the message body.
+
+The nesting limit is 64, which was also the limit in static
+signatures. Empirically, dynamic nesting depth observed on my
+Fedora 14 system doesn't exceed 2; 64 is really a huge limit.
+
+https://bugs.freedesktop.org/show_bug.cgi?id=32321
+
+Signed-Off-By: Colin Walters <walters at verbum.org>
+Signed-off-by: Will Thompson <will.thompson at collabora.co.uk>
+
+Conflicts:
+
+ dbus/dbus-marshal-validate.h
+---
+ dbus/dbus-marshal-validate.c | 30 ++++++++++++++++---
+ dbus/dbus-marshal-validate.h | 1 +
+ dbus/dbus-message-factory.c | 65 ++++++++++++++++++++++++++++++++++++++++++
+ doc/dbus-specification.xml | 14 +++++----
+ 4 files changed, 99 insertions(+), 11 deletions(-)
+
+diff --git a/dbus/dbus-marshal-validate.c b/dbus/dbus-marshal-validate.c
+index 61fad4d..c681595 100644
+--- a/dbus/dbus-marshal-validate.c
++++ b/dbus/dbus-marshal-validate.c
+@@ -289,16 +289,30 @@ out:
+ return result;
+ }
+
++/* note: this function is also used to validate the header's values,
++ * since the header is a valid body with a particular signature.
++ */
+ static DBusValidity
+ validate_body_helper (DBusTypeReader *reader,
+ int byte_order,
+ dbus_bool_t walk_reader_to_end,
++ int total_depth,
+ const unsigned char *p,
+ const unsigned char *end,
+ const unsigned char **new_p)
+ {
+ int current_type;
+
++ /* The spec allows arrays and structs to each nest 32, for total
++ * nesting of 2*32. We want to impose the same limit on "dynamic"
++ * value nesting (not visible in the signature) which is introduced
++ * by DBUS_TYPE_VARIANT.
++ */
++ if (total_depth > (DBUS_MAXIMUM_TYPE_RECURSION_DEPTH * 2))
++ {
++ return DBUS_INVALID_NESTED_TOO_DEEPLY;
++ }
++
+ while ((current_type = _dbus_type_reader_get_current_type (reader)) != DBUS_TYPE_INVALID)
+ {
+ const unsigned char *a;
+@@ -474,7 +488,9 @@ validate_body_helper (DBusTypeReader *reader,
+ {
+ while (p < array_end)
+ {
+- validity = validate_body_helper (&sub, byte_order, FALSE, p, end, &p);
++ validity = validate_body_helper (&sub, byte_order, FALSE,
++ total_depth + 1,
++ p, end, &p);
+ if (validity != DBUS_VALID)
+ return validity;
+ }
+@@ -591,7 +607,9 @@ validate_body_helper (DBusTypeReader *reader,
+
+ _dbus_assert (_dbus_type_reader_get_current_type (&sub) != DBUS_TYPE_INVALID);
+
+- validity = validate_body_helper (&sub, byte_order, FALSE, p, end, &p);
++ validity = validate_body_helper (&sub, byte_order, FALSE,
++ total_depth + 1,
++ p, end, &p);
+ if (validity != DBUS_VALID)
+ return validity;
+
+@@ -620,7 +638,9 @@ validate_body_helper (DBusTypeReader *reader,
+
+ _dbus_type_reader_recurse (reader, &sub);
+
+- validity = validate_body_helper (&sub, byte_order, TRUE, p, end, &p);
++ validity = validate_body_helper (&sub, byte_order, TRUE,
++ total_depth + 1,
++ p, end, &p);
+ if (validity != DBUS_VALID)
+ return validity;
+ }
+@@ -705,7 +725,7 @@ _dbus_validate_body_with_reason (const DBusString *expected_signature,
+ p = _dbus_string_get_const_data_len (value_str, value_pos, len);
+ end = p + len;
+
+- validity = validate_body_helper (&reader, byte_order, TRUE, p, end, &p);
++ validity = validate_body_helper (&reader, byte_order, TRUE, 0, p, end, &p);
+ if (validity != DBUS_VALID)
+ return validity;
+
+@@ -875,7 +895,7 @@ _dbus_validity_to_error_message (DBusValidity validity)
+ case DBUS_INVALID_DICT_ENTRY_HAS_TOO_MANY_FIELDS: return "Dict entry has too many fields";
+ case DBUS_INVALID_DICT_ENTRY_NOT_INSIDE_ARRAY: return "Dict entry not inside array";
+ case DBUS_INVALID_DICT_KEY_MUST_BE_BASIC_TYPE: return "Dict key must be basic type";
+-
++ case DBUS_INVALID_NESTED_TOO_DEEPLY: return "Variants cannot be used to create a hugely recursive tree of values";
+ default:
+ return "Invalid";
+ }
+diff --git a/dbus/dbus-marshal-validate.h b/dbus/dbus-marshal-validate.h
+index a7d904b..da599c6 100644
+--- a/dbus/dbus-marshal-validate.h
++++ b/dbus/dbus-marshal-validate.h
+@@ -117,6 +117,7 @@ typedef enum
+ DBUS_INVALID_DICT_ENTRY_HAS_TOO_MANY_FIELDS = 53,
+ DBUS_INVALID_DICT_ENTRY_NOT_INSIDE_ARRAY = 54,
+ DBUS_INVALID_DICT_KEY_MUST_BE_BASIC_TYPE = 55,
++ DBUS_INVALID_NESTED_TOO_DEEPLY = 56,
+ DBUS_VALIDITY_LAST
+ } DBusValidity;
+
+diff --git a/dbus/dbus-message-factory.c b/dbus/dbus-message-factory.c
+index 7bc539b..49151eb 100644
+--- a/dbus/dbus-message-factory.c
++++ b/dbus/dbus-message-factory.c
+@@ -333,6 +333,53 @@ simple_error (void)
+ return message;
+ }
+
++static DBusMessage*
++message_with_nesting_levels (int levels)
++{
++ DBusMessage *message;
++ dbus_int32_t v_INT32;
++ DBusMessageIter *parents;
++ DBusMessageIter *children;
++ int i;
++
++ /* If levels is higher it breaks sig_refcount in DBusMessageRealIter
++ * in dbus-message.c, this assert is just to help you know you need
++ * to fix that if you hit it
++ */
++ _dbus_assert (levels < 256);
++
++ parents = dbus_new(DBusMessageIter, levels + 1);
++ children = dbus_new(DBusMessageIter, levels + 1);
++
++ v_INT32 = 42;
++ message = simple_method_call ();
++
++ i = 0;
++ dbus_message_iter_init_append (message, &parents[i]);
++ while (i < levels)
++ {
++ dbus_message_iter_open_container (&parents[i], DBUS_TYPE_VARIANT,
++ i == (levels - 1) ?
++ DBUS_TYPE_INT32_AS_STRING :
++ DBUS_TYPE_VARIANT_AS_STRING,
++ &children[i]);
++ ++i;
++ parents[i] = children[i-1];
++ }
++ --i;
++ dbus_message_iter_append_basic (&children[i], DBUS_TYPE_INT32, &v_INT32);
++ while (i >= 0)
++ {
++ dbus_message_iter_close_container (&parents[i], &children[i]);
++ --i;
++ }
++
++ dbus_free(parents);
++ dbus_free(children);
++
++ return message;
++}
++
+ static dbus_bool_t
+ generate_special (DBusMessageDataIter *iter,
+ DBusString *data,
+@@ -735,6 +782,24 @@ generate_special (DBusMessageDataIter *iter,
+
+ *expected_validity = DBUS_INVALID_DICT_ENTRY_HAS_NO_FIELDS;
+ }
++ else if (item_seq == 20)
++ {
++ /* 64 levels of nesting is OK */
++ message = message_with_nesting_levels(64);
++
++ generate_from_message (data, expected_validity, message);
++
++ *expected_validity = DBUS_VALID;
++ }
++ else if (item_seq == 21)
++ {
++ /* 65 levels of nesting is not OK */
++ message = message_with_nesting_levels(65);
++
++ generate_from_message (data, expected_validity, message);
++
++ *expected_validity = DBUS_INVALID_NESTED_TOO_DEEPLY;
++ }
+ else
+ {
+ return FALSE;
+diff --git a/doc/dbus-specification.xml b/doc/dbus-specification.xml
+index b5866e5..7793016 100644
+--- a/doc/dbus-specification.xml
++++ b/doc/dbus-specification.xml
+@@ -561,12 +561,14 @@
+ </row><row>
+ <entry><literal>VARIANT</literal></entry>
+ <entry>
+- A variant type has a marshaled <literal>SIGNATURE</literal>
+- followed by a marshaled value with the type
+- given in the signature.
+- Unlike a message signature, the variant signature
+- can contain only a single complete type.
+- So "i", "ai" or "(ii)" is OK, but "ii" is not.
++ A variant type has a marshaled
++ <literal>SIGNATURE</literal> followed by a marshaled
++ value with the type given in the signature. Unlike
++ a message signature, the variant signature can
++ contain only a single complete type. So "i", "ai"
++ or "(ii)" is OK, but "ii" is not. Use of variants may not
++ cause a total message depth to be larger than 64, including
++ other container types such as structures.
+ </entry>
+ <entry>
+ 1 (alignment of the signature)
+--
+1.7.2.3
+
Modified: packages/unstable/dbus/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-utopia/packages/unstable/dbus/debian/patches/series?rev=3792&op=diff
==============================================================================
--- packages/unstable/dbus/debian/patches/series (original)
+++ packages/unstable/dbus/debian/patches/series Tue Dec 21 17:38:45 2010
@@ -2,3 +2,4 @@
01_no-fatal-warnings.patch
10_dbus-1.0.1-generate-xml-docs.patch
11-589662-reload-kqueue.patch
+12-CVE-2010-4352-reject-deeply-nested-variants.patch
More information about the Pkg-utopia-commits
mailing list