From be07743960fb4a0ddf1c79c1c63d5787b1fda08e Mon Sep 17 00:00:00 2001 From: Kai Kang Date: Tue, 2 Apr 2019 03:44:26 -0400 Subject: avahi: fix CVE-2017-6519 Backport patch to fix CVE-2017-6519. CVE: CVE-2017-6519 (From OE-Core rev: 979e3f4ac1e12228d368315169a32d5ab0209e91) Signed-off-by: Kai Kang Signed-off-by: Richard Purdie --- meta/recipes-connectivity/avahi/avahi.inc | 4 +- .../avahi/files/fix-CVE-2017-6519.patch | 48 ++++++++++++++++++++++ 2 files changed, 51 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-connectivity/avahi/files/fix-CVE-2017-6519.patch (limited to 'meta/recipes-connectivity/avahi') diff --git a/meta/recipes-connectivity/avahi/avahi.inc b/meta/recipes-connectivity/avahi/avahi.inc index 11846849f0..8339e451f5 100644 --- a/meta/recipes-connectivity/avahi/avahi.inc +++ b/meta/recipes-connectivity/avahi/avahi.inc @@ -19,7 +19,9 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=2d5025d4aa3495befef8f17206a5b0a1 \ file://avahi-daemon/main.c;endline=21;md5=9ee77368c5407af77caaef1b07285969 \ file://avahi-client/client.h;endline=23;md5=f4ac741a25c4f434039ba3e18c8674cf" -SRC_URI = "https://github.com/lathiat/avahi/releases/download/v${PV}/avahi-${PV}.tar.gz" +SRC_URI = "https://github.com/lathiat/avahi/releases/download/v${PV}/avahi-${PV}.tar.gz \ + file://fix-CVE-2017-6519.patch \ + " UPSTREAM_CHECK_URI = "https://github.com/lathiat/avahi/releases/" SRC_URI[md5sum] = "d76c59d0882ac6c256d70a2a585362a6" diff --git a/meta/recipes-connectivity/avahi/files/fix-CVE-2017-6519.patch b/meta/recipes-connectivity/avahi/files/fix-CVE-2017-6519.patch new file mode 100644 index 0000000000..7461fe193d --- /dev/null +++ b/meta/recipes-connectivity/avahi/files/fix-CVE-2017-6519.patch @@ -0,0 +1,48 @@ +Upstream-Status: Backport [https://github.com/lathiat/avahi/commit/e111def] + +CVE: CVE-2017-6519 + +Signed-off-by: Kai Kang + +From e111def44a7df4624a4aa3f85fe98054bffb6b4f Mon Sep 17 00:00:00 2001 +From: Trent Lloyd +Date: Sat, 22 Dec 2018 09:06:07 +0800 +Subject: [PATCH] Drop legacy unicast queries from address not on local link + +When handling legacy unicast queries, ensure that the source IP is +inside a subnet on the local link, otherwise drop the packet. + +Fixes #145 +Fixes #203 +CVE-2017-6519 +CVE-2018-1000845 +--- + avahi-core/server.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/avahi-core/server.c b/avahi-core/server.c +index a2cb19a8..a2580e38 100644 +--- a/avahi-core/server.c ++++ b/avahi-core/server.c +@@ -930,6 +930,7 @@ static void dispatch_packet(AvahiServer *s, AvahiDnsPacket *p, const AvahiAddres + + if (avahi_dns_packet_is_query(p)) { + int legacy_unicast = 0; ++ char t[AVAHI_ADDRESS_STR_MAX]; + + /* For queries EDNS0 might allow ARCOUNT != 0. We ignore the + * AR section completely here, so far. Until the day we add +@@ -947,6 +948,13 @@ static void dispatch_packet(AvahiServer *s, AvahiDnsPacket *p, const AvahiAddres + legacy_unicast = 1; + } + ++ if (!is_mdns_mcast_address(dst_address) && ++ !avahi_interface_address_on_link(i, src_address)) { ++ ++ avahi_log_debug("Received non-local unicast query from host %s on interface '%s.%i'.", avahi_address_snprint(t, sizeof(t), src_address), i->hardware->name, i->protocol); ++ return; ++ } ++ + if (legacy_unicast) + reflect_legacy_unicast_query_packet(s, p, i, src_address, port); + -- cgit v1.2.3-54-g00ecf