SUSE:SLE-15-SP7:Update
File fix-upstream-CVE-2022-42011.patch of Package dbus-1
commit 079bbf16186e87fb0157adf8951f19864bc2ed69 Author: Simon McVittie <smcv@collabora.com> Date: Mon Sep 12 13:14:18 2022 +0100 dbus-marshal-validate: Validate length of arrays of fixed-length items This fast-path previously did not check that the array was made up of an integer number of items. This could lead to assertion failures and out-of-bounds accesses during subsequent message processing (which assumes that the message has already been validated), particularly after the addition of _dbus_header_remove_unknown_fields(), which makes it more likely that dbus-daemon will apply non-trivial edits to messages. Thanks: Evgeny Vereshchagin Fixes: e61f13cf "Bug 18064 - more efficient validation for fixed-size type arrays" Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/413 Resolves: CVE-2022-42011 Signed-off-by: Simon McVittie <smcv@collabora.com> Index: dbus-1.12.2/dbus/dbus-marshal-validate.c =================================================================== --- dbus-1.12.2.orig/dbus/dbus-marshal-validate.c +++ dbus-1.12.2/dbus/dbus-marshal-validate.c @@ -498,13 +498,24 @@ validate_body_helper (DBusTypeReader */ if (dbus_type_is_fixed (array_elem_type)) { + /* Note that fixed-size types all have sizes equal to + * their alignments, so this is really the item size. */ + alignment = _dbus_type_get_alignment (array_elem_type); + _dbus_assert (alignment == 1 || alignment == 2 || + alignment == 4 || alignment == 8); + + /* Because the alignment is a power of 2, this is + * equivalent to: (claimed_len % alignment) != 0, + * but avoids slower integer division */ + if ((claimed_len & (alignment - 1)) != 0) + return DBUS_INVALID_ARRAY_LENGTH_INCORRECT; + /* bools need to be handled differently, because they can * have an invalid value */ if (array_elem_type == DBUS_TYPE_BOOLEAN) { dbus_uint32_t v; - alignment = _dbus_type_get_alignment (array_elem_type); while (p < array_end) {
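Review bot: the new length test `(claimed_len & (alignment - 1)) != 0` in the `dbus_type_is_fixed` branch is only equivalent to a modulo check when `alignment` is a power of two, and the only guard for that precondition is the `_dbus_assert` directly above it. In a build where assertions are compiled out, an unexpected alignment value would pass through unchecked and the mask would no longer reject every array that is not a whole number of items. Since later message processing assumes validation has already happened, consider making the power-of-two precondition a runtime check that returns a validity error instead of relying on the assertion alone. The visible change also touches only dbus-marshal-validate.c; a regression test that feeds the validator a fixed-type array whose claimed length is not a multiple of the item size, and expects `DBUS_INVALID_ARRAY_LENGTH_INCORRECT`, would keep this fast path from regressing again.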