diff options
Diffstat (limited to 'meta/recipes-connectivity')
85 files changed, 7574 insertions, 19 deletions
diff --git a/meta/recipes-connectivity/avahi/avahi.inc b/meta/recipes-connectivity/avahi/avahi.inc index 6acedb5412..e1dfc7a861 100644 --- a/meta/recipes-connectivity/avahi/avahi.inc +++ b/meta/recipes-connectivity/avahi/avahi.inc | |||
@@ -21,6 +21,16 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=2d5025d4aa3495befef8f17206a5b0a1 \ | |||
21 | 21 | ||
22 | SRC_URI = "https://github.com/lathiat/avahi/releases/download/v${PV}/avahi-${PV}.tar.gz \ | 22 | SRC_URI = "https://github.com/lathiat/avahi/releases/download/v${PV}/avahi-${PV}.tar.gz \ |
23 | file://fix-CVE-2017-6519.patch \ | 23 | file://fix-CVE-2017-6519.patch \ |
24 | file://CVE-2021-3468.patch \ | ||
25 | file://CVE-2023-1981.patch \ | ||
26 | file://CVE-2023-38469-1.patch \ | ||
27 | file://CVE-2023-38469-2.patch \ | ||
28 | file://CVE-2023-38470-1.patch \ | ||
29 | file://CVE-2023-38470-2.patch \ | ||
30 | file://CVE-2023-38471-1.patch \ | ||
31 | file://CVE-2023-38471-2.patch \ | ||
32 | file://CVE-2023-38472.patch \ | ||
33 | file://CVE-2023-38473.patch \ | ||
24 | " | 34 | " |
25 | 35 | ||
26 | UPSTREAM_CHECK_URI = "https://github.com/lathiat/avahi/releases/" | 36 | UPSTREAM_CHECK_URI = "https://github.com/lathiat/avahi/releases/" |
diff --git a/meta/recipes-connectivity/avahi/avahi_0.7.bb b/meta/recipes-connectivity/avahi/avahi_0.7.bb index f6e3afb24e..0df44bffbe 100644 --- a/meta/recipes-connectivity/avahi/avahi_0.7.bb +++ b/meta/recipes-connectivity/avahi/avahi_0.7.bb | |||
@@ -8,6 +8,9 @@ SRC_URI += "file://00avahi-autoipd \ | |||
8 | 8 | ||
9 | inherit update-rc.d systemd useradd | 9 | inherit update-rc.d systemd useradd |
10 | 10 | ||
11 | # Issue only affects Debian/SUSE, not us | ||
12 | CVE_CHECK_WHITELIST += "CVE-2021-26720" | ||
13 | |||
11 | PACKAGES =+ "libavahi-gobject avahi-daemon libavahi-common libavahi-core libavahi-client avahi-dnsconfd libavahi-glib avahi-autoipd avahi-utils" | 14 | PACKAGES =+ "libavahi-gobject avahi-daemon libavahi-common libavahi-core libavahi-client avahi-dnsconfd libavahi-glib avahi-autoipd avahi-utils" |
12 | 15 | ||
13 | LICENSE_libavahi-gobject = "LGPLv2.1+" | 16 | LICENSE_libavahi-gobject = "LGPLv2.1+" |
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2021-3468.patch b/meta/recipes-connectivity/avahi/files/CVE-2021-3468.patch new file mode 100644 index 0000000000..638a1f6071 --- /dev/null +++ b/meta/recipes-connectivity/avahi/files/CVE-2021-3468.patch | |||
@@ -0,0 +1,42 @@ | |||
1 | From 447affe29991ee99c6b9732fc5f2c1048a611d3b Mon Sep 17 00:00:00 2001 | ||
2 | From: Riccardo Schirone <sirmy15@gmail.com> | ||
3 | Date: Fri, 26 Mar 2021 11:50:24 +0100 | ||
4 | Subject: [PATCH] Avoid infinite-loop in avahi-daemon by handling HUP event in | ||
5 | client_work | ||
6 | |||
7 | If a client fills the input buffer, client_work() disables the | ||
8 | AVAHI_WATCH_IN event, thus preventing the function from executing the | ||
9 | `read` syscall the next times it is called. However, if the client then | ||
10 | terminates the connection, the socket file descriptor receives a HUP | ||
11 | event, which is not handled, thus the kernel keeps marking the HUP event | ||
12 | as occurring. While iterating over the file descriptors that triggered | ||
13 | an event, the client file descriptor will keep having the HUP event and | ||
14 | the client_work() function is always called with AVAHI_WATCH_HUP but | ||
15 | without nothing being done, thus entering an infinite loop. | ||
16 | |||
17 | See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984938 | ||
18 | |||
19 | Upstream-Status: Backport | ||
20 | CVE: CVE-2021-3468 | ||
21 | Signed-off-by: Steve Sakoman <steve@sakoman.com> | ||
22 | |||
23 | --- | ||
24 | avahi-daemon/simple-protocol.c | 5 +++++ | ||
25 | 1 file changed, 5 insertions(+) | ||
26 | |||
27 | diff --git a/avahi-daemon/simple-protocol.c b/avahi-daemon/simple-protocol.c | ||
28 | index 3e0ebb11..6c0274d6 100644 | ||
29 | --- a/avahi-daemon/simple-protocol.c | ||
30 | +++ b/avahi-daemon/simple-protocol.c | ||
31 | @@ -424,6 +424,11 @@ static void client_work(AvahiWatch *watch, AVAHI_GCC_UNUSED int fd, AvahiWatchEv | ||
32 | } | ||
33 | } | ||
34 | |||
35 | + if (events & AVAHI_WATCH_HUP) { | ||
36 | + client_free(c); | ||
37 | + return; | ||
38 | + } | ||
39 | + | ||
40 | c->server->poll_api->watch_update( | ||
41 | watch, | ||
42 | (c->outbuf_length > 0 ? AVAHI_WATCH_OUT : 0) | | ||
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-1981.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-1981.patch new file mode 100644 index 0000000000..1209864402 --- /dev/null +++ b/meta/recipes-connectivity/avahi/files/CVE-2023-1981.patch | |||
@@ -0,0 +1,60 @@ | |||
1 | Backport of: | ||
2 | |||
3 | From a2696da2f2c50ac43b6c4903f72290d5c3fa9f6f Mon Sep 17 00:00:00 2001 | ||
4 | From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com> | ||
5 | Date: Thu, 17 Nov 2022 01:51:53 +0100 | ||
6 | Subject: [PATCH] Emit error if requested service is not found | ||
7 | |||
8 | It currently just crashes instead of replying with error. Check return | ||
9 | value and emit error instead of passing NULL pointer to reply. | ||
10 | |||
11 | Fixes #375 | ||
12 | |||
13 | Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-1981.patch?h=ubuntu/focal-security | ||
14 | Upstream commit https://github.com/lathiat/avahi/commit/a2696da2f2c50ac43b6c4903f72290d5c3fa9f6f] | ||
15 | CVE: CVE-2023-1981 | ||
16 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
17 | --- | ||
18 | avahi-daemon/dbus-protocol.c | 20 ++++++++++++++------ | ||
19 | 1 file changed, 14 insertions(+), 6 deletions(-) | ||
20 | |||
21 | --- a/avahi-daemon/dbus-protocol.c | ||
22 | +++ b/avahi-daemon/dbus-protocol.c | ||
23 | @@ -391,10 +391,14 @@ static DBusHandlerResult msg_server_impl | ||
24 | } | ||
25 | |||
26 | t = avahi_alternative_host_name(n); | ||
27 | - avahi_dbus_respond_string(c, m, t); | ||
28 | - avahi_free(t); | ||
29 | - | ||
30 | - return DBUS_HANDLER_RESULT_HANDLED; | ||
31 | + if (t) { | ||
32 | + avahi_dbus_respond_string(c, m, t); | ||
33 | + avahi_free(t); | ||
34 | + | ||
35 | + return DBUS_HANDLER_RESULT_HANDLED; | ||
36 | + } else { | ||
37 | + return avahi_dbus_respond_error(c, m, AVAHI_ERR_NOT_FOUND, "Hostname not found"); | ||
38 | + } | ||
39 | |||
40 | } else if (dbus_message_is_method_call(m, AVAHI_DBUS_INTERFACE_SERVER, "GetAlternativeServiceName")) { | ||
41 | char *n, *t; | ||
42 | @@ -405,10 +409,14 @@ static DBusHandlerResult msg_server_impl | ||
43 | } | ||
44 | |||
45 | t = avahi_alternative_service_name(n); | ||
46 | - avahi_dbus_respond_string(c, m, t); | ||
47 | - avahi_free(t); | ||
48 | - | ||
49 | - return DBUS_HANDLER_RESULT_HANDLED; | ||
50 | + if (t) { | ||
51 | + avahi_dbus_respond_string(c, m, t); | ||
52 | + avahi_free(t); | ||
53 | + | ||
54 | + return DBUS_HANDLER_RESULT_HANDLED; | ||
55 | + } else { | ||
56 | + return avahi_dbus_respond_error(c, m, AVAHI_ERR_NOT_FOUND, "Service not found"); | ||
57 | + } | ||
58 | |||
59 | } else if (dbus_message_is_method_call(m, AVAHI_DBUS_INTERFACE_SERVER, "EntryGroupNew")) { | ||
60 | Client *client; | ||
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38469-1.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38469-1.patch new file mode 100644 index 0000000000..12dad9ef6f --- /dev/null +++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38469-1.patch | |||
@@ -0,0 +1,48 @@ | |||
1 | From a337a1ba7d15853fb56deef1f464529af6e3a1cf Mon Sep 17 00:00:00 2001 | ||
2 | From: Evgeny Vereshchagin <evvers@ya.ru> | ||
3 | Date: Mon, 23 Oct 2023 20:29:31 +0000 | ||
4 | Subject: [PATCH] core: reject overly long TXT resource records | ||
5 | |||
6 | Closes https://github.com/lathiat/avahi/issues/455 | ||
7 | |||
8 | CVE-2023-38469 | ||
9 | |||
10 | Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38469-1.patch?h=ubuntu/focal-security | ||
11 | Upstream commit https://github.com/lathiat/avahi/commit/a337a1ba7d15853fb56deef1f464529af6e3a1cf] | ||
12 | CVE: CVE-2023-38469 | ||
13 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
14 | --- | ||
15 | avahi-core/rr.c | 9 ++++++++- | ||
16 | 1 file changed, 8 insertions(+), 1 deletion(-) | ||
17 | |||
18 | Index: avahi-0.7/avahi-core/rr.c | ||
19 | =================================================================== | ||
20 | --- avahi-0.7.orig/avahi-core/rr.c | ||
21 | +++ avahi-0.7/avahi-core/rr.c | ||
22 | @@ -32,6 +32,7 @@ | ||
23 | #include <avahi-common/malloc.h> | ||
24 | #include <avahi-common/defs.h> | ||
25 | |||
26 | +#include "dns.h" | ||
27 | #include "rr.h" | ||
28 | #include "log.h" | ||
29 | #include "util.h" | ||
30 | @@ -688,11 +689,17 @@ int avahi_record_is_valid(AvahiRecord *r | ||
31 | case AVAHI_DNS_TYPE_TXT: { | ||
32 | |||
33 | AvahiStringList *strlst; | ||
34 | + size_t used = 0; | ||
35 | |||
36 | - for (strlst = r->data.txt.string_list; strlst; strlst = strlst->next) | ||
37 | + for (strlst = r->data.txt.string_list; strlst; strlst = strlst->next) { | ||
38 | if (strlst->size > 255 || strlst->size <= 0) | ||
39 | return 0; | ||
40 | |||
41 | + used += 1+strlst->size; | ||
42 | + if (used > AVAHI_DNS_RDATA_MAX) | ||
43 | + return 0; | ||
44 | + } | ||
45 | + | ||
46 | return 1; | ||
47 | } | ||
48 | } | ||
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38469-2.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38469-2.patch new file mode 100644 index 0000000000..a62c718ebe --- /dev/null +++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38469-2.patch | |||
@@ -0,0 +1,65 @@ | |||
1 | From c6cab87df290448a63323c8ca759baa516166237 Mon Sep 17 00:00:00 2001 | ||
2 | From: Evgeny Vereshchagin <evvers@ya.ru> | ||
3 | Date: Wed, 25 Oct 2023 18:15:42 +0000 | ||
4 | Subject: [PATCH] tests: pass overly long TXT resource records | ||
5 | |||
6 | to make sure they don't crash avahi any more. | ||
7 | It reproduces https://github.com/lathiat/avahi/issues/455 | ||
8 | |||
9 | Canonical notes: | ||
10 | nickgalanis> removed first hunk since there is no .github dir in this release | ||
11 | |||
12 | Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38469-2.patch?h=ubuntu/focal-security | ||
13 | Upstream commit https://github.com/lathiat/avahi/commit/c6cab87df290448a63323c8ca759baa516166237] | ||
14 | CVE: CVE-2023-38469 | ||
15 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
16 | --- | ||
17 | avahi-client/client-test.c | 14 ++++++++++++++ | ||
18 | 1 files changed, 14 insertions(+) | ||
19 | |||
20 | Index: avahi-0.7/avahi-client/client-test.c | ||
21 | =================================================================== | ||
22 | --- avahi-0.7.orig/avahi-client/client-test.c | ||
23 | +++ avahi-0.7/avahi-client/client-test.c | ||
24 | @@ -22,6 +22,7 @@ | ||
25 | #endif | ||
26 | |||
27 | #include <stdio.h> | ||
28 | +#include <string.h> | ||
29 | #include <assert.h> | ||
30 | |||
31 | #include <avahi-client/client.h> | ||
32 | @@ -33,6 +34,8 @@ | ||
33 | #include <avahi-common/malloc.h> | ||
34 | #include <avahi-common/timeval.h> | ||
35 | |||
36 | +#include <avahi-core/dns.h> | ||
37 | + | ||
38 | static const AvahiPoll *poll_api = NULL; | ||
39 | static AvahiSimplePoll *simple_poll = NULL; | ||
40 | |||
41 | @@ -222,6 +225,9 @@ int main (AVAHI_GCC_UNUSED int argc, AVA | ||
42 | uint32_t cookie; | ||
43 | struct timeval tv; | ||
44 | AvahiAddress a; | ||
45 | + uint8_t rdata[AVAHI_DNS_RDATA_MAX+1]; | ||
46 | + AvahiStringList *txt = NULL; | ||
47 | + int r; | ||
48 | |||
49 | simple_poll = avahi_simple_poll_new(); | ||
50 | poll_api = avahi_simple_poll_get(simple_poll); | ||
51 | @@ -258,6 +264,14 @@ int main (AVAHI_GCC_UNUSED int argc, AVA | ||
52 | printf("%s\n", avahi_strerror(avahi_entry_group_add_service (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "Lathiat's Site", "_http._tcp", NULL, NULL, 80, "foo=bar", NULL))); | ||
53 | printf("add_record: %d\n", avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "\5booya", 6)); | ||
54 | |||
55 | + memset(rdata, 1, sizeof(rdata)); | ||
56 | + r = avahi_string_list_parse(rdata, sizeof(rdata), &txt); | ||
57 | + assert(r >= 0); | ||
58 | + assert(avahi_string_list_serialize(txt, NULL, 0) == sizeof(rdata)); | ||
59 | + error = avahi_entry_group_add_service_strlst(group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", "_qotd._tcp", NULL, NULL, 123, txt); | ||
60 | + assert(error == AVAHI_ERR_INVALID_RECORD); | ||
61 | + avahi_string_list_free(txt); | ||
62 | + | ||
63 | avahi_entry_group_commit (group); | ||
64 | |||
65 | domain = avahi_domain_browser_new (avahi, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, NULL, AVAHI_DOMAIN_BROWSER_BROWSE, 0, avahi_domain_browser_callback, (char*) "omghai3u"); | ||
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38470-1.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38470-1.patch new file mode 100644 index 0000000000..82fb1ab40b --- /dev/null +++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38470-1.patch | |||
@@ -0,0 +1,57 @@ | |||
1 | From 94cb6489114636940ac683515417990b55b5d66c Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com> | ||
3 | Date: Tue, 11 Apr 2023 15:29:59 +0200 | ||
4 | Subject: [PATCH] Ensure each label is at least one byte long | ||
5 | |||
6 | The only allowed exception is single dot, where it should return empty | ||
7 | string. | ||
8 | |||
9 | Fixes #454. | ||
10 | |||
11 | Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38470-1.patch?h=ubuntu/focal-security | ||
12 | Upstream commit https://github.com/lathiat/avahi/commit/94cb6489114636940ac683515417990b55b5d66c] | ||
13 | CVE: CVE-2023-38470 | ||
14 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
15 | --- | ||
16 | avahi-common/domain-test.c | 14 ++++++++++++++ | ||
17 | avahi-common/domain.c | 2 +- | ||
18 | 2 files changed, 15 insertions(+), 1 deletion(-) | ||
19 | |||
20 | Index: avahi-0.7/avahi-common/domain-test.c | ||
21 | =================================================================== | ||
22 | --- avahi-0.7.orig/avahi-common/domain-test.c | ||
23 | +++ avahi-0.7/avahi-common/domain-test.c | ||
24 | @@ -45,6 +45,20 @@ int main(AVAHI_GCC_UNUSED int argc, AVAH | ||
25 | printf("%s\n", s = avahi_normalize_name_strdup("fo\\\\o\\..f oo.")); | ||
26 | avahi_free(s); | ||
27 | |||
28 | + printf("%s\n", s = avahi_normalize_name_strdup(".")); | ||
29 | + avahi_free(s); | ||
30 | + | ||
31 | + s = avahi_normalize_name_strdup(",.=.}.=.?-.}.=.?.?.}.}.?.?.?.z.?.?.}.}." | ||
32 | + "}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.=.=.?.?.}.}.?.?.}.}.}" | ||
33 | + ".?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.=.=.?.?.}.}.?.?.?.zM.?`" | ||
34 | + "?.}.}.}.?.?.?.r.=.?.}.=.?.?.}.?.?.?.}.=.?.?.}??.}.}.?.?." | ||
35 | + "?.z.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.?`?.}.}.}." | ||
36 | + "??.?.zM.?`?.}.}.}.?.?.?.r.=.?.}.=.?.?.}.?.?.?.}.=.?.?.}?" | ||
37 | + "?.}.}.?.?.?.z.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM." | ||
38 | + "?`?.}.}.}.?.?.?.r.=.=.?.?`.?.?}.}.}.?.?.?.r.=.?.}.=.?.?." | ||
39 | + "}.?.?.?.}.=.?.?.}"); | ||
40 | + assert(s == NULL); | ||
41 | + | ||
42 | printf("%i\n", avahi_domain_equal("\\065aa bbb\\.\\046cc.cc\\\\.dee.fff.", "Aaa BBB\\.\\.cc.cc\\\\.dee.fff")); | ||
43 | printf("%i\n", avahi_domain_equal("A", "a")); | ||
44 | |||
45 | Index: avahi-0.7/avahi-common/domain.c | ||
46 | =================================================================== | ||
47 | --- avahi-0.7.orig/avahi-common/domain.c | ||
48 | +++ avahi-0.7/avahi-common/domain.c | ||
49 | @@ -201,7 +201,7 @@ char *avahi_normalize_name(const char *s | ||
50 | } | ||
51 | |||
52 | if (!empty) { | ||
53 | - if (size < 1) | ||
54 | + if (size < 2) | ||
55 | return NULL; | ||
56 | |||
57 | *(r++) = '.'; | ||
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38470-2.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38470-2.patch new file mode 100644 index 0000000000..403ed6fd6a --- /dev/null +++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38470-2.patch | |||
@@ -0,0 +1,53 @@ | |||
1 | From 20dec84b2480821704258bc908e7b2bd2e883b24 Mon Sep 17 00:00:00 2001 | ||
2 | From: Evgeny Vereshchagin <evvers@ya.ru> | ||
3 | Date: Tue, 19 Sep 2023 03:21:25 +0000 | ||
4 | Subject: [PATCH] [common] bail out when escaped labels can't fit into ret | ||
5 | |||
6 | Fixes: | ||
7 | ``` | ||
8 | ==93410==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f9e76f14c16 at pc 0x00000047208d bp 0x7ffee90a6a00 sp 0x7ffee90a61c8 | ||
9 | READ of size 1110 at 0x7f9e76f14c16 thread T0 | ||
10 | #0 0x47208c in __interceptor_strlen (out/fuzz-domain+0x47208c) (BuildId: 731b20c1eef22c2104e75a6496a399b10cfc7cba) | ||
11 | #1 0x534eb0 in avahi_strdup avahi/avahi-common/malloc.c:167:12 | ||
12 | #2 0x53862c in avahi_normalize_name_strdup avahi/avahi-common/domain.c:226:12 | ||
13 | ``` | ||
14 | and | ||
15 | ``` | ||
16 | fuzz-domain: fuzz/fuzz-domain.c:38: int LLVMFuzzerTestOneInput(const uint8_t *, size_t): Assertion `avahi_domain_equal(s, t)' failed. | ||
17 | ==101571== ERROR: libFuzzer: deadly signal | ||
18 | #0 0x501175 in __sanitizer_print_stack_trace (/home/vagrant/avahi/out/fuzz-domain+0x501175) (BuildId: 682bf6400aff9d41b64b6e2cc3ef5ad600216ea8) | ||
19 | #1 0x45ad2c in fuzzer::PrintStackTrace() (/home/vagrant/avahi/out/fuzz-domain+0x45ad2c) (BuildId: 682bf6400aff9d41b64b6e2cc3ef5ad600216ea8) | ||
20 | #2 0x43fc07 in fuzzer::Fuzzer::CrashCallback() (/home/vagrant/avahi/out/fuzz-domain+0x43fc07) (BuildId: 682bf6400aff9d41b64b6e2cc3ef5ad600216ea8) | ||
21 | #3 0x7f1581d7ebaf (/lib64/libc.so.6+0x3dbaf) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25) | ||
22 | #4 0x7f1581dcf883 in __pthread_kill_implementation (/lib64/libc.so.6+0x8e883) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25) | ||
23 | #5 0x7f1581d7eafd in gsignal (/lib64/libc.so.6+0x3dafd) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25) | ||
24 | #6 0x7f1581d6787e in abort (/lib64/libc.so.6+0x2687e) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25) | ||
25 | #7 0x7f1581d6779a in __assert_fail_base.cold (/lib64/libc.so.6+0x2679a) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25) | ||
26 | #8 0x7f1581d77186 in __assert_fail (/lib64/libc.so.6+0x36186) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25) | ||
27 | #9 0x5344a4 in LLVMFuzzerTestOneInput /home/vagrant/avahi/fuzz/fuzz-domain.c:38:9 | ||
28 | ``` | ||
29 | |||
30 | It's a follow-up to 94cb6489114636940ac683515417990b55b5d66c | ||
31 | |||
32 | Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38471-2.patch?h=ubuntu/focal-security | ||
33 | Upstream commit https://github.com/lathiat/avahi/commit/20dec84b2480821704258bc908e7b2bd2e883b24] | ||
34 | CVE: CVE-2023-38470 #Follow-up patch | ||
35 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
36 | --- | ||
37 | avahi-common/domain.c | 3 ++- | ||
38 | 1 file changed, 2 insertions(+), 1 deletion(-) | ||
39 | |||
40 | Index: avahi-0.7/avahi-common/domain.c | ||
41 | =================================================================== | ||
42 | --- avahi-0.7.orig/avahi-common/domain.c | ||
43 | +++ avahi-0.7/avahi-common/domain.c | ||
44 | @@ -210,7 +210,8 @@ char *avahi_normalize_name(const char *s | ||
45 | } else | ||
46 | empty = 0; | ||
47 | |||
48 | - avahi_escape_label(label, strlen(label), &r, &size); | ||
49 | + if (!(avahi_escape_label(label, strlen(label), &r, &size))) | ||
50 | + return NULL; | ||
51 | } | ||
52 | |||
53 | return ret_s; | ||
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38471-1.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38471-1.patch new file mode 100644 index 0000000000..c8d6a66174 --- /dev/null +++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38471-1.patch | |||
@@ -0,0 +1,73 @@ | |||
1 | From 894f085f402e023a98cbb6f5a3d117bd88d93b09 Mon Sep 17 00:00:00 2001 | ||
2 | From: Michal Sekletar <msekleta@redhat.com> | ||
3 | Date: Mon, 23 Oct 2023 13:38:35 +0200 | ||
4 | Subject: [PATCH] core: extract host name using avahi_unescape_label() | ||
5 | |||
6 | Previously we could create invalid escape sequence when we split the | ||
7 | string on dot. For example, from valid host name "foo\\.bar" we have | ||
8 | created invalid name "foo\\" and tried to set that as the host name | ||
9 | which crashed the daemon. | ||
10 | |||
11 | Fixes #453 | ||
12 | |||
13 | CVE-2023-38471 | ||
14 | |||
15 | Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38471-1.patch?h=ubuntu/focal-security | ||
16 | Upstream commit https://github.com/lathiat/avahi/commit/894f085f402e023a98cbb6f5a3d117bd88d93b09] | ||
17 | CVE: CVE-2023-38471 | ||
18 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
19 | --- | ||
20 | avahi-core/server.c | 27 +++++++++++++++++++++------ | ||
21 | 1 file changed, 21 insertions(+), 6 deletions(-) | ||
22 | |||
23 | Index: avahi-0.7/avahi-core/server.c | ||
24 | =================================================================== | ||
25 | --- avahi-0.7.orig/avahi-core/server.c | ||
26 | +++ avahi-0.7/avahi-core/server.c | ||
27 | @@ -1253,7 +1253,11 @@ static void update_fqdn(AvahiServer *s) | ||
28 | } | ||
29 | |||
30 | int avahi_server_set_host_name(AvahiServer *s, const char *host_name) { | ||
31 | - char *hn = NULL; | ||
32 | + char label_escaped[AVAHI_LABEL_MAX*4+1]; | ||
33 | + char label[AVAHI_LABEL_MAX]; | ||
34 | + char *hn = NULL, *h; | ||
35 | + size_t len; | ||
36 | + | ||
37 | assert(s); | ||
38 | |||
39 | AVAHI_CHECK_VALIDITY(s, !host_name || avahi_is_valid_host_name(host_name), AVAHI_ERR_INVALID_HOST_NAME); | ||
40 | @@ -1263,17 +1267,28 @@ int avahi_server_set_host_name(AvahiServ | ||
41 | else | ||
42 | hn = avahi_normalize_name_strdup(host_name); | ||
43 | |||
44 | - hn[strcspn(hn, ".")] = 0; | ||
45 | + h = hn; | ||
46 | + if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) { | ||
47 | + avahi_free(h); | ||
48 | + return AVAHI_ERR_INVALID_HOST_NAME; | ||
49 | + } | ||
50 | + | ||
51 | + avahi_free(h); | ||
52 | |||
53 | - if (avahi_domain_equal(s->host_name, hn) && s->state != AVAHI_SERVER_COLLISION) { | ||
54 | - avahi_free(hn); | ||
55 | + h = label_escaped; | ||
56 | + len = sizeof(label_escaped); | ||
57 | + if (!avahi_escape_label(label, strlen(label), &h, &len)) | ||
58 | + return AVAHI_ERR_INVALID_HOST_NAME; | ||
59 | + | ||
60 | + if (avahi_domain_equal(s->host_name, label_escaped) && s->state != AVAHI_SERVER_COLLISION) | ||
61 | return avahi_server_set_errno(s, AVAHI_ERR_NO_CHANGE); | ||
62 | - } | ||
63 | |||
64 | withdraw_host_rrs(s); | ||
65 | |||
66 | avahi_free(s->host_name); | ||
67 | - s->host_name = hn; | ||
68 | + s->host_name = avahi_strdup(label_escaped); | ||
69 | + if (!s->host_name) | ||
70 | + return AVAHI_ERR_NO_MEMORY; | ||
71 | |||
72 | update_fqdn(s); | ||
73 | |||
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38471-2.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38471-2.patch new file mode 100644 index 0000000000..a789b144ed --- /dev/null +++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38471-2.patch | |||
@@ -0,0 +1,52 @@ | |||
1 | From b675f70739f404342f7f78635d6e2dcd85a13460 Mon Sep 17 00:00:00 2001 | ||
2 | From: Evgeny Vereshchagin <evvers@ya.ru> | ||
3 | Date: Tue, 24 Oct 2023 22:04:51 +0000 | ||
4 | Subject: [PATCH] core: return errors from avahi_server_set_host_name properly | ||
5 | |||
6 | It's a follow-up to 894f085f402e023a98cbb6f5a3d117bd88d93b09 | ||
7 | |||
8 | Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38471-2.patch?h=ubuntu/focal-security | ||
9 | Upstream commit https://github.com/lathiat/avahi/commit/b675f70739f404342f7f78635d6e2dcd85a13460] | ||
10 | CVE: CVE-2023-38471 #Follow-up Patch | ||
11 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
12 | --- | ||
13 | avahi-core/server.c | 9 ++++++--- | ||
14 | 1 file changed, 6 insertions(+), 3 deletions(-) | ||
15 | |||
16 | Index: avahi-0.7/avahi-core/server.c | ||
17 | =================================================================== | ||
18 | --- avahi-0.7.orig/avahi-core/server.c | ||
19 | +++ avahi-0.7/avahi-core/server.c | ||
20 | @@ -1267,10 +1267,13 @@ int avahi_server_set_host_name(AvahiServ | ||
21 | else | ||
22 | hn = avahi_normalize_name_strdup(host_name); | ||
23 | |||
24 | + if (!hn) | ||
25 | + return avahi_server_set_errno(s, AVAHI_ERR_NO_MEMORY); | ||
26 | + | ||
27 | h = hn; | ||
28 | if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) { | ||
29 | avahi_free(h); | ||
30 | - return AVAHI_ERR_INVALID_HOST_NAME; | ||
31 | + return avahi_server_set_errno(s, AVAHI_ERR_INVALID_HOST_NAME); | ||
32 | } | ||
33 | |||
34 | avahi_free(h); | ||
35 | @@ -1278,7 +1281,7 @@ int avahi_server_set_host_name(AvahiServ | ||
36 | h = label_escaped; | ||
37 | len = sizeof(label_escaped); | ||
38 | if (!avahi_escape_label(label, strlen(label), &h, &len)) | ||
39 | - return AVAHI_ERR_INVALID_HOST_NAME; | ||
40 | + return avahi_server_set_errno(s, AVAHI_ERR_INVALID_HOST_NAME); | ||
41 | |||
42 | if (avahi_domain_equal(s->host_name, label_escaped) && s->state != AVAHI_SERVER_COLLISION) | ||
43 | return avahi_server_set_errno(s, AVAHI_ERR_NO_CHANGE); | ||
44 | @@ -1288,7 +1291,7 @@ int avahi_server_set_host_name(AvahiServ | ||
45 | avahi_free(s->host_name); | ||
46 | s->host_name = avahi_strdup(label_escaped); | ||
47 | if (!s->host_name) | ||
48 | - return AVAHI_ERR_NO_MEMORY; | ||
49 | + return avahi_server_set_errno(s, AVAHI_ERR_NO_MEMORY); | ||
50 | |||
51 | update_fqdn(s); | ||
52 | |||
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch new file mode 100644 index 0000000000..f49d990a42 --- /dev/null +++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch | |||
@@ -0,0 +1,45 @@ | |||
1 | From b024ae5749f4aeba03478e6391687c3c9c8dee40 Mon Sep 17 00:00:00 2001 | ||
2 | From: Michal Sekletar <msekleta@redhat.com> | ||
3 | Date: Thu, 19 Oct 2023 17:36:44 +0200 | ||
4 | Subject: [PATCH] core: make sure there is rdata to process before parsing it | ||
5 | |||
6 | Fixes #452 | ||
7 | |||
8 | CVE-2023-38472 | ||
9 | |||
10 | Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38472.patch?h=ubuntu/focal-security | ||
11 | Upstream commit https://github.com/lathiat/avahi/commit/b024ae5749f4aeba03478e6391687c3c9c8dee40] | ||
12 | CVE: CVE-2023-38472 | ||
13 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
14 | --- | ||
15 | avahi-client/client-test.c | 3 +++ | ||
16 | avahi-daemon/dbus-entry-group.c | 2 +- | ||
17 | 2 files changed, 4 insertions(+), 1 deletion(-) | ||
18 | |||
19 | Index: avahi-0.7/avahi-client/client-test.c | ||
20 | =================================================================== | ||
21 | --- avahi-0.7.orig/avahi-client/client-test.c | ||
22 | +++ avahi-0.7/avahi-client/client-test.c | ||
23 | @@ -272,6 +272,9 @@ int main (AVAHI_GCC_UNUSED int argc, AVA | ||
24 | assert(error == AVAHI_ERR_INVALID_RECORD); | ||
25 | avahi_string_list_free(txt); | ||
26 | |||
27 | + error = avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "", 0); | ||
28 | + assert(error != AVAHI_OK); | ||
29 | + | ||
30 | avahi_entry_group_commit (group); | ||
31 | |||
32 | domain = avahi_domain_browser_new (avahi, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, NULL, AVAHI_DOMAIN_BROWSER_BROWSE, 0, avahi_domain_browser_callback, (char*) "omghai3u"); | ||
33 | Index: avahi-0.7/avahi-daemon/dbus-entry-group.c | ||
34 | =================================================================== | ||
35 | --- avahi-0.7.orig/avahi-daemon/dbus-entry-group.c | ||
36 | +++ avahi-0.7/avahi-daemon/dbus-entry-group.c | ||
37 | @@ -340,7 +340,7 @@ DBusHandlerResult avahi_dbus_msg_entry_g | ||
38 | if (!(r = avahi_record_new_full (name, clazz, type, ttl))) | ||
39 | return avahi_dbus_respond_error(c, m, AVAHI_ERR_NO_MEMORY, NULL); | ||
40 | |||
41 | - if (avahi_rdata_parse (r, rdata, size) < 0) { | ||
42 | + if (!rdata || avahi_rdata_parse (r, rdata, size) < 0) { | ||
43 | avahi_record_unref (r); | ||
44 | return avahi_dbus_respond_error(c, m, AVAHI_ERR_INVALID_RDATA, NULL); | ||
45 | } | ||
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch new file mode 100644 index 0000000000..59f6806c85 --- /dev/null +++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch | |||
@@ -0,0 +1,109 @@ | |||
1 | From b448c9f771bada14ae8de175695a9729f8646797 Mon Sep 17 00:00:00 2001 | ||
2 | From: Michal Sekletar <msekleta@redhat.com> | ||
3 | Date: Wed, 11 Oct 2023 17:45:44 +0200 | ||
4 | Subject: [PATCH] common: derive alternative host name from its unescaped | ||
5 | version | ||
6 | |||
7 | Normalization of input makes sure we don't have to deal with special | ||
8 | cases like unescaped dot at the end of label. | ||
9 | |||
10 | Fixes #451 #487 | ||
11 | CVE-2023-38473 | ||
12 | |||
13 | Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38473.patch?h=ubuntu/focal-security | ||
14 | Upstream commit https://github.com/lathiat/avahi/commit/b448c9f771bada14ae8de175695a9729f8646797] | ||
15 | CVE: CVE-2023-38473 | ||
16 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
17 | --- | ||
18 | avahi-common/alternative-test.c | 3 +++ | ||
19 | avahi-common/alternative.c | 27 +++++++++++++++++++-------- | ||
20 | 2 files changed, 22 insertions(+), 8 deletions(-) | ||
21 | |||
22 | Index: avahi-0.7/avahi-common/alternative-test.c | ||
23 | =================================================================== | ||
24 | --- avahi-0.7.orig/avahi-common/alternative-test.c | ||
25 | +++ avahi-0.7/avahi-common/alternative-test.c | ||
26 | @@ -31,6 +31,9 @@ int main(AVAHI_GCC_UNUSED int argc, AVAH | ||
27 | const char* const test_strings[] = { | ||
28 | "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", | ||
29 | "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXüüüüüüü", | ||
30 | + ").", | ||
31 | + "\\.", | ||
32 | + "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\\\", | ||
33 | "gurke", | ||
34 | "-", | ||
35 | " #", | ||
36 | Index: avahi-0.7/avahi-common/alternative.c | ||
37 | =================================================================== | ||
38 | --- avahi-0.7.orig/avahi-common/alternative.c | ||
39 | +++ avahi-0.7/avahi-common/alternative.c | ||
40 | @@ -49,15 +49,20 @@ static void drop_incomplete_utf8(char *c | ||
41 | } | ||
42 | |||
43 | char *avahi_alternative_host_name(const char *s) { | ||
44 | + char label[AVAHI_LABEL_MAX], alternative[AVAHI_LABEL_MAX*4+1]; | ||
45 | + char *alt, *r, *ret; | ||
46 | const char *e; | ||
47 | - char *r; | ||
48 | + size_t len; | ||
49 | |||
50 | assert(s); | ||
51 | |||
52 | if (!avahi_is_valid_host_name(s)) | ||
53 | return NULL; | ||
54 | |||
55 | - if ((e = strrchr(s, '-'))) { | ||
56 | + if (!avahi_unescape_label(&s, label, sizeof(label))) | ||
57 | + return NULL; | ||
58 | + | ||
59 | + if ((e = strrchr(label, '-'))) { | ||
60 | const char *p; | ||
61 | |||
62 | e++; | ||
63 | @@ -74,19 +79,18 @@ char *avahi_alternative_host_name(const | ||
64 | |||
65 | if (e) { | ||
66 | char *c, *m; | ||
67 | - size_t l; | ||
68 | int n; | ||
69 | |||
70 | n = atoi(e)+1; | ||
71 | if (!(m = avahi_strdup_printf("%i", n))) | ||
72 | return NULL; | ||
73 | |||
74 | - l = e-s-1; | ||
75 | + len = e-label-1; | ||
76 | |||
77 | - if (l >= AVAHI_LABEL_MAX-1-strlen(m)-1) | ||
78 | - l = AVAHI_LABEL_MAX-1-strlen(m)-1; | ||
79 | + if (len >= AVAHI_LABEL_MAX-1-strlen(m)-1) | ||
80 | + len = AVAHI_LABEL_MAX-1-strlen(m)-1; | ||
81 | |||
82 | - if (!(c = avahi_strndup(s, l))) { | ||
83 | + if (!(c = avahi_strndup(label, len))) { | ||
84 | avahi_free(m); | ||
85 | return NULL; | ||
86 | } | ||
87 | @@ -100,7 +104,7 @@ char *avahi_alternative_host_name(const | ||
88 | } else { | ||
89 | char *c; | ||
90 | |||
91 | - if (!(c = avahi_strndup(s, AVAHI_LABEL_MAX-1-2))) | ||
92 | + if (!(c = avahi_strndup(label, AVAHI_LABEL_MAX-1-2))) | ||
93 | return NULL; | ||
94 | |||
95 | drop_incomplete_utf8(c); | ||
96 | @@ -109,6 +113,13 @@ char *avahi_alternative_host_name(const | ||
97 | avahi_free(c); | ||
98 | } | ||
99 | |||
100 | + alt = alternative; | ||
101 | + len = sizeof(alternative); | ||
102 | + ret = avahi_escape_label(r, strlen(r), &alt, &len); | ||
103 | + | ||
104 | + avahi_free(r); | ||
105 | + r = avahi_strdup(ret); | ||
106 | + | ||
107 | assert(avahi_is_valid_host_name(r)); | ||
108 | |||
109 | return r; | ||
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2022-2795.patch b/meta/recipes-connectivity/bind/bind/CVE-2022-2795.patch new file mode 100644 index 0000000000..940c6776d3 --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/CVE-2022-2795.patch | |||
@@ -0,0 +1,67 @@ | |||
1 | From 36c878a0124973f29b7ca49e6bb18310f9b2601f Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org> | ||
3 | Date: Thu, 8 Sep 2022 11:11:30 +0200 | ||
4 | Subject: [PATCH 1/3] Bound the amount of work performed for delegations | ||
5 | |||
6 | Limit the amount of database lookups that can be triggered in | ||
7 | fctx_getaddresses() (i.e. when determining the name server addresses to | ||
8 | query next) by setting a hard limit on the number of NS RRs processed | ||
9 | for any delegation encountered. Without any limit in place, named can | ||
10 | be forced to perform large amounts of database lookups per each query | ||
11 | received, which severely impacts resolver performance. | ||
12 | |||
13 | The limit used (20) is an arbitrary value that is considered to be big | ||
14 | enough for any sane DNS delegation. | ||
15 | |||
16 | (cherry picked from commit 3a44097fd6c6c260765b628cd1d2c9cb7efb0b2a) | ||
17 | |||
18 | Upstream-Status: Backport | ||
19 | CVE: CVE-2022-2795 | ||
20 | Reference to upstream patch: | ||
21 | https://gitlab.isc.org/isc-projects/bind9/-/commit/bf2ea6d8525bfd96a84dad221ba9e004adb710a8 | ||
22 | |||
23 | Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com> | ||
24 | --- | ||
25 | lib/dns/resolver.c | 12 ++++++++++++ | ||
26 | 1 file changed, 12 insertions(+) | ||
27 | |||
28 | diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c | ||
29 | index 8ae9a993bbd7..ac9a9ef5d009 100644 | ||
30 | --- a/lib/dns/resolver.c | ||
31 | +++ b/lib/dns/resolver.c | ||
32 | @@ -180,6 +180,12 @@ | ||
33 | */ | ||
34 | #define NS_FAIL_LIMIT 4 | ||
35 | #define NS_RR_LIMIT 5 | ||
36 | +/* | ||
37 | + * IP address lookups are performed for at most NS_PROCESSING_LIMIT NS RRs in | ||
38 | + * any NS RRset encountered, to avoid excessive resource use while processing | ||
39 | + * large delegations. | ||
40 | + */ | ||
41 | +#define NS_PROCESSING_LIMIT 20 | ||
42 | |||
43 | /* Number of hash buckets for zone counters */ | ||
44 | #ifndef RES_DOMAIN_BUCKETS | ||
45 | @@ -3318,6 +3324,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) { | ||
46 | bool need_alternate = false; | ||
47 | bool all_spilled = true; | ||
48 | unsigned int no_addresses = 0; | ||
49 | + unsigned int ns_processed = 0; | ||
50 | |||
51 | FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth); | ||
52 | |||
53 | @@ -3504,6 +3511,11 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) { | ||
54 | |||
55 | dns_rdata_reset(&rdata); | ||
56 | dns_rdata_freestruct(&ns); | ||
57 | + | ||
58 | + if (++ns_processed >= NS_PROCESSING_LIMIT) { | ||
59 | + result = ISC_R_NOMORE; | ||
60 | + break; | ||
61 | + } | ||
62 | } | ||
63 | if (result != ISC_R_NOMORE) { | ||
64 | return (result); | ||
65 | -- | ||
66 | 2.34.1 | ||
67 | |||
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2022-38177.patch b/meta/recipes-connectivity/bind/bind/CVE-2022-38177.patch new file mode 100644 index 0000000000..0ef87fd260 --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/CVE-2022-38177.patch | |||
@@ -0,0 +1,31 @@ | |||
1 | From ef3d1a84ff807eea27b4fef601a15932c5ffbfbf Mon Sep 17 00:00:00 2001 | ||
2 | From: Mark Andrews <marka@isc.org> | ||
3 | Date: Thu, 11 Aug 2022 15:15:34 +1000 | ||
4 | Subject: [PATCH 2/3] Free eckey on siglen mismatch | ||
5 | |||
6 | Upstream-Status: Backport | ||
7 | CVE: CVE-2022-38177 | ||
8 | Reference to upstream patch: | ||
9 | https://gitlab.isc.org/isc-projects/bind9/-/commit/5b2282afff760b1ed3471f6666bdfe8e1d34e590 | ||
10 | |||
11 | Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com> | ||
12 | --- | ||
13 | lib/dns/opensslecdsa_link.c | 2 +- | ||
14 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
15 | |||
16 | diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c | ||
17 | index 83b5b51cd78c..7576e04ac635 100644 | ||
18 | --- a/lib/dns/opensslecdsa_link.c | ||
19 | +++ b/lib/dns/opensslecdsa_link.c | ||
20 | @@ -224,7 +224,7 @@ opensslecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) { | ||
21 | siglen = DNS_SIG_ECDSA384SIZE; | ||
22 | |||
23 | if (sig->length != siglen) | ||
24 | - return (DST_R_VERIFYFAILURE); | ||
25 | + DST_RET(DST_R_VERIFYFAILURE); | ||
26 | |||
27 | if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &dgstlen)) | ||
28 | DST_RET (dst__openssl_toresult3(dctx->category, | ||
29 | -- | ||
30 | 2.34.1 | ||
31 | |||
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2022-38178.patch b/meta/recipes-connectivity/bind/bind/CVE-2022-38178.patch new file mode 100644 index 0000000000..e0b398e24a --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/CVE-2022-38178.patch | |||
@@ -0,0 +1,33 @@ | |||
1 | From 65f5b2f0162d5d2ab25f463aa14a8bae71ace3d9 Mon Sep 17 00:00:00 2001 | ||
2 | From: Mark Andrews <marka@isc.org> | ||
3 | Date: Thu, 11 Aug 2022 15:28:13 +1000 | ||
4 | Subject: [PATCH 3/3] Free ctx on invalid siglen | ||
5 | |||
6 | (cherry picked from commit 6ddb480a84836641a0711768a94122972c166825) | ||
7 | |||
8 | Upstream-Status: Backport | ||
9 | CVE: CVE-2022-38178 | ||
10 | Reference to upstream patch: | ||
11 | https://gitlab.isc.org/isc-projects/bind9/-/commit/1af23378ebb11da2eb0f412e4563d6 | ||
12 | |||
13 | Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com> | ||
14 | --- | ||
15 | lib/dns/openssleddsa_link.c | 2 +- | ||
16 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
17 | |||
18 | diff --git a/lib/dns/openssleddsa_link.c b/lib/dns/openssleddsa_link.c | ||
19 | index 8b115ec283f0..b4fcd607c131 100644 | ||
20 | --- a/lib/dns/openssleddsa_link.c | ||
21 | +++ b/lib/dns/openssleddsa_link.c | ||
22 | @@ -325,7 +325,7 @@ openssleddsa_verify(dst_context_t *dctx, const isc_region_t *sig) { | ||
23 | siglen = DNS_SIG_ED448SIZE; | ||
24 | |||
25 | if (sig->length != siglen) | ||
26 | - return (DST_R_VERIFYFAILURE); | ||
27 | + DST_RET(ISC_R_NOTIMPLEMENTED); | ||
28 | |||
29 | isc_buffer_usedregion(buf, &tbsreg); | ||
30 | |||
31 | -- | ||
32 | 2.34.1 | ||
33 | |||
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2023-2828.patch b/meta/recipes-connectivity/bind/bind/CVE-2023-2828.patch new file mode 100644 index 0000000000..6f6c104530 --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/CVE-2023-2828.patch | |||
@@ -0,0 +1,166 @@ | |||
1 | |||
2 | Upstream-Status: Backport [import from debian security.debian.org/debian-security/pool/updates/main/b/bind9/bind9_9.11.5.P4+dfsg-5.1+deb10u9.debian.tar.xz | ||
3 | Upstream patch https://downloads.isc.org/isc/bind9/9.16.42/patches/0001-CVE-2023-2828.patch] | ||
4 | Upstream Commit: https://github.com/isc-projects/bind9/commit/da0eafcdee52147e72d407cc3b9f179378ee1d3a | ||
5 | CVE: CVE-2023-2828 | ||
6 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
7 | |||
8 | --- | ||
9 | lib/dns/rbtdb.c | 106 +++++++++++++++++++++++++++++++++----------------------- | ||
10 | 1 file changed, 63 insertions(+), 43 deletions(-) | ||
11 | |||
12 | diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c | ||
13 | index b1b928c..3165e26 100644 | ||
14 | --- a/lib/dns/rbtdb.c | ||
15 | +++ b/lib/dns/rbtdb.c | ||
16 | @@ -792,7 +792,7 @@ static void update_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, | ||
17 | static void expire_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, | ||
18 | bool tree_locked, expire_t reason); | ||
19 | static void overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start, | ||
20 | - isc_stdtime_t now, bool tree_locked); | ||
21 | + size_t purgesize, bool tree_locked); | ||
22 | static isc_result_t resign_insert(dns_rbtdb_t *rbtdb, int idx, | ||
23 | rdatasetheader_t *newheader); | ||
24 | static void resign_delete(dns_rbtdb_t *rbtdb, rbtdb_version_t *version, | ||
25 | @@ -6784,6 +6784,16 @@ addclosest(dns_rbtdb_t *rbtdb, rdatasetheader_t *newheader, | ||
26 | |||
27 | static dns_dbmethods_t zone_methods; | ||
28 | |||
29 | +static size_t | ||
30 | +rdataset_size(rdatasetheader_t *header) { | ||
31 | + if (!NONEXISTENT(header)) { | ||
32 | + return (dns_rdataslab_size((unsigned char *)header, | ||
33 | + sizeof(*header))); | ||
34 | + } | ||
35 | + | ||
36 | + return (sizeof(*header)); | ||
37 | +} | ||
38 | + | ||
39 | static isc_result_t | ||
40 | addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, | ||
41 | isc_stdtime_t now, dns_rdataset_t *rdataset, unsigned int options, | ||
42 | @@ -6932,7 +6942,8 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, | ||
43 | } | ||
44 | |||
45 | if (cache_is_overmem) | ||
46 | - overmem_purge(rbtdb, rbtnode->locknum, now, tree_locked); | ||
47 | + overmem_purge(rbtdb, rbtnode->locknum, rdataset_size(newheader), | ||
48 | + tree_locked); | ||
49 | |||
50 | NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock, | ||
51 | isc_rwlocktype_write); | ||
52 | @@ -6947,9 +6958,14 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, | ||
53 | cleanup_dead_nodes(rbtdb, rbtnode->locknum); | ||
54 | |||
55 | header = isc_heap_element(rbtdb->heaps[rbtnode->locknum], 1); | ||
56 | - if (header && header->rdh_ttl < now - RBTDB_VIRTUAL) | ||
57 | - expire_header(rbtdb, header, tree_locked, | ||
58 | - expire_ttl); | ||
59 | + if (header != NULL) { | ||
60 | + dns_ttl_t rdh_ttl = header->rdh_ttl; | ||
61 | + | ||
62 | + if (rdh_ttl < now - RBTDB_VIRTUAL) { | ||
63 | + expire_header(rbtdb, header, tree_locked, | ||
64 | + expire_ttl); | ||
65 | + } | ||
66 | + } | ||
67 | |||
68 | /* | ||
69 | * If we've been holding a write lock on the tree just for | ||
70 | @@ -10388,54 +10404,58 @@ update_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, | ||
71 | ISC_LIST_PREPEND(rbtdb->rdatasets[header->node->locknum], header, link); | ||
72 | } | ||
73 | |||
74 | +static size_t | ||
75 | +expire_lru_headers(dns_rbtdb_t *rbtdb, unsigned int locknum, size_t purgesize, | ||
76 | + bool tree_locked) { | ||
77 | + rdatasetheader_t *header, *header_prev; | ||
78 | + size_t purged = 0; | ||
79 | + | ||
80 | + for (header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]); | ||
81 | + header != NULL && purged <= purgesize; header = header_prev) | ||
82 | + { | ||
83 | + header_prev = ISC_LIST_PREV(header, link); | ||
84 | + /* | ||
85 | + * Unlink the entry at this point to avoid checking it | ||
86 | + * again even if it's currently used someone else and | ||
87 | + * cannot be purged at this moment. This entry won't be | ||
88 | + * referenced any more (so unlinking is safe) since the | ||
89 | + * TTL was reset to 0. | ||
90 | + */ | ||
91 | + ISC_LIST_UNLINK(rbtdb->rdatasets[locknum], header, link); | ||
92 | + size_t header_size = rdataset_size(header); | ||
93 | + expire_header(rbtdb, header, tree_locked, expire_lru); | ||
94 | + purged += header_size; | ||
95 | + } | ||
96 | + | ||
97 | + return (purged); | ||
98 | +} | ||
99 | + | ||
100 | /*% | ||
101 | - * Purge some expired and/or stale (i.e. unused for some period) cache entries | ||
102 | - * under an overmem condition. To recover from this condition quickly, up to | ||
103 | - * 2 entries will be purged. This process is triggered while adding a new | ||
104 | - * entry, and we specifically avoid purging entries in the same LRU bucket as | ||
105 | - * the one to which the new entry will belong. Otherwise, we might purge | ||
106 | - * entries of the same name of different RR types while adding RRsets from a | ||
107 | - * single response (consider the case where we're adding A and AAAA glue records | ||
108 | - * of the same NS name). | ||
109 | - */ | ||
110 | + * Purge some stale (i.e. unused for some period - LRU based cleaning) cache | ||
111 | + * entries under the overmem condition. To recover from this condition quickly, | ||
112 | + * we cleanup entries up to the size of newly added rdata (passed as purgesize). | ||
113 | + * | ||
114 | + * This process is triggered while adding a new entry, and we specifically avoid | ||
115 | + * purging entries in the same LRU bucket as the one to which the new entry will | ||
116 | + * belong. Otherwise, we might purge entries of the same name of different RR | ||
117 | + * types while adding RRsets from a single response (consider the case where | ||
118 | + * we're adding A and AAAA glue records of the same NS name). | ||
119 | +*/ | ||
120 | static void | ||
121 | -overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start, | ||
122 | - isc_stdtime_t now, bool tree_locked) | ||
123 | +overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start, size_t purgesize, | ||
124 | + bool tree_locked) | ||
125 | { | ||
126 | - rdatasetheader_t *header, *header_prev; | ||
127 | unsigned int locknum; | ||
128 | - int purgecount = 2; | ||
129 | + size_t purged = 0; | ||
130 | |||
131 | for (locknum = (locknum_start + 1) % rbtdb->node_lock_count; | ||
132 | - locknum != locknum_start && purgecount > 0; | ||
133 | + locknum != locknum_start && purged <= purgesize; | ||
134 | locknum = (locknum + 1) % rbtdb->node_lock_count) { | ||
135 | NODE_LOCK(&rbtdb->node_locks[locknum].lock, | ||
136 | isc_rwlocktype_write); | ||
137 | |||
138 | - header = isc_heap_element(rbtdb->heaps[locknum], 1); | ||
139 | - if (header && header->rdh_ttl < now - RBTDB_VIRTUAL) { | ||
140 | - expire_header(rbtdb, header, tree_locked, | ||
141 | - expire_ttl); | ||
142 | - purgecount--; | ||
143 | - } | ||
144 | - | ||
145 | - for (header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]); | ||
146 | - header != NULL && purgecount > 0; | ||
147 | - header = header_prev) { | ||
148 | - header_prev = ISC_LIST_PREV(header, link); | ||
149 | - /* | ||
150 | - * Unlink the entry at this point to avoid checking it | ||
151 | - * again even if it's currently used someone else and | ||
152 | - * cannot be purged at this moment. This entry won't be | ||
153 | - * referenced any more (so unlinking is safe) since the | ||
154 | - * TTL was reset to 0. | ||
155 | - */ | ||
156 | - ISC_LIST_UNLINK(rbtdb->rdatasets[locknum], header, | ||
157 | - link); | ||
158 | - expire_header(rbtdb, header, tree_locked, | ||
159 | - expire_lru); | ||
160 | - purgecount--; | ||
161 | - } | ||
162 | + purged += expire_lru_headers(rbtdb, locknum, purgesize - purged, | ||
163 | + tree_locked); | ||
164 | |||
165 | NODE_UNLOCK(&rbtdb->node_locks[locknum].lock, | ||
166 | isc_rwlocktype_write); | ||
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2023-3341.patch b/meta/recipes-connectivity/bind/bind/CVE-2023-3341.patch new file mode 100644 index 0000000000..be479cb00e --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/CVE-2023-3341.patch | |||
@@ -0,0 +1,175 @@ | |||
1 | From c4fac5ca98efd02fbaef43601627c7a3a09f5a71 Mon Sep 17 00:00:00 2001 | ||
2 | From: Mark Andrews <marka@isc.org> | ||
3 | Date: Tue, 20 Jun 2023 15:21:36 +1000 | ||
4 | Subject: [PATCH] Limit isccc_cc_fromwire recursion depth | ||
5 | |||
6 | Named and rndc do not need a lot of recursion so the depth is | ||
7 | set to 10. | ||
8 | |||
9 | Taken from BIND 9.16.44 change. | ||
10 | |||
11 | Upstream-Status: Backport [https://gitlab.isc.org/isc-projects/bind9/-/commit/c4fac5ca98efd02fbaef43601627c7a3a09f5a71] | ||
12 | CVE: CVE-2023-3341 | ||
13 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
14 | --- | ||
15 | lib/isccc/cc.c | 38 +++++++++++++++++++++++--------- | ||
16 | lib/isccc/include/isccc/result.h | 4 +++- | ||
17 | lib/isccc/result.c | 4 +++- | ||
18 | 3 files changed, 34 insertions(+), 12 deletions(-) | ||
19 | |||
20 | diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c | ||
21 | index e012685..8eac3d6 100644 | ||
22 | --- a/lib/isccc/cc.c | ||
23 | +++ b/lib/isccc/cc.c | ||
24 | @@ -53,6 +53,10 @@ | ||
25 | |||
26 | #define MAX_TAGS 256 | ||
27 | #define DUP_LIFETIME 900 | ||
28 | +#ifndef ISCCC_MAXDEPTH | ||
29 | +#define ISCCC_MAXDEPTH \ | ||
30 | + 10 /* Big enough for rndc which just sends a string each way. */ | ||
31 | +#endif | ||
32 | |||
33 | typedef isccc_sexpr_t *sexpr_ptr; | ||
34 | |||
35 | @@ -561,19 +565,25 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length, | ||
36 | |||
37 | static isc_result_t | ||
38 | table_fromwire(isccc_region_t *source, isccc_region_t *secret, | ||
39 | - uint32_t algorithm, isccc_sexpr_t **alistp); | ||
40 | + uint32_t algorithm, unsigned int depth, isccc_sexpr_t **alistp); | ||
41 | |||
42 | static isc_result_t | ||
43 | -list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp); | ||
44 | +list_fromwire(isccc_region_t *source, unsigned int depth, | ||
45 | + isccc_sexpr_t **listp); | ||
46 | |||
47 | static isc_result_t | ||
48 | -value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) { | ||
49 | +value_fromwire(isccc_region_t *source, unsigned int depth, | ||
50 | + isccc_sexpr_t **valuep) { | ||
51 | unsigned int msgtype; | ||
52 | uint32_t len; | ||
53 | isccc_sexpr_t *value; | ||
54 | isccc_region_t active; | ||
55 | isc_result_t result; | ||
56 | |||
57 | + if (depth > ISCCC_MAXDEPTH) { | ||
58 | + return (ISCCC_R_MAXDEPTH); | ||
59 | + } | ||
60 | + | ||
61 | if (REGION_SIZE(*source) < 1 + 4) | ||
62 | return (ISC_R_UNEXPECTEDEND); | ||
63 | GET8(msgtype, source->rstart); | ||
64 | @@ -591,9 +601,9 @@ value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) { | ||
65 | } else | ||
66 | result = ISC_R_NOMEMORY; | ||
67 | } else if (msgtype == ISCCC_CCMSGTYPE_TABLE) | ||
68 | - result = table_fromwire(&active, NULL, 0, valuep); | ||
69 | + result = table_fromwire(&active, NULL, 0, depth + 1, valuep); | ||
70 | else if (msgtype == ISCCC_CCMSGTYPE_LIST) | ||
71 | - result = list_fromwire(&active, valuep); | ||
72 | + result = list_fromwire(&active, depth + 1, valuep); | ||
73 | else | ||
74 | result = ISCCC_R_SYNTAX; | ||
75 | |||
76 | @@ -602,7 +612,7 @@ value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) { | ||
77 | |||
78 | static isc_result_t | ||
79 | table_fromwire(isccc_region_t *source, isccc_region_t *secret, | ||
80 | - uint32_t algorithm, isccc_sexpr_t **alistp) | ||
81 | + uint32_t algorithm, unsigned int depth, isccc_sexpr_t **alistp) | ||
82 | { | ||
83 | char key[256]; | ||
84 | uint32_t len; | ||
85 | @@ -613,6 +623,10 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret, | ||
86 | |||
87 | REQUIRE(alistp != NULL && *alistp == NULL); | ||
88 | |||
89 | + if (depth > ISCCC_MAXDEPTH) { | ||
90 | + return (ISCCC_R_MAXDEPTH); | ||
91 | + } | ||
92 | + | ||
93 | checksum_rstart = NULL; | ||
94 | first_tag = true; | ||
95 | alist = isccc_alist_create(); | ||
96 | @@ -628,7 +642,7 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret, | ||
97 | GET_MEM(key, len, source->rstart); | ||
98 | key[len] = '\0'; /* Ensure NUL termination. */ | ||
99 | value = NULL; | ||
100 | - result = value_fromwire(source, &value); | ||
101 | + result = value_fromwire(source, depth + 1, &value); | ||
102 | if (result != ISC_R_SUCCESS) | ||
103 | goto bad; | ||
104 | if (isccc_alist_define(alist, key, value) == NULL) { | ||
105 | @@ -661,14 +675,18 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret, | ||
106 | } | ||
107 | |||
108 | static isc_result_t | ||
109 | -list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp) { | ||
110 | +list_fromwire(isccc_region_t *source, unsigned int depth, isccc_sexpr_t **listp) { | ||
111 | isccc_sexpr_t *list, *value; | ||
112 | isc_result_t result; | ||
113 | |||
114 | + if (depth > ISCCC_MAXDEPTH) { | ||
115 | + return (ISCCC_R_MAXDEPTH); | ||
116 | + } | ||
117 | + | ||
118 | list = NULL; | ||
119 | while (!REGION_EMPTY(*source)) { | ||
120 | value = NULL; | ||
121 | - result = value_fromwire(source, &value); | ||
122 | + result = value_fromwire(source, depth + 1, &value); | ||
123 | if (result != ISC_R_SUCCESS) { | ||
124 | isccc_sexpr_free(&list); | ||
125 | return (result); | ||
126 | @@ -699,7 +717,7 @@ isccc_cc_fromwire(isccc_region_t *source, isccc_sexpr_t **alistp, | ||
127 | if (version != 1) | ||
128 | return (ISCCC_R_UNKNOWNVERSION); | ||
129 | |||
130 | - return (table_fromwire(source, secret, algorithm, alistp)); | ||
131 | + return (table_fromwire(source, secret, algorithm, 0, alistp)); | ||
132 | } | ||
133 | |||
134 | static isc_result_t | ||
135 | diff --git a/lib/isccc/include/isccc/result.h b/lib/isccc/include/isccc/result.h | ||
136 | index 6c79dd7..a85861c 100644 | ||
137 | --- a/lib/isccc/include/isccc/result.h | ||
138 | +++ b/lib/isccc/include/isccc/result.h | ||
139 | @@ -47,8 +47,10 @@ | ||
140 | #define ISCCC_R_CLOCKSKEW (ISC_RESULTCLASS_ISCCC + 4) | ||
141 | /*% Duplicate */ | ||
142 | #define ISCCC_R_DUPLICATE (ISC_RESULTCLASS_ISCCC + 5) | ||
143 | +/*% Maximum recursion depth */ | ||
144 | +#define ISCCC_R_MAXDEPTH (ISC_RESULTCLASS_ISCCC + 6) | ||
145 | |||
146 | -#define ISCCC_R_NRESULTS 6 /*%< Number of results */ | ||
147 | +#define ISCCC_R_NRESULTS 7 /*%< Number of results */ | ||
148 | |||
149 | ISC_LANG_BEGINDECLS | ||
150 | |||
151 | diff --git a/lib/isccc/result.c b/lib/isccc/result.c | ||
152 | index 8419bbb..325200b 100644 | ||
153 | --- a/lib/isccc/result.c | ||
154 | +++ b/lib/isccc/result.c | ||
155 | @@ -40,7 +40,8 @@ static const char *text[ISCCC_R_NRESULTS] = { | ||
156 | "bad auth", /* 3 */ | ||
157 | "expired", /* 4 */ | ||
158 | "clock skew", /* 5 */ | ||
159 | - "duplicate" /* 6 */ | ||
160 | + "duplicate", /* 6 */ | ||
161 | + "max depth", /* 7 */ | ||
162 | }; | ||
163 | |||
164 | static const char *ids[ISCCC_R_NRESULTS] = { | ||
165 | @@ -50,6 +51,7 @@ static const char *ids[ISCCC_R_NRESULTS] = { | ||
166 | "ISCCC_R_EXPIRED", | ||
167 | "ISCCC_R_CLOCKSKEW", | ||
168 | "ISCCC_R_DUPLICATE", | ||
169 | + "ISCCC_R_MAXDEPTH", | ||
170 | }; | ||
171 | |||
172 | #define ISCCC_RESULT_RESULTSET 2 | ||
173 | -- | ||
174 | 2.25.1 | ||
175 | |||
diff --git a/meta/recipes-connectivity/bind/bind_9.11.22.bb b/meta/recipes-connectivity/bind/bind_9.11.37.bb index 3b4a299b36..95bb5be005 100644 --- a/meta/recipes-connectivity/bind/bind_9.11.22.bb +++ b/meta/recipes-connectivity/bind/bind_9.11.37.bb | |||
@@ -1,9 +1,10 @@ | |||
1 | SUMMARY = "ISC Internet Domain Name Server" | 1 | SUMMARY = "ISC Internet Domain Name Server" |
2 | HOMEPAGE = "https://www.isc.org/bind/" | 2 | HOMEPAGE = "https://www.isc.org/bind/" |
3 | DESCRIPTION = "BIND 9 provides a full-featured Domain Name Server system" | ||
3 | SECTION = "console/network" | 4 | SECTION = "console/network" |
4 | 5 | ||
5 | LICENSE = "ISC & BSD" | 6 | LICENSE = "ISC & BSD" |
6 | LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=bf39058a7f64b2a934ce14dc9ec1dd45" | 7 | LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=89a97ebbf713f7125fe5c02223d3ae95" |
7 | 8 | ||
8 | DEPENDS = "openssl libcap zlib" | 9 | DEPENDS = "openssl libcap zlib" |
9 | 10 | ||
@@ -18,9 +19,14 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \ | |||
18 | file://0001-configure.in-remove-useless-L-use_openssl-lib.patch \ | 19 | file://0001-configure.in-remove-useless-L-use_openssl-lib.patch \ |
19 | file://0001-named-lwresd-V-and-start-log-hide-build-options.patch \ | 20 | file://0001-named-lwresd-V-and-start-log-hide-build-options.patch \ |
20 | file://0001-avoid-start-failure-with-bind-user.patch \ | 21 | file://0001-avoid-start-failure-with-bind-user.patch \ |
22 | file://CVE-2022-2795.patch \ | ||
23 | file://CVE-2022-38177.patch \ | ||
24 | file://CVE-2022-38178.patch \ | ||
25 | file://CVE-2023-2828.patch \ | ||
26 | file://CVE-2023-3341.patch \ | ||
21 | " | 27 | " |
22 | 28 | ||
23 | SRC_URI[sha256sum] = "afc6d8015006f1cabf699ff19f517bb8fd9c1811e5231f26baf51c3550262ac9" | 29 | SRC_URI[sha256sum] = "0d8efbe7ec166ada90e46add4267b7e7c934790cba9bd5af6b8380a4fbfb5aff" |
24 | 30 | ||
25 | UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/" | 31 | UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/" |
26 | # stay at 9.11 until 9.16, from 9.16 follow the ESV versions divisible by 4 | 32 | # stay at 9.11 until 9.16, from 9.16 follow the ESV versions divisible by 4 |
diff --git a/meta/recipes-connectivity/bluez5/bluez5.inc b/meta/recipes-connectivity/bluez5/bluez5.inc index f34ba0dce5..74fd344170 100644 --- a/meta/recipes-connectivity/bluez5/bluez5.inc +++ b/meta/recipes-connectivity/bluez5/bluez5.inc | |||
@@ -7,6 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=12f884d2ae1ff87c09e5b7ccc2c4ca7e \ | |||
7 | file://COPYING.LIB;md5=fb504b67c50331fc78734fed90fb0e09 \ | 7 | file://COPYING.LIB;md5=fb504b67c50331fc78734fed90fb0e09 \ |
8 | file://src/main.c;beginline=1;endline=24;md5=9bc54b93cd7e17bf03f52513f39f926e" | 8 | file://src/main.c;beginline=1;endline=24;md5=9bc54b93cd7e17bf03f52513f39f926e" |
9 | DEPENDS = "dbus glib-2.0" | 9 | DEPENDS = "dbus glib-2.0" |
10 | RDEPENDS:${PN} += "dbus" | ||
10 | PROVIDES += "bluez-hcidump" | 11 | PROVIDES += "bluez-hcidump" |
11 | RPROVIDES_${PN} += "bluez-hcidump" | 12 | RPROVIDES_${PN} += "bluez-hcidump" |
12 | 13 | ||
@@ -52,6 +53,13 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/bluetooth/bluez-${PV}.tar.xz \ | |||
52 | ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '', 'file://0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch', d)} \ | 53 | ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '', 'file://0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch', d)} \ |
53 | file://0001-tests-add-a-target-for-building-tests-without-runnin.patch \ | 54 | file://0001-tests-add-a-target-for-building-tests-without-runnin.patch \ |
54 | file://0001-test-gatt-Fix-hung-issue.patch \ | 55 | file://0001-test-gatt-Fix-hung-issue.patch \ |
56 | file://CVE-2021-0129.patch \ | ||
57 | file://CVE-2021-3588.patch \ | ||
58 | file://CVE-2021-3658.patch \ | ||
59 | file://CVE-2022-0204.patch \ | ||
60 | file://CVE-2022-39176.patch \ | ||
61 | file://CVE-2022-3637.patch \ | ||
62 | file://CVE-2023-45866.patch \ | ||
55 | " | 63 | " |
56 | S = "${WORKDIR}/bluez-${PV}" | 64 | S = "${WORKDIR}/bluez-${PV}" |
57 | 65 | ||
diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-0129.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-0129.patch new file mode 100644 index 0000000000..b39730dc10 --- /dev/null +++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-0129.patch | |||
@@ -0,0 +1,109 @@ | |||
1 | From 00da0fb4972cf59e1c075f313da81ea549cb8738 Mon Sep 17 00:00:00 2001 | ||
2 | From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> | ||
3 | Date: Tue, 2 Mar 2021 11:38:33 -0800 | ||
4 | Subject: shared/gatt-server: Fix not properly checking for secure flags | ||
5 | |||
6 | When passing the mask to check_permissions all valid permissions for | ||
7 | the operation must be set including BT_ATT_PERM_SECURE flags. | ||
8 | |||
9 | Upstream-Status: Backport [https://git.kernel.org/pub/scm/bluetooth/bluez.git/patch/?id=00da0fb4972cf59e1c075f313da81ea549cb8738] | ||
10 | Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com> | ||
11 | CVE: CVE-2021-0129 | ||
12 | --- | ||
13 | src/shared/att-types.h | 8 ++++++++ | ||
14 | src/shared/gatt-server.c | 25 +++++++------------------ | ||
15 | 2 files changed, 15 insertions(+), 18 deletions(-) | ||
16 | |||
17 | diff --git a/src/shared/att-types.h b/src/shared/att-types.h | ||
18 | index 7108b4e94..3adc05d9e 100644 | ||
19 | --- a/src/shared/att-types.h | ||
20 | +++ b/src/shared/att-types.h | ||
21 | @@ -129,6 +129,14 @@ struct bt_att_pdu_error_rsp { | ||
22 | #define BT_ATT_PERM_WRITE_SECURE 0x0200 | ||
23 | #define BT_ATT_PERM_SECURE (BT_ATT_PERM_READ_SECURE | \ | ||
24 | BT_ATT_PERM_WRITE_SECURE) | ||
25 | +#define BT_ATT_PERM_READ_MASK (BT_ATT_PERM_READ | \ | ||
26 | + BT_ATT_PERM_READ_AUTHEN | \ | ||
27 | + BT_ATT_PERM_READ_ENCRYPT | \ | ||
28 | + BT_ATT_PERM_READ_SECURE) | ||
29 | +#define BT_ATT_PERM_WRITE_MASK (BT_ATT_PERM_WRITE | \ | ||
30 | + BT_ATT_PERM_WRITE_AUTHEN | \ | ||
31 | + BT_ATT_PERM_WRITE_ENCRYPT | \ | ||
32 | + BT_ATT_PERM_WRITE_SECURE) | ||
33 | |||
34 | /* GATT Characteristic Properties Bitfield values */ | ||
35 | #define BT_GATT_CHRC_PROP_BROADCAST 0x01 | ||
36 | diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c | ||
37 | index b5f7de7dc..970c35f94 100644 | ||
38 | --- a/src/shared/gatt-server.c | ||
39 | +++ b/src/shared/gatt-server.c | ||
40 | @@ -444,9 +444,7 @@ static void process_read_by_type(struct async_read_op *op) | ||
41 | return; | ||
42 | } | ||
43 | |||
44 | - ecode = check_permissions(server, attr, BT_ATT_PERM_READ | | ||
45 | - BT_ATT_PERM_READ_AUTHEN | | ||
46 | - BT_ATT_PERM_READ_ENCRYPT); | ||
47 | + ecode = check_permissions(server, attr, BT_ATT_PERM_READ_MASK); | ||
48 | if (ecode) | ||
49 | goto error; | ||
50 | |||
51 | @@ -811,9 +809,7 @@ static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu, | ||
52 | (opcode == BT_ATT_OP_WRITE_REQ) ? "Req" : "Cmd", | ||
53 | handle); | ||
54 | |||
55 | - ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE | | ||
56 | - BT_ATT_PERM_WRITE_AUTHEN | | ||
57 | - BT_ATT_PERM_WRITE_ENCRYPT); | ||
58 | + ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK); | ||
59 | if (ecode) | ||
60 | goto error; | ||
61 | |||
62 | @@ -913,9 +909,7 @@ static void handle_read_req(struct bt_att_chan *chan, | ||
63 | opcode == BT_ATT_OP_READ_BLOB_REQ ? "Blob " : "", | ||
64 | handle); | ||
65 | |||
66 | - ecode = check_permissions(server, attr, BT_ATT_PERM_READ | | ||
67 | - BT_ATT_PERM_READ_AUTHEN | | ||
68 | - BT_ATT_PERM_READ_ENCRYPT); | ||
69 | + ecode = check_permissions(server, attr, BT_ATT_PERM_READ_MASK); | ||
70 | if (ecode) | ||
71 | goto error; | ||
72 | |||
73 | @@ -1051,9 +1045,8 @@ static void read_multiple_complete_cb(struct gatt_db_attribute *attr, int err, | ||
74 | goto error; | ||
75 | } | ||
76 | |||
77 | - ecode = check_permissions(data->server, next_attr, BT_ATT_PERM_READ | | ||
78 | - BT_ATT_PERM_READ_AUTHEN | | ||
79 | - BT_ATT_PERM_READ_ENCRYPT); | ||
80 | + ecode = check_permissions(data->server, next_attr, | ||
81 | + BT_ATT_PERM_READ_MASK); | ||
82 | if (ecode) | ||
83 | goto error; | ||
84 | |||
85 | @@ -1129,9 +1122,7 @@ static void read_multiple_cb(struct bt_att_chan *chan, uint8_t opcode, | ||
86 | goto error; | ||
87 | } | ||
88 | |||
89 | - ecode = check_permissions(data->server, attr, BT_ATT_PERM_READ | | ||
90 | - BT_ATT_PERM_READ_AUTHEN | | ||
91 | - BT_ATT_PERM_READ_ENCRYPT); | ||
92 | + ecode = check_permissions(data->server, attr, BT_ATT_PERM_READ_MASK); | ||
93 | if (ecode) | ||
94 | goto error; | ||
95 | |||
96 | @@ -1308,9 +1299,7 @@ static void prep_write_cb(struct bt_att_chan *chan, uint8_t opcode, | ||
97 | util_debug(server->debug_callback, server->debug_data, | ||
98 | "Prep Write Req - handle: 0x%04x", handle); | ||
99 | |||
100 | - ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE | | ||
101 | - BT_ATT_PERM_WRITE_AUTHEN | | ||
102 | - BT_ATT_PERM_WRITE_ENCRYPT); | ||
103 | + ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK); | ||
104 | if (ecode) | ||
105 | goto error; | ||
106 | |||
107 | -- | ||
108 | cgit 1.2.3-1.el7 | ||
109 | |||
diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3588.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3588.patch new file mode 100644 index 0000000000..f52ff47a06 --- /dev/null +++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3588.patch | |||
@@ -0,0 +1,34 @@ | |||
1 | From 3a40bef49305f8327635b81ac8be52a3ca063d5a Mon Sep 17 00:00:00 2001 | ||
2 | From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> | ||
3 | Date: Mon, 4 Jan 2021 10:38:31 -0800 | ||
4 | Subject: [PATCH] gatt: Fix potential buffer out-of-bound | ||
5 | |||
6 | When client features is read check if the offset is within the cli_feat | ||
7 | bounds. | ||
8 | |||
9 | Fixes: https://github.com/bluez/bluez/issues/70 | ||
10 | |||
11 | +Upstream-Status: Backport [https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=3a40bef49305f8327635b81ac8be52a3ca063d5a] | ||
12 | +Signed-off-by: Steve Sakoman <steve@sakoman.com> | ||
13 | +CVE: CVE-2021-3588 | ||
14 | |||
15 | --- | ||
16 | src/gatt-database.c | 5 +++++ | ||
17 | 1 file changed, 5 insertions(+) | ||
18 | |||
19 | diff --git a/src/gatt-database.c b/src/gatt-database.c | ||
20 | index 90cc4bade..f2d7b5821 100644 | ||
21 | --- a/src/gatt-database.c | ||
22 | +++ b/src/gatt-database.c | ||
23 | @@ -1075,6 +1075,11 @@ static void cli_feat_read_cb(struct gatt_db_attribute *attrib, | ||
24 | goto done; | ||
25 | } | ||
26 | |||
27 | + if (offset >= sizeof(state->cli_feat)) { | ||
28 | + ecode = BT_ATT_ERROR_INVALID_OFFSET; | ||
29 | + goto done; | ||
30 | + } | ||
31 | + | ||
32 | len = sizeof(state->cli_feat) - offset; | ||
33 | value = len ? &state->cli_feat[offset] : NULL; | ||
34 | |||
diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3658.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3658.patch new file mode 100644 index 0000000000..1738ca13da --- /dev/null +++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3658.patch | |||
@@ -0,0 +1,95 @@ | |||
1 | From b497b5942a8beb8f89ca1c359c54ad67ec843055 Mon Sep 17 00:00:00 2001 | ||
2 | From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> | ||
3 | Date: Thu, 24 Jun 2021 16:32:04 -0700 | ||
4 | Subject: [PATCH] adapter: Fix storing discoverable setting | ||
5 | |||
6 | discoverable setting shall only be store when changed via Discoverable | ||
7 | property and not when discovery client set it as that be considered | ||
8 | temporary just for the lifetime of the discovery. | ||
9 | |||
10 | Upstream-Status: Backport [https://github.com/bluez/bluez/commit/b497b5942a8beb8f89ca1c359c54ad67ec843055] | ||
11 | Signed-off-by:Minjae Kim <flowergom@gmail.com> | ||
12 | --- | ||
13 | src/adapter.c | 35 ++++++++++++++++++++++------------- | ||
14 | 1 file changed, 22 insertions(+), 13 deletions(-) | ||
15 | |||
16 | diff --git a/src/adapter.c b/src/adapter.c | ||
17 | index 12e4ff5c0..663b778e4 100644 | ||
18 | --- a/src/adapter.c | ||
19 | +++ b/src/adapter.c | ||
20 | @@ -560,7 +560,11 @@ static void settings_changed(struct btd_adapter *adapter, uint32_t settings) | ||
21 | if (changed_mask & MGMT_SETTING_DISCOVERABLE) { | ||
22 | g_dbus_emit_property_changed(dbus_conn, adapter->path, | ||
23 | ADAPTER_INTERFACE, "Discoverable"); | ||
24 | - store_adapter_info(adapter); | ||
25 | + /* Only persist discoverable setting if it was not set | ||
26 | + * temporarily by discovery. | ||
27 | + */ | ||
28 | + if (!adapter->discovery_discoverable) | ||
29 | + store_adapter_info(adapter); | ||
30 | btd_adv_manager_refresh(adapter->adv_manager); | ||
31 | } | ||
32 | |||
33 | @@ -2162,8 +2166,6 @@ static bool filters_equal(struct mgmt_cp_start_service_discovery *a, | ||
34 | static int update_discovery_filter(struct btd_adapter *adapter) | ||
35 | { | ||
36 | struct mgmt_cp_start_service_discovery *sd_cp; | ||
37 | - GSList *l; | ||
38 | - | ||
39 | |||
40 | DBG(""); | ||
41 | |||
42 | @@ -2173,17 +2175,24 @@ static int update_discovery_filter(struct btd_adapter *adapter) | ||
43 | return -ENOMEM; | ||
44 | } | ||
45 | |||
46 | - for (l = adapter->discovery_list; l; l = g_slist_next(l)) { | ||
47 | - struct discovery_client *client = l->data; | ||
48 | + /* Only attempt to overwrite current discoverable setting when not | ||
49 | + * discoverable. | ||
50 | + */ | ||
51 | + if (!(adapter->current_settings & MGMT_OP_SET_DISCOVERABLE)) { | ||
52 | + GSList *l; | ||
53 | |||
54 | - if (!client->discovery_filter) | ||
55 | - continue; | ||
56 | + for (l = adapter->discovery_list; l; l = g_slist_next(l)) { | ||
57 | + struct discovery_client *client = l->data; | ||
58 | |||
59 | - if (client->discovery_filter->discoverable) | ||
60 | - break; | ||
61 | - } | ||
62 | + if (!client->discovery_filter) | ||
63 | + continue; | ||
64 | |||
65 | - set_discovery_discoverable(adapter, l ? true : false); | ||
66 | + if (client->discovery_filter->discoverable) { | ||
67 | + set_discovery_discoverable(adapter, true); | ||
68 | + break; | ||
69 | + } | ||
70 | + } | ||
71 | + } | ||
72 | |||
73 | /* | ||
74 | * If filters are equal, then don't update scan, except for when | ||
75 | @@ -2216,8 +2225,7 @@ static int discovery_stop(struct discovery_client *client) | ||
76 | return 0; | ||
77 | } | ||
78 | |||
79 | - if (adapter->discovery_discoverable) | ||
80 | - set_discovery_discoverable(adapter, false); | ||
81 | + set_discovery_discoverable(adapter, false); | ||
82 | |||
83 | /* | ||
84 | * In the idle phase of a discovery, there is no need to stop it | ||
85 | @@ -6913,6 +6921,7 @@ static void adapter_stop(struct btd_adapter *adapter) | ||
86 | g_free(adapter->current_discovery_filter); | ||
87 | adapter->current_discovery_filter = NULL; | ||
88 | |||
89 | + set_discovery_discoverable(adapter, false); | ||
90 | adapter->discovering = false; | ||
91 | |||
92 | while (adapter->connections) { | ||
93 | -- | ||
94 | 2.25.1 | ||
95 | |||
diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-0204.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-0204.patch new file mode 100644 index 0000000000..646b5ddfc8 --- /dev/null +++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-0204.patch | |||
@@ -0,0 +1,66 @@ | |||
1 | From 0d328fdf6564b67fc2ec3533e3da201ebabcc9e3 Mon Sep 17 00:00:00 2001 | ||
2 | From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> | ||
3 | Date: Tue, 8 Jun 2021 16:46:49 -0700 | ||
4 | Subject: [PATCH] shared/gatt-server: Fix heap overflow when appending prepare | ||
5 | writes | ||
6 | |||
7 | The code shall check if the prepare writes would append more the | ||
8 | allowed maximum attribute length. | ||
9 | |||
10 | Fixes https://github.com/bluez/bluez/security/advisories/GHSA-479m-xcq5-9g2q | ||
11 | |||
12 | Upstream-Status: Backport [https://github.com/bluez/bluez/commit/591c546c536b42bef696d027f64aa22434f8c3f0] | ||
13 | Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org> | ||
14 | CVE: CVE-2022-0204 | ||
15 | |||
16 | --- | ||
17 | src/shared/gatt-server.c | 22 ++++++++++++++++++++++ | ||
18 | 1 file changed, 22 insertions(+) | ||
19 | |||
20 | diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c | ||
21 | index 0c25a97..20e14bc 100644 | ||
22 | --- a/src/shared/gatt-server.c | ||
23 | +++ b/src/shared/gatt-server.c | ||
24 | @@ -816,6 +816,20 @@ static uint8_t authorize_req(struct bt_gatt_server *server, | ||
25 | server->authorize_data); | ||
26 | } | ||
27 | |||
28 | +static uint8_t check_length(uint16_t length, uint16_t offset) | ||
29 | +{ | ||
30 | + if (length > BT_ATT_MAX_VALUE_LEN) | ||
31 | + return BT_ATT_ERROR_INVALID_ATTRIBUTE_VALUE_LEN; | ||
32 | + | ||
33 | + if (offset > BT_ATT_MAX_VALUE_LEN) | ||
34 | + return BT_ATT_ERROR_INVALID_OFFSET; | ||
35 | + | ||
36 | + if (length + offset > BT_ATT_MAX_VALUE_LEN) | ||
37 | + return BT_ATT_ERROR_INVALID_ATTRIBUTE_VALUE_LEN; | ||
38 | + | ||
39 | + return 0; | ||
40 | +} | ||
41 | + | ||
42 | static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu, | ||
43 | uint16_t length, void *user_data) | ||
44 | { | ||
45 | @@ -846,6 +860,10 @@ static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu, | ||
46 | (opcode == BT_ATT_OP_WRITE_REQ) ? "Req" : "Cmd", | ||
47 | handle); | ||
48 | |||
49 | + ecode = check_length(length, 0); | ||
50 | + if (ecode) | ||
51 | + goto error; | ||
52 | + | ||
53 | ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK); | ||
54 | if (ecode) | ||
55 | goto error; | ||
56 | @@ -1353,6 +1371,10 @@ static void prep_write_cb(struct bt_att_chan *chan, uint8_t opcode, | ||
57 | util_debug(server->debug_callback, server->debug_data, | ||
58 | "Prep Write Req - handle: 0x%04x", handle); | ||
59 | |||
60 | + ecode = check_length(length, offset); | ||
61 | + if (ecode) | ||
62 | + goto error; | ||
63 | + | ||
64 | ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK); | ||
65 | if (ecode) | ||
66 | goto error; | ||
diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-3637.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-3637.patch new file mode 100644 index 0000000000..4ca60f99d5 --- /dev/null +++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-3637.patch | |||
@@ -0,0 +1,39 @@ | |||
1 | From b808b2852a0b48c6f9dbb038f932613cea3126c2 Mon Sep 17 00:00:00 2001 | ||
2 | From: Hitendra Prajapati <hprajapati@mvista.com> | ||
3 | Date: Thu, 27 Oct 2022 09:51:27 +0530 | ||
4 | Subject: [PATCH] CVE-2022-3637 | ||
5 | |||
6 | Upstream-Status: Backport [https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/monitor/jlink.c?id=1d6cfb8e625a944010956714c1802bc1e1fc6c4f] | ||
7 | CVE: CVE-2022-3637 | ||
8 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
9 | |||
10 | monitor: Fix crash when using RTT backend | ||
11 | |||
12 | This fix regression introduced by "monitor: Fix memory leaks". | ||
13 | J-Link shared library is in use if jlink_init() returns 0 and thus | ||
14 | handle shall not be closed. | ||
15 | --- | ||
16 | monitor/jlink.c | 5 ++++- | ||
17 | 1 file changed, 4 insertions(+), 1 deletion(-) | ||
18 | |||
19 | diff --git a/monitor/jlink.c b/monitor/jlink.c | ||
20 | index afa9d93..5bd4aed 100644 | ||
21 | --- a/monitor/jlink.c | ||
22 | +++ b/monitor/jlink.c | ||
23 | @@ -120,9 +120,12 @@ int jlink_init(void) | ||
24 | !jlink.tif_select || !jlink.setspeed || | ||
25 | !jlink.connect || !jlink.getsn || | ||
26 | !jlink.emu_getproductname || | ||
27 | - !jlink.rtterminal_control || !jlink.rtterminal_read) | ||
28 | + !jlink.rtterminal_control || !jlink.rtterminal_read) { | ||
29 | + dlclose(so); | ||
30 | return -EIO; | ||
31 | + } | ||
32 | |||
33 | + /* don't dlclose(so) here cause symbols from it are in use now */ | ||
34 | return 0; | ||
35 | } | ||
36 | |||
37 | -- | ||
38 | 2.25.1 | ||
39 | |||
diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-39176.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-39176.patch new file mode 100644 index 0000000000..7bd1f5f80f --- /dev/null +++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-39176.patch | |||
@@ -0,0 +1,126 @@ | |||
1 | From 752c7f707c3cc1eb12eadc13bc336a5c484d4bdf Mon Sep 17 00:00:00 2001 | ||
2 | From: Hitendra Prajapati <hprajapati@mvista.com> | ||
3 | Date: Wed, 28 Sep 2022 10:45:53 +0530 | ||
4 | Subject: [PATCH] CVE-2022-39176 | ||
5 | |||
6 | Upstream-Status: Backport [https://launchpad.net/ubuntu/+source/bluez/5.53-0ubuntu3.6] | ||
7 | CVE: CVE-2022-39176 | ||
8 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
9 | --- | ||
10 | profiles/audio/avdtp.c | 56 +++++++++++++++++++++++++++--------------- | ||
11 | profiles/audio/avrcp.c | 8 ++++++ | ||
12 | 2 files changed, 44 insertions(+), 20 deletions(-) | ||
13 | |||
14 | diff --git a/profiles/audio/avdtp.c b/profiles/audio/avdtp.c | ||
15 | index 782268c..0adf413 100644 | ||
16 | --- a/profiles/audio/avdtp.c | ||
17 | +++ b/profiles/audio/avdtp.c | ||
18 | @@ -1261,43 +1261,53 @@ struct avdtp_remote_sep *avdtp_find_remote_sep(struct avdtp *session, | ||
19 | return NULL; | ||
20 | } | ||
21 | |||
22 | -static GSList *caps_to_list(uint8_t *data, int size, | ||
23 | +static GSList *caps_to_list(uint8_t *data, size_t size, | ||
24 | struct avdtp_service_capability **codec, | ||
25 | gboolean *delay_reporting) | ||
26 | { | ||
27 | + struct avdtp_service_capability *cap; | ||
28 | GSList *caps; | ||
29 | - int processed; | ||
30 | |||
31 | if (delay_reporting) | ||
32 | *delay_reporting = FALSE; | ||
33 | |||
34 | - for (processed = 0, caps = NULL; processed + 2 <= size;) { | ||
35 | - struct avdtp_service_capability *cap; | ||
36 | - uint8_t length, category; | ||
37 | + if (size < sizeof(*cap)) | ||
38 | + return NULL; | ||
39 | + | ||
40 | + for (caps = NULL; size >= sizeof(*cap);) { | ||
41 | + struct avdtp_service_capability *cpy; | ||
42 | |||
43 | - category = data[0]; | ||
44 | - length = data[1]; | ||
45 | + cap = (struct avdtp_service_capability *)data; | ||
46 | |||
47 | - if (processed + 2 + length > size) { | ||
48 | + if (sizeof(*cap) + cap->length > size) { | ||
49 | error("Invalid capability data in getcap resp"); | ||
50 | break; | ||
51 | } | ||
52 | |||
53 | - cap = g_malloc(sizeof(struct avdtp_service_capability) + | ||
54 | - length); | ||
55 | - memcpy(cap, data, 2 + length); | ||
56 | + if (cap->category == AVDTP_MEDIA_CODEC && | ||
57 | + cap->length < sizeof(**codec)) { | ||
58 | + error("Invalid codec data in getcap resp"); | ||
59 | + break; | ||
60 | + } | ||
61 | + | ||
62 | + cpy = btd_malloc(sizeof(*cpy) + cap->length); | ||
63 | + memcpy(cpy, cap, sizeof(*cap) + cap->length); | ||
64 | |||
65 | - processed += 2 + length; | ||
66 | - data += 2 + length; | ||
67 | + size -= sizeof(*cap) + cap->length; | ||
68 | + data += sizeof(*cap) + cap->length; | ||
69 | |||
70 | - caps = g_slist_append(caps, cap); | ||
71 | + caps = g_slist_append(caps, cpy); | ||
72 | |||
73 | - if (category == AVDTP_MEDIA_CODEC && | ||
74 | - length >= | ||
75 | - sizeof(struct avdtp_media_codec_capability)) | ||
76 | - *codec = cap; | ||
77 | - else if (category == AVDTP_DELAY_REPORTING && delay_reporting) | ||
78 | - *delay_reporting = TRUE; | ||
79 | + switch (cap->category) { | ||
80 | + case AVDTP_MEDIA_CODEC: | ||
81 | + if (codec) | ||
82 | + *codec = cpy; | ||
83 | + break; | ||
84 | + case AVDTP_DELAY_REPORTING: | ||
85 | + if (delay_reporting) | ||
86 | + *delay_reporting = TRUE; | ||
87 | + break; | ||
88 | + } | ||
89 | } | ||
90 | |||
91 | return caps; | ||
92 | @@ -1494,6 +1504,12 @@ static gboolean avdtp_setconf_cmd(struct avdtp *session, uint8_t transaction, | ||
93 | &stream->codec, | ||
94 | &stream->delay_reporting); | ||
95 | |||
96 | + if (!stream->caps || !stream->codec) { | ||
97 | + err = AVDTP_UNSUPPORTED_CONFIGURATION; | ||
98 | + category = 0x00; | ||
99 | + goto failed_stream; | ||
100 | + } | ||
101 | + | ||
102 | /* Verify that the Media Transport capability's length = 0. Reject otherwise */ | ||
103 | for (l = stream->caps; l != NULL; l = g_slist_next(l)) { | ||
104 | struct avdtp_service_capability *cap = l->data; | ||
105 | diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c | ||
106 | index d9471c0..0233d53 100644 | ||
107 | --- a/profiles/audio/avrcp.c | ||
108 | +++ b/profiles/audio/avrcp.c | ||
109 | @@ -1916,6 +1916,14 @@ static size_t handle_vendordep_pdu(struct avctp *conn, uint8_t transaction, | ||
110 | goto err_metadata; | ||
111 | } | ||
112 | |||
113 | + operands += sizeof(*pdu); | ||
114 | + operand_count -= sizeof(*pdu); | ||
115 | + | ||
116 | + if (pdu->params_len != operand_count) { | ||
117 | + DBG("AVRCP PDU parameters length don't match"); | ||
118 | + pdu->params_len = operand_count; | ||
119 | + } | ||
120 | + | ||
121 | for (handler = session->control_handlers; handler->pdu_id; handler++) { | ||
122 | if (handler->pdu_id == pdu->pdu_id) | ||
123 | break; | ||
124 | -- | ||
125 | 2.25.1 | ||
126 | |||
diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2023-45866.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2023-45866.patch new file mode 100644 index 0000000000..43670ab2b3 --- /dev/null +++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2023-45866.patch | |||
@@ -0,0 +1,54 @@ | |||
1 | From 25a471a83e02e1effb15d5a488b3f0085eaeb675 Mon Sep 17 00:00:00 2001 | ||
2 | From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> | ||
3 | Date: Tue, 10 Oct 2023 13:03:12 -0700 | ||
4 | Subject: input.conf: Change default of ClassicBondedOnly | ||
5 | |||
6 | This changes the default of ClassicBondedOnly since defaulting to false | ||
7 | is not inline with HID specification which mandates the of Security Mode | ||
8 | 4: | ||
9 | |||
10 | BLUETOOTH SPECIFICATION Page 84 of 123 | ||
11 | Human Interface Device (HID) Profile: | ||
12 | |||
13 | 5.4.3.4.2 Security Modes | ||
14 | Bluetooth HID Hosts shall use Security Mode 4 when interoperating with | ||
15 | Bluetooth HID devices that are compliant to the Bluetooth Core | ||
16 | Specification v2.1+EDR[6]. | ||
17 | |||
18 | Upstream-Status: Backport [https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=25a471a83e02e1effb15d5a488b3f0085eaeb675] | ||
19 | CVE: CVE-2023-45866 | ||
20 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
21 | --- | ||
22 | profiles/input/device.c | 2 +- | ||
23 | profiles/input/input.conf | 2 +- | ||
24 | 2 files changed, 2 insertions(+), 2 deletions(-) | ||
25 | |||
26 | diff --git a/profiles/input/device.c b/profiles/input/device.c | ||
27 | index 375314e..0236488 100644 | ||
28 | --- a/profiles/input/device.c | ||
29 | +++ b/profiles/input/device.c | ||
30 | @@ -93,7 +93,7 @@ struct input_device { | ||
31 | |||
32 | static int idle_timeout = 0; | ||
33 | static bool uhid_enabled = false; | ||
34 | -static bool classic_bonded_only = false; | ||
35 | +static bool classic_bonded_only = true; | ||
36 | |||
37 | void input_set_idle_timeout(int timeout) | ||
38 | { | ||
39 | diff --git a/profiles/input/input.conf b/profiles/input/input.conf | ||
40 | index 4c70bc5..d8645f3 100644 | ||
41 | --- a/profiles/input/input.conf | ||
42 | +++ b/profiles/input/input.conf | ||
43 | @@ -17,7 +17,7 @@ | ||
44 | # platforms may want to make sure that input connections only come from bonded | ||
45 | # device connections. Several older mice have been known for not supporting | ||
46 | # pairing/encryption. | ||
47 | -# Defaults to false to maximize device compatibility. | ||
48 | +# Defaults to true for security. | ||
49 | #ClassicBondedOnly=true | ||
50 | |||
51 | # LE upgrade security | ||
52 | -- | ||
53 | 2.25.1 | ||
54 | |||
diff --git a/meta/recipes-connectivity/bluez5/bluez5_5.55.bb b/meta/recipes-connectivity/bluez5/bluez5_5.55.bb index 8190924562..be74a35e0a 100644 --- a/meta/recipes-connectivity/bluez5/bluez5_5.55.bb +++ b/meta/recipes-connectivity/bluez5/bluez5_5.55.bb | |||
@@ -3,6 +3,16 @@ require bluez5.inc | |||
3 | SRC_URI[md5sum] = "94972b8bc7ade60c72b0ffa6ccff2c0a" | 3 | SRC_URI[md5sum] = "94972b8bc7ade60c72b0ffa6ccff2c0a" |
4 | SRC_URI[sha256sum] = "8863717113c4897e2ad3271fc808ea245319e6fd95eed2e934fae8e0894e9b88" | 4 | SRC_URI[sha256sum] = "8863717113c4897e2ad3271fc808ea245319e6fd95eed2e934fae8e0894e9b88" |
5 | 5 | ||
6 | # These issues have kernel fixes rather than bluez fixes so exclude here | ||
7 | CVE_CHECK_WHITELIST += "CVE-2020-12352 CVE-2020-24490" | ||
8 | |||
9 | # Commit 7a80d2096f1b7125085e21448112aa02f49f5e9a, e2b0f0d8d63e1223bb714a9efb37e2257818268b | ||
10 | # and 0388794dc5fdb73a4ea88bcf148de0a12b4364d4 to fix CVE-2022-39177 | ||
11 | # already backport in CVE-2022-39176.patch | ||
12 | # https://bugs.launchpad.net/ubuntu/+source/bluez/+bug/1977968 | ||
13 | |||
14 | CVE_CHECK_WHITELIST += "CVE-2022-39177" | ||
15 | |||
6 | # noinst programs in Makefile.tools that are conditional on READLINE | 16 | # noinst programs in Makefile.tools that are conditional on READLINE |
7 | # support | 17 | # support |
8 | NOINST_TOOLS_READLINE ?= " \ | 18 | NOINST_TOOLS_READLINE ?= " \ |
diff --git a/meta/recipes-connectivity/connman/connman-gnome_0.7.bb b/meta/recipes-connectivity/connman/connman-gnome_0.7.bb index 778bf50191..24593d6258 100644 --- a/meta/recipes-connectivity/connman/connman-gnome_0.7.bb +++ b/meta/recipes-connectivity/connman/connman-gnome_0.7.bb | |||
@@ -10,7 +10,7 @@ DEPENDS = "gtk+3 dbus-glib dbus-glib-native intltool-native gettext-native" | |||
10 | 10 | ||
11 | # 0.7 tag | 11 | # 0.7 tag |
12 | SRCREV = "cf3c325b23dae843c5499a113591cfbc98acb143" | 12 | SRCREV = "cf3c325b23dae843c5499a113591cfbc98acb143" |
13 | SRC_URI = "git://github.com/connectivity/connman-gnome.git \ | 13 | SRC_URI = "git://github.com/connectivity/connman-gnome.git;branch=master;protocol=https \ |
14 | file://0001-Removed-icon-from-connman-gnome-about-applet.patch \ | 14 | file://0001-Removed-icon-from-connman-gnome-about-applet.patch \ |
15 | file://null_check_for_ipv4_config.patch \ | 15 | file://null_check_for_ipv4_config.patch \ |
16 | file://images/* \ | 16 | file://images/* \ |
diff --git a/meta/recipes-connectivity/connman/connman.inc b/meta/recipes-connectivity/connman/connman.inc index 55e5bf97c7..c495ae29ad 100644 --- a/meta/recipes-connectivity/connman/connman.inc +++ b/meta/recipes-connectivity/connman/connman.inc | |||
@@ -15,6 +15,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=12f884d2ae1ff87c09e5b7ccc2c4ca7e \ | |||
15 | 15 | ||
16 | inherit autotools pkgconfig systemd update-rc.d update-alternatives | 16 | inherit autotools pkgconfig systemd update-rc.d update-alternatives |
17 | 17 | ||
18 | CVE_PRODUCT = "connman connection_manager" | ||
19 | |||
18 | DEPENDS = "dbus glib-2.0 ppp" | 20 | DEPENDS = "dbus glib-2.0 ppp" |
19 | 21 | ||
20 | INC_PR = "r20" | 22 | INC_PR = "r20" |
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2021-26675.patch b/meta/recipes-connectivity/connman/connman/CVE-2021-26675.patch new file mode 100644 index 0000000000..2648a832ca --- /dev/null +++ b/meta/recipes-connectivity/connman/connman/CVE-2021-26675.patch | |||
@@ -0,0 +1,62 @@ | |||
1 | From e4079a20f617a4b076af503f6e4e8b0304c9f2cb Mon Sep 17 00:00:00 2001 | ||
2 | From: Colin Wee <cwee@tesla.com> | ||
3 | Date: Thu, 28 Jan 2021 19:41:53 +0100 | ||
4 | Subject: [PATCH] dnsproxy: Add length checks to prevent buffer overflow | ||
5 | |||
6 | Fixes: CVE-2021-26675 | ||
7 | |||
8 | Upstream-Status: Backport | ||
9 | CVE: CVE-2021-26675 | ||
10 | |||
11 | Reference to upstream patch: | ||
12 | https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=e4079a20f617a4b076af503f6e4e8b0304c9f2cb | ||
13 | |||
14 | Signed-off-by: Catalin Enache <catalin.enache@windriver.com> | ||
15 | --- | ||
16 | src/dnsproxy.c | 14 +++++++++++--- | ||
17 | 1 file changed, 11 insertions(+), 3 deletions(-) | ||
18 | |||
19 | diff --git a/src/dnsproxy.c b/src/dnsproxy.c | ||
20 | index a7bf87a1..4f5c897f 100644 | ||
21 | --- a/src/dnsproxy.c | ||
22 | +++ b/src/dnsproxy.c | ||
23 | @@ -1767,6 +1767,7 @@ static char *uncompress(int16_t field_count, char *start, char *end, | ||
24 | char **uncompressed_ptr) | ||
25 | { | ||
26 | char *uptr = *uncompressed_ptr; /* position in result buffer */ | ||
27 | + char * const uncomp_end = uncompressed + uncomp_len - 1; | ||
28 | |||
29 | debug("count %d ptr %p end %p uptr %p", field_count, ptr, end, uptr); | ||
30 | |||
31 | @@ -1787,12 +1788,15 @@ static char *uncompress(int16_t field_count, char *start, char *end, | ||
32 | * tmp buffer. | ||
33 | */ | ||
34 | |||
35 | - ulen = strlen(name); | ||
36 | - strncpy(uptr, name, uncomp_len - (uptr - uncompressed)); | ||
37 | - | ||
38 | debug("pos %d ulen %d left %d name %s", pos, ulen, | ||
39 | (int)(uncomp_len - (uptr - uncompressed)), uptr); | ||
40 | |||
41 | + ulen = strlen(name); | ||
42 | + if ((uptr + ulen + 1) > uncomp_end) { | ||
43 | + goto out; | ||
44 | + } | ||
45 | + strncpy(uptr, name, uncomp_len - (uptr - uncompressed)); | ||
46 | + | ||
47 | uptr += ulen; | ||
48 | *uptr++ = '\0'; | ||
49 | |||
50 | @@ -1802,6 +1806,10 @@ static char *uncompress(int16_t field_count, char *start, char *end, | ||
51 | * We copy also the fixed portion of the result (type, class, | ||
52 | * ttl, address length and the address) | ||
53 | */ | ||
54 | + if ((uptr + NS_RRFIXEDSZ) > uncomp_end) { | ||
55 | + debug("uncompressed data too large for buffer"); | ||
56 | + goto out; | ||
57 | + } | ||
58 | memcpy(uptr, ptr, NS_RRFIXEDSZ); | ||
59 | |||
60 | dns_type = uptr[0] << 8 | uptr[1]; | ||
61 | -- | ||
62 | 2.17.1 | ||
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2021-26676-0001.patch b/meta/recipes-connectivity/connman/connman/CVE-2021-26676-0001.patch new file mode 100644 index 0000000000..4104e4bfc6 --- /dev/null +++ b/meta/recipes-connectivity/connman/connman/CVE-2021-26676-0001.patch | |||
@@ -0,0 +1,231 @@ | |||
1 | From 58d397ba74873384aee449690a9070bacd5676fa Mon Sep 17 00:00:00 2001 | ||
2 | From: Colin Wee <cwee@tesla.com> | ||
3 | Date: Thu, 28 Jan 2021 19:39:14 +0100 | ||
4 | Subject: [PATCH] gdhcp: Avoid reading invalid data in dhcp_get_option | ||
5 | |||
6 | Upstream-Status: Backport | ||
7 | CVE: CVE-2021-26676 | ||
8 | |||
9 | Reference to upstream patch: | ||
10 | https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=58d397ba74873384aee449690a9070bacd5676fa | ||
11 | |||
12 | Signed-off-by: Catalin Enache <catalin.enache@windriver.com> | ||
13 | --- | ||
14 | gdhcp/client.c | 20 +++++++++++--------- | ||
15 | gdhcp/common.c | 24 +++++++++++++++++++----- | ||
16 | gdhcp/common.h | 2 +- | ||
17 | gdhcp/server.c | 12 +++++++----- | ||
18 | 4 files changed, 38 insertions(+), 20 deletions(-) | ||
19 | |||
20 | diff --git a/gdhcp/client.c b/gdhcp/client.c | ||
21 | index 09dfe5ec..6a5613e7 100644 | ||
22 | --- a/gdhcp/client.c | ||
23 | +++ b/gdhcp/client.c | ||
24 | @@ -1629,12 +1629,12 @@ static void start_request(GDHCPClient *dhcp_client) | ||
25 | NULL); | ||
26 | } | ||
27 | |||
28 | -static uint32_t get_lease(struct dhcp_packet *packet) | ||
29 | +static uint32_t get_lease(struct dhcp_packet *packet, uint16_t packet_len) | ||
30 | { | ||
31 | uint8_t *option; | ||
32 | uint32_t lease_seconds; | ||
33 | |||
34 | - option = dhcp_get_option(packet, DHCP_LEASE_TIME); | ||
35 | + option = dhcp_get_option(packet, packet_len, DHCP_LEASE_TIME); | ||
36 | if (!option) | ||
37 | return 3600; | ||
38 | |||
39 | @@ -2226,7 +2226,8 @@ static void get_dhcpv6_request(GDHCPClient *dhcp_client, | ||
40 | } | ||
41 | } | ||
42 | |||
43 | -static void get_request(GDHCPClient *dhcp_client, struct dhcp_packet *packet) | ||
44 | +static void get_request(GDHCPClient *dhcp_client, struct dhcp_packet *packet, | ||
45 | + uint16_t packet_len) | ||
46 | { | ||
47 | GDHCPOptionType type; | ||
48 | GList *list, *value_list; | ||
49 | @@ -2237,7 +2238,7 @@ static void get_request(GDHCPClient *dhcp_client, struct dhcp_packet *packet) | ||
50 | for (list = dhcp_client->request_list; list; list = list->next) { | ||
51 | code = (uint8_t) GPOINTER_TO_INT(list->data); | ||
52 | |||
53 | - option = dhcp_get_option(packet, code); | ||
54 | + option = dhcp_get_option(packet, packet_len, code); | ||
55 | if (!option) { | ||
56 | g_hash_table_remove(dhcp_client->code_value_hash, | ||
57 | GINT_TO_POINTER((int) code)); | ||
58 | @@ -2297,6 +2298,7 @@ static gboolean listener_event(GIOChannel *channel, GIOCondition condition, | ||
59 | re = dhcp_recv_l2_packet(&packet, | ||
60 | dhcp_client->listener_sockfd, | ||
61 | &dst_addr); | ||
62 | + pkt_len = (uint16_t)(unsigned int)re; | ||
63 | xid = packet.xid; | ||
64 | } else if (dhcp_client->listen_mode == L3) { | ||
65 | if (dhcp_client->type == G_DHCP_IPV6) { | ||
66 | @@ -2361,7 +2363,7 @@ static gboolean listener_event(GIOChannel *channel, GIOCondition condition, | ||
67 | dhcp_client->status_code = status; | ||
68 | } | ||
69 | } else { | ||
70 | - message_type = dhcp_get_option(&packet, DHCP_MESSAGE_TYPE); | ||
71 | + message_type = dhcp_get_option(&packet, pkt_len, DHCP_MESSAGE_TYPE); | ||
72 | if (!message_type) | ||
73 | return TRUE; | ||
74 | } | ||
75 | @@ -2378,7 +2380,7 @@ static gboolean listener_event(GIOChannel *channel, GIOCondition condition, | ||
76 | dhcp_client->timeout = 0; | ||
77 | dhcp_client->retry_times = 0; | ||
78 | |||
79 | - option = dhcp_get_option(&packet, DHCP_SERVER_ID); | ||
80 | + option = dhcp_get_option(&packet, pkt_len, DHCP_SERVER_ID); | ||
81 | dhcp_client->server_ip = get_be32(option); | ||
82 | dhcp_client->requested_ip = ntohl(packet.yiaddr); | ||
83 | |||
84 | @@ -2428,9 +2430,9 @@ static gboolean listener_event(GIOChannel *channel, GIOCondition condition, | ||
85 | |||
86 | remove_timeouts(dhcp_client); | ||
87 | |||
88 | - dhcp_client->lease_seconds = get_lease(&packet); | ||
89 | + dhcp_client->lease_seconds = get_lease(&packet, pkt_len); | ||
90 | |||
91 | - get_request(dhcp_client, &packet); | ||
92 | + get_request(dhcp_client, &packet, pkt_len); | ||
93 | |||
94 | switch_listening_mode(dhcp_client, L_NONE); | ||
95 | |||
96 | @@ -2438,7 +2440,7 @@ static gboolean listener_event(GIOChannel *channel, GIOCondition condition, | ||
97 | dhcp_client->assigned_ip = get_ip(packet.yiaddr); | ||
98 | |||
99 | if (dhcp_client->state == REBOOTING) { | ||
100 | - option = dhcp_get_option(&packet, | ||
101 | + option = dhcp_get_option(&packet, pkt_len, | ||
102 | DHCP_SERVER_ID); | ||
103 | dhcp_client->server_ip = get_be32(option); | ||
104 | } | ||
105 | diff --git a/gdhcp/common.c b/gdhcp/common.c | ||
106 | index 1d667d17..c8916aa8 100644 | ||
107 | --- a/gdhcp/common.c | ||
108 | +++ b/gdhcp/common.c | ||
109 | @@ -73,18 +73,21 @@ GDHCPOptionType dhcp_get_code_type(uint8_t code) | ||
110 | return OPTION_UNKNOWN; | ||
111 | } | ||
112 | |||
113 | -uint8_t *dhcp_get_option(struct dhcp_packet *packet, int code) | ||
114 | +uint8_t *dhcp_get_option(struct dhcp_packet *packet, uint16_t packet_len, int code) | ||
115 | { | ||
116 | int len, rem; | ||
117 | - uint8_t *optionptr; | ||
118 | + uint8_t *optionptr, *options_end; | ||
119 | + size_t options_len; | ||
120 | uint8_t overload = 0; | ||
121 | |||
122 | /* option bytes: [code][len][data1][data2]..[dataLEN] */ | ||
123 | optionptr = packet->options; | ||
124 | rem = sizeof(packet->options); | ||
125 | + options_len = packet_len - (sizeof(*packet) - sizeof(packet->options)); | ||
126 | + options_end = optionptr + options_len - 1; | ||
127 | |||
128 | while (1) { | ||
129 | - if (rem <= 0) | ||
130 | + if ((rem <= 0) && (optionptr + OPT_CODE > options_end)) | ||
131 | /* Bad packet, malformed option field */ | ||
132 | return NULL; | ||
133 | |||
134 | @@ -115,14 +118,25 @@ uint8_t *dhcp_get_option(struct dhcp_packet *packet, int code) | ||
135 | break; | ||
136 | } | ||
137 | |||
138 | + if (optionptr + OPT_LEN > options_end) { | ||
139 | + /* bad packet, would read length field from OOB */ | ||
140 | + return NULL; | ||
141 | + } | ||
142 | + | ||
143 | len = 2 + optionptr[OPT_LEN]; | ||
144 | |||
145 | rem -= len; | ||
146 | if (rem < 0) | ||
147 | continue; /* complain and return NULL */ | ||
148 | |||
149 | - if (optionptr[OPT_CODE] == code) | ||
150 | - return optionptr + OPT_DATA; | ||
151 | + if (optionptr[OPT_CODE] == code) { | ||
152 | + if (optionptr + len > options_end) { | ||
153 | + /* bad packet, option length points OOB */ | ||
154 | + return NULL; | ||
155 | + } else { | ||
156 | + return optionptr + OPT_DATA; | ||
157 | + } | ||
158 | + } | ||
159 | |||
160 | if (optionptr[OPT_CODE] == DHCP_OPTION_OVERLOAD) | ||
161 | overload |= optionptr[OPT_DATA]; | ||
162 | diff --git a/gdhcp/common.h b/gdhcp/common.h | ||
163 | index 9660231c..8f63fd75 100644 | ||
164 | --- a/gdhcp/common.h | ||
165 | +++ b/gdhcp/common.h | ||
166 | @@ -179,7 +179,7 @@ struct in6_pktinfo { | ||
167 | }; | ||
168 | #endif | ||
169 | |||
170 | -uint8_t *dhcp_get_option(struct dhcp_packet *packet, int code); | ||
171 | +uint8_t *dhcp_get_option(struct dhcp_packet *packet, uint16_t packet_len, int code); | ||
172 | uint8_t *dhcpv6_get_option(struct dhcpv6_packet *packet, uint16_t pkt_len, | ||
173 | int code, uint16_t *option_len, int *option_count); | ||
174 | uint8_t *dhcpv6_get_sub_option(unsigned char *option, uint16_t max_len, | ||
175 | diff --git a/gdhcp/server.c b/gdhcp/server.c | ||
176 | index 85405f19..52ea2a55 100644 | ||
177 | --- a/gdhcp/server.c | ||
178 | +++ b/gdhcp/server.c | ||
179 | @@ -413,7 +413,7 @@ error: | ||
180 | } | ||
181 | |||
182 | |||
183 | -static uint8_t check_packet_type(struct dhcp_packet *packet) | ||
184 | +static uint8_t check_packet_type(struct dhcp_packet *packet, uint16_t packet_len) | ||
185 | { | ||
186 | uint8_t *type; | ||
187 | |||
188 | @@ -423,7 +423,7 @@ static uint8_t check_packet_type(struct dhcp_packet *packet) | ||
189 | if (packet->op != BOOTREQUEST) | ||
190 | return 0; | ||
191 | |||
192 | - type = dhcp_get_option(packet, DHCP_MESSAGE_TYPE); | ||
193 | + type = dhcp_get_option(packet, packet_len, DHCP_MESSAGE_TYPE); | ||
194 | |||
195 | if (!type) | ||
196 | return 0; | ||
197 | @@ -651,6 +651,7 @@ static gboolean listener_event(GIOChannel *channel, GIOCondition condition, | ||
198 | struct dhcp_lease *lease; | ||
199 | uint32_t requested_nip = 0; | ||
200 | uint8_t type, *server_id_option, *request_ip_option; | ||
201 | + uint16_t packet_len; | ||
202 | int re; | ||
203 | |||
204 | if (condition & (G_IO_NVAL | G_IO_ERR | G_IO_HUP)) { | ||
205 | @@ -661,12 +662,13 @@ static gboolean listener_event(GIOChannel *channel, GIOCondition condition, | ||
206 | re = dhcp_recv_l3_packet(&packet, dhcp_server->listener_sockfd); | ||
207 | if (re < 0) | ||
208 | return TRUE; | ||
209 | + packet_len = (uint16_t)(unsigned int)re; | ||
210 | |||
211 | - type = check_packet_type(&packet); | ||
212 | + type = check_packet_type(&packet, packet_len); | ||
213 | if (type == 0) | ||
214 | return TRUE; | ||
215 | |||
216 | - server_id_option = dhcp_get_option(&packet, DHCP_SERVER_ID); | ||
217 | + server_id_option = dhcp_get_option(&packet, packet_len, DHCP_SERVER_ID); | ||
218 | if (server_id_option) { | ||
219 | uint32_t server_nid = | ||
220 | get_unaligned((const uint32_t *) server_id_option); | ||
221 | @@ -675,7 +677,7 @@ static gboolean listener_event(GIOChannel *channel, GIOCondition condition, | ||
222 | return TRUE; | ||
223 | } | ||
224 | |||
225 | - request_ip_option = dhcp_get_option(&packet, DHCP_REQUESTED_IP); | ||
226 | + request_ip_option = dhcp_get_option(&packet, packet_len, DHCP_REQUESTED_IP); | ||
227 | if (request_ip_option) | ||
228 | requested_nip = get_be32(request_ip_option); | ||
229 | |||
230 | -- | ||
231 | 2.17.1 | ||
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2021-26676-0002.patch b/meta/recipes-connectivity/connman/connman/CVE-2021-26676-0002.patch new file mode 100644 index 0000000000..ce909ec293 --- /dev/null +++ b/meta/recipes-connectivity/connman/connman/CVE-2021-26676-0002.patch | |||
@@ -0,0 +1,33 @@ | |||
1 | From a74524b3e3fad81b0fd1084ffdf9f2ea469cd9b1 Mon Sep 17 00:00:00 2001 | ||
2 | From: Colin Wee <cwee@tesla.com> | ||
3 | Date: Thu, 28 Jan 2021 19:41:09 +0100 | ||
4 | Subject: [PATCH] gdhcp: Avoid leaking stack data via unitiialized variable | ||
5 | |||
6 | Fixes: CVE-2021-26676 | ||
7 | |||
8 | Upstream-Status: Backport | ||
9 | CVE: CVE-2021-26676 | ||
10 | |||
11 | Reference to upstream patch: | ||
12 | https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=a74524b3e3fad81b0fd1084ffdf9f2ea469cd9b1 | ||
13 | |||
14 | Signed-off-by: Catalin Enache <catalin.enache@windriver.com> | ||
15 | --- | ||
16 | gdhcp/client.c | 2 +- | ||
17 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
18 | |||
19 | diff --git a/gdhcp/client.c b/gdhcp/client.c | ||
20 | index 6a5613e7..c7b85e58 100644 | ||
21 | --- a/gdhcp/client.c | ||
22 | +++ b/gdhcp/client.c | ||
23 | @@ -2270,7 +2270,7 @@ static gboolean listener_event(GIOChannel *channel, GIOCondition condition, | ||
24 | { | ||
25 | GDHCPClient *dhcp_client = user_data; | ||
26 | struct sockaddr_in dst_addr = { 0 }; | ||
27 | - struct dhcp_packet packet; | ||
28 | + struct dhcp_packet packet = { 0 }; | ||
29 | struct dhcpv6_packet *packet6 = NULL; | ||
30 | uint8_t *message_type = NULL, *client_id = NULL, *option, | ||
31 | *server_id = NULL; | ||
32 | -- | ||
33 | 2.17.1 | ||
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2021-33833.patch b/meta/recipes-connectivity/connman/connman/CVE-2021-33833.patch new file mode 100644 index 0000000000..770948fb69 --- /dev/null +++ b/meta/recipes-connectivity/connman/connman/CVE-2021-33833.patch | |||
@@ -0,0 +1,72 @@ | |||
1 | From eceb2e8d2341c041df55a5e2f047d9a8c491463c Mon Sep 17 00:00:00 2001 | ||
2 | From: Valery Kashcheev <v.kascheev@omp.ru> | ||
3 | Date: Mon, 7 Jun 2021 18:58:24 +0200 | ||
4 | Subject: dnsproxy: Check the length of buffers before memcpy | ||
5 | |||
6 | Fix using a stack-based buffer overflow attack by checking the length of | ||
7 | the ptr and uptr buffers. | ||
8 | |||
9 | Fix debug message output. | ||
10 | |||
11 | Fixes: CVE-2021-33833 | ||
12 | |||
13 | Upstream-Status: Backport | ||
14 | https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=eceb2e8d2341c041df55a5e2f047d9a8c491463c | ||
15 | CVE: CVE-2021-33833 | ||
16 | Signed-off-by: Steve Sakoman <steve@sakoman.com> | ||
17 | |||
18 | --- | ||
19 | src/dnsproxy.c | 20 +++++++++++--------- | ||
20 | 1 file changed, 11 insertions(+), 9 deletions(-) | ||
21 | |||
22 | diff --git a/src/dnsproxy.c b/src/dnsproxy.c | ||
23 | index de52df5a..38dbdd71 100644 | ||
24 | --- a/src/dnsproxy.c | ||
25 | +++ b/src/dnsproxy.c | ||
26 | @@ -1788,17 +1788,15 @@ static char *uncompress(int16_t field_count, char *start, char *end, | ||
27 | * tmp buffer. | ||
28 | */ | ||
29 | |||
30 | - debug("pos %d ulen %d left %d name %s", pos, ulen, | ||
31 | - (int)(uncomp_len - (uptr - uncompressed)), uptr); | ||
32 | - | ||
33 | - ulen = strlen(name); | ||
34 | - if ((uptr + ulen + 1) > uncomp_end) { | ||
35 | + ulen = strlen(name) + 1; | ||
36 | + if ((uptr + ulen) > uncomp_end) | ||
37 | goto out; | ||
38 | - } | ||
39 | - strncpy(uptr, name, uncomp_len - (uptr - uncompressed)); | ||
40 | + strncpy(uptr, name, ulen); | ||
41 | + | ||
42 | + debug("pos %d ulen %d left %d name %s", pos, ulen, | ||
43 | + (int)(uncomp_end - (uptr + ulen)), uptr); | ||
44 | |||
45 | uptr += ulen; | ||
46 | - *uptr++ = '\0'; | ||
47 | |||
48 | ptr += pos; | ||
49 | |||
50 | @@ -1841,7 +1839,7 @@ static char *uncompress(int16_t field_count, char *start, char *end, | ||
51 | } else if (dns_type == ns_t_a || dns_type == ns_t_aaaa) { | ||
52 | dlen = uptr[-2] << 8 | uptr[-1]; | ||
53 | |||
54 | - if (ptr + dlen > end) { | ||
55 | + if ((ptr + dlen) > end || (uptr + dlen) > uncomp_end) { | ||
56 | debug("data len %d too long", dlen); | ||
57 | goto out; | ||
58 | } | ||
59 | @@ -1880,6 +1878,10 @@ static char *uncompress(int16_t field_count, char *start, char *end, | ||
60 | * refresh interval, retry interval, expiration | ||
61 | * limit and minimum ttl). They are 20 bytes long. | ||
62 | */ | ||
63 | + if ((uptr + 20) > uncomp_end || (ptr + 20) > end) { | ||
64 | + debug("soa record too long"); | ||
65 | + goto out; | ||
66 | + } | ||
67 | memcpy(uptr, ptr, 20); | ||
68 | uptr += 20; | ||
69 | ptr += 20; | ||
70 | -- | ||
71 | cgit 1.2.3-1.el7 | ||
72 | |||
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2022-23096-7.patch b/meta/recipes-connectivity/connman/connman/CVE-2022-23096-7.patch new file mode 100644 index 0000000000..7f27474830 --- /dev/null +++ b/meta/recipes-connectivity/connman/connman/CVE-2022-23096-7.patch | |||
@@ -0,0 +1,121 @@ | |||
1 | From e5a313736e13c90d19085e953a26256a198e4950 Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Wagner <wagi@monom.org> | ||
3 | Date: Tue, 25 Jan 2022 10:00:24 +0100 | ||
4 | Subject: dnsproxy: Validate input data before using them | ||
5 | |||
6 | dnsproxy is not validating various input data. Add a bunch of checks. | ||
7 | |||
8 | Fixes: CVE-2022-23097 | ||
9 | Fixes: CVE-2022-23096 | ||
10 | |||
11 | Upstream-Status: Backport | ||
12 | https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=e5a313736e13c90d19085e953a26256a198e4950 | ||
13 | |||
14 | CVE: CVE-2022-23096 CVE-2022-23097 | ||
15 | Signed-off-by: Steve Sakoman <steve@sakoman.com> | ||
16 | |||
17 | --- | ||
18 | src/dnsproxy.c | 31 ++++++++++++++++++++++++++----- | ||
19 | 1 file changed, 26 insertions(+), 5 deletions(-) | ||
20 | |||
21 | diff --git a/src/dnsproxy.c b/src/dnsproxy.c | ||
22 | index cdfafbc2..c027bcb9 100644 | ||
23 | --- a/src/dnsproxy.c | ||
24 | +++ b/src/dnsproxy.c | ||
25 | @@ -1951,6 +1951,12 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol, | ||
26 | |||
27 | if (offset < 0) | ||
28 | return offset; | ||
29 | + if (reply_len < 0) | ||
30 | + return -EINVAL; | ||
31 | + if (reply_len < offset + 1) | ||
32 | + return -EINVAL; | ||
33 | + if ((size_t)reply_len < sizeof(struct domain_hdr)) | ||
34 | + return -EINVAL; | ||
35 | |||
36 | hdr = (void *)(reply + offset); | ||
37 | dns_id = reply[offset] | reply[offset + 1] << 8; | ||
38 | @@ -1986,23 +1992,31 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol, | ||
39 | */ | ||
40 | if (req->append_domain && ntohs(hdr->qdcount) == 1) { | ||
41 | uint16_t domain_len = 0; | ||
42 | - uint16_t header_len; | ||
43 | + uint16_t header_len, payload_len; | ||
44 | uint16_t dns_type, dns_class; | ||
45 | uint8_t host_len, dns_type_pos; | ||
46 | char uncompressed[NS_MAXDNAME], *uptr; | ||
47 | char *ptr, *eom = (char *)reply + reply_len; | ||
48 | + char *domain; | ||
49 | |||
50 | /* | ||
51 | * ptr points to the first char of the hostname. | ||
52 | * ->hostname.domain.net | ||
53 | */ | ||
54 | header_len = offset + sizeof(struct domain_hdr); | ||
55 | + if (reply_len < header_len) | ||
56 | + return -EINVAL; | ||
57 | + payload_len = reply_len - header_len; | ||
58 | + | ||
59 | ptr = (char *)reply + header_len; | ||
60 | |||
61 | host_len = *ptr; | ||
62 | + domain = ptr + 1 + host_len; | ||
63 | + if (domain > eom) | ||
64 | + return -EINVAL; | ||
65 | + | ||
66 | if (host_len > 0) | ||
67 | - domain_len = strnlen(ptr + 1 + host_len, | ||
68 | - reply_len - header_len); | ||
69 | + domain_len = strnlen(domain, eom - domain); | ||
70 | |||
71 | /* | ||
72 | * If the query type is anything other than A or AAAA, | ||
73 | @@ -2011,6 +2025,8 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol, | ||
74 | */ | ||
75 | dns_type_pos = host_len + 1 + domain_len + 1; | ||
76 | |||
77 | + if (ptr + (dns_type_pos + 3) > eom) | ||
78 | + return -EINVAL; | ||
79 | dns_type = ptr[dns_type_pos] << 8 | | ||
80 | ptr[dns_type_pos + 1]; | ||
81 | dns_class = ptr[dns_type_pos + 2] << 8 | | ||
82 | @@ -2040,6 +2056,8 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol, | ||
83 | int new_len, fixed_len; | ||
84 | char *answers; | ||
85 | |||
86 | + if (len > payload_len) | ||
87 | + return -EINVAL; | ||
88 | /* | ||
89 | * First copy host (without domain name) into | ||
90 | * tmp buffer. | ||
91 | @@ -2054,6 +2072,8 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol, | ||
92 | * Copy type and class fields of the question. | ||
93 | */ | ||
94 | ptr += len + domain_len + 1; | ||
95 | + if (ptr + NS_QFIXEDSZ > eom) | ||
96 | + return -EINVAL; | ||
97 | memcpy(uptr, ptr, NS_QFIXEDSZ); | ||
98 | |||
99 | /* | ||
100 | @@ -2063,6 +2083,8 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol, | ||
101 | uptr += NS_QFIXEDSZ; | ||
102 | answers = uptr; | ||
103 | fixed_len = answers - uncompressed; | ||
104 | + if (ptr + offset > eom) | ||
105 | + return -EINVAL; | ||
106 | |||
107 | /* | ||
108 | * We then uncompress the result to buffer | ||
109 | @@ -2257,8 +2279,7 @@ static gboolean udp_server_event(GIOChannel *channel, GIOCondition condition, | ||
110 | |||
111 | len = recv(sk, buf, sizeof(buf), 0); | ||
112 | |||
113 | - if (len >= 12) | ||
114 | - forward_dns_reply(buf, len, IPPROTO_UDP, data); | ||
115 | + forward_dns_reply(buf, len, IPPROTO_UDP, data); | ||
116 | |||
117 | return TRUE; | ||
118 | } | ||
119 | -- | ||
120 | cgit 1.2.3-1.el7 | ||
121 | |||
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2022-23098.patch b/meta/recipes-connectivity/connman/connman/CVE-2022-23098.patch new file mode 100644 index 0000000000..a40c9f583f --- /dev/null +++ b/meta/recipes-connectivity/connman/connman/CVE-2022-23098.patch | |||
@@ -0,0 +1,50 @@ | |||
1 | From d8708b85c1e8fe25af7803e8a20cf20e7201d8a4 Mon Sep 17 00:00:00 2001 | ||
2 | From: Matthias Gerstner <mgerstner@suse.de> | ||
3 | Date: Tue, 25 Jan 2022 10:00:25 +0100 | ||
4 | Subject: dnsproxy: Avoid 100 % busy loop in TCP server case | ||
5 | |||
6 | Once the TCP socket is connected and until the remote server is | ||
7 | responding (if ever) ConnMan executes a 100 % CPU loop, since | ||
8 | the connected socket will always be writable (G_IO_OUT). | ||
9 | |||
10 | To fix this, modify the watch after the connection is established to | ||
11 | remove the G_IO_OUT from the callback conditions. | ||
12 | |||
13 | Fixes: CVE-2022-23098 | ||
14 | |||
15 | Upstream-Status: Backport | ||
16 | https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d8708b85c1e8fe25af7803e8a20cf20e7201d8a4 | ||
17 | |||
18 | CVE: CVE-2022-23098 | ||
19 | Signed-off-by: Steve Sakoman <steve@sakoman.com> | ||
20 | |||
21 | --- | ||
22 | src/dnsproxy.c | 12 ++++++++++++ | ||
23 | 1 file changed, 12 insertions(+) | ||
24 | |||
25 | diff --git a/src/dnsproxy.c b/src/dnsproxy.c | ||
26 | index c027bcb9..1ccf36a9 100644 | ||
27 | --- a/src/dnsproxy.c | ||
28 | +++ b/src/dnsproxy.c | ||
29 | @@ -2360,6 +2360,18 @@ hangup: | ||
30 | } | ||
31 | } | ||
32 | |||
33 | + /* | ||
34 | + * Remove the G_IO_OUT flag from the watch, otherwise we end | ||
35 | + * up in a busy loop, because the socket is constantly writable. | ||
36 | + * | ||
37 | + * There seems to be no better way in g_io to do that than | ||
38 | + * re-adding the watch. | ||
39 | + */ | ||
40 | + g_source_remove(server->watch); | ||
41 | + server->watch = g_io_add_watch(server->channel, | ||
42 | + G_IO_IN | G_IO_HUP | G_IO_NVAL | G_IO_ERR, | ||
43 | + tcp_server_event, server); | ||
44 | + | ||
45 | server->connected = true; | ||
46 | server_list = g_slist_append(server_list, server); | ||
47 | |||
48 | -- | ||
49 | cgit 1.2.3-1.el7 | ||
50 | |||
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch b/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch new file mode 100644 index 0000000000..74a739d6a2 --- /dev/null +++ b/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch | |||
@@ -0,0 +1,37 @@ | |||
1 | From d1a5ede5d255bde8ef707f8441b997563b9312bd Mon Sep 17 00:00:00 2001 | ||
2 | From: Nathan Crandall <ncrandall@tesla.com> | ||
3 | Date: Tue, 12 Jul 2022 08:56:34 +0200 | ||
4 | Subject: gweb: Fix OOB write in received_data() | ||
5 | |||
6 | There is a mismatch of handling binary vs. C-string data with memchr | ||
7 | and strlen, resulting in pos, count, and bytes_read to become out of | ||
8 | sync and result in a heap overflow. Instead, do not treat the buffer | ||
9 | as an ASCII C-string. We calculate the count based on the return value | ||
10 | of memchr, instead of strlen. | ||
11 | |||
12 | Fixes: CVE-2022-32292 | ||
13 | |||
14 | Upstream-Status: Backport | ||
15 | https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d1a5ede5d255bde8ef707f8441b997563b9312b | ||
16 | CVE: CVE-2022-32292 | ||
17 | Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> | ||
18 | --- | ||
19 | gweb/gweb.c | 2 +- | ||
20 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
21 | |||
22 | diff --git a/gweb/gweb.c b/gweb/gweb.c | ||
23 | index 12fcb1d8..13c6c5f2 100644 | ||
24 | --- a/gweb/gweb.c | ||
25 | +++ b/gweb/gweb.c | ||
26 | @@ -918,7 +918,7 @@ static gboolean received_data(GIOChannel *channel, GIOCondition cond, | ||
27 | } | ||
28 | |||
29 | *pos = '\0'; | ||
30 | - count = strlen((char *) ptr); | ||
31 | + count = pos - ptr; | ||
32 | if (count > 0 && ptr[count - 1] == '\r') { | ||
33 | ptr[--count] = '\0'; | ||
34 | bytes_read--; | ||
35 | -- | ||
36 | cgit | ||
37 | |||
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2022-32293.patch b/meta/recipes-connectivity/connman/connman/CVE-2022-32293.patch new file mode 100644 index 0000000000..83a013981c --- /dev/null +++ b/meta/recipes-connectivity/connman/connman/CVE-2022-32293.patch | |||
@@ -0,0 +1,266 @@ | |||
1 | From 358a44b1442fae0f82846e10da0708b5c4e1ce27 Mon Sep 17 00:00:00 2001 | ||
2 | From: Hitendra Prajapati <hprajapati@mvista.com> | ||
3 | Date: Tue, 20 Sep 2022 17:58:19 +0530 | ||
4 | Subject: [PATCH] CVE-2022-32293 | ||
5 | |||
6 | CVE: CVE-2022-32293 | ||
7 | Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=72343929836de80727a27d6744c869dff045757c && https://git.kernel.org/pub/scm/network/connman/connman.git/commit/src/wispr.c?id=416bfaff988882c553c672e5bfc2d4f648d29e8a] | ||
8 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
9 | --- | ||
10 | src/wispr.c | 83 ++++++++++++++++++++++++++++++++++++++++------------- | ||
11 | 1 file changed, 63 insertions(+), 20 deletions(-) | ||
12 | |||
13 | diff --git a/src/wispr.c b/src/wispr.c | ||
14 | index 473c0e0..97e0242 100644 | ||
15 | --- a/src/wispr.c | ||
16 | +++ b/src/wispr.c | ||
17 | @@ -59,6 +59,7 @@ struct wispr_route { | ||
18 | }; | ||
19 | |||
20 | struct connman_wispr_portal_context { | ||
21 | + int refcount; | ||
22 | struct connman_service *service; | ||
23 | enum connman_ipconfig_type type; | ||
24 | struct connman_wispr_portal *wispr_portal; | ||
25 | @@ -96,10 +97,13 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data); | ||
26 | |||
27 | static GHashTable *wispr_portal_list = NULL; | ||
28 | |||
29 | +#define wispr_portal_context_ref(wp_context) \ | ||
30 | + wispr_portal_context_ref_debug(wp_context, __FILE__, __LINE__, __func__) | ||
31 | +#define wispr_portal_context_unref(wp_context) \ | ||
32 | + wispr_portal_context_unref_debug(wp_context, __FILE__, __LINE__, __func__) | ||
33 | + | ||
34 | static void connman_wispr_message_init(struct connman_wispr_message *msg) | ||
35 | { | ||
36 | - DBG(""); | ||
37 | - | ||
38 | msg->has_error = false; | ||
39 | msg->current_element = NULL; | ||
40 | |||
41 | @@ -159,11 +163,6 @@ static void free_wispr_routes(struct connman_wispr_portal_context *wp_context) | ||
42 | static void free_connman_wispr_portal_context( | ||
43 | struct connman_wispr_portal_context *wp_context) | ||
44 | { | ||
45 | - DBG("context %p", wp_context); | ||
46 | - | ||
47 | - if (!wp_context) | ||
48 | - return; | ||
49 | - | ||
50 | if (wp_context->wispr_portal) { | ||
51 | if (wp_context->wispr_portal->ipv4_context == wp_context) | ||
52 | wp_context->wispr_portal->ipv4_context = NULL; | ||
53 | @@ -200,9 +199,38 @@ static void free_connman_wispr_portal_context( | ||
54 | g_free(wp_context); | ||
55 | } | ||
56 | |||
57 | +static struct connman_wispr_portal_context * | ||
58 | +wispr_portal_context_ref_debug(struct connman_wispr_portal_context *wp_context, | ||
59 | + const char *file, int line, const char *caller) | ||
60 | +{ | ||
61 | + DBG("%p ref %d by %s:%d:%s()", wp_context, | ||
62 | + wp_context->refcount + 1, file, line, caller); | ||
63 | + | ||
64 | + __sync_fetch_and_add(&wp_context->refcount, 1); | ||
65 | + | ||
66 | + return wp_context; | ||
67 | +} | ||
68 | + | ||
69 | +static void wispr_portal_context_unref_debug( | ||
70 | + struct connman_wispr_portal_context *wp_context, | ||
71 | + const char *file, int line, const char *caller) | ||
72 | +{ | ||
73 | + if (!wp_context) | ||
74 | + return; | ||
75 | + | ||
76 | + DBG("%p ref %d by %s:%d:%s()", wp_context, | ||
77 | + wp_context->refcount - 1, file, line, caller); | ||
78 | + | ||
79 | + if (__sync_fetch_and_sub(&wp_context->refcount, 1) != 1) | ||
80 | + return; | ||
81 | + | ||
82 | + free_connman_wispr_portal_context(wp_context); | ||
83 | +} | ||
84 | + | ||
85 | static struct connman_wispr_portal_context *create_wispr_portal_context(void) | ||
86 | { | ||
87 | - return g_try_new0(struct connman_wispr_portal_context, 1); | ||
88 | + return wispr_portal_context_ref( | ||
89 | + g_new0(struct connman_wispr_portal_context, 1)); | ||
90 | } | ||
91 | |||
92 | static void free_connman_wispr_portal(gpointer data) | ||
93 | @@ -214,8 +242,8 @@ static void free_connman_wispr_portal(gpointer data) | ||
94 | if (!wispr_portal) | ||
95 | return; | ||
96 | |||
97 | - free_connman_wispr_portal_context(wispr_portal->ipv4_context); | ||
98 | - free_connman_wispr_portal_context(wispr_portal->ipv6_context); | ||
99 | + wispr_portal_context_unref(wispr_portal->ipv4_context); | ||
100 | + wispr_portal_context_unref(wispr_portal->ipv6_context); | ||
101 | |||
102 | g_free(wispr_portal); | ||
103 | } | ||
104 | @@ -450,8 +478,6 @@ static void portal_manage_status(GWebResult *result, | ||
105 | &str)) | ||
106 | connman_info("Client-Timezone: %s", str); | ||
107 | |||
108 | - free_connman_wispr_portal_context(wp_context); | ||
109 | - | ||
110 | __connman_service_ipconfig_indicate_state(service, | ||
111 | CONNMAN_SERVICE_STATE_ONLINE, type); | ||
112 | } | ||
113 | @@ -509,14 +535,17 @@ static void wispr_portal_request_portal( | ||
114 | { | ||
115 | DBG(""); | ||
116 | |||
117 | + wispr_portal_context_ref(wp_context); | ||
118 | wp_context->request_id = g_web_request_get(wp_context->web, | ||
119 | wp_context->status_url, | ||
120 | wispr_portal_web_result, | ||
121 | wispr_route_request, | ||
122 | wp_context); | ||
123 | |||
124 | - if (wp_context->request_id == 0) | ||
125 | + if (wp_context->request_id == 0) { | ||
126 | wispr_portal_error(wp_context); | ||
127 | + wispr_portal_context_unref(wp_context); | ||
128 | + } | ||
129 | } | ||
130 | |||
131 | static bool wispr_input(const guint8 **data, gsize *length, | ||
132 | @@ -562,13 +591,15 @@ static void wispr_portal_browser_reply_cb(struct connman_service *service, | ||
133 | return; | ||
134 | |||
135 | if (!authentication_done) { | ||
136 | - wispr_portal_error(wp_context); | ||
137 | free_wispr_routes(wp_context); | ||
138 | + wispr_portal_error(wp_context); | ||
139 | + wispr_portal_context_unref(wp_context); | ||
140 | return; | ||
141 | } | ||
142 | |||
143 | /* Restarting the test */ | ||
144 | __connman_service_wispr_start(service, wp_context->type); | ||
145 | + wispr_portal_context_unref(wp_context); | ||
146 | } | ||
147 | |||
148 | static void wispr_portal_request_wispr_login(struct connman_service *service, | ||
149 | @@ -592,7 +623,7 @@ static void wispr_portal_request_wispr_login(struct connman_service *service, | ||
150 | return; | ||
151 | } | ||
152 | |||
153 | - free_connman_wispr_portal_context(wp_context); | ||
154 | + wispr_portal_context_unref(wp_context); | ||
155 | return; | ||
156 | } | ||
157 | |||
158 | @@ -644,11 +675,13 @@ static bool wispr_manage_message(GWebResult *result, | ||
159 | |||
160 | wp_context->wispr_result = CONNMAN_WISPR_RESULT_LOGIN; | ||
161 | |||
162 | + wispr_portal_context_ref(wp_context); | ||
163 | if (__connman_agent_request_login_input(wp_context->service, | ||
164 | wispr_portal_request_wispr_login, | ||
165 | - wp_context) != -EINPROGRESS) | ||
166 | + wp_context) != -EINPROGRESS) { | ||
167 | wispr_portal_error(wp_context); | ||
168 | - else | ||
169 | + wispr_portal_context_unref(wp_context); | ||
170 | + } else | ||
171 | return true; | ||
172 | |||
173 | break; | ||
174 | @@ -697,6 +730,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) | ||
175 | if (length > 0) { | ||
176 | g_web_parser_feed_data(wp_context->wispr_parser, | ||
177 | chunk, length); | ||
178 | + wispr_portal_context_unref(wp_context); | ||
179 | return true; | ||
180 | } | ||
181 | |||
182 | @@ -714,6 +748,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) | ||
183 | |||
184 | switch (status) { | ||
185 | case 000: | ||
186 | + wispr_portal_context_ref(wp_context); | ||
187 | __connman_agent_request_browser(wp_context->service, | ||
188 | wispr_portal_browser_reply_cb, | ||
189 | wp_context->status_url, wp_context); | ||
190 | @@ -725,11 +760,14 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) | ||
191 | if (g_web_result_get_header(result, "X-ConnMan-Status", | ||
192 | &str)) { | ||
193 | portal_manage_status(result, wp_context); | ||
194 | + wispr_portal_context_unref(wp_context); | ||
195 | return false; | ||
196 | - } else | ||
197 | + } else { | ||
198 | + wispr_portal_context_ref(wp_context); | ||
199 | __connman_agent_request_browser(wp_context->service, | ||
200 | wispr_portal_browser_reply_cb, | ||
201 | wp_context->redirect_url, wp_context); | ||
202 | + } | ||
203 | |||
204 | break; | ||
205 | case 302: | ||
206 | @@ -737,6 +775,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) | ||
207 | !g_web_result_get_header(result, "Location", | ||
208 | &redirect)) { | ||
209 | |||
210 | + wispr_portal_context_ref(wp_context); | ||
211 | __connman_agent_request_browser(wp_context->service, | ||
212 | wispr_portal_browser_reply_cb, | ||
213 | wp_context->status_url, wp_context); | ||
214 | @@ -747,6 +786,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) | ||
215 | |||
216 | wp_context->redirect_url = g_strdup(redirect); | ||
217 | |||
218 | + wispr_portal_context_ref(wp_context); | ||
219 | wp_context->request_id = g_web_request_get(wp_context->web, | ||
220 | redirect, wispr_portal_web_result, | ||
221 | wispr_route_request, wp_context); | ||
222 | @@ -763,6 +803,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) | ||
223 | |||
224 | break; | ||
225 | case 505: | ||
226 | + wispr_portal_context_ref(wp_context); | ||
227 | __connman_agent_request_browser(wp_context->service, | ||
228 | wispr_portal_browser_reply_cb, | ||
229 | wp_context->status_url, wp_context); | ||
230 | @@ -775,6 +816,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) | ||
231 | wp_context->request_id = 0; | ||
232 | done: | ||
233 | wp_context->wispr_msg.message_type = -1; | ||
234 | + wispr_portal_context_unref(wp_context); | ||
235 | return false; | ||
236 | } | ||
237 | |||
238 | @@ -809,6 +851,7 @@ static void proxy_callback(const char *proxy, void *user_data) | ||
239 | xml_wispr_parser_callback, wp_context); | ||
240 | |||
241 | wispr_portal_request_portal(wp_context); | ||
242 | + wispr_portal_context_unref(wp_context); | ||
243 | } | ||
244 | |||
245 | static gboolean no_proxy_callback(gpointer user_data) | ||
246 | @@ -903,7 +946,7 @@ static int wispr_portal_detect(struct connman_wispr_portal_context *wp_context) | ||
247 | |||
248 | if (wp_context->token == 0) { | ||
249 | err = -EINVAL; | ||
250 | - free_connman_wispr_portal_context(wp_context); | ||
251 | + wispr_portal_context_unref(wp_context); | ||
252 | } | ||
253 | } else if (wp_context->timeout == 0) { | ||
254 | wp_context->timeout = g_idle_add(no_proxy_callback, wp_context); | ||
255 | @@ -952,7 +995,7 @@ int __connman_wispr_start(struct connman_service *service, | ||
256 | |||
257 | /* If there is already an existing context, we wipe it */ | ||
258 | if (wp_context) | ||
259 | - free_connman_wispr_portal_context(wp_context); | ||
260 | + wispr_portal_context_unref(wp_context); | ||
261 | |||
262 | wp_context = create_wispr_portal_context(); | ||
263 | if (!wp_context) | ||
264 | -- | ||
265 | 2.25.1 | ||
266 | |||
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2023-28488.patch b/meta/recipes-connectivity/connman/connman/CVE-2023-28488.patch new file mode 100644 index 0000000000..ea1601cc04 --- /dev/null +++ b/meta/recipes-connectivity/connman/connman/CVE-2023-28488.patch | |||
@@ -0,0 +1,54 @@ | |||
1 | From 99e2c16ea1cced34a5dc450d76287a1c3e762138 Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Wagner <wagi@monom.org> | ||
3 | Date: Tue, 11 Apr 2023 08:12:56 +0200 | ||
4 | Subject: gdhcp: Verify and sanitize packet length first | ||
5 | |||
6 | Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/patch/?id=99e2c16ea1cced34a5dc450d76287a1c3e762138] | ||
7 | CVE: CVE-2023-28488 | ||
8 | Signed-off-by: Ashish Sharma <asharma@mvista.com> | ||
9 | |||
10 | gdhcp/client.c | 16 +++++++++------- | ||
11 | 1 file changed, 9 insertions(+), 7 deletions(-) | ||
12 | |||
13 | diff --git a/gdhcp/client.c b/gdhcp/client.c | ||
14 | index 7efa7e45..82017692 100644 | ||
15 | --- a/gdhcp/client.c | ||
16 | +++ b/gdhcp/client.c | ||
17 | @@ -1319,9 +1319,9 @@ static bool sanity_check(struct ip_udp_dhcp_packet *packet, int bytes) | ||
18 | static int dhcp_recv_l2_packet(struct dhcp_packet *dhcp_pkt, int fd, | ||
19 | struct sockaddr_in *dst_addr) | ||
20 | { | ||
21 | - int bytes; | ||
22 | struct ip_udp_dhcp_packet packet; | ||
23 | uint16_t check; | ||
24 | + int bytes, tot_len; | ||
25 | |||
26 | memset(&packet, 0, sizeof(packet)); | ||
27 | |||
28 | @@ -1329,15 +1329,17 @@ static int dhcp_recv_l2_packet(struct dhcp_packet *dhcp_pkt, int fd, | ||
29 | if (bytes < 0) | ||
30 | return -1; | ||
31 | |||
32 | - if (bytes < (int) (sizeof(packet.ip) + sizeof(packet.udp))) | ||
33 | - return -1; | ||
34 | - | ||
35 | - if (bytes < ntohs(packet.ip.tot_len)) | ||
36 | + tot_len = ntohs(packet.ip.tot_len); | ||
37 | + if (bytes > tot_len) { | ||
38 | + /* ignore any extra garbage bytes */ | ||
39 | + bytes = tot_len; | ||
40 | + } else if (bytes < tot_len) { | ||
41 | /* packet is bigger than sizeof(packet), we did partial read */ | ||
42 | return -1; | ||
43 | + } | ||
44 | |||
45 | - /* ignore any extra garbage bytes */ | ||
46 | - bytes = ntohs(packet.ip.tot_len); | ||
47 | + if (bytes < (int) (sizeof(packet.ip) + sizeof(packet.udp))) | ||
48 | + return -1; | ||
49 | |||
50 | if (!sanity_check(&packet, bytes)) | ||
51 | return -1; | ||
52 | -- | ||
53 | cgit | ||
54 | |||
diff --git a/meta/recipes-connectivity/connman/connman_1.37.bb b/meta/recipes-connectivity/connman/connman_1.37.bb index 00852bf0d6..8062a094d3 100644 --- a/meta/recipes-connectivity/connman/connman_1.37.bb +++ b/meta/recipes-connectivity/connman/connman_1.37.bb | |||
@@ -6,6 +6,15 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \ | |||
6 | file://0001-gweb-fix-segfault-with-musl-v1.1.21.patch \ | 6 | file://0001-gweb-fix-segfault-with-musl-v1.1.21.patch \ |
7 | file://connman \ | 7 | file://connman \ |
8 | file://no-version-scripts.patch \ | 8 | file://no-version-scripts.patch \ |
9 | file://CVE-2021-26675.patch \ | ||
10 | file://CVE-2021-26676-0001.patch \ | ||
11 | file://CVE-2021-26676-0002.patch \ | ||
12 | file://CVE-2021-33833.patch \ | ||
13 | file://CVE-2022-23096-7.patch \ | ||
14 | file://CVE-2022-23098.patch \ | ||
15 | file://CVE-2022-32292.patch \ | ||
16 | file://CVE-2022-32293.patch \ | ||
17 | file://CVE-2023-28488.patch \ | ||
9 | " | 18 | " |
10 | 19 | ||
11 | SRC_URI_append_libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch" | 20 | SRC_URI_append_libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch" |
diff --git a/meta/recipes-connectivity/dhcp/dhcp/CVE-2021-25217.patch b/meta/recipes-connectivity/dhcp/dhcp/CVE-2021-25217.patch new file mode 100644 index 0000000000..91aaf83a77 --- /dev/null +++ b/meta/recipes-connectivity/dhcp/dhcp/CVE-2021-25217.patch | |||
@@ -0,0 +1,66 @@ | |||
1 | From 5a7344b05081d84343a1627e47478f3990b17700 Mon Sep 17 00:00:00 2001 | ||
2 | From: Minjae Kim <flowergom@gmail.com> | ||
3 | Date: Thu, 8 Jul 2021 00:08:25 +0000 | ||
4 | Subject: [PATCH] ISC has disclosed a vulnerability in ISC DHCP | ||
5 | (CVE-2021-25217) | ||
6 | |||
7 | On May 26, 2021, we (Internet Systems Consortium) disclosed a | ||
8 | vulnerability affecting our ISC DHCP software: | ||
9 | |||
10 | CVE-2021-25217: A buffer overrun in lease file parsing code can be | ||
11 | used to exploit a common vulnerability shared by dhcpd and dhclient | ||
12 | https://kb.isc.org/docs/cve-2021-25217 | ||
13 | |||
14 | New versions of ISC DHCP are available from https://www.isc.org/downloads | ||
15 | |||
16 | Operators and package maintainers who prefer to apply patches selectively can | ||
17 | find individual vulnerability-specific patches in the "patches" subdirectory | ||
18 | of the release directories for our two stable release branches (4.4 and 4.1-ESV) | ||
19 | |||
20 | https://downloads.isc.org/isc/dhcp/4.4.2-P1/patches | ||
21 | https://downloads.isc.org/isc/dhcp/4.1-ESV-R16-P1/patches | ||
22 | |||
23 | With the public announcement of this vulnerability, the embargo | ||
24 | period is ended and any updated software packages that have been | ||
25 | prepared may be released. | ||
26 | |||
27 | Upstream-Status: Accepted [https://www.openwall.com/lists/oss-security/2021/05/26/6] | ||
28 | CVE: CVE-2021-25217 | ||
29 | Signed-off-by: Minjae Kim <flowergom@gmail.com> | ||
30 | --- | ||
31 | common/parse.c | 7 ++++--- | ||
32 | 1 file changed, 4 insertions(+), 3 deletions(-) | ||
33 | |||
34 | diff --git a/common/parse.c b/common/parse.c | ||
35 | index 386a632..fc7b39c 100644 | ||
36 | --- a/common/parse.c | ||
37 | +++ b/common/parse.c | ||
38 | @@ -3,7 +3,7 @@ | ||
39 | Common parser code for dhcpd and dhclient. */ | ||
40 | |||
41 | /* | ||
42 | - * Copyright (c) 2004-2019 by Internet Systems Consortium, Inc. ("ISC") | ||
43 | + * Copyright (c) 2004-2021 by Internet Systems Consortium, Inc. ("ISC") | ||
44 | * Copyright (c) 1995-2003 by Internet Software Consortium | ||
45 | * | ||
46 | * This Source Code Form is subject to the terms of the Mozilla Public | ||
47 | @@ -5556,13 +5556,14 @@ int parse_X (cfile, buf, max) | ||
48 | skip_to_semi (cfile); | ||
49 | return 0; | ||
50 | } | ||
51 | - convert_num (cfile, &buf [len], val, 16, 8); | ||
52 | - if (len++ > max) { | ||
53 | + if (len >= max) { | ||
54 | parse_warn (cfile, | ||
55 | "hexadecimal constant too long."); | ||
56 | skip_to_semi (cfile); | ||
57 | return 0; | ||
58 | } | ||
59 | + convert_num (cfile, &buf [len], val, 16, 8); | ||
60 | + len++; | ||
61 | token = peek_token (&val, (unsigned *)0, cfile); | ||
62 | if (token == COLON) | ||
63 | token = next_token (&val, | ||
64 | -- | ||
65 | 2.17.1 | ||
66 | |||
diff --git a/meta/recipes-connectivity/dhcp/dhcp/CVE-2022-2928.patch b/meta/recipes-connectivity/dhcp/dhcp/CVE-2022-2928.patch new file mode 100644 index 0000000000..11f162cbda --- /dev/null +++ b/meta/recipes-connectivity/dhcp/dhcp/CVE-2022-2928.patch | |||
@@ -0,0 +1,120 @@ | |||
1 | From 8a5d739eea10ee6e193f053b1662142d5657cbc6 Mon Sep 17 00:00:00 2001 | ||
2 | From: Hitendra Prajapati <hprajapati@mvista.com> | ||
3 | Date: Thu, 6 Oct 2022 09:39:18 +0530 | ||
4 | Subject: [PATCH] CVE-2022-2928 | ||
5 | |||
6 | Upstream-Status: Backport [https://downloads.isc.org/isc/dhcp/4.4.3-P1/patches/] | ||
7 | CVE: CVE-2022-2928 | ||
8 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
9 | --- | ||
10 | common/options.c | 7 +++++ | ||
11 | common/tests/option_unittest.c | 54 ++++++++++++++++++++++++++++++++++ | ||
12 | 2 files changed, 61 insertions(+) | ||
13 | |||
14 | diff --git a/common/options.c b/common/options.c | ||
15 | index a7ed84c..4e53bb4 100644 | ||
16 | --- a/common/options.c | ||
17 | +++ b/common/options.c | ||
18 | @@ -4452,6 +4452,8 @@ add_option(struct option_state *options, | ||
19 | if (!option_cache_allocate(&oc, MDL)) { | ||
20 | log_error("No memory for option cache adding %s (option %d).", | ||
21 | option->name, option_num); | ||
22 | + /* Get rid of reference created during hash lookup. */ | ||
23 | + option_dereference(&option, MDL); | ||
24 | return 0; | ||
25 | } | ||
26 | |||
27 | @@ -4463,6 +4465,8 @@ add_option(struct option_state *options, | ||
28 | MDL)) { | ||
29 | log_error("No memory for constant data adding %s (option %d).", | ||
30 | option->name, option_num); | ||
31 | + /* Get rid of reference created during hash lookup. */ | ||
32 | + option_dereference(&option, MDL); | ||
33 | option_cache_dereference(&oc, MDL); | ||
34 | return 0; | ||
35 | } | ||
36 | @@ -4471,6 +4475,9 @@ add_option(struct option_state *options, | ||
37 | save_option(&dhcp_universe, options, oc); | ||
38 | option_cache_dereference(&oc, MDL); | ||
39 | |||
40 | + /* Get rid of reference created during hash lookup. */ | ||
41 | + option_dereference(&option, MDL); | ||
42 | + | ||
43 | return 1; | ||
44 | } | ||
45 | |||
46 | diff --git a/common/tests/option_unittest.c b/common/tests/option_unittest.c | ||
47 | index cd52cfb..690704d 100644 | ||
48 | --- a/common/tests/option_unittest.c | ||
49 | +++ b/common/tests/option_unittest.c | ||
50 | @@ -130,6 +130,59 @@ ATF_TC_BODY(pretty_print_option, tc) | ||
51 | } | ||
52 | |||
53 | |||
54 | +ATF_TC(add_option_ref_cnt); | ||
55 | + | ||
56 | +ATF_TC_HEAD(add_option_ref_cnt, tc) | ||
57 | +{ | ||
58 | + atf_tc_set_md_var(tc, "descr", | ||
59 | + "Verify add_option() does not leak option ref counts."); | ||
60 | +} | ||
61 | + | ||
62 | +ATF_TC_BODY(add_option_ref_cnt, tc) | ||
63 | +{ | ||
64 | + struct option_state *options = NULL; | ||
65 | + struct option *option = NULL; | ||
66 | + unsigned int cid_code = DHO_DHCP_CLIENT_IDENTIFIER; | ||
67 | + char *cid_str = "1234"; | ||
68 | + int refcnt_before = 0; | ||
69 | + | ||
70 | + // Look up the option we're going to add. | ||
71 | + initialize_common_option_spaces(); | ||
72 | + if (!option_code_hash_lookup(&option, dhcp_universe.code_hash, | ||
73 | + &cid_code, 0, MDL)) { | ||
74 | + atf_tc_fail("cannot find option definition?"); | ||
75 | + } | ||
76 | + | ||
77 | + // Get the option's reference count before we call add_options. | ||
78 | + refcnt_before = option->refcnt; | ||
79 | + | ||
80 | + // Allocate a option_state to which to add an option. | ||
81 | + if (!option_state_allocate(&options, MDL)) { | ||
82 | + atf_tc_fail("cannot allocat options state"); | ||
83 | + } | ||
84 | + | ||
85 | + // Call add_option() to add the option to the option state. | ||
86 | + if (!add_option(options, cid_code, cid_str, strlen(cid_str))) { | ||
87 | + atf_tc_fail("add_option returned 0"); | ||
88 | + } | ||
89 | + | ||
90 | + // Verify that calling add_option() only adds 1 to the option ref count. | ||
91 | + if (option->refcnt != (refcnt_before + 1)) { | ||
92 | + atf_tc_fail("after add_option(), count is wrong, before %d, after: %d", | ||
93 | + refcnt_before, option->refcnt); | ||
94 | + } | ||
95 | + | ||
96 | + // Derefrence the option_state, this should reduce the ref count to | ||
97 | + // it's starting value. | ||
98 | + option_state_dereference(&options, MDL); | ||
99 | + | ||
100 | + // Verify that dereferencing option_state restores option ref count. | ||
101 | + if (option->refcnt != refcnt_before) { | ||
102 | + atf_tc_fail("after state deref, count is wrong, before %d, after: %d", | ||
103 | + refcnt_before, option->refcnt); | ||
104 | + } | ||
105 | +} | ||
106 | + | ||
107 | /* This macro defines main() method that will call specified | ||
108 | test cases. tp and simple_test_case names can be whatever you want | ||
109 | as long as it is a valid variable identifier. */ | ||
110 | @@ -137,6 +190,7 @@ ATF_TP_ADD_TCS(tp) | ||
111 | { | ||
112 | ATF_TP_ADD_TC(tp, option_refcnt); | ||
113 | ATF_TP_ADD_TC(tp, pretty_print_option); | ||
114 | + ATF_TP_ADD_TC(tp, add_option_ref_cnt); | ||
115 | |||
116 | return (atf_no_error()); | ||
117 | } | ||
118 | -- | ||
119 | 2.25.1 | ||
120 | |||
diff --git a/meta/recipes-connectivity/dhcp/dhcp/CVE-2022-2929.patch b/meta/recipes-connectivity/dhcp/dhcp/CVE-2022-2929.patch new file mode 100644 index 0000000000..d605204f89 --- /dev/null +++ b/meta/recipes-connectivity/dhcp/dhcp/CVE-2022-2929.patch | |||
@@ -0,0 +1,40 @@ | |||
1 | From 5c959166ebee7605e2048de573f2475b4d731ff7 Mon Sep 17 00:00:00 2001 | ||
2 | From: Hitendra Prajapati <hprajapati@mvista.com> | ||
3 | Date: Thu, 6 Oct 2022 09:42:59 +0530 | ||
4 | Subject: [PATCH] CVE-2022-2929 | ||
5 | |||
6 | Upstream-Status: Backport [https://downloads.isc.org/isc/dhcp/4.4.3-P1/patches/] | ||
7 | CVE: CVE-2022-2929 | ||
8 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
9 | --- | ||
10 | common/options.c | 8 ++++---- | ||
11 | 1 file changed, 4 insertions(+), 4 deletions(-) | ||
12 | |||
13 | diff --git a/common/options.c b/common/options.c | ||
14 | index 4e53bb4..28800fc 100644 | ||
15 | --- a/common/options.c | ||
16 | +++ b/common/options.c | ||
17 | @@ -454,16 +454,16 @@ int fqdn_universe_decode (struct option_state *options, | ||
18 | while (s < &bp -> data[0] + length + 2) { | ||
19 | len = *s; | ||
20 | if (len > 63) { | ||
21 | - log_info ("fancy bits in fqdn option"); | ||
22 | - return 0; | ||
23 | + log_info ("label length exceeds 63 in fqdn option"); | ||
24 | + goto bad; | ||
25 | } | ||
26 | if (len == 0) { | ||
27 | terminated = 1; | ||
28 | break; | ||
29 | } | ||
30 | if (s + len > &bp -> data [0] + length + 3) { | ||
31 | - log_info ("fqdn tag longer than buffer"); | ||
32 | - return 0; | ||
33 | + log_info ("fqdn label longer than buffer"); | ||
34 | + goto bad; | ||
35 | } | ||
36 | |||
37 | if (first_len == 0) { | ||
38 | -- | ||
39 | 2.25.1 | ||
40 | |||
diff --git a/meta/recipes-connectivity/dhcp/dhcp_4.4.2.bb b/meta/recipes-connectivity/dhcp/dhcp_4.4.2.bb index b56a204821..d3c87d0d07 100644 --- a/meta/recipes-connectivity/dhcp/dhcp_4.4.2.bb +++ b/meta/recipes-connectivity/dhcp/dhcp_4.4.2.bb | |||
@@ -10,6 +10,9 @@ SRC_URI += "file://0001-define-macro-_PATH_DHCPD_CONF-and-_PATH_DHCLIENT_CON.pat | |||
10 | file://0012-dhcp-correct-the-intention-for-xml2-lib-search.patch \ | 10 | file://0012-dhcp-correct-the-intention-for-xml2-lib-search.patch \ |
11 | file://0013-fixup_use_libbind.patch \ | 11 | file://0013-fixup_use_libbind.patch \ |
12 | file://0001-workaround-busybox-limitation-in-linux-dhclient-script.patch \ | 12 | file://0001-workaround-busybox-limitation-in-linux-dhclient-script.patch \ |
13 | file://CVE-2021-25217.patch \ | ||
14 | file://CVE-2022-2928.patch \ | ||
15 | file://CVE-2022-2929.patch \ | ||
13 | " | 16 | " |
14 | 17 | ||
15 | SRC_URI[md5sum] = "2afdaf8498dc1edaf3012efdd589b3e1" | 18 | SRC_URI[md5sum] = "2afdaf8498dc1edaf3012efdd589b3e1" |
diff --git a/meta/recipes-connectivity/inetutils/inetutils/0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch b/meta/recipes-connectivity/inetutils/inetutils/0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch new file mode 100644 index 0000000000..aea07bd803 --- /dev/null +++ b/meta/recipes-connectivity/inetutils/inetutils/0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch | |||
@@ -0,0 +1,283 @@ | |||
1 | From 703418fe9d2e3b1e8d594df5788d8001a8116265 Mon Sep 17 00:00:00 2001 | ||
2 | From: Jeffrey Bencteux <jeffbencteux@gmail.com> | ||
3 | Date: Fri, 30 Jun 2023 19:02:45 +0200 | ||
4 | Subject: [PATCH] CVE-2023-40303: ftpd,rcp,rlogin,rsh,rshd,uucpd: fix: check | ||
5 | set*id() return values | ||
6 | |||
7 | Several setuid(), setgid(), seteuid() and setguid() return values | ||
8 | were not checked in ftpd/rcp/rlogin/rsh/rshd/uucpd code potentially | ||
9 | leading to potential security issues. | ||
10 | |||
11 | CVE: CVE-2023-40303 | ||
12 | Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6] | ||
13 | Signed-off-by: Jeffrey Bencteux <jeffbencteux@gmail.com> | ||
14 | Signed-off-by: Simon Josefsson <simon@josefsson.org> | ||
15 | Signed-off-by: Khem Raj <raj.khem@gmail.com> | ||
16 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
17 | --- | ||
18 | ftpd/ftpd.c | 10 +++++++--- | ||
19 | src/rcp.c | 39 +++++++++++++++++++++++++++++++++------ | ||
20 | src/rlogin.c | 11 +++++++++-- | ||
21 | src/rsh.c | 25 +++++++++++++++++++++---- | ||
22 | src/rshd.c | 20 +++++++++++++++++--- | ||
23 | src/uucpd.c | 15 +++++++++++++-- | ||
24 | 6 files changed, 100 insertions(+), 20 deletions(-) | ||
25 | |||
26 | diff --git a/ftpd/ftpd.c b/ftpd/ftpd.c | ||
27 | index 5db88d0..b52b122 100644 | ||
28 | --- a/ftpd/ftpd.c | ||
29 | +++ b/ftpd/ftpd.c | ||
30 | @@ -862,7 +862,9 @@ end_login (struct credentials *pcred) | ||
31 | char *remotehost = pcred->remotehost; | ||
32 | int atype = pcred->auth_type; | ||
33 | |||
34 | - seteuid ((uid_t) 0); | ||
35 | + if (seteuid ((uid_t) 0) == -1) | ||
36 | + _exit (EXIT_FAILURE); | ||
37 | + | ||
38 | if (pcred->logged_in) | ||
39 | { | ||
40 | logwtmp_keep_open (ttyline, "", ""); | ||
41 | @@ -1151,7 +1153,8 @@ getdatasock (const char *mode) | ||
42 | |||
43 | if (data >= 0) | ||
44 | return fdopen (data, mode); | ||
45 | - seteuid ((uid_t) 0); | ||
46 | + if (seteuid ((uid_t) 0) == -1) | ||
47 | + _exit (EXIT_FAILURE); | ||
48 | s = socket (ctrl_addr.ss_family, SOCK_STREAM, 0); | ||
49 | if (s < 0) | ||
50 | goto bad; | ||
51 | @@ -1978,7 +1981,8 @@ passive (int epsv, int af) | ||
52 | else /* !AF_INET6 */ | ||
53 | ((struct sockaddr_in *) &pasv_addr)->sin_port = 0; | ||
54 | |||
55 | - seteuid ((uid_t) 0); | ||
56 | + if (seteuid ((uid_t) 0) == -1) | ||
57 | + _exit (EXIT_FAILURE); | ||
58 | if (bind (pdata, (struct sockaddr *) &pasv_addr, pasv_addrlen) < 0) | ||
59 | { | ||
60 | if (seteuid ((uid_t) cred.uid)) | ||
61 | diff --git a/src/rcp.c b/src/rcp.c | ||
62 | index bafa35f..366295c 100644 | ||
63 | --- a/src/rcp.c | ||
64 | +++ b/src/rcp.c | ||
65 | @@ -347,14 +347,23 @@ main (int argc, char *argv[]) | ||
66 | if (from_option) | ||
67 | { /* Follow "protocol", send data. */ | ||
68 | response (); | ||
69 | - setuid (userid); | ||
70 | + | ||
71 | + if (setuid (userid) == -1) | ||
72 | + { | ||
73 | + error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); | ||
74 | + } | ||
75 | + | ||
76 | source (argc, argv); | ||
77 | exit (errs); | ||
78 | } | ||
79 | |||
80 | if (to_option) | ||
81 | { /* Receive data. */ | ||
82 | - setuid (userid); | ||
83 | + if (setuid (userid) == -1) | ||
84 | + { | ||
85 | + error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); | ||
86 | + } | ||
87 | + | ||
88 | sink (argc, argv); | ||
89 | exit (errs); | ||
90 | } | ||
91 | @@ -539,7 +548,11 @@ toremote (char *targ, int argc, char *argv[]) | ||
92 | if (response () < 0) | ||
93 | exit (EXIT_FAILURE); | ||
94 | free (bp); | ||
95 | - setuid (userid); | ||
96 | + | ||
97 | + if (setuid (userid) == -1) | ||
98 | + { | ||
99 | + error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); | ||
100 | + } | ||
101 | } | ||
102 | source (1, argv + i); | ||
103 | close (rem); | ||
104 | @@ -634,7 +647,12 @@ tolocal (int argc, char *argv[]) | ||
105 | ++errs; | ||
106 | continue; | ||
107 | } | ||
108 | - seteuid (userid); | ||
109 | + | ||
110 | + if (seteuid (userid) == -1) | ||
111 | + { | ||
112 | + error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)"); | ||
113 | + } | ||
114 | + | ||
115 | #if defined IP_TOS && defined IPPROTO_IP && defined IPTOS_THROUGHPUT | ||
116 | sslen = sizeof (ss); | ||
117 | (void) getpeername (rem, (struct sockaddr *) &ss, &sslen); | ||
118 | @@ -647,7 +665,12 @@ tolocal (int argc, char *argv[]) | ||
119 | #endif | ||
120 | vect[0] = target; | ||
121 | sink (1, vect); | ||
122 | - seteuid (effuid); | ||
123 | + | ||
124 | + if (seteuid (effuid) == -1) | ||
125 | + { | ||
126 | + error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)"); | ||
127 | + } | ||
128 | + | ||
129 | close (rem); | ||
130 | rem = -1; | ||
131 | #ifdef SHISHI | ||
132 | @@ -1453,7 +1476,11 @@ susystem (char *s, int userid) | ||
133 | return (127); | ||
134 | |||
135 | case 0: | ||
136 | - setuid (userid); | ||
137 | + if (setuid (userid) == -1) | ||
138 | + { | ||
139 | + error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); | ||
140 | + } | ||
141 | + | ||
142 | execl (PATH_BSHELL, "sh", "-c", s, NULL); | ||
143 | _exit (127); | ||
144 | } | ||
145 | diff --git a/src/rlogin.c b/src/rlogin.c | ||
146 | index e5e11a7..6b38901 100644 | ||
147 | --- a/src/rlogin.c | ||
148 | +++ b/src/rlogin.c | ||
149 | @@ -649,8 +649,15 @@ try_connect: | ||
150 | /* Now change to the real user ID. We have to be set-user-ID root | ||
151 | to get the privileged port that rcmd () uses. We now want, however, | ||
152 | to run as the real user who invoked us. */ | ||
153 | - seteuid (uid); | ||
154 | - setuid (uid); | ||
155 | + if (seteuid (uid) == -1) | ||
156 | + { | ||
157 | + error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)"); | ||
158 | + } | ||
159 | + | ||
160 | + if (setuid (uid) == -1) | ||
161 | + { | ||
162 | + error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); | ||
163 | + } | ||
164 | |||
165 | doit (&osmask); /* The old mask will activate SIGURG and SIGUSR1! */ | ||
166 | |||
167 | diff --git a/src/rsh.c b/src/rsh.c | ||
168 | index bd70372..b451a70 100644 | ||
169 | --- a/src/rsh.c | ||
170 | +++ b/src/rsh.c | ||
171 | @@ -278,8 +278,17 @@ main (int argc, char **argv) | ||
172 | { | ||
173 | if (asrsh) | ||
174 | *argv = (char *) "rlogin"; | ||
175 | - seteuid (getuid ()); | ||
176 | - setuid (getuid ()); | ||
177 | + | ||
178 | + if (seteuid (getuid ()) == -1) | ||
179 | + { | ||
180 | + error (EXIT_FAILURE, errno, "seteuid() failed"); | ||
181 | + } | ||
182 | + | ||
183 | + if (setuid (getuid ()) == -1) | ||
184 | + { | ||
185 | + error (EXIT_FAILURE, errno, "setuid() failed"); | ||
186 | + } | ||
187 | + | ||
188 | execv (PATH_RLOGIN, argv); | ||
189 | error (EXIT_FAILURE, errno, "cannot execute %s", PATH_RLOGIN); | ||
190 | } | ||
191 | @@ -543,8 +552,16 @@ try_connect: | ||
192 | error (0, errno, "setsockopt DEBUG (ignored)"); | ||
193 | } | ||
194 | |||
195 | - seteuid (uid); | ||
196 | - setuid (uid); | ||
197 | + if (seteuid (uid) == -1) | ||
198 | + { | ||
199 | + error (EXIT_FAILURE, errno, "seteuid() failed"); | ||
200 | + } | ||
201 | + | ||
202 | + if (setuid (uid) == -1) | ||
203 | + { | ||
204 | + error (EXIT_FAILURE, errno, "setuid() failed"); | ||
205 | + } | ||
206 | + | ||
207 | #ifdef HAVE_SIGACTION | ||
208 | sigemptyset (&sigs); | ||
209 | sigaddset (&sigs, SIGINT); | ||
210 | diff --git a/src/rshd.c b/src/rshd.c | ||
211 | index b824a10..8cdcd06 100644 | ||
212 | --- a/src/rshd.c | ||
213 | +++ b/src/rshd.c | ||
214 | @@ -1848,8 +1848,18 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t fromlen) | ||
215 | pwd->pw_shell = PATH_BSHELL; | ||
216 | |||
217 | /* Set the gid, then uid to become the user specified by "locuser" */ | ||
218 | - setegid ((gid_t) pwd->pw_gid); | ||
219 | - setgid ((gid_t) pwd->pw_gid); | ||
220 | + if (setegid ((gid_t) pwd->pw_gid) == -1) | ||
221 | + { | ||
222 | + rshd_error ("Cannot drop privileges (setegid() failed)\n"); | ||
223 | + exit (EXIT_FAILURE); | ||
224 | + } | ||
225 | + | ||
226 | + if (setgid ((gid_t) pwd->pw_gid) == -1) | ||
227 | + { | ||
228 | + rshd_error ("Cannot drop privileges (setgid() failed)\n"); | ||
229 | + exit (EXIT_FAILURE); | ||
230 | + } | ||
231 | + | ||
232 | #ifdef HAVE_INITGROUPS | ||
233 | initgroups (pwd->pw_name, pwd->pw_gid); /* BSD groups */ | ||
234 | #endif | ||
235 | @@ -1871,7 +1881,11 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t fromlen) | ||
236 | } | ||
237 | #endif /* WITH_PAM */ | ||
238 | |||
239 | - setuid ((uid_t) pwd->pw_uid); | ||
240 | + if (setuid ((uid_t) pwd->pw_uid) == -1) | ||
241 | + { | ||
242 | + rshd_error ("Cannot drop privileges (setuid() failed)\n"); | ||
243 | + exit (EXIT_FAILURE); | ||
244 | + } | ||
245 | |||
246 | /* We'll execute the client's command in the home directory | ||
247 | * of locuser. Note, that the chdir must be executed after | ||
248 | diff --git a/src/uucpd.c b/src/uucpd.c | ||
249 | index 55c3d44..6aba294 100644 | ||
250 | --- a/src/uucpd.c | ||
251 | +++ b/src/uucpd.c | ||
252 | @@ -254,7 +254,12 @@ doit (struct sockaddr *sap, socklen_t salen) | ||
253 | sprintf (Username, "USER=%s", user); | ||
254 | sprintf (Logname, "LOGNAME=%s", user); | ||
255 | dologin (pw, sap, salen); | ||
256 | - setgid (pw->pw_gid); | ||
257 | + | ||
258 | + if (setgid (pw->pw_gid) == -1) | ||
259 | + { | ||
260 | + fprintf (stderr, "setgid() failed"); | ||
261 | + return; | ||
262 | + } | ||
263 | #ifdef HAVE_INITGROUPS | ||
264 | initgroups (pw->pw_name, pw->pw_gid); | ||
265 | #endif | ||
266 | @@ -263,7 +268,13 @@ doit (struct sockaddr *sap, socklen_t salen) | ||
267 | fprintf (stderr, "Login incorrect."); | ||
268 | return; | ||
269 | } | ||
270 | - setuid (pw->pw_uid); | ||
271 | + | ||
272 | + if (setuid (pw->pw_uid) == -1) | ||
273 | + { | ||
274 | + fprintf (stderr, "setuid() failed"); | ||
275 | + return; | ||
276 | + } | ||
277 | + | ||
278 | execl (uucico_location, "uucico", NULL); | ||
279 | perror ("uucico server: execl"); | ||
280 | } | ||
281 | -- | ||
282 | 2.25.1 | ||
283 | |||
diff --git a/meta/recipes-connectivity/inetutils/inetutils/0002-CVE-2023-40303-Indent-changes-in-previous-commit.patch b/meta/recipes-connectivity/inetutils/inetutils/0002-CVE-2023-40303-Indent-changes-in-previous-commit.patch new file mode 100644 index 0000000000..4bc354d256 --- /dev/null +++ b/meta/recipes-connectivity/inetutils/inetutils/0002-CVE-2023-40303-Indent-changes-in-previous-commit.patch | |||
@@ -0,0 +1,254 @@ | |||
1 | From 70fe022f9dac760eaece0228cad17e3d29a57fb8 Mon Sep 17 00:00:00 2001 | ||
2 | From: Simon Josefsson <simon@josefsson.org> | ||
3 | Date: Mon, 31 Jul 2023 13:59:05 +0200 | ||
4 | Subject: [PATCH] CVE-2023-40303: Indent changes in previous commit. | ||
5 | |||
6 | CVE: CVE-2023-40303 | ||
7 | Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=9122999252c7e21eb7774de11d539748e7bdf46d] | ||
8 | Signed-off-by: Khem Raj <raj.khem@gmail.com> | ||
9 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
10 | --- | ||
11 | src/rcp.c | 42 ++++++++++++++++++++++++------------------ | ||
12 | src/rlogin.c | 12 ++++++------ | ||
13 | src/rsh.c | 24 ++++++++++++------------ | ||
14 | src/rshd.c | 24 ++++++++++++------------ | ||
15 | src/uucpd.c | 16 ++++++++-------- | ||
16 | 5 files changed, 62 insertions(+), 56 deletions(-) | ||
17 | |||
18 | diff --git a/src/rcp.c b/src/rcp.c | ||
19 | index cdcf8500..652f22e6 100644 | ||
20 | --- a/src/rcp.c | ||
21 | +++ b/src/rcp.c | ||
22 | @@ -347,9 +347,10 @@ main (int argc, char *argv[]) | ||
23 | response (); | ||
24 | |||
25 | if (setuid (userid) == -1) | ||
26 | - { | ||
27 | - error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); | ||
28 | - } | ||
29 | + { | ||
30 | + error (EXIT_FAILURE, 0, | ||
31 | + "Could not drop privileges (setuid() failed)"); | ||
32 | + } | ||
33 | |||
34 | source (argc, argv); | ||
35 | exit (errs); | ||
36 | @@ -358,9 +359,10 @@ main (int argc, char *argv[]) | ||
37 | if (to_option) | ||
38 | { /* Receive data. */ | ||
39 | if (setuid (userid) == -1) | ||
40 | - { | ||
41 | - error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); | ||
42 | - } | ||
43 | + { | ||
44 | + error (EXIT_FAILURE, 0, | ||
45 | + "Could not drop privileges (setuid() failed)"); | ||
46 | + } | ||
47 | |||
48 | sink (argc, argv); | ||
49 | exit (errs); | ||
50 | @@ -548,9 +550,10 @@ toremote (char *targ, int argc, char *argv[]) | ||
51 | free (bp); | ||
52 | |||
53 | if (setuid (userid) == -1) | ||
54 | - { | ||
55 | - error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); | ||
56 | - } | ||
57 | + { | ||
58 | + error (EXIT_FAILURE, 0, | ||
59 | + "Could not drop privileges (setuid() failed)"); | ||
60 | + } | ||
61 | } | ||
62 | source (1, argv + i); | ||
63 | close (rem); | ||
64 | @@ -645,9 +648,10 @@ tolocal (int argc, char *argv[]) | ||
65 | } | ||
66 | |||
67 | if (seteuid (userid) == -1) | ||
68 | - { | ||
69 | - error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)"); | ||
70 | - } | ||
71 | + { | ||
72 | + error (EXIT_FAILURE, 0, | ||
73 | + "Could not drop privileges (seteuid() failed)"); | ||
74 | + } | ||
75 | |||
76 | #if defined IP_TOS && defined IPPROTO_IP && defined IPTOS_THROUGHPUT | ||
77 | sslen = sizeof (ss); | ||
78 | @@ -663,9 +667,10 @@ tolocal (int argc, char *argv[]) | ||
79 | sink (1, vect); | ||
80 | |||
81 | if (seteuid (effuid) == -1) | ||
82 | - { | ||
83 | - error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)"); | ||
84 | - } | ||
85 | + { | ||
86 | + error (EXIT_FAILURE, 0, | ||
87 | + "Could not drop privileges (seteuid() failed)"); | ||
88 | + } | ||
89 | |||
90 | close (rem); | ||
91 | rem = -1; | ||
92 | @@ -1465,9 +1470,10 @@ susystem (char *s, int userid) | ||
93 | |||
94 | case 0: | ||
95 | if (setuid (userid) == -1) | ||
96 | - { | ||
97 | - error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); | ||
98 | - } | ||
99 | + { | ||
100 | + error (EXIT_FAILURE, 0, | ||
101 | + "Could not drop privileges (setuid() failed)"); | ||
102 | + } | ||
103 | |||
104 | execl (PATH_BSHELL, "sh", "-c", s, NULL); | ||
105 | _exit (127); | ||
106 | diff --git a/src/rlogin.c b/src/rlogin.c | ||
107 | index c543de0c..4360202f 100644 | ||
108 | --- a/src/rlogin.c | ||
109 | +++ b/src/rlogin.c | ||
110 | @@ -648,14 +648,14 @@ try_connect: | ||
111 | to get the privileged port that rcmd () uses. We now want, however, | ||
112 | to run as the real user who invoked us. */ | ||
113 | if (seteuid (uid) == -1) | ||
114 | - { | ||
115 | - error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)"); | ||
116 | - } | ||
117 | + { | ||
118 | + error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)"); | ||
119 | + } | ||
120 | |||
121 | if (setuid (uid) == -1) | ||
122 | - { | ||
123 | - error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); | ||
124 | - } | ||
125 | + { | ||
126 | + error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); | ||
127 | + } | ||
128 | |||
129 | doit (&osmask); /* The old mask will activate SIGURG and SIGUSR1! */ | ||
130 | |||
131 | diff --git a/src/rsh.c b/src/rsh.c | ||
132 | index 6f60667d..179b47cd 100644 | ||
133 | --- a/src/rsh.c | ||
134 | +++ b/src/rsh.c | ||
135 | @@ -278,14 +278,14 @@ main (int argc, char **argv) | ||
136 | *argv = (char *) "rlogin"; | ||
137 | |||
138 | if (seteuid (getuid ()) == -1) | ||
139 | - { | ||
140 | - error (EXIT_FAILURE, errno, "seteuid() failed"); | ||
141 | - } | ||
142 | + { | ||
143 | + error (EXIT_FAILURE, errno, "seteuid() failed"); | ||
144 | + } | ||
145 | |||
146 | if (setuid (getuid ()) == -1) | ||
147 | - { | ||
148 | - error (EXIT_FAILURE, errno, "setuid() failed"); | ||
149 | - } | ||
150 | + { | ||
151 | + error (EXIT_FAILURE, errno, "setuid() failed"); | ||
152 | + } | ||
153 | |||
154 | execv (PATH_RLOGIN, argv); | ||
155 | error (EXIT_FAILURE, errno, "cannot execute %s", PATH_RLOGIN); | ||
156 | @@ -551,14 +551,14 @@ try_connect: | ||
157 | } | ||
158 | |||
159 | if (seteuid (uid) == -1) | ||
160 | - { | ||
161 | - error (EXIT_FAILURE, errno, "seteuid() failed"); | ||
162 | - } | ||
163 | + { | ||
164 | + error (EXIT_FAILURE, errno, "seteuid() failed"); | ||
165 | + } | ||
166 | |||
167 | if (setuid (uid) == -1) | ||
168 | - { | ||
169 | - error (EXIT_FAILURE, errno, "setuid() failed"); | ||
170 | - } | ||
171 | + { | ||
172 | + error (EXIT_FAILURE, errno, "setuid() failed"); | ||
173 | + } | ||
174 | |||
175 | #ifdef HAVE_SIGACTION | ||
176 | sigemptyset (&sigs); | ||
177 | diff --git a/src/rshd.c b/src/rshd.c | ||
178 | index 707790e7..3a153a18 100644 | ||
179 | --- a/src/rshd.c | ||
180 | +++ b/src/rshd.c | ||
181 | @@ -1848,16 +1848,16 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t fromlen) | ||
182 | |||
183 | /* Set the gid, then uid to become the user specified by "locuser" */ | ||
184 | if (setegid ((gid_t) pwd->pw_gid) == -1) | ||
185 | - { | ||
186 | - rshd_error ("Cannot drop privileges (setegid() failed)\n"); | ||
187 | - exit (EXIT_FAILURE); | ||
188 | - } | ||
189 | + { | ||
190 | + rshd_error ("Cannot drop privileges (setegid() failed)\n"); | ||
191 | + exit (EXIT_FAILURE); | ||
192 | + } | ||
193 | |||
194 | if (setgid ((gid_t) pwd->pw_gid) == -1) | ||
195 | - { | ||
196 | - rshd_error ("Cannot drop privileges (setgid() failed)\n"); | ||
197 | - exit (EXIT_FAILURE); | ||
198 | - } | ||
199 | + { | ||
200 | + rshd_error ("Cannot drop privileges (setgid() failed)\n"); | ||
201 | + exit (EXIT_FAILURE); | ||
202 | + } | ||
203 | |||
204 | #ifdef HAVE_INITGROUPS | ||
205 | initgroups (pwd->pw_name, pwd->pw_gid); /* BSD groups */ | ||
206 | @@ -1881,10 +1881,10 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t fromlen) | ||
207 | #endif /* WITH_PAM */ | ||
208 | |||
209 | if (setuid ((uid_t) pwd->pw_uid) == -1) | ||
210 | - { | ||
211 | - rshd_error ("Cannot drop privileges (setuid() failed)\n"); | ||
212 | - exit (EXIT_FAILURE); | ||
213 | - } | ||
214 | + { | ||
215 | + rshd_error ("Cannot drop privileges (setuid() failed)\n"); | ||
216 | + exit (EXIT_FAILURE); | ||
217 | + } | ||
218 | |||
219 | /* We'll execute the client's command in the home directory | ||
220 | * of locuser. Note, that the chdir must be executed after | ||
221 | diff --git a/src/uucpd.c b/src/uucpd.c | ||
222 | index 29cfce35..fde7b9c9 100644 | ||
223 | --- a/src/uucpd.c | ||
224 | +++ b/src/uucpd.c | ||
225 | @@ -254,10 +254,10 @@ doit (struct sockaddr *sap, socklen_t salen) | ||
226 | dologin (pw, sap, salen); | ||
227 | |||
228 | if (setgid (pw->pw_gid) == -1) | ||
229 | - { | ||
230 | - fprintf (stderr, "setgid() failed"); | ||
231 | - return; | ||
232 | - } | ||
233 | + { | ||
234 | + fprintf (stderr, "setgid() failed"); | ||
235 | + return; | ||
236 | + } | ||
237 | #ifdef HAVE_INITGROUPS | ||
238 | initgroups (pw->pw_name, pw->pw_gid); | ||
239 | #endif | ||
240 | @@ -268,10 +268,10 @@ doit (struct sockaddr *sap, socklen_t salen) | ||
241 | } | ||
242 | |||
243 | if (setuid (pw->pw_uid) == -1) | ||
244 | - { | ||
245 | - fprintf (stderr, "setuid() failed"); | ||
246 | - return; | ||
247 | - } | ||
248 | + { | ||
249 | + fprintf (stderr, "setuid() failed"); | ||
250 | + return; | ||
251 | + } | ||
252 | |||
253 | execl (uucico_location, "uucico", NULL); | ||
254 | perror ("uucico server: execl"); | ||
diff --git a/meta/recipes-connectivity/inetutils/inetutils/CVE-2021-40491.patch b/meta/recipes-connectivity/inetutils/inetutils/CVE-2021-40491.patch new file mode 100644 index 0000000000..54252d6bc7 --- /dev/null +++ b/meta/recipes-connectivity/inetutils/inetutils/CVE-2021-40491.patch | |||
@@ -0,0 +1,67 @@ | |||
1 | From 4e355804d57d5686defc363c70f81e6f58cd08f0 Mon Sep 17 00:00:00 2001 | ||
2 | From: Simon Josefsson <simon@josefsson.org> | ||
3 | Date: Fri, 17 Dec 2021 21:52:18 -0800 | ||
4 | Subject: [PATCH] ftp: check that PASV/LSPV addresses match. | ||
5 | |||
6 | * NEWS: Mention change. | ||
7 | * ftp/ftp.c (initconn): Validate returned addresses. | ||
8 | |||
9 | CVE: CVE-2021-40491 | ||
10 | |||
11 | Upstream-Status: Backport | ||
12 | [https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=58cb043b190fd04effdaea7c9403416b436e50dd] | ||
13 | |||
14 | Signed-off-by: Minjae Kim <flowergom@gmail.com> | ||
15 | --- | ||
16 | ftp/ftp.c | 21 +++++++++++++++++++++ | ||
17 | 1 file changed, 21 insertions(+) | ||
18 | |||
19 | diff --git a/ftp/ftp.c b/ftp/ftp.c | ||
20 | index 9813586..7c72cb2 100644 | ||
21 | --- a/ftp/ftp.c | ||
22 | +++ b/ftp/ftp.c | ||
23 | @@ -1344,6 +1344,13 @@ initconn (void) | ||
24 | uint32_t *pu32 = (uint32_t *) &data_addr_sa4->sin_addr.s_addr; | ||
25 | pu32[0] = htonl ( (h[0] << 24) | (h[1] << 16) | (h[2] << 8) | h[3]); | ||
26 | } | ||
27 | + if (data_addr_sa4->sin_addr.s_addr | ||
28 | + != ((struct sockaddr_in *) &hisctladdr)->sin_addr.s_addr) | ||
29 | + { | ||
30 | + printf ("Passive mode address mismatch.\n"); | ||
31 | + (void) command ("ABOR"); /* Cancel any open connection. */ | ||
32 | + goto bad; | ||
33 | + } | ||
34 | } /* LPSV IPv4 */ | ||
35 | else /* IPv6 */ | ||
36 | { | ||
37 | @@ -1374,6 +1381,13 @@ initconn (void) | ||
38 | pu32[2] = htonl ( (h[8] << 24) | (h[9] << 16) | (h[10] << 8) | h[11]); | ||
39 | pu32[3] = htonl ( (h[12] << 24) | (h[13] << 16) | (h[14] << 8) | h[15]); | ||
40 | } | ||
41 | + if (data_addr_sa6->sin6_addr.s6_addr | ||
42 | + != ((struct sockaddr_in6 *) &hisctladdr)->sin6_addr.s6_addr) | ||
43 | + { | ||
44 | + printf ("Passive mode address mismatch.\n"); | ||
45 | + (void) command ("ABOR"); /* Cancel any open connection. */ | ||
46 | + goto bad; | ||
47 | + } | ||
48 | } /* LPSV IPv6 */ | ||
49 | } | ||
50 | else /* !EPSV && !LPSV */ | ||
51 | @@ -1394,6 +1408,13 @@ initconn (void) | ||
52 | | ((a2 & 0xff) << 8) | (a3 & 0xff) ); | ||
53 | data_addr_sa4->sin_port = | ||
54 | htons (((p0 & 0xff) << 8) | (p1 & 0xff)); | ||
55 | + if (data_addr_sa4->sin_addr.s_addr | ||
56 | + != ((struct sockaddr_in *) &hisctladdr)->sin_addr.s_addr) | ||
57 | + { | ||
58 | + printf ("Passive mode address mismatch.\n"); | ||
59 | + (void) command ("ABOR"); /* Cancel any open connection. */ | ||
60 | + goto bad; | ||
61 | + } | ||
62 | } /* PASV */ | ||
63 | else | ||
64 | { | ||
65 | -- | ||
66 | 2.25.1 | ||
67 | |||
diff --git a/meta/recipes-connectivity/inetutils/inetutils/CVE-2022-39028.patch b/meta/recipes-connectivity/inetutils/inetutils/CVE-2022-39028.patch new file mode 100644 index 0000000000..da2da8da8a --- /dev/null +++ b/meta/recipes-connectivity/inetutils/inetutils/CVE-2022-39028.patch | |||
@@ -0,0 +1,54 @@ | |||
1 | From eaae65aac967f9628787dca4a2501ca860bb6598 Mon Sep 17 00:00:00 2001 | ||
2 | From: Minjae Kim <flowergom@gmail.com> | ||
3 | Date: Mon, 26 Sep 2022 22:05:07 +0200 | ||
4 | Subject: [PATCH] telnetd: Handle early IAC EC or IAC EL receipt | ||
5 | |||
6 | Fix telnetd crash if the first two bytes of a new connection | ||
7 | are 0xff 0xf7 (IAC EC) or 0xff 0xf8 (IAC EL). | ||
8 | |||
9 | The problem was reported in: | ||
10 | <https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html>. | ||
11 | |||
12 | * NEWS: Mention fix. | ||
13 | * telnetd/state.c (telrcv): Handle zero slctab[SLC_EC].sptr and | ||
14 | zero slctab[SLC_EL].sptr. | ||
15 | |||
16 | CVE: CVE-2022-39028 | ||
17 | Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=fae8263e467380483c28513c0e5fac143e46f94f] | ||
18 | Signed-off-by: Minjae Kim<flowergom@gmail.com> | ||
19 | --- | ||
20 | telnetd/state.c | 12 +++++++++--- | ||
21 | 1 file changed, 9 insertions(+), 3 deletions(-) | ||
22 | |||
23 | diff --git a/telnetd/state.c b/telnetd/state.c | ||
24 | index 2184bca..7948503 100644 | ||
25 | --- a/telnetd/state.c | ||
26 | +++ b/telnetd/state.c | ||
27 | @@ -314,15 +314,21 @@ telrcv (void) | ||
28 | case EC: | ||
29 | case EL: | ||
30 | { | ||
31 | - cc_t ch; | ||
32 | + cc_t ch = (cc_t) (_POSIX_VDISABLE); | ||
33 | |||
34 | DEBUG (debug_options, 1, printoption ("td: recv IAC", c)); | ||
35 | ptyflush (); /* half-hearted */ | ||
36 | init_termbuf (); | ||
37 | if (c == EC) | ||
38 | - ch = *slctab[SLC_EC].sptr; | ||
39 | + { | ||
40 | + if (slctab[SLC_EC].sptr) | ||
41 | + ch = *slctab[SLC_EC].sptr; | ||
42 | + } | ||
43 | else | ||
44 | - ch = *slctab[SLC_EL].sptr; | ||
45 | + { | ||
46 | + if (slctab[SLC_EL].sptr) | ||
47 | + ch = *slctab[SLC_EL].sptr; | ||
48 | + } | ||
49 | if (ch != (cc_t) (_POSIX_VDISABLE)) | ||
50 | pty_output_byte ((unsigned char) ch); | ||
51 | break; | ||
52 | -- | ||
53 | 2.25.1 | ||
54 | |||
diff --git a/meta/recipes-connectivity/inetutils/inetutils_1.9.4.bb b/meta/recipes-connectivity/inetutils/inetutils_1.9.4.bb index cc9410b94e..3a68b34825 100644 --- a/meta/recipes-connectivity/inetutils/inetutils_1.9.4.bb +++ b/meta/recipes-connectivity/inetutils/inetutils_1.9.4.bb | |||
@@ -23,6 +23,10 @@ SRC_URI = "${GNU_MIRROR}/inetutils/inetutils-${PV}.tar.gz \ | |||
23 | file://inetutils-only-check-pam_appl.h-when-pam-enabled.patch \ | 23 | file://inetutils-only-check-pam_appl.h-when-pam-enabled.patch \ |
24 | file://0001-rcp-fix-to-work-with-large-files.patch \ | 24 | file://0001-rcp-fix-to-work-with-large-files.patch \ |
25 | file://fix-buffer-fortify-tfpt.patch \ | 25 | file://fix-buffer-fortify-tfpt.patch \ |
26 | file://CVE-2021-40491.patch \ | ||
27 | file://CVE-2022-39028.patch \ | ||
28 | file://0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch \ | ||
29 | file://0002-CVE-2023-40303-Indent-changes-in-previous-commit.patch \ | ||
26 | " | 30 | " |
27 | 31 | ||
28 | SRC_URI[md5sum] = "04852c26c47cc8c6b825f2b74f191f52" | 32 | SRC_URI[md5sum] = "04852c26c47cc8c6b825f2b74f191f52" |
diff --git a/meta/recipes-connectivity/libnss-mdns/libnss-mdns_0.14.1.bb b/meta/recipes-connectivity/libnss-mdns/libnss-mdns_0.14.1.bb index 5e4460045b..5213b28345 100644 --- a/meta/recipes-connectivity/libnss-mdns/libnss-mdns_0.14.1.bb +++ b/meta/recipes-connectivity/libnss-mdns/libnss-mdns_0.14.1.bb | |||
@@ -1,5 +1,6 @@ | |||
1 | SUMMARY = "Name Service Switch module for Multicast DNS (zeroconf) name resolution" | 1 | SUMMARY = "Name Service Switch module for Multicast DNS (zeroconf) name resolution" |
2 | HOMEPAGE = "https://github.com/lathiat/nss-mdns" | 2 | HOMEPAGE = "https://github.com/lathiat/nss-mdns" |
3 | DESCRIPTION = "nss-mdns is a plugin for the GNU Name Service Switch (NSS) functionality of the GNU C Library (glibc) providing host name resolution via Multicast DNS (aka Zeroconf, aka Apple Rendezvous, aka Apple Bonjour), effectively allowing name resolution by common Unix/Linux programs in the ad-hoc mDNS domain .local." | ||
3 | SECTION = "libs" | 4 | SECTION = "libs" |
4 | 5 | ||
5 | LICENSE = "LGPLv2.1+" | 6 | LICENSE = "LGPLv2.1+" |
@@ -7,7 +8,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=2d5025d4aa3495befef8f17206a5b0a1" | |||
7 | 8 | ||
8 | DEPENDS = "avahi" | 9 | DEPENDS = "avahi" |
9 | 10 | ||
10 | SRC_URI = "git://github.com/lathiat/nss-mdns \ | 11 | SRC_URI = "git://github.com/lathiat/nss-mdns;branch=master;protocol=https \ |
11 | " | 12 | " |
12 | 13 | ||
13 | SRCREV = "41c9c5e78f287ed4b41ac438c1873fa71bfa70ae" | 14 | SRCREV = "41c9c5e78f287ed4b41ac438c1873fa71bfa70ae" |
diff --git a/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb b/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb index 7dccc15e03..a4030b7b32 100644 --- a/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb +++ b/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb | |||
@@ -1,13 +1,15 @@ | |||
1 | SUMMARY = "Mobile Broadband Service Provider Database" | 1 | SUMMARY = "Mobile Broadband Service Provider Database" |
2 | HOMEPAGE = "http://live.gnome.org/NetworkManager/MobileBroadband/ServiceProviders" | 2 | HOMEPAGE = "http://live.gnome.org/NetworkManager/MobileBroadband/ServiceProviders" |
3 | DESCRIPTION = "Mobile Broadband Service Provider Database stores service provider specific information. When this Database is available the information can be fetched there" | ||
3 | SECTION = "network" | 4 | SECTION = "network" |
4 | LICENSE = "PD" | 5 | LICENSE = "PD" |
5 | LIC_FILES_CHKSUM = "file://COPYING;md5=87964579b2a8ece4bc6744d2dc9a8b04" | 6 | LIC_FILES_CHKSUM = "file://COPYING;md5=87964579b2a8ece4bc6744d2dc9a8b04" |
6 | SRCREV = "90f3fe28aa25135b7e4a54a7816388913bfd4a2a" | 7 | |
7 | PV = "20201225" | 8 | SRCREV = "aae7c68671d225e6d35224613d5b98192b9b2ffe" |
9 | PV = "20230416" | ||
8 | PE = "1" | 10 | PE = "1" |
9 | 11 | ||
10 | SRC_URI = "git://gitlab.gnome.org/GNOME/mobile-broadband-provider-info.git;protocol=https" | 12 | SRC_URI = "git://gitlab.gnome.org/GNOME/mobile-broadband-provider-info.git;protocol=https;branch=main" |
11 | S = "${WORKDIR}/git" | 13 | S = "${WORKDIR}/git" |
12 | 14 | ||
13 | inherit autotools | 15 | inherit autotools |
diff --git a/meta/recipes-connectivity/neard/neard_0.16.bb b/meta/recipes-connectivity/neard/neard_0.16.bb index 7c124a3c0b..dd0742f792 100644 --- a/meta/recipes-connectivity/neard/neard_0.16.bb +++ b/meta/recipes-connectivity/neard/neard_0.16.bb | |||
@@ -2,21 +2,22 @@ SUMMARY = "Linux NFC daemon" | |||
2 | DESCRIPTION = "A daemon for the Linux Near Field Communication stack" | 2 | DESCRIPTION = "A daemon for the Linux Near Field Communication stack" |
3 | HOMEPAGE = "http://01.org/linux-nfc" | 3 | HOMEPAGE = "http://01.org/linux-nfc" |
4 | LICENSE = "GPLv2" | 4 | LICENSE = "GPLv2" |
5 | LIC_FILES_CHKSUM = "file://COPYING;md5=12f884d2ae1ff87c09e5b7ccc2c4ca7e \ | ||
6 | file://src/near.h;beginline=1;endline=20;md5=358e4deefef251a4761e1ffacc965d13 \ | ||
7 | " | ||
5 | 8 | ||
6 | DEPENDS = "dbus glib-2.0 libnl" | 9 | DEPENDS = "dbus glib-2.0 libnl" |
7 | 10 | ||
8 | SRC_URI = "${KERNELORG_MIRROR}/linux/network/nfc/${BP}.tar.xz \ | 11 | SRC_URI = "git://git.kernel.org/pub/scm/network/nfc/neard.git;protocol=git;branch=master \ |
9 | file://neard.in \ | 12 | file://neard.in \ |
10 | file://Makefile.am-fix-parallel-issue.patch \ | 13 | file://Makefile.am-fix-parallel-issue.patch \ |
11 | file://Makefile.am-do-not-ship-version.h.patch \ | 14 | file://Makefile.am-do-not-ship-version.h.patch \ |
12 | file://0001-Add-header-dependency-to-nciattach.o.patch \ | 15 | file://0001-Add-header-dependency-to-nciattach.o.patch \ |
13 | " | 16 | " |
14 | SRC_URI[md5sum] = "5c691fb7872856dc0d909c298bc8cb41" | ||
15 | SRC_URI[sha256sum] = "eae3b11c541a988ec11ca94b7deab01080cd5b58cfef3ced6ceac9b6e6e65b36" | ||
16 | 17 | ||
17 | LIC_FILES_CHKSUM = "file://COPYING;md5=12f884d2ae1ff87c09e5b7ccc2c4ca7e \ | 18 | SRCREV = "949795024f7625420e93e288c56e194cb9a3e74a" |
18 | file://src/near.h;beginline=1;endline=20;md5=358e4deefef251a4761e1ffacc965d13 \ | 19 | |
19 | " | 20 | S = "${WORKDIR}/git" |
20 | 21 | ||
21 | inherit autotools pkgconfig systemd update-rc.d | 22 | inherit autotools pkgconfig systemd update-rc.d |
22 | 23 | ||
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch new file mode 100644 index 0000000000..3adb981fb4 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch | |||
@@ -0,0 +1,97 @@ | |||
1 | From b3855ff053f5078ec3d3c653cdaedefaa5fc362d Mon Sep 17 00:00:00 2001 | ||
2 | From: "djm@openbsd.org" <djm@openbsd.org> | ||
3 | Date: Fri, 18 Sep 2020 05:23:03 +0000 | ||
4 | Subject: upstream: tweak the client hostkey preference ordering algorithm to | ||
5 | |||
6 | prefer the default ordering if the user has a key that matches the | ||
7 | best-preference default algorithm. | ||
8 | |||
9 | feedback and ok markus@ | ||
10 | |||
11 | OpenBSD-Commit-ID: a92dd7d7520ddd95c0a16786a7519e6d0167d35f | ||
12 | |||
13 | Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> | ||
14 | --- | ||
15 | sshconnect2.c | 41 ++++++++++++++++++++++++++++++++++++++--- | ||
16 | 1 file changed, 38 insertions(+), 3 deletions(-) | ||
17 | |||
18 | CVE: CVE-2020-14145 | ||
19 | Upstream-Status: Backport [https://anongit.mindrot.org/openssh.git/patch/?id=b3855ff053f5078ec3d3c653cdaedefaa5fc362d] | ||
20 | Comment: Refreshed first hunk | ||
21 | |||
22 | diff --git a/sshconnect2.c b/sshconnect2.c | ||
23 | index 347e348c..f64aae66 100644 | ||
24 | --- a/sshconnect2.c | ||
25 | +++ b/sshconnect2.c | ||
26 | @@ -1,4 +1,4 @@ | ||
27 | -/* $OpenBSD: sshconnect2.c,v 1.320 2020/02/06 22:48:23 djm Exp $ */ | ||
28 | +/* $OpenBSD: sshconnect2.c,v 1.326 2020/09/18 05:23:03 djm Exp $ */ | ||
29 | /* | ||
30 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | ||
31 | * Copyright (c) 2008 Damien Miller. All rights reserved. | ||
32 | @@ -102,12 +102,25 @@ verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh) | ||
33 | return 0; | ||
34 | } | ||
35 | |||
36 | +/* Returns the first item from a comma-separated algorithm list */ | ||
37 | +static char * | ||
38 | +first_alg(const char *algs) | ||
39 | +{ | ||
40 | + char *ret, *cp; | ||
41 | + | ||
42 | + ret = xstrdup(algs); | ||
43 | + if ((cp = strchr(ret, ',')) != NULL) | ||
44 | + *cp = '\0'; | ||
45 | + return ret; | ||
46 | +} | ||
47 | + | ||
48 | static char * | ||
49 | order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port) | ||
50 | { | ||
51 | - char *oavail, *avail, *first, *last, *alg, *hostname, *ret; | ||
52 | + char *oavail = NULL, *avail = NULL, *first = NULL, *last = NULL; | ||
53 | + char *alg = NULL, *hostname = NULL, *ret = NULL, *best = NULL; | ||
54 | size_t maxlen; | ||
55 | - struct hostkeys *hostkeys; | ||
56 | + struct hostkeys *hostkeys = NULL; | ||
57 | int ktype; | ||
58 | u_int i; | ||
59 | |||
60 | @@ -119,6 +132,26 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port) | ||
61 | for (i = 0; i < options.num_system_hostfiles; i++) | ||
62 | load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]); | ||
63 | |||
64 | + /* | ||
65 | + * If a plain public key exists that matches the type of the best | ||
66 | + * preference HostkeyAlgorithms, then use the whole list as is. | ||
67 | + * Note that we ignore whether the best preference algorithm is a | ||
68 | + * certificate type, as sshconnect.c will downgrade certs to | ||
69 | + * plain keys if necessary. | ||
70 | + */ | ||
71 | + best = first_alg(options.hostkeyalgorithms); | ||
72 | + if (lookup_key_in_hostkeys_by_type(hostkeys, | ||
73 | + sshkey_type_plain(sshkey_type_from_name(best)), NULL)) { | ||
74 | + debug3("%s: have matching best-preference key type %s, " | ||
75 | + "using HostkeyAlgorithms verbatim", __func__, best); | ||
76 | + ret = xstrdup(options.hostkeyalgorithms); | ||
77 | + goto out; | ||
78 | + } | ||
79 | + | ||
80 | + /* | ||
81 | + * Otherwise, prefer the host key algorithms that match known keys | ||
82 | + * while keeping the ordering of HostkeyAlgorithms as much as possible. | ||
83 | + */ | ||
84 | oavail = avail = xstrdup(options.hostkeyalgorithms); | ||
85 | maxlen = strlen(avail) + 1; | ||
86 | first = xmalloc(maxlen); | ||
87 | @@ -159,6 +192,8 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port) | ||
88 | if (*first != '\0') | ||
89 | debug3("%s: prefer hostkeyalgs: %s", __func__, first); | ||
90 | |||
91 | + out: | ||
92 | + free(best); | ||
93 | free(first); | ||
94 | free(last); | ||
95 | free(hostname); | ||
96 | -- | ||
97 | cgit v1.2.3 | ||
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2021-28041.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2021-28041.patch new file mode 100644 index 0000000000..9fd7e932d1 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2021-28041.patch | |||
@@ -0,0 +1,20 @@ | |||
1 | Description: fix double-free memory corruption in ssh-agent | ||
2 | Author: Marc Deslauriers <marc.deslauriers@canonical.com> | ||
3 | Origin: minimal fix for https://github.com/openssh/openssh-portable/commit/e04fd6dde16de1cdc5a4d9946397ff60d96568db | ||
4 | |||
5 | Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> | ||
6 | |||
7 | CVE: CVE-2021-28041 | ||
8 | Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_8.2p1-4ubuntu0.3.debian.tar.xz] | ||
9 | Comment: No change in any hunk | ||
10 | |||
11 | --- a/ssh-agent.c | ||
12 | +++ b/ssh-agent.c | ||
13 | @@ -496,6 +496,7 @@ process_add_identity(SocketEntry *e) | ||
14 | goto err; | ||
15 | } | ||
16 | free(ext_name); | ||
17 | + ext_name = NULL; | ||
18 | break; | ||
19 | default: | ||
20 | error("%s: Unknown constraint %d", __func__, ctype); | ||
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch new file mode 100644 index 0000000000..bda896f581 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch | |||
@@ -0,0 +1,52 @@ | |||
1 | From a6414400ec94a17871081f7df24f910a6ee01b8b Mon Sep 17 00:00:00 2001 | ||
2 | From: Ali Abdallah <aabdallah@suse.de> | ||
3 | Date: Wed, 24 Nov 2021 13:33:39 +0100 | ||
4 | Subject: [PATCH] CVE-2021-41617 fix | ||
5 | |||
6 | backport of the following two upstream commits | ||
7 | |||
8 | f3cbe43e28fe71427d41cfe3a17125b972710455 | ||
9 | bf944e3794eff5413f2df1ef37cddf96918c6bde | ||
10 | |||
11 | CVE-2021-41617 failed to correctly initialise supplemental groups | ||
12 | when executing an AuthorizedKeysCommand or AuthorizedPrincipalsCommand, | ||
13 | where a AuthorizedKeysCommandUser or AuthorizedPrincipalsCommandUser | ||
14 | directive has been set to run the command as a different user. Instead | ||
15 | these commands would inherit the groups that sshd(8) was started with. | ||
16 | --- | ||
17 | auth.c | 8 ++++++++ | ||
18 | 1 file changed, 8 insertions(+) | ||
19 | |||
20 | CVE: CVE-2021-41617 | ||
21 | Upstream-Status: Backport [https://bugzilla.suse.com/attachment.cgi?id=854015] | ||
22 | Comment: No change in any hunk | ||
23 | Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> | ||
24 | |||
25 | diff --git a/auth.c b/auth.c | ||
26 | index 163038f..a47b267 100644 | ||
27 | --- a/auth.c | ||
28 | +++ b/auth.c | ||
29 | @@ -52,6 +52,7 @@ | ||
30 | #include <limits.h> | ||
31 | #include <netdb.h> | ||
32 | #include <time.h> | ||
33 | +#include <grp.h> | ||
34 | |||
35 | #include "xmalloc.h" | ||
36 | #include "match.h" | ||
37 | @@ -851,6 +852,13 @@ subprocess(const char *tag, struct passwd *pw, const char *command, | ||
38 | } | ||
39 | closefrom(STDERR_FILENO + 1); | ||
40 | |||
41 | + if (geteuid() == 0 && | ||
42 | + initgroups(pw->pw_name, pw->pw_gid) == -1) { | ||
43 | + error("%s: initgroups(%s, %u): %s", tag, | ||
44 | + pw->pw_name, (u_int)pw->pw_gid, strerror(errno)); | ||
45 | + _exit(1); | ||
46 | + } | ||
47 | + | ||
48 | /* Don't use permanently_set_uid() here to avoid fatal() */ | ||
49 | if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1) { | ||
50 | error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid, | ||
51 | -- | ||
52 | 2.26.2 | ||
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-01.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-01.patch new file mode 100644 index 0000000000..c899056337 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-01.patch | |||
@@ -0,0 +1,189 @@ | |||
1 | From f6213e03887237714eb5bcfc9089c707069f87c5 Mon Sep 17 00:00:00 2001 | ||
2 | From: Damien Miller <djm@mindrot.org> | ||
3 | Date: Fri, 1 Oct 2021 16:35:49 +1000 | ||
4 | Subject: [PATCH 01/12] make OPENSSL_HAS_ECC checks more thorough | ||
5 | |||
6 | ok dtucker | ||
7 | |||
8 | Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/dee22129bbc61e25b1003adfa2bc584c5406ef2d] | ||
9 | CVE: CVE-2023-38408 | ||
10 | Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> | ||
11 | --- | ||
12 | ssh-pkcs11-client.c | 16 ++++++++-------- | ||
13 | ssh-pkcs11.c | 26 +++++++++++++------------- | ||
14 | 2 files changed, 21 insertions(+), 21 deletions(-) | ||
15 | |||
16 | diff --git a/ssh-pkcs11-client.c b/ssh-pkcs11-client.c | ||
17 | index 8a0ffef..41114c7 100644 | ||
18 | --- a/ssh-pkcs11-client.c | ||
19 | +++ b/ssh-pkcs11-client.c | ||
20 | @@ -163,7 +163,7 @@ rsa_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, int padding) | ||
21 | return (ret); | ||
22 | } | ||
23 | |||
24 | -#ifdef HAVE_EC_KEY_METHOD_NEW | ||
25 | +#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) | ||
26 | static ECDSA_SIG * | ||
27 | ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv, | ||
28 | const BIGNUM *rp, EC_KEY *ec) | ||
29 | @@ -220,12 +220,12 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv, | ||
30 | sshbuf_free(msg); | ||
31 | return (ret); | ||
32 | } | ||
33 | -#endif /* HAVE_EC_KEY_METHOD_NEW */ | ||
34 | +#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */ | ||
35 | |||
36 | static RSA_METHOD *helper_rsa; | ||
37 | -#ifdef HAVE_EC_KEY_METHOD_NEW | ||
38 | +#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) | ||
39 | static EC_KEY_METHOD *helper_ecdsa; | ||
40 | -#endif /* HAVE_EC_KEY_METHOD_NEW */ | ||
41 | +#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */ | ||
42 | |||
43 | /* redirect private key crypto operations to the ssh-pkcs11-helper */ | ||
44 | static void | ||
45 | @@ -233,10 +233,10 @@ wrap_key(struct sshkey *k) | ||
46 | { | ||
47 | if (k->type == KEY_RSA) | ||
48 | RSA_set_method(k->rsa, helper_rsa); | ||
49 | -#ifdef HAVE_EC_KEY_METHOD_NEW | ||
50 | +#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) | ||
51 | else if (k->type == KEY_ECDSA) | ||
52 | EC_KEY_set_method(k->ecdsa, helper_ecdsa); | ||
53 | -#endif /* HAVE_EC_KEY_METHOD_NEW */ | ||
54 | +#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */ | ||
55 | else | ||
56 | fatal("%s: unknown key type", __func__); | ||
57 | } | ||
58 | @@ -247,7 +247,7 @@ pkcs11_start_helper_methods(void) | ||
59 | if (helper_rsa != NULL) | ||
60 | return (0); | ||
61 | |||
62 | -#ifdef HAVE_EC_KEY_METHOD_NEW | ||
63 | +#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) | ||
64 | int (*orig_sign)(int, const unsigned char *, int, unsigned char *, | ||
65 | unsigned int *, const BIGNUM *, const BIGNUM *, EC_KEY *) = NULL; | ||
66 | if (helper_ecdsa != NULL) | ||
67 | @@ -257,7 +257,7 @@ pkcs11_start_helper_methods(void) | ||
68 | return (-1); | ||
69 | EC_KEY_METHOD_get_sign(helper_ecdsa, &orig_sign, NULL, NULL); | ||
70 | EC_KEY_METHOD_set_sign(helper_ecdsa, orig_sign, NULL, ecdsa_do_sign); | ||
71 | -#endif /* HAVE_EC_KEY_METHOD_NEW */ | ||
72 | +#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */ | ||
73 | |||
74 | if ((helper_rsa = RSA_meth_dup(RSA_get_default_method())) == NULL) | ||
75 | fatal("%s: RSA_meth_dup failed", __func__); | ||
76 | diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c | ||
77 | index a302c79..b56a41b 100644 | ||
78 | --- a/ssh-pkcs11.c | ||
79 | +++ b/ssh-pkcs11.c | ||
80 | @@ -78,7 +78,7 @@ struct pkcs11_key { | ||
81 | |||
82 | int pkcs11_interactive = 0; | ||
83 | |||
84 | -#ifdef HAVE_EC_KEY_METHOD_NEW | ||
85 | +#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) | ||
86 | static void | ||
87 | ossl_error(const char *msg) | ||
88 | { | ||
89 | @@ -89,7 +89,7 @@ ossl_error(const char *msg) | ||
90 | error("%s: libcrypto error: %.100s", __func__, | ||
91 | ERR_error_string(e, NULL)); | ||
92 | } | ||
93 | -#endif /* HAVE_EC_KEY_METHOD_NEW */ | ||
94 | +#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */ | ||
95 | |||
96 | int | ||
97 | pkcs11_init(int interactive) | ||
98 | @@ -190,10 +190,10 @@ pkcs11_del_provider(char *provider_id) | ||
99 | |||
100 | static RSA_METHOD *rsa_method; | ||
101 | static int rsa_idx = 0; | ||
102 | -#ifdef HAVE_EC_KEY_METHOD_NEW | ||
103 | +#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) | ||
104 | static EC_KEY_METHOD *ec_key_method; | ||
105 | static int ec_key_idx = 0; | ||
106 | -#endif | ||
107 | +#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */ | ||
108 | |||
109 | /* release a wrapped object */ | ||
110 | static void | ||
111 | @@ -492,7 +492,7 @@ pkcs11_rsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx, | ||
112 | return (0); | ||
113 | } | ||
114 | |||
115 | -#ifdef HAVE_EC_KEY_METHOD_NEW | ||
116 | +#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) | ||
117 | /* openssl callback doing the actual signing operation */ | ||
118 | static ECDSA_SIG * | ||
119 | ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv, | ||
120 | @@ -604,7 +604,7 @@ pkcs11_ecdsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx, | ||
121 | |||
122 | return (0); | ||
123 | } | ||
124 | -#endif /* HAVE_EC_KEY_METHOD_NEW */ | ||
125 | +#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */ | ||
126 | |||
127 | /* remove trailing spaces */ | ||
128 | static void | ||
129 | @@ -679,7 +679,7 @@ pkcs11_key_included(struct sshkey ***keysp, int *nkeys, struct sshkey *key) | ||
130 | return (0); | ||
131 | } | ||
132 | |||
133 | -#ifdef HAVE_EC_KEY_METHOD_NEW | ||
134 | +#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) | ||
135 | static struct sshkey * | ||
136 | pkcs11_fetch_ecdsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx, | ||
137 | CK_OBJECT_HANDLE *obj) | ||
138 | @@ -802,7 +802,7 @@ fail: | ||
139 | |||
140 | return (key); | ||
141 | } | ||
142 | -#endif /* HAVE_EC_KEY_METHOD_NEW */ | ||
143 | +#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */ | ||
144 | |||
145 | static struct sshkey * | ||
146 | pkcs11_fetch_rsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx, | ||
147 | @@ -910,7 +910,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx, | ||
148 | #endif | ||
149 | struct sshkey *key = NULL; | ||
150 | int i; | ||
151 | -#ifdef HAVE_EC_KEY_METHOD_NEW | ||
152 | +#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) | ||
153 | int nid; | ||
154 | #endif | ||
155 | const u_char *cp; | ||
156 | @@ -999,7 +999,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx, | ||
157 | key->type = KEY_RSA; | ||
158 | key->flags |= SSHKEY_FLAG_EXT; | ||
159 | rsa = NULL; /* now owned by key */ | ||
160 | -#ifdef HAVE_EC_KEY_METHOD_NEW | ||
161 | +#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) | ||
162 | } else if (EVP_PKEY_base_id(evp) == EVP_PKEY_EC) { | ||
163 | if (EVP_PKEY_get0_EC_KEY(evp) == NULL) { | ||
164 | error("invalid x509; no ec key"); | ||
165 | @@ -1030,7 +1030,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx, | ||
166 | key->type = KEY_ECDSA; | ||
167 | key->flags |= SSHKEY_FLAG_EXT; | ||
168 | ec = NULL; /* now owned by key */ | ||
169 | -#endif /* HAVE_EC_KEY_METHOD_NEW */ | ||
170 | +#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */ | ||
171 | } else { | ||
172 | error("unknown certificate key type"); | ||
173 | goto out; | ||
174 | @@ -1237,11 +1237,11 @@ pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx, | ||
175 | case CKK_RSA: | ||
176 | key = pkcs11_fetch_rsa_pubkey(p, slotidx, &obj); | ||
177 | break; | ||
178 | -#ifdef HAVE_EC_KEY_METHOD_NEW | ||
179 | +#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) | ||
180 | case CKK_ECDSA: | ||
181 | key = pkcs11_fetch_ecdsa_pubkey(p, slotidx, &obj); | ||
182 | break; | ||
183 | -#endif /* HAVE_EC_KEY_METHOD_NEW */ | ||
184 | +#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */ | ||
185 | default: | ||
186 | /* XXX print key type? */ | ||
187 | key = NULL; | ||
188 | -- | ||
189 | 2.41.0 | ||
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-02.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-02.patch new file mode 100644 index 0000000000..25ba921869 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-02.patch | |||
@@ -0,0 +1,581 @@ | |||
1 | From 92cebfbcc221c9ef3f6bbb78da3d7699c0ae56be Mon Sep 17 00:00:00 2001 | ||
2 | From: "djm@openbsd.org" <djm@openbsd.org> | ||
3 | Date: Wed, 19 Jul 2023 14:03:45 +0000 | ||
4 | Subject: [PATCH 02/12] upstream: Separate ssh-pkcs11-helpers for each p11 | ||
5 | module | ||
6 | |||
7 | Make ssh-pkcs11-client start an independent helper for each provider, | ||
8 | providing better isolation between modules and reliability if a single | ||
9 | module misbehaves. | ||
10 | |||
11 | This also implements reference counting of PKCS#11-hosted keys, | ||
12 | allowing ssh-pkcs11-helper subprocesses to be automatically reaped | ||
13 | when no remaining keys reference them. This fixes some bugs we have | ||
14 | that make PKCS11 keys unusable after they have been deleted, e.g. | ||
15 | https://bugzilla.mindrot.org/show_bug.cgi?id=3125 | ||
16 | |||
17 | ok markus@ | ||
18 | |||
19 | OpenBSD-Commit-ID: 0ce188b14fe271ab0568f4500070d96c5657244e | ||
20 | |||
21 | Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/099cdf59ce1e72f55d421c8445bf6321b3004755] | ||
22 | CVE: CVE-2023-38408 | ||
23 | Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> | ||
24 | --- | ||
25 | ssh-pkcs11-client.c | 372 +++++++++++++++++++++++++++++++++----------- | ||
26 | 1 file changed, 282 insertions(+), 90 deletions(-) | ||
27 | |||
28 | diff --git a/ssh-pkcs11-client.c b/ssh-pkcs11-client.c | ||
29 | index 41114c7..4f3c6ed 100644 | ||
30 | --- a/ssh-pkcs11-client.c | ||
31 | +++ b/ssh-pkcs11-client.c | ||
32 | @@ -1,4 +1,4 @@ | ||
33 | -/* $OpenBSD: ssh-pkcs11-client.c,v 1.16 2020/01/25 00:03:36 djm Exp $ */ | ||
34 | +/* $OpenBSD: ssh-pkcs11-client.c,v 1.18 2023/07/19 14:03:45 djm Exp $ */ | ||
35 | /* | ||
36 | * Copyright (c) 2010 Markus Friedl. All rights reserved. | ||
37 | * Copyright (c) 2014 Pedro Martelletto. All rights reserved. | ||
38 | @@ -30,12 +30,11 @@ | ||
39 | #include <string.h> | ||
40 | #include <unistd.h> | ||
41 | #include <errno.h> | ||
42 | +#include <limits.h> | ||
43 | |||
44 | #include <openssl/ecdsa.h> | ||
45 | #include <openssl/rsa.h> | ||
46 | |||
47 | -#include "openbsd-compat/openssl-compat.h" | ||
48 | - | ||
49 | #include "pathnames.h" | ||
50 | #include "xmalloc.h" | ||
51 | #include "sshbuf.h" | ||
52 | @@ -47,18 +46,140 @@ | ||
53 | #include "ssh-pkcs11.h" | ||
54 | #include "ssherr.h" | ||
55 | |||
56 | +#include "openbsd-compat/openssl-compat.h" | ||
57 | + | ||
58 | /* borrows code from sftp-server and ssh-agent */ | ||
59 | |||
60 | -static int fd = -1; | ||
61 | -static pid_t pid = -1; | ||
62 | +/* | ||
63 | + * Maintain a list of ssh-pkcs11-helper subprocesses. These may be looked up | ||
64 | + * by provider path or their unique EC/RSA METHOD pointers. | ||
65 | + */ | ||
66 | +struct helper { | ||
67 | + char *path; | ||
68 | + pid_t pid; | ||
69 | + int fd; | ||
70 | + RSA_METHOD *rsa_meth; | ||
71 | + EC_KEY_METHOD *ec_meth; | ||
72 | + int (*rsa_finish)(RSA *rsa); | ||
73 | + void (*ec_finish)(EC_KEY *key); | ||
74 | + size_t nrsa, nec; /* number of active keys of each type */ | ||
75 | +}; | ||
76 | +static struct helper **helpers; | ||
77 | +static size_t nhelpers; | ||
78 | + | ||
79 | +static struct helper * | ||
80 | +helper_by_provider(const char *path) | ||
81 | +{ | ||
82 | + size_t i; | ||
83 | + | ||
84 | + for (i = 0; i < nhelpers; i++) { | ||
85 | + if (helpers[i] == NULL || helpers[i]->path == NULL || | ||
86 | + helpers[i]->fd == -1) | ||
87 | + continue; | ||
88 | + if (strcmp(helpers[i]->path, path) == 0) | ||
89 | + return helpers[i]; | ||
90 | + } | ||
91 | + return NULL; | ||
92 | +} | ||
93 | + | ||
94 | +static struct helper * | ||
95 | +helper_by_rsa(const RSA *rsa) | ||
96 | +{ | ||
97 | + size_t i; | ||
98 | + const RSA_METHOD *meth; | ||
99 | + | ||
100 | + if ((meth = RSA_get_method(rsa)) == NULL) | ||
101 | + return NULL; | ||
102 | + for (i = 0; i < nhelpers; i++) { | ||
103 | + if (helpers[i] != NULL && helpers[i]->rsa_meth == meth) | ||
104 | + return helpers[i]; | ||
105 | + } | ||
106 | + return NULL; | ||
107 | + | ||
108 | +} | ||
109 | + | ||
110 | +static struct helper * | ||
111 | +helper_by_ec(const EC_KEY *ec) | ||
112 | +{ | ||
113 | + size_t i; | ||
114 | + const EC_KEY_METHOD *meth; | ||
115 | + | ||
116 | + if ((meth = EC_KEY_get_method(ec)) == NULL) | ||
117 | + return NULL; | ||
118 | + for (i = 0; i < nhelpers; i++) { | ||
119 | + if (helpers[i] != NULL && helpers[i]->ec_meth == meth) | ||
120 | + return helpers[i]; | ||
121 | + } | ||
122 | + return NULL; | ||
123 | + | ||
124 | +} | ||
125 | + | ||
126 | +static void | ||
127 | +helper_free(struct helper *helper) | ||
128 | +{ | ||
129 | + size_t i; | ||
130 | + int found = 0; | ||
131 | + | ||
132 | + if (helper == NULL) | ||
133 | + return; | ||
134 | + if (helper->path == NULL || helper->ec_meth == NULL || | ||
135 | + helper->rsa_meth == NULL) | ||
136 | + fatal("%s: inconsistent helper", __func__); | ||
137 | + debug3("%s: free helper for provider %s", __func__ , helper->path); | ||
138 | + for (i = 0; i < nhelpers; i++) { | ||
139 | + if (helpers[i] == helper) { | ||
140 | + if (found) | ||
141 | + fatal("%s: helper recorded more than once", __func__); | ||
142 | + found = 1; | ||
143 | + } | ||
144 | + else if (found) | ||
145 | + helpers[i - 1] = helpers[i]; | ||
146 | + } | ||
147 | + if (found) { | ||
148 | + helpers = xrecallocarray(helpers, nhelpers, | ||
149 | + nhelpers - 1, sizeof(*helpers)); | ||
150 | + nhelpers--; | ||
151 | + } | ||
152 | + free(helper->path); | ||
153 | + EC_KEY_METHOD_free(helper->ec_meth); | ||
154 | + RSA_meth_free(helper->rsa_meth); | ||
155 | + free(helper); | ||
156 | +} | ||
157 | + | ||
158 | +static void | ||
159 | +helper_terminate(struct helper *helper) | ||
160 | +{ | ||
161 | + if (helper == NULL) { | ||
162 | + return; | ||
163 | + } else if (helper->fd == -1) { | ||
164 | + debug3("%s: already terminated", __func__); | ||
165 | + } else { | ||
166 | + debug3("terminating helper for %s; " | ||
167 | + "remaining %zu RSA %zu ECDSA", __func__, | ||
168 | + helper->path, helper->nrsa, helper->nec); | ||
169 | + close(helper->fd); | ||
170 | + /* XXX waitpid() */ | ||
171 | + helper->fd = -1; | ||
172 | + helper->pid = -1; | ||
173 | + } | ||
174 | + /* | ||
175 | + * Don't delete the helper entry until there are no remaining keys | ||
176 | + * that reference it. Otherwise, any signing operation would call | ||
177 | + * a free'd METHOD pointer and that would be bad. | ||
178 | + */ | ||
179 | + if (helper->nrsa == 0 && helper->nec == 0) | ||
180 | + helper_free(helper); | ||
181 | +} | ||
182 | |||
183 | static void | ||
184 | -send_msg(struct sshbuf *m) | ||
185 | +send_msg(int fd, struct sshbuf *m) | ||
186 | { | ||
187 | u_char buf[4]; | ||
188 | size_t mlen = sshbuf_len(m); | ||
189 | int r; | ||
190 | |||
191 | + if (fd == -1) | ||
192 | + return; | ||
193 | POKE_U32(buf, mlen); | ||
194 | if (atomicio(vwrite, fd, buf, 4) != 4 || | ||
195 | atomicio(vwrite, fd, sshbuf_mutable_ptr(m), | ||
196 | @@ -69,12 +190,15 @@ send_msg(struct sshbuf *m) | ||
197 | } | ||
198 | |||
199 | static int | ||
200 | -recv_msg(struct sshbuf *m) | ||
201 | +recv_msg(int fd, struct sshbuf *m) | ||
202 | { | ||
203 | u_int l, len; | ||
204 | u_char c, buf[1024]; | ||
205 | int r; | ||
206 | |||
207 | + sshbuf_reset(m); | ||
208 | + if (fd == -1) | ||
209 | + return 0; /* XXX */ | ||
210 | if ((len = atomicio(read, fd, buf, 4)) != 4) { | ||
211 | error("read from helper failed: %u", len); | ||
212 | return (0); /* XXX */ | ||
213 | @@ -83,7 +207,6 @@ recv_msg(struct sshbuf *m) | ||
214 | if (len > 256 * 1024) | ||
215 | fatal("response too long: %u", len); | ||
216 | /* read len bytes into m */ | ||
217 | - sshbuf_reset(m); | ||
218 | while (len > 0) { | ||
219 | l = len; | ||
220 | if (l > sizeof(buf)) | ||
221 | @@ -104,14 +227,17 @@ recv_msg(struct sshbuf *m) | ||
222 | int | ||
223 | pkcs11_init(int interactive) | ||
224 | { | ||
225 | - return (0); | ||
226 | + return 0; | ||
227 | } | ||
228 | |||
229 | void | ||
230 | pkcs11_terminate(void) | ||
231 | { | ||
232 | - if (fd >= 0) | ||
233 | - close(fd); | ||
234 | + size_t i; | ||
235 | + | ||
236 | + debug3("%s: terminating %zu helpers", __func__, nhelpers); | ||
237 | + for (i = 0; i < nhelpers; i++) | ||
238 | + helper_terminate(helpers[i]); | ||
239 | } | ||
240 | |||
241 | static int | ||
242 | @@ -122,7 +248,11 @@ rsa_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, int padding) | ||
243 | u_char *blob = NULL, *signature = NULL; | ||
244 | size_t blen, slen = 0; | ||
245 | int r, ret = -1; | ||
246 | + struct helper *helper; | ||
247 | |||
248 | + if ((helper = helper_by_rsa(rsa)) == NULL || helper->fd == -1) | ||
249 | + fatal("%s: no helper for PKCS11 key", __func__); | ||
250 | + debug3("%s: signing with PKCS11 provider %s", __func__, helper->path); | ||
251 | if (padding != RSA_PKCS1_PADDING) | ||
252 | goto fail; | ||
253 | key = sshkey_new(KEY_UNSPEC); | ||
254 | @@ -144,10 +274,10 @@ rsa_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, int padding) | ||
255 | (r = sshbuf_put_string(msg, from, flen)) != 0 || | ||
256 | (r = sshbuf_put_u32(msg, 0)) != 0) | ||
257 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | ||
258 | - send_msg(msg); | ||
259 | + send_msg(helper->fd, msg); | ||
260 | sshbuf_reset(msg); | ||
261 | |||
262 | - if (recv_msg(msg) == SSH2_AGENT_SIGN_RESPONSE) { | ||
263 | + if (recv_msg(helper->fd, msg) == SSH2_AGENT_SIGN_RESPONSE) { | ||
264 | if ((r = sshbuf_get_string(msg, &signature, &slen)) != 0) | ||
265 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | ||
266 | if (slen <= (size_t)RSA_size(rsa)) { | ||
267 | @@ -163,7 +293,26 @@ rsa_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, int padding) | ||
268 | return (ret); | ||
269 | } | ||
270 | |||
271 | -#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) | ||
272 | +static int | ||
273 | +rsa_finish(RSA *rsa) | ||
274 | +{ | ||
275 | + struct helper *helper; | ||
276 | + | ||
277 | + if ((helper = helper_by_rsa(rsa)) == NULL) | ||
278 | + fatal("%s: no helper for PKCS11 key", __func__); | ||
279 | + debug3("%s: free PKCS11 RSA key for provider %s", __func__, helper->path); | ||
280 | + if (helper->rsa_finish != NULL) | ||
281 | + helper->rsa_finish(rsa); | ||
282 | + if (helper->nrsa == 0) | ||
283 | + fatal("%s: RSA refcount error", __func__); | ||
284 | + helper->nrsa--; | ||
285 | + debug3("%s: provider %s remaining keys: %zu RSA %zu ECDSA", __func__, | ||
286 | + helper->path, helper->nrsa, helper->nec); | ||
287 | + if (helper->nrsa == 0 && helper->nec == 0) | ||
288 | + helper_terminate(helper); | ||
289 | + return 1; | ||
290 | +} | ||
291 | + | ||
292 | static ECDSA_SIG * | ||
293 | ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv, | ||
294 | const BIGNUM *rp, EC_KEY *ec) | ||
295 | @@ -175,7 +324,11 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv, | ||
296 | u_char *blob = NULL, *signature = NULL; | ||
297 | size_t blen, slen = 0; | ||
298 | int r, nid; | ||
299 | + struct helper *helper; | ||
300 | |||
301 | + if ((helper = helper_by_ec(ec)) == NULL || helper->fd == -1) | ||
302 | + fatal("%s: no helper for PKCS11 key", __func__); | ||
303 | + debug3("%s: signing with PKCS11 provider %s", __func__, helper->path); | ||
304 | nid = sshkey_ecdsa_key_to_nid(ec); | ||
305 | if (nid < 0) { | ||
306 | error("%s: couldn't get curve nid", __func__); | ||
307 | @@ -203,10 +356,10 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv, | ||
308 | (r = sshbuf_put_string(msg, dgst, dgst_len)) != 0 || | ||
309 | (r = sshbuf_put_u32(msg, 0)) != 0) | ||
310 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | ||
311 | - send_msg(msg); | ||
312 | + send_msg(helper->fd, msg); | ||
313 | sshbuf_reset(msg); | ||
314 | |||
315 | - if (recv_msg(msg) == SSH2_AGENT_SIGN_RESPONSE) { | ||
316 | + if (recv_msg(helper->fd, msg) == SSH2_AGENT_SIGN_RESPONSE) { | ||
317 | if ((r = sshbuf_get_string(msg, &signature, &slen)) != 0) | ||
318 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | ||
319 | cp = signature; | ||
320 | @@ -220,75 +373,110 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv, | ||
321 | sshbuf_free(msg); | ||
322 | return (ret); | ||
323 | } | ||
324 | -#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */ | ||
325 | |||
326 | -static RSA_METHOD *helper_rsa; | ||
327 | -#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) | ||
328 | -static EC_KEY_METHOD *helper_ecdsa; | ||
329 | -#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */ | ||
330 | +static void | ||
331 | +ecdsa_do_finish(EC_KEY *ec) | ||
332 | +{ | ||
333 | + struct helper *helper; | ||
334 | + | ||
335 | + if ((helper = helper_by_ec(ec)) == NULL) | ||
336 | + fatal("%s: no helper for PKCS11 key", __func__); | ||
337 | + debug3("%s: free PKCS11 ECDSA key for provider %s", __func__, helper->path); | ||
338 | + if (helper->ec_finish != NULL) | ||
339 | + helper->ec_finish(ec); | ||
340 | + if (helper->nec == 0) | ||
341 | + fatal("%s: ECDSA refcount error", __func__); | ||
342 | + helper->nec--; | ||
343 | + debug3("%s: provider %s remaining keys: %zu RSA %zu ECDSA", __func__, | ||
344 | + helper->path, helper->nrsa, helper->nec); | ||
345 | + if (helper->nrsa == 0 && helper->nec == 0) | ||
346 | + helper_terminate(helper); | ||
347 | +} | ||
348 | |||
349 | /* redirect private key crypto operations to the ssh-pkcs11-helper */ | ||
350 | static void | ||
351 | -wrap_key(struct sshkey *k) | ||
352 | +wrap_key(struct helper *helper, struct sshkey *k) | ||
353 | { | ||
354 | - if (k->type == KEY_RSA) | ||
355 | - RSA_set_method(k->rsa, helper_rsa); | ||
356 | -#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) | ||
357 | - else if (k->type == KEY_ECDSA) | ||
358 | - EC_KEY_set_method(k->ecdsa, helper_ecdsa); | ||
359 | -#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */ | ||
360 | - else | ||
361 | + debug3("%s: wrap %s for provider %s", __func__, sshkey_type(k), helper->path); | ||
362 | + if (k->type == KEY_RSA) { | ||
363 | + RSA_set_method(k->rsa, helper->rsa_meth); | ||
364 | + if (helper->nrsa++ >= INT_MAX) | ||
365 | + fatal("%s: RSA refcount error", __func__); | ||
366 | + } else if (k->type == KEY_ECDSA) { | ||
367 | + EC_KEY_set_method(k->ecdsa, helper->ec_meth); | ||
368 | + if (helper->nec++ >= INT_MAX) | ||
369 | + fatal("%s: EC refcount error", __func__); | ||
370 | + } else | ||
371 | fatal("%s: unknown key type", __func__); | ||
372 | + k->flags |= SSHKEY_FLAG_EXT; | ||
373 | + debug3("%s: provider %s remaining keys: %zu RSA %zu ECDSA", __func__, | ||
374 | + helper->path, helper->nrsa, helper->nec); | ||
375 | } | ||
376 | |||
377 | static int | ||
378 | -pkcs11_start_helper_methods(void) | ||
379 | +pkcs11_start_helper_methods(struct helper *helper) | ||
380 | { | ||
381 | - if (helper_rsa != NULL) | ||
382 | - return (0); | ||
383 | - | ||
384 | -#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) | ||
385 | - int (*orig_sign)(int, const unsigned char *, int, unsigned char *, | ||
386 | + int (*ec_init)(EC_KEY *key); | ||
387 | + int (*ec_copy)(EC_KEY *dest, const EC_KEY *src); | ||
388 | + int (*ec_set_group)(EC_KEY *key, const EC_GROUP *grp); | ||
389 | + int (*ec_set_private)(EC_KEY *key, const BIGNUM *priv_key); | ||
390 | + int (*ec_set_public)(EC_KEY *key, const EC_POINT *pub_key); | ||
391 | + int (*ec_sign)(int, const unsigned char *, int, unsigned char *, | ||
392 | unsigned int *, const BIGNUM *, const BIGNUM *, EC_KEY *) = NULL; | ||
393 | - if (helper_ecdsa != NULL) | ||
394 | - return (0); | ||
395 | - helper_ecdsa = EC_KEY_METHOD_new(EC_KEY_OpenSSL()); | ||
396 | - if (helper_ecdsa == NULL) | ||
397 | - return (-1); | ||
398 | - EC_KEY_METHOD_get_sign(helper_ecdsa, &orig_sign, NULL, NULL); | ||
399 | - EC_KEY_METHOD_set_sign(helper_ecdsa, orig_sign, NULL, ecdsa_do_sign); | ||
400 | -#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */ | ||
401 | - | ||
402 | - if ((helper_rsa = RSA_meth_dup(RSA_get_default_method())) == NULL) | ||
403 | + RSA_METHOD *rsa_meth; | ||
404 | + EC_KEY_METHOD *ec_meth; | ||
405 | + | ||
406 | + if ((ec_meth = EC_KEY_METHOD_new(EC_KEY_OpenSSL())) == NULL) | ||
407 | + return -1; | ||
408 | + EC_KEY_METHOD_get_sign(ec_meth, &ec_sign, NULL, NULL); | ||
409 | + EC_KEY_METHOD_set_sign(ec_meth, ec_sign, NULL, ecdsa_do_sign); | ||
410 | + EC_KEY_METHOD_get_init(ec_meth, &ec_init, &helper->ec_finish, | ||
411 | + &ec_copy, &ec_set_group, &ec_set_private, &ec_set_public); | ||
412 | + EC_KEY_METHOD_set_init(ec_meth, ec_init, ecdsa_do_finish, | ||
413 | + ec_copy, ec_set_group, ec_set_private, ec_set_public); | ||
414 | + | ||
415 | + if ((rsa_meth = RSA_meth_dup(RSA_get_default_method())) == NULL) | ||
416 | fatal("%s: RSA_meth_dup failed", __func__); | ||
417 | - if (!RSA_meth_set1_name(helper_rsa, "ssh-pkcs11-helper") || | ||
418 | - !RSA_meth_set_priv_enc(helper_rsa, rsa_encrypt)) | ||
419 | + helper->rsa_finish = RSA_meth_get_finish(rsa_meth); | ||
420 | + if (!RSA_meth_set1_name(rsa_meth, "ssh-pkcs11-helper") || | ||
421 | + !RSA_meth_set_priv_enc(rsa_meth, rsa_encrypt) || | ||
422 | + !RSA_meth_set_finish(rsa_meth, rsa_finish)) | ||
423 | fatal("%s: failed to prepare method", __func__); | ||
424 | |||
425 | - return (0); | ||
426 | + helper->ec_meth = ec_meth; | ||
427 | + helper->rsa_meth = rsa_meth; | ||
428 | + return 0; | ||
429 | } | ||
430 | |||
431 | -static int | ||
432 | -pkcs11_start_helper(void) | ||
433 | +static struct helper * | ||
434 | +pkcs11_start_helper(const char *path) | ||
435 | { | ||
436 | int pair[2]; | ||
437 | - char *helper, *verbosity = NULL; | ||
438 | - | ||
439 | - if (log_level_get() >= SYSLOG_LEVEL_DEBUG1) | ||
440 | - verbosity = "-vvv"; | ||
441 | - | ||
442 | - if (pkcs11_start_helper_methods() == -1) { | ||
443 | - error("pkcs11_start_helper_methods failed"); | ||
444 | - return (-1); | ||
445 | - } | ||
446 | + char *prog, *verbosity = NULL; | ||
447 | + struct helper *helper; | ||
448 | + pid_t pid; | ||
449 | |||
450 | + if (nhelpers >= INT_MAX) | ||
451 | + fatal("%s: too many helpers", __func__); | ||
452 | + debug3("%s: start helper for %s", __func__, path); | ||
453 | if (socketpair(AF_UNIX, SOCK_STREAM, 0, pair) == -1) { | ||
454 | error("socketpair: %s", strerror(errno)); | ||
455 | - return (-1); | ||
456 | + return NULL; | ||
457 | + } | ||
458 | + helper = xcalloc(1, sizeof(*helper)); | ||
459 | + if (pkcs11_start_helper_methods(helper) == -1) { | ||
460 | + error("pkcs11_start_helper_methods failed"); | ||
461 | + goto fail; | ||
462 | } | ||
463 | if ((pid = fork()) == -1) { | ||
464 | error("fork: %s", strerror(errno)); | ||
465 | - return (-1); | ||
466 | + fail: | ||
467 | + close(pair[0]); | ||
468 | + close(pair[1]); | ||
469 | + RSA_meth_free(helper->rsa_meth); | ||
470 | + EC_KEY_METHOD_free(helper->ec_meth); | ||
471 | + free(helper); | ||
472 | + return NULL; | ||
473 | } else if (pid == 0) { | ||
474 | if ((dup2(pair[1], STDIN_FILENO) == -1) || | ||
475 | (dup2(pair[1], STDOUT_FILENO) == -1)) { | ||
476 | @@ -297,18 +485,27 @@ pkcs11_start_helper(void) | ||
477 | } | ||
478 | close(pair[0]); | ||
479 | close(pair[1]); | ||
480 | - helper = getenv("SSH_PKCS11_HELPER"); | ||
481 | - if (helper == NULL || strlen(helper) == 0) | ||
482 | - helper = _PATH_SSH_PKCS11_HELPER; | ||
483 | + prog = getenv("SSH_PKCS11_HELPER"); | ||
484 | + if (prog == NULL || strlen(prog) == 0) | ||
485 | + prog = _PATH_SSH_PKCS11_HELPER; | ||
486 | + if (log_level_get() >= SYSLOG_LEVEL_DEBUG1) | ||
487 | + verbosity = "-vvv"; | ||
488 | debug("%s: starting %s %s", __func__, helper, | ||
489 | verbosity == NULL ? "" : verbosity); | ||
490 | - execlp(helper, helper, verbosity, (char *)NULL); | ||
491 | - fprintf(stderr, "exec: %s: %s\n", helper, strerror(errno)); | ||
492 | + execlp(prog, prog, verbosity, (char *)NULL); | ||
493 | + fprintf(stderr, "exec: %s: %s\n", prog, strerror(errno)); | ||
494 | _exit(1); | ||
495 | } | ||
496 | close(pair[1]); | ||
497 | - fd = pair[0]; | ||
498 | - return (0); | ||
499 | + helper->fd = pair[0]; | ||
500 | + helper->path = xstrdup(path); | ||
501 | + helper->pid = pid; | ||
502 | + debug3("%s: helper %zu for \"%s\" on fd %d pid %ld", __func__, nhelpers, | ||
503 | + helper->path, helper->fd, (long)helper->pid); | ||
504 | + helpers = xrecallocarray(helpers, nhelpers, | ||
505 | + nhelpers + 1, sizeof(*helpers)); | ||
506 | + helpers[nhelpers++] = helper; | ||
507 | + return helper; | ||
508 | } | ||
509 | |||
510 | int | ||
511 | @@ -322,9 +519,11 @@ pkcs11_add_provider(char *name, char *pin, struct sshkey ***keysp, | ||
512 | size_t blen; | ||
513 | u_int nkeys, i; | ||
514 | struct sshbuf *msg; | ||
515 | + struct helper *helper; | ||
516 | |||
517 | - if (fd < 0 && pkcs11_start_helper() < 0) | ||
518 | - return (-1); | ||
519 | + if ((helper = helper_by_provider(name)) == NULL && | ||
520 | + (helper = pkcs11_start_helper(name)) == NULL) | ||
521 | + return -1; | ||
522 | |||
523 | if ((msg = sshbuf_new()) == NULL) | ||
524 | fatal("%s: sshbuf_new failed", __func__); | ||
525 | @@ -332,10 +531,10 @@ pkcs11_add_provider(char *name, char *pin, struct sshkey ***keysp, | ||
526 | (r = sshbuf_put_cstring(msg, name)) != 0 || | ||
527 | (r = sshbuf_put_cstring(msg, pin)) != 0) | ||
528 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | ||
529 | - send_msg(msg); | ||
530 | + send_msg(helper->fd, msg); | ||
531 | sshbuf_reset(msg); | ||
532 | |||
533 | - type = recv_msg(msg); | ||
534 | + type = recv_msg(helper->fd, msg); | ||
535 | if (type == SSH2_AGENT_IDENTITIES_ANSWER) { | ||
536 | if ((r = sshbuf_get_u32(msg, &nkeys)) != 0) | ||
537 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | ||
538 | @@ -350,7 +549,7 @@ pkcs11_add_provider(char *name, char *pin, struct sshkey ***keysp, | ||
539 | __func__, ssh_err(r)); | ||
540 | if ((r = sshkey_from_blob(blob, blen, &k)) != 0) | ||
541 | fatal("%s: bad key: %s", __func__, ssh_err(r)); | ||
542 | - wrap_key(k); | ||
543 | + wrap_key(helper, k); | ||
544 | (*keysp)[i] = k; | ||
545 | if (labelsp) | ||
546 | (*labelsp)[i] = label; | ||
547 | @@ -371,22 +570,15 @@ pkcs11_add_provider(char *name, char *pin, struct sshkey ***keysp, | ||
548 | int | ||
549 | pkcs11_del_provider(char *name) | ||
550 | { | ||
551 | - int r, ret = -1; | ||
552 | - struct sshbuf *msg; | ||
553 | - | ||
554 | - if ((msg = sshbuf_new()) == NULL) | ||
555 | - fatal("%s: sshbuf_new failed", __func__); | ||
556 | - if ((r = sshbuf_put_u8(msg, SSH_AGENTC_REMOVE_SMARTCARD_KEY)) != 0 || | ||
557 | - (r = sshbuf_put_cstring(msg, name)) != 0 || | ||
558 | - (r = sshbuf_put_cstring(msg, "")) != 0) | ||
559 | - fatal("%s: buffer error: %s", __func__, ssh_err(r)); | ||
560 | - send_msg(msg); | ||
561 | - sshbuf_reset(msg); | ||
562 | - | ||
563 | - if (recv_msg(msg) == SSH_AGENT_SUCCESS) | ||
564 | - ret = 0; | ||
565 | - sshbuf_free(msg); | ||
566 | - return (ret); | ||
567 | + struct helper *helper; | ||
568 | + | ||
569 | + /* | ||
570 | + * ssh-agent deletes keys before calling this, so the helper entry | ||
571 | + * should be gone before we get here. | ||
572 | + */ | ||
573 | + debug3("%s: delete %s", __func__, name); | ||
574 | + if ((helper = helper_by_provider(name)) != NULL) | ||
575 | + helper_terminate(helper); | ||
576 | + return 0; | ||
577 | } | ||
578 | - | ||
579 | #endif /* ENABLE_PKCS11 */ | ||
580 | -- | ||
581 | 2.41.0 | ||
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-03.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-03.patch new file mode 100644 index 0000000000..e16e5e245e --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-03.patch | |||
@@ -0,0 +1,171 @@ | |||
1 | From 2f1be98e83feb90665b9292eff8bb734537fd491 Mon Sep 17 00:00:00 2001 | ||
2 | From: "djm@openbsd.org" <djm@openbsd.org> | ||
3 | Date: Wed, 19 Jul 2023 14:02:27 +0000 | ||
4 | Subject: [PATCH 03/12] upstream: Ensure FIDO/PKCS11 libraries contain expected | ||
5 | symbols | ||
6 | |||
7 | This checks via nlist(3) that candidate provider libraries contain one | ||
8 | of the symbols that we will require prior to dlopen(), which can cause | ||
9 | a number of side effects, including execution of constructors. | ||
10 | |||
11 | Feedback deraadt; ok markus | ||
12 | |||
13 | OpenBSD-Commit-ID: 1508a5fbd74e329e69a55b56c453c292029aefbe | ||
14 | |||
15 | Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/29ef8a04866ca14688d5b7fed7b8b9deab851f77] | ||
16 | CVE: CVE-2023-38408 | ||
17 | Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> | ||
18 | --- | ||
19 | misc.c | 77 ++++++++++++++++++++++++++++++++++++++++++++++++++++ | ||
20 | misc.h | 1 + | ||
21 | ssh-pkcs11.c | 4 +++ | ||
22 | ssh-sk.c | 6 ++-- | ||
23 | 4 files changed, 86 insertions(+), 2 deletions(-) | ||
24 | |||
25 | diff --git a/misc.c b/misc.c | ||
26 | index 3a31d5c..8a107e4 100644 | ||
27 | --- a/misc.c | ||
28 | +++ b/misc.c | ||
29 | @@ -28,6 +28,7 @@ | ||
30 | |||
31 | #include <sys/types.h> | ||
32 | #include <sys/ioctl.h> | ||
33 | +#include <sys/mman.h> | ||
34 | #include <sys/socket.h> | ||
35 | #include <sys/stat.h> | ||
36 | #include <sys/time.h> | ||
37 | @@ -41,6 +42,9 @@ | ||
38 | #ifdef HAVE_POLL_H | ||
39 | #include <poll.h> | ||
40 | #endif | ||
41 | +#ifdef HAVE_NLIST_H | ||
42 | +#include <nlist.h> | ||
43 | +#endif | ||
44 | #include <signal.h> | ||
45 | #include <stdarg.h> | ||
46 | #include <stdio.h> | ||
47 | @@ -2266,3 +2270,76 @@ ssh_signal(int signum, sshsig_t handler) | ||
48 | } | ||
49 | return osa.sa_handler; | ||
50 | } | ||
51 | + | ||
52 | + | ||
53 | +/* | ||
54 | + * Returns zero if the library at 'path' contains symbol 's', nonzero | ||
55 | + * otherwise. | ||
56 | + */ | ||
57 | +int | ||
58 | +lib_contains_symbol(const char *path, const char *s) | ||
59 | +{ | ||
60 | +#ifdef HAVE_NLIST_H | ||
61 | + struct nlist nl[2]; | ||
62 | + int ret = -1, r; | ||
63 | + | ||
64 | + memset(nl, 0, sizeof(nl)); | ||
65 | + nl[0].n_name = xstrdup(s); | ||
66 | + nl[1].n_name = NULL; | ||
67 | + if ((r = nlist(path, nl)) == -1) { | ||
68 | + error("%s: nlist failed for %s", __func__, path); | ||
69 | + goto out; | ||
70 | + } | ||
71 | + if (r != 0 || nl[0].n_value == 0 || nl[0].n_type == 0) { | ||
72 | + error("%s: library %s does not contain symbol %s", __func__, path, s); | ||
73 | + goto out; | ||
74 | + } | ||
75 | + /* success */ | ||
76 | + ret = 0; | ||
77 | + out: | ||
78 | + free(nl[0].n_name); | ||
79 | + return ret; | ||
80 | +#else /* HAVE_NLIST_H */ | ||
81 | + int fd, ret = -1; | ||
82 | + struct stat st; | ||
83 | + void *m = NULL; | ||
84 | + size_t sz = 0; | ||
85 | + | ||
86 | + memset(&st, 0, sizeof(st)); | ||
87 | + if ((fd = open(path, O_RDONLY)) < 0) { | ||
88 | + error("%s: open %s: %s", __func__, path, strerror(errno)); | ||
89 | + return -1; | ||
90 | + } | ||
91 | + if (fstat(fd, &st) != 0) { | ||
92 | + error("%s: fstat %s: %s", __func__, path, strerror(errno)); | ||
93 | + goto out; | ||
94 | + } | ||
95 | + if (!S_ISREG(st.st_mode)) { | ||
96 | + error("%s: %s is not a regular file", __func__, path); | ||
97 | + goto out; | ||
98 | + } | ||
99 | + if (st.st_size < 0 || | ||
100 | + (size_t)st.st_size < strlen(s) || | ||
101 | + st.st_size >= INT_MAX/2) { | ||
102 | + error("%s: %s bad size %lld", __func__, path, (long long)st.st_size); | ||
103 | + goto out; | ||
104 | + } | ||
105 | + sz = (size_t)st.st_size; | ||
106 | + if ((m = mmap(NULL, sz, PROT_READ, MAP_PRIVATE, fd, 0)) == MAP_FAILED || | ||
107 | + m == NULL) { | ||
108 | + error("%s: mmap %s: %s", __func__, path, strerror(errno)); | ||
109 | + goto out; | ||
110 | + } | ||
111 | + if (memmem(m, sz, s, strlen(s)) == NULL) { | ||
112 | + error("%s: %s does not contain expected string %s", __func__, path, s); | ||
113 | + goto out; | ||
114 | + } | ||
115 | + /* success */ | ||
116 | + ret = 0; | ||
117 | + out: | ||
118 | + if (m != NULL && m != MAP_FAILED) | ||
119 | + munmap(m, sz); | ||
120 | + close(fd); | ||
121 | + return ret; | ||
122 | +#endif /* HAVE_NLIST_H */ | ||
123 | +} | ||
124 | diff --git a/misc.h b/misc.h | ||
125 | index 4a05db2..3f9f4db 100644 | ||
126 | --- a/misc.h | ||
127 | +++ b/misc.h | ||
128 | @@ -86,6 +86,7 @@ const char *atoi_err(const char *, int *); | ||
129 | int parse_absolute_time(const char *, uint64_t *); | ||
130 | void format_absolute_time(uint64_t, char *, size_t); | ||
131 | int path_absolute(const char *); | ||
132 | +int lib_contains_symbol(const char *, const char *); | ||
133 | |||
134 | void sock_set_v6only(int); | ||
135 | |||
136 | diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c | ||
137 | index b56a41b..639a6f7 100644 | ||
138 | --- a/ssh-pkcs11.c | ||
139 | +++ b/ssh-pkcs11.c | ||
140 | @@ -1499,6 +1499,10 @@ pkcs11_register_provider(char *provider_id, char *pin, | ||
141 | __func__, provider_id); | ||
142 | goto fail; | ||
143 | } | ||
144 | + if (lib_contains_symbol(provider_id, "C_GetFunctionList") != 0) { | ||
145 | + error("provider %s is not a PKCS11 library", provider_id); | ||
146 | + goto fail; | ||
147 | + } | ||
148 | /* open shared pkcs11-library */ | ||
149 | if ((handle = dlopen(provider_id, RTLD_NOW)) == NULL) { | ||
150 | error("dlopen %s failed: %s", provider_id, dlerror()); | ||
151 | diff --git a/ssh-sk.c b/ssh-sk.c | ||
152 | index 5ff9381..9df12cc 100644 | ||
153 | --- a/ssh-sk.c | ||
154 | +++ b/ssh-sk.c | ||
155 | @@ -119,10 +119,12 @@ sshsk_open(const char *path) | ||
156 | #endif | ||
157 | return ret; | ||
158 | } | ||
159 | - if ((ret->dlhandle = dlopen(path, RTLD_NOW)) == NULL) { | ||
160 | - error("Provider \"%s\" dlopen failed: %s", path, dlerror()); | ||
161 | + if (lib_contains_symbol(path, "sk_api_version") != 0) { | ||
162 | + error("provider %s is not an OpenSSH FIDO library", path); | ||
163 | goto fail; | ||
164 | } | ||
165 | + if ((ret->dlhandle = dlopen(path, RTLD_NOW)) == NULL) | ||
166 | + fatal("Provider \"%s\" dlopen failed: %s", path, dlerror()); | ||
167 | if ((ret->sk_api_version = dlsym(ret->dlhandle, | ||
168 | "sk_api_version")) == NULL) { | ||
169 | error("Provider \"%s\" dlsym(sk_api_version) failed: %s", | ||
170 | -- | ||
171 | 2.41.0 | ||
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-04.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-04.patch new file mode 100644 index 0000000000..5e8040c9bf --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-04.patch | |||
@@ -0,0 +1,34 @@ | |||
1 | From 0862f338941bfdfb2cadee87de6d5fdca1b8f457 Mon Sep 17 00:00:00 2001 | ||
2 | From: "djm@openbsd.org" <djm@openbsd.org> | ||
3 | Date: Wed, 19 Jul 2023 13:55:53 +0000 | ||
4 | Subject: [PATCH 04/12] upstream: terminate process if requested to load a | ||
5 | PKCS#11 provider that isn't a PKCS#11 provider; from / ok markus@ | ||
6 | |||
7 | OpenBSD-Commit-ID: 39532cf18b115881bb4cfaee32084497aadfa05c | ||
8 | |||
9 | Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/892506b13654301f69f9545f48213fc210e5c5cc] | ||
10 | CVE: CVE-2023-38408 | ||
11 | Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> | ||
12 | --- | ||
13 | ssh-pkcs11.c | 6 ++---- | ||
14 | 1 file changed, 2 insertions(+), 4 deletions(-) | ||
15 | |||
16 | diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c | ||
17 | index 639a6f7..7530acc 100644 | ||
18 | --- a/ssh-pkcs11.c | ||
19 | +++ b/ssh-pkcs11.c | ||
20 | @@ -1508,10 +1508,8 @@ pkcs11_register_provider(char *provider_id, char *pin, | ||
21 | error("dlopen %s failed: %s", provider_id, dlerror()); | ||
22 | goto fail; | ||
23 | } | ||
24 | - if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) { | ||
25 | - error("dlsym(C_GetFunctionList) failed: %s", dlerror()); | ||
26 | - goto fail; | ||
27 | - } | ||
28 | + if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) | ||
29 | + fatal("dlsym(C_GetFunctionList) failed: %s", dlerror()); | ||
30 | p = xcalloc(1, sizeof(*p)); | ||
31 | p->name = xstrdup(provider_id); | ||
32 | p->handle = handle; | ||
33 | -- | ||
34 | 2.41.0 | ||
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-05.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-05.patch new file mode 100644 index 0000000000..0ddbdc68d4 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-05.patch | |||
@@ -0,0 +1,194 @@ | |||
1 | From a6cee3905edf070c0de135d3f2ee5b74da1dbd28 Mon Sep 17 00:00:00 2001 | ||
2 | From: "djm@openbsd.org" <djm@openbsd.org> | ||
3 | Date: Tue, 26 May 2020 01:26:58 +0000 | ||
4 | Subject: [PATCH 05/12] upstream: Restrict ssh-agent from signing web | ||
5 | challenges for FIDO | ||
6 | |||
7 | keys. | ||
8 | |||
9 | When signing messages in ssh-agent using a FIDO key that has an | ||
10 | application string that does not start with "ssh:", ensure that the | ||
11 | message being signed is one of the forms expected for the SSH protocol | ||
12 | (currently pubkey authentication and sshsig signatures). | ||
13 | |||
14 | This prevents ssh-agent forwarding on a host that has FIDO keys | ||
15 | attached granting the ability for the remote side to sign challenges | ||
16 | for web authentication using those keys too. | ||
17 | |||
18 | Note that the converse case of web browsers signing SSH challenges is | ||
19 | already precluded because no web RP can have the "ssh:" prefix in the | ||
20 | application string that we require. | ||
21 | |||
22 | ok markus@ | ||
23 | |||
24 | OpenBSD-Commit-ID: 9ab6012574ed0352d2f097d307f4a988222d1b19 | ||
25 | |||
26 | Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/0c111eb84efba7c2a38b2cc3278901a0123161b9] | ||
27 | CVE: CVE-2023-38408 | ||
28 | Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> | ||
29 | --- | ||
30 | ssh-agent.c | 110 +++++++++++++++++++++++++++++++++++++++++++++++----- | ||
31 | 1 file changed, 100 insertions(+), 10 deletions(-) | ||
32 | |||
33 | diff --git a/ssh-agent.c b/ssh-agent.c | ||
34 | index ceb348c..1794f35 100644 | ||
35 | --- a/ssh-agent.c | ||
36 | +++ b/ssh-agent.c | ||
37 | @@ -1,4 +1,4 @@ | ||
38 | -/* $OpenBSD: ssh-agent.c,v 1.255 2020/02/06 22:30:54 naddy Exp $ */ | ||
39 | +/* $OpenBSD: ssh-agent.c,v 1.258 2020/05/26 01:26:58 djm Exp $ */ | ||
40 | /* | ||
41 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | ||
42 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | ||
43 | @@ -77,6 +77,7 @@ | ||
44 | |||
45 | #include "xmalloc.h" | ||
46 | #include "ssh.h" | ||
47 | +#include "ssh2.h" | ||
48 | #include "sshbuf.h" | ||
49 | #include "sshkey.h" | ||
50 | #include "authfd.h" | ||
51 | @@ -167,6 +168,9 @@ static long lifetime = 0; | ||
52 | |||
53 | static int fingerprint_hash = SSH_FP_HASH_DEFAULT; | ||
54 | |||
55 | +/* Refuse signing of non-SSH messages for web-origin FIDO keys */ | ||
56 | +static int restrict_websafe = 1; | ||
57 | + | ||
58 | static void | ||
59 | close_socket(SocketEntry *e) | ||
60 | { | ||
61 | @@ -282,6 +286,80 @@ agent_decode_alg(struct sshkey *key, u_int flags) | ||
62 | return NULL; | ||
63 | } | ||
64 | |||
65 | +/* | ||
66 | + * This function inspects a message to be signed by a FIDO key that has a | ||
67 | + * web-like application string (i.e. one that does not begin with "ssh:". | ||
68 | + * It checks that the message is one of those expected for SSH operations | ||
69 | + * (pubkey userauth, sshsig, CA key signing) to exclude signing challenges | ||
70 | + * for the web. | ||
71 | + */ | ||
72 | +static int | ||
73 | +check_websafe_message_contents(struct sshkey *key, | ||
74 | + const u_char *msg, size_t len) | ||
75 | +{ | ||
76 | + int matched = 0; | ||
77 | + struct sshbuf *b; | ||
78 | + u_char m, n; | ||
79 | + char *cp1 = NULL, *cp2 = NULL; | ||
80 | + int r; | ||
81 | + struct sshkey *mkey = NULL; | ||
82 | + | ||
83 | + if ((b = sshbuf_from(msg, len)) == NULL) | ||
84 | + fatal("%s: sshbuf_new", __func__); | ||
85 | + | ||
86 | + /* SSH userauth request */ | ||
87 | + if ((r = sshbuf_get_string_direct(b, NULL, NULL)) == 0 && /* sess_id */ | ||
88 | + (r = sshbuf_get_u8(b, &m)) == 0 && /* SSH2_MSG_USERAUTH_REQUEST */ | ||
89 | + (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 && /* server user */ | ||
90 | + (r = sshbuf_get_cstring(b, &cp1, NULL)) == 0 && /* service */ | ||
91 | + (r = sshbuf_get_cstring(b, &cp2, NULL)) == 0 && /* method */ | ||
92 | + (r = sshbuf_get_u8(b, &n)) == 0 && /* sig-follows */ | ||
93 | + (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 && /* alg */ | ||
94 | + (r = sshkey_froms(b, &mkey)) == 0 && /* key */ | ||
95 | + sshbuf_len(b) == 0) { | ||
96 | + debug("%s: parsed userauth", __func__); | ||
97 | + if (m == SSH2_MSG_USERAUTH_REQUEST && n == 1 && | ||
98 | + strcmp(cp1, "ssh-connection") == 0 && | ||
99 | + strcmp(cp2, "publickey") == 0 && | ||
100 | + sshkey_equal(key, mkey)) { | ||
101 | + debug("%s: well formed userauth", __func__); | ||
102 | + matched = 1; | ||
103 | + } | ||
104 | + } | ||
105 | + free(cp1); | ||
106 | + free(cp2); | ||
107 | + sshkey_free(mkey); | ||
108 | + sshbuf_free(b); | ||
109 | + if (matched) | ||
110 | + return 1; | ||
111 | + | ||
112 | + if ((b = sshbuf_from(msg, len)) == NULL) | ||
113 | + fatal("%s: sshbuf_new", __func__); | ||
114 | + cp1 = cp2 = NULL; | ||
115 | + mkey = NULL; | ||
116 | + | ||
117 | + /* SSHSIG */ | ||
118 | + if ((r = sshbuf_cmp(b, 0, "SSHSIG", 6)) == 0 && | ||
119 | + (r = sshbuf_consume(b, 6)) == 0 && | ||
120 | + (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 && /* namespace */ | ||
121 | + (r = sshbuf_get_string_direct(b, NULL, NULL)) == 0 && /* reserved */ | ||
122 | + (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 && /* hashalg */ | ||
123 | + (r = sshbuf_get_string_direct(b, NULL, NULL)) == 0 && /* H(msg) */ | ||
124 | + sshbuf_len(b) == 0) { | ||
125 | + debug("%s: parsed sshsig", __func__); | ||
126 | + matched = 1; | ||
127 | + } | ||
128 | + | ||
129 | + sshbuf_free(b); | ||
130 | + if (matched) | ||
131 | + return 1; | ||
132 | + | ||
133 | + /* XXX CA signature operation */ | ||
134 | + | ||
135 | + error("web-origin key attempting to sign non-SSH message"); | ||
136 | + return 0; | ||
137 | +} | ||
138 | + | ||
139 | /* ssh2 only */ | ||
140 | static void | ||
141 | process_sign_request2(SocketEntry *e) | ||
142 | @@ -314,14 +392,20 @@ process_sign_request2(SocketEntry *e) | ||
143 | verbose("%s: user refused key", __func__); | ||
144 | goto send; | ||
145 | } | ||
146 | - if (sshkey_is_sk(id->key) && | ||
147 | - (id->key->sk_flags & SSH_SK_USER_PRESENCE_REQD)) { | ||
148 | - if ((fp = sshkey_fingerprint(key, SSH_FP_HASH_DEFAULT, | ||
149 | - SSH_FP_DEFAULT)) == NULL) | ||
150 | - fatal("%s: fingerprint failed", __func__); | ||
151 | - notifier = notify_start(0, | ||
152 | - "Confirm user presence for key %s %s", | ||
153 | - sshkey_type(id->key), fp); | ||
154 | + if (sshkey_is_sk(id->key)) { | ||
155 | + if (strncmp(id->key->sk_application, "ssh:", 4) != 0 && | ||
156 | + !check_websafe_message_contents(key, data, dlen)) { | ||
157 | + /* error already logged */ | ||
158 | + goto send; | ||
159 | + } | ||
160 | + if ((id->key->sk_flags & SSH_SK_USER_PRESENCE_REQD)) { | ||
161 | + if ((fp = sshkey_fingerprint(key, SSH_FP_HASH_DEFAULT, | ||
162 | + SSH_FP_DEFAULT)) == NULL) | ||
163 | + fatal("%s: fingerprint failed", __func__); | ||
164 | + notifier = notify_start(0, | ||
165 | + "Confirm user presence for key %s %s", | ||
166 | + sshkey_type(id->key), fp); | ||
167 | + } | ||
168 | } | ||
169 | if ((r = sshkey_sign(id->key, &signature, &slen, | ||
170 | data, dlen, agent_decode_alg(key, flags), | ||
171 | @@ -1214,7 +1298,7 @@ main(int ac, char **av) | ||
172 | __progname = ssh_get_progname(av[0]); | ||
173 | seed_rng(); | ||
174 | |||
175 | - while ((ch = getopt(ac, av, "cDdksE:a:P:t:")) != -1) { | ||
176 | + while ((ch = getopt(ac, av, "cDdksE:a:O:P:t:")) != -1) { | ||
177 | switch (ch) { | ||
178 | case 'E': | ||
179 | fingerprint_hash = ssh_digest_alg_by_name(optarg); | ||
180 | @@ -1229,6 +1313,12 @@ main(int ac, char **av) | ||
181 | case 'k': | ||
182 | k_flag++; | ||
183 | break; | ||
184 | + case 'O': | ||
185 | + if (strcmp(optarg, "no-restrict-websafe") == 0) | ||
186 | + restrict_websafe = 0; | ||
187 | + else | ||
188 | + fatal("Unknown -O option"); | ||
189 | + break; | ||
190 | case 'P': | ||
191 | if (provider_whitelist != NULL) | ||
192 | fatal("-P option already specified"); | ||
193 | -- | ||
194 | 2.41.0 | ||
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-06.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-06.patch new file mode 100644 index 0000000000..ac494aab0b --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-06.patch | |||
@@ -0,0 +1,73 @@ | |||
1 | From a5d845b7b42861d18f43e83de9f24c7374d1b458 Mon Sep 17 00:00:00 2001 | ||
2 | From: "djm@openbsd.org" <djm@openbsd.org> | ||
3 | Date: Fri, 18 Sep 2020 08:16:38 +0000 | ||
4 | Subject: [PATCH 06/12] upstream: handle multiple messages in a single read() | ||
5 | |||
6 | PR#183 by Dennis Kaarsemaker; feedback and ok markus@ | ||
7 | |||
8 | OpenBSD-Commit-ID: 8570bb4d02d00cf70b98590716ea6a7d1cce68d1 | ||
9 | |||
10 | Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/52a03e9fca2d74eef953ddd4709250f365ca3975] | ||
11 | CVE: CVE-2023-38408 | ||
12 | Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> | ||
13 | --- | ||
14 | ssh-agent.c | 19 +++++++++++++------ | ||
15 | 1 file changed, 13 insertions(+), 6 deletions(-) | ||
16 | |||
17 | diff --git a/ssh-agent.c b/ssh-agent.c | ||
18 | index 1794f35..78f7268 100644 | ||
19 | --- a/ssh-agent.c | ||
20 | +++ b/ssh-agent.c | ||
21 | @@ -1,4 +1,4 @@ | ||
22 | -/* $OpenBSD: ssh-agent.c,v 1.258 2020/05/26 01:26:58 djm Exp $ */ | ||
23 | +/* $OpenBSD: ssh-agent.c,v 1.264 2020/09/18 08:16:38 djm Exp $ */ | ||
24 | /* | ||
25 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | ||
26 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | ||
27 | @@ -853,8 +853,10 @@ send: | ||
28 | } | ||
29 | #endif /* ENABLE_PKCS11 */ | ||
30 | |||
31 | -/* dispatch incoming messages */ | ||
32 | - | ||
33 | +/* | ||
34 | + * dispatch incoming message. | ||
35 | + * returns 1 on success, 0 for incomplete messages or -1 on error. | ||
36 | + */ | ||
37 | static int | ||
38 | process_message(u_int socknum) | ||
39 | { | ||
40 | @@ -908,7 +910,7 @@ process_message(u_int socknum) | ||
41 | /* send a fail message for all other request types */ | ||
42 | send_status(e, 0); | ||
43 | } | ||
44 | - return 0; | ||
45 | + return 1; | ||
46 | } | ||
47 | |||
48 | switch (type) { | ||
49 | @@ -952,7 +954,7 @@ process_message(u_int socknum) | ||
50 | send_status(e, 0); | ||
51 | break; | ||
52 | } | ||
53 | - return 0; | ||
54 | + return 1; | ||
55 | } | ||
56 | |||
57 | static void | ||
58 | @@ -1043,7 +1045,12 @@ handle_conn_read(u_int socknum) | ||
59 | if ((r = sshbuf_put(sockets[socknum].input, buf, len)) != 0) | ||
60 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | ||
61 | explicit_bzero(buf, sizeof(buf)); | ||
62 | - process_message(socknum); | ||
63 | + for (;;) { | ||
64 | + if ((r = process_message(socknum)) == -1) | ||
65 | + return -1; | ||
66 | + else if (r == 0) | ||
67 | + break; | ||
68 | + } | ||
69 | return 0; | ||
70 | } | ||
71 | |||
72 | -- | ||
73 | 2.41.0 | ||
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-07.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-07.patch new file mode 100644 index 0000000000..0dcf23ae17 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-07.patch | |||
@@ -0,0 +1,125 @@ | |||
1 | From 653cc18c922fc387b3d3aa1b081c5e5283cce28a Mon Sep 17 00:00:00 2001 | ||
2 | From: "djm@openbsd.org" <djm@openbsd.org> | ||
3 | Date: Tue, 26 Jan 2021 00:47:47 +0000 | ||
4 | Subject: [PATCH 07/12] upstream: use recallocarray to allocate the agent | ||
5 | sockets table; | ||
6 | |||
7 | also clear socket entries that are being marked as unused. | ||
8 | |||
9 | spinkle in some debug2() spam to make it easier to watch an agent | ||
10 | do its thing. | ||
11 | |||
12 | ok markus | ||
13 | |||
14 | OpenBSD-Commit-ID: 74582c8e82e96afea46f6c7b6813a429cbc75922 | ||
15 | |||
16 | Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/1fe16fd61bb53944ec510882acc0491abd66ff76] | ||
17 | CVE: CVE-2023-38408 | ||
18 | Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> | ||
19 | --- | ||
20 | ssh-agent.c | 20 ++++++++++++++++---- | ||
21 | 1 file changed, 16 insertions(+), 4 deletions(-) | ||
22 | |||
23 | diff --git a/ssh-agent.c b/ssh-agent.c | ||
24 | index 78f7268..2635bc5 100644 | ||
25 | --- a/ssh-agent.c | ||
26 | +++ b/ssh-agent.c | ||
27 | @@ -1,4 +1,4 @@ | ||
28 | -/* $OpenBSD: ssh-agent.c,v 1.264 2020/09/18 08:16:38 djm Exp $ */ | ||
29 | +/* $OpenBSD: ssh-agent.c,v 1.269 2021/01/26 00:47:47 djm Exp $ */ | ||
30 | /* | ||
31 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | ||
32 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | ||
33 | @@ -175,11 +175,12 @@ static void | ||
34 | close_socket(SocketEntry *e) | ||
35 | { | ||
36 | close(e->fd); | ||
37 | - e->fd = -1; | ||
38 | - e->type = AUTH_UNUSED; | ||
39 | sshbuf_free(e->input); | ||
40 | sshbuf_free(e->output); | ||
41 | sshbuf_free(e->request); | ||
42 | + memset(e, '\0', sizeof(*e)); | ||
43 | + e->fd = -1; | ||
44 | + e->type = AUTH_UNUSED; | ||
45 | } | ||
46 | |||
47 | static void | ||
48 | @@ -249,6 +250,8 @@ process_request_identities(SocketEntry *e) | ||
49 | struct sshbuf *msg; | ||
50 | int r; | ||
51 | |||
52 | + debug2("%s: entering", __func__); | ||
53 | + | ||
54 | if ((msg = sshbuf_new()) == NULL) | ||
55 | fatal("%s: sshbuf_new failed", __func__); | ||
56 | if ((r = sshbuf_put_u8(msg, SSH2_AGENT_IDENTITIES_ANSWER)) != 0 || | ||
57 | @@ -441,6 +444,7 @@ process_remove_identity(SocketEntry *e) | ||
58 | struct sshkey *key = NULL; | ||
59 | Identity *id; | ||
60 | |||
61 | + debug2("%s: entering", __func__); | ||
62 | if ((r = sshkey_froms(e->request, &key)) != 0) { | ||
63 | error("%s: get key: %s", __func__, ssh_err(r)); | ||
64 | goto done; | ||
65 | @@ -467,6 +471,7 @@ process_remove_all_identities(SocketEntry *e) | ||
66 | { | ||
67 | Identity *id; | ||
68 | |||
69 | + debug2("%s: entering", __func__); | ||
70 | /* Loop over all identities and clear the keys. */ | ||
71 | for (id = TAILQ_FIRST(&idtab->idlist); id; | ||
72 | id = TAILQ_FIRST(&idtab->idlist)) { | ||
73 | @@ -520,6 +525,7 @@ process_add_identity(SocketEntry *e) | ||
74 | u_char ctype; | ||
75 | int r = SSH_ERR_INTERNAL_ERROR; | ||
76 | |||
77 | + debug2("%s: entering", __func__); | ||
78 | if ((r = sshkey_private_deserialize(e->request, &k)) != 0 || | ||
79 | k == NULL || | ||
80 | (r = sshbuf_get_cstring(e->request, &comment, NULL)) != 0) { | ||
81 | @@ -667,6 +673,7 @@ process_lock_agent(SocketEntry *e, int lock) | ||
82 | static u_int fail_count = 0; | ||
83 | size_t pwlen; | ||
84 | |||
85 | + debug2("%s: entering", __func__); | ||
86 | /* | ||
87 | * This is deliberately fatal: the user has requested that we lock, | ||
88 | * but we can't parse their request properly. The only safe thing to | ||
89 | @@ -738,6 +745,7 @@ process_add_smartcard_key(SocketEntry *e) | ||
90 | struct sshkey **keys = NULL, *k; | ||
91 | Identity *id; | ||
92 | |||
93 | + debug2("%s: entering", __func__); | ||
94 | if ((r = sshbuf_get_cstring(e->request, &provider, NULL)) != 0 || | ||
95 | (r = sshbuf_get_cstring(e->request, &pin, NULL)) != 0) { | ||
96 | error("%s: buffer error: %s", __func__, ssh_err(r)); | ||
97 | @@ -818,6 +826,7 @@ process_remove_smartcard_key(SocketEntry *e) | ||
98 | int r, success = 0; | ||
99 | Identity *id, *nxt; | ||
100 | |||
101 | + debug2("%s: entering", __func__); | ||
102 | if ((r = sshbuf_get_cstring(e->request, &provider, NULL)) != 0 || | ||
103 | (r = sshbuf_get_cstring(e->request, &pin, NULL)) != 0) { | ||
104 | error("%s: buffer error: %s", __func__, ssh_err(r)); | ||
105 | @@ -962,6 +971,8 @@ new_socket(sock_type type, int fd) | ||
106 | { | ||
107 | u_int i, old_alloc, new_alloc; | ||
108 | |||
109 | + debug("%s: type = %s", __func__, type == AUTH_CONNECTION ? "CONNECTION" : | ||
110 | + (type == AUTH_SOCKET ? "SOCKET" : "UNKNOWN")); | ||
111 | set_nonblock(fd); | ||
112 | |||
113 | if (fd > max_fd) | ||
114 | @@ -981,7 +992,8 @@ new_socket(sock_type type, int fd) | ||
115 | } | ||
116 | old_alloc = sockets_alloc; | ||
117 | new_alloc = sockets_alloc + 10; | ||
118 | - sockets = xreallocarray(sockets, new_alloc, sizeof(sockets[0])); | ||
119 | + sockets = xrecallocarray(sockets, old_alloc, new_alloc, | ||
120 | + sizeof(sockets[0])); | ||
121 | for (i = old_alloc; i < new_alloc; i++) | ||
122 | sockets[i].type = AUTH_UNUSED; | ||
123 | sockets_alloc = new_alloc; | ||
124 | -- | ||
125 | 2.41.0 | ||
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-08.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-08.patch new file mode 100644 index 0000000000..141c8113bf --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-08.patch | |||
@@ -0,0 +1,315 @@ | |||
1 | From c30158ea225cf8ad67c3dcc88fa9e4afbf8959a7 Mon Sep 17 00:00:00 2001 | ||
2 | From: "djm@openbsd.org" <djm@openbsd.org> | ||
3 | Date: Tue, 26 Jan 2021 00:53:31 +0000 | ||
4 | Subject: [PATCH 08/12] upstream: more ssh-agent refactoring | ||
5 | |||
6 | Allow confirm_key() to accept an additional reason suffix | ||
7 | |||
8 | Factor publickey userauth parsing out into its own function and allow | ||
9 | it to optionally return things it parsed out of the message to its | ||
10 | caller. | ||
11 | |||
12 | feedback/ok markus@ | ||
13 | |||
14 | OpenBSD-Commit-ID: 29006515617d1aa2d8b85cd2bf667e849146477e | ||
15 | |||
16 | Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/e0e8bee8024fa9e31974244d14f03d799e5c0775] | ||
17 | CVE: CVE-2023-38408 | ||
18 | Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> | ||
19 | --- | ||
20 | ssh-agent.c | 197 ++++++++++++++++++++++++++++++++++------------------ | ||
21 | 1 file changed, 130 insertions(+), 67 deletions(-) | ||
22 | |||
23 | diff --git a/ssh-agent.c b/ssh-agent.c | ||
24 | index 2635bc5..7ad323c 100644 | ||
25 | --- a/ssh-agent.c | ||
26 | +++ b/ssh-agent.c | ||
27 | @@ -1,4 +1,4 @@ | ||
28 | -/* $OpenBSD: ssh-agent.c,v 1.269 2021/01/26 00:47:47 djm Exp $ */ | ||
29 | +/* $OpenBSD: ssh-agent.c,v 1.270 2021/01/26 00:53:31 djm Exp $ */ | ||
30 | /* | ||
31 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | ||
32 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | ||
33 | @@ -216,15 +216,16 @@ lookup_identity(struct sshkey *key) | ||
34 | |||
35 | /* Check confirmation of keysign request */ | ||
36 | static int | ||
37 | -confirm_key(Identity *id) | ||
38 | +confirm_key(Identity *id, const char *extra) | ||
39 | { | ||
40 | char *p; | ||
41 | int ret = -1; | ||
42 | |||
43 | p = sshkey_fingerprint(id->key, fingerprint_hash, SSH_FP_DEFAULT); | ||
44 | if (p != NULL && | ||
45 | - ask_permission("Allow use of key %s?\nKey fingerprint %s.", | ||
46 | - id->comment, p)) | ||
47 | + ask_permission("Allow use of key %s?\nKey fingerprint %s.%s%s", | ||
48 | + id->comment, p, | ||
49 | + extra == NULL ? "" : "\n", extra == NULL ? "" : extra)) | ||
50 | ret = 0; | ||
51 | free(p); | ||
52 | |||
53 | @@ -290,74 +291,133 @@ agent_decode_alg(struct sshkey *key, u_int flags) | ||
54 | } | ||
55 | |||
56 | /* | ||
57 | - * This function inspects a message to be signed by a FIDO key that has a | ||
58 | - * web-like application string (i.e. one that does not begin with "ssh:". | ||
59 | - * It checks that the message is one of those expected for SSH operations | ||
60 | - * (pubkey userauth, sshsig, CA key signing) to exclude signing challenges | ||
61 | - * for the web. | ||
62 | + * Attempt to parse the contents of a buffer as a SSH publickey userauth | ||
63 | + * request, checking its contents for consistency and matching the embedded | ||
64 | + * key against the one that is being used for signing. | ||
65 | + * Note: does not modify msg buffer. | ||
66 | + * Optionally extract the username and session ID from the request. | ||
67 | */ | ||
68 | static int | ||
69 | -check_websafe_message_contents(struct sshkey *key, | ||
70 | - const u_char *msg, size_t len) | ||
71 | +parse_userauth_request(struct sshbuf *msg, const struct sshkey *expected_key, | ||
72 | + char **userp, struct sshbuf **sess_idp) | ||
73 | { | ||
74 | - int matched = 0; | ||
75 | - struct sshbuf *b; | ||
76 | - u_char m, n; | ||
77 | - char *cp1 = NULL, *cp2 = NULL; | ||
78 | + struct sshbuf *b = NULL, *sess_id = NULL; | ||
79 | + char *user = NULL, *service = NULL, *method = NULL, *pkalg = NULL; | ||
80 | int r; | ||
81 | + u_char t, sig_follows; | ||
82 | struct sshkey *mkey = NULL; | ||
83 | |||
84 | - if ((b = sshbuf_from(msg, len)) == NULL) | ||
85 | - fatal("%s: sshbuf_new", __func__); | ||
86 | + if (userp != NULL) | ||
87 | + *userp = NULL; | ||
88 | + if (sess_idp != NULL) | ||
89 | + *sess_idp = NULL; | ||
90 | + if ((b = sshbuf_fromb(msg)) == NULL) | ||
91 | + fatal("%s: sshbuf_fromb", __func__); | ||
92 | |||
93 | /* SSH userauth request */ | ||
94 | - if ((r = sshbuf_get_string_direct(b, NULL, NULL)) == 0 && /* sess_id */ | ||
95 | - (r = sshbuf_get_u8(b, &m)) == 0 && /* SSH2_MSG_USERAUTH_REQUEST */ | ||
96 | - (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 && /* server user */ | ||
97 | - (r = sshbuf_get_cstring(b, &cp1, NULL)) == 0 && /* service */ | ||
98 | - (r = sshbuf_get_cstring(b, &cp2, NULL)) == 0 && /* method */ | ||
99 | - (r = sshbuf_get_u8(b, &n)) == 0 && /* sig-follows */ | ||
100 | - (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 && /* alg */ | ||
101 | - (r = sshkey_froms(b, &mkey)) == 0 && /* key */ | ||
102 | - sshbuf_len(b) == 0) { | ||
103 | - debug("%s: parsed userauth", __func__); | ||
104 | - if (m == SSH2_MSG_USERAUTH_REQUEST && n == 1 && | ||
105 | - strcmp(cp1, "ssh-connection") == 0 && | ||
106 | - strcmp(cp2, "publickey") == 0 && | ||
107 | - sshkey_equal(key, mkey)) { | ||
108 | - debug("%s: well formed userauth", __func__); | ||
109 | - matched = 1; | ||
110 | - } | ||
111 | + if ((r = sshbuf_froms(b, &sess_id)) != 0) | ||
112 | + goto out; | ||
113 | + if (sshbuf_len(sess_id) == 0) { | ||
114 | + r = SSH_ERR_INVALID_FORMAT; | ||
115 | + goto out; | ||
116 | } | ||
117 | - free(cp1); | ||
118 | - free(cp2); | ||
119 | - sshkey_free(mkey); | ||
120 | + if ((r = sshbuf_get_u8(b, &t)) != 0 || /* SSH2_MSG_USERAUTH_REQUEST */ | ||
121 | + (r = sshbuf_get_cstring(b, &user, NULL)) != 0 || /* server user */ | ||
122 | + (r = sshbuf_get_cstring(b, &service, NULL)) != 0 || /* service */ | ||
123 | + (r = sshbuf_get_cstring(b, &method, NULL)) != 0 || /* method */ | ||
124 | + (r = sshbuf_get_u8(b, &sig_follows)) != 0 || /* sig-follows */ | ||
125 | + (r = sshbuf_get_cstring(b, &pkalg, NULL)) != 0 || /* alg */ | ||
126 | + (r = sshkey_froms(b, &mkey)) != 0) /* key */ | ||
127 | + goto out; | ||
128 | + if (t != SSH2_MSG_USERAUTH_REQUEST || | ||
129 | + sig_follows != 1 || | ||
130 | + strcmp(service, "ssh-connection") != 0 || | ||
131 | + !sshkey_equal(expected_key, mkey) || | ||
132 | + sshkey_type_from_name(pkalg) != expected_key->type) { | ||
133 | + r = SSH_ERR_INVALID_FORMAT; | ||
134 | + goto out; | ||
135 | + } | ||
136 | + if (strcmp(method, "publickey") != 0) { | ||
137 | + r = SSH_ERR_INVALID_FORMAT; | ||
138 | + goto out; | ||
139 | + } | ||
140 | + if (sshbuf_len(b) != 0) { | ||
141 | + r = SSH_ERR_INVALID_FORMAT; | ||
142 | + goto out; | ||
143 | + } | ||
144 | + /* success */ | ||
145 | + r = 0; | ||
146 | + debug("%s: well formed userauth", __func__); | ||
147 | + if (userp != NULL) { | ||
148 | + *userp = user; | ||
149 | + user = NULL; | ||
150 | + } | ||
151 | + if (sess_idp != NULL) { | ||
152 | + *sess_idp = sess_id; | ||
153 | + sess_id = NULL; | ||
154 | + } | ||
155 | + out: | ||
156 | sshbuf_free(b); | ||
157 | - if (matched) | ||
158 | - return 1; | ||
159 | + sshbuf_free(sess_id); | ||
160 | + free(user); | ||
161 | + free(service); | ||
162 | + free(method); | ||
163 | + free(pkalg); | ||
164 | + sshkey_free(mkey); | ||
165 | + return r; | ||
166 | +} | ||
167 | |||
168 | - if ((b = sshbuf_from(msg, len)) == NULL) | ||
169 | - fatal("%s: sshbuf_new", __func__); | ||
170 | - cp1 = cp2 = NULL; | ||
171 | - mkey = NULL; | ||
172 | - | ||
173 | - /* SSHSIG */ | ||
174 | - if ((r = sshbuf_cmp(b, 0, "SSHSIG", 6)) == 0 && | ||
175 | - (r = sshbuf_consume(b, 6)) == 0 && | ||
176 | - (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 && /* namespace */ | ||
177 | - (r = sshbuf_get_string_direct(b, NULL, NULL)) == 0 && /* reserved */ | ||
178 | - (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 && /* hashalg */ | ||
179 | - (r = sshbuf_get_string_direct(b, NULL, NULL)) == 0 && /* H(msg) */ | ||
180 | - sshbuf_len(b) == 0) { | ||
181 | - debug("%s: parsed sshsig", __func__); | ||
182 | - matched = 1; | ||
183 | - } | ||
184 | +/* | ||
185 | + * Attempt to parse the contents of a buffer as a SSHSIG signature request. | ||
186 | + * Note: does not modify buffer. | ||
187 | + */ | ||
188 | +static int | ||
189 | +parse_sshsig_request(struct sshbuf *msg) | ||
190 | +{ | ||
191 | + int r; | ||
192 | + struct sshbuf *b; | ||
193 | |||
194 | + if ((b = sshbuf_fromb(msg)) == NULL) | ||
195 | + fatal("%s: sshbuf_fromb", __func__); | ||
196 | + | ||
197 | + if ((r = sshbuf_cmp(b, 0, "SSHSIG", 6)) != 0 || | ||
198 | + (r = sshbuf_consume(b, 6)) != 0 || | ||
199 | + (r = sshbuf_get_cstring(b, NULL, NULL)) != 0 || /* namespace */ | ||
200 | + (r = sshbuf_get_string_direct(b, NULL, NULL)) != 0 || /* reserved */ | ||
201 | + (r = sshbuf_get_cstring(b, NULL, NULL)) != 0 || /* hashalg */ | ||
202 | + (r = sshbuf_get_string_direct(b, NULL, NULL)) != 0) /* H(msg) */ | ||
203 | + goto out; | ||
204 | + if (sshbuf_len(b) != 0) { | ||
205 | + r = SSH_ERR_INVALID_FORMAT; | ||
206 | + goto out; | ||
207 | + } | ||
208 | + /* success */ | ||
209 | + r = 0; | ||
210 | + out: | ||
211 | sshbuf_free(b); | ||
212 | - if (matched) | ||
213 | + return r; | ||
214 | +} | ||
215 | + | ||
216 | +/* | ||
217 | + * This function inspects a message to be signed by a FIDO key that has a | ||
218 | + * web-like application string (i.e. one that does not begin with "ssh:". | ||
219 | + * It checks that the message is one of those expected for SSH operations | ||
220 | + * (pubkey userauth, sshsig, CA key signing) to exclude signing challenges | ||
221 | + * for the web. | ||
222 | + */ | ||
223 | +static int | ||
224 | +check_websafe_message_contents(struct sshkey *key, struct sshbuf *data) | ||
225 | +{ | ||
226 | + if (parse_userauth_request(data, key, NULL, NULL) == 0) { | ||
227 | + debug("%s: signed data matches public key userauth request", __func__); | ||
228 | return 1; | ||
229 | + } | ||
230 | + if (parse_sshsig_request(data) == 0) { | ||
231 | + debug("%s: signed data matches SSHSIG signature request", __func__); | ||
232 | + return 1; | ||
233 | + } | ||
234 | |||
235 | - /* XXX CA signature operation */ | ||
236 | + /* XXX check CA signature operation */ | ||
237 | |||
238 | error("web-origin key attempting to sign non-SSH message"); | ||
239 | return 0; | ||
240 | @@ -367,21 +427,22 @@ check_websafe_message_contents(struct sshkey *key, | ||
241 | static void | ||
242 | process_sign_request2(SocketEntry *e) | ||
243 | { | ||
244 | - const u_char *data; | ||
245 | u_char *signature = NULL; | ||
246 | - size_t dlen, slen = 0; | ||
247 | + size_t i, slen = 0; | ||
248 | u_int compat = 0, flags; | ||
249 | int r, ok = -1; | ||
250 | char *fp = NULL; | ||
251 | - struct sshbuf *msg; | ||
252 | + struct sshbuf *msg = NULL, *data = NULL; | ||
253 | struct sshkey *key = NULL; | ||
254 | struct identity *id; | ||
255 | struct notifier_ctx *notifier = NULL; | ||
256 | |||
257 | - if ((msg = sshbuf_new()) == NULL) | ||
258 | + debug("%s: entering", __func__); | ||
259 | + | ||
260 | + if ((msg = sshbuf_new()) == NULL | (data = sshbuf_new()) == NULL) | ||
261 | fatal("%s: sshbuf_new failed", __func__); | ||
262 | if ((r = sshkey_froms(e->request, &key)) != 0 || | ||
263 | - (r = sshbuf_get_string_direct(e->request, &data, &dlen)) != 0 || | ||
264 | + (r = sshbuf_get_stringb(e->request, data)) != 0 || | ||
265 | (r = sshbuf_get_u32(e->request, &flags)) != 0) { | ||
266 | error("%s: couldn't parse request: %s", __func__, ssh_err(r)); | ||
267 | goto send; | ||
268 | @@ -391,13 +452,13 @@ process_sign_request2(SocketEntry *e) | ||
269 | verbose("%s: %s key not found", __func__, sshkey_type(key)); | ||
270 | goto send; | ||
271 | } | ||
272 | - if (id->confirm && confirm_key(id) != 0) { | ||
273 | + if (id->confirm && confirm_key(id, NULL) != 0) { | ||
274 | verbose("%s: user refused key", __func__); | ||
275 | goto send; | ||
276 | } | ||
277 | if (sshkey_is_sk(id->key)) { | ||
278 | if (strncmp(id->key->sk_application, "ssh:", 4) != 0 && | ||
279 | - !check_websafe_message_contents(key, data, dlen)) { | ||
280 | + !check_websafe_message_contents(key, data)) { | ||
281 | /* error already logged */ | ||
282 | goto send; | ||
283 | } | ||
284 | @@ -411,7 +472,7 @@ process_sign_request2(SocketEntry *e) | ||
285 | } | ||
286 | } | ||
287 | if ((r = sshkey_sign(id->key, &signature, &slen, | ||
288 | - data, dlen, agent_decode_alg(key, flags), | ||
289 | + sshbuf_ptr(data), sshbuf_len(data), agent_decode_alg(key, flags), | ||
290 | id->sk_provider, compat)) != 0) { | ||
291 | error("%s: sshkey_sign: %s", __func__, ssh_err(r)); | ||
292 | goto send; | ||
293 | @@ -420,8 +481,7 @@ process_sign_request2(SocketEntry *e) | ||
294 | ok = 0; | ||
295 | send: | ||
296 | notify_complete(notifier); | ||
297 | - sshkey_free(key); | ||
298 | - free(fp); | ||
299 | + | ||
300 | if (ok == 0) { | ||
301 | if ((r = sshbuf_put_u8(msg, SSH2_AGENT_SIGN_RESPONSE)) != 0 || | ||
302 | (r = sshbuf_put_string(msg, signature, slen)) != 0) | ||
303 | @@ -432,7 +492,10 @@ process_sign_request2(SocketEntry *e) | ||
304 | if ((r = sshbuf_put_stringb(e->output, msg)) != 0) | ||
305 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | ||
306 | |||
307 | + sshbuf_free(data); | ||
308 | sshbuf_free(msg); | ||
309 | + sshkey_free(key); | ||
310 | + free(fp); | ||
311 | free(signature); | ||
312 | } | ||
313 | |||
314 | -- | ||
315 | 2.41.0 | ||
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-09.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-09.patch new file mode 100644 index 0000000000..b519ccce42 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-09.patch | |||
@@ -0,0 +1,38 @@ | |||
1 | From 7adba46611e5d076d7d12d9f4162dd4cabd5ff50 Mon Sep 17 00:00:00 2001 | ||
2 | From: "djm@openbsd.org" <djm@openbsd.org> | ||
3 | Date: Fri, 29 Jan 2021 06:28:10 +0000 | ||
4 | Subject: [PATCH 09/12] upstream: give typedef'd struct a struct name; makes | ||
5 | the fuzzer I'm | ||
6 | |||
7 | writing a bit easier | ||
8 | |||
9 | OpenBSD-Commit-ID: 1052ab521505a4d8384d67acb3974ef81b8896cb | ||
10 | |||
11 | Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/8afaa7d7918419d3da6c0477b83db2159879cb33] | ||
12 | CVE: CVE-2023-38408 | ||
13 | Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> | ||
14 | --- | ||
15 | ssh-agent.c | 4 ++-- | ||
16 | 1 file changed, 2 insertions(+), 2 deletions(-) | ||
17 | |||
18 | diff --git a/ssh-agent.c b/ssh-agent.c | ||
19 | index 7ad323c..c99927c 100644 | ||
20 | --- a/ssh-agent.c | ||
21 | +++ b/ssh-agent.c | ||
22 | @@ -1,4 +1,4 @@ | ||
23 | -/* $OpenBSD: ssh-agent.c,v 1.270 2021/01/26 00:53:31 djm Exp $ */ | ||
24 | +/* $OpenBSD: ssh-agent.c,v 1.274 2021/01/29 06:28:10 djm Exp $ */ | ||
25 | /* | ||
26 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | ||
27 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | ||
28 | @@ -108,7 +108,7 @@ typedef enum { | ||
29 | AUTH_CONNECTION | ||
30 | } sock_type; | ||
31 | |||
32 | -typedef struct { | ||
33 | +typedef struct socket_entry { | ||
34 | int fd; | ||
35 | sock_type type; | ||
36 | struct sshbuf *input; | ||
37 | -- | ||
38 | 2.41.0 | ||
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-10.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-10.patch new file mode 100644 index 0000000000..27b2eadfae --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-10.patch | |||
@@ -0,0 +1,39 @@ | |||
1 | From 343e2a2c0ef754a7a86118016b248f7a73f8d510 Mon Sep 17 00:00:00 2001 | ||
2 | From: "djm@openbsd.org" <djm@openbsd.org> | ||
3 | Date: Fri, 29 Jan 2021 06:29:46 +0000 | ||
4 | Subject: [PATCH 10/12] upstream: fix the values of enum sock_type | ||
5 | |||
6 | OpenBSD-Commit-ID: 18d048f4dbfbb159ff500cfc2700b8fb1407facd | ||
7 | |||
8 | Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/1a4b92758690faa12f49079dd3b72567f909466d] | ||
9 | CVE: CVE-2023-38408 | ||
10 | Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> | ||
11 | --- | ||
12 | ssh-agent.c | 8 ++++---- | ||
13 | 1 file changed, 4 insertions(+), 4 deletions(-) | ||
14 | |||
15 | diff --git a/ssh-agent.c b/ssh-agent.c | ||
16 | index c99927c..7f1e14b 100644 | ||
17 | --- a/ssh-agent.c | ||
18 | +++ b/ssh-agent.c | ||
19 | @@ -1,4 +1,4 @@ | ||
20 | -/* $OpenBSD: ssh-agent.c,v 1.274 2021/01/29 06:28:10 djm Exp $ */ | ||
21 | +/* $OpenBSD: ssh-agent.c,v 1.275 2021/01/29 06:29:46 djm Exp $ */ | ||
22 | /* | ||
23 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | ||
24 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | ||
25 | @@ -103,9 +103,9 @@ | ||
26 | #define AGENT_RBUF_LEN (4096) | ||
27 | |||
28 | typedef enum { | ||
29 | - AUTH_UNUSED, | ||
30 | - AUTH_SOCKET, | ||
31 | - AUTH_CONNECTION | ||
32 | + AUTH_UNUSED = 0, | ||
33 | + AUTH_SOCKET = 1, | ||
34 | + AUTH_CONNECTION = 2, | ||
35 | } sock_type; | ||
36 | |||
37 | typedef struct socket_entry { | ||
38 | -- | ||
39 | 2.41.0 | ||
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-11.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-11.patch new file mode 100644 index 0000000000..c300393ebf --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-11.patch | |||
@@ -0,0 +1,307 @@ | |||
1 | From 2b3b369c8cf71f9ef5942a5e074e6f86e7ca1e0c Mon Sep 17 00:00:00 2001 | ||
2 | From: "djm@openbsd.org" <djm@openbsd.org> | ||
3 | Date: Sun, 19 Dec 2021 22:09:23 +0000 | ||
4 | Subject: [PATCH 11/12] upstream: ssh-agent side of binding | ||
5 | |||
6 | record session ID/hostkey/forwarding status for each active socket. | ||
7 | |||
8 | Attempt to parse data-to-be-signed at signature request time and extract | ||
9 | session ID from the blob if it is a pubkey userauth request. | ||
10 | |||
11 | ok markus@ | ||
12 | |||
13 | OpenBSD-Commit-ID: a80fd41e292b18b67508362129e9fed549abd318 | ||
14 | |||
15 | Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/4c1e3ce85e183a9d0c955c88589fed18e4d6a058] | ||
16 | CVE: CVE-2023-38408 | ||
17 | Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> | ||
18 | --- | ||
19 | authfd.h | 3 + | ||
20 | ssh-agent.c | 175 +++++++++++++++++++++++++++++++++++++++++++++++++--- | ||
21 | 2 files changed, 170 insertions(+), 8 deletions(-) | ||
22 | |||
23 | diff --git a/authfd.h b/authfd.h | ||
24 | index c3bf625..9cc9807 100644 | ||
25 | --- a/authfd.h | ||
26 | +++ b/authfd.h | ||
27 | @@ -76,6 +76,9 @@ int ssh_agent_sign(int sock, const struct sshkey *key, | ||
28 | #define SSH2_AGENTC_ADD_ID_CONSTRAINED 25 | ||
29 | #define SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED 26 | ||
30 | |||
31 | +/* generic extension mechanism */ | ||
32 | +#define SSH_AGENTC_EXTENSION 27 | ||
33 | + | ||
34 | #define SSH_AGENT_CONSTRAIN_LIFETIME 1 | ||
35 | #define SSH_AGENT_CONSTRAIN_CONFIRM 2 | ||
36 | #define SSH_AGENT_CONSTRAIN_MAXSIGN 3 | ||
37 | diff --git a/ssh-agent.c b/ssh-agent.c | ||
38 | index 7f1e14b..01c7f2b 100644 | ||
39 | --- a/ssh-agent.c | ||
40 | +++ b/ssh-agent.c | ||
41 | @@ -1,4 +1,4 @@ | ||
42 | -/* $OpenBSD: ssh-agent.c,v 1.275 2021/01/29 06:29:46 djm Exp $ */ | ||
43 | +/* $OpenBSD: ssh-agent.c,v 1.280 2021/12/19 22:09:23 djm Exp $ */ | ||
44 | /* | ||
45 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | ||
46 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | ||
47 | @@ -98,9 +98,15 @@ | ||
48 | #endif | ||
49 | |||
50 | /* Maximum accepted message length */ | ||
51 | -#define AGENT_MAX_LEN (256*1024) | ||
52 | +#define AGENT_MAX_LEN (256*1024) | ||
53 | /* Maximum bytes to read from client socket */ | ||
54 | -#define AGENT_RBUF_LEN (4096) | ||
55 | +#define AGENT_RBUF_LEN (4096) | ||
56 | +/* Maximum number of recorded session IDs/hostkeys per connection */ | ||
57 | +#define AGENT_MAX_SESSION_IDS 16 | ||
58 | +/* Maximum size of session ID */ | ||
59 | +#define AGENT_MAX_SID_LEN 128 | ||
60 | + | ||
61 | +/* XXX store hostkey_sid in a refcounted tree */ | ||
62 | |||
63 | typedef enum { | ||
64 | AUTH_UNUSED = 0, | ||
65 | @@ -108,12 +114,20 @@ typedef enum { | ||
66 | AUTH_CONNECTION = 2, | ||
67 | } sock_type; | ||
68 | |||
69 | +struct hostkey_sid { | ||
70 | + struct sshkey *key; | ||
71 | + struct sshbuf *sid; | ||
72 | + int forwarded; | ||
73 | +}; | ||
74 | + | ||
75 | typedef struct socket_entry { | ||
76 | int fd; | ||
77 | sock_type type; | ||
78 | struct sshbuf *input; | ||
79 | struct sshbuf *output; | ||
80 | struct sshbuf *request; | ||
81 | + size_t nsession_ids; | ||
82 | + struct hostkey_sid *session_ids; | ||
83 | } SocketEntry; | ||
84 | |||
85 | u_int sockets_alloc = 0; | ||
86 | @@ -174,10 +188,17 @@ static int restrict_websafe = 1; | ||
87 | static void | ||
88 | close_socket(SocketEntry *e) | ||
89 | { | ||
90 | + size_t i; | ||
91 | + | ||
92 | close(e->fd); | ||
93 | sshbuf_free(e->input); | ||
94 | sshbuf_free(e->output); | ||
95 | sshbuf_free(e->request); | ||
96 | + for (i = 0; i < e->nsession_ids; i++) { | ||
97 | + sshkey_free(e->session_ids[i].key); | ||
98 | + sshbuf_free(e->session_ids[i].sid); | ||
99 | + } | ||
100 | + free(e->session_ids); | ||
101 | memset(e, '\0', sizeof(*e)); | ||
102 | e->fd = -1; | ||
103 | e->type = AUTH_UNUSED; | ||
104 | @@ -423,6 +444,18 @@ check_websafe_message_contents(struct sshkey *key, struct sshbuf *data) | ||
105 | return 0; | ||
106 | } | ||
107 | |||
108 | +static int | ||
109 | +buf_equal(const struct sshbuf *a, const struct sshbuf *b) | ||
110 | +{ | ||
111 | + if (sshbuf_ptr(a) == NULL || sshbuf_ptr(b) == NULL) | ||
112 | + return SSH_ERR_INVALID_ARGUMENT; | ||
113 | + if (sshbuf_len(a) != sshbuf_len(b)) | ||
114 | + return SSH_ERR_INVALID_FORMAT; | ||
115 | + if (timingsafe_bcmp(sshbuf_ptr(a), sshbuf_ptr(b), sshbuf_len(a)) != 0) | ||
116 | + return SSH_ERR_INVALID_FORMAT; | ||
117 | + return 0; | ||
118 | +} | ||
119 | + | ||
120 | /* ssh2 only */ | ||
121 | static void | ||
122 | process_sign_request2(SocketEntry *e) | ||
123 | @@ -431,8 +464,8 @@ process_sign_request2(SocketEntry *e) | ||
124 | size_t i, slen = 0; | ||
125 | u_int compat = 0, flags; | ||
126 | int r, ok = -1; | ||
127 | - char *fp = NULL; | ||
128 | - struct sshbuf *msg = NULL, *data = NULL; | ||
129 | + char *fp = NULL, *user = NULL, *sig_dest = NULL; | ||
130 | + struct sshbuf *msg = NULL, *data = NULL, *sid = NULL; | ||
131 | struct sshkey *key = NULL; | ||
132 | struct identity *id; | ||
133 | struct notifier_ctx *notifier = NULL; | ||
134 | @@ -452,7 +485,33 @@ process_sign_request2(SocketEntry *e) | ||
135 | verbose("%s: %s key not found", __func__, sshkey_type(key)); | ||
136 | goto send; | ||
137 | } | ||
138 | - if (id->confirm && confirm_key(id, NULL) != 0) { | ||
139 | + /* | ||
140 | + * If session IDs were recorded for this socket, then use them to | ||
141 | + * annotate the confirmation messages with the host keys. | ||
142 | + */ | ||
143 | + if (e->nsession_ids > 0 && | ||
144 | + parse_userauth_request(data, key, &user, &sid) == 0) { | ||
145 | + /* | ||
146 | + * session ID from userauth request should match the final | ||
147 | + * ID in the list recorded in the socket, unless the ssh | ||
148 | + * client at that point lacks the binding extension (or if | ||
149 | + * an attacker is trying to steal use of the agent). | ||
150 | + */ | ||
151 | + i = e->nsession_ids - 1; | ||
152 | + if (buf_equal(sid, e->session_ids[i].sid) == 0) { | ||
153 | + if ((fp = sshkey_fingerprint(e->session_ids[i].key, | ||
154 | + SSH_FP_HASH_DEFAULT, SSH_FP_DEFAULT)) == NULL) | ||
155 | + fatal("%s: fingerprint failed", __func__); | ||
156 | + debug3("%s: destination %s %s (slot %zu)", __func__, | ||
157 | + sshkey_type(e->session_ids[i].key), fp, i); | ||
158 | + xasprintf(&sig_dest, "public key request for " | ||
159 | + "target user \"%s\" to %s %s", user, | ||
160 | + sshkey_type(e->session_ids[i].key), fp); | ||
161 | + free(fp); | ||
162 | + fp = NULL; | ||
163 | + } | ||
164 | + }// | ||
165 | + if (id->confirm && confirm_key(id, sig_dest) != 0) { | ||
166 | verbose("%s: user refused key", __func__); | ||
167 | goto send; | ||
168 | } | ||
169 | @@ -467,8 +526,10 @@ process_sign_request2(SocketEntry *e) | ||
170 | SSH_FP_DEFAULT)) == NULL) | ||
171 | fatal("%s: fingerprint failed", __func__); | ||
172 | notifier = notify_start(0, | ||
173 | - "Confirm user presence for key %s %s", | ||
174 | - sshkey_type(id->key), fp); | ||
175 | + "Confirm user presence for key %s %s%s%s", | ||
176 | + sshkey_type(id->key), fp, | ||
177 | + sig_dest == NULL ? "" : "\n", | ||
178 | + sig_dest == NULL ? "" : sig_dest); | ||
179 | } | ||
180 | } | ||
181 | if ((r = sshkey_sign(id->key, &signature, &slen, | ||
182 | @@ -492,11 +553,14 @@ process_sign_request2(SocketEntry *e) | ||
183 | if ((r = sshbuf_put_stringb(e->output, msg)) != 0) | ||
184 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | ||
185 | |||
186 | + sshbuf_free(sid); | ||
187 | sshbuf_free(data); | ||
188 | sshbuf_free(msg); | ||
189 | sshkey_free(key); | ||
190 | free(fp); | ||
191 | free(signature); | ||
192 | + free(sig_dest); | ||
193 | + free(user); | ||
194 | } | ||
195 | |||
196 | /* shared */ | ||
197 | @@ -925,6 +989,98 @@ send: | ||
198 | } | ||
199 | #endif /* ENABLE_PKCS11 */ | ||
200 | |||
201 | +static int | ||
202 | +process_ext_session_bind(SocketEntry *e) | ||
203 | +{ | ||
204 | + int r, sid_match, key_match; | ||
205 | + struct sshkey *key = NULL; | ||
206 | + struct sshbuf *sid = NULL, *sig = NULL; | ||
207 | + char *fp = NULL; | ||
208 | + u_char fwd; | ||
209 | + size_t i; | ||
210 | + | ||
211 | + debug2("%s: entering", __func__); | ||
212 | + if ((r = sshkey_froms(e->request, &key)) != 0 || | ||
213 | + (r = sshbuf_froms(e->request, &sid)) != 0 || | ||
214 | + (r = sshbuf_froms(e->request, &sig)) != 0 || | ||
215 | + (r = sshbuf_get_u8(e->request, &fwd)) != 0) { | ||
216 | + error("%s: parse: %s", __func__, ssh_err(r)); | ||
217 | + goto out; | ||
218 | + } | ||
219 | + if ((fp = sshkey_fingerprint(key, SSH_FP_HASH_DEFAULT, | ||
220 | + SSH_FP_DEFAULT)) == NULL) | ||
221 | + fatal("%s: fingerprint failed", __func__); | ||
222 | + /* check signature with hostkey on session ID */ | ||
223 | + if ((r = sshkey_verify(key, sshbuf_ptr(sig), sshbuf_len(sig), | ||
224 | + sshbuf_ptr(sid), sshbuf_len(sid), NULL, 0, NULL)) != 0) { | ||
225 | + error("%s: sshkey_verify for %s %s: %s", __func__, sshkey_type(key), fp, ssh_err(r)); | ||
226 | + goto out; | ||
227 | + } | ||
228 | + /* check whether sid/key already recorded */ | ||
229 | + for (i = 0; i < e->nsession_ids; i++) { | ||
230 | + sid_match = buf_equal(sid, e->session_ids[i].sid) == 0; | ||
231 | + key_match = sshkey_equal(key, e->session_ids[i].key); | ||
232 | + if (sid_match && key_match) { | ||
233 | + debug("%s: session ID already recorded for %s %s", __func__, | ||
234 | + sshkey_type(key), fp); | ||
235 | + r = 0; | ||
236 | + goto out; | ||
237 | + } else if (sid_match) { | ||
238 | + error("%s: session ID recorded against different key " | ||
239 | + "for %s %s", __func__, sshkey_type(key), fp); | ||
240 | + r = -1; | ||
241 | + goto out; | ||
242 | + } | ||
243 | + /* | ||
244 | + * new sid with previously-seen key can happen, e.g. multiple | ||
245 | + * connections to the same host. | ||
246 | + */ | ||
247 | + } | ||
248 | + /* record new key/sid */ | ||
249 | + if (e->nsession_ids >= AGENT_MAX_SESSION_IDS) { | ||
250 | + error("%s: too many session IDs recorded", __func__); | ||
251 | + goto out; | ||
252 | + } | ||
253 | + e->session_ids = xrecallocarray(e->session_ids, e->nsession_ids, | ||
254 | + e->nsession_ids + 1, sizeof(*e->session_ids)); | ||
255 | + i = e->nsession_ids++; | ||
256 | + debug("%s: recorded %s %s (slot %zu of %d)", __func__, sshkey_type(key), fp, i, | ||
257 | + AGENT_MAX_SESSION_IDS); | ||
258 | + e->session_ids[i].key = key; | ||
259 | + e->session_ids[i].forwarded = fwd != 0; | ||
260 | + key = NULL; /* transferred */ | ||
261 | + /* can't transfer sid; it's refcounted and scoped to request's life */ | ||
262 | + if ((e->session_ids[i].sid = sshbuf_new()) == NULL) | ||
263 | + fatal("%s: sshbuf_new", __func__); | ||
264 | + if ((r = sshbuf_putb(e->session_ids[i].sid, sid)) != 0) | ||
265 | + fatal("%s: sshbuf_putb session ID: %s", __func__, ssh_err(r)); | ||
266 | + /* success */ | ||
267 | + r = 0; | ||
268 | + out: | ||
269 | + sshkey_free(key); | ||
270 | + sshbuf_free(sid); | ||
271 | + sshbuf_free(sig); | ||
272 | + return r == 0 ? 1 : 0; | ||
273 | +} | ||
274 | + | ||
275 | +static void | ||
276 | +process_extension(SocketEntry *e) | ||
277 | +{ | ||
278 | + int r, success = 0; | ||
279 | + char *name; | ||
280 | + | ||
281 | + debug2("%s: entering", __func__); | ||
282 | + if ((r = sshbuf_get_cstring(e->request, &name, NULL)) != 0) { | ||
283 | + error("%s: parse: %s", __func__, ssh_err(r)); | ||
284 | + goto send; | ||
285 | + } | ||
286 | + if (strcmp(name, "session-bind@openssh.com") == 0) | ||
287 | + success = process_ext_session_bind(e); | ||
288 | + else | ||
289 | + debug("%s: unsupported extension \"%s\"", __func__, name); | ||
290 | +send: | ||
291 | + send_status(e, success); | ||
292 | +} | ||
293 | /* | ||
294 | * dispatch incoming message. | ||
295 | * returns 1 on success, 0 for incomplete messages or -1 on error. | ||
296 | @@ -1019,6 +1175,9 @@ process_message(u_int socknum) | ||
297 | process_remove_smartcard_key(e); | ||
298 | break; | ||
299 | #endif /* ENABLE_PKCS11 */ | ||
300 | + case SSH_AGENTC_EXTENSION: | ||
301 | + process_extension(e); | ||
302 | + break; | ||
303 | default: | ||
304 | /* Unknown message. Respond with failure. */ | ||
305 | error("Unknown message %d", type); | ||
306 | -- | ||
307 | 2.41.0 | ||
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-12.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-12.patch new file mode 100644 index 0000000000..934775bdec --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-12.patch | |||
@@ -0,0 +1,120 @@ | |||
1 | From 4fe3d0fbd3d6dc1f19354e0d73a3231c461ed044 Mon Sep 17 00:00:00 2001 | ||
2 | From: "djm@openbsd.org" <djm@openbsd.org> | ||
3 | Date: Wed, 19 Jul 2023 13:56:33 +0000 | ||
4 | Subject: [PATCH 12/12] upstream: Disallow remote addition of FIDO/PKCS11 | ||
5 | provider libraries to ssh-agent by default. | ||
6 | |||
7 | The old behaviour of allowing remote clients from loading providers | ||
8 | can be restored using `ssh-agent -O allow-remote-pkcs11`. | ||
9 | |||
10 | Detection of local/remote clients requires a ssh(1) that supports | ||
11 | the `session-bind@openssh.com` extension. Forwarding access to a | ||
12 | ssh-agent socket using non-OpenSSH tools may circumvent this control. | ||
13 | |||
14 | ok markus@ | ||
15 | |||
16 | OpenBSD-Commit-ID: 4c2bdf79b214ae7e60cc8c39a45501344fa7bd7c | ||
17 | |||
18 | Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/1f2731f5d7a8f8a8385c6031667ed29072c0d92a] | ||
19 | CVE: CVE-2023-38408 | ||
20 | Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> | ||
21 | --- | ||
22 | ssh-agent.1 | 20 ++++++++++++++++++++ | ||
23 | ssh-agent.c | 26 ++++++++++++++++++++++++-- | ||
24 | 2 files changed, 44 insertions(+), 2 deletions(-) | ||
25 | |||
26 | diff --git a/ssh-agent.1 b/ssh-agent.1 | ||
27 | index fff0db6..a0f1e21 100644 | ||
28 | --- a/ssh-agent.1 | ||
29 | +++ b/ssh-agent.1 | ||
30 | @@ -97,6 +97,26 @@ The default is | ||
31 | Kill the current agent (given by the | ||
32 | .Ev SSH_AGENT_PID | ||
33 | environment variable). | ||
34 | +Currently two options are supported: | ||
35 | +.Cm allow-remote-pkcs11 | ||
36 | +and | ||
37 | +.Pp | ||
38 | +The | ||
39 | +.Cm allow-remote-pkcs11 | ||
40 | +option allows clients of a forwarded | ||
41 | +.Nm | ||
42 | +to load PKCS#11 or FIDO provider libraries. | ||
43 | +By default only local clients may perform this operation. | ||
44 | +Note that signalling that a | ||
45 | +.Nm | ||
46 | +client remote is performed by | ||
47 | +.Xr ssh 1 , | ||
48 | +and use of other tools to forward access to the agent socket may circumvent | ||
49 | +this restriction. | ||
50 | +.Pp | ||
51 | +The | ||
52 | +.Cm no-restrict-websafe , | ||
53 | +instructs | ||
54 | .It Fl P Ar provider_whitelist | ||
55 | Specify a pattern-list of acceptable paths for PKCS#11 and FIDO authenticator | ||
56 | shared libraries that may be used with the | ||
57 | diff --git a/ssh-agent.c b/ssh-agent.c | ||
58 | index 01c7f2b..40c1b6b 100644 | ||
59 | --- a/ssh-agent.c | ||
60 | +++ b/ssh-agent.c | ||
61 | @@ -1,4 +1,4 @@ | ||
62 | -/* $OpenBSD: ssh-agent.c,v 1.280 2021/12/19 22:09:23 djm Exp $ */ | ||
63 | +/* $OpenBSD: ssh-agent.c,v 1.300 2023/07/19 13:56:33 djm Exp $ */ | ||
64 | /* | ||
65 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | ||
66 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | ||
67 | @@ -167,6 +167,12 @@ char socket_dir[PATH_MAX]; | ||
68 | /* PKCS#11/Security key path whitelist */ | ||
69 | static char *provider_whitelist; | ||
70 | |||
71 | +/* | ||
72 | + * Allows PKCS11 providers or SK keys that use non-internal providers to | ||
73 | + * be added over a remote connection (identified by session-bind@openssh.com). | ||
74 | + */ | ||
75 | +static int remote_add_provider; | ||
76 | + | ||
77 | /* locking */ | ||
78 | #define LOCK_SIZE 32 | ||
79 | #define LOCK_SALT_SIZE 16 | ||
80 | @@ -736,6 +742,15 @@ process_add_identity(SocketEntry *e) | ||
81 | if (strcasecmp(sk_provider, "internal") == 0) { | ||
82 | debug("%s: internal provider", __func__); | ||
83 | } else { | ||
84 | + if (e->nsession_ids != 0 && !remote_add_provider) { | ||
85 | + verbose("failed add of SK provider \"%.100s\": " | ||
86 | + "remote addition of providers is disabled", | ||
87 | + sk_provider); | ||
88 | + free(sk_provider); | ||
89 | + free(comment); | ||
90 | + sshkey_free(k); | ||
91 | + goto send; | ||
92 | + } | ||
93 | if (realpath(sk_provider, canonical_provider) == NULL) { | ||
94 | verbose("failed provider \"%.100s\": " | ||
95 | "realpath: %s", sk_provider, | ||
96 | @@ -901,6 +916,11 @@ process_add_smartcard_key(SocketEntry *e) | ||
97 | goto send; | ||
98 | } | ||
99 | } | ||
100 | + if (e->nsession_ids != 0 && !remote_add_provider) { | ||
101 | + verbose("failed PKCS#11 add of \"%.100s\": remote addition of " | ||
102 | + "providers is disabled", provider); | ||
103 | + goto send; | ||
104 | + } | ||
105 | if (realpath(provider, canonical_provider) == NULL) { | ||
106 | verbose("failed PKCS#11 add of \"%.100s\": realpath: %s", | ||
107 | provider, strerror(errno)); | ||
108 | @@ -1556,7 +1576,9 @@ main(int ac, char **av) | ||
109 | break; | ||
110 | case 'O': | ||
111 | if (strcmp(optarg, "no-restrict-websafe") == 0) | ||
112 | - restrict_websafe = 0; | ||
113 | + restrict_websafe = 0; | ||
114 | + else if (strcmp(optarg, "allow-remote-pkcs11") == 0) | ||
115 | + remote_add_provider = 1; | ||
116 | else | ||
117 | fatal("Unknown -O option"); | ||
118 | break; | ||
119 | -- | ||
120 | 2.41.0 | ||
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-48795.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-48795.patch new file mode 100644 index 0000000000..57c45e3d93 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-48795.patch | |||
@@ -0,0 +1,468 @@ | |||
1 | (modified to not remove ssh_packet_read_expect(), to add to | ||
2 | KexAlgorithms in sshd.c and sshconnect2.c as this version pre-dates | ||
3 | kex_proposal_populate_entries(), replace debug*_f() with debug*(), | ||
4 | error*_f() with error*(), and fatal_f() with fatal()) | ||
5 | |||
6 | Backport of: | ||
7 | |||
8 | From 1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5 Mon Sep 17 00:00:00 2001 | ||
9 | From: "djm@openbsd.org" <djm@openbsd.org> | ||
10 | Date: Mon, 18 Dec 2023 14:45:17 +0000 | ||
11 | Subject: [PATCH] upstream: implement "strict key exchange" in ssh and sshd | ||
12 | |||
13 | This adds a protocol extension to improve the integrity of the SSH | ||
14 | transport protocol, particular in and around the initial key exchange | ||
15 | (KEX) phase. | ||
16 | |||
17 | Full details of the extension are in the PROTOCOL file. | ||
18 | |||
19 | with markus@ | ||
20 | |||
21 | OpenBSD-Commit-ID: 2a66ac962f0a630d7945fee54004ed9e9c439f14 | ||
22 | |||
23 | Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/openssh/tree/debian/patches/CVE-2023-48795.patch?h=ubuntu/focal-security | ||
24 | Upstream commit https://github.com/openssh/openssh-portable/commit/1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5] | ||
25 | CVE: CVE-2023-48795 | ||
26 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
27 | --- | ||
28 | PROTOCOL | 26 +++++++++++++++++ | ||
29 | kex.c | 68 +++++++++++++++++++++++++++++++++----------- | ||
30 | kex.h | 1 + | ||
31 | packet.c | 78 ++++++++++++++++++++++++++++++++++++++------------- | ||
32 | sshconnect2.c | 14 +++------ | ||
33 | sshd.c | 7 +++-- | ||
34 | 6 files changed, 146 insertions(+), 48 deletions(-) | ||
35 | |||
36 | diff --git a/PROTOCOL b/PROTOCOL | ||
37 | index f75c1c0..89bddfe 100644 | ||
38 | --- a/PROTOCOL | ||
39 | +++ b/PROTOCOL | ||
40 | @@ -102,6 +102,32 @@ OpenSSH supports the use of ECDH in Curve25519 for key exchange as | ||
41 | described at: | ||
42 | http://git.libssh.org/users/aris/libssh.git/plain/doc/curve25519-sha256@libssh.org.txt?h=curve25519 | ||
43 | |||
44 | +1.9 transport: strict key exchange extension | ||
45 | + | ||
46 | +OpenSSH supports a number of transport-layer hardening measures under | ||
47 | +a "strict KEX" feature. This feature is signalled similarly to the | ||
48 | +RFC8308 ext-info feature: by including a additional algorithm in the | ||
49 | +initiial SSH2_MSG_KEXINIT kex_algorithms field. The client may append | ||
50 | +"kex-strict-c-v00@openssh.com" to its kex_algorithms and the server | ||
51 | +may append "kex-strict-s-v00@openssh.com". These pseudo-algorithms | ||
52 | +are only valid in the initial SSH2_MSG_KEXINIT and MUST be ignored | ||
53 | +if they are present in subsequent SSH2_MSG_KEXINIT packets. | ||
54 | + | ||
55 | +When an endpoint that supports this extension observes this algorithm | ||
56 | +name in a peer's KEXINIT packet, it MUST make the following changes to | ||
57 | +the the protocol: | ||
58 | + | ||
59 | +a) During initial KEX, terminate the connection if any unexpected or | ||
60 | + out-of-sequence packet is received. This includes terminating the | ||
61 | + connection if the first packet received is not SSH2_MSG_KEXINIT. | ||
62 | + Unexpected packets for the purpose of strict KEX include messages | ||
63 | + that are otherwise valid at any time during the connection such as | ||
64 | + SSH2_MSG_DEBUG and SSH2_MSG_IGNORE. | ||
65 | +b) After sending or receiving a SSH2_MSG_NEWKEYS message, reset the | ||
66 | + packet sequence number to zero. This behaviour persists for the | ||
67 | + duration of the connection (i.e. not just the first | ||
68 | + SSH2_MSG_NEWKEYS). | ||
69 | + | ||
70 | 2. Connection protocol changes | ||
71 | |||
72 | 2.1. connection: Channel write close extension "eow@openssh.com" | ||
73 | diff --git a/kex.c b/kex.c | ||
74 | index ce85f04..3129a4e 100644 | ||
75 | --- a/kex.c | ||
76 | +++ b/kex.c | ||
77 | @@ -63,7 +63,7 @@ | ||
78 | #include "digest.h" | ||
79 | |||
80 | /* prototype */ | ||
81 | -static int kex_choose_conf(struct ssh *); | ||
82 | +static int kex_choose_conf(struct ssh *, uint32_t seq); | ||
83 | static int kex_input_newkeys(int, u_int32_t, struct ssh *); | ||
84 | |||
85 | static const char *proposal_names[PROPOSAL_MAX] = { | ||
86 | @@ -173,6 +173,18 @@ kex_names_valid(const char *names) | ||
87 | return 1; | ||
88 | } | ||
89 | |||
90 | +/* returns non-zero if proposal contains any algorithm from algs */ | ||
91 | +static int | ||
92 | +has_any_alg(const char *proposal, const char *algs) | ||
93 | +{ | ||
94 | + char *cp; | ||
95 | + | ||
96 | + if ((cp = match_list(proposal, algs, NULL)) == NULL) | ||
97 | + return 0; | ||
98 | + free(cp); | ||
99 | + return 1; | ||
100 | +} | ||
101 | + | ||
102 | /* | ||
103 | * Concatenate algorithm names, avoiding duplicates in the process. | ||
104 | * Caller must free returned string. | ||
105 | @@ -180,7 +192,7 @@ kex_names_valid(const char *names) | ||
106 | char * | ||
107 | kex_names_cat(const char *a, const char *b) | ||
108 | { | ||
109 | - char *ret = NULL, *tmp = NULL, *cp, *p, *m; | ||
110 | + char *ret = NULL, *tmp = NULL, *cp, *p; | ||
111 | size_t len; | ||
112 | |||
113 | if (a == NULL || *a == '\0') | ||
114 | @@ -197,10 +209,8 @@ kex_names_cat(const char *a, const char *b) | ||
115 | } | ||
116 | strlcpy(ret, a, len); | ||
117 | for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) { | ||
118 | - if ((m = match_list(ret, p, NULL)) != NULL) { | ||
119 | - free(m); | ||
120 | + if (has_any_alg(ret, p)) | ||
121 | continue; /* Algorithm already present */ | ||
122 | - } | ||
123 | if (strlcat(ret, ",", len) >= len || | ||
124 | strlcat(ret, p, len) >= len) { | ||
125 | free(tmp); | ||
126 | @@ -409,7 +419,12 @@ kex_protocol_error(int type, u_int32_t seq, struct ssh *ssh) | ||
127 | { | ||
128 | int r; | ||
129 | |||
130 | - error("kex protocol error: type %d seq %u", type, seq); | ||
131 | + /* If in strict mode, any unexpected message is an error */ | ||
132 | + if ((ssh->kex->flags & KEX_INITIAL) && ssh->kex->kex_strict) { | ||
133 | + ssh_packet_disconnect(ssh, "strict KEX violation: " | ||
134 | + "unexpected packet type %u (seqnr %u)", type, seq); | ||
135 | + } | ||
136 | + error("type %u seq %u", type, seq); | ||
137 | if ((r = sshpkt_start(ssh, SSH2_MSG_UNIMPLEMENTED)) != 0 || | ||
138 | (r = sshpkt_put_u32(ssh, seq)) != 0 || | ||
139 | (r = sshpkt_send(ssh)) != 0) | ||
140 | @@ -481,6 +496,11 @@ kex_input_ext_info(int type, u_int32_t seq, struct ssh *ssh) | ||
141 | ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &kex_protocol_error); | ||
142 | if ((r = sshpkt_get_u32(ssh, &ninfo)) != 0) | ||
143 | return r; | ||
144 | + if (ninfo >= 1024) { | ||
145 | + error("SSH2_MSG_EXT_INFO with too many entries, expected " | ||
146 | + "<=1024, received %u", ninfo); | ||
147 | + return dispatch_protocol_error(type, seq, ssh); | ||
148 | + } | ||
149 | for (i = 0; i < ninfo; i++) { | ||
150 | if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0) | ||
151 | return r; | ||
152 | @@ -581,7 +601,7 @@ kex_input_kexinit(int type, u_int32_t seq, struct ssh *ssh) | ||
153 | error("%s: no hex", __func__); | ||
154 | return SSH_ERR_INTERNAL_ERROR; | ||
155 | } | ||
156 | - ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL); | ||
157 | + ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_protocol_error); | ||
158 | ptr = sshpkt_ptr(ssh, &dlen); | ||
159 | if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0) | ||
160 | return r; | ||
161 | @@ -617,7 +637,7 @@ kex_input_kexinit(int type, u_int32_t seq, struct ssh *ssh) | ||
162 | if (!(kex->flags & KEX_INIT_SENT)) | ||
163 | if ((r = kex_send_kexinit(ssh)) != 0) | ||
164 | return r; | ||
165 | - if ((r = kex_choose_conf(ssh)) != 0) | ||
166 | + if ((r = kex_choose_conf(ssh, seq)) != 0) | ||
167 | return r; | ||
168 | |||
169 | if (kex->kex_type < KEX_MAX && kex->kex[kex->kex_type] != NULL) | ||
170 | @@ -880,7 +900,13 @@ proposals_match(char *my[PROPOSAL_MAX], char *peer[PROPOSAL_MAX]) | ||
171 | } | ||
172 | |||
173 | static int | ||
174 | -kex_choose_conf(struct ssh *ssh) | ||
175 | +kexalgs_contains(char **peer, const char *ext) | ||
176 | +{ | ||
177 | + return has_any_alg(peer[PROPOSAL_KEX_ALGS], ext); | ||
178 | +} | ||
179 | + | ||
180 | +static int | ||
181 | +kex_choose_conf(struct ssh *ssh, uint32_t seq) | ||
182 | { | ||
183 | struct kex *kex = ssh->kex; | ||
184 | struct newkeys *newkeys; | ||
185 | @@ -905,13 +931,23 @@ kex_choose_conf(struct ssh *ssh) | ||
186 | sprop=peer; | ||
187 | } | ||
188 | |||
189 | - /* Check whether client supports ext_info_c */ | ||
190 | - if (kex->server && (kex->flags & KEX_INITIAL)) { | ||
191 | - char *ext; | ||
192 | - | ||
193 | - ext = match_list("ext-info-c", peer[PROPOSAL_KEX_ALGS], NULL); | ||
194 | - kex->ext_info_c = (ext != NULL); | ||
195 | - free(ext); | ||
196 | + /* Check whether peer supports ext_info/kex_strict */ | ||
197 | + if ((kex->flags & KEX_INITIAL) != 0) { | ||
198 | + if (kex->server) { | ||
199 | + kex->ext_info_c = kexalgs_contains(peer, "ext-info-c"); | ||
200 | + kex->kex_strict = kexalgs_contains(peer, | ||
201 | + "kex-strict-c-v00@openssh.com"); | ||
202 | + } else { | ||
203 | + kex->kex_strict = kexalgs_contains(peer, | ||
204 | + "kex-strict-s-v00@openssh.com"); | ||
205 | + } | ||
206 | + if (kex->kex_strict) { | ||
207 | + debug3("will use strict KEX ordering"); | ||
208 | + if (seq != 0) | ||
209 | + ssh_packet_disconnect(ssh, | ||
210 | + "strict KEX violation: " | ||
211 | + "KEXINIT was not the first packet"); | ||
212 | + } | ||
213 | } | ||
214 | |||
215 | /* Algorithm Negotiation */ | ||
216 | diff --git a/kex.h b/kex.h | ||
217 | index a5ae6ac..cae38f7 100644 | ||
218 | --- a/kex.h | ||
219 | +++ b/kex.h | ||
220 | @@ -145,6 +145,7 @@ struct kex { | ||
221 | u_int kex_type; | ||
222 | char *server_sig_algs; | ||
223 | int ext_info_c; | ||
224 | + int kex_strict; | ||
225 | struct sshbuf *my; | ||
226 | struct sshbuf *peer; | ||
227 | struct sshbuf *client_version; | ||
228 | diff --git a/packet.c b/packet.c | ||
229 | index 6d3e917..43139f9 100644 | ||
230 | --- a/packet.c | ||
231 | +++ b/packet.c | ||
232 | @@ -1203,8 +1203,13 @@ ssh_packet_send2_wrapped(struct ssh *ssh) | ||
233 | sshbuf_dump(state->output, stderr); | ||
234 | #endif | ||
235 | /* increment sequence number for outgoing packets */ | ||
236 | - if (++state->p_send.seqnr == 0) | ||
237 | + if (++state->p_send.seqnr == 0) { | ||
238 | + if ((ssh->kex->flags & KEX_INITIAL) != 0) { | ||
239 | + ssh_packet_disconnect(ssh, "outgoing sequence number " | ||
240 | + "wrapped during initial key exchange"); | ||
241 | + } | ||
242 | logit("outgoing seqnr wraps around"); | ||
243 | + } | ||
244 | if (++state->p_send.packets == 0) | ||
245 | if (!(ssh->compat & SSH_BUG_NOREKEY)) | ||
246 | return SSH_ERR_NEED_REKEY; | ||
247 | @@ -1212,6 +1217,11 @@ ssh_packet_send2_wrapped(struct ssh *ssh) | ||
248 | state->p_send.bytes += len; | ||
249 | sshbuf_reset(state->outgoing_packet); | ||
250 | |||
251 | + if (type == SSH2_MSG_NEWKEYS && ssh->kex->kex_strict) { | ||
252 | + debug("resetting send seqnr %u", state->p_send.seqnr); | ||
253 | + state->p_send.seqnr = 0; | ||
254 | + } | ||
255 | + | ||
256 | if (type == SSH2_MSG_NEWKEYS) | ||
257 | r = ssh_set_newkeys(ssh, MODE_OUT); | ||
258 | else if (type == SSH2_MSG_USERAUTH_SUCCESS && state->server_side) | ||
259 | @@ -1345,8 +1355,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) | ||
260 | /* Stay in the loop until we have received a complete packet. */ | ||
261 | for (;;) { | ||
262 | /* Try to read a packet from the buffer. */ | ||
263 | - r = ssh_packet_read_poll_seqnr(ssh, typep, seqnr_p); | ||
264 | - if (r != 0) | ||
265 | + if ((r = ssh_packet_read_poll_seqnr(ssh, typep, seqnr_p)) != 0) | ||
266 | break; | ||
267 | /* If we got a packet, return it. */ | ||
268 | if (*typep != SSH_MSG_NONE) | ||
269 | @@ -1633,10 +1642,16 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) | ||
270 | if ((r = sshbuf_consume(state->input, mac->mac_len)) != 0) | ||
271 | goto out; | ||
272 | } | ||
273 | + | ||
274 | if (seqnr_p != NULL) | ||
275 | *seqnr_p = state->p_read.seqnr; | ||
276 | - if (++state->p_read.seqnr == 0) | ||
277 | + if (++state->p_read.seqnr == 0) { | ||
278 | + if ((ssh->kex->flags & KEX_INITIAL) != 0) { | ||
279 | + ssh_packet_disconnect(ssh, "incoming sequence number " | ||
280 | + "wrapped during initial key exchange"); | ||
281 | + } | ||
282 | logit("incoming seqnr wraps around"); | ||
283 | + } | ||
284 | if (++state->p_read.packets == 0) | ||
285 | if (!(ssh->compat & SSH_BUG_NOREKEY)) | ||
286 | return SSH_ERR_NEED_REKEY; | ||
287 | @@ -1702,6 +1717,10 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) | ||
288 | #endif | ||
289 | /* reset for next packet */ | ||
290 | state->packlen = 0; | ||
291 | + if (*typep == SSH2_MSG_NEWKEYS && ssh->kex->kex_strict) { | ||
292 | + debug("resetting read seqnr %u", state->p_read.seqnr); | ||
293 | + state->p_read.seqnr = 0; | ||
294 | + } | ||
295 | |||
296 | /* do we need to rekey? */ | ||
297 | if (ssh_packet_need_rekeying(ssh, 0)) { | ||
298 | @@ -1726,10 +1745,39 @@ ssh_packet_read_poll_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) | ||
299 | r = ssh_packet_read_poll2(ssh, typep, seqnr_p); | ||
300 | if (r != 0) | ||
301 | return r; | ||
302 | - if (*typep) { | ||
303 | - state->keep_alive_timeouts = 0; | ||
304 | - DBG(debug("received packet type %d", *typep)); | ||
305 | + if (*typep == 0) { | ||
306 | + /* no message ready */ | ||
307 | + return 0; | ||
308 | + } | ||
309 | + state->keep_alive_timeouts = 0; | ||
310 | + DBG(debug("received packet type %d", *typep)); | ||
311 | + | ||
312 | + /* Always process disconnect messages */ | ||
313 | + if (*typep == SSH2_MSG_DISCONNECT) { | ||
314 | + if ((r = sshpkt_get_u32(ssh, &reason)) != 0 || | ||
315 | + (r = sshpkt_get_string(ssh, &msg, NULL)) != 0) | ||
316 | + return r; | ||
317 | + /* Ignore normal client exit notifications */ | ||
318 | + do_log2(ssh->state->server_side && | ||
319 | + reason == SSH2_DISCONNECT_BY_APPLICATION ? | ||
320 | + SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_ERROR, | ||
321 | + "Received disconnect from %s port %d:" | ||
322 | + "%u: %.400s", ssh_remote_ipaddr(ssh), | ||
323 | + ssh_remote_port(ssh), reason, msg); | ||
324 | + free(msg); | ||
325 | + return SSH_ERR_DISCONNECTED; | ||
326 | } | ||
327 | + | ||
328 | + /* | ||
329 | + * Do not implicitly handle any messages here during initial | ||
330 | + * KEX when in strict mode. They will be need to be allowed | ||
331 | + * explicitly by the KEX dispatch table or they will generate | ||
332 | + * protocol errors. | ||
333 | + */ | ||
334 | + if (ssh->kex != NULL && | ||
335 | + (ssh->kex->flags & KEX_INITIAL) && ssh->kex->kex_strict) | ||
336 | + return 0; | ||
337 | + /* Implicitly handle transport-level messages */ | ||
338 | switch (*typep) { | ||
339 | case SSH2_MSG_IGNORE: | ||
340 | debug3("Received SSH2_MSG_IGNORE"); | ||
341 | @@ -1744,19 +1792,6 @@ ssh_packet_read_poll_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) | ||
342 | debug("Remote: %.900s", msg); | ||
343 | free(msg); | ||
344 | break; | ||
345 | - case SSH2_MSG_DISCONNECT: | ||
346 | - if ((r = sshpkt_get_u32(ssh, &reason)) != 0 || | ||
347 | - (r = sshpkt_get_string(ssh, &msg, NULL)) != 0) | ||
348 | - return r; | ||
349 | - /* Ignore normal client exit notifications */ | ||
350 | - do_log2(ssh->state->server_side && | ||
351 | - reason == SSH2_DISCONNECT_BY_APPLICATION ? | ||
352 | - SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_ERROR, | ||
353 | - "Received disconnect from %s port %d:" | ||
354 | - "%u: %.400s", ssh_remote_ipaddr(ssh), | ||
355 | - ssh_remote_port(ssh), reason, msg); | ||
356 | - free(msg); | ||
357 | - return SSH_ERR_DISCONNECTED; | ||
358 | case SSH2_MSG_UNIMPLEMENTED: | ||
359 | if ((r = sshpkt_get_u32(ssh, &seqnr)) != 0) | ||
360 | return r; | ||
361 | @@ -2235,6 +2270,7 @@ kex_to_blob(struct sshbuf *m, struct kex *kex) | ||
362 | (r = sshbuf_put_u32(m, kex->hostkey_type)) != 0 || | ||
363 | (r = sshbuf_put_u32(m, kex->hostkey_nid)) != 0 || | ||
364 | (r = sshbuf_put_u32(m, kex->kex_type)) != 0 || | ||
365 | + (r = sshbuf_put_u32(m, kex->kex_strict)) != 0 || | ||
366 | (r = sshbuf_put_stringb(m, kex->my)) != 0 || | ||
367 | (r = sshbuf_put_stringb(m, kex->peer)) != 0 || | ||
368 | (r = sshbuf_put_stringb(m, kex->client_version)) != 0 || | ||
369 | @@ -2397,6 +2433,7 @@ kex_from_blob(struct sshbuf *m, struct kex **kexp) | ||
370 | (r = sshbuf_get_u32(m, (u_int *)&kex->hostkey_type)) != 0 || | ||
371 | (r = sshbuf_get_u32(m, (u_int *)&kex->hostkey_nid)) != 0 || | ||
372 | (r = sshbuf_get_u32(m, &kex->kex_type)) != 0 || | ||
373 | + (r = sshbuf_get_u32(m, &kex->kex_strict)) != 0 || | ||
374 | (r = sshbuf_get_stringb(m, kex->my)) != 0 || | ||
375 | (r = sshbuf_get_stringb(m, kex->peer)) != 0 || | ||
376 | (r = sshbuf_get_stringb(m, kex->client_version)) != 0 || | ||
377 | @@ -2724,6 +2761,7 @@ sshpkt_disconnect(struct ssh *ssh, const char *fmt,...) | ||
378 | vsnprintf(buf, sizeof(buf), fmt, args); | ||
379 | va_end(args); | ||
380 | |||
381 | + debug2("sending SSH2_MSG_DISCONNECT: %s", buf); | ||
382 | if ((r = sshpkt_start(ssh, SSH2_MSG_DISCONNECT)) != 0 || | ||
383 | (r = sshpkt_put_u32(ssh, SSH2_DISCONNECT_PROTOCOL_ERROR)) != 0 || | ||
384 | (r = sshpkt_put_cstring(ssh, buf)) != 0 || | ||
385 | diff --git a/sshconnect2.c b/sshconnect2.c | ||
386 | index 5df9477..617ed9f 100644 | ||
387 | --- a/sshconnect2.c | ||
388 | +++ b/sshconnect2.c | ||
389 | @@ -218,7 +218,8 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port) | ||
390 | fatal("%s: kex_assemble_namelist", __func__); | ||
391 | free(all_key); | ||
392 | |||
393 | - if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL) | ||
394 | + if ((s = kex_names_cat(options.kex_algorithms, | ||
395 | + "ext-info-c,kex-strict-c-v00@openssh.com")) == NULL) | ||
396 | fatal("%s: kex_names_cat", __func__); | ||
397 | myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(s); | ||
398 | myproposal[PROPOSAL_ENC_ALGS_CTOS] = | ||
399 | @@ -343,7 +344,6 @@ struct cauthmethod { | ||
400 | }; | ||
401 | |||
402 | static int input_userauth_service_accept(int, u_int32_t, struct ssh *); | ||
403 | -static int input_userauth_ext_info(int, u_int32_t, struct ssh *); | ||
404 | static int input_userauth_success(int, u_int32_t, struct ssh *); | ||
405 | static int input_userauth_failure(int, u_int32_t, struct ssh *); | ||
406 | static int input_userauth_banner(int, u_int32_t, struct ssh *); | ||
407 | @@ -460,7 +460,7 @@ ssh_userauth2(struct ssh *ssh, const char *local_user, | ||
408 | |||
409 | ssh->authctxt = &authctxt; | ||
410 | ssh_dispatch_init(ssh, &input_userauth_error); | ||
411 | - ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &input_userauth_ext_info); | ||
412 | + ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, kex_input_ext_info); | ||
413 | ssh_dispatch_set(ssh, SSH2_MSG_SERVICE_ACCEPT, &input_userauth_service_accept); | ||
414 | ssh_dispatch_run_fatal(ssh, DISPATCH_BLOCK, &authctxt.success); /* loop until success */ | ||
415 | pubkey_cleanup(ssh); | ||
416 | @@ -505,13 +505,6 @@ input_userauth_service_accept(int type, u_int32_t seq, struct ssh *ssh) | ||
417 | return r; | ||
418 | } | ||
419 | |||
420 | -/* ARGSUSED */ | ||
421 | -static int | ||
422 | -input_userauth_ext_info(int type, u_int32_t seqnr, struct ssh *ssh) | ||
423 | -{ | ||
424 | - return kex_input_ext_info(type, seqnr, ssh); | ||
425 | -} | ||
426 | - | ||
427 | void | ||
428 | userauth(struct ssh *ssh, char *authlist) | ||
429 | { | ||
430 | @@ -593,6 +586,7 @@ input_userauth_success(int type, u_int32_t seq, struct ssh *ssh) | ||
431 | free(authctxt->methoddata); | ||
432 | authctxt->methoddata = NULL; | ||
433 | authctxt->success = 1; /* break out */ | ||
434 | + ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, dispatch_protocol_error); | ||
435 | return 0; | ||
436 | } | ||
437 | |||
438 | diff --git a/sshd.c b/sshd.c | ||
439 | index 60b2aaf..ffea38c 100644 | ||
440 | --- a/sshd.c | ||
441 | +++ b/sshd.c | ||
442 | @@ -2323,11 +2323,13 @@ static void | ||
443 | do_ssh2_kex(struct ssh *ssh) | ||
444 | { | ||
445 | char *myproposal[PROPOSAL_MAX] = { KEX_SERVER }; | ||
446 | + char *s; | ||
447 | struct kex *kex; | ||
448 | int r; | ||
449 | |||
450 | - myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( | ||
451 | - options.kex_algorithms); | ||
452 | + if ((s = kex_names_cat(options.kex_algorithms, "kex-strict-s-v00@openssh.com")) == NULL) | ||
453 | + fatal("kex_names_cat"); | ||
454 | + myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(s); | ||
455 | myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal( | ||
456 | options.ciphers); | ||
457 | myproposal[PROPOSAL_ENC_ALGS_STOC] = compat_cipher_proposal( | ||
458 | @@ -2382,6 +2384,7 @@ do_ssh2_kex(struct ssh *ssh) | ||
459 | packet_send(); | ||
460 | packet_write_wait(); | ||
461 | #endif | ||
462 | + free(s); | ||
463 | debug("KEX done"); | ||
464 | } | ||
465 | |||
466 | -- | ||
467 | 2.25.1 | ||
468 | |||
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-51385.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-51385.patch new file mode 100644 index 0000000000..0ba8c312d0 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-51385.patch | |||
@@ -0,0 +1,95 @@ | |||
1 | From 7ef3787c84b6b524501211b11a26c742f829af1a Mon Sep 17 00:00:00 2001 | ||
2 | From: "djm@openbsd.org" <djm@openbsd.org> | ||
3 | Date: Mon, 18 Dec 2023 14:47:44 +0000 | ||
4 | Subject: [PATCH] upstream: ban user/hostnames with most shell metacharacters | ||
5 | |||
6 | This makes ssh(1) refuse user or host names provided on the | ||
7 | commandline that contain most shell metacharacters. | ||
8 | |||
9 | Some programs that invoke ssh(1) using untrusted data do not filter | ||
10 | metacharacters in arguments they supply. This could create | ||
11 | interactions with user-specified ProxyCommand and other directives | ||
12 | that allow shell injection attacks to occur. | ||
13 | |||
14 | It's a mistake to invoke ssh(1) with arbitrary untrusted arguments, | ||
15 | but getting this stuff right can be tricky, so this should prevent | ||
16 | most obvious ways of creating risky situations. It however is not | ||
17 | and cannot be perfect: ssh(1) has no practical way of interpreting | ||
18 | what shell quoting rules are in use and how they interact with the | ||
19 | user's specified ProxyCommand. | ||
20 | |||
21 | To allow configurations that use strange user or hostnames to | ||
22 | continue to work, this strictness is applied only to names coming | ||
23 | from the commandline. Names specified using User or Hostname | ||
24 | directives in ssh_config(5) are not affected. | ||
25 | |||
26 | feedback/ok millert@ markus@ dtucker@ deraadt@ | ||
27 | |||
28 | OpenBSD-Commit-ID: 3b487348b5964f3e77b6b4d3da4c3b439e94b2d9 | ||
29 | |||
30 | CVE: CVE-2023-51385 | ||
31 | Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/7ef3787c84b6b524501211b11a26c742f829af1a] | ||
32 | Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> | ||
33 | Comment: Hunks refreshed to apply cleanly | ||
34 | |||
35 | --- | ||
36 | ssh.c | 41 ++++++++++++++++++++++++++++++++++++++++- | ||
37 | 1 file changed, 40 insertions(+), 1 deletion(-) | ||
38 | |||
39 | diff --git a/ssh.c b/ssh.c | ||
40 | index 35c48e62d18..48d93ddf2a9 100644 | ||
41 | --- a/ssh.c | ||
42 | +++ b/ssh.c | ||
43 | @@ -583,6 +583,41 @@ set_addrinfo_port(struct addrinfo *addrs | ||
44 | } | ||
45 | } | ||
46 | |||
47 | +static int | ||
48 | +valid_hostname(const char *s) | ||
49 | +{ | ||
50 | + size_t i; | ||
51 | + | ||
52 | + if (*s == '-') | ||
53 | + return 0; | ||
54 | + for (i = 0; s[i] != 0; i++) { | ||
55 | + if (strchr("'`\"$\\;&<>|(){}", s[i]) != NULL || | ||
56 | + isspace((u_char)s[i]) || iscntrl((u_char)s[i])) | ||
57 | + return 0; | ||
58 | + } | ||
59 | + return 1; | ||
60 | +} | ||
61 | + | ||
62 | +static int | ||
63 | +valid_ruser(const char *s) | ||
64 | +{ | ||
65 | + size_t i; | ||
66 | + | ||
67 | + if (*s == '-') | ||
68 | + return 0; | ||
69 | + for (i = 0; s[i] != 0; i++) { | ||
70 | + if (strchr("'`\";&<>|(){}", s[i]) != NULL) | ||
71 | + return 0; | ||
72 | + /* Disallow '-' after whitespace */ | ||
73 | + if (isspace((u_char)s[i]) && s[i + 1] == '-') | ||
74 | + return 0; | ||
75 | + /* Disallow \ in last position */ | ||
76 | + if (s[i] == '\\' && s[i + 1] == '\0') | ||
77 | + return 0; | ||
78 | + } | ||
79 | + return 1; | ||
80 | +} | ||
81 | + | ||
82 | /* | ||
83 | * Main program for the ssh client. | ||
84 | */ | ||
85 | @@ -1069,6 +1104,10 @@ main(int ac, char **av) | ||
86 | if (!host) | ||
87 | usage(); | ||
88 | |||
89 | + if (!valid_hostname(host)) | ||
90 | + fatal("hostname contains invalid characters"); | ||
91 | + if (options.user != NULL && !valid_ruser(options.user)) | ||
92 | + fatal("remote username contains invalid characters"); | ||
93 | host_arg = xstrdup(host); | ||
94 | |||
95 | /* Initialize the command to execute on remote host. */ | ||
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd.socket b/meta/recipes-connectivity/openssh/openssh/sshd.socket index 12c39b26b5..8d76d62309 100644 --- a/meta/recipes-connectivity/openssh/openssh/sshd.socket +++ b/meta/recipes-connectivity/openssh/openssh/sshd.socket | |||
@@ -1,5 +1,6 @@ | |||
1 | [Unit] | 1 | [Unit] |
2 | Conflicts=sshd.service | 2 | Conflicts=sshd.service |
3 | Wants=sshdgenkeys.service | ||
3 | 4 | ||
4 | [Socket] | 5 | [Socket] |
5 | ExecStartPre=@BASE_BINDIR@/mkdir -p /var/run/sshd | 6 | ExecStartPre=@BASE_BINDIR@/mkdir -p /var/run/sshd |
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd@.service b/meta/recipes-connectivity/openssh/openssh/sshd@.service index 9d83dfb2bb..422450c7a1 100644 --- a/meta/recipes-connectivity/openssh/openssh/sshd@.service +++ b/meta/recipes-connectivity/openssh/openssh/sshd@.service | |||
@@ -1,13 +1,11 @@ | |||
1 | [Unit] | 1 | [Unit] |
2 | Description=OpenSSH Per-Connection Daemon | 2 | Description=OpenSSH Per-Connection Daemon |
3 | Wants=sshdgenkeys.service | ||
4 | After=sshdgenkeys.service | 3 | After=sshdgenkeys.service |
5 | 4 | ||
6 | [Service] | 5 | [Service] |
7 | Environment="SSHD_OPTS=" | 6 | Environment="SSHD_OPTS=" |
8 | EnvironmentFile=-/etc/default/ssh | 7 | EnvironmentFile=-/etc/default/ssh |
9 | ExecStart=-@SBINDIR@/sshd -i $SSHD_OPTS | 8 | ExecStart=-@SBINDIR@/sshd -i $SSHD_OPTS |
10 | ExecReload=@BASE_BINDIR@/kill -HUP $MAINPID | ||
11 | StandardInput=socket | 9 | StandardInput=socket |
12 | StandardError=syslog | 10 | StandardError=syslog |
13 | KillMode=process | 11 | KillMode=process |
diff --git a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb index fe94f30503..9d6cf7da6c 100644 --- a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb | |||
@@ -5,7 +5,7 @@ Ssh (Secure Shell) is a program for logging into a remote machine \ | |||
5 | and for executing commands on a remote machine." | 5 | and for executing commands on a remote machine." |
6 | HOMEPAGE = "http://www.openssh.com/" | 6 | HOMEPAGE = "http://www.openssh.com/" |
7 | SECTION = "console/network" | 7 | SECTION = "console/network" |
8 | LICENSE = "BSD & ISC & MIT" | 8 | LICENSE = "BSD-2-Clause & BSD-3-Clause & BSD-4-Clause & ISC & MIT" |
9 | LIC_FILES_CHKSUM = "file://LICENCE;md5=18d9e5a8b3dd1790d73502f50426d4d3" | 9 | LIC_FILES_CHKSUM = "file://LICENCE;md5=18d9e5a8b3dd1790d73502f50426d4d3" |
10 | 10 | ||
11 | DEPENDS = "zlib openssl virtual/crypt" | 11 | DEPENDS = "zlib openssl virtual/crypt" |
@@ -24,14 +24,63 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar | |||
24 | file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \ | 24 | file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \ |
25 | file://sshd_check_keys \ | 25 | file://sshd_check_keys \ |
26 | file://add-test-support-for-busybox.patch \ | 26 | file://add-test-support-for-busybox.patch \ |
27 | file://CVE-2020-14145.patch \ | ||
28 | file://CVE-2021-28041.patch \ | ||
29 | file://CVE-2021-41617.patch \ | ||
30 | file://CVE-2023-38408-01.patch \ | ||
31 | file://CVE-2023-38408-02.patch \ | ||
32 | file://CVE-2023-38408-03.patch \ | ||
33 | file://CVE-2023-38408-04.patch \ | ||
34 | file://CVE-2023-38408-05.patch \ | ||
35 | file://CVE-2023-38408-06.patch \ | ||
36 | file://CVE-2023-38408-07.patch \ | ||
37 | file://CVE-2023-38408-08.patch \ | ||
38 | file://CVE-2023-38408-09.patch \ | ||
39 | file://CVE-2023-38408-10.patch \ | ||
40 | file://CVE-2023-38408-11.patch \ | ||
41 | file://CVE-2023-38408-12.patch \ | ||
42 | file://CVE-2023-48795.patch \ | ||
43 | file://CVE-2023-51385.patch \ | ||
27 | " | 44 | " |
28 | SRC_URI[md5sum] = "3076e6413e8dbe56d33848c1054ac091" | 45 | SRC_URI[md5sum] = "3076e6413e8dbe56d33848c1054ac091" |
29 | SRC_URI[sha256sum] = "43925151e6cf6cee1450190c0e9af4dc36b41c12737619edff8bcebdff64e671" | 46 | SRC_URI[sha256sum] = "43925151e6cf6cee1450190c0e9af4dc36b41c12737619edff8bcebdff64e671" |
30 | 47 | ||
48 | # This CVE is specific to OpenSSH with the pam opie which we don't build/use here | ||
49 | CVE_CHECK_WHITELIST += "CVE-2007-2768" | ||
50 | |||
31 | # This CVE is specific to OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7 | 51 | # This CVE is specific to OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7 |
32 | # and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded | 52 | # and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded |
33 | CVE_CHECK_WHITELIST += "CVE-2014-9278" | 53 | CVE_CHECK_WHITELIST += "CVE-2014-9278" |
34 | 54 | ||
55 | # As per upstream, because of the way scp is based on a historical protocol called rcp | ||
56 | # which relies on that style of argument passing and therefore encounters expansion | ||
57 | # problems. Making changes to how the scp command line works breaks the pattern used | ||
58 | # by scp consumers. Upstream therefore recommends the use of rsync in the place of | ||
59 | # scp for better security. https://bugzilla.redhat.com/show_bug.cgi?id=1860487 | ||
60 | CVE_CHECK_WHITELIST += "CVE-2020-15778" | ||
61 | |||
62 | # CVE-2008-3844 was reported in OpenSSH on Red Hat Enterprise Linux and | ||
63 | # certain packages may have been compromised. This CVE is not applicable | ||
64 | # as our source is OpenBSD. https://securitytracker.com/id?1020730 | ||
65 | # https://www.securityfocus.com/bid/30794 | ||
66 | CVE_CHECK_WHITELIST += "CVE-2008-3844" | ||
67 | |||
68 | # openssh-ssh1 is provided for compatibility with old devices that | ||
69 | # cannot be upgraded to modern protocols. Thus they may not provide security | ||
70 | # support for this package because doing so would prevent access to equipment. | ||
71 | # The upstream OpenSSH developers see this as an important | ||
72 | # security feature and do not intend to 'fix' it. | ||
73 | # https://security-tracker.debian.org/tracker/CVE-2016-20012 | ||
74 | # https://ubuntu.com/security/CVE-2016-20012 | ||
75 | CVE_CHECK_WHITELIST += "CVE-2016-20012" | ||
76 | |||
77 | # As per debian, the issue is fixed by a feature called "agent restriction" in openssh 8.9 | ||
78 | # Urgency is unimportant as per debian, Hence this CVE is whitelisting. | ||
79 | # https://security-tracker.debian.org/tracker/CVE-2021-36368 | ||
80 | # https://bugzilla.mindrot.org/show_bug.cgi?id=3316#c2 | ||
81 | # https://docs.ssh-mitm.at/trivialauth.html | ||
82 | CVE_CHECK_WHITELIST += "CVE-2021-36368" | ||
83 | |||
35 | PAM_SRC_URI = "file://sshd" | 84 | PAM_SRC_URI = "file://sshd" |
36 | 85 | ||
37 | inherit manpages useradd update-rc.d update-alternatives systemd | 86 | inherit manpages useradd update-rc.d update-alternatives systemd |
@@ -155,12 +204,17 @@ FILES_${PN}-sftp-server = "${libexecdir}/sftp-server" | |||
155 | FILES_${PN}-misc = "${bindir}/ssh* ${libexecdir}/ssh*" | 204 | FILES_${PN}-misc = "${bindir}/ssh* ${libexecdir}/ssh*" |
156 | FILES_${PN}-keygen = "${bindir}/ssh-keygen" | 205 | FILES_${PN}-keygen = "${bindir}/ssh-keygen" |
157 | 206 | ||
158 | RDEPENDS_${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen" | 207 | RDEPENDS_${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen ${PN}-sftp-server" |
159 | RDEPENDS_${PN}-sshd += "${PN}-keygen ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-keyinit pam-plugin-loginuid', '', d)}" | 208 | RDEPENDS_${PN}-sshd += "${PN}-keygen ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-keyinit pam-plugin-loginuid', '', d)}" |
160 | RRECOMMENDS_${PN}-sshd_append_class-target = "\ | 209 | RRECOMMENDS_${PN}-sshd_append_class-target = "\ |
161 | ${@bb.utils.filter('PACKAGECONFIG', 'rng-tools', d)} \ | 210 | ${@bb.utils.filter('PACKAGECONFIG', 'rng-tools', d)} \ |
162 | " | 211 | " |
163 | 212 | ||
213 | # break dependency on base package for -dev package | ||
214 | # otherwise SDK fails to build as the main openssh and dropbear packages | ||
215 | # conflict with each other | ||
216 | RDEPENDS:${PN}-dev = "" | ||
217 | |||
164 | # gdb would make attach-ptrace test pass rather than skip but not worth the build dependencies | 218 | # gdb would make attach-ptrace test pass rather than skip but not worth the build dependencies |
165 | RDEPENDS_${PN}-ptest += "${PN}-sftp ${PN}-misc ${PN}-sftp-server make sed sudo coreutils" | 219 | RDEPENDS_${PN}-ptest += "${PN}-sftp ${PN}-misc ${PN}-sftp-server make sed sudo coreutils" |
166 | 220 | ||
diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Configure-add-2-missing-key-sorts.patch b/meta/recipes-connectivity/openssl/openssl/0001-Configure-add-2-missing-key-sorts.patch new file mode 100644 index 0000000000..e2a65d0998 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/0001-Configure-add-2-missing-key-sorts.patch | |||
@@ -0,0 +1,38 @@ | |||
1 | From 679ae2f72ef8cf37609cb0eff5de3b98aa85e395 Mon Sep 17 00:00:00 2001 | ||
2 | From: Steve Sakoman <steve@sakoman.com> | ||
3 | Date: Thu, 20 Jul 2023 04:14:42 -1000 | ||
4 | Subject: [PATCH] Configure: add 2 missing key sorts in generation of unified_info | ||
5 | |||
6 | Otherwise generation of this section in configdata.pm is not reproducible | ||
7 | |||
8 | Signed-off-by: Steve Sakoman <steve@sakoman.com> | ||
9 | Upstream-Status: Backport [adapted from 3.x commit https://github.com/openssl/openssl/commit/764cf5b26306a8712e8b3d41599c44dc5ed07a25] | ||
10 | --- | ||
11 | Configure | 4 ++-- | ||
12 | 1 file changed, 2 insertions(+), 2 deletions(-) | ||
13 | |||
14 | diff --git a/Configure b/Configure | ||
15 | index 2a01746..8fc5a2c 100755 | ||
16 | --- a/Configure | ||
17 | +++ b/Configure | ||
18 | @@ -2326,7 +2326,7 @@ EOF | ||
19 | "dso" => [ @{$unified_info{engines}} ], | ||
20 | "bin" => [ @{$unified_info{programs}} ], | ||
21 | "script" => [ @{$unified_info{scripts}} ] ); | ||
22 | - foreach my $type (keys %loopinfo) { | ||
23 | + foreach my $type (sort keys %loopinfo) { | ||
24 | foreach my $product (@{$loopinfo{$type}}) { | ||
25 | my %dirs = (); | ||
26 | my $pd = dirname($product); | ||
27 | @@ -2347,7 +2347,7 @@ EOF | ||
28 | push @{$unified_info{dirinfo}->{$d}->{deps}}, $_ | ||
29 | if $d ne $pd; | ||
30 | } | ||
31 | - foreach (keys %dirs) { | ||
32 | + foreach (sort keys %dirs) { | ||
33 | push @{$unified_info{dirinfo}->{$_}->{products}->{$type}}, | ||
34 | $product; | ||
35 | } | ||
36 | -- | ||
37 | 2.34.1 | ||
38 | |||
diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch new file mode 100644 index 0000000000..b3f6a942d5 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch | |||
@@ -0,0 +1,37 @@ | |||
1 | From 326909baf81a638d51fa8be1d8227518784f5cc4 Mon Sep 17 00:00:00 2001 | ||
2 | From: Alexander Kanavin <alex@linutronix.de> | ||
3 | Date: Tue, 14 Sep 2021 12:18:25 +0200 | ||
4 | Subject: [PATCH] Configure: do not tweak mips cflags | ||
5 | |||
6 | This conflicts with mips machine definitons from yocto, | ||
7 | e.g. | ||
8 | | Error: -mips3 conflicts with the other architecture options, which imply -mips64r2 | ||
9 | |||
10 | Upstream-Status: Inappropriate [oe-core specific] | ||
11 | Signed-off-by: Alexander Kanavin <alex@linutronix.de> | ||
12 | Signed-off-by: Peter Marko <peter.marko@siemens.com> | ||
13 | --- | ||
14 | Configure | 10 ---------- | ||
15 | 1 file changed, 10 deletions(-) | ||
16 | |||
17 | Index: openssl-3.0.4/Configure | ||
18 | =================================================================== | ||
19 | --- openssl-3.0.4.orig/Configure | ||
20 | +++ openssl-3.0.4/Configure | ||
21 | @@ -1243,16 +1243,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help 2>&1` =~ m/-mno-cygwin/m) | ||
22 | push @{$config{shared_ldflag}}, "-mno-cygwin"; | ||
23 | } | ||
24 | |||
25 | -if ($target =~ /linux.*-mips/ && !$disabled{asm} | ||
26 | - && !grep { $_ =~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})) { | ||
27 | - # minimally required architecture flags for assembly modules | ||
28 | - my $value; | ||
29 | - $value = '-mips2' if ($target =~ /mips32/); | ||
30 | - $value = '-mips3' if ($target =~ /mips64/); | ||
31 | - unshift @{$config{cflags}}, $value; | ||
32 | - unshift @{$config{cxxflags}}, $value if $config{CXX}; | ||
33 | -} | ||
34 | - | ||
35 | # If threads aren't disabled, check how possible they are | ||
36 | unless ($disabled{threads}) { | ||
37 | if ($auto_threads) { | ||
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-0727.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-0727.patch new file mode 100644 index 0000000000..3da6879ccb --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2024-0727.patch | |||
@@ -0,0 +1,122 @@ | |||
1 | Backport of: | ||
2 | |||
3 | From 09df4395b5071217b76dc7d3d2e630eb8c5a79c2 Mon Sep 17 00:00:00 2001 | ||
4 | From: Matt Caswell <matt@openssl.org> | ||
5 | Date: Fri, 19 Jan 2024 11:28:58 +0000 | ||
6 | Subject: [PATCH] Add NULL checks where ContentInfo data can be NULL | ||
7 | |||
8 | PKCS12 structures contain PKCS7 ContentInfo fields. These fields are | ||
9 | optional and can be NULL even if the "type" is a valid value. OpenSSL | ||
10 | was not properly accounting for this and a NULL dereference can occur | ||
11 | causing a crash. | ||
12 | |||
13 | CVE-2024-0727 | ||
14 | |||
15 | Reviewed-by: Tomas Mraz <tomas@openssl.org> | ||
16 | Reviewed-by: Hugo Landau <hlandau@openssl.org> | ||
17 | Reviewed-by: Neil Horman <nhorman@openssl.org> | ||
18 | (Merged from https://github.com/openssl/openssl/pull/23362) | ||
19 | |||
20 | (cherry picked from commit d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c) | ||
21 | |||
22 | Upstream-Status: Backport [https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c] | ||
23 | |||
24 | CVE: CVE-2024-0727 | ||
25 | |||
26 | Signed-off-by: virendra thakur <virendrak@kpit.com> | ||
27 | --- | ||
28 | crypto/pkcs12/p12_add.c | 18 ++++++++++++++++++ | ||
29 | crypto/pkcs12/p12_mutl.c | 5 +++++ | ||
30 | crypto/pkcs12/p12_npas.c | 5 +++-- | ||
31 | crypto/pkcs7/pk7_mime.c | 7 +++++-- | ||
32 | 4 files changed, 31 insertions(+), 4 deletions(-) | ||
33 | |||
34 | --- a/crypto/pkcs12/p12_add.c | ||
35 | +++ b/crypto/pkcs12/p12_add.c | ||
36 | @@ -76,6 +76,13 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_ | ||
37 | PKCS12_R_CONTENT_TYPE_NOT_DATA); | ||
38 | return NULL; | ||
39 | } | ||
40 | + | ||
41 | + if (p7->d.data == NULL) { | ||
42 | + PKCS12err(PKCS12_F_PKCS12_UNPACK_P7DATA, | ||
43 | + PKCS12_R_DECODE_ERROR); | ||
44 | + return NULL; | ||
45 | + } | ||
46 | + | ||
47 | return ASN1_item_unpack(p7->d.data, ASN1_ITEM_rptr(PKCS12_SAFEBAGS)); | ||
48 | } | ||
49 | |||
50 | @@ -132,6 +139,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_ | ||
51 | { | ||
52 | if (!PKCS7_type_is_encrypted(p7)) | ||
53 | return NULL; | ||
54 | + | ||
55 | + if (p7->d.encrypted == NULL) { | ||
56 | + PKCS12err(PKCS12_F_PKCS12_UNPACK_P7DATA, PKCS12_R_DECODE_ERROR); | ||
57 | + return NULL; | ||
58 | + } | ||
59 | + | ||
60 | return PKCS12_item_decrypt_d2i(p7->d.encrypted->enc_data->algorithm, | ||
61 | ASN1_ITEM_rptr(PKCS12_SAFEBAGS), | ||
62 | pass, passlen, | ||
63 | @@ -159,6 +172,13 @@ STACK_OF(PKCS7) *PKCS12_unpack_authsafes | ||
64 | PKCS12_R_CONTENT_TYPE_NOT_DATA); | ||
65 | return NULL; | ||
66 | } | ||
67 | + | ||
68 | + if (p12->authsafes->d.data == NULL) { | ||
69 | + PKCS12err(PKCS12_F_PKCS12_UNPACK_AUTHSAFES, | ||
70 | + PKCS12_R_DECODE_ERROR); | ||
71 | + return NULL; | ||
72 | + } | ||
73 | + | ||
74 | return ASN1_item_unpack(p12->authsafes->d.data, | ||
75 | ASN1_ITEM_rptr(PKCS12_AUTHSAFES)); | ||
76 | } | ||
77 | --- a/crypto/pkcs12/p12_mutl.c | ||
78 | +++ b/crypto/pkcs12/p12_mutl.c | ||
79 | @@ -93,6 +93,11 @@ static int pkcs12_gen_mac(PKCS12 *p12, c | ||
80 | return 0; | ||
81 | } | ||
82 | |||
83 | + if (p12->authsafes->d.data == NULL) { | ||
84 | + PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_DECODE_ERROR); | ||
85 | + return 0; | ||
86 | + } | ||
87 | + | ||
88 | salt = p12->mac->salt->data; | ||
89 | saltlen = p12->mac->salt->length; | ||
90 | if (!p12->mac->iter) | ||
91 | --- a/crypto/pkcs12/p12_npas.c | ||
92 | +++ b/crypto/pkcs12/p12_npas.c | ||
93 | @@ -78,8 +78,9 @@ static int newpass_p12(PKCS12 *p12, cons | ||
94 | bags = PKCS12_unpack_p7data(p7); | ||
95 | } else if (bagnid == NID_pkcs7_encrypted) { | ||
96 | bags = PKCS12_unpack_p7encdata(p7, oldpass, -1); | ||
97 | - if (!alg_get(p7->d.encrypted->enc_data->algorithm, | ||
98 | - &pbe_nid, &pbe_iter, &pbe_saltlen)) | ||
99 | + if (p7->d.encrypted == NULL | ||
100 | + || !alg_get(p7->d.encrypted->enc_data->algorithm, | ||
101 | + &pbe_nid, &pbe_iter, &pbe_saltlen)) | ||
102 | goto err; | ||
103 | } else { | ||
104 | continue; | ||
105 | --- a/crypto/pkcs7/pk7_mime.c | ||
106 | +++ b/crypto/pkcs7/pk7_mime.c | ||
107 | @@ -30,10 +30,13 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p | ||
108 | { | ||
109 | STACK_OF(X509_ALGOR) *mdalgs; | ||
110 | int ctype_nid = OBJ_obj2nid(p7->type); | ||
111 | - if (ctype_nid == NID_pkcs7_signed) | ||
112 | + if (ctype_nid == NID_pkcs7_signed) { | ||
113 | + if (p7->d.sign == NULL) | ||
114 | + return 0; | ||
115 | mdalgs = p7->d.sign->md_algs; | ||
116 | - else | ||
117 | + } else { | ||
118 | mdalgs = NULL; | ||
119 | + } | ||
120 | |||
121 | flags ^= SMIME_OLDMIME; | ||
122 | |||
diff --git a/meta/recipes-connectivity/openssl/openssl/reproducibility.patch b/meta/recipes-connectivity/openssl/openssl/reproducibility.patch new file mode 100644 index 0000000000..8accbc9df2 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/reproducibility.patch | |||
@@ -0,0 +1,22 @@ | |||
1 | Using localtime() means the output can depend on the timezone of the build machine. | ||
2 | Using gmtime() is safer. For complete reproducibility use SOURCE_DATE_EPOCH if set. | ||
3 | |||
4 | Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> | ||
5 | Upstream-Status: Pending [should be suitable] | ||
6 | |||
7 | Index: openssl-3.0.1/apps/progs.pl | ||
8 | =================================================================== | ||
9 | --- openssl-3.0.1.orig/apps/progs.pl | ||
10 | +++ openssl-3.0.1/apps/progs.pl | ||
11 | @@ -21,7 +21,10 @@ die "Unrecognised option, must be -C or | ||
12 | my %commands = (); | ||
13 | my $cmdre = qr/^\s*int\s+([a-z_][a-z0-9_]*)_main\(\s*int\s+argc\s*,/; | ||
14 | my $apps_openssl = shift @ARGV; | ||
15 | -my $YEAR = [localtime()]->[5] + 1900; | ||
16 | +my $YEAR = [gmtime()]->[5] + 1900; | ||
17 | +if (defined($ENV{SOURCE_DATE_EPOCH}) && $ENV{SOURCE_DATE_EPOCH} !~ /\D/) { | ||
18 | + $YEAR = [gmtime($ENV{SOURCE_DATE_EPOCH})]->[5] + 1900; | ||
19 | +} | ||
20 | |||
21 | # because the program apps/openssl has object files as sources, and | ||
22 | # they then have the corresponding C files as source, we need to chain | ||
diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1i.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1w.bb index 5d22c511aa..0e490eabc3 100644 --- a/meta/recipes-connectivity/openssl/openssl_1.1.1i.bb +++ b/meta/recipes-connectivity/openssl/openssl_1.1.1w.bb | |||
@@ -17,13 +17,17 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ | |||
17 | file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \ | 17 | file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \ |
18 | file://afalg.patch \ | 18 | file://afalg.patch \ |
19 | file://reproducible.patch \ | 19 | file://reproducible.patch \ |
20 | file://reproducibility.patch \ | ||
21 | file://0001-Configure-add-2-missing-key-sorts.patch \ | ||
22 | file://0001-Configure-do-not-tweak-mips-cflags.patch \ | ||
23 | file://CVE-2024-0727.patch \ | ||
20 | " | 24 | " |
21 | 25 | ||
22 | SRC_URI_append_class-nativesdk = " \ | 26 | SRC_URI_append_class-nativesdk = " \ |
23 | file://environment.d-openssl.sh \ | 27 | file://environment.d-openssl.sh \ |
24 | " | 28 | " |
25 | 29 | ||
26 | SRC_URI[sha256sum] = "e8be6a35fe41d10603c3cc635e93289ed00bf34b79671a3a4de64fcee00d5242" | 30 | SRC_URI[sha256sum] = "cf3098950cb4d853ad95c0841f1f9c6d3dc102dccfcacd521d93925208b76ac8" |
27 | 31 | ||
28 | inherit lib_package multilib_header multilib_script ptest | 32 | inherit lib_package multilib_header multilib_script ptest |
29 | MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash" | 33 | MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash" |
@@ -179,6 +183,7 @@ do_install_ptest () { | |||
179 | install -m755 ${B}/apps/CA.pl ${D}${PTEST_PATH}/apps | 183 | install -m755 ${B}/apps/CA.pl ${D}${PTEST_PATH}/apps |
180 | 184 | ||
181 | install -d ${D}${PTEST_PATH}/engines | 185 | install -d ${D}${PTEST_PATH}/engines |
186 | install -m755 ${B}/engines/dasync.so ${D}${PTEST_PATH}/engines | ||
182 | install -m755 ${B}/engines/ossltest.so ${D}${PTEST_PATH}/engines | 187 | install -m755 ${B}/engines/ossltest.so ${D}${PTEST_PATH}/engines |
183 | } | 188 | } |
184 | 189 | ||
diff --git a/meta/recipes-connectivity/ppp-dialin/ppp-dialin_0.1.bb b/meta/recipes-connectivity/ppp-dialin/ppp-dialin_0.1.bb index b5f68951d7..b0097aa480 100644 --- a/meta/recipes-connectivity/ppp-dialin/ppp-dialin_0.1.bb +++ b/meta/recipes-connectivity/ppp-dialin/ppp-dialin_0.1.bb | |||
@@ -1,5 +1,6 @@ | |||
1 | SUMMARY = "Enables PPP dial-in through a serial connection" | 1 | SUMMARY = "Enables PPP dial-in through a serial connection" |
2 | SECTION = "console/network" | 2 | SECTION = "console/network" |
3 | DESCRIPTION = "PPP dail-in provides a point to point protocol (PPP), so that other computers can dial up to it and access connected networks." | ||
3 | DEPENDS = "ppp" | 4 | DEPENDS = "ppp" |
4 | RDEPENDS_${PN} = "ppp" | 5 | RDEPENDS_${PN} = "ppp" |
5 | PR = "r8" | 6 | PR = "r8" |
diff --git a/meta/recipes-connectivity/ppp/ppp/CVE-2022-4603.patch b/meta/recipes-connectivity/ppp/ppp/CVE-2022-4603.patch new file mode 100644 index 0000000000..27b8863a4e --- /dev/null +++ b/meta/recipes-connectivity/ppp/ppp/CVE-2022-4603.patch | |||
@@ -0,0 +1,50 @@ | |||
1 | From 2aeb41a9a3a43b11b1e46628d0bf98197ff9f141 Mon Sep 17 00:00:00 2001 | ||
2 | From: Paul Mackerras <paulus@ozlabs.org> | ||
3 | Date: Thu, 29 Dec 2022 18:00:20 +0100 | ||
4 | Subject: [PATCH] pppdump: Avoid out-of-range access to packet buffer | ||
5 | |||
6 | This fixes a potential vulnerability where data is written to spkt.buf | ||
7 | and rpkt.buf without a check on the array index. To fix this, we | ||
8 | check the array index (pkt->cnt) before storing the byte or | ||
9 | incrementing the count. This also means we no longer have a potential | ||
10 | signed integer overflow on the increment of pkt->cnt. | ||
11 | |||
12 | Fortunately, pppdump is not used in the normal process of setting up a | ||
13 | PPP connection, is not installed setuid-root, and is not invoked | ||
14 | automatically in any scenario that I am aware of. | ||
15 | |||
16 | Ustream-Status: Backport [https://github.com/ppp-project/ppp/commit/a75fb7b198eed50d769c80c36629f38346882cbf] | ||
17 | CVE: CVE-2022-4603 | ||
18 | Signed-off-by:Minjae Kim <flowergom@gmail.com> | ||
19 | --- | ||
20 | pppdump/pppdump.c | 7 ++++++- | ||
21 | 1 file changed, 6 insertions(+), 1 deletion(-) | ||
22 | |||
23 | diff --git a/pppdump/pppdump.c b/pppdump/pppdump.c | ||
24 | index 87c2e8f..dec4def 100644 | ||
25 | --- a/pppdump/pppdump.c | ||
26 | +++ b/pppdump/pppdump.c | ||
27 | @@ -296,6 +296,10 @@ dumpppp(f) | ||
28 | printf("%s aborted packet:\n ", dir); | ||
29 | q = " "; | ||
30 | } | ||
31 | + if (pkt->cnt >= sizeof(pkt->buf)) { | ||
32 | + printf("%s over-long packet truncated:\n ", dir); | ||
33 | + q = " "; | ||
34 | + } | ||
35 | nb = pkt->cnt; | ||
36 | p = pkt->buf; | ||
37 | pkt->cnt = 0; | ||
38 | @@ -399,7 +403,8 @@ dumpppp(f) | ||
39 | c ^= 0x20; | ||
40 | pkt->esc = 0; | ||
41 | } | ||
42 | - pkt->buf[pkt->cnt++] = c; | ||
43 | + if (pkt->cnt < sizeof(pkt->buf)) | ||
44 | + pkt->buf[pkt->cnt++] = c; | ||
45 | break; | ||
46 | } | ||
47 | } | ||
48 | -- | ||
49 | 2.25.1 | ||
50 | |||
diff --git a/meta/recipes-connectivity/ppp/ppp_2.4.7.bb b/meta/recipes-connectivity/ppp/ppp_2.4.7.bb index 76c1cc62a7..51ec25e660 100644 --- a/meta/recipes-connectivity/ppp/ppp_2.4.7.bb +++ b/meta/recipes-connectivity/ppp/ppp_2.4.7.bb | |||
@@ -34,6 +34,7 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/${BP}.tar.gz \ | |||
34 | file://0001-ppp-Remove-unneeded-include.patch \ | 34 | file://0001-ppp-Remove-unneeded-include.patch \ |
35 | file://ppp-2.4.7-DES-openssl.patch \ | 35 | file://ppp-2.4.7-DES-openssl.patch \ |
36 | file://0001-pppd-Fix-bounds-check-in-EAP-code.patch \ | 36 | file://0001-pppd-Fix-bounds-check-in-EAP-code.patch \ |
37 | file://CVE-2022-4603.patch \ | ||
37 | " | 38 | " |
38 | 39 | ||
39 | SRC_URI_append_libc-musl = "\ | 40 | SRC_URI_append_libc-musl = "\ |
diff --git a/meta/recipes-connectivity/resolvconf/resolvconf_1.82.bb b/meta/recipes-connectivity/resolvconf/resolvconf_1.82.bb index 67959576e8..5f0a5eac70 100644 --- a/meta/recipes-connectivity/resolvconf/resolvconf_1.82.bb +++ b/meta/recipes-connectivity/resolvconf/resolvconf_1.82.bb | |||
@@ -11,7 +11,7 @@ AUTHOR = "Thomas Hood" | |||
11 | HOMEPAGE = "http://packages.debian.org/resolvconf" | 11 | HOMEPAGE = "http://packages.debian.org/resolvconf" |
12 | RDEPENDS_${PN} = "bash" | 12 | RDEPENDS_${PN} = "bash" |
13 | 13 | ||
14 | SRC_URI = "git://salsa.debian.org/debian/resolvconf.git;protocol=https \ | 14 | SRC_URI = "git://salsa.debian.org/debian/resolvconf.git;protocol=https;branch=unstable \ |
15 | file://fix-path-for-busybox.patch \ | 15 | file://fix-path-for-busybox.patch \ |
16 | file://99_resolvconf \ | 16 | file://99_resolvconf \ |
17 | " | 17 | " |
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-0326.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-0326.patch new file mode 100644 index 0000000000..8c90fa3421 --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-0326.patch | |||
@@ -0,0 +1,45 @@ | |||
1 | From 947272febe24a8f0ea828b5b2f35f13c3821901e Mon Sep 17 00:00:00 2001 | ||
2 | From: Jouni Malinen <jouni@codeaurora.org> | ||
3 | Date: Mon, 9 Nov 2020 11:43:12 +0200 | ||
4 | Subject: [PATCH] P2P: Fix copying of secondary device types for P2P group | ||
5 | client | ||
6 | |||
7 | Parsing and copying of WPS secondary device types list was verifying | ||
8 | that the contents is not too long for the internal maximum in the case | ||
9 | of WPS messages, but similar validation was missing from the case of P2P | ||
10 | group information which encodes this information in a different | ||
11 | attribute. This could result in writing beyond the memory area assigned | ||
12 | for these entries and corrupting memory within an instance of struct | ||
13 | p2p_device. This could result in invalid operations and unexpected | ||
14 | behavior when trying to free pointers from that corrupted memory. | ||
15 | |||
16 | Upstream-Status: Backport | ||
17 | CVE: CVE-2021-0326 | ||
18 | |||
19 | Reference to upstream patch: | ||
20 | [https://w1.fi/cgit/hostap/commit/?id=947272febe24a8f0ea828b5b2f35f13c3821901e] | ||
21 | |||
22 | Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27269 | ||
23 | Fixes: e57ae6e19edf ("P2P: Keep track of secondary device types for peers") | ||
24 | Signed-off-by: Jouni Malinen <jouni@codeaurora.org> | ||
25 | Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com> | ||
26 | --- | ||
27 | src/p2p/p2p.c | 2 ++ | ||
28 | 1 file changed, 2 insertions(+) | ||
29 | |||
30 | diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c | ||
31 | index a08ba02..079270f 100644 | ||
32 | --- a/src/p2p/p2p.c | ||
33 | +++ b/src/p2p/p2p.c | ||
34 | @@ -453,6 +453,8 @@ static void p2p_copy_client_info(struct p2p_device *dev, | ||
35 | dev->info.config_methods = cli->config_methods; | ||
36 | os_memcpy(dev->info.pri_dev_type, cli->pri_dev_type, 8); | ||
37 | dev->info.wps_sec_dev_type_list_len = 8 * cli->num_sec_dev_types; | ||
38 | + if (dev->info.wps_sec_dev_type_list_len > WPS_SEC_DEV_TYPE_MAX_LEN) | ||
39 | + dev->info.wps_sec_dev_type_list_len = WPS_SEC_DEV_TYPE_MAX_LEN; | ||
40 | os_memcpy(dev->info.wps_sec_dev_type_list, cli->sec_dev_types, | ||
41 | dev->info.wps_sec_dev_type_list_len); | ||
42 | } | ||
43 | -- | ||
44 | 2.17.1 | ||
45 | |||
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-27803.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-27803.patch new file mode 100644 index 0000000000..004b1dbd19 --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-27803.patch | |||
@@ -0,0 +1,58 @@ | |||
1 | From 8460e3230988ef2ec13ce6b69b687e941f6cdb32 Mon Sep 17 00:00:00 2001 | ||
2 | From: Jouni Malinen <jouni@codeaurora.org> | ||
3 | Date: Tue, 8 Dec 2020 23:52:50 +0200 | ||
4 | Subject: [PATCH] P2P: Fix a corner case in peer addition based on PD Request | ||
5 | |||
6 | p2p_add_device() may remove the oldest entry if there is no room in the | ||
7 | peer table for a new peer. This would result in any pointer to that | ||
8 | removed entry becoming stale. A corner case with an invalid PD Request | ||
9 | frame could result in such a case ending up using (read+write) freed | ||
10 | memory. This could only by triggered when the peer table has reached its | ||
11 | maximum size and the PD Request frame is received from the P2P Device | ||
12 | Address of the oldest remaining entry and the frame has incorrect P2P | ||
13 | Device Address in the payload. | ||
14 | |||
15 | Fix this by fetching the dev pointer again after having called | ||
16 | p2p_add_device() so that the stale pointer cannot be used. | ||
17 | |||
18 | Fixes: 17bef1e97a50 ("P2P: Add peer entry based on Provision Discovery Request") | ||
19 | Signed-off-by: Jouni Malinen <jouni@codeaurora.org> | ||
20 | |||
21 | Upstream-Status: Backport | ||
22 | CVE: CVE-2021-27803 | ||
23 | |||
24 | Reference to upstream patch: | ||
25 | [https://w1.fi/cgit/hostap/commit/?id=8460e3230988ef2ec13ce6b69b687e941f6cdb32] | ||
26 | |||
27 | Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com> | ||
28 | --- | ||
29 | src/p2p/p2p_pd.c | 12 +++++------- | ||
30 | 1 file changed, 5 insertions(+), 7 deletions(-) | ||
31 | |||
32 | diff --git a/src/p2p/p2p_pd.c b/src/p2p/p2p_pd.c | ||
33 | index 3994ec0..05fd593 100644 | ||
34 | --- a/src/p2p/p2p_pd.c | ||
35 | +++ b/src/p2p/p2p_pd.c | ||
36 | @@ -595,14 +595,12 @@ void p2p_process_prov_disc_req(struct p2p_data *p2p, const u8 *sa, | ||
37 | goto out; | ||
38 | } | ||
39 | |||
40 | + dev = p2p_get_device(p2p, sa); | ||
41 | if (!dev) { | ||
42 | - dev = p2p_get_device(p2p, sa); | ||
43 | - if (!dev) { | ||
44 | - p2p_dbg(p2p, | ||
45 | - "Provision Discovery device not found " | ||
46 | - MACSTR, MAC2STR(sa)); | ||
47 | - goto out; | ||
48 | - } | ||
49 | + p2p_dbg(p2p, | ||
50 | + "Provision Discovery device not found " | ||
51 | + MACSTR, MAC2STR(sa)); | ||
52 | + goto out; | ||
53 | } | ||
54 | } else if (msg.wfd_subelems) { | ||
55 | wpabuf_free(dev->info.wfd_subelems); | ||
56 | -- | ||
57 | 2.17.1 | ||
58 | |||
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-30004.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-30004.patch new file mode 100644 index 0000000000..e2540fc26b --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-30004.patch | |||
@@ -0,0 +1,123 @@ | |||
1 | From a0541334a6394f8237a4393b7372693cd7e96f15 Mon Sep 17 00:00:00 2001 | ||
2 | From: Jouni Malinen <j@w1.fi> | ||
3 | Date: Sat, 13 Mar 2021 18:19:31 +0200 | ||
4 | Subject: [PATCH] ASN.1: Validate DigestAlgorithmIdentifier parameters | ||
5 | |||
6 | The supported hash algorithms do not use AlgorithmIdentifier parameters. | ||
7 | However, there are implementations that include NULL parameters in | ||
8 | addition to ones that omit the parameters. Previous implementation did | ||
9 | not check the parameters value at all which supported both these cases, | ||
10 | but did not reject any other unexpected information. | ||
11 | |||
12 | Use strict validation of digest algorithm parameters and reject any | ||
13 | unexpected value when validating a signature. This is needed to prevent | ||
14 | potential forging attacks. | ||
15 | |||
16 | Signed-off-by: Jouni Malinen <j@w1.fi> | ||
17 | |||
18 | Upstream-Status: Backport | ||
19 | CVE: CVE-2021-30004 | ||
20 | |||
21 | Reference to upstream patch: | ||
22 | [https://w1.fi/cgit/hostap/commit/?id=a0541334a6394f8237a4393b7372693cd7e96f15] | ||
23 | |||
24 | Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com> | ||
25 | --- | ||
26 | src/tls/pkcs1.c | 21 +++++++++++++++++++++ | ||
27 | src/tls/x509v3.c | 20 ++++++++++++++++++++ | ||
28 | 2 files changed, 41 insertions(+) | ||
29 | |||
30 | diff --git a/src/tls/pkcs1.c b/src/tls/pkcs1.c | ||
31 | index 141ac50..e09db07 100644 | ||
32 | --- a/src/tls/pkcs1.c | ||
33 | +++ b/src/tls/pkcs1.c | ||
34 | @@ -240,6 +240,8 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk, | ||
35 | os_free(decrypted); | ||
36 | return -1; | ||
37 | } | ||
38 | + wpa_hexdump(MSG_MSGDUMP, "PKCS #1: DigestInfo", | ||
39 | + hdr.payload, hdr.length); | ||
40 | |||
41 | pos = hdr.payload; | ||
42 | end = pos + hdr.length; | ||
43 | @@ -261,6 +263,8 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk, | ||
44 | os_free(decrypted); | ||
45 | return -1; | ||
46 | } | ||
47 | + wpa_hexdump(MSG_MSGDUMP, "PKCS #1: DigestAlgorithmIdentifier", | ||
48 | + hdr.payload, hdr.length); | ||
49 | da_end = hdr.payload + hdr.length; | ||
50 | |||
51 | if (asn1_get_oid(hdr.payload, hdr.length, &oid, &next)) { | ||
52 | @@ -269,6 +273,23 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk, | ||
53 | os_free(decrypted); | ||
54 | return -1; | ||
55 | } | ||
56 | + wpa_hexdump(MSG_MSGDUMP, "PKCS #1: Digest algorithm parameters", | ||
57 | + next, da_end - next); | ||
58 | + | ||
59 | + /* | ||
60 | + * RFC 5754: The correct encoding for the SHA2 algorithms would be to | ||
61 | + * omit the parameters, but there are implementation that encode these | ||
62 | + * as a NULL element. Allow these two cases and reject anything else. | ||
63 | + */ | ||
64 | + if (da_end > next && | ||
65 | + (asn1_get_next(next, da_end - next, &hdr) < 0 || | ||
66 | + !asn1_is_null(&hdr) || | ||
67 | + hdr.payload + hdr.length != da_end)) { | ||
68 | + wpa_printf(MSG_DEBUG, | ||
69 | + "PKCS #1: Unexpected digest algorithm parameters"); | ||
70 | + os_free(decrypted); | ||
71 | + return -1; | ||
72 | + } | ||
73 | |||
74 | if (!asn1_oid_equal(&oid, hash_alg)) { | ||
75 | char txt[100], txt2[100]; | ||
76 | diff --git a/src/tls/x509v3.c b/src/tls/x509v3.c | ||
77 | index 1bd5aa0..bf2289f 100644 | ||
78 | --- a/src/tls/x509v3.c | ||
79 | +++ b/src/tls/x509v3.c | ||
80 | @@ -1834,6 +1834,7 @@ int x509_check_signature(struct x509_certificate *issuer, | ||
81 | os_free(data); | ||
82 | return -1; | ||
83 | } | ||
84 | + wpa_hexdump(MSG_MSGDUMP, "X509: DigestInfo", hdr.payload, hdr.length); | ||
85 | |||
86 | pos = hdr.payload; | ||
87 | end = pos + hdr.length; | ||
88 | @@ -1855,6 +1856,8 @@ int x509_check_signature(struct x509_certificate *issuer, | ||
89 | os_free(data); | ||
90 | return -1; | ||
91 | } | ||
92 | + wpa_hexdump(MSG_MSGDUMP, "X509: DigestAlgorithmIdentifier", | ||
93 | + hdr.payload, hdr.length); | ||
94 | da_end = hdr.payload + hdr.length; | ||
95 | |||
96 | if (asn1_get_oid(hdr.payload, hdr.length, &oid, &next)) { | ||
97 | @@ -1862,6 +1865,23 @@ int x509_check_signature(struct x509_certificate *issuer, | ||
98 | os_free(data); | ||
99 | return -1; | ||
100 | } | ||
101 | + wpa_hexdump(MSG_MSGDUMP, "X509: Digest algorithm parameters", | ||
102 | + next, da_end - next); | ||
103 | + | ||
104 | + /* | ||
105 | + * RFC 5754: The correct encoding for the SHA2 algorithms would be to | ||
106 | + * omit the parameters, but there are implementation that encode these | ||
107 | + * as a NULL element. Allow these two cases and reject anything else. | ||
108 | + */ | ||
109 | + if (da_end > next && | ||
110 | + (asn1_get_next(next, da_end - next, &hdr) < 0 || | ||
111 | + !asn1_is_null(&hdr) || | ||
112 | + hdr.payload + hdr.length != da_end)) { | ||
113 | + wpa_printf(MSG_DEBUG, | ||
114 | + "X509: Unexpected digest algorithm parameters"); | ||
115 | + os_free(data); | ||
116 | + return -1; | ||
117 | + } | ||
118 | |||
119 | if (x509_sha1_oid(&oid)) { | ||
120 | if (signature->oid.oid[6] != 5 /* sha-1WithRSAEncryption */) { | ||
121 | -- | ||
122 | 2.17.1 | ||
123 | |||
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2022-23303-4.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2022-23303-4.patch new file mode 100644 index 0000000000..21e65ba961 --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2022-23303-4.patch | |||
@@ -0,0 +1,609 @@ | |||
1 | From 208e5687ff2e48622e28d8888ce5444a54353bbd Mon Sep 17 00:00:00 2001 | ||
2 | From: Jouni Malinen <jouni@codeaurora.org> | ||
3 | Date: Tue, 27 Aug 2019 16:33:15 +0300 | ||
4 | Subject: [PATCH 1/4] crypto: Add more bignum/EC helper functions | ||
5 | |||
6 | These are needed for implementing SAE hash-to-element. | ||
7 | |||
8 | Signed-off-by: Jouni Malinen <jouni@codeaurora.org> | ||
9 | |||
10 | Upstream-Status: Backport | ||
11 | https://w1.fi/security/2022-1/ | ||
12 | |||
13 | CVE: CVE-2022-23303 CVE-2022-23304 | ||
14 | Signed-off-by: Steve Sakoman <steve@sakoman.com> | ||
15 | |||
16 | --- | ||
17 | src/crypto/crypto.h | 45 ++++++++++++++++++ | ||
18 | src/crypto/crypto_openssl.c | 94 +++++++++++++++++++++++++++++++++++++ | ||
19 | src/crypto/crypto_wolfssl.c | 66 ++++++++++++++++++++++++++ | ||
20 | 3 files changed, 205 insertions(+) | ||
21 | |||
22 | diff --git a/src/crypto/crypto.h b/src/crypto/crypto.h | ||
23 | index 15f8ad04cea4..68476dbce96c 100644 | ||
24 | --- a/src/crypto/crypto.h | ||
25 | +++ b/src/crypto/crypto.h | ||
26 | @@ -518,6 +518,13 @@ struct crypto_bignum * crypto_bignum_init(void); | ||
27 | */ | ||
28 | struct crypto_bignum * crypto_bignum_init_set(const u8 *buf, size_t len); | ||
29 | |||
30 | +/** | ||
31 | + * crypto_bignum_init_set - Allocate memory for bignum and set the value (uint) | ||
32 | + * @val: Value to set | ||
33 | + * Returns: Pointer to allocated bignum or %NULL on failure | ||
34 | + */ | ||
35 | +struct crypto_bignum * crypto_bignum_init_uint(unsigned int val); | ||
36 | + | ||
37 | /** | ||
38 | * crypto_bignum_deinit - Free bignum | ||
39 | * @n: Bignum from crypto_bignum_init() or crypto_bignum_init_set() | ||
40 | @@ -612,6 +619,19 @@ int crypto_bignum_div(const struct crypto_bignum *a, | ||
41 | const struct crypto_bignum *b, | ||
42 | struct crypto_bignum *c); | ||
43 | |||
44 | +/** | ||
45 | + * crypto_bignum_addmod - d = a + b (mod c) | ||
46 | + * @a: Bignum | ||
47 | + * @b: Bignum | ||
48 | + * @c: Bignum | ||
49 | + * @d: Bignum; used to store the result of (a + b) % c | ||
50 | + * Returns: 0 on success, -1 on failure | ||
51 | + */ | ||
52 | +int crypto_bignum_addmod(const struct crypto_bignum *a, | ||
53 | + const struct crypto_bignum *b, | ||
54 | + const struct crypto_bignum *c, | ||
55 | + struct crypto_bignum *d); | ||
56 | + | ||
57 | /** | ||
58 | * crypto_bignum_mulmod - d = a * b (mod c) | ||
59 | * @a: Bignum | ||
60 | @@ -625,6 +645,28 @@ int crypto_bignum_mulmod(const struct crypto_bignum *a, | ||
61 | const struct crypto_bignum *c, | ||
62 | struct crypto_bignum *d); | ||
63 | |||
64 | +/** | ||
65 | + * crypto_bignum_sqrmod - c = a^2 (mod b) | ||
66 | + * @a: Bignum | ||
67 | + * @b: Bignum | ||
68 | + * @c: Bignum; used to store the result of a^2 % b | ||
69 | + * Returns: 0 on success, -1 on failure | ||
70 | + */ | ||
71 | +int crypto_bignum_sqrmod(const struct crypto_bignum *a, | ||
72 | + const struct crypto_bignum *b, | ||
73 | + struct crypto_bignum *c); | ||
74 | + | ||
75 | +/** | ||
76 | + * crypto_bignum_sqrtmod - returns sqrt(a) (mod b) | ||
77 | + * @a: Bignum | ||
78 | + * @b: Bignum | ||
79 | + * @c: Bignum; used to store the result | ||
80 | + * Returns: 0 on success, -1 on failure | ||
81 | + */ | ||
82 | +int crypto_bignum_sqrtmod(const struct crypto_bignum *a, | ||
83 | + const struct crypto_bignum *b, | ||
84 | + struct crypto_bignum *c); | ||
85 | + | ||
86 | /** | ||
87 | * crypto_bignum_rshift - r = a >> n | ||
88 | * @a: Bignum | ||
89 | @@ -731,6 +773,9 @@ const struct crypto_bignum * crypto_ec_get_prime(struct crypto_ec *e); | ||
90 | */ | ||
91 | const struct crypto_bignum * crypto_ec_get_order(struct crypto_ec *e); | ||
92 | |||
93 | +const struct crypto_bignum * crypto_ec_get_a(struct crypto_ec *e); | ||
94 | +const struct crypto_bignum * crypto_ec_get_b(struct crypto_ec *e); | ||
95 | + | ||
96 | /** | ||
97 | * struct crypto_ec_point - Elliptic curve point | ||
98 | * | ||
99 | diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c | ||
100 | index bab33a537293..ed463105e8f1 100644 | ||
101 | --- a/src/crypto/crypto_openssl.c | ||
102 | +++ b/src/crypto/crypto_openssl.c | ||
103 | @@ -1283,6 +1283,24 @@ struct crypto_bignum * crypto_bignum_init_set(const u8 *buf, size_t len) | ||
104 | } | ||
105 | |||
106 | |||
107 | +struct crypto_bignum * crypto_bignum_init_uint(unsigned int val) | ||
108 | +{ | ||
109 | + BIGNUM *bn; | ||
110 | + | ||
111 | + if (TEST_FAIL()) | ||
112 | + return NULL; | ||
113 | + | ||
114 | + bn = BN_new(); | ||
115 | + if (!bn) | ||
116 | + return NULL; | ||
117 | + if (BN_set_word(bn, val) != 1) { | ||
118 | + BN_free(bn); | ||
119 | + return NULL; | ||
120 | + } | ||
121 | + return (struct crypto_bignum *) bn; | ||
122 | +} | ||
123 | + | ||
124 | + | ||
125 | void crypto_bignum_deinit(struct crypto_bignum *n, int clear) | ||
126 | { | ||
127 | if (clear) | ||
128 | @@ -1449,6 +1467,28 @@ int crypto_bignum_div(const struct crypto_bignum *a, | ||
129 | } | ||
130 | |||
131 | |||
132 | +int crypto_bignum_addmod(const struct crypto_bignum *a, | ||
133 | + const struct crypto_bignum *b, | ||
134 | + const struct crypto_bignum *c, | ||
135 | + struct crypto_bignum *d) | ||
136 | +{ | ||
137 | + int res; | ||
138 | + BN_CTX *bnctx; | ||
139 | + | ||
140 | + if (TEST_FAIL()) | ||
141 | + return -1; | ||
142 | + | ||
143 | + bnctx = BN_CTX_new(); | ||
144 | + if (!bnctx) | ||
145 | + return -1; | ||
146 | + res = BN_mod_add((BIGNUM *) d, (const BIGNUM *) a, (const BIGNUM *) b, | ||
147 | + (const BIGNUM *) c, bnctx); | ||
148 | + BN_CTX_free(bnctx); | ||
149 | + | ||
150 | + return res ? 0 : -1; | ||
151 | +} | ||
152 | + | ||
153 | + | ||
154 | int crypto_bignum_mulmod(const struct crypto_bignum *a, | ||
155 | const struct crypto_bignum *b, | ||
156 | const struct crypto_bignum *c, | ||
157 | @@ -1472,6 +1512,48 @@ int crypto_bignum_mulmod(const struct crypto_bignum *a, | ||
158 | } | ||
159 | |||
160 | |||
161 | +int crypto_bignum_sqrmod(const struct crypto_bignum *a, | ||
162 | + const struct crypto_bignum *b, | ||
163 | + struct crypto_bignum *c) | ||
164 | +{ | ||
165 | + int res; | ||
166 | + BN_CTX *bnctx; | ||
167 | + | ||
168 | + if (TEST_FAIL()) | ||
169 | + return -1; | ||
170 | + | ||
171 | + bnctx = BN_CTX_new(); | ||
172 | + if (!bnctx) | ||
173 | + return -1; | ||
174 | + res = BN_mod_sqr((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b, | ||
175 | + bnctx); | ||
176 | + BN_CTX_free(bnctx); | ||
177 | + | ||
178 | + return res ? 0 : -1; | ||
179 | +} | ||
180 | + | ||
181 | + | ||
182 | +int crypto_bignum_sqrtmod(const struct crypto_bignum *a, | ||
183 | + const struct crypto_bignum *b, | ||
184 | + struct crypto_bignum *c) | ||
185 | +{ | ||
186 | + BN_CTX *bnctx; | ||
187 | + BIGNUM *res; | ||
188 | + | ||
189 | + if (TEST_FAIL()) | ||
190 | + return -1; | ||
191 | + | ||
192 | + bnctx = BN_CTX_new(); | ||
193 | + if (!bnctx) | ||
194 | + return -1; | ||
195 | + res = BN_mod_sqrt((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b, | ||
196 | + bnctx); | ||
197 | + BN_CTX_free(bnctx); | ||
198 | + | ||
199 | + return res ? 0 : -1; | ||
200 | +} | ||
201 | + | ||
202 | + | ||
203 | int crypto_bignum_rshift(const struct crypto_bignum *a, int n, | ||
204 | struct crypto_bignum *r) | ||
205 | { | ||
206 | @@ -1682,6 +1764,18 @@ const struct crypto_bignum * crypto_ec_get_order(struct crypto_ec *e) | ||
207 | } | ||
208 | |||
209 | |||
210 | +const struct crypto_bignum * crypto_ec_get_a(struct crypto_ec *e) | ||
211 | +{ | ||
212 | + return (const struct crypto_bignum *) e->a; | ||
213 | +} | ||
214 | + | ||
215 | + | ||
216 | +const struct crypto_bignum * crypto_ec_get_b(struct crypto_ec *e) | ||
217 | +{ | ||
218 | + return (const struct crypto_bignum *) e->b; | ||
219 | +} | ||
220 | + | ||
221 | + | ||
222 | void crypto_ec_point_deinit(struct crypto_ec_point *p, int clear) | ||
223 | { | ||
224 | if (clear) | ||
225 | diff --git a/src/crypto/crypto_wolfssl.c b/src/crypto/crypto_wolfssl.c | ||
226 | index 4cedab4367cd..e9894b335e53 100644 | ||
227 | --- a/src/crypto/crypto_wolfssl.c | ||
228 | +++ b/src/crypto/crypto_wolfssl.c | ||
229 | @@ -1042,6 +1042,26 @@ struct crypto_bignum * crypto_bignum_init_set(const u8 *buf, size_t len) | ||
230 | } | ||
231 | |||
232 | |||
233 | +struct crypto_bignum * crypto_bignum_init_uint(unsigned int val) | ||
234 | +{ | ||
235 | + mp_int *a; | ||
236 | + | ||
237 | + if (TEST_FAIL()) | ||
238 | + return NULL; | ||
239 | + | ||
240 | + a = (mp_int *) crypto_bignum_init(); | ||
241 | + if (!a) | ||
242 | + return NULL; | ||
243 | + | ||
244 | + if (mp_set_int(a, val) != MP_OKAY) { | ||
245 | + os_free(a); | ||
246 | + a = NULL; | ||
247 | + } | ||
248 | + | ||
249 | + return (struct crypto_bignum *) a; | ||
250 | +} | ||
251 | + | ||
252 | + | ||
253 | void crypto_bignum_deinit(struct crypto_bignum *n, int clear) | ||
254 | { | ||
255 | if (!n) | ||
256 | @@ -1168,6 +1188,19 @@ int crypto_bignum_div(const struct crypto_bignum *a, | ||
257 | } | ||
258 | |||
259 | |||
260 | +int crypto_bignum_addmod(const struct crypto_bignum *a, | ||
261 | + const struct crypto_bignum *b, | ||
262 | + const struct crypto_bignum *c, | ||
263 | + struct crypto_bignum *d) | ||
264 | +{ | ||
265 | + if (TEST_FAIL()) | ||
266 | + return -1; | ||
267 | + | ||
268 | + return mp_addmod((mp_int *) a, (mp_int *) b, (mp_int *) c, | ||
269 | + (mp_int *) d) == MP_OKAY ? 0 : -1; | ||
270 | +} | ||
271 | + | ||
272 | + | ||
273 | int crypto_bignum_mulmod(const struct crypto_bignum *a, | ||
274 | const struct crypto_bignum *b, | ||
275 | const struct crypto_bignum *m, | ||
276 | @@ -1181,6 +1214,27 @@ int crypto_bignum_mulmod(const struct crypto_bignum *a, | ||
277 | } | ||
278 | |||
279 | |||
280 | +int crypto_bignum_sqrmod(const struct crypto_bignum *a, | ||
281 | + const struct crypto_bignum *b, | ||
282 | + struct crypto_bignum *c) | ||
283 | +{ | ||
284 | + if (TEST_FAIL()) | ||
285 | + return -1; | ||
286 | + | ||
287 | + return mp_sqrmod((mp_int *) a, (mp_int *) b, | ||
288 | + (mp_int *) c) == MP_OKAY ? 0 : -1; | ||
289 | +} | ||
290 | + | ||
291 | + | ||
292 | +int crypto_bignum_sqrtmod(const struct crypto_bignum *a, | ||
293 | + const struct crypto_bignum *b, | ||
294 | + struct crypto_bignum *c) | ||
295 | +{ | ||
296 | + /* TODO */ | ||
297 | + return -1; | ||
298 | +} | ||
299 | + | ||
300 | + | ||
301 | int crypto_bignum_rshift(const struct crypto_bignum *a, int n, | ||
302 | struct crypto_bignum *r) | ||
303 | { | ||
304 | @@ -1386,6 +1440,18 @@ const struct crypto_bignum * crypto_ec_get_order(struct crypto_ec *e) | ||
305 | } | ||
306 | |||
307 | |||
308 | +const struct crypto_bignum * crypto_ec_get_a(struct crypto_ec *e) | ||
309 | +{ | ||
310 | + return (const struct crypto_bignum *) &e->a; | ||
311 | +} | ||
312 | + | ||
313 | + | ||
314 | +const struct crypto_bignum * crypto_ec_get_b(struct crypto_ec *e) | ||
315 | +{ | ||
316 | + return (const struct crypto_bignum *) &e->b; | ||
317 | +} | ||
318 | + | ||
319 | + | ||
320 | void crypto_ec_point_deinit(struct crypto_ec_point *p, int clear) | ||
321 | { | ||
322 | ecc_point *point = (ecc_point *) p; | ||
323 | -- | ||
324 | 2.25.1 | ||
325 | |||
326 | From 2232d3d5f188b65dbb6c823ac62175412739eb16 Mon Sep 17 00:00:00 2001 | ||
327 | From: Jouni Malinen <j@w1.fi> | ||
328 | Date: Fri, 7 Jan 2022 13:47:16 +0200 | ||
329 | Subject: [PATCH 2/4] dragonfly: Add sqrt() helper function | ||
330 | |||
331 | This is a backport of "SAE: Move sqrt() implementation into a helper | ||
332 | function" to introduce the helper function needed for the following | ||
333 | patches. | ||
334 | |||
335 | Signed-off-by: Jouni Malinen <j@w1.fi> | ||
336 | --- | ||
337 | src/common/dragonfly.c | 34 ++++++++++++++++++++++++++++++++++ | ||
338 | src/common/dragonfly.h | 2 ++ | ||
339 | 2 files changed, 36 insertions(+) | ||
340 | |||
341 | diff --git a/src/common/dragonfly.c b/src/common/dragonfly.c | ||
342 | index 547be66f1561..1e842716668e 100644 | ||
343 | --- a/src/common/dragonfly.c | ||
344 | +++ b/src/common/dragonfly.c | ||
345 | @@ -213,3 +213,37 @@ int dragonfly_generate_scalar(const struct crypto_bignum *order, | ||
346 | "dragonfly: Unable to get randomness for own scalar"); | ||
347 | return -1; | ||
348 | } | ||
349 | + | ||
350 | + | ||
351 | +/* res = sqrt(val) */ | ||
352 | +int dragonfly_sqrt(struct crypto_ec *ec, const struct crypto_bignum *val, | ||
353 | + struct crypto_bignum *res) | ||
354 | +{ | ||
355 | + const struct crypto_bignum *prime; | ||
356 | + struct crypto_bignum *tmp, *one; | ||
357 | + int ret = 0; | ||
358 | + u8 prime_bin[DRAGONFLY_MAX_ECC_PRIME_LEN]; | ||
359 | + size_t prime_len; | ||
360 | + | ||
361 | + /* For prime p such that p = 3 mod 4, sqrt(w) = w^((p+1)/4) mod p */ | ||
362 | + | ||
363 | + prime = crypto_ec_get_prime(ec); | ||
364 | + prime_len = crypto_ec_prime_len(ec); | ||
365 | + tmp = crypto_bignum_init(); | ||
366 | + one = crypto_bignum_init_uint(1); | ||
367 | + | ||
368 | + if (crypto_bignum_to_bin(prime, prime_bin, sizeof(prime_bin), | ||
369 | + prime_len) < 0 || | ||
370 | + (prime_bin[prime_len - 1] & 0x03) != 3 || | ||
371 | + !tmp || !one || | ||
372 | + /* tmp = (p+1)/4 */ | ||
373 | + crypto_bignum_add(prime, one, tmp) < 0 || | ||
374 | + crypto_bignum_rshift(tmp, 2, tmp) < 0 || | ||
375 | + /* res = sqrt(val) */ | ||
376 | + crypto_bignum_exptmod(val, tmp, prime, res) < 0) | ||
377 | + ret = -1; | ||
378 | + | ||
379 | + crypto_bignum_deinit(tmp, 0); | ||
380 | + crypto_bignum_deinit(one, 0); | ||
381 | + return ret; | ||
382 | +} | ||
383 | diff --git a/src/common/dragonfly.h b/src/common/dragonfly.h | ||
384 | index ec3dd593eda4..84d67f575c54 100644 | ||
385 | --- a/src/common/dragonfly.h | ||
386 | +++ b/src/common/dragonfly.h | ||
387 | @@ -27,5 +27,7 @@ int dragonfly_generate_scalar(const struct crypto_bignum *order, | ||
388 | struct crypto_bignum *_rand, | ||
389 | struct crypto_bignum *_mask, | ||
390 | struct crypto_bignum *scalar); | ||
391 | +int dragonfly_sqrt(struct crypto_ec *ec, const struct crypto_bignum *val, | ||
392 | + struct crypto_bignum *res); | ||
393 | |||
394 | #endif /* DRAGONFLY_H */ | ||
395 | -- | ||
396 | 2.25.1 | ||
397 | |||
398 | From fe534b0baaa8c0e6ddeb24cf529d6e50e33dc501 Mon Sep 17 00:00:00 2001 | ||
399 | From: Jouni Malinen <j@w1.fi> | ||
400 | Date: Fri, 7 Jan 2022 13:47:16 +0200 | ||
401 | Subject: [PATCH 3/4] SAE: Derive the y coordinate for PWE with own | ||
402 | implementation | ||
403 | |||
404 | The crypto_ec_point_solve_y_coord() wrapper function might not use | ||
405 | constant time operations in the crypto library and as such, could leak | ||
406 | side channel information about the password that is used to generate the | ||
407 | PWE in the hunting and pecking loop. As such, calculate the two possible | ||
408 | y coordinate values and pick the correct one to use with constant time | ||
409 | selection. | ||
410 | |||
411 | Signed-off-by: Jouni Malinen <j@w1.fi> | ||
412 | --- | ||
413 | src/common/sae.c | 47 +++++++++++++++++++++++++++++++++-------------- | ||
414 | 1 file changed, 33 insertions(+), 14 deletions(-) | ||
415 | |||
416 | diff --git a/src/common/sae.c b/src/common/sae.c | ||
417 | index 08fdbfd18173..8d79ed962768 100644 | ||
418 | --- a/src/common/sae.c | ||
419 | +++ b/src/common/sae.c | ||
420 | @@ -286,14 +286,16 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1, | ||
421 | int pwd_seed_odd = 0; | ||
422 | u8 prime[SAE_MAX_ECC_PRIME_LEN]; | ||
423 | size_t prime_len; | ||
424 | - struct crypto_bignum *x = NULL, *qr = NULL, *qnr = NULL; | ||
425 | + struct crypto_bignum *x = NULL, *y = NULL, *qr = NULL, *qnr = NULL; | ||
426 | u8 x_bin[SAE_MAX_ECC_PRIME_LEN]; | ||
427 | u8 x_cand_bin[SAE_MAX_ECC_PRIME_LEN]; | ||
428 | u8 qr_bin[SAE_MAX_ECC_PRIME_LEN]; | ||
429 | u8 qnr_bin[SAE_MAX_ECC_PRIME_LEN]; | ||
430 | + u8 x_y[2 * SAE_MAX_ECC_PRIME_LEN]; | ||
431 | int res = -1; | ||
432 | u8 found = 0; /* 0 (false) or 0xff (true) to be used as const_time_* | ||
433 | * mask */ | ||
434 | + unsigned int is_eq; | ||
435 | |||
436 | os_memset(x_bin, 0, sizeof(x_bin)); | ||
437 | |||
438 | @@ -402,25 +404,42 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1, | ||
439 | goto fail; | ||
440 | } | ||
441 | |||
442 | - if (!sae->tmp->pwe_ecc) | ||
443 | - sae->tmp->pwe_ecc = crypto_ec_point_init(sae->tmp->ec); | ||
444 | - if (!sae->tmp->pwe_ecc) | ||
445 | - res = -1; | ||
446 | - else | ||
447 | - res = crypto_ec_point_solve_y_coord(sae->tmp->ec, | ||
448 | - sae->tmp->pwe_ecc, x, | ||
449 | - pwd_seed_odd); | ||
450 | - if (res < 0) { | ||
451 | - /* | ||
452 | - * This should not happen since we already checked that there | ||
453 | - * is a result. | ||
454 | - */ | ||
455 | + /* y = sqrt(x^3 + ax + b) mod p | ||
456 | + * if LSB(save) == LSB(y): PWE = (x, y) | ||
457 | + * else: PWE = (x, p - y) | ||
458 | + * | ||
459 | + * Calculate y and the two possible values for PWE and after that, | ||
460 | + * use constant time selection to copy the correct alternative. | ||
461 | + */ | ||
462 | + y = crypto_ec_point_compute_y_sqr(sae->tmp->ec, x); | ||
463 | + if (!y || | ||
464 | + dragonfly_sqrt(sae->tmp->ec, y, y) < 0 || | ||
465 | + crypto_bignum_to_bin(y, x_y, SAE_MAX_ECC_PRIME_LEN, | ||
466 | + prime_len) < 0 || | ||
467 | + crypto_bignum_sub(sae->tmp->prime, y, y) < 0 || | ||
468 | + crypto_bignum_to_bin(y, x_y + SAE_MAX_ECC_PRIME_LEN, | ||
469 | + SAE_MAX_ECC_PRIME_LEN, prime_len) < 0) { | ||
470 | wpa_printf(MSG_DEBUG, "SAE: Could not solve y"); | ||
471 | + goto fail; | ||
472 | + } | ||
473 | + | ||
474 | + is_eq = const_time_eq(pwd_seed_odd, x_y[prime_len - 1] & 0x01); | ||
475 | + const_time_select_bin(is_eq, x_y, x_y + SAE_MAX_ECC_PRIME_LEN, | ||
476 | + prime_len, x_y + prime_len); | ||
477 | + os_memcpy(x_y, x_bin, prime_len); | ||
478 | + wpa_hexdump_key(MSG_DEBUG, "SAE: PWE", x_y, 2 * prime_len); | ||
479 | + crypto_ec_point_deinit(sae->tmp->pwe_ecc, 1); | ||
480 | + sae->tmp->pwe_ecc = crypto_ec_point_from_bin(sae->tmp->ec, x_y); | ||
481 | + if (!sae->tmp->pwe_ecc) { | ||
482 | + wpa_printf(MSG_DEBUG, "SAE: Could not generate PWE"); | ||
483 | + res = -1; | ||
484 | } | ||
485 | |||
486 | fail: | ||
487 | + forced_memzero(x_y, sizeof(x_y)); | ||
488 | crypto_bignum_deinit(qr, 0); | ||
489 | crypto_bignum_deinit(qnr, 0); | ||
490 | + crypto_bignum_deinit(y, 1); | ||
491 | os_free(dummy_password); | ||
492 | bin_clear_free(tmp_password, password_len); | ||
493 | crypto_bignum_deinit(x, 1); | ||
494 | -- | ||
495 | 2.25.1 | ||
496 | |||
497 | From 603cd880e7f90595482658a7136fa6a7be5cb485 Mon Sep 17 00:00:00 2001 | ||
498 | From: Jouni Malinen <j@w1.fi> | ||
499 | Date: Fri, 7 Jan 2022 18:52:27 +0200 | ||
500 | Subject: [PATCH 4/4] EAP-pwd: Derive the y coordinate for PWE with own | ||
501 | implementation | ||
502 | |||
503 | The crypto_ec_point_solve_y_coord() wrapper function might not use | ||
504 | constant time operations in the crypto library and as such, could leak | ||
505 | side channel information about the password that is used to generate the | ||
506 | PWE in the hunting and pecking loop. As such, calculate the two possible | ||
507 | y coordinate values and pick the correct one to use with constant time | ||
508 | selection. | ||
509 | |||
510 | Signed-off-by: Jouni Malinen <j@w1.fi> | ||
511 | --- | ||
512 | src/eap_common/eap_pwd_common.c | 46 ++++++++++++++++++++++++++------- | ||
513 | 1 file changed, 36 insertions(+), 10 deletions(-) | ||
514 | |||
515 | diff --git a/src/eap_common/eap_pwd_common.c b/src/eap_common/eap_pwd_common.c | ||
516 | index 2b2b8efdbd01..ff22b29b087a 100644 | ||
517 | --- a/src/eap_common/eap_pwd_common.c | ||
518 | +++ b/src/eap_common/eap_pwd_common.c | ||
519 | @@ -127,7 +127,8 @@ int compute_password_element(EAP_PWD_group *grp, u16 num, | ||
520 | u8 qr_or_qnr_bin[MAX_ECC_PRIME_LEN]; | ||
521 | u8 x_bin[MAX_ECC_PRIME_LEN]; | ||
522 | u8 prime_bin[MAX_ECC_PRIME_LEN]; | ||
523 | - struct crypto_bignum *tmp2 = NULL; | ||
524 | + u8 x_y[2 * MAX_ECC_PRIME_LEN]; | ||
525 | + struct crypto_bignum *tmp2 = NULL, *y = NULL; | ||
526 | struct crypto_hash *hash; | ||
527 | unsigned char pwe_digest[SHA256_MAC_LEN], *prfbuf = NULL, ctr; | ||
528 | int ret = 0, res; | ||
529 | @@ -139,6 +140,7 @@ int compute_password_element(EAP_PWD_group *grp, u16 num, | ||
530 | u8 found_ctr = 0, is_odd = 0; | ||
531 | int cmp_prime; | ||
532 | unsigned int in_range; | ||
533 | + unsigned int is_eq; | ||
534 | |||
535 | if (grp->pwe) | ||
536 | return -1; | ||
537 | @@ -151,11 +153,6 @@ int compute_password_element(EAP_PWD_group *grp, u16 num, | ||
538 | if (crypto_bignum_to_bin(prime, prime_bin, sizeof(prime_bin), | ||
539 | primebytelen) < 0) | ||
540 | return -1; | ||
541 | - grp->pwe = crypto_ec_point_init(grp->group); | ||
542 | - if (!grp->pwe) { | ||
543 | - wpa_printf(MSG_INFO, "EAP-pwd: unable to create bignums"); | ||
544 | - goto fail; | ||
545 | - } | ||
546 | |||
547 | if ((prfbuf = os_malloc(primebytelen)) == NULL) { | ||
548 | wpa_printf(MSG_INFO, "EAP-pwd: unable to malloc space for prf " | ||
549 | @@ -261,10 +258,37 @@ int compute_password_element(EAP_PWD_group *grp, u16 num, | ||
550 | */ | ||
551 | crypto_bignum_deinit(x_candidate, 1); | ||
552 | x_candidate = crypto_bignum_init_set(x_bin, primebytelen); | ||
553 | - if (!x_candidate || | ||
554 | - crypto_ec_point_solve_y_coord(grp->group, grp->pwe, x_candidate, | ||
555 | - is_odd) != 0) { | ||
556 | - wpa_printf(MSG_INFO, "EAP-pwd: Could not solve for y"); | ||
557 | + if (!x_candidate) | ||
558 | + goto fail; | ||
559 | + | ||
560 | + /* y = sqrt(x^3 + ax + b) mod p | ||
561 | + * if LSB(y) == LSB(pwd-seed): PWE = (x, y) | ||
562 | + * else: PWE = (x, p - y) | ||
563 | + * | ||
564 | + * Calculate y and the two possible values for PWE and after that, | ||
565 | + * use constant time selection to copy the correct alternative. | ||
566 | + */ | ||
567 | + y = crypto_ec_point_compute_y_sqr(grp->group, x_candidate); | ||
568 | + if (!y || | ||
569 | + dragonfly_sqrt(grp->group, y, y) < 0 || | ||
570 | + crypto_bignum_to_bin(y, x_y, MAX_ECC_PRIME_LEN, primebytelen) < 0 || | ||
571 | + crypto_bignum_sub(prime, y, y) < 0 || | ||
572 | + crypto_bignum_to_bin(y, x_y + MAX_ECC_PRIME_LEN, | ||
573 | + MAX_ECC_PRIME_LEN, primebytelen) < 0) { | ||
574 | + wpa_printf(MSG_DEBUG, "SAE: Could not solve y"); | ||
575 | + goto fail; | ||
576 | + } | ||
577 | + | ||
578 | + /* Constant time selection of the y coordinate from the two | ||
579 | + * options */ | ||
580 | + is_eq = const_time_eq(is_odd, x_y[primebytelen - 1] & 0x01); | ||
581 | + const_time_select_bin(is_eq, x_y, x_y + MAX_ECC_PRIME_LEN, | ||
582 | + primebytelen, x_y + primebytelen); | ||
583 | + os_memcpy(x_y, x_bin, primebytelen); | ||
584 | + wpa_hexdump_key(MSG_DEBUG, "EAP-pwd: PWE", x_y, 2 * primebytelen); | ||
585 | + grp->pwe = crypto_ec_point_from_bin(grp->group, x_y); | ||
586 | + if (!grp->pwe) { | ||
587 | + wpa_printf(MSG_DEBUG, "EAP-pwd: Could not generate PWE"); | ||
588 | goto fail; | ||
589 | } | ||
590 | |||
591 | @@ -289,6 +313,7 @@ int compute_password_element(EAP_PWD_group *grp, u16 num, | ||
592 | /* cleanliness and order.... */ | ||
593 | crypto_bignum_deinit(x_candidate, 1); | ||
594 | crypto_bignum_deinit(tmp2, 1); | ||
595 | + crypto_bignum_deinit(y, 1); | ||
596 | crypto_bignum_deinit(qr, 1); | ||
597 | crypto_bignum_deinit(qnr, 1); | ||
598 | bin_clear_free(prfbuf, primebytelen); | ||
599 | @@ -296,6 +321,7 @@ int compute_password_element(EAP_PWD_group *grp, u16 num, | ||
600 | os_memset(qnr_bin, 0, sizeof(qnr_bin)); | ||
601 | os_memset(qr_or_qnr_bin, 0, sizeof(qr_or_qnr_bin)); | ||
602 | os_memset(pwe_digest, 0, sizeof(pwe_digest)); | ||
603 | + forced_memzero(x_y, sizeof(x_y)); | ||
604 | |||
605 | return ret; | ||
606 | } | ||
607 | -- | ||
608 | 2.25.1 | ||
609 | |||
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb index 7cc03fef7d..a8fb34b1a1 100644 --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb | |||
@@ -1,5 +1,6 @@ | |||
1 | SUMMARY = "Client for Wi-Fi Protected Access (WPA)" | 1 | SUMMARY = "Client for Wi-Fi Protected Access (WPA)" |
2 | HOMEPAGE = "http://w1.fi/wpa_supplicant/" | 2 | HOMEPAGE = "http://w1.fi/wpa_supplicant/" |
3 | DESCRIPTION = "wpa_supplicant is a WPA Supplicant for Linux, BSD, Mac OS X, and Windows with support for WPA and WPA2 (IEEE 802.11i / RSN). Supplicant is the IEEE 802.1X/WPA component that is used in the client stations. It implements key negotiation with a WPA Authenticator and it controls the roaming and IEEE 802.11 authentication/association of the wlan driver." | ||
3 | BUGTRACKER = "http://w1.fi/security/" | 4 | BUGTRACKER = "http://w1.fi/security/" |
4 | SECTION = "network" | 5 | SECTION = "network" |
5 | LICENSE = "BSD-3-Clause" | 6 | LICENSE = "BSD-3-Clause" |
@@ -29,6 +30,10 @@ SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \ | |||
29 | file://0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch \ | 30 | file://0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch \ |
30 | file://0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch \ | 31 | file://0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch \ |
31 | file://0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch \ | 32 | file://0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch \ |
33 | file://CVE-2021-0326.patch \ | ||
34 | file://CVE-2021-27803.patch \ | ||
35 | file://CVE-2021-30004.patch \ | ||
36 | file://CVE-2022-23303-4.patch \ | ||
32 | " | 37 | " |
33 | SRC_URI[md5sum] = "2d2958c782576dc9901092fbfecb4190" | 38 | SRC_URI[md5sum] = "2d2958c782576dc9901092fbfecb4190" |
34 | SRC_URI[sha256sum] = "fcbdee7b4a64bea8177973299c8c824419c413ec2e3a95db63dd6a5dc3541f17" | 39 | SRC_URI[sha256sum] = "fcbdee7b4a64bea8177973299c8c824419c413ec2e3a95db63dd6a5dc3541f17" |