As described in (at least) these mailing list messages:
http://lists.freedesktop.org/archives/dbus/2007-March/007357.html
http://lists.freedesktop.org/archives/dbus/2011-May/014408.html
when libdbus byteswaps a message into native order, it doesn't alter byte 0 of the fixed header (the byte order). Normally this is harmless, but if you're going to forward the message to another connection (e.g. you are dbus-daemon), badness occurs. If someone had opened a bug back in 2007, this might have been fixed by now. Or maybe not. I believe I've fixed this (the fix that Havoc suggested in 2007 looks obviously-correct), but I'm going to construct a test-case so this doesn't come back.
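The mismatch described in that report, shown as an added C example that is not libdbus code: a minimal model of the 16-byte fixed header, a byteswap routine that can either leave byte 0 alone (the old behaviour) or update it (the fix), and a reader that trusts byte 0 the way a receiver or forwarding daemon must. The helper names and the simplified header layout are this example's own assumptions.

```c
#include <stdint.h>
#include <string.h>
/* Constructed example, not libdbus code. D-Bus fixed header (16 bytes):
 * byte 0 = endianness marker ('l' little, 'B' big); bytes 4-7 body length,
 * 8-11 serial, 12-15 header-field array length, in the order byte 0 names. */
#define DBUS_LITTLE_ENDIAN 'l'
#define DBUS_BIG_ENDIAN    'B'
static uint32_t swap32(uint32_t v) {
    return (v >> 24) | ((v >> 8) & 0xff00) | ((v << 8) & 0xff0000) | (v << 24);
}
static char native_byte_order(void) {
    uint16_t probe = 1;
    return *(unsigned char *)&probe == 1 ? DBUS_LITTLE_ENDIAN : DBUS_BIG_ENDIAN;
}
static void put32(unsigned char *p, uint32_t v, char order) {
    for (int i = 0; i < 4; i++)
        p[i] = (unsigned char)(v >> (order == DBUS_BIG_ENDIAN ? 24 - 8 * i : 8 * i));
}
/* Build a METHOD_CALL header (protocol version 1) in the given byte order. */
void make_fixed_header(unsigned char *buf, char order, uint32_t body_len, uint32_t serial) {
    buf[0] = (unsigned char)order; buf[1] = 1; buf[2] = 0; buf[3] = 1;
    put32(buf + 4, body_len, order); put32(buf + 8, serial, order); put32(buf + 12, 0, order);
}
/* Read the body length as any receiver or forwarder must: trust byte 0. */
uint32_t header_body_length(const unsigned char *buf) {
    uint32_t v; memcpy(&v, buf + 4, 4);
    return buf[0] == native_byte_order() ? v : swap32(v);
}
/* Swap the fixed header into native order. fix_marker == 0 reproduces the
 * pre-fix behaviour: the integer fields are swapped but byte 0 still names the
 * old order, so a later reader (e.g. a forwarding daemon) decodes them wrongly. */
int header_to_native(unsigned char *buf, size_t len, int fix_marker) {
    if (len < 16 || (buf[0] != DBUS_LITTLE_ENDIAN && buf[0] != DBUS_BIG_ENDIAN))
        return -1;
    if (buf[0] == native_byte_order()) return 0;
    for (size_t off = 4; off < 16; off += 4) { uint32_t v; memcpy(&v, buf + off, 4); v = swap32(v); memcpy(buf + off, &v, 4); }
    if (fix_marker) buf[0] = (unsigned char)native_byte_order();
    return 0;
}
/* Scenario: a non-native-order header with body length 16 is swapped and
 * re-read; returns 16 with the fix, a garbage length without it. */
uint32_t body_length_after_swap(int fix_marker) {
    unsigned char hdr[16];
    char foreign = native_byte_order() == DBUS_LITTLE_ENDIAN ? DBUS_BIG_ENDIAN : DBUS_LITTLE_ENDIAN;
    make_fixed_header(hdr, foreign, 16, 1);
    header_to_native(hdr, sizeof hdr, fix_marker);
    return header_body_length(hdr);
}
```

With the marker left stale, the 16-byte body length is re-read as 0x10000000, which is the kind of wildly wrong length that makes a receiving connection give up on the stream.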
Created attachment 47779: _dbus_header_byteswap: change the first byte of the message, not just the struct member. This has been wrong approximately forever, for instance see: http://lists.freedesktop.org/archives/dbus/2007-March/007357.html
Created attachment 47780: Add a test for marshalling and endian-swapping. This requires the infrastructure from Bug #34570.
Created attachment 47781: dbus_message_demarshal_bytes_needed: correct a wrong assertion. It's entirely possible for a message to indicate how many bytes we need, without actually being complete. (The other caller of _dbus_header_have_message_untrusted seems to be correct.)
Created attachment 47782: marshal test: test dbus_message_demarshal_bytes_needed (Requires Attachment #47780)
Created attachment 47783: Test that a message with the byte order mangled causes disconnection but no crash (Requires more commits from Bug #34570)
Created attachment 47784: Add a test for marshalling and endian-swapping (v2). Replacement for Attachment #47780, now with less reliance on implementation details.
This is also <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=629938>. I've asked the Debian security team to allocate a CVE ID, since this could be used as a local DoS.
Review of attachment 47781: This looks fine.
Review of attachment 47779: Looks correct. (Next up, reviewing the tests…)
Comment on attachment 47779 (_dbus_header_byteswap: change the first byte of the message, not just the struct member): Actual bugs fixed in git for 1.4.12, will be merged to master before 1.5.4. Tests awaiting review.
Fixed in git for 1.2.28, 1.4.12 and 1.5.4. Still waiting for a CVE number from the Debian security team, but if I don't get one soon I'll just release anyway.
This is CVE-2011-2200. See the Debian bug for a standalone version of the test case from Attachment #47784.