Fix CVE-2022-31212 and CVE-31213

(cherry picked from commit 0ddeb3f8e2e2a7c63ce54bb5fd865ee2fcd7ff2f)
2022-11-22 15:55:23 +08:00 · 2022-11-22 15:55:23 +08:00 · 46436b74bb
commit 46436b74bb
parent e85517fcd8
3 changed files with 114 additions and 1 deletions
--- a/backport-CVE-2022-31212.patch
+++ b/backport-CVE-2022-31212.patch
@ -0,0 +1,69 @@
+From 7fd15f8e272136955f7ffc37df29fbca9ddceca1 Mon Sep 17 00:00:00 2001
+From: David Rheinsberg <david.rheinsberg@gmail.com>
+Date: Tue, 19 Apr 2022 13:11:02 +0200
+Subject: [PATCH] strnspn: fix buffer overflow
+
+Fix the strnspn and strncspn functions to use a properly sized buffer.
+It used to be 1 byte too short. Checking for `0xff` in a string will
+thus write `0xff` once byte beyond the stack space of the local buffer.
+
+Note that the public API does not allow to pass `0xff` to those
+functions. Therefore, this is a read-only buffer overrun, possibly
+causing bogus reports from the parser, but still well-defined.
+
+Reported-by: Steffen Robertz
+Signed-off-by: David Rheinsberg <david.rheinsberg@gmail.com>
+---
+ src/c-shquote.c    | 4 ++--
+ src/test-private.c | 6 ++++++
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/ubprojects/c-shquote/rc/c-shquote.c b/subprojects/c-shquote/src/c-shquote.c
+index b268906..abb55d6 100644
+--- a/subprojects/c-shquote/src/c-shquote.c
+++ b/subprojects/c-shquote/src/c-shquote.c
+@@ -85,7 +85,7 @@ int c_shquote_consume_char(char **outp,
+ size_t c_shquote_strnspn(const char *string,
+                         size_t n_string,
+                         const char *accept) {
+-        bool buffer[UCHAR_MAX] = {};
+        bool buffer[UCHAR_MAX + 1] = {};
+ 
+         for ( ; *accept; ++accept)
+                 buffer[(unsigned char)*accept] = true;
+@@ -100,7 +100,7 @@ size_t c_shquote_strnspn(const char *string,
+ size_t c_shquote_strncspn(const char *string,
+                           size_t n_string,
+                           const char *reject) {
+-        bool buffer[UCHAR_MAX] = {};
+        bool buffer[UCHAR_MAX + 1] = {};
+ 
+         if (strlen(reject) == 1) {
+                 const char *p;
+diff --git a/subprojects/c-shquote/src/test-private.c b/subprojects/c-shquote/src/test-private.c
+index 57a7250..c6afe40 100644
+--- a/subprojects/c-shquote/src/test-private.c
+++ b/subprojects/c-shquote/src/test-private.c
+@@ -148,6 +148,9 @@ static void test_strnspn(void) {
+ 
+         len = c_shquote_strnspn("ab", 2, "bc");
+         c_assert(len == 0);
+
+        len = c_shquote_strnspn("ab", 2, "\xff");
+        c_assert(len == 0);
+ }
+ 
+ static void test_strncspn(void) {
+@@ -167,6 +170,9 @@ static void test_strncspn(void) {
+ 
+         len = c_shquote_strncspn("ab", 2, "cd");
+         c_assert(len == 2);
+
+        len = c_shquote_strncspn("ab", 2, "\xff");
+        c_assert(len == 2);
+ }
+ 
+ static void test_discard_comment(void) {
+-- 
+2.27.0
+
--- a/backport-CVE-2022-31213.patch
+++ b/backport-CVE-2022-31213.patch
@ -0,0 +1,38 @@
+From 4fefc3908ce527de4ca3d7386886c2447d6b4c14 Mon Sep 17 00:00:00 2001
+From: David Rheinsberg <david.rheinsberg@gmail.com>
+Date: Tue, 19 Apr 2022 13:29:53 +0200
+Subject: [PATCH] launch/config: keep empty cdata around
+
+We expect the `node->cdata` pointer to contain the actual content of an
+XML entry. Make sure it is initialized to an empty string, so we can
+dereference it without checking for validity everywhere.
+
+Note that we want it to be an owned string, to allow claiming the value.
+We will avoid any `n_cdata + 'static ""` here, to keep the code simple.
+The performance of that strdup() merely affects XML parsing, no bus
+runtime.
+
+Reported-by: Steffen Robertz
+Signed-off-by: David Rheinsberg <david.rheinsberg@gmail.com>
+---
+ src/launch/config.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/launch/config.c b/src/launch/config.c
+index 490d7b7..cb7e3fa 100644
+--- a/src/launch/config.c
+++ b/src/launch/config.c
+@@ -133,6 +133,10 @@ int config_node_new(ConfigNode **nodep, ConfigNode *parent, unsigned int type) {
+                 break;
+         }
+ 
+        node->cdata = strdup("");
+        if (!node->cdata)
+                return error_origin(-ENOMEM);
+
+         *nodep = node;
+         node = NULL;
+         return 0;
+-- 
+2.27.0
+
--- a/dbus-broker.spec
+++ b/dbus-broker.spec
@ -1,11 +1,14 @@
 Name:     dbus-broker
 Version:  29
-Release:  3
+Release:  4
 Summary:  Linux D-Bus Message Broker
 License:  Apache License 2.0
 URL:      https://github.com/bus1/dbus-broker
 Source0:  https://github.com/bus1/dbus-broker/releases/download/v%{version}/%{name}-%{version}.tar.xz

+Patch0001:  backport-CVE-2022-31213.patch
+Patch0002:  backport-CVE-2022-31212.patch
+
 BuildRequires:  cmake gcc glibc-devel meson python-docutils dbus
 BuildRequires:  pkgconfig(expat) pkgconfig(libsystemd) pkgconfig(libselinux)
 BuildRequires:  pkgconfig(systemd) pkgconfig(audit) pkgconfig(libcap-ng)
@ -71,6 +74,9 @@ fi
 %{_userunitdir}/dbus-broker.service

 %changelog
+* Tue Nov 22 2022 hongjinghao<hongjinghao@huawei.com> - 29-4
+- Fix CVE-2022-31212 and CVE-31213
+
 * Tue Nov 08 2022 licunlong<licunlong1@huawei.com> - 29-3
 - Enable test-parallel