diff options
author | Neetika Singh <Neetika.Singh@kpit.com> | 2021-09-20 18:22:40 +0530 |
---|---|---|
committer | Armin Kuster <akuster808@gmail.com> | 2021-09-20 15:51:39 -0700 |
commit | b06724bc274f751004ade2ceeddfb8ec40d93f16 (patch) | |
tree | 50d70031a0686aef118fe338755b59d6686abe08 | |
parent | 2e7e98cd0cb82db214b13224c71134b9335a719b (diff) | |
download | meta-openembedded-b06724bc274f751004ade2ceeddfb8ec40d93f16.tar.gz |
c-ares: Add fix for CVE-2021-3672
Added below patches to fix CVE-2021-3672
1. ares_expand_name-should-escape-more-characters.patch
2. ares_expand_name-fix-formatting-and-handling-of-root.patch
Link: http://snapshot.debian.org/archive/debian-security/20210810T064453Z/pool/updates/main/c/c-ares/c-ares_1.17.1-1%2Bdeb11u1.debian.tar.xz
Signed-off-by: akash hadke <Akash.Hadke@kpit.com>
Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
3 files changed, 207 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/c-ares/c-ares/ares_expand_name-fix-formatting-and-handling-of-root.patch b/meta-oe/recipes-support/c-ares/c-ares/ares_expand_name-fix-formatting-and-handling-of-root.patch new file mode 100644 index 000000000..d1cb54aef --- /dev/null +++ b/meta-oe/recipes-support/c-ares/c-ares/ares_expand_name-fix-formatting-and-handling-of-root.patch | |||
@@ -0,0 +1,115 @@ | |||
1 | From: bradh352 <brad@brad-house.com> | ||
2 | Date: Fri, 11 Jun 2021 12:39:24 -0400 | ||
3 | Subject: [2/2] ares_expand_name(): fix formatting and handling of root name | ||
4 | response | ||
5 | Origin: https://github.com/c-ares/c-ares/commit/44c009b8e62ea1929de68e3f438181bea469ec14 | ||
6 | Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-3672 | ||
7 | |||
8 | Fixes issue introduced in prior commit with formatting and handling | ||
9 | of parsing a root name response which should not be escaped. | ||
10 | |||
11 | Fix By: Brad House | ||
12 | CVE: CVE-2021-3672 | ||
13 | Upstream-Status: Backport [http://snapshot.debian.org/archive/debian-security/20210810T064453Z/pool/updates/main/c/c-ares/c-ares_1.17.1-1%2Bdeb11u1.debian.tar.xz] | ||
14 | Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com> | ||
15 | --- | ||
16 | ares_expand_name.c | 62 ++++++++++++++++++++++++-------------- | ||
17 | 1 file changed, 40 insertions(+), 22 deletions(-) | ||
18 | |||
19 | diff --git a/ares_expand_name.c b/ares_expand_name.c | ||
20 | index f1c874a97cfc..eb9268c1ff0a 100644 | ||
21 | --- a/ares_expand_name.c | ||
22 | +++ b/ares_expand_name.c | ||
23 | @@ -127,27 +127,37 @@ int ares_expand_name(const unsigned char *encoded, const unsigned char *abuf, | ||
24 | } | ||
25 | else | ||
26 | { | ||
27 | - len = *p; | ||
28 | + int name_len = *p; | ||
29 | + len = name_len; | ||
30 | p++; | ||
31 | + | ||
32 | while (len--) | ||
33 | { | ||
34 | - if (!isprint(*p)) { | ||
35 | - /* Output as \DDD for consistency with RFC1035 5.1 */ | ||
36 | - *q++ = '\\'; | ||
37 | - *q++ = '0' + *p / 100; | ||
38 | - *q++ = '0' + (*p % 100) / 10; | ||
39 | - *q++ = '0' + (*p % 10); | ||
40 | - } else if (is_reservedch(*p)) { | ||
41 | - *q++ = '\\'; | ||
42 | - *q++ = *p; | ||
43 | - } else { | ||
44 | - *q++ = *p; | ||
45 | - } | ||
46 | + /* Output as \DDD for consistency with RFC1035 5.1, except | ||
47 | + * for the special case of a root name response */ | ||
48 | + if (!isprint(*p) && !(name_len == 1 && *p == 0)) | ||
49 | + { | ||
50 | + | ||
51 | + *q++ = '\\'; | ||
52 | + *q++ = '0' + *p / 100; | ||
53 | + *q++ = '0' + (*p % 100) / 10; | ||
54 | + *q++ = '0' + (*p % 10); | ||
55 | + } | ||
56 | + else if (is_reservedch(*p)) | ||
57 | + { | ||
58 | + *q++ = '\\'; | ||
59 | + *q++ = *p; | ||
60 | + } | ||
61 | + else | ||
62 | + { | ||
63 | + *q++ = *p; | ||
64 | + } | ||
65 | p++; | ||
66 | } | ||
67 | *q++ = '.'; | ||
68 | } | ||
69 | - } | ||
70 | + } | ||
71 | + | ||
72 | if (!indir) | ||
73 | *enclen = aresx_uztosl(p + 1U - encoded); | ||
74 | |||
75 | @@ -194,21 +204,29 @@ static int name_length(const unsigned char *encoded, const unsigned char *abuf, | ||
76 | } | ||
77 | else if (top == 0x00) | ||
78 | { | ||
79 | - offset = *encoded; | ||
80 | + int name_len = *encoded; | ||
81 | + offset = name_len; | ||
82 | if (encoded + offset + 1 >= abuf + alen) | ||
83 | return -1; | ||
84 | encoded++; | ||
85 | + | ||
86 | while (offset--) | ||
87 | { | ||
88 | - if (!isprint(*encoded)) { | ||
89 | - n += 4; | ||
90 | - } else if (is_reservedch(*encoded)) { | ||
91 | - n += 2; | ||
92 | - } else { | ||
93 | - n += 1; | ||
94 | - } | ||
95 | + if (!isprint(*encoded) && !(name_len == 1 && *encoded == 0)) | ||
96 | + { | ||
97 | + n += 4; | ||
98 | + } | ||
99 | + else if (is_reservedch(*encoded)) | ||
100 | + { | ||
101 | + n += 2; | ||
102 | + } | ||
103 | + else | ||
104 | + { | ||
105 | + n += 1; | ||
106 | + } | ||
107 | encoded++; | ||
108 | } | ||
109 | + | ||
110 | n++; | ||
111 | } | ||
112 | else | ||
113 | -- | ||
114 | 2.32.0 | ||
115 | |||
diff --git a/meta-oe/recipes-support/c-ares/c-ares/ares_expand_name-should-escape-more-characters.patch b/meta-oe/recipes-support/c-ares/c-ares/ares_expand_name-should-escape-more-characters.patch new file mode 100644 index 000000000..3603ef127 --- /dev/null +++ b/meta-oe/recipes-support/c-ares/c-ares/ares_expand_name-should-escape-more-characters.patch | |||
@@ -0,0 +1,90 @@ | |||
1 | From: bradh352 <brad@brad-house.com> | ||
2 | Date: Fri, 11 Jun 2021 11:27:45 -0400 | ||
3 | Subject: [1/2] ares_expand_name() should escape more characters | ||
4 | Origin: https://github.com/c-ares/c-ares/commit/362f91d807d293791008cdb7616d40f7784ece83 | ||
5 | Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-3672 | ||
6 | |||
7 | RFC1035 5.1 specifies some reserved characters and escaping sequences | ||
8 | that are allowed to be specified. Expand the list of reserved characters | ||
9 | and also escape non-printable characters using the \DDD format as | ||
10 | specified in the RFC. | ||
11 | |||
12 | Bug Reported By: philipp.jeitner@sit.fraunhofer.de | ||
13 | Fix By: Brad House (@bradh352) | ||
14 | CVE: CVE-2021-3672 | ||
15 | Upstream-Status: Backport [http://snapshot.debian.org/archive/debian-security/20210810T064453Z/pool/updates/main/c/c-ares/c-ares_1.17.1-1%2Bdeb11u1.debian.tar.xz] | ||
16 | Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com> | ||
17 | --- | ||
18 | ares_expand_name.c | 41 +++++++++++++++++++++++++++++++++++--- | ||
19 | 1 file changed, 38 insertions(+), 3 deletions(-) | ||
20 | |||
21 | diff --git a/ares_expand_name.c b/ares_expand_name.c | ||
22 | index 407200ef5b4b..f1c874a97cfc 100644 | ||
23 | --- a/ares_expand_name.c | ||
24 | +++ b/ares_expand_name.c | ||
25 | @@ -32,6 +32,26 @@ | ||
26 | static int name_length(const unsigned char *encoded, const unsigned char *abuf, | ||
27 | int alen); | ||
28 | |||
29 | +/* Reserved characters for names that need to be escaped */ | ||
30 | +static int is_reservedch(int ch) | ||
31 | +{ | ||
32 | + switch (ch) { | ||
33 | + case '"': | ||
34 | + case '.': | ||
35 | + case ';': | ||
36 | + case '\\': | ||
37 | + case '(': | ||
38 | + case ')': | ||
39 | + case '@': | ||
40 | + case '$': | ||
41 | + return 1; | ||
42 | + default: | ||
43 | + break; | ||
44 | + } | ||
45 | + | ||
46 | + return 0; | ||
47 | +} | ||
48 | + | ||
49 | /* Expand an RFC1035-encoded domain name given by encoded. The | ||
50 | * containing message is given by abuf and alen. The result given by | ||
51 | * *s, which is set to a NUL-terminated allocated buffer. *enclen is | ||
52 | @@ -111,9 +131,18 @@ int ares_expand_name(const unsigned char *encoded, const unsigned char *abuf, | ||
53 | p++; | ||
54 | while (len--) | ||
55 | { | ||
56 | - if (*p == '.' || *p == '\\') | ||
57 | + if (!isprint(*p)) { | ||
58 | + /* Output as \DDD for consistency with RFC1035 5.1 */ | ||
59 | + *q++ = '\\'; | ||
60 | + *q++ = '0' + *p / 100; | ||
61 | + *q++ = '0' + (*p % 100) / 10; | ||
62 | + *q++ = '0' + (*p % 10); | ||
63 | + } else if (is_reservedch(*p)) { | ||
64 | *q++ = '\\'; | ||
65 | - *q++ = *p; | ||
66 | + *q++ = *p; | ||
67 | + } else { | ||
68 | + *q++ = *p; | ||
69 | + } | ||
70 | p++; | ||
71 | } | ||
72 | *q++ = '.'; | ||
73 | @@ -171,7 +200,13 @@ static int name_length(const unsigned char *encoded, const unsigned char *abuf, | ||
74 | encoded++; | ||
75 | while (offset--) | ||
76 | { | ||
77 | - n += (*encoded == '.' || *encoded == '\\') ? 2 : 1; | ||
78 | + if (!isprint(*encoded)) { | ||
79 | + n += 4; | ||
80 | + } else if (is_reservedch(*encoded)) { | ||
81 | + n += 2; | ||
82 | + } else { | ||
83 | + n += 1; | ||
84 | + } | ||
85 | encoded++; | ||
86 | } | ||
87 | n++; | ||
88 | -- | ||
89 | 2.32.0 | ||
90 | |||
diff --git a/meta-oe/recipes-support/c-ares/c-ares_1.16.1.bb b/meta-oe/recipes-support/c-ares/c-ares_1.16.1.bb index 67dd70180..36bb9be17 100644 --- a/meta-oe/recipes-support/c-ares/c-ares_1.16.1.bb +++ b/meta-oe/recipes-support/c-ares/c-ares_1.16.1.bb | |||
@@ -11,6 +11,8 @@ SRC_URI = "\ | |||
11 | git://github.com/c-ares/c-ares.git \ | 11 | git://github.com/c-ares/c-ares.git \ |
12 | file://cmake-install-libcares.pc.patch \ | 12 | file://cmake-install-libcares.pc.patch \ |
13 | file://0001-fix-configure-error-mv-libcares.pc.cmakein-to-libcar.patch \ | 13 | file://0001-fix-configure-error-mv-libcares.pc.cmakein-to-libcar.patch \ |
14 | file://ares_expand_name-should-escape-more-characters.patch \ | ||
15 | file://ares_expand_name-fix-formatting-and-handling-of-root.patch \ | ||
14 | " | 16 | " |
15 | SRCREV = "74a1426ba60e2cd7977e53a22ef839c87415066e" | 17 | SRCREV = "74a1426ba60e2cd7977e53a22ef839c87415066e" |
16 | 18 | ||