avahi: fix CVE-2021-36217, crash on pinging '.local'

(From OE-Core rev: d4ff12cfd00c23ce39834b29fea89247f70f64ab) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 638beadad098e9ee4e743be8f59f5a7f11373aff) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Ross Burton <ross@burtonini.com> 2021-07-19 11:02:32 +0100
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-08-06 09:59:14 +0100
commit: 0eec0ffcce0bb79f046b722122f1dd0781c520b5 (patch)
tree: 8abf5bcc768557dbd668f7a63f0583a7d4f096b4
parent: ef2599f8677a5c52dc1217ee5168b4bf959fd156 (diff)
download: poky-0eec0ffcce0bb79f046b722122f1dd0781c520b5.tar.gz
2 files changed, 153 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/avahi/avahi_0.8.bb b/meta/recipes-connectivity/avahi/avahi_0.8.bb
index a07cdbd03c..69ac35ee07 100644
--- a/meta/recipes-connectivity/avahi/avahi_0.8.bb
+++ b/meta/recipes-connectivity/avahi/avahi_0.8.bb
@@ -25,6 +25,7 @@ SRC_URI = "https://github.com/lathiat/avahi/releases/download/v${PV}/avahi-${PV}
           file://initscript.patch \
           file://0001-Fix-opening-etc-resolv.conf-error.patch \
           file://handle-hup.patch \
+           file://local-ping.patch \
           "
 UPSTREAM_CHECK_URI = "https://github.com/lathiat/avahi/releases/"
diff --git a/meta/recipes-connectivity/avahi/files/local-ping.patch b/meta/recipes-connectivity/avahi/files/local-ping.patch
new file mode 100644
index 0000000000..94116ad1f3
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/local-ping.patch
@@ -0,0 +1,152 @@
+CVE: CVE-2021-36217
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+From 9d31939e55280a733d930b15ac9e4dda4497680c Mon Sep 17 00:00:00 2001
+From: Tommi Rantala <tommi.t.rantala@nokia.com>
+Date: Mon, 8 Feb 2021 11:04:43 +0200
+Subject: [PATCH] Fix NULL pointer crashes from #175
+avahi-daemon is crashing when running "ping .local".
+The crash is due to failing assertion from NULL pointer.
+Add missing NULL pointer checks to fix it.
+Introduced in #175 - merge commit 8f75a045709a780c8cf92a6a21e9d35b593bdecd
+---
+ avahi-core/browse-dns-server.c   | 5 ++++-
+ avahi-core/browse-domain.c       | 5 ++++-
+ avahi-core/browse-service-type.c | 3 +++
+ avahi-core/browse-service.c      | 3 +++
+ avahi-core/browse.c              | 3 +++
+ avahi-core/resolve-address.c     | 5 ++++-
+ avahi-core/resolve-host-name.c   | 5 ++++-
+ avahi-core/resolve-service.c     | 5 ++++-
+ 8 files changed, 29 insertions(+), 5 deletions(-)
+diff --git a/avahi-core/browse-dns-server.c b/avahi-core/browse-dns-server.c
+index 049752e9..c2d914fa 100644
+--- a/avahi-core/browse-dns-server.c
+++ b/avahi-core/browse-dns-server.c
+@@ -343,7 +343,10 @@ AvahiSDNSServerBrowser *avahi_s_dns_server_browser_new(
+         AvahiSDNSServerBrowser* b;
+ 
+         b = avahi_s_dns_server_browser_prepare(server, interface, protocol, domain, type, aprotocol, flags, callback, userdata);
+        if (!b)
+            return NULL;
+
+         avahi_s_dns_server_browser_start(b);
+ 
+         return b;
+-}
+\ No newline at end of file
+}
+diff --git a/avahi-core/browse-domain.c b/avahi-core/browse-domain.c
+index f145d56a..06fa70c0 100644
+--- a/avahi-core/browse-domain.c
+++ b/avahi-core/browse-domain.c
+@@ -253,7 +253,10 @@ AvahiSDomainBrowser *avahi_s_domain_browser_new(
+         AvahiSDomainBrowser *b;
+ 
+         b = avahi_s_domain_browser_prepare(server, interface, protocol, domain, type, flags, callback, userdata);
+        if (!b)
+            return NULL;
+
+         avahi_s_domain_browser_start(b);
+ 
+         return b;
+-}
+\ No newline at end of file
+}
+diff --git a/avahi-core/browse-service-type.c b/avahi-core/browse-service-type.c
+index fdd22dcd..b1fc7af8 100644
+--- a/avahi-core/browse-service-type.c
+++ b/avahi-core/browse-service-type.c
+@@ -171,6 +171,9 @@ AvahiSServiceTypeBrowser *avahi_s_service_type_browser_new(
+         AvahiSServiceTypeBrowser *b;
+ 
+         b = avahi_s_service_type_browser_prepare(server, interface, protocol, domain, flags, callback, userdata);
+        if (!b)
+            return NULL;
+
+         avahi_s_service_type_browser_start(b);
+ 
+         return b;
+diff --git a/avahi-core/browse-service.c b/avahi-core/browse-service.c
+index 5531360c..63e0275a 100644
+--- a/avahi-core/browse-service.c
+++ b/avahi-core/browse-service.c
+@@ -184,6 +184,9 @@ AvahiSServiceBrowser *avahi_s_service_browser_new(
+         AvahiSServiceBrowser *b;
+ 
+         b = avahi_s_service_browser_prepare(server, interface, protocol, service_type, domain, flags, callback, userdata);
+        if (!b)
+            return NULL;
+
+         avahi_s_service_browser_start(b);
+ 
+         return b;
+diff --git a/avahi-core/browse.c b/avahi-core/browse.c
+index 2941e579..e8a915e9 100644
+--- a/avahi-core/browse.c
+++ b/avahi-core/browse.c
+@@ -634,6 +634,9 @@ AvahiSRecordBrowser *avahi_s_record_browser_new(
+         AvahiSRecordBrowser *b;
+ 
+         b = avahi_s_record_browser_prepare(server, interface, protocol, key, flags, callback, userdata);
+        if (!b)
+            return NULL;
+
+         avahi_s_record_browser_start_query(b);
+ 
+         return b;
+diff --git a/avahi-core/resolve-address.c b/avahi-core/resolve-address.c
+index ac0b29b1..e61dd242 100644
+--- a/avahi-core/resolve-address.c
+++ b/avahi-core/resolve-address.c
+@@ -286,7 +286,10 @@ AvahiSAddressResolver *avahi_s_address_resolver_new(
+         AvahiSAddressResolver *b;
+ 
+         b = avahi_s_address_resolver_prepare(server, interface, protocol, address, flags, callback, userdata);
+        if (!b)
+            return NULL;
+
+         avahi_s_address_resolver_start(b);
+ 
+         return b;
+-}
+\ No newline at end of file
+}
+diff --git a/avahi-core/resolve-host-name.c b/avahi-core/resolve-host-name.c
+index 808b0e72..4e8e5973 100644
+--- a/avahi-core/resolve-host-name.c
+++ b/avahi-core/resolve-host-name.c
+@@ -318,7 +318,10 @@ AvahiSHostNameResolver *avahi_s_host_name_resolver_new(
+         AvahiSHostNameResolver *b;
+ 
+         b = avahi_s_host_name_resolver_prepare(server, interface, protocol, host_name, aprotocol, flags, callback, userdata);
+        if (!b)
+            return NULL;
+
+         avahi_s_host_name_resolver_start(b);
+ 
+         return b;
+-}
+\ No newline at end of file
+}
+diff --git a/avahi-core/resolve-service.c b/avahi-core/resolve-service.c
+index 66bf3cae..43771763 100644
+--- a/avahi-core/resolve-service.c
+++ b/avahi-core/resolve-service.c
+@@ -519,7 +519,10 @@ AvahiSServiceResolver *avahi_s_service_resolver_new(
+         AvahiSServiceResolver *b;
+ 
+         b = avahi_s_service_resolver_prepare(server, interface, protocol, name, type, domain, aprotocol, flags, callback, userdata);
+        if (!b)
+            return NULL;
+
+         avahi_s_service_resolver_start(b);
+ 
+         return b;
+-}
+\ No newline at end of file
+}
author	Ross Burton <ross@burtonini.com>	2021-07-19 11:02:32 +0100
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-08-06 09:59:14 +0100
commit	0eec0ffcce0bb79f046b722122f1dd0781c520b5 (patch)
tree	8abf5bcc768557dbd668f7a63f0583a7d4f096b4
parent	ef2599f8677a5c52dc1217ee5168b4bf959fd156 (diff)
download	poky-0eec0ffcce0bb79f046b722122f1dd0781c520b5.tar.gz

diff --git a/meta/recipes-connectivity/avahi/avahi_0.8.bb b/meta/recipes-connectivity/avahi/avahi_0.8.bb index a07cdbd03c..69ac35ee07 100644 --- a/meta/recipes-connectivity/avahi/avahi_0.8.bb +++ b/meta/recipes-connectivity/avahi/avahi_0.8.bb
@@ -25,6 +25,7 @@ SRC_URI = "https://github.com/lathiat/avahi/releases/download/v${PV}/avahi-${PV}
25	file://initscript.patch \	25	file://initscript.patch \
26	file://0001-Fix-opening-etc-resolv.conf-error.patch \	26	file://0001-Fix-opening-etc-resolv.conf-error.patch \
27	file://handle-hup.patch \	27	file://handle-hup.patch \
		28	file://local-ping.patch \
28	"	29	"
29		30
30	UPSTREAM_CHECK_URI = "https://github.com/lathiat/avahi/releases/"	31	UPSTREAM_CHECK_URI = "https://github.com/lathiat/avahi/releases/"


diff --git a/meta/recipes-connectivity/avahi/files/local-ping.patch b/meta/recipes-connectivity/avahi/files/local-ping.patch new file mode 100644 index 0000000000..94116ad1f3 --- /dev/null +++ b/meta/recipes-connectivity/avahi/files/local-ping.patch
@@ -0,0 +1,152 @@
		1	CVE: CVE-2021-36217
		2	Upstream-Status: Backport
		3	Signed-off-by: Ross Burton <ross.burton@arm.com>
		4
		5	From 9d31939e55280a733d930b15ac9e4dda4497680c Mon Sep 17 00:00:00 2001
		6	From: Tommi Rantala <tommi.t.rantala@nokia.com>
		7	Date: Mon, 8 Feb 2021 11:04:43 +0200
		8	Subject: [PATCH] Fix NULL pointer crashes from #175
		9
		10	avahi-daemon is crashing when running "ping .local".
		11	The crash is due to failing assertion from NULL pointer.
		12	Add missing NULL pointer checks to fix it.
		13
		14	Introduced in #175 - merge commit 8f75a045709a780c8cf92a6a21e9d35b593bdecd
		15	---
		16	avahi-core/browse-dns-server.c \| 5 ++++-
		17	avahi-core/browse-domain.c \| 5 ++++-
		18	avahi-core/browse-service-type.c \| 3 +++
		19	avahi-core/browse-service.c \| 3 +++
		20	avahi-core/browse.c \| 3 +++
		21	avahi-core/resolve-address.c \| 5 ++++-
		22	avahi-core/resolve-host-name.c \| 5 ++++-
		23	avahi-core/resolve-service.c \| 5 ++++-
		24	8 files changed, 29 insertions(+), 5 deletions(-)
		25
		26	diff --git a/avahi-core/browse-dns-server.c b/avahi-core/browse-dns-server.c
		27	index 049752e9..c2d914fa 100644
		28	--- a/avahi-core/browse-dns-server.c
		29	+++ b/avahi-core/browse-dns-server.c
		30	@@ -343,7 +343,10 @@ AvahiSDNSServerBrowser *avahi_s_dns_server_browser_new(
		31	AvahiSDNSServerBrowser* b;
		32
		33	b = avahi_s_dns_server_browser_prepare(server, interface, protocol, domain, type, aprotocol, flags, callback, userdata);
		34	+ if (!b)
		35	+ return NULL;
		36	+
		37	avahi_s_dns_server_browser_start(b);
		38
		39	return b;
		40	-}
		41	\ No newline at end of file
		42	+}
		43	diff --git a/avahi-core/browse-domain.c b/avahi-core/browse-domain.c
		44	index f145d56a..06fa70c0 100644
		45	--- a/avahi-core/browse-domain.c
		46	+++ b/avahi-core/browse-domain.c
		47	@@ -253,7 +253,10 @@ AvahiSDomainBrowser *avahi_s_domain_browser_new(
		48	AvahiSDomainBrowser *b;
		49
		50	b = avahi_s_domain_browser_prepare(server, interface, protocol, domain, type, flags, callback, userdata);
		51	+ if (!b)
		52	+ return NULL;
		53	+
		54	avahi_s_domain_browser_start(b);
		55
		56	return b;
		57	-}
		58	\ No newline at end of file
		59	+}
		60	diff --git a/avahi-core/browse-service-type.c b/avahi-core/browse-service-type.c
		61	index fdd22dcd..b1fc7af8 100644
		62	--- a/avahi-core/browse-service-type.c
		63	+++ b/avahi-core/browse-service-type.c
		64	@@ -171,6 +171,9 @@ AvahiSServiceTypeBrowser *avahi_s_service_type_browser_new(
		65	AvahiSServiceTypeBrowser *b;
		66
		67	b = avahi_s_service_type_browser_prepare(server, interface, protocol, domain, flags, callback, userdata);
		68	+ if (!b)
		69	+ return NULL;
		70	+
		71	avahi_s_service_type_browser_start(b);
		72
		73	return b;
		74	diff --git a/avahi-core/browse-service.c b/avahi-core/browse-service.c
		75	index 5531360c..63e0275a 100644
		76	--- a/avahi-core/browse-service.c
		77	+++ b/avahi-core/browse-service.c
		78	@@ -184,6 +184,9 @@ AvahiSServiceBrowser *avahi_s_service_browser_new(
		79	AvahiSServiceBrowser *b;
		80
		81	b = avahi_s_service_browser_prepare(server, interface, protocol, service_type, domain, flags, callback, userdata);
		82	+ if (!b)
		83	+ return NULL;
		84	+
		85	avahi_s_service_browser_start(b);
		86
		87	return b;
		88	diff --git a/avahi-core/browse.c b/avahi-core/browse.c
		89	index 2941e579..e8a915e9 100644
		90	--- a/avahi-core/browse.c
		91	+++ b/avahi-core/browse.c
		92	@@ -634,6 +634,9 @@ AvahiSRecordBrowser *avahi_s_record_browser_new(
		93	AvahiSRecordBrowser *b;
		94
		95	b = avahi_s_record_browser_prepare(server, interface, protocol, key, flags, callback, userdata);
		96	+ if (!b)
		97	+ return NULL;
		98	+
		99	avahi_s_record_browser_start_query(b);
		100
		101	return b;
		102	diff --git a/avahi-core/resolve-address.c b/avahi-core/resolve-address.c
		103	index ac0b29b1..e61dd242 100644
		104	--- a/avahi-core/resolve-address.c
		105	+++ b/avahi-core/resolve-address.c
		106	@@ -286,7 +286,10 @@ AvahiSAddressResolver *avahi_s_address_resolver_new(
		107	AvahiSAddressResolver *b;
		108
		109	b = avahi_s_address_resolver_prepare(server, interface, protocol, address, flags, callback, userdata);
		110	+ if (!b)
		111	+ return NULL;
		112	+
		113	avahi_s_address_resolver_start(b);
		114
		115	return b;
		116	-}
		117	\ No newline at end of file
		118	+}
		119	diff --git a/avahi-core/resolve-host-name.c b/avahi-core/resolve-host-name.c
		120	index 808b0e72..4e8e5973 100644
		121	--- a/avahi-core/resolve-host-name.c
		122	+++ b/avahi-core/resolve-host-name.c
		123	@@ -318,7 +318,10 @@ AvahiSHostNameResolver *avahi_s_host_name_resolver_new(
		124	AvahiSHostNameResolver *b;
		125
		126	b = avahi_s_host_name_resolver_prepare(server, interface, protocol, host_name, aprotocol, flags, callback, userdata);
		127	+ if (!b)
		128	+ return NULL;
		129	+
		130	avahi_s_host_name_resolver_start(b);
		131
		132	return b;
		133	-}
		134	\ No newline at end of file
		135	+}
		136	diff --git a/avahi-core/resolve-service.c b/avahi-core/resolve-service.c
		137	index 66bf3cae..43771763 100644
		138	--- a/avahi-core/resolve-service.c
		139	+++ b/avahi-core/resolve-service.c
		140	@@ -519,7 +519,10 @@ AvahiSServiceResolver *avahi_s_service_resolver_new(
		141	AvahiSServiceResolver *b;
		142
		143	b = avahi_s_service_resolver_prepare(server, interface, protocol, name, type, domain, aprotocol, flags, callback, userdata);
		144	+ if (!b)
		145	+ return NULL;
		146	+
		147	avahi_s_service_resolver_start(b);
		148
		149	return b;
		150	-}
		151	\ No newline at end of file
		152	+}