Hi Ross, As discussed with Vijay, we'll cooperate on this CVE fixes.
Regards Meenali ________________________________ From: Vijay Anusuri <vanus...@mvista.com> Sent: 16 November 2023 21:31 To: jpuhl...@mvista.com <jpuhl...@mvista.com>; Ross Burton <ross.bur...@arm.com>; Gupta, Meenali <meenali.gu...@windriver.com> Cc: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> Subject: Re: [OE-core][kirkstone][PATCH] avahi: Fix for multiple CVE's CAUTION: This email comes from a non Wind River email account! Do not click links or open attachments unless you recognize the sender and know the content is safe. Hi Ross, As discussed with Meenali, I agreed she was going to do this work. She has already submitted patches for multiple branches ( master, mickledore and kirkstone ). For CVE-2023-38469, we need to include 2 commits to fix the CVE. Meenali will send the v2 patch for CVE-2023-38469 which will include 2 patches for all the branches. Thank you Meenali for your timely response. Thanks & Regards, Vijay On Thu, Nov 16, 2023 at 7:56 PM Jeremy Puhlman via lists.openembedded.org<https://urldefense.com/v3/__http://lists.openembedded.org__;!!AjveYdw8EvQ!YPO7NIVZeFhisahLwBZhGe79g5KJTQ1xZy2oR8nOiu1HFt04VXa4FsGlVur74kFZ8fbQ-9H_LG6OXVHPwKv5R-0$> <jpuhlman=mvista....@lists.openembedded.org<mailto:mvista....@lists.openembedded.org>> wrote: On 11/16/2023 3:22 AM, Ross Burton wrote: > Hi Vijay and Meenali, > > Hopefully this will show everyone - especially WR and Montavista - that we > need to communicate better when working on CVEs. In the short term at least, > Marta proposed a wiki page which can be updated via a tool and when someone > is working on an issue that can be marked to avoid duplication of effort. > Would that be acceptable to both of your companies? Yeah, I think something like that would be great on our end, provided its automated and the data can be extracted, so it can be consolidated in internal CVE tracking that we are currently required to. > > I’ve not checked that the fixes are identical, but apparently I need to > remind everyone that we take fixes in *master first* and then backport to the > releases in order. There should also be an agree upon change decoration to indicate non-applicability/differently addressed in earlier releases. With 4 year LTS releases many issues are just not going to be applicable to master. Also there may well be very good reasons to fix a given set of CVEs in completely different ways, but making sure they are addressed in both is important. Setting aside this example, in almost all cases on master moving to the fixed version, is almost always the right answer, where as on say dunfell, moving to the new version may have too many knock on effects to make sense. In this instance, Khem has already indicated moving to the new release may make sense for both kirkstone and master. > > Luckily the avahi recipe is fairly untouched so this should be trivial. Can > you both discuss and agree who is going to do this? Vijay can you work with Meenali to consolidate this patch. > > Ross > >> On 16 Nov 2023, at 04:05, Vijay Anusuri via >> lists.openembedded.org<https://urldefense.com/v3/__http://lists.openembedded.org__;!!AjveYdw8EvQ!YPO7NIVZeFhisahLwBZhGe79g5KJTQ1xZy2oR8nOiu1HFt04VXa4FsGlVur74kFZ8fbQ-9H_LG6OXVHPwKv5R-0$> >> >> <vanusuri=mvista....@lists.openembedded.org<mailto:mvista....@lists.openembedded.org>> >> wrote: >> >> From: Vijay Anusuri <vanus...@mvista.com<mailto:vanus...@mvista.com>> >> >> Patches to fix: >> CVE-2023-38469 >> CVE-2023-38470 >> CVE-2023-38471 >> CVE-2023-38472 >> CVE-2023-38473 >> >> Upstream-Status: Backport >> [https://github.com/lathiat/avahi/commit/a337a1ba7d15853fb56deef1f464529af6e3a1cf<https://urldefense.com/v3/__https://github.com/lathiat/avahi/commit/a337a1ba7d15853fb56deef1f464529af6e3a1cf__;!!AjveYdw8EvQ!YPO7NIVZeFhisahLwBZhGe79g5KJTQ1xZy2oR8nOiu1HFt04VXa4FsGlVur74kFZ8fbQ-9H_LG6OXVHPSO96cKo$> >> & >> https://github.com/lathiat/avahi/commit/c6cab87df290448a63323c8ca759baa516166237<https://urldefense.com/v3/__https://github.com/lathiat/avahi/commit/c6cab87df290448a63323c8ca759baa516166237__;!!AjveYdw8EvQ!YPO7NIVZeFhisahLwBZhGe79g5KJTQ1xZy2oR8nOiu1HFt04VXa4FsGlVur74kFZ8fbQ-9H_LG6OXVHPlqjXgoU$> >> & >> https://github.com/lathiat/avahi/commit/94cb6489114636940ac683515417990b55b5d66c<https://urldefense.com/v3/__https://github.com/lathiat/avahi/commit/94cb6489114636940ac683515417990b55b5d66c__;!!AjveYdw8EvQ!YPO7NIVZeFhisahLwBZhGe79g5KJTQ1xZy2oR8nOiu1HFt04VXa4FsGlVur74kFZ8fbQ-9H_LG6OXVHPRzxTKP8$> >> & >> https://github.com/lathiat/avahi/commit/894f085f402e023a98cbb6f5a3d117bd88d93b09<https://urldefense.com/v3/__https://github.com/lathiat/avahi/commit/894f085f402e023a98cbb6f5a3d117bd88d93b09__;!!AjveYdw8EvQ!YPO7NIVZeFhisahLwBZhGe79g5KJTQ1xZy2oR8nOiu1HFt04VXa4FsGlVur74kFZ8fbQ-9H_LG6OXVHPwzmpbVo$> >> & >> https://github.com/lathiat/avahi/commit/b024ae5749f4aeba03478e6391687c3c9c8dee40<https://urldefense.com/v3/__https://github.com/lathiat/avahi/commit/b024ae5749f4aeba03478e6391687c3c9c8dee40__;!!AjveYdw8EvQ!YPO7NIVZeFhisahLwBZhGe79g5KJTQ1xZy2oR8nOiu1HFt04VXa4FsGlVur74kFZ8fbQ-9H_LG6OXVHPOROFOvo$> >> & >> https://github.com/lathiat/avahi/commit/b448c9f771bada14ae8de175695a9729f8646797<https://urldefense.com/v3/__https://github.com/lathiat/avahi/commit/b448c9f771bada14ae8de175695a9729f8646797__;!!AjveYdw8EvQ!YPO7NIVZeFhisahLwBZhGe79g5KJTQ1xZy2oR8nOiu1HFt04VXa4FsGlVur74kFZ8fbQ-9H_LG6OXVHPLLeXBTg$>] >> >> Signed-off-by: Vijay Anusuri >> <vanus...@mvista.com<mailto:vanus...@mvista.com>> >> --- >> meta/recipes-connectivity/avahi/avahi_0.8.bb<https://urldefense.com/v3/__http://avahi_0.8.bb__;!!AjveYdw8EvQ!YPO7NIVZeFhisahLwBZhGe79g5KJTQ1xZy2oR8nOiu1HFt04VXa4FsGlVur74kFZ8fbQ-9H_LG6OXVHPSo_Ck9E$> >> | 6 + >> .../avahi/files/CVE-2023-38469-1.patch | 47 ++++++++ >> .../avahi/files/CVE-2023-38469-2.patch | 65 +++++++++++ >> .../avahi/files/CVE-2023-38470.patch | 56 +++++++++ >> .../avahi/files/CVE-2023-38471.patch | 72 ++++++++++++ >> .../avahi/files/CVE-2023-38472.patch | 47 ++++++++ >> .../avahi/files/CVE-2023-38473.patch | 108 ++++++++++++++++++ >> 7 files changed, 401 insertions(+) >> create mode 100644 >> meta/recipes-connectivity/avahi/files/CVE-2023-38469-1.patch >> create mode 100644 >> meta/recipes-connectivity/avahi/files/CVE-2023-38469-2.patch >> create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38470.patch >> create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38471.patch >> create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch >> create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch >> >> diff --git >> a/meta/recipes-connectivity/avahi/avahi_0.8.bb<https://urldefense.com/v3/__http://avahi_0.8.bb__;!!AjveYdw8EvQ!YPO7NIVZeFhisahLwBZhGe79g5KJTQ1xZy2oR8nOiu1HFt04VXa4FsGlVur74kFZ8fbQ-9H_LG6OXVHPSo_Ck9E$> >> >> b/meta/recipes-connectivity/avahi/avahi_0.8.bb<https://urldefense.com/v3/__http://avahi_0.8.bb__;!!AjveYdw8EvQ!YPO7NIVZeFhisahLwBZhGe79g5KJTQ1xZy2oR8nOiu1HFt04VXa4FsGlVur74kFZ8fbQ-9H_LG6OXVHPSo_Ck9E$> >> index b5c966c102..772fb43939 100644 >> --- >> a/meta/recipes-connectivity/avahi/avahi_0.8.bb<https://urldefense.com/v3/__http://avahi_0.8.bb__;!!AjveYdw8EvQ!YPO7NIVZeFhisahLwBZhGe79g5KJTQ1xZy2oR8nOiu1HFt04VXa4FsGlVur74kFZ8fbQ-9H_LG6OXVHPSo_Ck9E$> >> +++ >> b/meta/recipes-connectivity/avahi/avahi_0.8.bb<https://urldefense.com/v3/__http://avahi_0.8.bb__;!!AjveYdw8EvQ!YPO7NIVZeFhisahLwBZhGe79g5KJTQ1xZy2oR8nOiu1HFt04VXa4FsGlVur74kFZ8fbQ-9H_LG6OXVHPSo_Ck9E$> >> @@ -26,6 +26,12 @@ SRC_URI = >> "https://github.com/lathiat/avahi/releases/download/v${PV}/avahi-${PV}<https://urldefense.com/v3/__https://github.com/lathiat/avahi/releases/download/v$*7BPV*7D/avahi-$*7BPV*7D__;JSUlJQ!!AjveYdw8EvQ!YPO7NIVZeFhisahLwBZhGe79g5KJTQ1xZy2oR8nOiu1HFt04VXa4FsGlVur74kFZ8fbQ-9H_LG6OXVHP0Am2ovI$> >> file://0001-Fix-opening-etc-resolv.conf-error.patch \ >> file://handle-hup.patch \ >> file://local-ping.patch \ >> + file://CVE-2023-38469-1.patch \ >> + file://CVE-2023-38469-2.patch \ >> + file://CVE-2023-38470.patch \ >> + file://CVE-2023-38471.patch \ >> + file://CVE-2023-38472.patch \ >> + file://CVE-2023-38473.patch \ >> " >> >> UPSTREAM_CHECK_URI = >> "https://github.com/lathiat/avahi/releases/<https://urldefense.com/v3/__https://github.com/lathiat/avahi/releases/__;!!AjveYdw8EvQ!YPO7NIVZeFhisahLwBZhGe79g5KJTQ1xZy2oR8nOiu1HFt04VXa4FsGlVur74kFZ8fbQ-9H_LG6OXVHP0Xuk60k$>" >> diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38469-1.patch >> b/meta/recipes-connectivity/avahi/files/CVE-2023-38469-1.patch >> new file mode 100644 >> index 0000000000..99c717daf3 >> --- /dev/null >> +++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38469-1.patch >> @@ -0,0 +1,47 @@ >> +From a337a1ba7d15853fb56deef1f464529af6e3a1cf Mon Sep 17 00:00:00 2001 >> +From: Evgeny Vereshchagin <evv...@ya.ru<mailto:evv...@ya.ru>> >> +Date: Mon, 23 Oct 2023 20:29:31 +0000 >> +Subject: [PATCH] core: reject overly long TXT resource records >> + >> +Closes >> https://github.com/lathiat/avahi/issues/455<https://urldefense.com/v3/__https://github.com/lathiat/avahi/issues/455__;!!AjveYdw8EvQ!YPO7NIVZeFhisahLwBZhGe79g5KJTQ1xZy2oR8nOiu1HFt04VXa4FsGlVur74kFZ8fbQ-9H_LG6OXVHP-9siEVs$> >> + >> +CVE-2023-38469 >> + >> +Upstream-Status: Backport >> [https://github.com/lathiat/avahi/commit/a337a1ba7d15853fb56deef1f464529af6e3a1cf<https://urldefense.com/v3/__https://github.com/lathiat/avahi/commit/a337a1ba7d15853fb56deef1f464529af6e3a1cf__;!!AjveYdw8EvQ!YPO7NIVZeFhisahLwBZhGe79g5KJTQ1xZy2oR8nOiu1HFt04VXa4FsGlVur74kFZ8fbQ-9H_LG6OXVHPSO96cKo$>] >> +CVE: CVE-2023-38469 >> +Signed-off-by: Vijay Anusuri >> <vanus...@mvista.com<mailto:vanus...@mvista.com>> >> +--- >> + avahi-core/rr.c | 9 ++++++++- >> + 1 file changed, 8 insertions(+), 1 deletion(-) >> + >> +diff --git a/avahi-core/rr.c b/avahi-core/rr.c >> +index 2bb89244..9c04ebbd 100644 >> +--- a/avahi-core/rr.c >> ++++ b/avahi-core/rr.c >> +@@ -32,6 +32,7 @@ >> + #include <avahi-common/malloc.h> >> + #include <avahi-common/defs.h> >> + >> ++#include "dns.h" >> + #include "rr.h" >> + #include "log.h" >> + #include "util.h" >> +@@ -689,11 +690,17 @@ int avahi_record_is_valid(AvahiRecord *r) { >> + case AVAHI_DNS_TYPE_TXT: { >> + >> + AvahiStringList *strlst; >> ++ size_t used = 0; >> + >> +- for (strlst = r->data.txt.string_list; strlst; strlst = >> strlst->next) >> ++ for (strlst = r->data.txt.string_list; strlst; strlst = >> strlst->next) { >> + if (strlst->size > 255 || strlst->size <= 0) >> + return 0; >> + >> ++ used += 1+strlst->size; >> ++ if (used > AVAHI_DNS_RDATA_MAX) >> ++ return 0; >> ++ } >> ++ >> + return 1; >> + } >> + } >> diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38469-2.patch >> b/meta/recipes-connectivity/avahi/files/CVE-2023-38469-2.patch >> new file mode 100644 >> index 0000000000..b83a70e29b >> --- /dev/null >> +++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38469-2.patch >> @@ -0,0 +1,65 @@ >> +From c6cab87df290448a63323c8ca759baa516166237 Mon Sep 17 00:00:00 2001 >> +From: Evgeny Vereshchagin <evv...@ya.ru<mailto:evv...@ya.ru>> >> +Date: Wed, 25 Oct 2023 18:15:42 +0000 >> +Subject: [PATCH] tests: pass overly long TXT resource records >> + >> +to make sure they don't crash avahi any more. >> + >> +It reproduces >> https://github.com/lathiat/avahi/issues/455<https://urldefense.com/v3/__https://github.com/lathiat/avahi/issues/455__;!!AjveYdw8EvQ!YPO7NIVZeFhisahLwBZhGe79g5KJTQ1xZy2oR8nOiu1HFt04VXa4FsGlVur74kFZ8fbQ-9H_LG6OXVHP-9siEVs$> >> + >> +Upstream-Status: Backport >> [https://github.com/lathiat/avahi/commit/c6cab87df290448a63323c8ca759baa516166237<https://urldefense.com/v3/__https://github.com/lathiat/avahi/commit/c6cab87df290448a63323c8ca759baa516166237__;!!AjveYdw8EvQ!YPO7NIVZeFhisahLwBZhGe79g5KJTQ1xZy2oR8nOiu1HFt04VXa4FsGlVur74kFZ8fbQ-9H_LG6OXVHPlqjXgoU$>] >> +CVE: CVE-2023-38469 >> +Signed-off-by: Vijay Anusuri >> <vanus...@mvista.com<mailto:vanus...@mvista.com>> >> +--- >> + avahi-client/client-test.c | 14 ++++++++++++++ >> + 1 file changed, 14 insertions(+) >> + >> +diff --git a/avahi-client/client-test.c b/avahi-client/client-test.c >> +index 7d04a6a..66e3574 100644 >> +--- a/avahi-client/client-test.c >> ++++ b/avahi-client/client-test.c >> +@@ -22,6 +22,7 @@ >> + #endif >> + >> + #include <stdio.h> >> ++#include <string.h> >> + #include <assert.h> >> + >> + #include <avahi-client/client.h> >> +@@ -33,6 +34,8 @@ >> + #include <avahi-common/malloc.h> >> + #include <avahi-common/timeval.h> >> + >> ++#include <avahi-core/dns.h> >> ++ >> + static const AvahiPoll *poll_api = NULL; >> + static AvahiSimplePoll *simple_poll = NULL; >> + >> +@@ -222,6 +225,9 @@ int main (AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED >> char *argv[]) { >> + uint32_t cookie; >> + struct timeval tv; >> + AvahiAddress a; >> ++ uint8_t rdata[AVAHI_DNS_RDATA_MAX+1]; >> ++ AvahiStringList *txt = NULL; >> ++ int r; >> + >> + simple_poll = avahi_simple_poll_new(); >> + poll_api = avahi_simple_poll_get(simple_poll); >> +@@ -258,6 +264,14 @@ int main (AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED >> char *argv[]) { >> + printf("%s\n", avahi_strerror(avahi_entry_group_add_service (group, >> AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "Lathiat's Site", "_http._tcp", >> NULL, NULL, 80, "foo=bar", NULL))); >> + printf("add_record: %d\n", avahi_entry_group_add_record (group, >> AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "\5booya", >> 6)); >> + >> ++ memset(rdata, 1, sizeof(rdata)); >> ++ r = avahi_string_list_parse(rdata, sizeof(rdata), &txt); >> ++ assert(r >= 0); >> ++ assert(avahi_string_list_serialize(txt, NULL, 0) == sizeof(rdata)); >> ++ error = avahi_entry_group_add_service_strlst(group, AVAHI_IF_UNSPEC, >> AVAHI_PROTO_UNSPEC, 0, "TestX", "_qotd._tcp", NULL, NULL, 123, txt); >> ++ assert(error == AVAHI_ERR_INVALID_RECORD); >> ++ avahi_string_list_free(txt); >> ++ >> + avahi_entry_group_commit (group); >> + >> + domain = avahi_domain_browser_new (avahi, AVAHI_IF_UNSPEC, >> AVAHI_PROTO_UNSPEC, NULL, AVAHI_DOMAIN_BROWSER_BROWSE, 0, >> avahi_domain_browser_callback, (char*) "omghai3u"); >> +-- >> +2.25.1 >> + >> diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38470.patch >> b/meta/recipes-connectivity/avahi/files/CVE-2023-38470.patch >> new file mode 100644 >> index 0000000000..1cbb00dcab >> --- /dev/null >> +++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38470.patch >> @@ -0,0 +1,56 @@ >> +From 94cb6489114636940ac683515417990b55b5d66c Mon Sep 17 00:00:00 2001 >> +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= >> <pemen...@redhat.com<mailto:pemen...@redhat.com>> >> +Date: Tue, 11 Apr 2023 15:29:59 +0200 >> +Subject: [PATCH] Ensure each label is at least one byte long >> + >> +The only allowed exception is single dot, where it should return empty >> +string. >> + >> +Fixes #454. >> + >> +Upstream-Status: Backport >> [https://github.com/lathiat/avahi/commit/94cb6489114636940ac683515417990b55b5d66c<https://urldefense.com/v3/__https://github.com/lathiat/avahi/commit/94cb6489114636940ac683515417990b55b5d66c__;!!AjveYdw8EvQ!YPO7NIVZeFhisahLwBZhGe79g5KJTQ1xZy2oR8nOiu1HFt04VXa4FsGlVur74kFZ8fbQ-9H_LG6OXVHPRzxTKP8$>] >> +CVE: CVE-2023-38470 >> +Signed-off-by: Vijay Anusuri >> <vanus...@mvista.com<mailto:vanus...@mvista.com>> >> +--- >> + avahi-common/domain-test.c | 14 ++++++++++++++ >> + avahi-common/domain.c | 2 +- >> + 2 files changed, 15 insertions(+), 1 deletion(-) >> + >> +diff --git a/avahi-common/domain-test.c b/avahi-common/domain-test.c >> +index cf763eca6..3acc1c1e4 100644 >> +--- a/avahi-common/domain-test.c >> ++++ b/avahi-common/domain-test.c >> +@@ -45,6 +45,20 @@ int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED >> char *argv[]) { >> + printf("%s\n", s = avahi_normalize_name_strdup("fo\\\\o\\..f oo.")); >> + avahi_free(s); >> + >> ++ printf("%s\n", s = avahi_normalize_name_strdup(".")); >> ++ avahi_free(s); >> ++ >> ++ s = >> avahi_normalize_name_strdup(",.=.}.=.?-.}.=.?.?.}.}.?.?.?.z.?.?.}.}." >> ++ "}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.=.=.?.?.}.}.?.?.}.}.}" >> ++ ".?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.=.=.?.?.}.}.?.?.?.zM.?`" >> ++ "?.}.}.}.?.?.?.r.=.?.}.=.?.?.}.?.?.?.}.=.?.?.}??.}.}.?.?." >> ++ "?.z.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.?`?.}.}.}." >> ++ "??.?.zM.?`?.}.}.}.?.?.?.r.=.?.}.=.?.?.}.?.?.?.}.=.?.?.}?" >> ++ "?.}.}.?.?.?.z.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM." >> ++ "?`?.}.}.}.?.?.?.r.=.=.?.?`.?.?}.}.}.?.?.?.r.=.?.}.=.?.?." >> ++ "}.?.?.?.}.=.?.?.}"); >> ++ assert(s == NULL); >> ++ >> + printf("%i\n", avahi_domain_equal("\\065aa >> bbb\\.\\046cc.cc\\\\.dee.fff.", "Aaa BBB\\.\\.cc.cc\\\\.dee.fff")); >> + printf("%i\n", avahi_domain_equal("A", "a")); >> + >> +diff --git a/avahi-common/domain.c b/avahi-common/domain.c >> +index 3b1ab6834..e66d2416c 100644 >> +--- a/avahi-common/domain.c >> ++++ b/avahi-common/domain.c >> +@@ -201,7 +201,7 @@ char *avahi_normalize_name(const char *s, char *ret_s, >> size_t size) { >> + } >> + >> + if (!empty) { >> +- if (size < 1) >> ++ if (size < 2) >> + return NULL; >> + >> + *(r++) = '.'; >> diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38471.patch >> b/meta/recipes-connectivity/avahi/files/CVE-2023-38471.patch >> new file mode 100644 >> index 0000000000..8242646da1 >> --- /dev/null >> +++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38471.patch >> @@ -0,0 +1,72 @@ >> +From 894f085f402e023a98cbb6f5a3d117bd88d93b09 Mon Sep 17 00:00:00 2001 >> +From: Michal Sekletar <msekl...@redhat.com<mailto:msekl...@redhat.com>> >> +Date: Mon, 23 Oct 2023 13:38:35 +0200 >> +Subject: [PATCH] core: extract host name using avahi_unescape_label() >> + >> +Previously we could create invalid escape sequence when we split the >> +string on dot. For example, from valid host name "foo\\.bar" we have >> +created invalid name "foo\\" and tried to set that as the host name >> +which crashed the daemon. >> + >> +Fixes #453 >> + >> +CVE-2023-38471 >> + >> +Upstream-Status: Backport >> [https://github.com/lathiat/avahi/commit/894f085f402e023a98cbb6f5a3d117bd88d93b09<https://urldefense.com/v3/__https://github.com/lathiat/avahi/commit/894f085f402e023a98cbb6f5a3d117bd88d93b09__;!!AjveYdw8EvQ!YPO7NIVZeFhisahLwBZhGe79g5KJTQ1xZy2oR8nOiu1HFt04VXa4FsGlVur74kFZ8fbQ-9H_LG6OXVHPwzmpbVo$>] >> +CVE: CVE-2023-38471 >> +Signed-off-by: Vijay Anusuri >> <vanus...@mvista.com<mailto:vanus...@mvista.com>> >> +--- >> + avahi-core/server.c | 27 +++++++++++++++++++++------ >> + 1 file changed, 21 insertions(+), 6 deletions(-) >> + >> +diff --git a/avahi-core/server.c b/avahi-core/server.c >> +index c32637af8..f6a21bb77 100644 >> +--- a/avahi-core/server.c >> ++++ b/avahi-core/server.c >> +@@ -1295,7 +1295,11 @@ static void update_fqdn(AvahiServer *s) { >> + } >> + >> + int avahi_server_set_host_name(AvahiServer *s, const char *host_name) { >> +- char *hn = NULL; >> ++ char label_escaped[AVAHI_LABEL_MAX*4+1]; >> ++ char label[AVAHI_LABEL_MAX]; >> ++ char *hn = NULL, *h; >> ++ size_t len; >> ++ >> + assert(s); >> + >> + AVAHI_CHECK_VALIDITY(s, !host_name || >> avahi_is_valid_host_name(host_name), AVAHI_ERR_INVALID_HOST_NAME); >> +@@ -1305,17 +1309,28 @@ int avahi_server_set_host_name(AvahiServer *s, >> const char *host_name) { >> + else >> + hn = avahi_normalize_name_strdup(host_name); >> + >> +- hn[strcspn(hn, ".")] = 0; >> ++ h = hn; >> ++ if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) { >> ++ avahi_free(h); >> ++ return AVAHI_ERR_INVALID_HOST_NAME; >> ++ } >> ++ >> ++ avahi_free(h); >> ++ >> ++ h = label_escaped; >> ++ len = sizeof(label_escaped); >> ++ if (!avahi_escape_label(label, strlen(label), &h, &len)) >> ++ return AVAHI_ERR_INVALID_HOST_NAME; >> + >> +- if (avahi_domain_equal(s->host_name, hn) && s->state != >> AVAHI_SERVER_COLLISION) { >> +- avahi_free(hn); >> ++ if (avahi_domain_equal(s->host_name, label_escaped) && s->state != >> AVAHI_SERVER_COLLISION) >> + return avahi_server_set_errno(s, AVAHI_ERR_NO_CHANGE); >> +- } >> + >> + withdraw_host_rrs(s); >> + >> + avahi_free(s->host_name); >> +- s->host_name = hn; >> ++ s->host_name = avahi_strdup(label_escaped); >> ++ if (!s->host_name) >> ++ return AVAHI_ERR_NO_MEMORY; >> + >> + update_fqdn(s); >> + >> diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch >> b/meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch >> new file mode 100644 >> index 0000000000..43b26c1132 >> --- /dev/null >> +++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch >> @@ -0,0 +1,47 @@ >> +From b024ae5749f4aeba03478e6391687c3c9c8dee40 Mon Sep 17 00:00:00 2001 >> +From: Michal Sekletar <msekl...@redhat.com<mailto:msekl...@redhat.com>> >> +Date: Thu, 19 Oct 2023 17:36:44 +0200 >> +Subject: [PATCH] core: make sure there is rdata to process before parsing it >> + >> +Fixes #452 >> + >> +CVE-2023-38472 >> + >> +Upstream-Status: Backport >> [https://github.com/lathiat/avahi/commit/b024ae5749f4aeba03478e6391687c3c9c8dee40<https://urldefense.com/v3/__https://github.com/lathiat/avahi/commit/b024ae5749f4aeba03478e6391687c3c9c8dee40__;!!AjveYdw8EvQ!YPO7NIVZeFhisahLwBZhGe79g5KJTQ1xZy2oR8nOiu1HFt04VXa4FsGlVur74kFZ8fbQ-9H_LG6OXVHPOROFOvo$>] >> +CVE: CVE-2023-38472 >> +Signed-off-by: Vijay Anusuri >> <vanus...@mvista.com<mailto:vanus...@mvista.com>> >> +--- >> + avahi-client/client-test.c | 3 +++ >> + avahi-daemon/dbus-entry-group.c | 2 +- >> + 2 files changed, 4 insertions(+), 1 deletion(-) >> + >> +diff --git a/avahi-client/client-test.c b/avahi-client/client-test.c >> +index 66e3574..9a015d7 100644 >> +--- a/avahi-client/client-test.c >> ++++ b/avahi-client/client-test.c >> +@@ -272,6 +272,9 @@ int main (AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED >> char *argv[]) { >> + assert(error == AVAHI_ERR_INVALID_RECORD); >> + avahi_string_list_free(txt); >> + >> ++ error = avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, >> AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "", 0); >> ++ assert(error != AVAHI_OK); >> ++ >> + avahi_entry_group_commit (group); >> + >> + domain = avahi_domain_browser_new (avahi, AVAHI_IF_UNSPEC, >> AVAHI_PROTO_UNSPEC, NULL, AVAHI_DOMAIN_BROWSER_BROWSE, 0, >> avahi_domain_browser_callback, (char*) "omghai3u"); >> +diff --git a/avahi-daemon/dbus-entry-group.c >> b/avahi-daemon/dbus-entry-group.c >> +index 4e879a5..aa23d4b 100644 >> +--- a/avahi-daemon/dbus-entry-group.c >> ++++ b/avahi-daemon/dbus-entry-group.c >> +@@ -340,7 +340,7 @@ DBusHandlerResult >> avahi_dbus_msg_entry_group_impl(DBusConnection *c, DBusMessage >> + if (!(r = avahi_record_new_full (name, clazz, type, ttl))) >> + return avahi_dbus_respond_error(c, m, AVAHI_ERR_NO_MEMORY, >> NULL); >> + >> +- if (avahi_rdata_parse (r, rdata, size) < 0) { >> ++ if (!rdata || avahi_rdata_parse (r, rdata, size) < 0) { >> + avahi_record_unref (r); >> + return avahi_dbus_respond_error(c, m, AVAHI_ERR_INVALID_RDATA, >> NULL); >> + } >> +-- >> +2.25.1 >> + >> diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch >> b/meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch >> new file mode 100644 >> index 0000000000..7b33d564f8 >> --- /dev/null >> +++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch >> @@ -0,0 +1,108 @@ >> +From b448c9f771bada14ae8de175695a9729f8646797 Mon Sep 17 00:00:00 2001 >> +From: Michal Sekletar <msekl...@redhat.com<mailto:msekl...@redhat.com>> >> +Date: Wed, 11 Oct 2023 17:45:44 +0200 >> +Subject: [PATCH] common: derive alternative host name from its unescaped >> + version >> + >> +Normalization of input makes sure we don't have to deal with special >> +cases like unescaped dot at the end of label. >> + >> +Fixes #451 #487 >> +CVE-2023-38473 >> + >> +Upstream-Status: Backport >> [https://github.com/lathiat/avahi/commit/b448c9f771bada14ae8de175695a9729f8646797<https://urldefense.com/v3/__https://github.com/lathiat/avahi/commit/b448c9f771bada14ae8de175695a9729f8646797__;!!AjveYdw8EvQ!YPO7NIVZeFhisahLwBZhGe79g5KJTQ1xZy2oR8nOiu1HFt04VXa4FsGlVur74kFZ8fbQ-9H_LG6OXVHPLLeXBTg$>] >> +CVE: CVE-2023-38473 >> +Signed-off-by: Vijay Anusuri >> <vanus...@mvista.com<mailto:vanus...@mvista.com>> >> +--- >> + avahi-common/alternative-test.c | 3 +++ >> + avahi-common/alternative.c | 27 +++++++++++++++++++-------- >> + 2 files changed, 22 insertions(+), 8 deletions(-) >> + >> +diff --git a/avahi-common/alternative-test.c >> b/avahi-common/alternative-test.c >> +index 9255435ec..681fc15b8 100644 >> +--- a/avahi-common/alternative-test.c >> ++++ b/avahi-common/alternative-test.c >> +@@ -31,6 +31,9 @@ int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char >> *argv[]) { >> + const char* const test_strings[] = { >> + "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", >> + "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXüüüüüüü", >> ++ ").", >> ++ "\\.", >> ++ "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\\\", >> + "gurke", >> + "-", >> + " #", >> +diff --git a/avahi-common/alternative.c b/avahi-common/alternative.c >> +index b3d39f0ed..a094e6d76 100644 >> +--- a/avahi-common/alternative.c >> ++++ b/avahi-common/alternative.c >> +@@ -49,15 +49,20 @@ static void drop_incomplete_utf8(char *c) { >> + } >> + >> + char *avahi_alternative_host_name(const char *s) { >> ++ char label[AVAHI_LABEL_MAX], alternative[AVAHI_LABEL_MAX*4+1]; >> ++ char *alt, *r, *ret; >> + const char *e; >> +- char *r; >> ++ size_t len; >> + >> + assert(s); >> + >> + if (!avahi_is_valid_host_name(s)) >> + return NULL; >> + >> +- if ((e = strrchr(s, '-'))) { >> ++ if (!avahi_unescape_label(&s, label, sizeof(label))) >> ++ return NULL; >> ++ >> ++ if ((e = strrchr(label, '-'))) { >> + const char *p; >> + >> + e++; >> +@@ -74,19 +79,18 @@ char *avahi_alternative_host_name(const char *s) { >> + >> + if (e) { >> + char *c, *m; >> +- size_t l; >> + int n; >> + >> + n = atoi(e)+1; >> + if (!(m = avahi_strdup_printf("%i", n))) >> + return NULL; >> + >> +- l = e-s-1; >> ++ len = e-label-1; >> + >> +- if (l >= AVAHI_LABEL_MAX-1-strlen(m)-1) >> +- l = AVAHI_LABEL_MAX-1-strlen(m)-1; >> ++ if (len >= AVAHI_LABEL_MAX-1-strlen(m)-1) >> ++ len = AVAHI_LABEL_MAX-1-strlen(m)-1; >> + >> +- if (!(c = avahi_strndup(s, l))) { >> ++ if (!(c = avahi_strndup(label, len))) { >> + avahi_free(m); >> + return NULL; >> + } >> +@@ -100,7 +104,7 @@ char *avahi_alternative_host_name(const char *s) { >> + } else { >> + char *c; >> + >> +- if (!(c = avahi_strndup(s, AVAHI_LABEL_MAX-1-2))) >> ++ if (!(c = avahi_strndup(label, AVAHI_LABEL_MAX-1-2))) >> + return NULL; >> + >> + drop_incomplete_utf8(c); >> +@@ -109,6 +113,13 @@ char *avahi_alternative_host_name(const char *s) { >> + avahi_free(c); >> + } >> + >> ++ alt = alternative; >> ++ len = sizeof(alternative); >> ++ ret = avahi_escape_label(r, strlen(r), &alt, &len); >> ++ >> ++ avahi_free(r); >> ++ r = avahi_strdup(ret); >> ++ >> + assert(avahi_is_valid_host_name(r)); >> + >> + return r; >> -- >> 2.25.1 >> >> >> >> > > > -- Jeremy Puhlman jpuhl...@mvista.com<mailto:jpuhl...@mvista.com>
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#190851): https://lists.openembedded.org/g/openembedded-core/message/190851 Mute This Topic: https://lists.openembedded.org/mt/102621335/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
