connman: Upgrade 1.44 -> 1.45

Upgrade to release 1.45: - Add missing newlines on error messages - timezone: Replace Localtime file copy with symbolic link - Fix CVE-2025-32366 vulnerability - Fix CVE-2025-32743 vulnerability - vpn: Fix extracting of PrefixLength D-Bus value - vpn: Fix mem leak of gid_list in task setup - dchpv6: Set err to 0 when client creation succeeds (From OE-Core rev: c5fd636aa6f310e868ea29a72913ea96edcf57c5) Signed-off-by: Leon Anavi <leon.anavi@konsulko.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Leon Anavi <leon.anavi@konsulko.com> 2025-08-21 23:43:50 +0300
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2025-08-25 17:47:21 +0100
commit: e91bc261dc5d3bb6e23ab1678d493ac26203f6ea (patch)
tree: 025f3bacf03aef8bc9bd798580979fe930f0b729
parent: 4f531677b82ab0e84855814a50b4d51aed4d72dc (diff)
download: poky-e91bc261dc5d3bb6e23ab1678d493ac26203f6ea.tar.gz
3 files changed, 1 insertions, 92 deletions
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2025-32366.patch b/meta/recipes-connectivity/connman/connman/CVE-2025-32366.patch
deleted file mode 100644
index 62f07e707a..0000000000
--- a/meta/recipes-connectivity/connman/connman/CVE-2025-32366.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 8d3be0285f1d4667bfe85dba555c663eb3d704b4 Mon Sep 17 00:00:00 2001
-From: Yoonje Shin <ioerts@kookmin.ac.kr>
-Date: Mon, 12 May 2025 10:48:18 +0200
-Subject: [PATCH] dnsproxy: Address CVE-2025-32366 vulnerability
-In Connman parse_rr in dnsproxy.c has a memcpy length
-that depends on an RR RDLENGTH value (i.e., *rdlen=ntohs(rr->rdlen)
-and memcpy(response+offset,*end,*rdlen)). Here, rdlen may be larger
-than the amount of remaining packet data in the current state of
-parsing. As a result, values of stack memory locations may be sent
-over the network in a response.
-This patch adds a check to ensure that (*end + *rdlen) does not exceed
-the valid range. If the condition is violated, the function returns
-EINVAL.
-CVE: CVE-2025-32366
-Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=8d3be0285f1d4667bfe85dba555c663eb3d704b4]
-Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
---
- src/dnsproxy.c | 3 +++
- 1 file changed, 3 insertions(+)
-diff --git a/src/dnsproxy.c b/src/dnsproxy.c
-index 7ee26d9..1dd2f7f 100644
--- a/src/dnsproxy.c
-+++ b/src/dnsproxy.c
-@@ -998,6 +998,9 @@ static int parse_rr(const unsigned char *buf, const unsigned char *start,
-        if ((offset + *rdlen) > *response_size)
-                return -ENOBUFS;
-+       if ((*end + *rdlen) > max)
-+               return -EINVAL;
-+
-        memcpy(response + offset, *end, *rdlen);
-        *end += *rdlen;
--
-2.40.0
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2025-32743.patch b/meta/recipes-connectivity/connman/connman/CVE-2025-32743.patch
deleted file mode 100644
index c114589679..0000000000
--- a/meta/recipes-connectivity/connman/connman/CVE-2025-32743.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From d90b911f6760959bdf1393c39fe8d1118315490f Mon Sep 17 00:00:00 2001
-From: Praveen Kumar <praveen.kumar@windriver.com>
-Date: Thu, 24 Apr 2025 11:39:29 +0000
-Subject: [PATCH] dnsproxy: Fix NULL/empty lookup causing potential crash
-In ConnMan through 1.44, the lookup string in ns_resolv in dnsproxy.c
-can be NULL or an empty string when the TC (Truncated) bit is set in
-a DNS response. This allows attackers to cause a denial of service
-(application crash) or possibly execute arbitrary code, because those
-lookup values lead to incorrect length calculations and incorrect
-memcpy operations.
-This patch includes a check to make sure loookup value is valid before
-using it. This helps avoid unexpected value when the input is empty or
-incorrect.
-Fixes: CVE-2025-32743
-CVE: CVE-2025-32743
-Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d90b911f6760959bdf1393c39fe8d1118315490f]
-Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
---
- src/dnsproxy.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-diff --git a/src/dnsproxy.c b/src/dnsproxy.c
-index f28a5d7..7ee26d9 100644
--- a/src/dnsproxy.c
-+++ b/src/dnsproxy.c
-@@ -1685,8 +1685,13 @@ static int ns_resolv(struct server_data *server, struct request_data *req,
-                                gpointer request, gpointer name)
- {
-        int sk = -1;
-+       int err;
-        const char *lookup = (const char *)name;
-       int err = ns_try_resolv_from_cache(req, request, lookup);
-+
-+       if (!lookup || strlen(lookup) == 0)
-+               return -EINVAL;
-+
-+       err = ns_try_resolv_from_cache(req, request, lookup);
-        if (err > 0)
-                /* cache hit */
--
-2.40.0
diff --git a/meta/recipes-connectivity/connman/connman_1.44.bb b/meta/recipes-connectivity/connman/connman_1.45.bb
index 1b0fbe438c..cfc6114712 100644
--- a/meta/recipes-connectivity/connman/connman_1.44.bb
+++ b/meta/recipes-connectivity/connman/connman_1.45.bb
@@ -21,11 +21,9 @@ DEPENDS  = "dbus glib-2.0"
 SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
           file://connman \
           file://0002-resolve-musl-does-not-implement-res_ninit.patch \
-           file://CVE-2025-32743.patch \
-           file://CVE-2025-32366.patch \
           "
-SRC_URI[sha256sum] = "2be2b00321632b775f9eff713acd04ef21e31fbf388f6ebf45512ff4289574ff"
+SRC_URI[sha256sum] = "77128cce80865455c4f106b5901a575e2dfdb35a7d2e2e2996f16e85cba10913"
 RRECOMMENDS:${PN} = "connman-conf"
 RCONFLICTS:${PN} = "networkmanager"
author	Leon Anavi <leon.anavi@konsulko.com>	2025-08-21 23:43:50 +0300
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2025-08-25 17:47:21 +0100
commit	e91bc261dc5d3bb6e23ab1678d493ac26203f6ea (patch)
tree	025f3bacf03aef8bc9bd798580979fe930f0b729
parent	4f531677b82ab0e84855814a50b4d51aed4d72dc (diff)
download	poky-e91bc261dc5d3bb6e23ab1678d493ac26203f6ea.tar.gz

diff --git a/meta/recipes-connectivity/connman/connman/CVE-2025-32366.patch b/meta/recipes-connectivity/connman/connman/CVE-2025-32366.patch deleted file mode 100644 index 62f07e707a..0000000000 --- a/meta/recipes-connectivity/connman/connman/CVE-2025-32366.patch +++ /dev/null
@@ -1,41 +0,0 @@
1	From 8d3be0285f1d4667bfe85dba555c663eb3d704b4 Mon Sep 17 00:00:00 2001
2	From: Yoonje Shin <ioerts@kookmin.ac.kr>
3	Date: Mon, 12 May 2025 10:48:18 +0200
4	Subject: [PATCH] dnsproxy: Address CVE-2025-32366 vulnerability
5
6	In Connman parse_rr in dnsproxy.c has a memcpy length
7	that depends on an RR RDLENGTH value (i.e., *rdlen=ntohs(rr->rdlen)
8	and memcpy(response+offset,end,rdlen)). Here, rdlen may be larger
9	than the amount of remaining packet data in the current state of
10	parsing. As a result, values of stack memory locations may be sent
11	over the network in a response.
12
13	This patch adds a check to ensure that (end + rdlen) does not exceed
14	the valid range. If the condition is violated, the function returns
15	-EINVAL.
16
17	CVE: CVE-2025-32366
18
19	Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=8d3be0285f1d4667bfe85dba555c663eb3d704b4]
20
21	Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
22	---
23	src/dnsproxy.c \| 3 +++
24	1 file changed, 3 insertions(+)
25
26	diff --git a/src/dnsproxy.c b/src/dnsproxy.c
27	index 7ee26d9..1dd2f7f 100644
28	--- a/src/dnsproxy.c
29	+++ b/src/dnsproxy.c
30	@@ -998,6 +998,9 @@ static int parse_rr(const unsigned char buf, const unsigned char start,
31	if ((offset + rdlen) > response_size)
32	return -ENOBUFS;
33
34	+ if ((end + rdlen) > max)
35	+ return -EINVAL;
36	+
37	memcpy(response + offset, end, rdlen);
38
39	end += rdlen;
40	--
41	2.40.0


diff --git a/meta/recipes-connectivity/connman/connman/CVE-2025-32743.patch b/meta/recipes-connectivity/connman/connman/CVE-2025-32743.patch deleted file mode 100644 index c114589679..0000000000 --- a/meta/recipes-connectivity/connman/connman/CVE-2025-32743.patch +++ /dev/null
@@ -1,48 +0,0 @@
1	From d90b911f6760959bdf1393c39fe8d1118315490f Mon Sep 17 00:00:00 2001
2	From: Praveen Kumar <praveen.kumar@windriver.com>
3	Date: Thu, 24 Apr 2025 11:39:29 +0000
4	Subject: [PATCH] dnsproxy: Fix NULL/empty lookup causing potential crash
5
6	In ConnMan through 1.44, the lookup string in ns_resolv in dnsproxy.c
7	can be NULL or an empty string when the TC (Truncated) bit is set in
8	a DNS response. This allows attackers to cause a denial of service
9	(application crash) or possibly execute arbitrary code, because those
10	lookup values lead to incorrect length calculations and incorrect
11	memcpy operations.
12
13	This patch includes a check to make sure loookup value is valid before
14	using it. This helps avoid unexpected value when the input is empty or
15	incorrect.
16
17	Fixes: CVE-2025-32743
18
19	CVE: CVE-2025-32743
20
21	Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d90b911f6760959bdf1393c39fe8d1118315490f]
22
23	Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
24	---
25	src/dnsproxy.c \| 7 ++++++-
26	1 file changed, 6 insertions(+), 1 deletion(-)
27
28	diff --git a/src/dnsproxy.c b/src/dnsproxy.c
29	index f28a5d7..7ee26d9 100644
30	--- a/src/dnsproxy.c
31	+++ b/src/dnsproxy.c
32	@@ -1685,8 +1685,13 @@ static int ns_resolv(struct server_data server, struct request_data req,
33	gpointer request, gpointer name)
34	{
35	int sk = -1;
36	+ int err;
37	const char lookup = (const char )name;
38	- int err = ns_try_resolv_from_cache(req, request, lookup);
39	+
40	+ if (!lookup \|\| strlen(lookup) == 0)
41	+ return -EINVAL;
42	+
43	+ err = ns_try_resolv_from_cache(req, request, lookup);
44
45	if (err > 0)
46	/* cache hit */
47	--
48	2.40.0


diff --git a/meta/recipes-connectivity/connman/connman_1.44.bb b/meta/recipes-connectivity/connman/connman_1.45.bb index 1b0fbe438c..cfc6114712 100644 --- a/meta/recipes-connectivity/connman/connman_1.44.bb +++ b/meta/recipes-connectivity/connman/connman_1.45.bb
@@ -21,11 +21,9 @@ DEPENDS = "dbus glib-2.0"
21	SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \	21	SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
22	file://connman \	22	file://connman \
23	file://0002-resolve-musl-does-not-implement-res_ninit.patch \	23	file://0002-resolve-musl-does-not-implement-res_ninit.patch \
24	file://CVE-2025-32743.patch \
25	file://CVE-2025-32366.patch \
26	"	24	"
27		25
28	SRC_URI[sha256sum] = "2be2b00321632b775f9eff713acd04ef21e31fbf388f6ebf45512ff4289574ff"	26	SRC_URI[sha256sum] = "77128cce80865455c4f106b5901a575e2dfdb35a7d2e2e2996f16e85cba10913"
29		27
30	RRECOMMENDS:${PN} = "connman-conf"	28	RRECOMMENDS:${PN} = "connman-conf"
31	RCONFLICTS:${PN} = "networkmanager"	29	RCONFLICTS:${PN} = "networkmanager"