diff options
Diffstat (limited to 'meta/recipes-connectivity')
-rw-r--r-- | meta/recipes-connectivity/avahi/avahi_0.8.bb | 1 | ||||
-rw-r--r-- | meta/recipes-connectivity/avahi/files/CVE-2023-38471.patch | 73 |
2 files changed, 74 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/avahi/avahi_0.8.bb b/meta/recipes-connectivity/avahi/avahi_0.8.bb index a0b31a4697..9c903d6868 100644 --- a/meta/recipes-connectivity/avahi/avahi_0.8.bb +++ b/meta/recipes-connectivity/avahi/avahi_0.8.bb | |||
@@ -28,6 +28,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/avahi-${PV}.tar.gz \ | |||
28 | file://invalid-service.patch \ | 28 | file://invalid-service.patch \ |
29 | file://CVE-2023-38469.patch \ | 29 | file://CVE-2023-38469.patch \ |
30 | file://CVE-2023-38470.patch \ | 30 | file://CVE-2023-38470.patch \ |
31 | file://CVE-2023-38471.patch \ | ||
31 | " | 32 | " |
32 | 33 | ||
33 | GITHUB_BASE_URI = "https://github.com/lathiat/avahi/releases/" | 34 | GITHUB_BASE_URI = "https://github.com/lathiat/avahi/releases/" |
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38471.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38471.patch new file mode 100644 index 0000000000..b3f716495d --- /dev/null +++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38471.patch | |||
@@ -0,0 +1,73 @@ | |||
1 | From 48d745db7fd554fc33e96ec86d3675ebd530bb8e Mon Sep 17 00:00:00 2001 | ||
2 | From: Michal Sekletar <msekleta@redhat.com> | ||
3 | Date: Mon, 23 Oct 2023 13:38:35 +0200 | ||
4 | Subject: [PATCH] avahi: core: extract host name using avahi_unescape_label() | ||
5 | |||
6 | Previously we could create invalid escape sequence when we split the | ||
7 | string on dot. For example, from valid host name "foo\\.bar" we have | ||
8 | created invalid name "foo\\" and tried to set that as the host name | ||
9 | which crashed the daemon. | ||
10 | |||
11 | Fixes #453 | ||
12 | |||
13 | Upstream-Status: Backport [https://github.com/lathiat/avahi/commit/894f085f402e023a98cbb6f5a3d117bd88d93b09] | ||
14 | CVE: CVE-2023-38471 | ||
15 | |||
16 | Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com> | ||
17 | --- | ||
18 | avahi-core/server.c | 27 +++++++++++++++++++++------ | ||
19 | 1 file changed, 21 insertions(+), 6 deletions(-) | ||
20 | |||
21 | diff --git a/avahi-core/server.c b/avahi-core/server.c | ||
22 | index e507750..40f1d68 100644 | ||
23 | --- a/avahi-core/server.c | ||
24 | +++ b/avahi-core/server.c | ||
25 | @@ -1295,7 +1295,11 @@ static void update_fqdn(AvahiServer *s) { | ||
26 | } | ||
27 | |||
28 | int avahi_server_set_host_name(AvahiServer *s, const char *host_name) { | ||
29 | - char *hn = NULL; | ||
30 | + char label_escaped[AVAHI_LABEL_MAX*4+1]; | ||
31 | + char label[AVAHI_LABEL_MAX]; | ||
32 | + char *hn = NULL, *h; | ||
33 | + size_t len; | ||
34 | + | ||
35 | assert(s); | ||
36 | |||
37 | AVAHI_CHECK_VALIDITY(s, !host_name || avahi_is_valid_host_name(host_name), AVAHI_ERR_INVALID_HOST_NAME); | ||
38 | @@ -1305,17 +1309,28 @@ int avahi_server_set_host_name(AvahiServer *s, const char *host_name) { | ||
39 | else | ||
40 | hn = avahi_normalize_name_strdup(host_name); | ||
41 | |||
42 | - hn[strcspn(hn, ".")] = 0; | ||
43 | + h = hn; | ||
44 | + if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) { | ||
45 | + avahi_free(h); | ||
46 | + return AVAHI_ERR_INVALID_HOST_NAME; | ||
47 | + } | ||
48 | + | ||
49 | + avahi_free(h); | ||
50 | + | ||
51 | + h = label_escaped; | ||
52 | + len = sizeof(label_escaped); | ||
53 | + if (!avahi_escape_label(label, strlen(label), &h, &len)) | ||
54 | + return AVAHI_ERR_INVALID_HOST_NAME; | ||
55 | |||
56 | - if (avahi_domain_equal(s->host_name, hn) && s->state != AVAHI_SERVER_COLLISION) { | ||
57 | - avahi_free(hn); | ||
58 | + if (avahi_domain_equal(s->host_name, label_escaped) && s->state != AVAHI_SERVER_COLLISION) | ||
59 | return avahi_server_set_errno(s, AVAHI_ERR_NO_CHANGE); | ||
60 | - } | ||
61 | |||
62 | withdraw_host_rrs(s); | ||
63 | |||
64 | avahi_free(s->host_name); | ||
65 | - s->host_name = hn; | ||
66 | + s->host_name = avahi_strdup(label_escaped); | ||
67 | + if (!s->host_name) | ||
68 | + return AVAHI_ERR_NO_MEMORY; | ||
69 | |||
70 | update_fqdn(s); | ||
71 | |||
72 | -- | ||
73 | 2.40.0 | ||