Patch dnf5 CVE-2024-1929, CVE-2024-1930, CVE-2024-2746 [High] (#13646)

Signed-off-by: Kanishk-Bansal <kbkanishk975@gmail.com>
Co-authored-by: Pawel Winogrodzki <pawelwi@microsoft.com>
(cherry picked from commit 53538e4)

Author: 2 people

SPECS/dnf5/CVE-2024-1929.patch

@@ -0,0 +1,64 @@
+From 6e51bf2f0d585ab661806076c1e428c6482ddf86 Mon Sep 17 00:00:00 2001
+From: Marek Blaha <mblaha@redhat.com>
+Date: Tue, 23 Jan 2024 10:08:51 +0100
+Subject: [PATCH] dnfdaemon: Explicitly specify allowed config overrides
+
+Limit main config options overrides for dnfdaemon session only to
+those explicitely allowed.
+---
+ dnf5daemon-server/session.cpp | 35 ++++++++++++++++++++++++++++++++++-
+ 1 file changed, 34 insertions(+), 1 deletion(-)
+
+diff --git a/dnf5daemon-server/session.cpp b/dnf5daemon-server/session.cpp
+index b5f2415b4..5322ddc08 100644
+--- a/dnf5daemon-server/session.cpp
++++ b/dnf5daemon-server/session.cpp
+@@ -37,6 +37,34 @@ along with libdnf.  If not, see <https://www.gnu.org/licenses/>.
+ #include <iostream>
+ #include <string>
+ 
++static const std::unordered_set<std::string> ALLOWED_MAIN_CONF_OVERRIDES = {
++    "allow_downgrade",
++    "allow_vendor_change",
++    "best",
++    "clean_requirements_on_remove",
++    "disable_excludes",
++    "exclude_from_weak",
++    "exclude_from_weak_autodetect",
++    "excludepkgs",
++    "ignorearch",
++    "includepkgs",
++    "installonly_limit",
++    "installonlypkgs",
++    "install_weak_deps",
++    "keepcache",
++    "module_obsoletes",
++    "module_platform_id",
++    "module_stream_switch",
++    "multilib_policy",
++    "obsoletes",
++    "optional_metadata_types",
++    "protect_running_kernel",
++    "reposdir",
++    "skip_broken",
++    "skip_if_unavailable",
++    "skip_unavailable",
++    "strict",
++};
+ 
+ Session::Session(
+     std::vector<std::unique_ptr<libdnf5::Logger>> && loggers,
+@@ -65,7 +93,12 @@ Session::Session(
+         auto value = opt.second;
+         auto bind = opt_binds.find(key);
+         if (bind != opt_binds.end()) {
+-            bind->second.new_string(libdnf5::Option::Priority::RUNTIME, value);
++            if (ALLOWED_MAIN_CONF_OVERRIDES.find(key) != ALLOWED_MAIN_CONF_OVERRIDES.end()) {
++                bind->second.new_string(libdnf5::Option::Priority::RUNTIME, value);
++            } else {
++                base->get_logger()->warning("Config option {} not allowed.", key);
++                continue;
++            }
+         } else {
+             base->get_logger()->warning("Unknown config option: {}", key);
+         }

SPECS/dnf5/CVE-2024-1930.patch

@@ -0,0 +1,44 @@
+From c090ffeb79da57b88d51da6ee76f02f6512c7d91 Mon Sep 17 00:00:00 2001
+From: Marek Blaha <mblaha@redhat.com>
+Date: Mon, 12 Feb 2024 09:40:02 +0100
+Subject: [PATCH] dnfdaemon: Limit number of simultaneously active sessions
+
+---
+ dnf5daemon-server/session_manager.cpp | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/dnf5daemon-server/session_manager.cpp b/dnf5daemon-server/session_manager.cpp
+index a5e1c14f7..b8439cf37 100644
+--- a/dnf5daemon-server/session_manager.cpp
++++ b/dnf5daemon-server/session_manager.cpp
+@@ -26,11 +26,15 @@ along with libdnf.  If not, see <https://www.gnu.org/licenses/>.
+ #include <sdbus-c++/sdbus-c++.h>
+ 
+ #include <iostream>
++#include <numeric>
+ #include <random>
+ #include <sstream>
+ #include <string>
+ #include <thread>
+ 
++// TODO(mblaha): Make this constant configurable
++const int MAX_SESSIONS = 3;
++
+ SessionManager::SessionManager() {
+     connection = sdbus::createSystemBusConnection(dnfdaemon::DBUS_NAME);
+     dbus_register();
+@@ -98,6 +102,14 @@ sdbus::MethodReply SessionManager::open_session(sdbus::MethodCall & call) {
+     if (!active) {
+         throw sdbus::Error(dnfdaemon::ERROR, "Cannot open new session.");
+     }
++    // limit number of simultaneously opened sessions
++    const int num_sessions = std::accumulate(
++        sessions.begin(), sessions.end(), 0, [](int sum, const auto & sender) { return sum + sender.second.size(); });
++    if (num_sessions >= MAX_SESSIONS) {
++        auto reply = call.createErrorReply(sdbus::Error(
++            dnfdaemon::ERROR, "Cannot open new session - maximal number of simultaneously opened sessions achieved."));
++        return reply;
++    }
+ 
+     auto sender = call.getSender();
+     dnfdaemon::KeyValueMap configuration;

SPECS/dnf5/CVE-2024-2746.patch

@@ -0,0 +1,23 @@
+From 07c5770482605ca78aaed41f7224d141c5980de4 Mon Sep 17 00:00:00 2001
+From: Marek Blaha <mblaha@redhat.com>
+Date: Thu, 21 Mar 2024 08:45:15 +0100
+Subject: [PATCH] dnf5daemon: Remove reposdir from allowed config overrides
+
+The option is potentially dangerous and can cause dnf5daemon-server to
+block on malicious reposdir.
+---
+ dnf5daemon-server/session.cpp | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/dnf5daemon-server/session.cpp b/dnf5daemon-server/session.cpp
+index b776c44bb..142abedfb 100644
+--- a/dnf5daemon-server/session.cpp
++++ b/dnf5daemon-server/session.cpp
+@@ -60,7 +60,6 @@ static const std::unordered_set<std::string> ALLOWED_MAIN_CONF_OVERRIDES = {
+     "obsoletes",
+     "optional_metadata_types",
+     "protect_running_kernel",
+-    "reposdir",
+     "skip_broken",
+     "skip_if_unavailable",
+     "skip_unavailable",

SPECS/dnf5/dnf5.spec

@@ -38,12 +38,15 @@
 Summary:        Command-line package manager
 Name:           dnf5
 Version:        %{project_version_major}.%{project_version_minor}.%{project_version_patch}
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        GPL-2.0-or-later
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 URL:            https://github.com/rpm-software-management/dnf5
 Source0:        %{url}/archive/%{version}/dnf5-%{version}.tar.gz
+Patch0:         CVE-2024-1929.patch
+Patch1:         CVE-2024-1930.patch
+Patch2:         CVE-2024-2746.patch
 # ========== build requires ==========
 BuildRequires:  bash-completion
 BuildRequires:  cmake
@@ -674,6 +677,9 @@ done
 
 
 %changelog
+* Wed Apr 30 2025 Kanishk Bansal <kanbansal@microsoft.com> - 5.1.11-2
+- Patch CVE-2024-1929, CVE-2024-1930, CVE-2024-2746
+
 * Wed Jan 31 2024 Sam Meluch <sammeluch@microsoft.com> - 5.1.11-1
 - Update to version 5.1.11
 - Merge spec from upstream dnf5 repo