avahi: fix CVE-2023-38473

A vulnerability was found in Avahi. A reachable assertion exists in the avahi_alternative_host_name() function. (From OE-Core rev: fbe506e7af1ce47f6d04c122cb77573e0527ab91) Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Meenali Gupta <meenali.gupta@windriver.com> 2023-11-16 11:19:25 +0000
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2023-11-20 15:30:52 +0000
commit: 34f496c2d47f1ab34a8330a0830726f24e7ba6cc (patch)
tree: 31a3547bfdf82750f4c3d83b8cce93893535cc7b /meta/recipes-connectivity/avahi
parent: 9580629d5b34aa8a02f88582e15e179a900d9034 (diff)
download: poky-34f496c2d47f1ab34a8330a0830726f24e7ba6cc.tar.gz
2 files changed, 111 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/avahi/avahi_0.8.bb b/meta/recipes-connectivity/avahi/avahi_0.8.bb
index 84eb1c554d..910da3c9cc 100644
--- a/meta/recipes-connectivity/avahi/avahi_0.8.bb
+++ b/meta/recipes-connectivity/avahi/avahi_0.8.bb
@@ -30,6 +30,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/avahi-${PV}.tar.gz \
           file://CVE-2023-38470.patch \
           file://CVE-2023-38471.patch \
           file://CVE-2023-38472.patch \
+           file://CVE-2023-38473.patch \
           "
 GITHUB_BASE_URI = "https://github.com/lathiat/avahi/releases/"
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch
new file mode 100644
index 0000000000..707acb60fe
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch
@@ -0,0 +1,110 @@
+From 88cbbc48d5efff9726694557ca6c3f698f3affe4 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar <msekleta@redhat.com>
+Date: Wed, 11 Oct 2023 17:45:44 +0200
+Subject: [PATCH] avahi: common: derive alternative host name from its
+ unescaped version
+Normalization of input makes sure we don't have to deal with special
+cases like unescaped dot at the end of label.
+Fixes #451 #487
+Upstream-Status: Backport [https://github.com/lathiat/avahi/commit/b448c9f771bada14ae8de175695a9729f8646797]
+CVE: CVE-2023-38473
+Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
+---
+ avahi-common/alternative-test.c |  3 +++
+ avahi-common/alternative.c      | 27 +++++++++++++++++++--------
+ 2 files changed, 22 insertions(+), 8 deletions(-)
+diff --git a/avahi-common/alternative-test.c b/avahi-common/alternative-test.c
+index 9255435..681fc15 100644
+--- a/avahi-common/alternative-test.c
+++ b/avahi-common/alternative-test.c
+@@ -31,6 +31,9 @@ int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) {
+     const char* const test_strings[] = {
+         "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
+         "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXüüüüüüü",
+        ").",
+        "\\.",
+        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\\\",
+         "gurke",
+         "-",
+         " #",
+diff --git a/avahi-common/alternative.c b/avahi-common/alternative.c
+index b3d39f0..a094e6d 100644
+--- a/avahi-common/alternative.c
+++ b/avahi-common/alternative.c
+@@ -49,15 +49,20 @@ static void drop_incomplete_utf8(char *c) {
+ }
+ char *avahi_alternative_host_name(const char *s) {
+    char label[AVAHI_LABEL_MAX], alternative[AVAHI_LABEL_MAX*4+1];
+    char *alt, *r, *ret;
+     const char *e;
+-    char *r;
+    size_t len;
+     assert(s);
+     if (!avahi_is_valid_host_name(s))
+         return NULL;
+-    if ((e = strrchr(s, '-'))) {
+    if (!avahi_unescape_label(&s, label, sizeof(label)))
+        return NULL;
+
+    if ((e = strrchr(label, '-'))) {
+         const char *p;
+         e++;
+@@ -74,19 +79,18 @@ char *avahi_alternative_host_name(const char *s) {
+     if (e) {
+         char *c, *m;
+-        size_t l;
+         int n;
+         n = atoi(e)+1;
+         if (!(m = avahi_strdup_printf("%i", n)))
+             return NULL;
+-        l = e-s-1;
+        len = e-label-1;
+-        if (l >= AVAHI_LABEL_MAX-1-strlen(m)-1)
+-            l = AVAHI_LABEL_MAX-1-strlen(m)-1;
+        if (len >= AVAHI_LABEL_MAX-1-strlen(m)-1)
+            len = AVAHI_LABEL_MAX-1-strlen(m)-1;
+-        if (!(c = avahi_strndup(s, l))) {
+        if (!(c = avahi_strndup(label, len))) {
+             avahi_free(m);
+             return NULL;
+         }
+@@ -100,7 +104,7 @@ char *avahi_alternative_host_name(const char *s) {
+     } else {
+         char *c;
+-        if (!(c = avahi_strndup(s, AVAHI_LABEL_MAX-1-2)))
+        if (!(c = avahi_strndup(label, AVAHI_LABEL_MAX-1-2)))
+             return NULL;
+         drop_incomplete_utf8(c);
+@@ -109,6 +113,13 @@ char *avahi_alternative_host_name(const char *s) {
+         avahi_free(c);
+     }
+    alt = alternative;
+    len = sizeof(alternative);
+    ret = avahi_escape_label(r, strlen(r), &alt, &len);
+
+    avahi_free(r);
+    r = avahi_strdup(ret);
+
+     assert(avahi_is_valid_host_name(r));
+     return r;
+--
+2.40.0
author	Meenali Gupta <meenali.gupta@windriver.com>	2023-11-16 11:19:25 +0000
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2023-11-20 15:30:52 +0000
commit	34f496c2d47f1ab34a8330a0830726f24e7ba6cc (patch)
tree	31a3547bfdf82750f4c3d83b8cce93893535cc7b /meta/recipes-connectivity/avahi
parent	9580629d5b34aa8a02f88582e15e179a900d9034 (diff)
download	poky-34f496c2d47f1ab34a8330a0830726f24e7ba6cc.tar.gz

diff --git a/meta/recipes-connectivity/avahi/avahi_0.8.bb b/meta/recipes-connectivity/avahi/avahi_0.8.bb index 84eb1c554d..910da3c9cc 100644 --- a/meta/recipes-connectivity/avahi/avahi_0.8.bb +++ b/meta/recipes-connectivity/avahi/avahi_0.8.bb
@@ -30,6 +30,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/avahi-${PV}.tar.gz \
30	file://CVE-2023-38470.patch \	30	file://CVE-2023-38470.patch \
31	file://CVE-2023-38471.patch \	31	file://CVE-2023-38471.patch \
32	file://CVE-2023-38472.patch \	32	file://CVE-2023-38472.patch \
		33	file://CVE-2023-38473.patch \
33	"	34	"
34		35
35	GITHUB_BASE_URI = "https://github.com/lathiat/avahi/releases/"	36	GITHUB_BASE_URI = "https://github.com/lathiat/avahi/releases/"


diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch new file mode 100644 index 0000000000..707acb60fe --- /dev/null +++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch
@@ -0,0 +1,110 @@
		1	From 88cbbc48d5efff9726694557ca6c3f698f3affe4 Mon Sep 17 00:00:00 2001
		2	From: Michal Sekletar <msekleta@redhat.com>
		3	Date: Wed, 11 Oct 2023 17:45:44 +0200
		4	Subject: [PATCH] avahi: common: derive alternative host name from its
		5	unescaped version
		6
		7	Normalization of input makes sure we don't have to deal with special
		8	cases like unescaped dot at the end of label.
		9
		10	Fixes #451 #487
		11
		12	Upstream-Status: Backport [https://github.com/lathiat/avahi/commit/b448c9f771bada14ae8de175695a9729f8646797]
		13	CVE: CVE-2023-38473
		14
		15	Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
		16	---
		17	avahi-common/alternative-test.c \| 3 +++
		18	avahi-common/alternative.c \| 27 +++++++++++++++++++--------
		19	2 files changed, 22 insertions(+), 8 deletions(-)
		20
		21	diff --git a/avahi-common/alternative-test.c b/avahi-common/alternative-test.c
		22	index 9255435..681fc15 100644
		23	--- a/avahi-common/alternative-test.c
		24	+++ b/avahi-common/alternative-test.c
		25	@@ -31,6 +31,9 @@ int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) {
		26	const char* const test_strings[] = {
		27	"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
		28	"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXüüüüüüü",
		29	+ ").",
		30	+ "\\.",
		31	+ "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\\\",
		32	"gurke",
		33	"-",
		34	" #",
		35	diff --git a/avahi-common/alternative.c b/avahi-common/alternative.c
		36	index b3d39f0..a094e6d 100644
		37	--- a/avahi-common/alternative.c
		38	+++ b/avahi-common/alternative.c
		39	@@ -49,15 +49,20 @@ static void drop_incomplete_utf8(char *c) {
		40	}
		41
		42	char avahi_alternative_host_name(const char s) {
		43	+ char label[AVAHI_LABEL_MAX], alternative[AVAHI_LABEL_MAX*4+1];
		44	+ char alt, r, *ret;
		45	const char *e;
		46	- char *r;
		47	+ size_t len;
		48
		49	assert(s);
		50
		51	if (!avahi_is_valid_host_name(s))
		52	return NULL;
		53
		54	- if ((e = strrchr(s, '-'))) {
		55	+ if (!avahi_unescape_label(&s, label, sizeof(label)))
		56	+ return NULL;
		57	+
		58	+ if ((e = strrchr(label, '-'))) {
		59	const char *p;
		60
		61	e++;
		62	@@ -74,19 +79,18 @@ char avahi_alternative_host_name(const char s) {
		63
		64	if (e) {
		65	char c, m;
		66	- size_t l;
		67	int n;
		68
		69	n = atoi(e)+1;
		70	if (!(m = avahi_strdup_printf("%i", n)))
		71	return NULL;
		72
		73	- l = e-s-1;
		74	+ len = e-label-1;
		75
		76	- if (l >= AVAHI_LABEL_MAX-1-strlen(m)-1)
		77	- l = AVAHI_LABEL_MAX-1-strlen(m)-1;
		78	+ if (len >= AVAHI_LABEL_MAX-1-strlen(m)-1)
		79	+ len = AVAHI_LABEL_MAX-1-strlen(m)-1;
		80
		81	- if (!(c = avahi_strndup(s, l))) {
		82	+ if (!(c = avahi_strndup(label, len))) {
		83	avahi_free(m);
		84	return NULL;
		85	}
		86	@@ -100,7 +104,7 @@ char avahi_alternative_host_name(const char s) {
		87	} else {
		88	char *c;
		89
		90	- if (!(c = avahi_strndup(s, AVAHI_LABEL_MAX-1-2)))
		91	+ if (!(c = avahi_strndup(label, AVAHI_LABEL_MAX-1-2)))
		92	return NULL;
		93
		94	drop_incomplete_utf8(c);
		95	@@ -109,6 +113,13 @@ char avahi_alternative_host_name(const char s) {
		96	avahi_free(c);
		97	}
		98
		99	+ alt = alternative;
		100	+ len = sizeof(alternative);
		101	+ ret = avahi_escape_label(r, strlen(r), &alt, &len);
		102	+
		103	+ avahi_free(r);
		104	+ r = avahi_strdup(ret);
		105	+
		106	assert(avahi_is_valid_host_name(r));
		107
		108	return r;
		109	--
		110	2.40.0