diff options
| author | Meenali Gupta <meenali.gupta@windriver.com> | 2023-11-16 10:37:34 +0000 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2023-11-28 05:00:32 -1000 |
| commit | 1867c0de3577f4d45076b44365a3d3af57702385 (patch) | |
| tree | d95e2cbad18df2357c4cbf2180bf5707b18ce042 | |
| parent | 24646e55b255acd38fb8f78ffec2e406a0b2c449 (diff) | |
| download | poky-1867c0de3577f4d45076b44365a3d3af57702385.tar.gz | |
avahi: fix CVE-2023-38471
A vulnerability was found in Avahi. A reachable assertion exists
in the dbus_set_host_name function.
(From OE-Core rev: f4286c3a3070fd50e334a48f1b7c068d34747115)
Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
| -rw-r--r-- | meta/recipes-connectivity/avahi/avahi_0.8.bb | 1 | ||||
| -rw-r--r-- | meta/recipes-connectivity/avahi/files/CVE-2023-38471.patch | 73 |
2 files changed, 74 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/avahi/avahi_0.8.bb b/meta/recipes-connectivity/avahi/avahi_0.8.bb index b5c966c102..ac04b42614 100644 --- a/meta/recipes-connectivity/avahi/avahi_0.8.bb +++ b/meta/recipes-connectivity/avahi/avahi_0.8.bb | |||
| @@ -26,6 +26,7 @@ SRC_URI = "https://github.com/lathiat/avahi/releases/download/v${PV}/avahi-${PV} | |||
| 26 | file://0001-Fix-opening-etc-resolv.conf-error.patch \ | 26 | file://0001-Fix-opening-etc-resolv.conf-error.patch \ |
| 27 | file://handle-hup.patch \ | 27 | file://handle-hup.patch \ |
| 28 | file://local-ping.patch \ | 28 | file://local-ping.patch \ |
| 29 | file://CVE-2023-38471.patch \ | ||
| 29 | " | 30 | " |
| 30 | 31 | ||
| 31 | UPSTREAM_CHECK_URI = "https://github.com/lathiat/avahi/releases/" | 32 | UPSTREAM_CHECK_URI = "https://github.com/lathiat/avahi/releases/" |
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38471.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38471.patch new file mode 100644 index 0000000000..40b61b71dd --- /dev/null +++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38471.patch | |||
| @@ -0,0 +1,73 @@ | |||
| 1 | From 9cd4ea89b3ac89b7bb0196fda1aa88cd51b106b6 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Michal Sekletar <msekleta@redhat.com> | ||
| 3 | Date: Mon, 23 Oct 2023 13:38:35 +0200 | ||
| 4 | Subject: [PATCH] core: extract host name using avahi_unescape_label() | ||
| 5 | |||
| 6 | Previously we could create invalid escape sequence when we split the | ||
| 7 | string on dot. For example, from valid host name "foo\\.bar" we have | ||
| 8 | created invalid name "foo\\" and tried to set that as the host name | ||
| 9 | which crashed the daemon. | ||
| 10 | |||
| 11 | Fixes #453 | ||
| 12 | |||
| 13 | Upstream-Status: Backport [https://github.com/lathiat/avahi/commit/894f085f402e023a98cbb6f5a3d117bd88d93b09] | ||
| 14 | CVE: CVE-2023-38471 | ||
| 15 | |||
| 16 | Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com> | ||
| 17 | --- | ||
| 18 | avahi-core/server.c | 27 +++++++++++++++++++++------ | ||
| 19 | 1 file changed, 21 insertions(+), 6 deletions(-) | ||
| 20 | |||
| 21 | diff --git a/avahi-core/server.c b/avahi-core/server.c | ||
| 22 | index e507750..40f1d68 100644 | ||
| 23 | --- a/avahi-core/server.c | ||
| 24 | +++ b/avahi-core/server.c | ||
| 25 | @@ -1295,7 +1295,11 @@ static void update_fqdn(AvahiServer *s) { | ||
| 26 | } | ||
| 27 | |||
| 28 | int avahi_server_set_host_name(AvahiServer *s, const char *host_name) { | ||
| 29 | - char *hn = NULL; | ||
| 30 | + char label_escaped[AVAHI_LABEL_MAX*4+1]; | ||
| 31 | + char label[AVAHI_LABEL_MAX]; | ||
| 32 | + char *hn = NULL, *h; | ||
| 33 | + size_t len; | ||
| 34 | + | ||
| 35 | assert(s); | ||
| 36 | |||
| 37 | AVAHI_CHECK_VALIDITY(s, !host_name || avahi_is_valid_host_name(host_name), AVAHI_ERR_INVALID_HOST_NAME); | ||
| 38 | @@ -1305,17 +1309,28 @@ int avahi_server_set_host_name(AvahiServer *s, const char *host_name) { | ||
| 39 | else | ||
| 40 | hn = avahi_normalize_name_strdup(host_name); | ||
| 41 | |||
| 42 | - hn[strcspn(hn, ".")] = 0; | ||
| 43 | + h = hn; | ||
| 44 | + if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) { | ||
| 45 | + avahi_free(h); | ||
| 46 | + return AVAHI_ERR_INVALID_HOST_NAME; | ||
| 47 | + } | ||
| 48 | + | ||
| 49 | + avahi_free(h); | ||
| 50 | + | ||
| 51 | + h = label_escaped; | ||
| 52 | + len = sizeof(label_escaped); | ||
| 53 | + if (!avahi_escape_label(label, strlen(label), &h, &len)) | ||
| 54 | + return AVAHI_ERR_INVALID_HOST_NAME; | ||
| 55 | |||
| 56 | - if (avahi_domain_equal(s->host_name, hn) && s->state != AVAHI_SERVER_COLLISION) { | ||
| 57 | - avahi_free(hn); | ||
| 58 | + if (avahi_domain_equal(s->host_name, label_escaped) && s->state != AVAHI_SERVER_COLLISION) | ||
| 59 | return avahi_server_set_errno(s, AVAHI_ERR_NO_CHANGE); | ||
| 60 | - } | ||
| 61 | |||
| 62 | withdraw_host_rrs(s); | ||
| 63 | |||
| 64 | avahi_free(s->host_name); | ||
| 65 | - s->host_name = hn; | ||
| 66 | + s->host_name = avahi_strdup(label_escaped); | ||
| 67 | + if (!s->host_name) | ||
| 68 | + return AVAHI_ERR_NO_MEMORY; | ||
| 69 | |||
| 70 | update_fqdn(s); | ||
| 71 | |||
| 72 | -- | ||
| 73 | 2.40.0 | ||
