c-ares: Add fix for CVE-2021-3672

Added below patches to fix CVE-2021-3672 1. ares_expand_name-should-escape-more-characters.patch 2. ares_expand_name-fix-formatting-and-handling-of-root.patch Link: http://snapshot.debian.org/archive/debian-security/20210810T064453Z/pool/updates/main/c/c-ares/c-ares_1.17.1-1%2Bdeb11u1.debian.tar.xz Signed-off-by: akash hadke <Akash.Hadke@kpit.com> Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Neetika Singh <Neetika.Singh@kpit.com> 2021-09-20 18:22:40 +0530
committer: Armin Kuster <akuster808@gmail.com> 2021-09-20 15:51:39 -0700
commit: b06724bc274f751004ade2ceeddfb8ec40d93f16 (patch)
tree: 50d70031a0686aef118fe338755b59d6686abe08
parent: 2e7e98cd0cb82db214b13224c71134b9335a719b (diff)
download: meta-openembedded-b06724bc274f751004ade2ceeddfb8ec40d93f16.tar.gz
3 files changed, 207 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/c-ares/c-ares/ares_expand_name-fix-formatting-and-handling-of-root.patch b/meta-oe/recipes-support/c-ares/c-ares/ares_expand_name-fix-formatting-and-handling-of-root.patch
new file mode 100644
index 000000000..d1cb54aef
--- /dev/null
+++ b/meta-oe/recipes-support/c-ares/c-ares/ares_expand_name-fix-formatting-and-handling-of-root.patch
@@ -0,0 +1,115 @@
+From: bradh352 <brad@brad-house.com>
+Date: Fri, 11 Jun 2021 12:39:24 -0400
+Subject: [2/2] ares_expand_name(): fix formatting and handling of root name
+ response
+Origin: https://github.com/c-ares/c-ares/commit/44c009b8e62ea1929de68e3f438181bea469ec14
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-3672
+Fixes issue introduced in prior commit with formatting and handling
+of parsing a root name response which should not be escaped.
+Fix By: Brad House
+CVE: CVE-2021-3672
+Upstream-Status: Backport [http://snapshot.debian.org/archive/debian-security/20210810T064453Z/pool/updates/main/c/c-ares/c-ares_1.17.1-1%2Bdeb11u1.debian.tar.xz]
+Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
+---
+ ares_expand_name.c | 62 ++++++++++++++++++++++++--------------
+ 1 file changed, 40 insertions(+), 22 deletions(-)
+diff --git a/ares_expand_name.c b/ares_expand_name.c
+index f1c874a97cfc..eb9268c1ff0a 100644
+--- a/ares_expand_name.c
+++ b/ares_expand_name.c
+@@ -127,27 +127,37 @@ int ares_expand_name(const unsigned char *encoded, const unsigned char *abuf,
+         }
+       else
+         {
+-          len = *p;
+          int name_len = *p;
+          len = name_len;
+           p++;
+
+           while (len--)
+             {
+-              if (!isprint(*p)) {
+-                /* Output as \DDD for consistency with RFC1035 5.1 */
+-                *q++ = '\\';
+-                *q++ = '0' + *p / 100;
+-                *q++ = '0' + (*p % 100) / 10;
+-                *q++ = '0' + (*p % 10);
+-              } else if (is_reservedch(*p)) {
+-                *q++ = '\\';
+-                *q++ = *p;
+-              } else {
+-                *q++ = *p;
+-              }
+              /* Output as \DDD for consistency with RFC1035 5.1, except
+               * for the special case of a root name response  */
+              if (!isprint(*p) && !(name_len == 1 && *p == 0))
+                {
+
+                  *q++ = '\\';
+                  *q++ = '0' + *p / 100;
+                  *q++ = '0' + (*p % 100) / 10;
+                  *q++ = '0' + (*p % 10);
+                }
+              else if (is_reservedch(*p))
+                {
+                  *q++ = '\\';
+                  *q++ = *p;
+                }
+              else
+                {
+                  *q++ = *p;
+                }
+               p++;
+             }
+           *q++ = '.';
+         }
+-    }
+     }
+
+   if (!indir)
+     *enclen = aresx_uztosl(p + 1U - encoded);
+ 
+@@ -194,21 +204,29 @@ static int name_length(const unsigned char *encoded, const unsigned char *abuf,
+         }
+       else if (top == 0x00)
+         {
+-          offset = *encoded;
+          int name_len = *encoded;
+          offset = name_len;
+           if (encoded + offset + 1 >= abuf + alen)
+             return -1;
+           encoded++;
+
+           while (offset--)
+             {
+-              if (!isprint(*encoded)) {
+-                n += 4;
+-              } else if (is_reservedch(*encoded)) {
+-                n += 2;
+-              } else {
+-                n += 1;
+-              }
+              if (!isprint(*encoded) && !(name_len == 1 && *encoded == 0))
+                {
+                  n += 4;
+                }
+              else if (is_reservedch(*encoded))
+                {
+                  n += 2;
+                }
+              else
+                {
+                  n += 1;
+                }
+               encoded++;
+             }
+
+           n++;
+         }
+       else
+-- 
+2.32.0
diff --git a/meta-oe/recipes-support/c-ares/c-ares/ares_expand_name-should-escape-more-characters.patch b/meta-oe/recipes-support/c-ares/c-ares/ares_expand_name-should-escape-more-characters.patch
new file mode 100644
index 000000000..3603ef127
--- /dev/null
+++ b/meta-oe/recipes-support/c-ares/c-ares/ares_expand_name-should-escape-more-characters.patch
@@ -0,0 +1,90 @@
+From: bradh352 <brad@brad-house.com>
+Date: Fri, 11 Jun 2021 11:27:45 -0400
+Subject: [1/2] ares_expand_name() should escape more characters
+Origin: https://github.com/c-ares/c-ares/commit/362f91d807d293791008cdb7616d40f7784ece83
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-3672
+RFC1035 5.1 specifies some reserved characters and escaping sequences
+that are allowed to be specified.  Expand the list of reserved characters
+and also escape non-printable characters using the \DDD format as
+specified in the RFC.
+Bug Reported By: philipp.jeitner@sit.fraunhofer.de
+Fix By: Brad House (@bradh352)
+CVE: CVE-2021-3672
+Upstream-Status: Backport [http://snapshot.debian.org/archive/debian-security/20210810T064453Z/pool/updates/main/c/c-ares/c-ares_1.17.1-1%2Bdeb11u1.debian.tar.xz]
+Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
+---
+ ares_expand_name.c | 41 +++++++++++++++++++++++++++++++++++---
+ 1 file changed, 38 insertions(+), 3 deletions(-)
+diff --git a/ares_expand_name.c b/ares_expand_name.c
+index 407200ef5b4b..f1c874a97cfc 100644
+--- a/ares_expand_name.c
+++ b/ares_expand_name.c
+@@ -32,6 +32,26 @@
+ static int name_length(const unsigned char *encoded, const unsigned char *abuf,
+                        int alen);
+ 
+/* Reserved characters for names that need to be escaped */
+static int is_reservedch(int ch)
+{
+  switch (ch) {
+    case '"':
+    case '.':
+    case ';':
+    case '\\':
+    case '(':
+    case ')':
+    case '@':
+    case '$':
+      return 1;
+    default:
+      break;
+  }
+
+  return 0;
+}
+
+ /* Expand an RFC1035-encoded domain name given by encoded.  The
+  * containing message is given by abuf and alen.  The result given by
+  * *s, which is set to a NUL-terminated allocated buffer.  *enclen is
+@@ -111,9 +131,18 @@ int ares_expand_name(const unsigned char *encoded, const unsigned char *abuf,
+           p++;
+           while (len--)
+             {
+-              if (*p == '.' || *p == '\\')
+              if (!isprint(*p)) {
+                /* Output as \DDD for consistency with RFC1035 5.1 */
+                *q++ = '\\';
+                *q++ = '0' + *p / 100;
+                *q++ = '0' + (*p % 100) / 10;
+                *q++ = '0' + (*p % 10);
+              } else if (is_reservedch(*p)) {
+                 *q++ = '\\';
+-              *q++ = *p;
+                *q++ = *p;
+              } else {
+                *q++ = *p;
+              }
+               p++;
+             }
+           *q++ = '.';
+@@ -171,7 +200,13 @@ static int name_length(const unsigned char *encoded, const unsigned char *abuf,
+           encoded++;
+           while (offset--)
+             {
+-              n += (*encoded == '.' || *encoded == '\\') ? 2 : 1;
+              if (!isprint(*encoded)) {
+                n += 4;
+              } else if (is_reservedch(*encoded)) {
+                n += 2;
+              } else {
+                n += 1;
+              }
+               encoded++;
+             }
+           n++;
+-- 
+2.32.0
diff --git a/meta-oe/recipes-support/c-ares/c-ares_1.16.1.bb b/meta-oe/recipes-support/c-ares/c-ares_1.16.1.bb
index 67dd70180..36bb9be17 100644
--- a/meta-oe/recipes-support/c-ares/c-ares_1.16.1.bb
+++ b/meta-oe/recipes-support/c-ares/c-ares_1.16.1.bb
@@ -11,6 +11,8 @@ SRC_URI = "\
    git://github.com/c-ares/c-ares.git \
    file://cmake-install-libcares.pc.patch \
    file://0001-fix-configure-error-mv-libcares.pc.cmakein-to-libcar.patch \
+    file://ares_expand_name-should-escape-more-characters.patch \
+    file://ares_expand_name-fix-formatting-and-handling-of-root.patch \
 "
 SRCREV = "74a1426ba60e2cd7977e53a22ef839c87415066e"
author	Neetika Singh <Neetika.Singh@kpit.com>	2021-09-20 18:22:40 +0530
committer	Armin Kuster <akuster808@gmail.com>	2021-09-20 15:51:39 -0700
commit	b06724bc274f751004ade2ceeddfb8ec40d93f16 (patch)
tree	50d70031a0686aef118fe338755b59d6686abe08
parent	2e7e98cd0cb82db214b13224c71134b9335a719b (diff)
download	meta-openembedded-b06724bc274f751004ade2ceeddfb8ec40d93f16.tar.gz

diff --git a/meta-oe/recipes-support/c-ares/c-ares/ares_expand_name-fix-formatting-and-handling-of-root.patch b/meta-oe/recipes-support/c-ares/c-ares/ares_expand_name-fix-formatting-and-handling-of-root.patch new file mode 100644 index 000000000..d1cb54aef --- /dev/null +++ b/meta-oe/recipes-support/c-ares/c-ares/ares_expand_name-fix-formatting-and-handling-of-root.patch
@@ -0,0 +1,115 @@
		1	From: bradh352 <brad@brad-house.com>
		2	Date: Fri, 11 Jun 2021 12:39:24 -0400
		3	Subject: [2/2] ares_expand_name(): fix formatting and handling of root name
		4	response
		5	Origin: https://github.com/c-ares/c-ares/commit/44c009b8e62ea1929de68e3f438181bea469ec14
		6	Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-3672
		7
		8	Fixes issue introduced in prior commit with formatting and handling
		9	of parsing a root name response which should not be escaped.
		10
		11	Fix By: Brad House
		12	CVE: CVE-2021-3672
		13	Upstream-Status: Backport [http://snapshot.debian.org/archive/debian-security/20210810T064453Z/pool/updates/main/c/c-ares/c-ares_1.17.1-1%2Bdeb11u1.debian.tar.xz]
		14	Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
		15	---
		16	ares_expand_name.c \| 62 ++++++++++++++++++++++++--------------
		17	1 file changed, 40 insertions(+), 22 deletions(-)
		18
		19	diff --git a/ares_expand_name.c b/ares_expand_name.c
		20	index f1c874a97cfc..eb9268c1ff0a 100644
		21	--- a/ares_expand_name.c
		22	+++ b/ares_expand_name.c
		23	@@ -127,27 +127,37 @@ int ares_expand_name(const unsigned char encoded, const unsigned char abuf,
		24	}
		25	else
		26	{
		27	- len = *p;
		28	+ int name_len = *p;
		29	+ len = name_len;
		30	p++;
		31	+
		32	while (len--)
		33	{
		34	- if (!isprint(*p)) {
		35	- /* Output as \DDD for consistency with RFC1035 5.1 */
		36	- *q++ = '\\';
		37	- q++ = '0' + p / 100;
		38	- q++ = '0' + (p % 100) / 10;
		39	- q++ = '0' + (p % 10);
		40	- } else if (is_reservedch(*p)) {
		41	- *q++ = '\\';
		42	- q++ = p;
		43	- } else {
		44	- q++ = p;
		45	- }
		46	+ /* Output as \DDD for consistency with RFC1035 5.1, except
		47	+ * for the special case of a root name response */
		48	+ if (!isprint(p) && !(name_len == 1 && p == 0))
		49	+ {
		50	+
		51	+ *q++ = '\\';
		52	+ q++ = '0' + p / 100;
		53	+ q++ = '0' + (p % 100) / 10;
		54	+ q++ = '0' + (p % 10);
		55	+ }
		56	+ else if (is_reservedch(*p))
		57	+ {
		58	+ *q++ = '\\';
		59	+ q++ = p;
		60	+ }
		61	+ else
		62	+ {
		63	+ q++ = p;
		64	+ }
		65	p++;
		66	}
		67	*q++ = '.';
		68	}
		69	- }
		70	+ }
		71	+
		72	if (!indir)
		73	*enclen = aresx_uztosl(p + 1U - encoded);
		74
		75	@@ -194,21 +204,29 @@ static int name_length(const unsigned char encoded, const unsigned char abuf,
		76	}
		77	else if (top == 0x00)
		78	{
		79	- offset = *encoded;
		80	+ int name_len = *encoded;
		81	+ offset = name_len;
		82	if (encoded + offset + 1 >= abuf + alen)
		83	return -1;
		84	encoded++;
		85	+
		86	while (offset--)
		87	{
		88	- if (!isprint(*encoded)) {
		89	- n += 4;
		90	- } else if (is_reservedch(*encoded)) {
		91	- n += 2;
		92	- } else {
		93	- n += 1;
		94	- }
		95	+ if (!isprint(encoded) && !(name_len == 1 && encoded == 0))
		96	+ {
		97	+ n += 4;
		98	+ }
		99	+ else if (is_reservedch(*encoded))
		100	+ {
		101	+ n += 2;
		102	+ }
		103	+ else
		104	+ {
		105	+ n += 1;
		106	+ }
		107	encoded++;
		108	}
		109	+
		110	n++;
		111	}
		112	else
		113	--
		114	2.32.0
		115


diff --git a/meta-oe/recipes-support/c-ares/c-ares/ares_expand_name-should-escape-more-characters.patch b/meta-oe/recipes-support/c-ares/c-ares/ares_expand_name-should-escape-more-characters.patch new file mode 100644 index 000000000..3603ef127 --- /dev/null +++ b/meta-oe/recipes-support/c-ares/c-ares/ares_expand_name-should-escape-more-characters.patch
@@ -0,0 +1,90 @@
		1	From: bradh352 <brad@brad-house.com>
		2	Date: Fri, 11 Jun 2021 11:27:45 -0400
		3	Subject: [1/2] ares_expand_name() should escape more characters
		4	Origin: https://github.com/c-ares/c-ares/commit/362f91d807d293791008cdb7616d40f7784ece83
		5	Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-3672
		6
		7	RFC1035 5.1 specifies some reserved characters and escaping sequences
		8	that are allowed to be specified. Expand the list of reserved characters
		9	and also escape non-printable characters using the \DDD format as
		10	specified in the RFC.
		11
		12	Bug Reported By: philipp.jeitner@sit.fraunhofer.de
		13	Fix By: Brad House (@bradh352)
		14	CVE: CVE-2021-3672
		15	Upstream-Status: Backport [http://snapshot.debian.org/archive/debian-security/20210810T064453Z/pool/updates/main/c/c-ares/c-ares_1.17.1-1%2Bdeb11u1.debian.tar.xz]
		16	Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
		17	---
		18	ares_expand_name.c \| 41 +++++++++++++++++++++++++++++++++++---
		19	1 file changed, 38 insertions(+), 3 deletions(-)
		20
		21	diff --git a/ares_expand_name.c b/ares_expand_name.c
		22	index 407200ef5b4b..f1c874a97cfc 100644
		23	--- a/ares_expand_name.c
		24	+++ b/ares_expand_name.c
		25	@@ -32,6 +32,26 @@
		26	static int name_length(const unsigned char encoded, const unsigned char abuf,
		27	int alen);
		28
		29	+/* Reserved characters for names that need to be escaped */
		30	+static int is_reservedch(int ch)
		31	+{
		32	+ switch (ch) {
		33	+ case '"':
		34	+ case '.':
		35	+ case ';':
		36	+ case '\\':
		37	+ case '(':
		38	+ case ')':
		39	+ case '@':
		40	+ case '$':
		41	+ return 1;
		42	+ default:
		43	+ break;
		44	+ }
		45	+
		46	+ return 0;
		47	+}
		48	+
		49	/* Expand an RFC1035-encoded domain name given by encoded. The
		50	* containing message is given by abuf and alen. The result given by
		51	* s, which is set to a NUL-terminated allocated buffer. enclen is
		52	@@ -111,9 +131,18 @@ int ares_expand_name(const unsigned char encoded, const unsigned char abuf,
		53	p++;
		54	while (len--)
		55	{
		56	- if (p == '.' \|\| p == '\\')
		57	+ if (!isprint(*p)) {
		58	+ /* Output as \DDD for consistency with RFC1035 5.1 */
		59	+ *q++ = '\\';
		60	+ q++ = '0' + p / 100;
		61	+ q++ = '0' + (p % 100) / 10;
		62	+ q++ = '0' + (p % 10);
		63	+ } else if (is_reservedch(*p)) {
		64	*q++ = '\\';
		65	- q++ = p;
		66	+ q++ = p;
		67	+ } else {
		68	+ q++ = p;
		69	+ }
		70	p++;
		71	}
		72	*q++ = '.';
		73	@@ -171,7 +200,13 @@ static int name_length(const unsigned char encoded, const unsigned char abuf,
		74	encoded++;
		75	while (offset--)
		76	{
		77	- n += (encoded == '.' \|\| encoded == '\\') ? 2 : 1;
		78	+ if (!isprint(*encoded)) {
		79	+ n += 4;
		80	+ } else if (is_reservedch(*encoded)) {
		81	+ n += 2;
		82	+ } else {
		83	+ n += 1;
		84	+ }
		85	encoded++;
		86	}
		87	n++;
		88	--
		89	2.32.0
		90


diff --git a/meta-oe/recipes-support/c-ares/c-ares_1.16.1.bb b/meta-oe/recipes-support/c-ares/c-ares_1.16.1.bb index 67dd70180..36bb9be17 100644 --- a/meta-oe/recipes-support/c-ares/c-ares_1.16.1.bb +++ b/meta-oe/recipes-support/c-ares/c-ares_1.16.1.bb
@@ -11,6 +11,8 @@ SRC_URI = "\
11	git://github.com/c-ares/c-ares.git \	11	git://github.com/c-ares/c-ares.git \
12	file://cmake-install-libcares.pc.patch \	12	file://cmake-install-libcares.pc.patch \
13	file://0001-fix-configure-error-mv-libcares.pc.cmakein-to-libcar.patch \	13	file://0001-fix-configure-error-mv-libcares.pc.cmakein-to-libcar.patch \
		14	file://ares_expand_name-should-escape-more-characters.patch \
		15	file://ares_expand_name-fix-formatting-and-handling-of-root.patch \
14	"	16	"
15	SRCREV = "74a1426ba60e2cd7977e53a22ef839c87415066e"	17	SRCREV = "74a1426ba60e2cd7977e53a22ef839c87415066e"
16		18