author | Vijay Anusuri <vanusuri@mvista.com> | 2023-11-22 13:29:23 +0530 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2023-12-01 04:14:19 -1000 |
commit | 716693ccccb82ad398ff7470c360d047baeaec07 (patch) | |
tree | 2206f3cebfe9d81f2d0f2ccf449f33a50c7d6901 | |
parent | 8cabed090e84c5b4d0511bfced2ace49d9949e4c (diff) | |
download | poky-716693ccccb82ad398ff7470c360d047baeaec07.tar.gz |
avahi: backport Debian patches to fix multiple CVE's
Import patches from Ubuntu to fix:
CVE-2023-1981
CVE-2023-38469
CVE-2023-38470
CVE-2023-38471
CVE-2023-38472
CVE-2023-38473
Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches?h=ubuntu/focal-security
Upstream commit
https://github.com/lathiat/avahi/commit/a2696da2f2c50ac43b6c4903f72290d5c3fa9f6f
&
https://github.com/lathiat/avahi/commit/a337a1ba7d15853fb56deef1f464529af6e3a1cf
&
https://github.com/lathiat/avahi/commit/c6cab87df290448a63323c8ca759baa516166237
&
https://github.com/lathiat/avahi/commit/94cb6489114636940ac683515417990b55b5d66c
&
https://github.com/lathiat/avahi/commit/20dec84b2480821704258bc908e7b2bd2e883b24
&
https://github.com/lathiat/avahi/commit/894f085f402e023a98cbb6f5a3d117bd88d93b09
&
https://github.com/lathiat/avahi/commit/b675f70739f404342f7f78635d6e2dcd85a13460
&
https://github.com/lathiat/avahi/commit/b024ae5749f4aeba03478e6391687c3c9c8dee40
&
https://github.com/lathiat/avahi/commit/b448c9f771bada14ae8de175695a9729f8646797]
(From OE-Core rev: 4771e335cd4d95e734d7f07a718319f4543ce2f1)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
10 files changed, 571 insertions, 0 deletions
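--- a/meta/recipes-connectivity/avahi/avahi.inc
+++ b/meta/recipes-connectivity/avahi/avahi.inc
@@ -22,6 +22,15 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=2d5025d4aa3495befef8f17206a5b0a1 \
 SRC_URI = "https://github.com/lathiat/avahi/releases/download/v${PV}/avahi-${PV}.tar.gz \
 file://fix-CVE-2017-6519.patch \
 file://CVE-2021-3468.patch \
+file://CVE-2023-1981.patch \
+file://CVE-2023-38469-1.patch \
+file://CVE-2023-38469-2.patch \
+file://CVE-2023-38470-1.patch \
+file://CVE-2023-38470-2.patch \
+file://CVE-2023-38471-1.patch \
+file://CVE-2023-38471-2.patch \
+file://CVE-2023-38472.patch \
+file://CVE-2023-38473.patch \
 "
 
 UPSTREAM_CHECK_URI = "https://github.com/lathiat/avahi/releases/"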
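--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-1981.patch
@@ -0,0 +1,60 @@
+Backport of:
+
+From a2696da2f2c50ac43b6c4903f72290d5c3fa9f6f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Thu, 17 Nov 2022 01:51:53 +0100
+Subject: [PATCH] Emit error if requested service is not found
+
+It currently just crashes instead of replying with error. Check return
+value and emit error instead of passing NULL pointer to reply.
+
+Fixes #375
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-1981.patch?h=ubuntu/focal-security
+Upstream commit https://github.com/lathiat/avahi/commit/a2696da2f2c50ac43b6c4903f72290d5c3fa9f6f]
+CVE: CVE-2023-1981
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+avahi-daemon/dbus-protocol.c | 20 ++++++++++++++------
+1 file changed, 14 insertions(+), 6 deletions(-)
+
+--- a/avahi-daemon/dbus-protocol.c
++++ b/avahi-daemon/dbus-protocol.c
+@@ -391,10 +391,14 @@ static DBusHandlerResult msg_server_impl
+}
+
+t = avahi_alternative_host_name(n);
+- avahi_dbus_respond_string(c, m, t);
+- avahi_free(t);
+-
+- return DBUS_HANDLER_RESULT_HANDLED;
++ if (t) {
++ avahi_dbus_respond_string(c, m, t);
++ avahi_free(t);
++
++ return DBUS_HANDLER_RESULT_HANDLED;
++ } else {
++ return avahi_dbus_respond_error(c, m, AVAHI_ERR_NOT_FOUND, "Hostname not found");
++ }
+
+} else if (dbus_message_is_method_call(m, AVAHI_DBUS_INTERFACE_SERVER, "GetAlternativeServiceName")) {
+char *n, *t;
+@@ -405,10 +409,14 @@ static DBusHandlerResult msg_server_impl
+}
+
+t = avahi_alternative_service_name(n);
+- avahi_dbus_respond_string(c, m, t);
+- avahi_free(t);
+-
+- return DBUS_HANDLER_RESULT_HANDLED;
++ if (t) {
++ avahi_dbus_respond_string(c, m, t);
++ avahi_free(t);
++
++ return DBUS_HANDLER_RESULT_HANDLED;
++ } else {
++ return avahi_dbus_respond_error(c, m, AVAHI_ERR_NOT_FOUND, "Service not found");
++ }
+
+} else if (dbus_message_is_method_call(m, AVAHI_DBUS_INTERFACE_SERVER, "EntryGroupNew")) {
+Client *client;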
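Review bot: Both new `else` branches in msg_server_impl answer with AVAHI_ERR_NOT_FOUND, but the NULL they react to is not a failed lookup: avahi_alternative_host_name, as it appears in CVE-2023-38473.patch of this same commit, returns NULL when the host name is invalid and when an allocation fails. A D-Bus client that sends a malformed name will therefore be told "Hostname not found", which makes the rejected input harder to diagnose from logs. Because this is a verbatim backport, the least intrusive fix is a line in the patch header, or a comment such as `/* NULL here means invalid name or out of memory, not a lookup miss */` above each `else`. msg_server_impl starts and ends outside both hunks.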
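--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38469-1.patch
@@ -0,0 +1,48 @@
+From a337a1ba7d15853fb56deef1f464529af6e3a1cf Mon Sep 17 00:00:00 2001
+From: Evgeny Vereshchagin <evvers@ya.ru>
+Date: Mon, 23 Oct 2023 20:29:31 +0000
+Subject: [PATCH] core: reject overly long TXT resource records
+
+Closes https://github.com/lathiat/avahi/issues/455
+
+CVE-2023-38469
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38469-1.patch?h=ubuntu/focal-security
+Upstream commit https://github.com/lathiat/avahi/commit/a337a1ba7d15853fb56deef1f464529af6e3a1cf]
+CVE: CVE-2023-38469
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+avahi-core/rr.c | 9 ++++++++-
+1 file changed, 8 insertions(+), 1 deletion(-)
+
+Index: avahi-0.7/avahi-core/rr.c
+===================================================================
+--- avahi-0.7.orig/avahi-core/rr.c
++++ avahi-0.7/avahi-core/rr.c
+@@ -32,6 +32,7 @@
+#include <avahi-common/malloc.h>
+#include <avahi-common/defs.h>
+
++#include "dns.h"
+#include "rr.h"
+#include "log.h"
+#include "util.h"
+@@ -688,11 +689,17 @@ int avahi_record_is_valid(AvahiRecord *r
+case AVAHI_DNS_TYPE_TXT: {
+
+AvahiStringList *strlst;
++ size_t used = 0;
+
+- for (strlst = r->data.txt.string_list; strlst; strlst = strlst->next)
++ for (strlst = r->data.txt.string_list; strlst; strlst = strlst->next) {
+if (strlst->size > 255 || strlst->size <= 0)
+return 0;
+
++ used += 1+strlst->size;
++ if (used > AVAHI_DNS_RDATA_MAX)
++ return 0;
++ }
++
+return 1;
+}
+}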
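Review bot: The new size accounting in the TXT case of avahi_record_is_valid has no comment explaining why each string costs `1+strlst->size`, so the link between this loop and the serialized record size is left for the reader to work out. A one-line comment above `used += 1+strlst->size;`, for example `/* each TXT string is serialized as one length byte followed by its data */`, would make it clear that `used` tracks the rdata length that AVAHI_DNS_RDATA_MAX bounds. The function begins and ends outside the hunk.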
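--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38469-2.patch
@@ -0,0 +1,65 @@
+From c6cab87df290448a63323c8ca759baa516166237 Mon Sep 17 00:00:00 2001
+From: Evgeny Vereshchagin <evvers@ya.ru>
+Date: Wed, 25 Oct 2023 18:15:42 +0000
+Subject: [PATCH] tests: pass overly long TXT resource records
+
+to make sure they don't crash avahi any more.
+It reproduces https://github.com/lathiat/avahi/issues/455
+
+Canonical notes:
+nickgalanis> removed first hunk since there is no .github dir in this release
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38469-2.patch?h=ubuntu/focal-security
+Upstream commit https://github.com/lathiat/avahi/commit/c6cab87df290448a63323c8ca759baa516166237]
+CVE: CVE-2023-38469
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+avahi-client/client-test.c | 14 ++++++++++++++
+1 files changed, 14 insertions(+)
+
+Index: avahi-0.7/avahi-client/client-test.c
+===================================================================
+--- avahi-0.7.orig/avahi-client/client-test.c
++++ avahi-0.7/avahi-client/client-test.c
+@@ -22,6 +22,7 @@
+#endif
+
+#include <stdio.h>
++#include <string.h>
+#include <assert.h>
+
+#include <avahi-client/client.h>
+@@ -33,6 +34,8 @@
+#include <avahi-common/malloc.h>
+#include <avahi-common/timeval.h>
+
++#include <avahi-core/dns.h>
++
+static const AvahiPoll *poll_api = NULL;
+static AvahiSimplePoll *simple_poll = NULL;
+
+@@ -222,6 +225,9 @@ int main (AVAHI_GCC_UNUSED int argc, AVA
+uint32_t cookie;
+struct timeval tv;
+AvahiAddress a;
++ uint8_t rdata[AVAHI_DNS_RDATA_MAX+1];
++ AvahiStringList *txt = NULL;
++ int r;
+
+simple_poll = avahi_simple_poll_new();
+poll_api = avahi_simple_poll_get(simple_poll);
+@@ -258,6 +264,14 @@ int main (AVAHI_GCC_UNUSED int argc, AVA
+printf("%s\n", avahi_strerror(avahi_entry_group_add_service (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "Lathiat's Site", "_http._tcp", NULL, NULL, 80, "foo=bar", NULL)));
+printf("add_record: %d\n", avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "\5booya", 6));
+
++ memset(rdata, 1, sizeof(rdata));
++ r = avahi_string_list_parse(rdata, sizeof(rdata), &txt);
++ assert(r >= 0);
++ assert(avahi_string_list_serialize(txt, NULL, 0) == sizeof(rdata));
++ error = avahi_entry_group_add_service_strlst(group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", "_qotd._tcp", NULL, NULL, 123, txt);
++ assert(error == AVAHI_ERR_INVALID_RECORD);
++ avahi_string_list_free(txt);
++
+avahi_entry_group_commit (group);
+
+domain = avahi_domain_browser_new (avahi, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, NULL, AVAHI_DOMAIN_BROWSER_BROWSE, 0, avahi_domain_browser_callback, (char*) "omghai3u");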
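--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38470-1.patch
@@ -0,0 +1,57 @@
+From 94cb6489114636940ac683515417990b55b5d66c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Tue, 11 Apr 2023 15:29:59 +0200
+Subject: [PATCH] Ensure each label is at least one byte long
+
+The only allowed exception is single dot, where it should return empty
+string.
+
+Fixes #454.
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38470-1.patch?h=ubuntu/focal-security
+Upstream commit https://github.com/lathiat/avahi/commit/94cb6489114636940ac683515417990b55b5d66c]
+CVE: CVE-2023-38470
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+avahi-common/domain-test.c | 14 ++++++++++++++
+avahi-common/domain.c | 2 +-
+2 files changed, 15 insertions(+), 1 deletion(-)
+
+Index: avahi-0.7/avahi-common/domain-test.c
+===================================================================
+--- avahi-0.7.orig/avahi-common/domain-test.c
++++ avahi-0.7/avahi-common/domain-test.c
+@@ -45,6 +45,20 @@ int main(AVAHI_GCC_UNUSED int argc, AVAH
+printf("%s\n", s = avahi_normalize_name_strdup("fo\\\\o\\..f oo."));
+avahi_free(s);
+
++ printf("%s\n", s = avahi_normalize_name_strdup("."));
++ avahi_free(s);
++
++ s = avahi_normalize_name_strdup(",.=.}.=.?-.}.=.?.?.}.}.?.?.?.z.?.?.}.}."
++ "}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.=.=.?.?.}.}.?.?.}.}.}"
++ ".?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.=.=.?.?.}.}.?.?.?.zM.?`"
++ "?.}.}.}.?.?.?.r.=.?.}.=.?.?.}.?.?.?.}.=.?.?.}??.}.}.?.?."
++ "?.z.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.?`?.}.}.}."
++ "??.?.zM.?`?.}.}.}.?.?.?.r.=.?.}.=.?.?.}.?.?.?.}.=.?.?.}?"
++ "?.}.}.?.?.?.z.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM."
++ "?`?.}.}.}.?.?.?.r.=.=.?.?`.?.?}.}.}.?.?.?.r.=.?.}.=.?.?."
++ "}.?.?.?.}.=.?.?.}");
++ assert(s == NULL);
++
+printf("%i\n", avahi_domain_equal("\\065aa bbb\\.\\046cc.cc\\\\.dee.fff.", "Aaa BBB\\.\\.cc.cc\\\\.dee.fff"));
+printf("%i\n", avahi_domain_equal("A", "a"));
+
+Index: avahi-0.7/avahi-common/domain.c
+===================================================================
+--- avahi-0.7.orig/avahi-common/domain.c
++++ avahi-0.7/avahi-common/domain.c
+@@ -201,7 +201,7 @@ char *avahi_normalize_name(const char *s
+}
+
+if (!empty) {
+- if (size < 1)
++ if (size < 2)
+return NULL;
+
+*(r++) = '.';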
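--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38470-2.patch
@@ -0,0 +1,53 @@
+From 20dec84b2480821704258bc908e7b2bd2e883b24 Mon Sep 17 00:00:00 2001
+From: Evgeny Vereshchagin <evvers@ya.ru>
+Date: Tue, 19 Sep 2023 03:21:25 +0000
+Subject: [PATCH] [common] bail out when escaped labels can't fit into ret
+
+Fixes:
+```
+==93410==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f9e76f14c16 at pc 0x00000047208d bp 0x7ffee90a6a00 sp 0x7ffee90a61c8
+READ of size 1110 at 0x7f9e76f14c16 thread T0
+#0 0x47208c in __interceptor_strlen (out/fuzz-domain+0x47208c) (BuildId: 731b20c1eef22c2104e75a6496a399b10cfc7cba)
+#1 0x534eb0 in avahi_strdup avahi/avahi-common/malloc.c:167:12
+#2 0x53862c in avahi_normalize_name_strdup avahi/avahi-common/domain.c:226:12
+```
+and
+```
+fuzz-domain: fuzz/fuzz-domain.c:38: int LLVMFuzzerTestOneInput(const uint8_t *, size_t): Assertion `avahi_domain_equal(s, t)' failed.
+==101571== ERROR: libFuzzer: deadly signal
+#0 0x501175 in __sanitizer_print_stack_trace (/home/vagrant/avahi/out/fuzz-domain+0x501175) (BuildId: 682bf6400aff9d41b64b6e2cc3ef5ad600216ea8)
+#1 0x45ad2c in fuzzer::PrintStackTrace() (/home/vagrant/avahi/out/fuzz-domain+0x45ad2c) (BuildId: 682bf6400aff9d41b64b6e2cc3ef5ad600216ea8)
+#2 0x43fc07 in fuzzer::Fuzzer::CrashCallback() (/home/vagrant/avahi/out/fuzz-domain+0x43fc07) (BuildId: 682bf6400aff9d41b64b6e2cc3ef5ad600216ea8)
+#3 0x7f1581d7ebaf (/lib64/libc.so.6+0x3dbaf) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25)
+#4 0x7f1581dcf883 in __pthread_kill_implementation (/lib64/libc.so.6+0x8e883) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25)
+#5 0x7f1581d7eafd in gsignal (/lib64/libc.so.6+0x3dafd) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25)
+#6 0x7f1581d6787e in abort (/lib64/libc.so.6+0x2687e) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25)
+#7 0x7f1581d6779a in __assert_fail_base.cold (/lib64/libc.so.6+0x2679a) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25)
+#8 0x7f1581d77186 in __assert_fail (/lib64/libc.so.6+0x36186) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25)
+#9 0x5344a4 in LLVMFuzzerTestOneInput /home/vagrant/avahi/fuzz/fuzz-domain.c:38:9
+```
+
+It's a follow-up to 94cb6489114636940ac683515417990b55b5d66c
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38471-2.patch?h=ubuntu/focal-security
+Upstream commit https://github.com/lathiat/avahi/commit/20dec84b2480821704258bc908e7b2bd2e883b24]
+CVE: CVE-2023-38470 #Follow-up patch
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+avahi-common/domain.c | 3 ++-
+1 file changed, 2 insertions(+), 1 deletion(-)
+
+Index: avahi-0.7/avahi-common/domain.c
+===================================================================
+--- avahi-0.7.orig/avahi-common/domain.c
++++ avahi-0.7/avahi-common/domain.c
+@@ -210,7 +210,8 @@ char *avahi_normalize_name(const char *s
+} else
+empty = 0;
+
+- avahi_escape_label(label, strlen(label), &r, &size);
++ if (!(avahi_escape_label(label, strlen(label), &r, &size)))
++ return NULL;
+}
+
+return ret_s;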
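Review bot: The Upstream-Status line in this patch header names the Ubuntu file `CVE-2023-38471-2.patch`, the same URL that the header of CVE-2023-38471-2.patch uses later in this commit, although this file is CVE-2023-38470-2.patch and carries upstream commit 20dec84b2480821704258bc908e7b2bd2e883b24. Anyone auditing the backport by following that link lands on a different fix, so the provenance of this hunk cannot be checked from the header alone. The path should presumably end in `debian/patches/CVE-2023-38470-2.patch?h=ubuntu/focal-security`; confirm the file name against the Ubuntu tree before changing it.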
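--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38471-1.patch
@@ -0,0 +1,73 @@
+From 894f085f402e023a98cbb6f5a3d117bd88d93b09 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar <msekleta@redhat.com>
+Date: Mon, 23 Oct 2023 13:38:35 +0200
+Subject: [PATCH] core: extract host name using avahi_unescape_label()
+
+Previously we could create invalid escape sequence when we split the
+string on dot. For example, from valid host name "foo\\.bar" we have
+created invalid name "foo\\" and tried to set that as the host name
+which crashed the daemon.
+
+Fixes #453
+
+CVE-2023-38471
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38471-1.patch?h=ubuntu/focal-security
+Upstream commit https://github.com/lathiat/avahi/commit/894f085f402e023a98cbb6f5a3d117bd88d93b09]
+CVE: CVE-2023-38471
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+avahi-core/server.c | 27 +++++++++++++++++++++------
+1 file changed, 21 insertions(+), 6 deletions(-)
+
+Index: avahi-0.7/avahi-core/server.c
+===================================================================
+--- avahi-0.7.orig/avahi-core/server.c
++++ avahi-0.7/avahi-core/server.c
+@@ -1253,7 +1253,11 @@ static void update_fqdn(AvahiServer *s)
+}
+
+int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
+- char *hn = NULL;
++ char label_escaped[AVAHI_LABEL_MAX*4+1];
++ char label[AVAHI_LABEL_MAX];
++ char *hn = NULL, *h;
++ size_t len;
++
+assert(s);
+
+AVAHI_CHECK_VALIDITY(s, !host_name || avahi_is_valid_host_name(host_name), AVAHI_ERR_INVALID_HOST_NAME);
+@@ -1263,17 +1267,28 @@ int avahi_server_set_host_name(AvahiServ
+else
+hn = avahi_normalize_name_strdup(host_name);
+
+- hn[strcspn(hn, ".")] = 0;
++ h = hn;
++ if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) {
++ avahi_free(h);
++ return AVAHI_ERR_INVALID_HOST_NAME;
++ }
++
++ avahi_free(h);
+
+- if (avahi_domain_equal(s->host_name, hn) && s->state != AVAHI_SERVER_COLLISION) {
+- avahi_free(hn);
++ h = label_escaped;
++ len = sizeof(label_escaped);
++ if (!avahi_escape_label(label, strlen(label), &h, &len))
++ return AVAHI_ERR_INVALID_HOST_NAME;
++
++ if (avahi_domain_equal(s->host_name, label_escaped) && s->state != AVAHI_SERVER_COLLISION)
+return avahi_server_set_errno(s, AVAHI_ERR_NO_CHANGE);
+- }
+
+withdraw_host_rrs(s);
+
+avahi_free(s->host_name);
+- s->host_name = hn;
++ s->host_name = avahi_strdup(label_escaped);
++ if (!s->host_name)
++ return AVAHI_ERR_NO_MEMORY;
+
+update_fqdn(s);
+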
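Review bot: In avahi_server_set_host_name the old name is released with `avahi_free(s->host_name)` and the host records are withdrawn before `avahi_strdup(label_escaped)` is known to have succeeded, so the new out-of-memory return leaves `s->host_name` NULL on a server whose records are already gone. Duplicating first avoids that state: `char *new_name = avahi_strdup(label_escaped); if (!new_name) return AVAHI_ERR_NO_MEMORY;` ahead of `withdraw_host_rrs(s);`, then `s->host_name = new_name;` after the free. The hunk also passes `hn` to avahi_unescape_label() right after avahi_normalize_name_strdup() with no NULL check; CVE-2023-38471-2.patch in this commit adds that check, so the two patches have to stay together and in this order in SRC_URI. The function continues past the end of the hunk.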
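--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38471-2.patch
@@ -0,0 +1,52 @@
+From b675f70739f404342f7f78635d6e2dcd85a13460 Mon Sep 17 00:00:00 2001
+From: Evgeny Vereshchagin <evvers@ya.ru>
+Date: Tue, 24 Oct 2023 22:04:51 +0000
+Subject: [PATCH] core: return errors from avahi_server_set_host_name properly
+
+It's a follow-up to 894f085f402e023a98cbb6f5a3d117bd88d93b09
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38471-2.patch?h=ubuntu/focal-security
+Upstream commit https://github.com/lathiat/avahi/commit/b675f70739f404342f7f78635d6e2dcd85a13460]
+CVE: CVE-2023-38471 #Follow-up Patch
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+avahi-core/server.c | 9 ++++++---
+1 file changed, 6 insertions(+), 3 deletions(-)
+
+Index: avahi-0.7/avahi-core/server.c
+===================================================================
+--- avahi-0.7.orig/avahi-core/server.c
++++ avahi-0.7/avahi-core/server.c
+@@ -1267,10 +1267,13 @@ int avahi_server_set_host_name(AvahiServ
+else
+hn = avahi_normalize_name_strdup(host_name);
+
++ if (!hn)
++ return avahi_server_set_errno(s, AVAHI_ERR_NO_MEMORY);
++
+h = hn;
+if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) {
+avahi_free(h);
+- return AVAHI_ERR_INVALID_HOST_NAME;
++ return avahi_server_set_errno(s, AVAHI_ERR_INVALID_HOST_NAME);
+}
+
+avahi_free(h);
+@@ -1278,7 +1281,7 @@ int avahi_server_set_host_name(AvahiServ
+h = label_escaped;
+len = sizeof(label_escaped);
+if (!avahi_escape_label(label, strlen(label), &h, &len))
+- return AVAHI_ERR_INVALID_HOST_NAME;
++ return avahi_server_set_errno(s, AVAHI_ERR_INVALID_HOST_NAME);
+
+if (avahi_domain_equal(s->host_name, label_escaped) && s->state != AVAHI_SERVER_COLLISION)
+return avahi_server_set_errno(s, AVAHI_ERR_NO_CHANGE);
+@@ -1288,7 +1291,7 @@ int avahi_server_set_host_name(AvahiServ
+avahi_free(s->host_name);
+s->host_name = avahi_strdup(label_escaped);
+if (!s->host_name)
+- return AVAHI_ERR_NO_MEMORY;
++ return avahi_server_set_errno(s, AVAHI_ERR_NO_MEMORY);
+
+update_fqdn(s);
+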
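--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch
@@ -0,0 +1,45 @@
+From b024ae5749f4aeba03478e6391687c3c9c8dee40 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar <msekleta@redhat.com>
+Date: Thu, 19 Oct 2023 17:36:44 +0200
+Subject: [PATCH] core: make sure there is rdata to process before parsing it
+
+Fixes #452
+
+CVE-2023-38472
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38472.patch?h=ubuntu/focal-security
+Upstream commit https://github.com/lathiat/avahi/commit/b024ae5749f4aeba03478e6391687c3c9c8dee40]
+CVE: CVE-2023-38472
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+avahi-client/client-test.c | 3 +++
+avahi-daemon/dbus-entry-group.c | 2 +-
+2 files changed, 4 insertions(+), 1 deletion(-)
+
+Index: avahi-0.7/avahi-client/client-test.c
+===================================================================
+--- avahi-0.7.orig/avahi-client/client-test.c
++++ avahi-0.7/avahi-client/client-test.c
+@@ -272,6 +272,9 @@ int main (AVAHI_GCC_UNUSED int argc, AVA
+assert(error == AVAHI_ERR_INVALID_RECORD);
+avahi_string_list_free(txt);
+
++ error = avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "", 0);
++ assert(error != AVAHI_OK);
++
+avahi_entry_group_commit (group);
+
+domain = avahi_domain_browser_new (avahi, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, NULL, AVAHI_DOMAIN_BROWSER_BROWSE, 0, avahi_domain_browser_callback, (char*) "omghai3u");
+Index: avahi-0.7/avahi-daemon/dbus-entry-group.c
+===================================================================
+--- avahi-0.7.orig/avahi-daemon/dbus-entry-group.c
++++ avahi-0.7/avahi-daemon/dbus-entry-group.c
+@@ -340,7 +340,7 @@ DBusHandlerResult avahi_dbus_msg_entry_g
+if (!(r = avahi_record_new_full (name, clazz, type, ttl)))
+return avahi_dbus_respond_error(c, m, AVAHI_ERR_NO_MEMORY, NULL);
+
+- if (avahi_rdata_parse (r, rdata, size) < 0) {
++ if (!rdata || avahi_rdata_parse (r, rdata, size) < 0) {
+avahi_record_unref (r);
+return avahi_dbus_respond_error(c, m, AVAHI_ERR_INVALID_RDATA, NULL);
+}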
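--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch
@@ -0,0 +1,109 @@
+From b448c9f771bada14ae8de175695a9729f8646797 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar <msekleta@redhat.com>
+Date: Wed, 11 Oct 2023 17:45:44 +0200
+Subject: [PATCH] common: derive alternative host name from its unescaped
+version
+
+Normalization of input makes sure we don't have to deal with special
+cases like unescaped dot at the end of label.
+
+Fixes #451 #487
+CVE-2023-38473
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38473.patch?h=ubuntu/focal-security
+Upstream commit https://github.com/lathiat/avahi/commit/b448c9f771bada14ae8de175695a9729f8646797]
+CVE: CVE-2023-38473
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+avahi-common/alternative-test.c | 3 +++
+avahi-common/alternative.c | 27 +++++++++++++++++++--------
+2 files changed, 22 insertions(+), 8 deletions(-)
+
+Index: avahi-0.7/avahi-common/alternative-test.c
+===================================================================
+--- avahi-0.7.orig/avahi-common/alternative-test.c
++++ avahi-0.7/avahi-common/alternative-test.c
+@@ -31,6 +31,9 @@ int main(AVAHI_GCC_UNUSED int argc, AVAH
+const char* const test_strings[] = {
+"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
+"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXüüüüüüü",
++ ").",
++ "\\.",
++ "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\\\",
+"gurke",
+"-",
+" #",
+Index: avahi-0.7/avahi-common/alternative.c
+===================================================================
+--- avahi-0.7.orig/avahi-common/alternative.c
++++ avahi-0.7/avahi-common/alternative.c
+@@ -49,15 +49,20 @@ static void drop_incomplete_utf8(char *c
+}
+
+char *avahi_alternative_host_name(const char *s) {
++ char label[AVAHI_LABEL_MAX], alternative[AVAHI_LABEL_MAX*4+1];
++ char *alt, *r, *ret;
+const char *e;
+- char *r;
++ size_t len;
+
+assert(s);
+
+if (!avahi_is_valid_host_name(s))
+return NULL;
+
+- if ((e = strrchr(s, '-'))) {
++ if (!avahi_unescape_label(&s, label, sizeof(label)))
++ return NULL;
++
++ if ((e = strrchr(label, '-'))) {
+const char *p;
+
+e++;
+@@ -74,19 +79,18 @@ char *avahi_alternative_host_name(const
+
+if (e) {
+char *c, *m;
+- size_t l;
+int n;
+
+n = atoi(e)+1;
+if (!(m = avahi_strdup_printf("%i", n)))
+return NULL;
+
+- l = e-s-1;
++ len = e-label-1;
+
+- if (l >= AVAHI_LABEL_MAX-1-strlen(m)-1)
+- l = AVAHI_LABEL_MAX-1-strlen(m)-1;
++ if (len >= AVAHI_LABEL_MAX-1-strlen(m)-1)
++ len = AVAHI_LABEL_MAX-1-strlen(m)-1;
+
+- if (!(c = avahi_strndup(s, l))) {
++ if (!(c = avahi_strndup(label, len))) {
+avahi_free(m);
+return NULL;
+}
+@@ -100,7 +104,7 @@ char *avahi_alternative_host_name(const
+} else {
+char *c;
+
+- if (!(c = avahi_strndup(s, AVAHI_LABEL_MAX-1-2)))
++ if (!(c = avahi_strndup(label, AVAHI_LABEL_MAX-1-2)))
+return NULL;
+
+drop_incomplete_utf8(c);
+@@ -109,6 +113,13 @@ char *avahi_alternative_host_name(const
+avahi_free(c);
+}
+
++ alt = alternative;
++ len = sizeof(alternative);
++ ret = avahi_escape_label(r, strlen(r), &alt, &len);
++
++ avahi_free(r);
++ r = avahi_strdup(ret);
++
+assert(avahi_is_valid_host_name(r));
+
+return r;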
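Review bot: At the end of avahi_alternative_host_name the result of `avahi_strdup(ret)` goes straight into `assert(avahi_is_valid_host_name(r))` with no NULL check, so an allocation failure there (or a NULL `ret` from avahi_escape_label, which presumably propagates through avahi_strdup) becomes an assertion failure in the daemon rather than the NULL return that CVE-2023-1981.patch in this commit teaches the D-Bus handler to answer with an error. Adding `if (!r) return NULL;` between `r = avahi_strdup(ret);` and the assert keeps that path on the error reply. `strlen(r)` two lines earlier has the same exposure if the allocation that produced `r` can fail; that assignment lies in the unchanged part of the function outside the hunks, so it needs checking there. Only parts of the function body are visible in this patch.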