summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMeenali Gupta <meenali.gupta@windriver.com>2023-11-16 10:37:34 +0000
committerSteve Sakoman <steve@sakoman.com>2023-11-28 05:00:32 -1000
commit1867c0de3577f4d45076b44365a3d3af57702385 (patch)
treed95e2cbad18df2357c4cbf2180bf5707b18ce042
parent24646e55b255acd38fb8f78ffec2e406a0b2c449 (diff)
downloadpoky-1867c0de3577f4d45076b44365a3d3af57702385.tar.gz
avahi: fix CVE-2023-38471
A vulnerability was found in Avahi. A reachable assertion exists in the dbus_set_host_name function. (From OE-Core rev: f4286c3a3070fd50e334a48f1b7c068d34747115) Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
-rw-r--r--meta/recipes-connectivity/avahi/avahi_0.8.bb1
-rw-r--r--meta/recipes-connectivity/avahi/files/CVE-2023-38471.patch73
2 files changed, 74 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/avahi/avahi_0.8.bb b/meta/recipes-connectivity/avahi/avahi_0.8.bb
index b5c966c102..ac04b42614 100644
--- a/meta/recipes-connectivity/avahi/avahi_0.8.bb
+++ b/meta/recipes-connectivity/avahi/avahi_0.8.bb
@@ -26,6 +26,7 @@ SRC_URI = "https://github.com/lathiat/avahi/releases/download/v${PV}/avahi-${PV}
26 file://0001-Fix-opening-etc-resolv.conf-error.patch \ 26 file://0001-Fix-opening-etc-resolv.conf-error.patch \
27 file://handle-hup.patch \ 27 file://handle-hup.patch \
28 file://local-ping.patch \ 28 file://local-ping.patch \
29 file://CVE-2023-38471.patch \
29 " 30 "
30 31
31UPSTREAM_CHECK_URI = "https://github.com/lathiat/avahi/releases/" 32UPSTREAM_CHECK_URI = "https://github.com/lathiat/avahi/releases/"
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38471.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38471.patch
new file mode 100644
index 0000000000..40b61b71dd
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38471.patch
@@ -0,0 +1,73 @@
1From 9cd4ea89b3ac89b7bb0196fda1aa88cd51b106b6 Mon Sep 17 00:00:00 2001
2From: Michal Sekletar <msekleta@redhat.com>
3Date: Mon, 23 Oct 2023 13:38:35 +0200
4Subject: [PATCH] core: extract host name using avahi_unescape_label()
5
6Previously we could create invalid escape sequence when we split the
7string on dot. For example, from valid host name "foo\\.bar" we have
8created invalid name "foo\\" and tried to set that as the host name
9which crashed the daemon.
10
11Fixes #453
12
13Upstream-Status: Backport [https://github.com/lathiat/avahi/commit/894f085f402e023a98cbb6f5a3d117bd88d93b09]
14CVE: CVE-2023-38471
15
16Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
17---
18 avahi-core/server.c | 27 +++++++++++++++++++++------
19 1 file changed, 21 insertions(+), 6 deletions(-)
20
21diff --git a/avahi-core/server.c b/avahi-core/server.c
22index e507750..40f1d68 100644
23--- a/avahi-core/server.c
24+++ b/avahi-core/server.c
25@@ -1295,7 +1295,11 @@ static void update_fqdn(AvahiServer *s) {
26 }
27
28 int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
29- char *hn = NULL;
30+ char label_escaped[AVAHI_LABEL_MAX*4+1];
31+ char label[AVAHI_LABEL_MAX];
32+ char *hn = NULL, *h;
33+ size_t len;
34+
35 assert(s);
36
37 AVAHI_CHECK_VALIDITY(s, !host_name || avahi_is_valid_host_name(host_name), AVAHI_ERR_INVALID_HOST_NAME);
38@@ -1305,17 +1309,28 @@ int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
39 else
40 hn = avahi_normalize_name_strdup(host_name);
41
42- hn[strcspn(hn, ".")] = 0;
43+ h = hn;
44+ if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) {
45+ avahi_free(h);
46+ return AVAHI_ERR_INVALID_HOST_NAME;
47+ }
48+
49+ avahi_free(h);
50+
51+ h = label_escaped;
52+ len = sizeof(label_escaped);
53+ if (!avahi_escape_label(label, strlen(label), &h, &len))
54+ return AVAHI_ERR_INVALID_HOST_NAME;
55
56- if (avahi_domain_equal(s->host_name, hn) && s->state != AVAHI_SERVER_COLLISION) {
57- avahi_free(hn);
58+ if (avahi_domain_equal(s->host_name, label_escaped) && s->state != AVAHI_SERVER_COLLISION)
59 return avahi_server_set_errno(s, AVAHI_ERR_NO_CHANGE);
60- }
61
62 withdraw_host_rrs(s);
63
64 avahi_free(s->host_name);
65- s->host_name = hn;
66+ s->host_name = avahi_strdup(label_escaped);
67+ if (!s->host_name)
68+ return AVAHI_ERR_NO_MEMORY;
69
70 update_fqdn(s);
71
72--
732.40.0