1 files changed, 109 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch
new file mode 100644
index 0000000000..59f6806c85
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch
@@ -0,0 +1,109 @@
+From b448c9f771bada14ae8de175695a9729f8646797 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar <msekleta@redhat.com>
+Date: Wed, 11 Oct 2023 17:45:44 +0200
+Subject: [PATCH] common: derive alternative host name from its unescaped
+ version
+Normalization of input makes sure we don't have to deal with special
+cases like unescaped dot at the end of label.
+Fixes #451 #487
+CVE-2023-38473
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38473.patch?h=ubuntu/focal-security
+Upstream commit https://github.com/lathiat/avahi/commit/b448c9f771bada14ae8de175695a9729f8646797]
+CVE: CVE-2023-38473
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ avahi-common/alternative-test.c |  3 +++
+ avahi-common/alternative.c      | 27 +++++++++++++++++++--------
+ 2 files changed, 22 insertions(+), 8 deletions(-)
+Index: avahi-0.7/avahi-common/alternative-test.c
+===================================================================
+--- avahi-0.7.orig/avahi-common/alternative-test.c
+++ avahi-0.7/avahi-common/alternative-test.c
+@@ -31,6 +31,9 @@ int main(AVAHI_GCC_UNUSED int argc, AVAH
+     const char* const test_strings[] = {
+         "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
+         "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXüüüüüüü",
+        ").",
+        "\\.",
+        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\\\",
+         "gurke",
+         "-",
+         " #",
+Index: avahi-0.7/avahi-common/alternative.c
+===================================================================
+--- avahi-0.7.orig/avahi-common/alternative.c
+++ avahi-0.7/avahi-common/alternative.c
+@@ -49,15 +49,20 @@ static void drop_incomplete_utf8(char *c
+ }
+ 
+ char *avahi_alternative_host_name(const char *s) {
+    char label[AVAHI_LABEL_MAX], alternative[AVAHI_LABEL_MAX*4+1];
+    char *alt, *r, *ret;
+     const char *e;
+-    char *r;
+    size_t len;
+ 
+     assert(s);
+ 
+     if (!avahi_is_valid_host_name(s))
+         return NULL;
+ 
+-    if ((e = strrchr(s, '-'))) {
+    if (!avahi_unescape_label(&s, label, sizeof(label)))
+        return NULL;
+
+    if ((e = strrchr(label, '-'))) {
+         const char *p;
+ 
+         e++;
+@@ -74,19 +79,18 @@ char *avahi_alternative_host_name(const
+ 
+     if (e) {
+         char *c, *m;
+-        size_t l;
+         int n;
+ 
+         n = atoi(e)+1;
+         if (!(m = avahi_strdup_printf("%i", n)))
+             return NULL;
+ 
+-        l = e-s-1;
+        len = e-label-1;
+ 
+-        if (l >= AVAHI_LABEL_MAX-1-strlen(m)-1)
+-            l = AVAHI_LABEL_MAX-1-strlen(m)-1;
+        if (len >= AVAHI_LABEL_MAX-1-strlen(m)-1)
+            len = AVAHI_LABEL_MAX-1-strlen(m)-1;
+ 
+-        if (!(c = avahi_strndup(s, l))) {
+        if (!(c = avahi_strndup(label, len))) {
+             avahi_free(m);
+             return NULL;
+         }
+@@ -100,7 +104,7 @@ char *avahi_alternative_host_name(const
+     } else {
+         char *c;
+ 
+-        if (!(c = avahi_strndup(s, AVAHI_LABEL_MAX-1-2)))
+        if (!(c = avahi_strndup(label, AVAHI_LABEL_MAX-1-2)))
+             return NULL;
+ 
+         drop_incomplete_utf8(c);
+@@ -109,6 +113,13 @@ char *avahi_alternative_host_name(const
+         avahi_free(c);
+     }
+ 
+    alt = alternative;
+    len = sizeof(alternative);
+    ret = avahi_escape_label(r, strlen(r), &alt, &len);
+
+    avahi_free(r);
+    r = avahi_strdup(ret);
+
+     assert(avahi_is_valid_host_name(r));
+ 
+     return r;

diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch new file mode 100644 index 0000000000..59f6806c85 --- /dev/null +++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch
@@ -0,0 +1,109 @@
	1	From b448c9f771bada14ae8de175695a9729f8646797 Mon Sep 17 00:00:00 2001
	2	From: Michal Sekletar <msekleta@redhat.com>
	3	Date: Wed, 11 Oct 2023 17:45:44 +0200
	4	Subject: [PATCH] common: derive alternative host name from its unescaped
	5	version
	6
	7	Normalization of input makes sure we don't have to deal with special
	8	cases like unescaped dot at the end of label.
	9
	10	Fixes #451 #487
	11	CVE-2023-38473
	12
	13	Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38473.patch?h=ubuntu/focal-security
	14	Upstream commit https://github.com/lathiat/avahi/commit/b448c9f771bada14ae8de175695a9729f8646797]
	15	CVE: CVE-2023-38473
	16	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
	17	---
	18	avahi-common/alternative-test.c \| 3 +++
	19	avahi-common/alternative.c \| 27 +++++++++++++++++++--------
	20	2 files changed, 22 insertions(+), 8 deletions(-)
	21
	22	Index: avahi-0.7/avahi-common/alternative-test.c
	23	===================================================================
	24	--- avahi-0.7.orig/avahi-common/alternative-test.c
	25	+++ avahi-0.7/avahi-common/alternative-test.c
	26	@@ -31,6 +31,9 @@ int main(AVAHI_GCC_UNUSED int argc, AVAH
	27	const char* const test_strings[] = {
	28	"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
	29	"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXüüüüüüü",
	30	+ ").",
	31	+ "\\.",
	32	+ "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\\\",
	33	"gurke",
	34	"-",
	35	" #",
	36	Index: avahi-0.7/avahi-common/alternative.c
	37	===================================================================
	38	--- avahi-0.7.orig/avahi-common/alternative.c
	39	+++ avahi-0.7/avahi-common/alternative.c
	40	@@ -49,15 +49,20 @@ static void drop_incomplete_utf8(char *c
	41	}
	42
	43	char avahi_alternative_host_name(const char s) {
	44	+ char label[AVAHI_LABEL_MAX], alternative[AVAHI_LABEL_MAX*4+1];
	45	+ char alt, r, *ret;
	46	const char *e;
	47	- char *r;
	48	+ size_t len;
	49
	50	assert(s);
	51
	52	if (!avahi_is_valid_host_name(s))
	53	return NULL;
	54
	55	- if ((e = strrchr(s, '-'))) {
	56	+ if (!avahi_unescape_label(&s, label, sizeof(label)))
	57	+ return NULL;
	58	+
	59	+ if ((e = strrchr(label, '-'))) {
	60	const char *p;
	61
	62	e++;
	63	@@ -74,19 +79,18 @@ char *avahi_alternative_host_name(const
	64
	65	if (e) {
	66	char c, m;
	67	- size_t l;
	68	int n;
	69
	70	n = atoi(e)+1;
	71	if (!(m = avahi_strdup_printf("%i", n)))
	72	return NULL;
	73
	74	- l = e-s-1;
	75	+ len = e-label-1;
	76
	77	- if (l >= AVAHI_LABEL_MAX-1-strlen(m)-1)
	78	- l = AVAHI_LABEL_MAX-1-strlen(m)-1;
	79	+ if (len >= AVAHI_LABEL_MAX-1-strlen(m)-1)
	80	+ len = AVAHI_LABEL_MAX-1-strlen(m)-1;
	81
	82	- if (!(c = avahi_strndup(s, l))) {
	83	+ if (!(c = avahi_strndup(label, len))) {
	84	avahi_free(m);
	85	return NULL;
	86	}
	87	@@ -100,7 +104,7 @@ char *avahi_alternative_host_name(const
	88	} else {
	89	char *c;
	90
	91	- if (!(c = avahi_strndup(s, AVAHI_LABEL_MAX-1-2)))
	92	+ if (!(c = avahi_strndup(label, AVAHI_LABEL_MAX-1-2)))
	93	return NULL;
	94
	95	drop_incomplete_utf8(c);
	96	@@ -109,6 +113,13 @@ char *avahi_alternative_host_name(const
	97	avahi_free(c);
	98	}
	99
	100	+ alt = alternative;
	101	+ len = sizeof(alternative);
	102	+ ret = avahi_escape_label(r, strlen(r), &alt, &len);
	103	+
	104	+ avahi_free(r);
	105	+ r = avahi_strdup(ret);
	106	+
	107	assert(avahi_is_valid_host_name(r));
	108
	109	return r;