Security fix for SA44896, D-Bus Message Byte Order Denial of Service Weakness

Fix from upstream git. ok aja@ (MAINTAINER)
2011-06-13 17:14:58 +00:00 · 2011-06-13 17:14:58 +00:00 · aeaf5d28c3
commit aeaf5d28c3
parent 0fd16184f6
2 changed files with 39 additions and 1 deletions
--- a/x11/dbus/Makefile
+++ b/x11/dbus/Makefile
@ -1,8 +1,9 @@
-# $OpenBSD: Makefile,v 1.66 2011/06/03 16:51:23 ajacoutot Exp $
+# $OpenBSD: Makefile,v 1.67 2011/06/13 17:14:58 jasper Exp $

 COMMENT=	message bus system

 DISTNAME=	dbus-1.4.10
+REVISION=	0
 EPOCH=		0

 SHARED_LIBS +=	dbus-1	9.1 # .8.6
--- a/x11/dbus/patches/patch-dbus_dbus-marshal-header_c
+++ b/x11/dbus/patches/patch-dbus_dbus-marshal-header_c
@ -0,0 +1,37 @@
+$OpenBSD: patch-dbus_dbus-marshal-header_c,v 1.1 2011/06/13 17:14:58 jasper Exp $
+
+Security fix for SA44896:
+From c3223ba6c401ba81df1305851312a47c485e6cd7 Mon Sep 17 00:00:00 2001
+From: Simon McVittie <simon.mcvittie@collabora.co.uk>
+Date: Thu, 09 Jun 2011 16:52:10 +0000
+Subject: _dbus_header_byteswap: change the first byte of the message, not just the struct member
+
+This has been wrong approximately forever, for instance see:
+http://lists.freedesktop.org/archives/dbus/2007-March/007357.html
+
+Bug: https://bugs.freedesktop.org/show_bug.cgi?id=38120
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=629938
+
+--- dbus/dbus-marshal-header.c.orig	Thu Jan 27 13:52:00 2011
+++ dbus/dbus-marshal-header.c	Mon Jun 13 19:05:56 2011
+@@ -1468,14 +1468,20 @@ void
+ _dbus_header_byteswap (DBusHeader *header,
+                        int         new_order)
+ {
+  unsigned char byte_order;
+
+   if (header->byte_order == new_order)
+     return;
+ 
+  byte_order = _dbus_string_get_byte (&header->data, BYTE_ORDER_OFFSET);
+  _dbus_assert (header->byte_order == byte_order);
+
+   _dbus_marshal_byteswap (&_dbus_header_signature_str,
+                           0, header->byte_order,
+                           new_order,
+                           &header->data, 0);
+ 
+  _dbus_string_set_byte (&header->data, BYTE_ORDER_OFFSET, new_order);
+   header->byte_order = new_order;
+ }
+