diff options
author | Meenali Gupta <meenali.gupta@windriver.com> | 2023-11-16 11:19:25 +0000 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2023-11-20 15:30:52 +0000 |
commit | 34f496c2d47f1ab34a8330a0830726f24e7ba6cc (patch) | |
tree | 31a3547bfdf82750f4c3d83b8cce93893535cc7b | |
parent | 9580629d5b34aa8a02f88582e15e179a900d9034 (diff) | |
download | poky-34f496c2d47f1ab34a8330a0830726f24e7ba6cc.tar.gz |
avahi: fix CVE-2023-38473
A vulnerability was found in Avahi. A reachable assertion exists
in the avahi_alternative_host_name() function.
(From OE-Core rev: fbe506e7af1ce47f6d04c122cb77573e0527ab91)
Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-connectivity/avahi/avahi_0.8.bb | 1 | ||||
-rw-r--r-- | meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch | 110 |
2 files changed, 111 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/avahi/avahi_0.8.bb b/meta/recipes-connectivity/avahi/avahi_0.8.bb index 84eb1c554d..910da3c9cc 100644 --- a/meta/recipes-connectivity/avahi/avahi_0.8.bb +++ b/meta/recipes-connectivity/avahi/avahi_0.8.bb | |||
@@ -30,6 +30,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/avahi-${PV}.tar.gz \ | |||
30 | file://CVE-2023-38470.patch \ | 30 | file://CVE-2023-38470.patch \ |
31 | file://CVE-2023-38471.patch \ | 31 | file://CVE-2023-38471.patch \ |
32 | file://CVE-2023-38472.patch \ | 32 | file://CVE-2023-38472.patch \ |
33 | file://CVE-2023-38473.patch \ | ||
33 | " | 34 | " |
34 | 35 | ||
35 | GITHUB_BASE_URI = "https://github.com/lathiat/avahi/releases/" | 36 | GITHUB_BASE_URI = "https://github.com/lathiat/avahi/releases/" |
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch new file mode 100644 index 0000000000..707acb60fe --- /dev/null +++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch | |||
@@ -0,0 +1,110 @@ | |||
1 | From 88cbbc48d5efff9726694557ca6c3f698f3affe4 Mon Sep 17 00:00:00 2001 | ||
2 | From: Michal Sekletar <msekleta@redhat.com> | ||
3 | Date: Wed, 11 Oct 2023 17:45:44 +0200 | ||
4 | Subject: [PATCH] avahi: common: derive alternative host name from its | ||
5 | unescaped version | ||
6 | |||
7 | Normalization of input makes sure we don't have to deal with special | ||
8 | cases like unescaped dot at the end of label. | ||
9 | |||
10 | Fixes #451 #487 | ||
11 | |||
12 | Upstream-Status: Backport [https://github.com/lathiat/avahi/commit/b448c9f771bada14ae8de175695a9729f8646797] | ||
13 | CVE: CVE-2023-38473 | ||
14 | |||
15 | Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com> | ||
16 | --- | ||
17 | avahi-common/alternative-test.c | 3 +++ | ||
18 | avahi-common/alternative.c | 27 +++++++++++++++++++-------- | ||
19 | 2 files changed, 22 insertions(+), 8 deletions(-) | ||
20 | |||
21 | diff --git a/avahi-common/alternative-test.c b/avahi-common/alternative-test.c | ||
22 | index 9255435..681fc15 100644 | ||
23 | --- a/avahi-common/alternative-test.c | ||
24 | +++ b/avahi-common/alternative-test.c | ||
25 | @@ -31,6 +31,9 @@ int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) { | ||
26 | const char* const test_strings[] = { | ||
27 | "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", | ||
28 | "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXüüüüüüü", | ||
29 | + ").", | ||
30 | + "\\.", | ||
31 | + "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\\\", | ||
32 | "gurke", | ||
33 | "-", | ||
34 | " #", | ||
35 | diff --git a/avahi-common/alternative.c b/avahi-common/alternative.c | ||
36 | index b3d39f0..a094e6d 100644 | ||
37 | --- a/avahi-common/alternative.c | ||
38 | +++ b/avahi-common/alternative.c | ||
39 | @@ -49,15 +49,20 @@ static void drop_incomplete_utf8(char *c) { | ||
40 | } | ||
41 | |||
42 | char *avahi_alternative_host_name(const char *s) { | ||
43 | + char label[AVAHI_LABEL_MAX], alternative[AVAHI_LABEL_MAX*4+1]; | ||
44 | + char *alt, *r, *ret; | ||
45 | const char *e; | ||
46 | - char *r; | ||
47 | + size_t len; | ||
48 | |||
49 | assert(s); | ||
50 | |||
51 | if (!avahi_is_valid_host_name(s)) | ||
52 | return NULL; | ||
53 | |||
54 | - if ((e = strrchr(s, '-'))) { | ||
55 | + if (!avahi_unescape_label(&s, label, sizeof(label))) | ||
56 | + return NULL; | ||
57 | + | ||
58 | + if ((e = strrchr(label, '-'))) { | ||
59 | const char *p; | ||
60 | |||
61 | e++; | ||
62 | @@ -74,19 +79,18 @@ char *avahi_alternative_host_name(const char *s) { | ||
63 | |||
64 | if (e) { | ||
65 | char *c, *m; | ||
66 | - size_t l; | ||
67 | int n; | ||
68 | |||
69 | n = atoi(e)+1; | ||
70 | if (!(m = avahi_strdup_printf("%i", n))) | ||
71 | return NULL; | ||
72 | |||
73 | - l = e-s-1; | ||
74 | + len = e-label-1; | ||
75 | |||
76 | - if (l >= AVAHI_LABEL_MAX-1-strlen(m)-1) | ||
77 | - l = AVAHI_LABEL_MAX-1-strlen(m)-1; | ||
78 | + if (len >= AVAHI_LABEL_MAX-1-strlen(m)-1) | ||
79 | + len = AVAHI_LABEL_MAX-1-strlen(m)-1; | ||
80 | |||
81 | - if (!(c = avahi_strndup(s, l))) { | ||
82 | + if (!(c = avahi_strndup(label, len))) { | ||
83 | avahi_free(m); | ||
84 | return NULL; | ||
85 | } | ||
86 | @@ -100,7 +104,7 @@ char *avahi_alternative_host_name(const char *s) { | ||
87 | } else { | ||
88 | char *c; | ||
89 | |||
90 | - if (!(c = avahi_strndup(s, AVAHI_LABEL_MAX-1-2))) | ||
91 | + if (!(c = avahi_strndup(label, AVAHI_LABEL_MAX-1-2))) | ||
92 | return NULL; | ||
93 | |||
94 | drop_incomplete_utf8(c); | ||
95 | @@ -109,6 +113,13 @@ char *avahi_alternative_host_name(const char *s) { | ||
96 | avahi_free(c); | ||
97 | } | ||
98 | |||
99 | + alt = alternative; | ||
100 | + len = sizeof(alternative); | ||
101 | + ret = avahi_escape_label(r, strlen(r), &alt, &len); | ||
102 | + | ||
103 | + avahi_free(r); | ||
104 | + r = avahi_strdup(ret); | ||
105 | + | ||
106 | assert(avahi_is_valid_host_name(r)); | ||
107 | |||
108 | return r; | ||
109 | -- | ||
110 | 2.40.0 | ||