author | Baruch Siach <baruch@tkos.co.il> | 2019-02-26 20:15:34 +0200 |
---|---|---|
committer | Peter Korsgaard <peter@korsgaard.com> | 2019-02-26 19:41:17 +0100 |
commit | c12b32ba46bf959d884af7340c24f3981a34693f (patch) | |
tree | 45053f0f119cf982611bb2e980525b0e7f73f5ec /package/systemd/0018-Refuse-dbus-message-paths-longer-than-BUS_PATH_SIZE_.patch | |
parent | 759c9623aa88d7721529ac9f83b892183fb26edf (diff) | |
download | buildroot-c12b32ba46bf959d884af7340c24f3981a34693f.tar.gz buildroot-c12b32ba46bf959d884af7340c24f3981a34693f.zip |
package/systemd: add upstream security fixes
CVE-2019-6454: systemd (PID1) crash with specially crafted D-Bus message
from unprivileged user
Cc: Maxime Hadjinlian <maxime.hadjinlian@gmail.com>
Cc: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Diffstat (limited to 'package/systemd/0018-Refuse-dbus-message-paths-longer-than-BUS_PATH_SIZE_.patch')
-rw-r--r-- | package/systemd/0018-Refuse-dbus-message-paths-longer-than-BUS_PATH_SIZE_.patch | 53 |
1 files changed, 53 insertions, 0 deletions
diff --git a/package/systemd/0018-Refuse-dbus-message-paths-longer-than-BUS_PATH_SIZE_.patch b/package/systemd/0018-Refuse-dbus-message-paths-longer-than-BUS_PATH_SIZE_.patch
new file mode 100644
index 0000000000..2de3b71b5c
--- /dev/null
+++ b/package/systemd/0018-Refuse-dbus-message-paths-longer-than-BUS_PATH_SIZE_.patch
@@ -0,0 +1,53 @@
+From febef5e18558c114f4fb7c94f6c8ed3520c50cdf Mon Sep 17 00:00:00 2001
+From: Riccardo Schirone <rschiron@redhat.com>
+Date: Mon, 4 Feb 2019 14:29:09 +0100
+Subject: [PATCH] Refuse dbus message paths longer than BUS_PATH_SIZE_MAX
+ limit.
+
+Even though the dbus specification does not enforce any length limit on the
+path of a dbus message, having to analyze too long strings in PID1 may be
+time-consuming and it may have security impacts.
+
+In any case, the limit is set so high that real-life applications should not
+have a problem with it.
+
+(cherry picked from commit 61397a60d98e368a5720b37e83f3169e3eb511c4)
+Signed-off-by: Baruch Siach <baruch@tkos.co.il>
+---
+Upstream status: commit 61397a60d98
+
+ src/libsystemd/sd-bus/bus-internal.c | 2 +-
+ src/libsystemd/sd-bus/bus-internal.h | 4 ++++
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/libsystemd/sd-bus/bus-internal.c b/src/libsystemd/sd-bus/bus-internal.c
+index 40acae213381..598b7f110c73 100644
+--- a/src/libsystemd/sd-bus/bus-internal.c
++++ b/src/libsystemd/sd-bus/bus-internal.c
+@@ -43,7 +43,7 @@ bool object_path_is_valid(const char *p) {
+ if (slash)
+ return false;
+
+- return true;
++ return (q - p) <= BUS_PATH_SIZE_MAX;
+ }
+
+ char* object_path_startswith(const char *a, const char *b) {
+diff --git a/src/libsystemd/sd-bus/bus-internal.h b/src/libsystemd/sd-bus/bus-internal.h
+index f208b294d8f1..a8d61bf72a4e 100644
+--- a/src/libsystemd/sd-bus/bus-internal.h
++++ b/src/libsystemd/sd-bus/bus-internal.h
+@@ -332,6 +332,10 @@ struct sd_bus {
+
+ #define BUS_MESSAGE_SIZE_MAX (128*1024*1024)
+ #define BUS_AUTH_SIZE_MAX (64*1024)
++/* Note that the D-Bus specification states that bus paths shall have no size limit. We enforce here one
++ * anyway, since truly unbounded strings are a security problem. The limit we pick is relatively large however,
++ * to not clash unnecessarily with real-life applications. */
++#define BUS_PATH_SIZE_MAX (64*1024)
+
+ #define BUS_CONTAINER_DEPTH 128
+
+--
+2.20.1
+ |
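Review bot: The bound added at `return (q - p) <= BUS_PATH_SIZE_MAX;` is evaluated only after object_path_is_valid() has walked the whole string, and it still admits paths of up to 64 KiB, so on its own it limits what is accepted rather than how later code copies or stores the path. As far as I know, upstream paired this limit with a second change that moves temporary copies of D-Bus paths off the stack; the diffstat here is limited to 0018, so confirm that the companion patch is carried in the same series before treating CVE-2019-6454 as closed. The embedded patch header never names the issue it backports, which makes later audits of package/systemd harder; I would add a line such as `Part of the fix for CVE-2019-6454.` above the cherry-pick line. The body of object_path_is_valid() begins outside the inner hunk, so the scan loop that produces `q` is not visible here.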