avahi: fix CVE-2017-6519

Backport patch to fix CVE-2017-6519. CVE: CVE-2017-6519 (From OE-Core rev: 979e3f4ac1e12228d368315169a32d5ab0209e91) Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Kai Kang <kai.kang@windriver.com> 2019-04-02 03:44:26 -0400
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-04-03 14:50:13 +0100
commit: be07743960fb4a0ddf1c79c1c63d5787b1fda08e (patch)
tree: 86d6d797bdca5475af5a3fd5f84e0cadfaeec2c1 /meta/recipes-connectivity/avahi
parent: 6334737a782cc81c28e168ed24e566d35752a5a2 (diff)
download: poky-be07743960fb4a0ddf1c79c1c63d5787b1fda08e.tar.gz
2 files changed, 51 insertions, 1 deletions
diff --git a/meta/recipes-connectivity/avahi/avahi.inc b/meta/recipes-connectivity/avahi/avahi.inc
index 11846849f0..8339e451f5 100644
--- a/meta/recipes-connectivity/avahi/avahi.inc
+++ b/meta/recipes-connectivity/avahi/avahi.inc
@@ -19,7 +19,9 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=2d5025d4aa3495befef8f17206a5b0a1 \
                    file://avahi-daemon/main.c;endline=21;md5=9ee77368c5407af77caaef1b07285969 \
                    file://avahi-client/client.h;endline=23;md5=f4ac741a25c4f434039ba3e18c8674cf"
-SRC_URI = "https://github.com/lathiat/avahi/releases/download/v${PV}/avahi-${PV}.tar.gz"
+SRC_URI = "https://github.com/lathiat/avahi/releases/download/v${PV}/avahi-${PV}.tar.gz \
+           file://fix-CVE-2017-6519.patch \
+           "
 UPSTREAM_CHECK_URI = "https://github.com/lathiat/avahi/releases/"
 SRC_URI[md5sum] = "d76c59d0882ac6c256d70a2a585362a6"
diff --git a/meta/recipes-connectivity/avahi/files/fix-CVE-2017-6519.patch b/meta/recipes-connectivity/avahi/files/fix-CVE-2017-6519.patch
new file mode 100644
index 0000000000..7461fe193d
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/fix-CVE-2017-6519.patch
@@ -0,0 +1,48 @@
+Upstream-Status: Backport [https://github.com/lathiat/avahi/commit/e111def]
+CVE: CVE-2017-6519
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+From e111def44a7df4624a4aa3f85fe98054bffb6b4f Mon Sep 17 00:00:00 2001
+From: Trent Lloyd <trent@lloyd.id.au>
+Date: Sat, 22 Dec 2018 09:06:07 +0800
+Subject: [PATCH] Drop legacy unicast queries from address not on local link
+When handling legacy unicast queries, ensure that the source IP is
+inside a subnet on the local link, otherwise drop the packet.
+Fixes #145
+Fixes #203
+CVE-2017-6519
+CVE-2018-1000845
+---
+ avahi-core/server.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+diff --git a/avahi-core/server.c b/avahi-core/server.c
+index a2cb19a8..a2580e38 100644
+--- a/avahi-core/server.c
+++ b/avahi-core/server.c
+@@ -930,6 +930,7 @@ static void dispatch_packet(AvahiServer *s, AvahiDnsPacket *p, const AvahiAddres
+ 
+     if (avahi_dns_packet_is_query(p)) {
+         int legacy_unicast = 0;
+        char t[AVAHI_ADDRESS_STR_MAX];
+ 
+         /* For queries EDNS0 might allow ARCOUNT != 0. We ignore the
+          * AR section completely here, so far. Until the day we add
+@@ -947,6 +948,13 @@ static void dispatch_packet(AvahiServer *s, AvahiDnsPacket *p, const AvahiAddres
+             legacy_unicast = 1;
+         }
+ 
+        if (!is_mdns_mcast_address(dst_address) &&
+            !avahi_interface_address_on_link(i, src_address)) {
+
+            avahi_log_debug("Received non-local unicast query from host %s on interface '%s.%i'.", avahi_address_snprint(t, sizeof(t), src_address), i->hardware->name, i->protocol);
+            return;
+        }
+
+         if (legacy_unicast)
+             reflect_legacy_unicast_query_packet(s, p, i, src_address, port);
+
author	Kai Kang <kai.kang@windriver.com>	2019-04-02 03:44:26 -0400
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-04-03 14:50:13 +0100
commit	be07743960fb4a0ddf1c79c1c63d5787b1fda08e (patch)
tree	86d6d797bdca5475af5a3fd5f84e0cadfaeec2c1 /meta/recipes-connectivity/avahi
parent	6334737a782cc81c28e168ed24e566d35752a5a2 (diff)
download	poky-be07743960fb4a0ddf1c79c1c63d5787b1fda08e.tar.gz

diff --git a/meta/recipes-connectivity/avahi/avahi.inc b/meta/recipes-connectivity/avahi/avahi.inc index 11846849f0..8339e451f5 100644 --- a/meta/recipes-connectivity/avahi/avahi.inc +++ b/meta/recipes-connectivity/avahi/avahi.inc
@@ -19,7 +19,9 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=2d5025d4aa3495befef8f17206a5b0a1 \
19	file://avahi-daemon/main.c;endline=21;md5=9ee77368c5407af77caaef1b07285969 \	19	file://avahi-daemon/main.c;endline=21;md5=9ee77368c5407af77caaef1b07285969 \
20	file://avahi-client/client.h;endline=23;md5=f4ac741a25c4f434039ba3e18c8674cf"	20	file://avahi-client/client.h;endline=23;md5=f4ac741a25c4f434039ba3e18c8674cf"
21		21
22	SRC_URI = "https://github.com/lathiat/avahi/releases/download/v${PV}/avahi-${PV}.tar.gz"	22	SRC_URI = "https://github.com/lathiat/avahi/releases/download/v${PV}/avahi-${PV}.tar.gz \
		23	file://fix-CVE-2017-6519.patch \
		24	"
23		25
24	UPSTREAM_CHECK_URI = "https://github.com/lathiat/avahi/releases/"	26	UPSTREAM_CHECK_URI = "https://github.com/lathiat/avahi/releases/"
25	SRC_URI[md5sum] = "d76c59d0882ac6c256d70a2a585362a6"	27	SRC_URI[md5sum] = "d76c59d0882ac6c256d70a2a585362a6"


diff --git a/meta/recipes-connectivity/avahi/files/fix-CVE-2017-6519.patch b/meta/recipes-connectivity/avahi/files/fix-CVE-2017-6519.patch new file mode 100644 index 0000000000..7461fe193d --- /dev/null +++ b/meta/recipes-connectivity/avahi/files/fix-CVE-2017-6519.patch
@@ -0,0 +1,48 @@
		1	Upstream-Status: Backport [https://github.com/lathiat/avahi/commit/e111def]
		2
		3	CVE: CVE-2017-6519
		4
		5	Signed-off-by: Kai Kang <kai.kang@windriver.com>
		6
		7	From e111def44a7df4624a4aa3f85fe98054bffb6b4f Mon Sep 17 00:00:00 2001
		8	From: Trent Lloyd <trent@lloyd.id.au>
		9	Date: Sat, 22 Dec 2018 09:06:07 +0800
		10	Subject: [PATCH] Drop legacy unicast queries from address not on local link
		11
		12	When handling legacy unicast queries, ensure that the source IP is
		13	inside a subnet on the local link, otherwise drop the packet.
		14
		15	Fixes #145
		16	Fixes #203
		17	CVE-2017-6519
		18	CVE-2018-1000845
		19	---
		20	avahi-core/server.c \| 8 ++++++++
		21	1 file changed, 8 insertions(+)
		22
		23	diff --git a/avahi-core/server.c b/avahi-core/server.c
		24	index a2cb19a8..a2580e38 100644
		25	--- a/avahi-core/server.c
		26	+++ b/avahi-core/server.c
		27	@@ -930,6 +930,7 @@ static void dispatch_packet(AvahiServer s, AvahiDnsPacket p, const AvahiAddres
		28
		29	if (avahi_dns_packet_is_query(p)) {
		30	int legacy_unicast = 0;
		31	+ char t[AVAHI_ADDRESS_STR_MAX];
		32
		33	/* For queries EDNS0 might allow ARCOUNT != 0. We ignore the
		34	* AR section completely here, so far. Until the day we add
		35	@@ -947,6 +948,13 @@ static void dispatch_packet(AvahiServer s, AvahiDnsPacket p, const AvahiAddres
		36	legacy_unicast = 1;
		37	}
		38
		39	+ if (!is_mdns_mcast_address(dst_address) &&
		40	+ !avahi_interface_address_on_link(i, src_address)) {
		41	+
		42	+ avahi_log_debug("Received non-local unicast query from host %s on interface '%s.%i'.", avahi_address_snprint(t, sizeof(t), src_address), i->hardware->name, i->protocol);
		43	+ return;
		44	+ }
		45	+
		46	if (legacy_unicast)
		47	reflect_legacy_unicast_query_packet(s, p, i, src_address, port);
		48