diff options
Diffstat (limited to 'meta/recipes-connectivity/avahi/files/CVE-2023-38471-1.patch')
-rw-r--r-- | meta/recipes-connectivity/avahi/files/CVE-2023-38471-1.patch | 73 |
1 files changed, 73 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38471-1.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38471-1.patch new file mode 100644 index 0000000000..c8d6a66174 --- /dev/null +++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38471-1.patch | |||
@@ -0,0 +1,73 @@ | |||
1 | From 894f085f402e023a98cbb6f5a3d117bd88d93b09 Mon Sep 17 00:00:00 2001 | ||
2 | From: Michal Sekletar <msekleta@redhat.com> | ||
3 | Date: Mon, 23 Oct 2023 13:38:35 +0200 | ||
4 | Subject: [PATCH] core: extract host name using avahi_unescape_label() | ||
5 | |||
6 | Previously we could create invalid escape sequence when we split the | ||
7 | string on dot. For example, from valid host name "foo\\.bar" we have | ||
8 | created invalid name "foo\\" and tried to set that as the host name | ||
9 | which crashed the daemon. | ||
10 | |||
11 | Fixes #453 | ||
12 | |||
13 | CVE-2023-38471 | ||
14 | |||
15 | Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38471-1.patch?h=ubuntu/focal-security | ||
16 | Upstream commit https://github.com/lathiat/avahi/commit/894f085f402e023a98cbb6f5a3d117bd88d93b09] | ||
17 | CVE: CVE-2023-38471 | ||
18 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
19 | --- | ||
20 | avahi-core/server.c | 27 +++++++++++++++++++++------ | ||
21 | 1 file changed, 21 insertions(+), 6 deletions(-) | ||
22 | |||
23 | Index: avahi-0.7/avahi-core/server.c | ||
24 | =================================================================== | ||
25 | --- avahi-0.7.orig/avahi-core/server.c | ||
26 | +++ avahi-0.7/avahi-core/server.c | ||
27 | @@ -1253,7 +1253,11 @@ static void update_fqdn(AvahiServer *s) | ||
28 | } | ||
29 | |||
30 | int avahi_server_set_host_name(AvahiServer *s, const char *host_name) { | ||
31 | - char *hn = NULL; | ||
32 | + char label_escaped[AVAHI_LABEL_MAX*4+1]; | ||
33 | + char label[AVAHI_LABEL_MAX]; | ||
34 | + char *hn = NULL, *h; | ||
35 | + size_t len; | ||
36 | + | ||
37 | assert(s); | ||
38 | |||
39 | AVAHI_CHECK_VALIDITY(s, !host_name || avahi_is_valid_host_name(host_name), AVAHI_ERR_INVALID_HOST_NAME); | ||
40 | @@ -1263,17 +1267,28 @@ int avahi_server_set_host_name(AvahiServ | ||
41 | else | ||
42 | hn = avahi_normalize_name_strdup(host_name); | ||
43 | |||
44 | - hn[strcspn(hn, ".")] = 0; | ||
45 | + h = hn; | ||
46 | + if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) { | ||
47 | + avahi_free(h); | ||
48 | + return AVAHI_ERR_INVALID_HOST_NAME; | ||
49 | + } | ||
50 | + | ||
51 | + avahi_free(h); | ||
52 | |||
53 | - if (avahi_domain_equal(s->host_name, hn) && s->state != AVAHI_SERVER_COLLISION) { | ||
54 | - avahi_free(hn); | ||
55 | + h = label_escaped; | ||
56 | + len = sizeof(label_escaped); | ||
57 | + if (!avahi_escape_label(label, strlen(label), &h, &len)) | ||
58 | + return AVAHI_ERR_INVALID_HOST_NAME; | ||
59 | + | ||
60 | + if (avahi_domain_equal(s->host_name, label_escaped) && s->state != AVAHI_SERVER_COLLISION) | ||
61 | return avahi_server_set_errno(s, AVAHI_ERR_NO_CHANGE); | ||
62 | - } | ||
63 | |||
64 | withdraw_host_rrs(s); | ||
65 | |||
66 | avahi_free(s->host_name); | ||
67 | - s->host_name = hn; | ||
68 | + s->host_name = avahi_strdup(label_escaped); | ||
69 | + if (!s->host_name) | ||
70 | + return AVAHI_ERR_NO_MEMORY; | ||
71 | |||
72 | update_fqdn(s); | ||
73 | |||