Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package connman for openSUSE:Factory checked in at 2021-06-11 00:18:58 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/connman (Old) and /work/SRC/openSUSE:Factory/.connman.new.32437 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "connman" Fri Jun 11 00:18:58 2021 rev:7 rq:899071 version:1.39 Changes: -------- --- /work/SRC/openSUSE:Factory/connman/connman.changes 2021-03-03 18:35:03.679385773 +0100 +++ /work/SRC/openSUSE:Factory/.connman.new.32437/connman.changes 2021-06-11 00:19:34.421410738 +0200 @@ -1,0 +2,7 @@ +Wed Jun 9 08:03:22 UTC 2021 - Daniel Wagner <daniel.wag...@suse.com> + +- Address buffer overflow in dnsproxy (bsc#1186869): + * Rename connman-1.35-service.patch to 0001-connman-1.35-service.patch + * Add 0002-dnsproxy-Check-the-length-of-buffers-before-memcpy.patch (CVE-2021-33833) + +------------------------------------------------------------------- Old: ---- connman-1.35-service.patch New: ---- 0001-connman-1.35-service.patch 0002-dnsproxy-Check-the-length-of-buffers-before-memcpy.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ connman.spec ++++++ --- /var/tmp/diff_new_pack.5M84qh/_old 2021-06-11 00:19:34.821411433 +0200 +++ /var/tmp/diff_new_pack.5M84qh/_new 2021-06-11 00:19:34.825411440 +0200 @@ -36,7 +36,8 @@ Source1: http://www.kernel.org/pub/linux/network/connman/connman-%{version}.tar.sign Source2: connman.keyring # PATCH-FIX-OPENSUSE -- Greate symlink to network.service -Patch0: connman-1.35-service.patch +Patch0: 0001-connman-1.35-service.patch +Patch1: 0002-dnsproxy-Check-the-length-of-buffers-before-memcpy.patch BuildRequires: dhcp BuildRequires: openvpn BuildRequires: pkgconfig @@ -75,10 +76,10 @@ %description doc Documentation in form of man pages for Connman (Connection Manager). + ############################## #Plugins ############################## - %if %{hh2serial_working} %package plugin-hh2serial-gps Summary: HH2Serial GPS plugin for connman @@ -115,8 +116,8 @@ %description plugin-vpnc Provides VPNC support for Connman (Connection Manager). -#------------------------------------- +#------------------------------------- %package plugin-openvpn Summary: OpenVPN plugin for connman Group: System/Daemons @@ -126,8 +127,8 @@ %description plugin-openvpn Provides OpenVPN support for Connman (Connection Manager). -#------------------------------------- +#------------------------------------- %package plugin-pptp Summary: PPTP plugin for connman Group: System/Daemons @@ -135,8 +136,8 @@ %description plugin-pptp Provides PPTP support for Connman (Connection Manager). -#------------------------------------- +#------------------------------------- %package plugin-wireguard Summary: WireGuard plugin for connman Group: System/Daemons @@ -144,8 +145,8 @@ %description plugin-wireguard Provides WireGuard network support for Connman (Connection Manager). -#------------------------------------- +#------------------------------------- %if %{tist_working} %package plugin-tist Summary: TIST plugin for connman @@ -164,8 +165,8 @@ %description plugin-l2tp Provides L2TP (Layer 2 Tunneling Protocol) support for Connman (Connection Manager). -#------------------------------------- +#------------------------------------- %package plugin-iospm Summary: Intel OSPM plugin for connman Group: System/Daemons @@ -175,8 +176,8 @@ %description plugin-iospm Provides Intel OSPM support for Connman (Connection Manager). -#------------------------------------- +#------------------------------------- %package test Summary: Test and example scripts for connman Group: System/Daemons @@ -184,8 +185,8 @@ %description test Provides test and example scripts for Connman (Connection Manager). -#------------------------------------- +#------------------------------------- %package nmcompat Summary: NetworkManager compatibility for connman Group: System/Daemons @@ -193,8 +194,8 @@ %description nmcompat Provides NetworkManager compatibility for Connman (Connection Manager). -#------------------------------------- +#------------------------------------- %package plugin-polkit Summary: PolicyKit plugin for connman Group: System/Daemons @@ -204,8 +205,8 @@ %description plugin-polkit Provides PolicyKit support for Connman (Connection Manager). -#------------------------------------- +#------------------------------------- %package client Summary: Client script for connman Group: System/Daemons @@ -217,6 +218,7 @@ %prep %setup -q -n connman-%{version} %patch0 -p1 +%patch1 -p1 %build # Using i586 repository, so explicitly forward it to CC. ++++++ 0001-connman-1.35-service.patch ++++++ diff -ruN connman-1.35.orig/src/connman.service.in connman-1.35/src/connman.service.in --- connman-1.35.orig/src/connman.service.in 2017-04-27 14:46:41.000000000 +0300 +++ connman-1.35/src/connman.service.in 2017-12-26 15:17:11.743397882 +0300 @@ -19,3 +19,4 @@ [Install] WantedBy=multi-user.target +Alias=network.service ++++++ 0002-dnsproxy-Check-the-length-of-buffers-before-memcpy.patch ++++++ From: Valery Kashcheev <v.kasch...@omp.ru> Date: Mon, 7 Jun 2021 18:58:24 +0200 Subject: dnsproxy: Check the length of buffers before memcpy Git-commit: eceb2e8d2341c041df55a5e2f047d9a8c491463 Fix using a stack-based buffer overflow attack by checking the length of the ptr and uptr buffers. Fix debug message output. Fixes: CVE-2021-33833 --- src/dnsproxy.c | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) --- a/src/dnsproxy.c +++ b/src/dnsproxy.c @@ -1788,17 +1788,15 @@ static char *uncompress(int16_t field_co * tmp buffer. */ - debug("pos %d ulen %d left %d name %s", pos, ulen, - (int)(uncomp_len - (uptr - uncompressed)), uptr); - - ulen = strlen(name); - if ((uptr + ulen + 1) > uncomp_end) { + ulen = strlen(name) + 1; + if ((uptr + ulen) > uncomp_end) goto out; - } - strncpy(uptr, name, uncomp_len - (uptr - uncompressed)); + strncpy(uptr, name, ulen); + + debug("pos %d ulen %d left %d name %s", pos, ulen, + (int)(uncomp_end - (uptr + ulen)), uptr); uptr += ulen; - *uptr++ = '\0'; ptr += pos; @@ -1841,7 +1839,7 @@ static char *uncompress(int16_t field_co } else if (dns_type == ns_t_a || dns_type == ns_t_aaaa) { dlen = uptr[-2] << 8 | uptr[-1]; - if (ptr + dlen > end) { + if ((ptr + dlen) > end || (uptr + dlen) > uncomp_end) { debug("data len %d too long", dlen); goto out; } @@ -1880,6 +1878,10 @@ static char *uncompress(int16_t field_co * refresh interval, retry interval, expiration * limit and minimum ttl). They are 20 bytes long. */ + if ((uptr + 20) > uncomp_end || (ptr + 20) > end) { + debug("soa record too long"); + goto out; + } memcpy(uptr, ptr, 20); uptr += 20; ptr += 20;
