rpms/dbus/F-10 0001-Bug-17803-Fix-both-test-case-and-validation-logic.patch, NONE, 1.1 dbus.spec, 1.156, 1.157

Colin Walters walters at fedoraproject.org
Thu May 7 21:05:43 UTC 2009


Author: walters

Update of /cvs/pkgs/rpms/dbus/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv3787

Modified Files:
	dbus.spec 
Added Files:
	0001-Bug-17803-Fix-both-test-case-and-validation-logic.patch 
Log Message:
* Thu May 07 2009 Colin Walters <walters at verbum.org> - 1.2.4-3
- Add patch for CVE-2009-1189


0001-Bug-17803-Fix-both-test-case-and-validation-logic.patch:

--- NEW FILE 0001-Bug-17803-Fix-both-test-case-and-validation-logic.patch ---
>From a61803cdb3c4166e10e9e33e4c39aeca0163a96c Mon Sep 17 00:00:00 2001
From: Colin Walters <walters at verbum.org>
Date: Wed, 1 Apr 2009 12:02:00 -0400
Subject: [PATCH] Bug 17803 - Fix both test case and validation logic

The previous commit had errors in both the test case and
the validation logic.  The test case was missing a trailing
comma before the previous one, so we weren't testing the
signature we thought we were.

The validation logic was wrong because if the type was not valid,
we'd drop through the entire if clause, and thus skip returning
an error code, and accept the signature.
---
 dbus/dbus-marshal-validate-util.c |    2 +-
 dbus/dbus-marshal-validate.c      |   13 +++++++------
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/dbus/dbus-marshal-validate-util.c b/dbus/dbus-marshal-validate-util.c
index 5365d6d..ac901c3 100644
--- a/dbus/dbus-marshal-validate-util.c
+++ b/dbus/dbus-marshal-validate-util.c
@@ -227,7 +227,7 @@ _dbus_marshal_validate_test (void)
     "not a valid signature",
     "123",
     ".",
-    "("
+    "(",
     "a{(ii)i}" /* https://bugs.freedesktop.org/show_bug.cgi?id=17803 */
   };
 
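Review bot: The last initializer, "a{(ii)i}", still has no trailing comma, so the next string appended to this array can be silently concatenated with it, exactly as "(" was before this fix. Add a comma after "a{(ii)i}" (before the comment) so that every entry is terminated and a future addition cannot merge two test signatures into one.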
diff --git a/dbus/dbus-marshal-validate.c b/dbus/dbus-marshal-validate.c
index 35998cb..ee95548 100644
--- a/dbus/dbus-marshal-validate.c
+++ b/dbus/dbus-marshal-validate.c
@@ -246,14 +246,15 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
 	    }
         }
 
-      if (last == DBUS_DICT_ENTRY_BEGIN_CHAR &&
-          _dbus_type_is_valid (*p) &&
-          !dbus_type_is_basic (*p))
+      if (last == DBUS_DICT_ENTRY_BEGIN_CHAR)
         {
-          result = DBUS_INVALID_DICT_KEY_MUST_BE_BASIC_TYPE;
-          goto out;
+          if (!(_dbus_type_is_valid (*p) && dbus_type_is_basic (*p)))
+            {
+              result = DBUS_INVALID_DICT_KEY_MUST_BE_BASIC_TYPE;
+              goto out;
+            }
         }
-        
+
       last = *p;
       ++p;
     }
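Review bot: In the new inner check, "if (!(_dbus_type_is_valid (*p) && dbus_type_is_basic (*p)))", a key character that fails _dbus_type_is_valid is reported as DBUS_INVALID_DICT_KEY_MUST_BE_BASIC_TYPE, and nothing in the code says that this is deliberate. A one-line comment above the check, stating that anything other than a valid basic type after DBUS_DICT_ENTRY_BEGIN_CHAR is rejected, including characters that are not type codes at all, would keep a later cleanup from reintroducing the fall-through that accepted the signature.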
-- 
1.6.0.6



Index: dbus.spec
===================================================================
RCS file: /cvs/pkgs/rpms/dbus/F-10/dbus.spec,v
retrieving revision 1.156
retrieving revision 1.157
diff -u -p -r1.156 -r1.157
--- dbus.spec	13 Dec 2008 02:32:01 -0000	1.156
+++ dbus.spec	7 May 2009 21:05:13 -0000	1.157
@@ -9,7 +9,7 @@ Summary: D-BUS message bus
 Name: dbus
 Epoch: 1
 Version: 1.2.4
-Release: 2%{?dist}
+Release: 3%{?dist}
 URL: http://www.freedesktop.org/software/dbus/
 Source0: http://dbus.freedesktop.org/releases/dbus/%{name}-%{version}.tar.gz
 Source1: doxygen_to_devhelp.xsl
@@ -42,6 +42,8 @@ Patch0: start-early.patch
 Patch1: dbus-1.0.1-generate-xml-docs.patch
 Patch6: dbus-1.2.1-increase-timeout.patch
 
+Patch10: 0001-Bug-17803-Fix-both-test-case-and-validation-logic.patch
+
 %description
 D-BUS is a system for sending messages between applications. It is
 used both for the system-wide message bus service, and as a
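Review bot: Patch10 is added with no comment on where it comes from, unlike the changelog and the %patch10 backup suffix, which both name the CVE. Put a comment line directly above "Patch10:" giving the upstream bug (https://bugs.freedesktop.org/show_bug.cgi?id=17803, as cited inside the patch) and CVE-2009-1189, so it is clear from the spec alone when the patch can be dropped on the next rebase.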
@@ -96,6 +98,8 @@ in this separate package so server syste
 %patch1 -p1 -b .generate-xml-docs
 %patch6 -p1 -b .increase-timeout
 
+%patch10 -p1 -b .cve-2009-1189
+
 autoreconf -f -i
 
 %build
@@ -226,6 +230,9 @@ fi
 %{_includedir}/*
 
 %changelog
+* Thu May 07 2009 Colin Walters <walters at verbum.org> - 1.2.4-3
+- Add patch for CVE-2009-1189
+
 * Fri Dec 12 2008 Colin Walters <walters at redhat.com> - 1.2.4-2
 - Revert to 1.2.4, add epoch
   Too many things broke with this, it looks like there's no way



