1 files changed, 73 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38471-1.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38471-1.patch
new file mode 100644
index 0000000000..c8d6a66174
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38471-1.patch
@@ -0,0 +1,73 @@
+From 894f085f402e023a98cbb6f5a3d117bd88d93b09 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar <msekleta@redhat.com>
+Date: Mon, 23 Oct 2023 13:38:35 +0200
+Subject: [PATCH] core: extract host name using avahi_unescape_label()
+Previously we could create invalid escape sequence when we split the
+string on dot. For example, from valid host name "foo\\.bar" we have
+created invalid name "foo\\" and tried to set that as the host name
+which crashed the daemon.
+Fixes #453
+CVE-2023-38471
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38471-1.patch?h=ubuntu/focal-security
+Upstream commit https://github.com/lathiat/avahi/commit/894f085f402e023a98cbb6f5a3d117bd88d93b09]
+CVE: CVE-2023-38471
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ avahi-core/server.c | 27 +++++++++++++++++++++------
+ 1 file changed, 21 insertions(+), 6 deletions(-)
+Index: avahi-0.7/avahi-core/server.c
+===================================================================
+--- avahi-0.7.orig/avahi-core/server.c
+++ avahi-0.7/avahi-core/server.c
+@@ -1253,7 +1253,11 @@ static void update_fqdn(AvahiServer *s)
+ }
+ 
+ int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
+-    char *hn = NULL;
+    char label_escaped[AVAHI_LABEL_MAX*4+1];
+    char label[AVAHI_LABEL_MAX];
+    char *hn = NULL, *h;
+    size_t len;
+
+     assert(s);
+ 
+     AVAHI_CHECK_VALIDITY(s, !host_name || avahi_is_valid_host_name(host_name), AVAHI_ERR_INVALID_HOST_NAME);
+@@ -1263,17 +1267,28 @@ int avahi_server_set_host_name(AvahiServ
+     else
+         hn = avahi_normalize_name_strdup(host_name);
+ 
+-    hn[strcspn(hn, ".")] = 0;
+    h = hn;
+    if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) {
+        avahi_free(h);
+        return AVAHI_ERR_INVALID_HOST_NAME;
+    }
+
+    avahi_free(h);
+ 
+-    if (avahi_domain_equal(s->host_name, hn) && s->state != AVAHI_SERVER_COLLISION) {
+-        avahi_free(hn);
+    h = label_escaped;
+    len = sizeof(label_escaped);
+    if (!avahi_escape_label(label, strlen(label), &h, &len))
+        return AVAHI_ERR_INVALID_HOST_NAME;
+
+    if (avahi_domain_equal(s->host_name, label_escaped) && s->state != AVAHI_SERVER_COLLISION)
+         return avahi_server_set_errno(s, AVAHI_ERR_NO_CHANGE);
+-    }
+ 
+     withdraw_host_rrs(s);
+ 
+     avahi_free(s->host_name);
+-    s->host_name = hn;
+    s->host_name = avahi_strdup(label_escaped);
+    if (!s->host_name)
+        return AVAHI_ERR_NO_MEMORY;
+ 
+     update_fqdn(s);
+

diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38471-1.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38471-1.patch new file mode 100644 index 0000000000..c8d6a66174 --- /dev/null +++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38471-1.patch
@@ -0,0 +1,73 @@
	1	From 894f085f402e023a98cbb6f5a3d117bd88d93b09 Mon Sep 17 00:00:00 2001
	2	From: Michal Sekletar <msekleta@redhat.com>
	3	Date: Mon, 23 Oct 2023 13:38:35 +0200
	4	Subject: [PATCH] core: extract host name using avahi_unescape_label()
	5
	6	Previously we could create invalid escape sequence when we split the
	7	string on dot. For example, from valid host name "foo\\.bar" we have
	8	created invalid name "foo\\" and tried to set that as the host name
	9	which crashed the daemon.
	10
	11	Fixes #453
	12
	13	CVE-2023-38471
	14
	15	Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38471-1.patch?h=ubuntu/focal-security
	16	Upstream commit https://github.com/lathiat/avahi/commit/894f085f402e023a98cbb6f5a3d117bd88d93b09]
	17	CVE: CVE-2023-38471
	18	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
	19	---
	20	avahi-core/server.c \| 27 +++++++++++++++++++++------
	21	1 file changed, 21 insertions(+), 6 deletions(-)
	22
	23	Index: avahi-0.7/avahi-core/server.c
	24	===================================================================
	25	--- avahi-0.7.orig/avahi-core/server.c
	26	+++ avahi-0.7/avahi-core/server.c
	27	@@ -1253,7 +1253,11 @@ static void update_fqdn(AvahiServer *s)
	28	}
	29
	30	int avahi_server_set_host_name(AvahiServer s, const char host_name) {
	31	- char *hn = NULL;
	32	+ char label_escaped[AVAHI_LABEL_MAX*4+1];
	33	+ char label[AVAHI_LABEL_MAX];
	34	+ char hn = NULL, h;
	35	+ size_t len;
	36	+
	37	assert(s);
	38
	39	AVAHI_CHECK_VALIDITY(s, !host_name \|\| avahi_is_valid_host_name(host_name), AVAHI_ERR_INVALID_HOST_NAME);
	40	@@ -1263,17 +1267,28 @@ int avahi_server_set_host_name(AvahiServ
	41	else
	42	hn = avahi_normalize_name_strdup(host_name);
	43
	44	- hn[strcspn(hn, ".")] = 0;
	45	+ h = hn;
	46	+ if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) {
	47	+ avahi_free(h);
	48	+ return AVAHI_ERR_INVALID_HOST_NAME;
	49	+ }
	50	+
	51	+ avahi_free(h);
	52
	53	- if (avahi_domain_equal(s->host_name, hn) && s->state != AVAHI_SERVER_COLLISION) {
	54	- avahi_free(hn);
	55	+ h = label_escaped;
	56	+ len = sizeof(label_escaped);
	57	+ if (!avahi_escape_label(label, strlen(label), &h, &len))
	58	+ return AVAHI_ERR_INVALID_HOST_NAME;
	59	+
	60	+ if (avahi_domain_equal(s->host_name, label_escaped) && s->state != AVAHI_SERVER_COLLISION)
	61	return avahi_server_set_errno(s, AVAHI_ERR_NO_CHANGE);
	62	- }
	63
	64	withdraw_host_rrs(s);
	65
	66	avahi_free(s->host_name);
	67	- s->host_name = hn;
	68	+ s->host_name = avahi_strdup(label_escaped);
	69	+ if (!s->host_name)
	70	+ return AVAHI_ERR_NO_MEMORY;
	71
	72	update_fqdn(s);
	73