[AutoPR- Security] Patch dnf5 for CVE-2024-1930 [MEDIUM] (microsoft#14461)

Author: azurelinux-security

SPECS/dnf5/CVE-2024-1930.patch

@@ -0,0 +1,49 @@
+From aa19993dc833771333149829fb36c79709f4dff4 Mon Sep 17 00:00:00 2001
+From: Marek Blaha <[email protected]>
+Date: Mon, 12 Feb 2024 09:40:02 +0100
+Subject: [PATCH] dnfdaemon: Limit number of simultaneously active sessions
+
+Signed-off-by: Azure Linux Security Servicing Account <[email protected]>
+Upstream-reference: https://github.com/rpm-software-management/dnf5/commit/c090ffeb79da57b88d51da6ee76f02f6512c7d91.patch
+---
+ dnf5daemon-server/session_manager.cpp | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/dnf5daemon-server/session_manager.cpp b/dnf5daemon-server/session_manager.cpp
+index 57c036b..d60d7ca 100644
+--- a/dnf5daemon-server/session_manager.cpp
++++ b/dnf5daemon-server/session_manager.cpp
+@@ -26,11 +26,15 @@ along with libdnf.  If not, see <https://www.gnu.org/licenses/>.
+ #include <sdbus-c++/sdbus-c++.h>
+ 
+ #include <iostream>
++#include <numeric>
+ #include <random>
+ #include <sstream>
+ #include <string>
+ #include <thread>
+ 
++// TODO(mblaha): Make this constant configurable
++const int MAX_SESSIONS = 3;
++
+ SessionManager::SessionManager() {
+     connection = sdbus::createSystemBusConnection(dnfdaemon::DBUS_NAME);
+     dbus_register();
+@@ -98,6 +102,14 @@ sdbus::MethodReply SessionManager::open_session(sdbus::MethodCall & call) {
+     if (!active) {
+         throw sdbus::Error(dnfdaemon::ERROR, "Cannot open new session.");
+     }
++    // limit number of simultaneously opened sessions
++    const int num_sessions = std::accumulate(
++        sessions.begin(), sessions.end(), 0, [](int sum, const auto & sender) { return sum + sender.second.size(); });
++    if (num_sessions >= MAX_SESSIONS) {
++        auto reply = call.createErrorReply(sdbus::Error(
++            dnfdaemon::ERROR, "Cannot open new session - maximal number of simultaneously opened sessions achieved."));
++        return reply;
++    }
+ 
+     auto sender = call.getSender();
+     dnfdaemon::KeyValueMap configuration;
+-- 
+2.45.4
+

SPECS/dnf5/dnf5.spec

@@ -37,12 +37,13 @@
 Summary:        Command-line package manager
 Name:           dnf5
 Version:        %{project_version_major}.%{project_version_minor}.%{project_version_patch}
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        GPL-2.0-or-later
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 URL:            https://github.com/rpm-software-management/dnf5
 Source0:        %{url}/archive/%{version}/dnf5-%{version}.tar.gz
+Patch0:         CVE-2024-1930.patch
 # ========== build requires ==========
 BuildRequires:  bash-completion
 BuildRequires:  cmake
@@ -590,6 +591,9 @@ done
 
 
 %changelog
+* Fri Aug 08 2025 Azure Linux Security Servicing Account <[email protected]> - 5.0.14-3
+- Patch for CVE-2024-1930
+
 * Wed Sep 20 2023 Jon Slobodzian <[email protected]> - 5.0.14-2
 - Recompile with stack-protection fixed gcc version (CVE-2023-4039)