8 files changed, 148 insertions, 215 deletions
diff --git a/meta/recipes-connectivity/connman/connman/0001-connman.service-stop-systemd-networkd-when-using-con.patch b/meta/recipes-connectivity/connman/connman/0001-connman.service-stop-systemd-networkd-when-using-con.patch
deleted file mode 100644
index dd012750a4..0000000000
--- a/meta/recipes-connectivity/connman/connman/0001-connman.service-stop-systemd-networkd-when-using-con.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 9fea099d0a3ece37d80ad70d32ebb8a93f8f3280 Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@windriver.com>
-Date: Fri, 30 Oct 2020 13:48:45 +0800
-Subject: [PATCH] connman.service: stop systemd-networkd when using connman
-Stop systemd-networkd service when we use connman as network manager.
-Upstream-Status: Inappropriate [configuration]
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
- src/connman.service.in | 1 +
- 1 file changed, 1 insertion(+)
-diff --git a/src/connman.service.in b/src/connman.service.in
-index 79e75d6..014eafe 100644
--- a/src/connman.service.in
-+++ b/src/connman.service.in
-@@ -6,6 +6,7 @@ RequiresMountsFor=@localstatedir@/lib/connman
- After=dbus.service network-pre.target systemd-sysusers.service
- Before=network.target multi-user.target shutdown.target
- Wants=network.target
-+Conflicts=systemd-networkd.service systemd-networkd.socket
- Conflicts=systemd-resolved.service
- 
- [Service]
-- 
-2.17.1
diff --git a/meta/recipes-connectivity/connman/connman/0001-connman.service-stop-systemd-resolved-when-we-use-co.patch b/meta/recipes-connectivity/connman/connman/0001-connman.service-stop-systemd-resolved-when-we-use-co.patch
deleted file mode 100644
index 8e2e0bd02d..0000000000
--- a/meta/recipes-connectivity/connman/connman/0001-connman.service-stop-systemd-resolved-when-we-use-co.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 9f70b94ebf18f52c115634642652830fa77f27a1 Mon Sep 17 00:00:00 2001
-From: "Maxin B. John" <maxin.john@intel.com>
-Date: Mon, 12 Jun 2017 16:52:39 +0300
-Subject: [PATCH] connman.service: stop systemd-resolved when we use connman
-Stop systemd-resolved service when we use connman as network manager.
-Upstream-Status: Inappropriate [configuration]
-Signed-off-by: Maxin B. John <maxin.john@intel.com>
---
- src/connman.service.in | 1 +
- 1 file changed, 1 insertion(+)
-diff --git a/src/connman.service.in b/src/connman.service.in
-index 9f5c10f..dab48bc 100644
--- a/src/connman.service.in
-+++ b/src/connman.service.in
-@@ -6,6 +6,7 @@ RequiresMountsFor=@localstatedir@/lib/connman
- After=dbus.service network-pre.target systemd-sysusers.service
- Before=network.target multi-user.target shutdown.target
- Wants=network.target
-+Conflicts=systemd-resolved.service
- 
- [Service]
- Type=dbus
-- 
-2.4.0
diff --git a/meta/recipes-connectivity/connman/connman/0001-plugin.h-Change-visibility-to-default-for-debug-symb.patch b/meta/recipes-connectivity/connman/connman/0001-plugin.h-Change-visibility-to-default-for-debug-symb.patch
deleted file mode 100644
index e6f03e632e..0000000000
--- a/meta/recipes-connectivity/connman/connman/0001-plugin.h-Change-visibility-to-default-for-debug-symb.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 4ddaf78dad5a9ee4a0658235f71b75132192123e Mon Sep 17 00:00:00 2001
-From: Khem Raj <raj.khem@gmail.com>
-Date: Sat, 7 Apr 2012 18:52:12 -0700
-Subject: [PATCH] plugin.h: Change visibility to default for debug symbols
-gold refuses to link in undefined weak symbols which
-have hidden visibility
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
-Upstream-Status: Pending
---
- include/plugin.h |    4 ++--
- 1 files changed, 2 insertions(+), 2 deletions(-)
-diff --git a/include/plugin.h b/include/plugin.h
-index 692a4e5..a9361c3 100644
--- a/include/plugin.h
-+++ b/include/plugin.h
-@@ -89,9 +89,9 @@ struct connman_plugin_desc {
- #else
- #define CONNMAN_PLUGIN_DEFINE(name, description, version, priority, init, exit) \
-                extern struct connman_debug_desc __start___debug[] \
-                               __attribute__ ((weak, visibility("hidden"))); \
-+                               __attribute__ ((weak, visibility("default"))); \
-                extern struct connman_debug_desc __stop___debug[] \
-                               __attribute__ ((weak, visibility("hidden"))); \
-+                               __attribute__ ((weak, visibility("default"))); \
-                extern struct connman_plugin_desc connman_plugin_desc \
-                                __attribute__ ((visibility("default"))); \
-                struct connman_plugin_desc connman_plugin_desc = { \
-- 
-1.7.5.4
diff --git a/meta/recipes-connectivity/connman/connman/0002-resolve-musl-does-not-implement-res_ninit.patch b/meta/recipes-connectivity/connman/connman/0002-resolve-musl-does-not-implement-res_ninit.patch
index 942b9c97b6..2c612039ee 100644
--- a/meta/recipes-connectivity/connman/connman/0002-resolve-musl-does-not-implement-res_ninit.patch
+++ b/meta/recipes-connectivity/connman/connman/0002-resolve-musl-does-not-implement-res_ninit.patch
@@ -1,83 +1,85 @@
-From c7734e1547db967eccf242fe4b9e8a30b9ff141c Mon Sep 17 00:00:00 2001
+From 4e726a5aaa75d60fab6a56bc37dbec48be53ff79 Mon Sep 17 00:00:00 2001
 From: Khem Raj <raj.khem@gmail.com>
 Date: Mon, 6 Apr 2015 23:02:21 -0700
-Subject: [PATCH] resolve: musl does not implement res_ninit
+Subject: [PATCH] gweb/gresolv.c: make use of res_ninit optional and subject to
+ __RES
-ported from
+Not all libc implementation have those functions, and the way to determine
+if they do is to check __RES which is explained in resolv.h thusly:
+/*
+ * Revision information.  This is the release date in YYYYMMDD format.
+ * It can change every day so the right thing to do with it is use it
+ * in preprocessor commands such as "#if (__RES > 19931104)".  Do not
+ * compare for equality; rather, use it to determine whether your resolver
+ * is new enough to contain a certain feature.
+ */
+Indeed, it needs to be at least 19991006.
+The portion of the patch that implements a fallback is ported from
+Alpine Linux:
 http://git.alpinelinux.org/cgit/aports/plain/testing/connman/libresolv.patch
-Upstream-Status: Pending
+Upstream-Status: Submitted [to connman@lists.linux.dev,marcel@holtmann.org]
 Signed-off-by: Khem Raj <raj.khem@gmail.com>
 ---
- gweb/gresolv.c | 34 +++++++++++++---------------------
+ gweb/gresolv.c | 21 +++++++++++++++++++++
- 1 file changed, 13 insertions(+), 21 deletions(-)
+ 1 file changed, 21 insertions(+)
 diff --git a/gweb/gresolv.c b/gweb/gresolv.c
-index 38a554e..a9e8740 100644
+index 8101d71..9f1477c 100644
 --- a/gweb/gresolv.c
 +++ b/gweb/gresolv.c
-@@ -36,6 +36,7 @@
+@@ -879,7 +879,9 @@ GResolv *g_resolv_new(int index)
- #include <arpa/inet.h>
- #include <arpa/nameser.h>
- #include <net/if.h>
-+#include <ctype.h>
- 
- #include "gresolv.h"
- 
-@@ -877,8 +878,6 @@ GResolv *g_resolv_new(int index)
        resolv->index = index;
        resolv->nameserver_list = NULL;
 
-       res_ninit(&resolv->res);
+#if (__RES >= 19991006)
-
+        res_ninit(&resolv->res);
+#endif
+ 
        return resolv;
 }
- 
+@@ -920,7 +922,9 @@ void g_resolv_unref(GResolv *resolv)
-@@ -918,8 +917,6 @@ void g_resolv_unref(GResolv *resolv)
 
        flush_nameservers(resolv);
 
-       res_nclose(&resolv->res);
+#if (__RES >= 19991006)
-
+        res_nclose(&resolv->res);
+#endif
+ 
        g_free(resolv);
 }
- 
+@@ -1024,6 +1028,7 @@ guint g_resolv_lookup_hostname(GResolv *resolv, const char *hostname,
-@@ -1022,24 +1019,19 @@ guint g_resolv_lookup_hostname(GResolv *resolv, const char *hostname,
        debug(resolv, "hostname %s", hostname);
 
        if (!resolv->nameserver_list) {
-               int i;
+#if (__RES >= 19991006)
-
+                int i;
-               for (i = 0; i < resolv->res.nscount; i++) {
+ 
-                       char buf[100];
+                for (i = 0; i < resolv->res.nscount; i++) {
-                       int family = resolv->res.nsaddr_list[i].sin_family;
+@@ -1043,6 +1048,22 @@ guint g_resolv_lookup_hostname(GResolv *resolv, const char *hostname,
-                       void *sa_addr = &resolv->res.nsaddr_list[i].sin_addr;
+                        if (inet_ntop(family, sa_addr, buf, sizeof(buf)))
-
+                                g_resolv_add_nameserver(resolv, buf, 53, 0);
-                       if (family != AF_INET &&
-                                       resolv->res._u._ext.nsaddrs[i]) {
-                               family = AF_INET6;
-                               sa_addr = &resolv->res._u._ext.nsaddrs[i]->sin6_addr;
-+               FILE *f = fopen("/etc/resolv.conf", "r");
-+               if (f) {
-+                       char line[256], *s;
-+                       int i;
-+                       while (fgets(line, sizeof(line), f)) {
-+                               if (strncmp(line, "nameserver", 10) || !isspace(line[10]))
-+                                       continue;
-+                               for (s = &line[11]; isspace(s[0]); s++);
-+                               for (i = 0; s[i] && !isspace(s[i]); i++);
-+                               s[i] = 0;
-+                               g_resolv_add_nameserver(resolv, s, 53, 0);
-                        }
-
-                       if (family != AF_INET && family != AF_INET6)
-                               continue;
-
-                       if (inet_ntop(family, sa_addr, buf, sizeof(buf)))
-                               g_resolv_add_nameserver(resolv, buf, 53, 0);
-+                       fclose(f);
                }
+#else
+                FILE *f = fopen("/etc/resolv.conf", "r");
+                if (f) {
+                        char line[256], *s;
+                        int i;
+                        while (fgets(line, sizeof(line), f)) {
+                                if (strncmp(line, "nameserver", 10) || !isspace(line[10]))
+                                        continue;
+                                for (s = &line[11]; isspace(s[0]); s++);
+                                for (i = 0; s[i] && !isspace(s[i]); i++);
+                                s[i] = 0;
+                                g_resolv_add_nameserver(resolv, s, 53, 0);
+                        }
+                        fclose(f);
+                }
+#endif
 
                if (!resolv->nameserver_list)
+                        g_resolv_add_nameserver(resolv, "127.0.0.1", 53, 0);
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2025-32366.patch b/meta/recipes-connectivity/connman/connman/CVE-2025-32366.patch
new file mode 100644
index 0000000000..62f07e707a
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2025-32366.patch
@@ -0,0 +1,41 @@
+From 8d3be0285f1d4667bfe85dba555c663eb3d704b4 Mon Sep 17 00:00:00 2001
+From: Yoonje Shin <ioerts@kookmin.ac.kr>
+Date: Mon, 12 May 2025 10:48:18 +0200
+Subject: [PATCH] dnsproxy: Address CVE-2025-32366 vulnerability
+In Connman parse_rr in dnsproxy.c has a memcpy length
+that depends on an RR RDLENGTH value (i.e., *rdlen=ntohs(rr->rdlen)
+and memcpy(response+offset,*end,*rdlen)). Here, rdlen may be larger
+than the amount of remaining packet data in the current state of
+parsing. As a result, values of stack memory locations may be sent
+over the network in a response.
+This patch adds a check to ensure that (*end + *rdlen) does not exceed
+the valid range. If the condition is violated, the function returns
+-EINVAL.
+CVE: CVE-2025-32366
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=8d3be0285f1d4667bfe85dba555c663eb3d704b4]
+Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
+---
+ src/dnsproxy.c | 3 +++
+ 1 file changed, 3 insertions(+)
+diff --git a/src/dnsproxy.c b/src/dnsproxy.c
+index 7ee26d9..1dd2f7f 100644
+--- a/src/dnsproxy.c
+++ b/src/dnsproxy.c
+@@ -998,6 +998,9 @@ static int parse_rr(const unsigned char *buf, const unsigned char *start,
+        if ((offset + *rdlen) > *response_size)
+                return -ENOBUFS;
+       if ((*end + *rdlen) > max)
+               return -EINVAL;
+
+        memcpy(response + offset, *end, *rdlen);
+        *end += *rdlen;
+--
+2.40.0
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2025-32743.patch b/meta/recipes-connectivity/connman/connman/CVE-2025-32743.patch
new file mode 100644
index 0000000000..c114589679
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2025-32743.patch
@@ -0,0 +1,48 @@
+From d90b911f6760959bdf1393c39fe8d1118315490f Mon Sep 17 00:00:00 2001
+From: Praveen Kumar <praveen.kumar@windriver.com>
+Date: Thu, 24 Apr 2025 11:39:29 +0000
+Subject: [PATCH] dnsproxy: Fix NULL/empty lookup causing potential crash
+In ConnMan through 1.44, the lookup string in ns_resolv in dnsproxy.c
+can be NULL or an empty string when the TC (Truncated) bit is set in
+a DNS response. This allows attackers to cause a denial of service
+(application crash) or possibly execute arbitrary code, because those
+lookup values lead to incorrect length calculations and incorrect
+memcpy operations.
+This patch includes a check to make sure loookup value is valid before
+using it. This helps avoid unexpected value when the input is empty or
+incorrect.
+Fixes: CVE-2025-32743
+CVE: CVE-2025-32743
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d90b911f6760959bdf1393c39fe8d1118315490f]
+Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
+---
+ src/dnsproxy.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+diff --git a/src/dnsproxy.c b/src/dnsproxy.c
+index f28a5d7..7ee26d9 100644
+--- a/src/dnsproxy.c
+++ b/src/dnsproxy.c
+@@ -1685,8 +1685,13 @@ static int ns_resolv(struct server_data *server, struct request_data *req,
+                                gpointer request, gpointer name)
+ {
+        int sk = -1;
+       int err;
+        const char *lookup = (const char *)name;
+-       int err = ns_try_resolv_from_cache(req, request, lookup);
+
+       if (!lookup || strlen(lookup) == 0)
+               return -EINVAL;
+
+       err = ns_try_resolv_from_cache(req, request, lookup);
+        if (err > 0)
+                /* cache hit */
+--
+2.40.0
diff --git a/meta/recipes-connectivity/connman/connman/connman b/meta/recipes-connectivity/connman/connman/connman
index c64fa0d715..adb5d44fed 100644
--- a/meta/recipes-connectivity/connman/connman/connman
+++ b/meta/recipes-connectivity/connman/connman/connman
@@ -10,53 +10,15 @@ fi
 set -e
-nfsroot=0
-exec 9<&0 < /proc/mounts
-while read dev mtpt fstype rest; do
-        if test $mtpt = "/" ; then
-                case $fstype in
-                    nfs | nfs4)
-                        nfsroot=1
-                        break
-                        ;;
-                    *)
-                        ;;
-                esac
-        fi
-done
 do_start() {
-        EXTRA_PARAM=""
-        if test $nfsroot -eq 1 ; then
-            NET_DEVS=`cat /proc/net/dev | sed -ne 's/^\([a-zA-Z0-9 ]*\):.*$/\1/p'`
-            NET_ADDR=`cat /proc/cmdline | sed -ne 's/^.*ip=\([^ :]*\).*$/\1/p'`
-            if [ ! -z "$NET_ADDR" ]; then
-                if [ "$NET_ADDR" = dhcp ]; then
-                    ethn=`ifconfig | grep "^eth" | sed -e "s/\(eth[0-9]\)\(.*\)/\1/"`
-                    if [ ! -z "$ethn" ]; then
-                        EXTRA_PARAM="-I $ethn"
-                    fi
-                else
-                    for i in $NET_DEVS; do
-                        ADDR=`ifconfig $i | sed 's/addr://g' | sed -ne 's/^.*inet \([0-9.]*\) .*$/\1/p'`
-                        if [ "$NET_ADDR" = "$ADDR" ]; then
-                            EXTRA_PARAM="-I $i"
-                            break
-                        fi
-                    done
-                fi
-            fi
-        fi
        if [ -f @DATADIR@/connman/wired-setup ] ; then
                . @DATADIR@/connman/wired-setup
        fi
-        $DAEMON $EXTRA_PARAM
+        $DAEMON
 }
 do_stop() {
-        start-stop-daemon --stop --name connmand --quiet
+        start-stop-daemon --stop --oknodo --name connmand --quiet
 }
 case "$1" in
diff --git a/meta/recipes-connectivity/connman/connman/no-version-scripts.patch b/meta/recipes-connectivity/connman/connman/no-version-scripts.patch
deleted file mode 100644
index e96e38bcf9..0000000000
--- a/meta/recipes-connectivity/connman/connman/no-version-scripts.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-With binutils 2.27 on at least MIPS, connmand will crash on startup.  This
-appears to be due to the symbol visibilty scripts hiding symbols that stdio
-looks up at runtime, resulting in it segfaulting.
-This certainly appears to be a bug in binutils 2.27 although the problem has
-been known about for some time:
-https://sourceware.org/bugzilla/show_bug.cgi?id=17908
-As the version scripts are only used to hide symbols from plugins we can safely
-remove the scripts to work around the problem until binutils is fixed.
-Upstream-Status: Inappropriate
-Signed-off-by: Ross Burton <ross.burton@intel.com>
-diff --git a/Makefile.am b/Makefile.am
-index d70725c..76ae432 100644
--- a/Makefile.am
-+++ b/Makefile.am
-@@ -132,2 +132 @@ src_connmand_LDADD = gdbus/libgdbus-internal.la $(builtin_libadd) \
-src_connmand_LDFLAGS = -Wl,--export-dynamic \
-                               -Wl,--version-script=$(srcdir)/src/connman.ver
-+src_connmand_LDFLAGS = -Wl,--export-dynamic
-@@ -166,2 +165 @@ vpn_connman_vpnd_LDADD = gdbus/libgdbus-internal.la $(builtin_vpn_libadd) \
-vpn_connman_vpnd_LDFLAGS = -Wl,--export-dynamic \
-                               -Wl,--version-script=$(srcdir)/vpn/vpn.ver
-+vpn_connman_vpnd_LDFLAGS = -Wl,--export-dynamic

diff --git a/meta/recipes-connectivity/connman/connman/0001-connman.service-stop-systemd-networkd-when-using-con.patch b/meta/recipes-connectivity/connman/connman/0001-connman.service-stop-systemd-networkd-when-using-con.patch deleted file mode 100644 index dd012750a4..0000000000 --- a/meta/recipes-connectivity/connman/connman/0001-connman.service-stop-systemd-networkd-when-using-con.patch +++ /dev/null
@@ -1,29 +0,0 @@
1	From 9fea099d0a3ece37d80ad70d32ebb8a93f8f3280 Mon Sep 17 00:00:00 2001
2	From: Yi Zhao <yi.zhao@windriver.com>
3	Date: Fri, 30 Oct 2020 13:48:45 +0800
4	Subject: [PATCH] connman.service: stop systemd-networkd when using connman
5
6	Stop systemd-networkd service when we use connman as network manager.
7
8	Upstream-Status: Inappropriate [configuration]
9
10	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
11	---
12	src/connman.service.in \| 1 +
13	1 file changed, 1 insertion(+)
14
15	diff --git a/src/connman.service.in b/src/connman.service.in
16	index 79e75d6..014eafe 100644
17	--- a/src/connman.service.in
18	+++ b/src/connman.service.in
19	@@ -6,6 +6,7 @@ RequiresMountsFor=@localstatedir@/lib/connman
20	After=dbus.service network-pre.target systemd-sysusers.service
21	Before=network.target multi-user.target shutdown.target
22	Wants=network.target
23	+Conflicts=systemd-networkd.service systemd-networkd.socket
24	Conflicts=systemd-resolved.service
25
26	[Service]
27	--
28	2.17.1
29


diff --git a/meta/recipes-connectivity/connman/connman/0001-connman.service-stop-systemd-resolved-when-we-use-co.patch b/meta/recipes-connectivity/connman/connman/0001-connman.service-stop-systemd-resolved-when-we-use-co.patch deleted file mode 100644 index 8e2e0bd02d..0000000000 --- a/meta/recipes-connectivity/connman/connman/0001-connman.service-stop-systemd-resolved-when-we-use-co.patch +++ /dev/null
@@ -1,29 +0,0 @@
1	From 9f70b94ebf18f52c115634642652830fa77f27a1 Mon Sep 17 00:00:00 2001
2	From: "Maxin B. John" <maxin.john@intel.com>
3	Date: Mon, 12 Jun 2017 16:52:39 +0300
4	Subject: [PATCH] connman.service: stop systemd-resolved when we use connman
5
6	Stop systemd-resolved service when we use connman as network manager.
7
8	Upstream-Status: Inappropriate [configuration]
9
10	Signed-off-by: Maxin B. John <maxin.john@intel.com>
11	---
12	src/connman.service.in \| 1 +
13	1 file changed, 1 insertion(+)
14
15	diff --git a/src/connman.service.in b/src/connman.service.in
16	index 9f5c10f..dab48bc 100644
17	--- a/src/connman.service.in
18	+++ b/src/connman.service.in
19	@@ -6,6 +6,7 @@ RequiresMountsFor=@localstatedir@/lib/connman
20	After=dbus.service network-pre.target systemd-sysusers.service
21	Before=network.target multi-user.target shutdown.target
22	Wants=network.target
23	+Conflicts=systemd-resolved.service
24
25	[Service]
26	Type=dbus
27	--
28	2.4.0
29


diff --git a/meta/recipes-connectivity/connman/connman/0001-plugin.h-Change-visibility-to-default-for-debug-symb.patch b/meta/recipes-connectivity/connman/connman/0001-plugin.h-Change-visibility-to-default-for-debug-symb.patch deleted file mode 100644 index e6f03e632e..0000000000 --- a/meta/recipes-connectivity/connman/connman/0001-plugin.h-Change-visibility-to-default-for-debug-symb.patch +++ /dev/null
@@ -1,35 +0,0 @@
1	From 4ddaf78dad5a9ee4a0658235f71b75132192123e Mon Sep 17 00:00:00 2001
2	From: Khem Raj <raj.khem@gmail.com>
3	Date: Sat, 7 Apr 2012 18:52:12 -0700
4	Subject: [PATCH] plugin.h: Change visibility to default for debug symbols
5
6	gold refuses to link in undefined weak symbols which
7	have hidden visibility
8
9	Signed-off-by: Khem Raj <raj.khem@gmail.com>
10
11
12	Upstream-Status: Pending
13	---
14	include/plugin.h \| 4 ++--
15	1 files changed, 2 insertions(+), 2 deletions(-)
16
17	diff --git a/include/plugin.h b/include/plugin.h
18	index 692a4e5..a9361c3 100644
19	--- a/include/plugin.h
20	+++ b/include/plugin.h
21	@@ -89,9 +89,9 @@ struct connman_plugin_desc {
22	#else
23	#define CONNMAN_PLUGIN_DEFINE(name, description, version, priority, init, exit) \
24	extern struct connman_debug_desc __start___debug[] \
25	- __attribute__ ((weak, visibility("hidden"))); \
26	+ __attribute__ ((weak, visibility("default"))); \
27	extern struct connman_debug_desc __stop___debug[] \
28	- __attribute__ ((weak, visibility("hidden"))); \
29	+ __attribute__ ((weak, visibility("default"))); \
30	extern struct connman_plugin_desc connman_plugin_desc \
31	__attribute__ ((visibility("default"))); \
32	struct connman_plugin_desc connman_plugin_desc = { \
33	--
34	1.7.5.4
35


diff --git a/meta/recipes-connectivity/connman/connman/0002-resolve-musl-does-not-implement-res_ninit.patch b/meta/recipes-connectivity/connman/connman/0002-resolve-musl-does-not-implement-res_ninit.patch index 942b9c97b6..2c612039ee 100644 --- a/meta/recipes-connectivity/connman/connman/0002-resolve-musl-does-not-implement-res_ninit.patch +++ b/meta/recipes-connectivity/connman/connman/0002-resolve-musl-does-not-implement-res_ninit.patch
@@ -1,83 +1,85 @@
1	From c7734e1547db967eccf242fe4b9e8a30b9ff141c Mon Sep 17 00:00:00 2001	1	From 4e726a5aaa75d60fab6a56bc37dbec48be53ff79 Mon Sep 17 00:00:00 2001
2	From: Khem Raj <raj.khem@gmail.com>	2	From: Khem Raj <raj.khem@gmail.com>
3	Date: Mon, 6 Apr 2015 23:02:21 -0700	3	Date: Mon, 6 Apr 2015 23:02:21 -0700
4	Subject: [PATCH] resolve: musl does not implement res_ninit	4	Subject: [PATCH] gweb/gresolv.c: make use of res_ninit optional and subject to
		5	__RES
5		6
6	ported from	7	Not all libc implementation have those functions, and the way to determine
		8	if they do is to check __RES which is explained in resolv.h thusly:
		9
		10	/*
		11	* Revision information. This is the release date in YYYYMMDD format.
		12	* It can change every day so the right thing to do with it is use it
		13	* in preprocessor commands such as "#if (__RES > 19931104)". Do not
		14	* compare for equality; rather, use it to determine whether your resolver
		15	* is new enough to contain a certain feature.
		16	*/
		17
		18	Indeed, it needs to be at least 19991006.
		19
		20	The portion of the patch that implements a fallback is ported from
		21	Alpine Linux:
7	http://git.alpinelinux.org/cgit/aports/plain/testing/connman/libresolv.patch	22	http://git.alpinelinux.org/cgit/aports/plain/testing/connman/libresolv.patch
8		23
9	Upstream-Status: Pending	24	Upstream-Status: Submitted [to connman@lists.linux.dev,marcel@holtmann.org]
10		25
11	Signed-off-by: Khem Raj <raj.khem@gmail.com>	26	Signed-off-by: Khem Raj <raj.khem@gmail.com>
12
13	---	27	---
14	gweb/gresolv.c \| 34 +++++++++++++---------------------	28	gweb/gresolv.c \| 21 +++++++++++++++++++++
15	1 file changed, 13 insertions(+), 21 deletions(-)	29	1 file changed, 21 insertions(+)
16		30
17	diff --git a/gweb/gresolv.c b/gweb/gresolv.c	31	diff --git a/gweb/gresolv.c b/gweb/gresolv.c
18	index 38a554e..a9e8740 100644	32	index 8101d71..9f1477c 100644
19	--- a/gweb/gresolv.c	33	--- a/gweb/gresolv.c
20	+++ b/gweb/gresolv.c	34	+++ b/gweb/gresolv.c
21	@@ -36,6 +36,7 @@	35	@@ -879,7 +879,9 @@ GResolv *g_resolv_new(int index)
22	#include <arpa/inet.h>
23	#include <arpa/nameser.h>
24	#include <net/if.h>
25	+#include <ctype.h>
26
27	#include "gresolv.h"
28
29	@@ -877,8 +878,6 @@ GResolv *g_resolv_new(int index)
30	resolv->index = index;	36	resolv->index = index;
31	resolv->nameserver_list = NULL;	37	resolv->nameserver_list = NULL;
32		38
33	- res_ninit(&resolv->res);	39	+#if (__RES >= 19991006)
34	-	40	res_ninit(&resolv->res);
		41	+#endif
		42
35	return resolv;	43	return resolv;
36	}	44	}
37		45	@@ -920,7 +922,9 @@ void g_resolv_unref(GResolv *resolv)
38	@@ -918,8 +917,6 @@ void g_resolv_unref(GResolv *resolv)
39		46
40	flush_nameservers(resolv);	47	flush_nameservers(resolv);
41		48
42	- res_nclose(&resolv->res);	49	+#if (__RES >= 19991006)
43	-	50	res_nclose(&resolv->res);
		51	+#endif
		52
44	g_free(resolv);	53	g_free(resolv);
45	}	54	}
46		55	@@ -1024,6 +1028,7 @@ guint g_resolv_lookup_hostname(GResolv resolv, const char hostname,
47	@@ -1022,24 +1019,19 @@ guint g_resolv_lookup_hostname(GResolv resolv, const char hostname,
48	debug(resolv, "hostname %s", hostname);	56	debug(resolv, "hostname %s", hostname);
49		57
50	if (!resolv->nameserver_list) {	58	if (!resolv->nameserver_list) {
51	- int i;	59	+#if (__RES >= 19991006)
52	-	60	int i;
53	- for (i = 0; i < resolv->res.nscount; i++) {	61
54	- char buf[100];	62	for (i = 0; i < resolv->res.nscount; i++) {
55	- int family = resolv->res.nsaddr_list[i].sin_family;	63	@@ -1043,6 +1048,22 @@ guint g_resolv_lookup_hostname(GResolv resolv, const char hostname,
56	- void *sa_addr = &resolv->res.nsaddr_list[i].sin_addr;	64	if (inet_ntop(family, sa_addr, buf, sizeof(buf)))
57	-	65	g_resolv_add_nameserver(resolv, buf, 53, 0);
58	- if (family != AF_INET &&
59	- resolv->res._u._ext.nsaddrs[i]) {
60	- family = AF_INET6;
61	- sa_addr = &resolv->res._u._ext.nsaddrs[i]->sin6_addr;
62	+ FILE *f = fopen("/etc/resolv.conf", "r");
63	+ if (f) {
64	+ char line[256], *s;
65	+ int i;
66	+ while (fgets(line, sizeof(line), f)) {
67	+ if (strncmp(line, "nameserver", 10) \|\| !isspace(line[10]))
68	+ continue;
69	+ for (s = &line[11]; isspace(s[0]); s++);
70	+ for (i = 0; s[i] && !isspace(s[i]); i++);
71	+ s[i] = 0;
72	+ g_resolv_add_nameserver(resolv, s, 53, 0);
73	}
74	-
75	- if (family != AF_INET && family != AF_INET6)
76	- continue;
77	-
78	- if (inet_ntop(family, sa_addr, buf, sizeof(buf)))
79	- g_resolv_add_nameserver(resolv, buf, 53, 0);
80	+ fclose(f);
81	}	66	}
		67	+#else
		68	+ FILE *f = fopen("/etc/resolv.conf", "r");
		69	+ if (f) {
		70	+ char line[256], *s;
		71	+ int i;
		72	+ while (fgets(line, sizeof(line), f)) {
		73	+ if (strncmp(line, "nameserver", 10) \|\| !isspace(line[10]))
		74	+ continue;
		75	+ for (s = &line[11]; isspace(s[0]); s++);
		76	+ for (i = 0; s[i] && !isspace(s[i]); i++);
		77	+ s[i] = 0;
		78	+ g_resolv_add_nameserver(resolv, s, 53, 0);
		79	+ }
		80	+ fclose(f);
		81	+ }
		82	+#endif
82		83
83	if (!resolv->nameserver_list)	84	if (!resolv->nameserver_list)
		85	g_resolv_add_nameserver(resolv, "127.0.0.1", 53, 0);


diff --git a/meta/recipes-connectivity/connman/connman/CVE-2025-32366.patch b/meta/recipes-connectivity/connman/connman/CVE-2025-32366.patch new file mode 100644 index 0000000000..62f07e707a --- /dev/null +++ b/meta/recipes-connectivity/connman/connman/CVE-2025-32366.patch
@@ -0,0 +1,41 @@
		1	From 8d3be0285f1d4667bfe85dba555c663eb3d704b4 Mon Sep 17 00:00:00 2001
		2	From: Yoonje Shin <ioerts@kookmin.ac.kr>
		3	Date: Mon, 12 May 2025 10:48:18 +0200
		4	Subject: [PATCH] dnsproxy: Address CVE-2025-32366 vulnerability
		5
		6	In Connman parse_rr in dnsproxy.c has a memcpy length
		7	that depends on an RR RDLENGTH value (i.e., *rdlen=ntohs(rr->rdlen)
		8	and memcpy(response+offset,end,rdlen)). Here, rdlen may be larger
		9	than the amount of remaining packet data in the current state of
		10	parsing. As a result, values of stack memory locations may be sent
		11	over the network in a response.
		12
		13	This patch adds a check to ensure that (end + rdlen) does not exceed
		14	the valid range. If the condition is violated, the function returns
		15	-EINVAL.
		16
		17	CVE: CVE-2025-32366
		18
		19	Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=8d3be0285f1d4667bfe85dba555c663eb3d704b4]
		20
		21	Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
		22	---
		23	src/dnsproxy.c \| 3 +++
		24	1 file changed, 3 insertions(+)
		25
		26	diff --git a/src/dnsproxy.c b/src/dnsproxy.c
		27	index 7ee26d9..1dd2f7f 100644
		28	--- a/src/dnsproxy.c
		29	+++ b/src/dnsproxy.c
		30	@@ -998,6 +998,9 @@ static int parse_rr(const unsigned char buf, const unsigned char start,
		31	if ((offset + rdlen) > response_size)
		32	return -ENOBUFS;
		33
		34	+ if ((end + rdlen) > max)
		35	+ return -EINVAL;
		36	+
		37	memcpy(response + offset, end, rdlen);
		38
		39	end += rdlen;
		40	--
		41	2.40.0


diff --git a/meta/recipes-connectivity/connman/connman/CVE-2025-32743.patch b/meta/recipes-connectivity/connman/connman/CVE-2025-32743.patch new file mode 100644 index 0000000000..c114589679 --- /dev/null +++ b/meta/recipes-connectivity/connman/connman/CVE-2025-32743.patch
@@ -0,0 +1,48 @@
		1	From d90b911f6760959bdf1393c39fe8d1118315490f Mon Sep 17 00:00:00 2001
		2	From: Praveen Kumar <praveen.kumar@windriver.com>
		3	Date: Thu, 24 Apr 2025 11:39:29 +0000
		4	Subject: [PATCH] dnsproxy: Fix NULL/empty lookup causing potential crash
		5
		6	In ConnMan through 1.44, the lookup string in ns_resolv in dnsproxy.c
		7	can be NULL or an empty string when the TC (Truncated) bit is set in
		8	a DNS response. This allows attackers to cause a denial of service
		9	(application crash) or possibly execute arbitrary code, because those
		10	lookup values lead to incorrect length calculations and incorrect
		11	memcpy operations.
		12
		13	This patch includes a check to make sure loookup value is valid before
		14	using it. This helps avoid unexpected value when the input is empty or
		15	incorrect.
		16
		17	Fixes: CVE-2025-32743
		18
		19	CVE: CVE-2025-32743
		20
		21	Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d90b911f6760959bdf1393c39fe8d1118315490f]
		22
		23	Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
		24	---
		25	src/dnsproxy.c \| 7 ++++++-
		26	1 file changed, 6 insertions(+), 1 deletion(-)
		27
		28	diff --git a/src/dnsproxy.c b/src/dnsproxy.c
		29	index f28a5d7..7ee26d9 100644
		30	--- a/src/dnsproxy.c
		31	+++ b/src/dnsproxy.c
		32	@@ -1685,8 +1685,13 @@ static int ns_resolv(struct server_data server, struct request_data req,
		33	gpointer request, gpointer name)
		34	{
		35	int sk = -1;
		36	+ int err;
		37	const char lookup = (const char )name;
		38	- int err = ns_try_resolv_from_cache(req, request, lookup);
		39	+
		40	+ if (!lookup \|\| strlen(lookup) == 0)
		41	+ return -EINVAL;
		42	+
		43	+ err = ns_try_resolv_from_cache(req, request, lookup);
		44
		45	if (err > 0)
		46	/* cache hit */
		47	--
		48	2.40.0


diff --git a/meta/recipes-connectivity/connman/connman/connman b/meta/recipes-connectivity/connman/connman/connman index c64fa0d715..adb5d44fed 100644 --- a/meta/recipes-connectivity/connman/connman/connman +++ b/meta/recipes-connectivity/connman/connman/connman
@@ -10,53 +10,15 @@ fi
10		10
11	set -e	11	set -e
12		12
13	nfsroot=0
14
15	exec 9<&0 < /proc/mounts
16	while read dev mtpt fstype rest; do
17	if test $mtpt = "/" ; then
18	case $fstype in
19	nfs \| nfs4)
20	nfsroot=1
21	break
22	;;
23	*)
24	;;
25	esac
26	fi
27	done
28
29	do_start() {	13	do_start() {
30	EXTRA_PARAM=""
31	if test $nfsroot -eq 1 ; then
32	NET_DEVS=`cat /proc/net/dev \| sed -ne 's/^\([a-zA-Z0-9 ]\):.$/\1/p'`
33	NET_ADDR=`cat /proc/cmdline \| sed -ne 's/^.ip=\([^ :]\).*$/\1/p'`
34
35	if [ ! -z "$NET_ADDR" ]; then
36	if [ "$NET_ADDR" = dhcp ]; then
37	ethn=`ifconfig \| grep "^eth" \| sed -e "s/\(eth[0-9]\)\(.*\)/\1/"`
38	if [ ! -z "$ethn" ]; then
39	EXTRA_PARAM="-I $ethn"
40	fi
41	else
42	for i in $NET_DEVS; do
43	ADDR=`ifconfig $i \| sed 's/addr://g' \| sed -ne 's/^.inet \([0-9.]\) .*$/\1/p'`
44	if [ "$NET_ADDR" = "$ADDR" ]; then
45	EXTRA_PARAM="-I $i"
46	break
47	fi
48	done
49	fi
50	fi
51	fi
52	if [ -f @DATADIR@/connman/wired-setup ] ; then	14	if [ -f @DATADIR@/connman/wired-setup ] ; then
53	. @DATADIR@/connman/wired-setup	15	. @DATADIR@/connman/wired-setup
54	fi	16	fi
55	$DAEMON $EXTRA_PARAM	17	$DAEMON
56	}	18	}
57		19
58	do_stop() {	20	do_stop() {
59	start-stop-daemon --stop --name connmand --quiet	21	start-stop-daemon --stop --oknodo --name connmand --quiet
60	}	22	}
61		23
62	case "$1" in	24	case "$1" in


diff --git a/meta/recipes-connectivity/connman/connman/no-version-scripts.patch b/meta/recipes-connectivity/connman/connman/no-version-scripts.patch deleted file mode 100644 index e96e38bcf9..0000000000 --- a/meta/recipes-connectivity/connman/connman/no-version-scripts.patch +++ /dev/null
@@ -1,27 +0,0 @@
1	With binutils 2.27 on at least MIPS, connmand will crash on startup. This
2	appears to be due to the symbol visibilty scripts hiding symbols that stdio
3	looks up at runtime, resulting in it segfaulting.
4
5	This certainly appears to be a bug in binutils 2.27 although the problem has
6	been known about for some time:
7
8	https://sourceware.org/bugzilla/show_bug.cgi?id=17908
9
10	As the version scripts are only used to hide symbols from plugins we can safely
11	remove the scripts to work around the problem until binutils is fixed.
12
13	Upstream-Status: Inappropriate
14	Signed-off-by: Ross Burton <ross.burton@intel.com>
15
16	diff --git a/Makefile.am b/Makefile.am
17	index d70725c..76ae432 100644
18	--- a/Makefile.am
19	+++ b/Makefile.am
20	@@ -132,2 +132 @@ src_connmand_LDADD = gdbus/libgdbus-internal.la $(builtin_libadd) \
21	-src_connmand_LDFLAGS = -Wl,--export-dynamic \
22	- -Wl,--version-script=$(srcdir)/src/connman.ver
23	+src_connmand_LDFLAGS = -Wl,--export-dynamic
24	@@ -166,2 +165 @@ vpn_connman_vpnd_LDADD = gdbus/libgdbus-internal.la $(builtin_vpn_libadd) \
25	-vpn_connman_vpnd_LDFLAGS = -Wl,--export-dynamic \
26	- -Wl,--version-script=$(srcdir)/vpn/vpn.ver
27	+vpn_connman_vpnd_LDFLAGS = -Wl,--export-dynamic