Fix CVE-2020-12049: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12049 https://lists.freedesktop.org/archives/ftp-release/2020-June/000753.html Taken from upstream: https://gitlab.freedesktop.org/dbus/dbus/-/commit/272d484283883fa9ff95b69d924fff6cd34842f5 diff --git a/dbus/dbus-sysdeps-unix.c b/dbus/dbus-sysdeps-unix.c --- a/dbus/dbus-sysdeps-unix.c +++ b/dbus/dbus-sysdeps-unix.c @@ -435,18 +435,6 @@ _dbus_read_socket_with_unix_fds (DBusSocket fd, struct cmsghdr *cm; dbus_bool_t found = FALSE; - if (m.msg_flags & MSG_CTRUNC) - { - /* Hmm, apparently the control data was truncated. The bad - thing is that we might have completely lost a couple of fds - without chance to recover them. Hence let's treat this as a - serious error. */ - - errno = ENOSPC; - _dbus_string_set_length (buffer, start); - return -1; - } - for (cm = CMSG_FIRSTHDR(&m); cm; cm = CMSG_NXTHDR(&m, cm)) if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_RIGHTS) { @@ -501,6 +489,26 @@ _dbus_read_socket_with_unix_fds (DBusSocket fd, if (!found) *n_fds = 0; + if (m.msg_flags & MSG_CTRUNC) + { + unsigned int i; + + /* Hmm, apparently the control data was truncated. The bad + thing is that we might have completely lost a couple of fds + without chance to recover them. Hence let's treat this as a + serious error. */ + + /* We still need to close whatever fds we *did* receive, + * otherwise they'll never get closed. (CVE-2020-12049) */ + for (i = 0; i < *n_fds; i++) + close (fds[i]); + + *n_fds = 0; + errno = ENOSPC; + _dbus_string_set_length (buffer, start); + return -1; + } + /* put length back (doesn't actually realloc) */ _dbus_string_set_length (buffer, start + bytes_read); >
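Review bot: In the first hunk (@@ -435,18 +435,6 @@), removing the early `if (m.msg_flags & MSG_CTRUNC)` return means the `for (cm = CMSG_FIRSTHDR(&m); cm; cm = CMSG_NXTHDR(&m, cm))` loop now runs on control data that has been flagged as truncated, and nothing at the loop says this is intentional. Add a short comment above the loop stating that the truncation check is deferred until after SCM_RIGHTS has been parsed so that received fds can be closed. Without it, a later cleanup could move the check back to the top and reintroduce the problem that the new "(CVE-2020-12049)" comment describes.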
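Review bot: In the second hunk (@@ -501,6 +489,26 @@), the cleanup loop calls bare `close (fds[i])` and leaves the closed descriptor numbers in `fds[]`. `*n_fds = 0` tells the caller to ignore them, but also writing `fds[i] = -1` after each close would make an accidental second close by a caller harmless. The block also depends on sitting after `if (!found) *n_fds = 0;`, because that line resets the count used as the loop bound when no SCM_RIGHTS message was found; a one-line comment noting that ordering would help. The diff touches only dbus/dbus-sysdeps-unix.c, so no test accompanies it that triggers MSG_CTRUNC and checks that no descriptors remain open.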
path: root/etc/release-manifest.scm
Age | Commit message | Author
2020-11-08 | maint: Reduce the package set for "i586-gnu". * etc/release-manifest.scm (%base-packages/hurd): New variable. (%base-manifest): Use it when SYSTEM is "i586-gnu". | Ludovic Courtès
2020-10-13 | installer: Add Emacs EXWM desktop environment. Suggested by zenny via IRC. * gnu/installer/services.scm (%system-services): Add emacs, emacs-exwm, emacs-desktop-environment. * etc/release-manifest.scm (%system-packages): Likewise. * gnu/system/examples/lightweight-desktop.tmpl: Likewise. * gnu/tests/install.scm (installation-target-desktop-os-for-gui-tests) [packages]: Likewise * gnu/installer/newt/services.scm (run-desktop-environments-cbt-page): Make one entry taller. | Jan (janneke) Nieuwenhuizen
2020-04-15 | Merge branch 'master' into core-updates | Marius Bakke
2020-04-14 | maint: Ensure substitutes are available for '%default-xorg-modules'. * etc/release-manifest.scm (%system-packages): Append %DEFAULT-XORG-MODULES. | Ludovic Courtès
2020-04-14 | maint: Actually check for the availability of system packages. * etc/release-manifest.scm (%system-manifest): New variable. <top level>: Add it in 'concatenate-manifests' call. | Ludovic Courtès
2020-04-08 | maint: Adjust release manifest for Guile 3.0 switch. * etc/release-manifest.scm (%packages-to-cross-build): Refer to GUILE-3.0/FIXED instead of GUILE-2.2/FIXED. | Marius Bakke
2020-04-08 | maint: Cross-build GUILE-2.2/FIXED. * etc/release-manifest.scm (%packages-to-cross-build): Replace "guile@2.2" with GUILE-2.2/FIXED. | Ludovic Courtès
2020-04-07 | maint: Remove GCC from the packages to cross-build. * etc/release-manifest.scm (%packages-to-cross-build): Remove GCC. | Ludovic Courtès
2020-04-04 | maint: Remove unsupported cross-compilation jobs from 'release-manifest.scm'. * etc/release-manifest.scm (%packages-to-cross-build-for-mingw): New variable. (%cross-manifest): Use it. Remove "riscv64-linux-gnu" from %CROSS-TARGETS. | Ludovic Courtès
2020-03-13 | maint: Add 'etc/release-manifest.scm'. * etc/release-manifest.scm: New file. * gnu/ci.scm (%cross-targets): Export. * build-aux/check-available-binaries.scm: Remove. * Makefile.am (EXTRA_DIST): Add 'etc/release-manifest.scm' and remove 'build-aux/check-available-binaries.scm'. (assert-binaries-available): Rewrite using 'guix weather -m'. | Ludovic Courtès