8 changed files with 74 additions and 352 deletions
--- a/.dbus-broker.metadata
+++ b/.dbus-broker.metadata
@ -1 +1 @@
-2602b87b336875bc1fd6866004f16013e6cf3fe4 SOURCES/dbus-broker-28.tar.xz
+a3b28df004f1df47ae7cf4d5e47ab6a70f79638b SOURCES/dbus-broker-35.tar.xz
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/dbus-broker-28.tar.xz
+SOURCES/dbus-broker-35.tar.xz
--- a/SOURCES/1add8a7d60e46806e0ef87994d3024245db0d84a.patch
+++ b/SOURCES/1add8a7d60e46806e0ef87994d3024245db0d84a.patch
@ -1,38 +0,0 @@
 From 1add8a7d60e46806e0ef87994d3024245db0d84a Mon Sep 17 00:00:00 2001
 From: David Rheinsberg <david.rheinsberg@gmail.com>
 Date: Thu, 18 Mar 2021 11:10:02 +0100
 Subject: [PATCH] launch/policy: fix incorrect assertion for at_console
 We write at_console policies for ranges of uids. If one of those ranges
 is 0, an overflow assertion will incorrectly fire. Fix this and simplify
 the assertions for better readability.
 Note that such empty ranges will happen if more than one user on the
 system is considered `at_console` **and** those users have consecutive
 UIDs. Another possibility for empty ranges is when uid 0 is considered
 at_console.
 In any case, the assertion will abort the application incorrectly. So
 this is not a security issue, but merely an incorrect assertion.
 Signed-off-by: David Rheinsberg <david.rheinsberg@gmail.com>
 ---
 src/launch/policy.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
 diff --git a/src/launch/policy.c b/src/launch/policy.c
 index f91f11b..75eb0d3 100644
 --- a/src/launch/policy.c
 +++ b/src/launch/policy.c
@@ -934,7 +934,10 @@ static int policy_export_xmit(Policy *policy, CList *list1, CList *list2, sd_bus
 static int policy_export_console(Policy *policy, sd_bus_message *m, PolicyEntries *entries, uint32_t uid_start, uint32_t n_uid) {
         int r;
 -        c_assert(((uint32_t)-1) - n_uid + 1 >= uid_start);
 +        /* check for overflow */
 +        c_assert(uid_start + n_uid >= uid_start);
 +        /* check for encoding into dbus `u` type */
 +        c_assert(uid_start + n_uid <= (uint32_t)-1);
         if (n_uid == 0)
                 return 0;
--- a/SOURCES/33e0595b1c7cf8fa0e7ca3a353f4380c1307dc25.patch
+++ b/SOURCES/33e0595b1c7cf8fa0e7ca3a353f4380c1307dc25.patch
@ -1,155 +0,0 @@
 From 33e0595b1c7cf8fa0e7ca3a353f4380c1307dc25 Mon Sep 17 00:00:00 2001
 From: David Rheinsberg <david.rheinsberg@gmail.com>
 Date: Thu, 5 May 2022 10:50:31 +0200
 Subject: [PATCH] test-config: add tests for some config samples
 Add infrastructure to easily parse config-samples in our test. This
 allows us to add any reports about broken configurations easily, and
 making sure we will not run into the same issues again.
 Signed-off-by: David Rheinsberg <david.rheinsberg@gmail.com>
 ---
 src/launch/test-config.c | 97 +++++++++++++++++++++++++++++++++++++---
 1 file changed, 91 insertions(+), 6 deletions(-)
 diff --git a/src/launch/test-config.c b/src/launch/test-config.c
 index 0401a434..c2f8765e 100644
 --- a/src/launch/test-config.c
 +++ b/src/launch/test-config.c
@@ -9,6 +9,7 @@
 #include "launch/config.h"
 #include "launch/nss-cache.h"
 #include "util/dirwatch.h"
 +#include "util/syscall.h"
 static const char *test_type2str[_CONFIG_NODE_N] = {
         [CONFIG_NODE_BUSCONFIG]         = "busconfig",
@@ -35,12 +36,23 @@ static const char *test_type2str[_CONFIG_NODE_N] = {
         [CONFIG_NODE_ASSOCIATE]         = "associate",
 };
 -static void print_config(const char *path) {
 +static int config_memfd(const char *data) {
 +        ssize_t n;
 +        int fd;
 +
 +        fd = syscall_memfd_create("dbus-broker-test-config", 0);
 +        c_assert(fd >= 0);
 +        n = write(fd, data, strlen(data));
 +        c_assert(n == (ssize_t)strlen(data));
 +
 +        return fd;
 +}
 +
 +static int parse_config(ConfigRoot **rootp, const char *path) {
         _c_cleanup_(config_parser_deinit) ConfigParser parser = CONFIG_PARSER_NULL(parser);
         _c_cleanup_(config_root_freep) ConfigRoot *root = NULL;
         _c_cleanup_(nss_cache_deinit) NSSCache nss_cache = NSS_CACHE_INIT;
         _c_cleanup_(dirwatch_freep) Dirwatch *dirwatch = NULL;
 -        ConfigNode *i_node;
         int r;
         r = dirwatch_new(&dirwatch);
@@ -49,6 +61,32 @@ static void print_config(const char *path) {
         config_parser_init(&parser);
         r = config_parser_read(&parser, &root, path, &nss_cache, dirwatch);
 +        if (r)
 +                return r;
 +
 +        *rootp = root;
 +        root = NULL;
 +        return 0;
 +}
 +
 +static int parse_config_inline(ConfigRoot **rootp, const char *data) {
 +        _c_cleanup_(c_closep) int fd = -1;
 +        _c_cleanup_(c_freep) char *path = NULL;
 +        int r;
 +
 +        fd = config_memfd(data);
 +        r = asprintf(&path, "/proc/self/fd/%d", fd);
 +        c_assert(r > 0);
 +
 +        return parse_config(rootp, path);
 +}
 +
 +static void print_config(const char *path) {
 +        _c_cleanup_(config_root_freep) ConfigRoot *root = NULL;
 +        ConfigNode *i_node;
 +        int r;
 +
 +        r = parse_config(&root, path);
         c_assert(!r);
         c_list_for_each_entry(i_node, &root->node_list, root_link) {
@@ -56,18 +94,65 @@ static void print_config(const char *path) {
         }
 }
 -static void test_config(void) {
 +static void test_config_base(void) {
         _c_cleanup_(config_parser_deinit) ConfigParser parser = CONFIG_PARSER_NULL(parser);
         config_parser_init(&parser);
         config_parser_deinit(&parser);
 }
 +static void test_config_sample0(void) {
 +        _c_cleanup_(config_root_freep) ConfigRoot *root = NULL;
 +        const char *data;
 +        int r;
 +
 +        data =
 +"<?xml version=\"1.0\"?> <!--*-nxml-*-->\
 +<!DOCTYPE g PUBLIC \"-/N\"\
 +	\"htt\">\
 +<busconfig>\
 +	<policy user=\"root\">\
 +		<allow own_prefix=\"oramd\"/>\
 +		<allow send_interface=\"d\"/>\
 +	</policy>\
 +		<user ix=\"d\"/>\
 +	</cy>";
 +
 +        r = parse_config_inline(&root, data);
 +        c_assert(r == CONFIG_E_INVALID);
 +}
 +
 +static void test_config_sample1(void) {
 +        _c_cleanup_(config_root_freep) ConfigRoot *root = NULL;
 +        const char *data;
 +        int r;
 +
 +        data =
 +"<?xml version=\"1.0\"?> <!--*-nxml-*-->\
 +<!DOCTYPE g PUBLIC \"-/N\"\
 +	\"htt\">\
 +<busconfig>\
 +	<policy user=\"root\">\
 +		<allow own_prefix=\"oramd\"/>\
 +		<allow send_interface=\"d\"/>\
 +	</policy>\
 +	<policy context=\"default\"/>		<user ix=\"d\"/>\
 +	</policy>\
 +</busconfig>";
 +
 +        r = parse_config_inline(&root, data);
 +        c_assert(r == CONFIG_E_INVALID);
 +}
 +
 int main(int argc, char **argv) {
 -        if (argc < 2)
 -                test_config();
 -        else
 +        if (argc > 1) {
                 print_config(argv[1]);
 +                return 0;
 +        }
 +
 +        test_config_base();
 +        test_config_sample0();
 +        test_config_sample1();
         return 0;
 }
--- a/SOURCES/b82b670bfec6600d0144bcb9ca635fb07c80118f.patch
+++ b/SOURCES/b82b670bfec6600d0144bcb9ca635fb07c80118f.patch
@ -1,30 +0,0 @@
 From b82b670bfec6600d0144bcb9ca635fb07c80118f Mon Sep 17 00:00:00 2001
 From: David Rheinsberg <david.rheinsberg@gmail.com>
 Date: Thu, 18 Mar 2021 12:13:16 +0100
 Subject: [PATCH] launch/policy: fix at_console range assertion again
 The previous fix did not actually consider that a full range can span up
 until (uint32_t)-1. Fix this properly now, and just check manually for
 an empty range before checking that the highest entry in the range can
 be represented.
 Signed-off-by: David Rheinsberg <david.rheinsberg@gmail.com>
 ---
 src/launch/policy.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
 diff --git a/src/launch/policy.c b/src/launch/policy.c
 index 75eb0d3..6999ceb 100644
 --- a/src/launch/policy.c
 +++ b/src/launch/policy.c
@@ -935,9 +935,7 @@ static int policy_export_console(Policy *policy, sd_bus_message *m, PolicyEntrie
         int r;
         /* check for overflow */
 -        c_assert(uid_start + n_uid >= uid_start);
 -        /* check for encoding into dbus `u` type */
 -        c_assert(uid_start + n_uid <= (uint32_t)-1);
 +        c_assert(n_uid == 0 || uid_start + n_uid - 1 >= uid_start);
         if (n_uid == 0)
                 return 0;
--- a/SOURCES/cve-2022-31212.patch
+++ b/SOURCES/cve-2022-31212.patch
@ -1,66 +0,0 @@
 From 7fd15f8e272136955f7ffc37df29fbca9ddceca1 Mon Sep 17 00:00:00 2001
 From: David Rheinsberg <david.rheinsberg@gmail.com>
 Date: Tue, 19 Apr 2022 13:11:02 +0200
 Subject: [PATCH] strnspn: fix buffer overflow
 Fix the strnspn and strncspn functions to use a properly sized buffer.
 It used to be 1 byte too short. Checking for `0xff` in a string will
 thus write `0xff` once byte beyond the stack space of the local buffer.
 Note that the public API does not allow to pass `0xff` to those
 functions. Therefore, this is a read-only buffer overrun, possibly
 causing bogus reports from the parser, but still well-defined.
 Reported-by: Steffen Robertz
 Signed-off-by: David Rheinsberg <david.rheinsberg@gmail.com>
 ---
 /subprojects/c-shquote/src/c-shquote.c    | 4 ++--
 /subprojects/c-shquote/src/test-private.c | 6 ++++++
 2 files changed, 8 insertions(+), 2 deletions(-)
 diff --git a//subprojects/c-shquote/src/c-shquote.c b//subprojects/c-shquote/src/c-shquote.c
 index b268906..abb55d6 100644
 --- a//subprojects/c-shquote/src/c-shquote.c
 +++ b//subprojects/c-shquote/src/c-shquote.c
@@ -85,7 +85,7 @@ int c_shquote_consume_char(char **outp,
 size_t c_shquote_strnspn(const char *string,
                         size_t n_string,
                         const char *accept) {
 -        bool buffer[UCHAR_MAX] = {};
 +        bool buffer[UCHAR_MAX + 1] = {};
         for ( ; *accept; ++accept)
                 buffer[(unsigned char)*accept] = true;
@@ -100,7 +100,7 @@ size_t c_shquote_strnspn(const char *string,
 size_t c_shquote_strncspn(const char *string,
                           size_t n_string,
                           const char *reject) {
 -        bool buffer[UCHAR_MAX] = {};
 +        bool buffer[UCHAR_MAX + 1] = {};
         if (strlen(reject) == 1) {
                 const char *p;
 diff --git a//subprojects/c-shquote/src/test-private.c b//subprojects/c-shquote/src/test-private.c
 index 57a7250..c6afe40 100644
 --- a//subprojects/c-shquote/src/test-private.c
 +++ b//subprojects/c-shquote/src/test-private.c
@@ -148,6 +148,9 @@ static void test_strnspn(void) {
         len = c_shquote_strnspn("ab", 2, "bc");
         c_assert(len == 0);
 +
 +        len = c_shquote_strnspn("ab", 2, "\xff");
 +        c_assert(len == 0);
 }
 static void test_strncspn(void) {
@@ -167,6 +170,9 @@ static void test_strncspn(void) {
         len = c_shquote_strncspn("ab", 2, "cd");
         c_assert(len == 2);
 +
 +        len = c_shquote_strncspn("ab", 2, "\xff");
 +        c_assert(len == 2);
 }
 static void test_discard_comment(void) {
--- a/SOURCES/cve-2022-31213.patch
+++ b/SOURCES/cve-2022-31213.patch
@ -1,35 +0,0 @@
 From 4fefc3908ce527de4ca3d7386886c2447d6b4c14 Mon Sep 17 00:00:00 2001
 From: David Rheinsberg <david.rheinsberg@gmail.com>
 Date: Tue, 19 Apr 2022 13:29:53 +0200
 Subject: [PATCH] launch/config: keep empty cdata around
 We expect the `node->cdata` pointer to contain the actual content of an
 XML entry. Make sure it is initialized to an empty string, so we can
 dereference it without checking for validity everywhere.
 Note that we want it to be an owned string, to allow claiming the value.
 We will avoid any `n_cdata + 'static ""` here, to keep the code simple.
 The performance of that strdup() merely affects XML parsing, no bus
 runtime.
 Reported-by: Steffen Robertz
 Signed-off-by: David Rheinsberg <david.rheinsberg@gmail.com>
 ---
 src/launch/config.c | 4 ++++
 1 file changed, 4 insertions(+)
 diff --git a/src/launch/config.c b/src/launch/config.c
 index 490d7b7d..cb7e3fae 100644
 --- a/src/launch/config.c
 +++ b/src/launch/config.c
@@ -133,6 +133,10 @@ int config_node_new(ConfigNode **nodep, ConfigNode *parent, unsigned int type) {
                 break;
         }
 +        node->cdata = strdup("");
 +        if (!node->cdata)
 +                return error_origin(-ENOMEM);
 +
         *nodep = node;
         node = NULL;
         return 0;
--- a/SPECS/dbus-broker.spec
+++ b/SPECS/dbus-broker.spec
@ -1,18 +1,22 @@
 ## START: Set by rpmautospec
 ## (rpmautospec version 0.6.5)
 ## RPMAUTOSPEC: autorelease, autochangelog
 %define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
    release_number = 6;
    base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
    print(release_number + base_release_number - 1);
 }%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
 ## END: Set by rpmautospec
 %global dbus_user_id 81
 Name:                 dbus-broker
-Version:              28
+Version:              35
-Release:              7%{?dist}
+Release:              %autorelease
 Summary:              Linux D-Bus Message Broker
-License:              ASL 2.0
+License:              Apache-2.0 AND LGPL-2.0-or-later AND LGPL-2.1-or-later AND (Apache-2.0 OR LGPL-2.1-or-later)
 URL:                  https://github.com/bus1/dbus-broker
 Source0:              https://github.com/bus1/dbus-broker/releases/download/v%{version}/dbus-broker-%{version}.tar.xz
 Patch0000:            https://github.com/bus1/dbus-broker/commit/1add8a7d60e46806e0ef87994d3024245db0d84a.patch
 Patch0001:            https://github.com/bus1/dbus-broker/commit/b82b670bfec6600d0144bcb9ca635fb07c80118f.patch
 Patch0002:            cve-2022-31212.patch
 Patch0003:            cve-2022-31213.patch
 Patch0004:            https://github.com/bus1/dbus-broker/commit/33e0595b1c7cf8fa0e7ca3a353f4380c1307dc25.patch
 %{?systemd_requires}
 BuildRequires:        pkgconfig(audit)
 BuildRequires:        pkgconfig(expat)
 BuildRequires:        pkgconfig(dbus-1)
@ -26,9 +30,6 @@ BuildRequires:        meson
 BuildRequires:        python3-docutils
 Requires:             dbus-common
 Requires(pre):        shadow-utils
 Requires(post):       /usr/bin/systemctl
 # for triggerpostun
 Requires:             /usr/bin/systemctl
 %description
 dbus-broker is an implementation of a message bus as defined by the D-Bus
@ -76,7 +77,7 @@ exit 0
 %systemd_user_postun dbus-broker.service
 %triggerpostun -- dbus-daemon
-if [ $2 -eq 0 ] ; then
+if [ $2 -eq 0 ] && [ -x /usr/bin/systemctl ] ; then
        # The `dbus-daemon` package used to provide the default D-Bus
        # implementation. We continue to make sure that if you uninstall it, we
        # re-evaluate whether to enable dbus-broker to replace it. If we didnt,
@ -98,22 +99,66 @@ fi
 %{_userunitdir}/dbus-broker.service
 %changelog
-* Mon Aug 22 2022 Frantisek Sumsal <fsumsal@redhat.com> - 28-7
+## START: Generated by rpmautospec
- Add coverage for CVE-2022-31213 and other config-file-related issues
+* Wed Jul 03 2024 Jakub Martisko <jamartis@redhat.com> - 35-6
-Related: CVE-2022-31213
+- Fix the license string (case sensitivity) in the spec file
 * Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 35-5
 - Bump release for June 2024 mass rebuild
 * Wed Jan 24 2024 Fedora Release Engineering <releng@fedoraproject.org> - 35-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
 * Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 35-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
 * Thu Dec 21 2023 David Rheinsberg <david@readahead.eu> - 35-2
 - dbus-broker: drop old patch files
 * Thu Dec 21 2023 David Rheinsberg <david@readahead.eu> - 35-1
 - dbus-broker: update to v35
 * Fri Dec 15 2023 Daan De Meyer <daan.j.demeyer@gmail.com> - 34-1
 - dbus-broker: update to v34
 * Tue Oct 03 2023 Daan De Meyer <daan.j.demeyer@gmail.com> - 33-5
 - dbus-broker: Backport selinux permissive support
 * Wed Jul 26 2023 Lukáš Zaoral <lzaoral@redhat.com> - 33-3
 - migrate to SPDX license format
 * Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 33-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
 * Mon Feb  6 2023 David Rheinsberg <david@readahead.eu> - 33-1
 - Update to upstream v33.
 * Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 32-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
 * Fri Aug  5 2022 David Rheinsberg <david.rheinsberg@gmail.com> - 32-1
 - Update to upstream v32.
 * Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 31-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
 * Mon May 16 2022 David Rheinsberg <david.rheinsberg@gmail.com> - 31-1
 - Update to upstream v31.
 * Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 29-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
 * Fri Oct 01 2021 Kalev Lember <klember@redhat.com> - 29-4
 - Avoid systemd_requires as per updated packaging guidelines
-* Tue Aug 02 2022 Jakub Martisko <jamartis@redhat.com> - 28-6
+* Thu Jul 29 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 29-3
- Fix a stack buffer over-read in the c-shquote library
+- Drop the ordering on sysinit.target (#1976653)
 - Fix null pointer reference when supplying a malformed XML config file
 Resolves: CVE-2022-31212
 Resolves: CVE-2022-31213
-* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 28-5
+* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 29-2
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
  Related: rhbz#1991688
-* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 28-4
+* Thu Jun 24 2021 David Rheinsberg <david.rheinsberg@gmail.com> - 29-1
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+- Update to upstream v29 with additional fixes.
 * Thu Mar 18 2021 David Rheinsberg <david.rheinsberg@gmail.com> - 28-3
 - Apply another fix for incorrect at_console range assertion.
@ -315,3 +360,4 @@ Resolves: CVE-2022-31213
 * Sun Aug 13 2017 Tom Gundersen <teg@jklm.no> - 1-1
 - Initial RPM release
 ## END: Generated by rpmautospec
`@ -1 +1 @@`
	`2602b87b336875bc1fd6866004f16013e6cf3fe4 SOURCES/dbus-broker-28.tar.xz`	`a3b28df004f1df47ae7cf4d5e47ab6a70f79638b SOURCES/dbus-broker-35.tar.xz`
`@ -1 +1 @@`
	`SOURCES/dbus-broker-28.tar.xz`	`SOURCES/dbus-broker-35.tar.xz`