mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-04-19 06:32:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

avahi: backport Debian patches to fix multiple CVE's

Browse Source 
import patches from ubuntu to fix
 CVE-2023-1981
 CVE-2023-38469
 CVE-2023-38470
 CVE-2023-38471
 CVE-2023-38472
 CVE-2023-38473

Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches?h=ubuntu/focal-security
Upstream commit
a2696da2f2
&
a337a1ba7d
&
c6cab87df2
&
94cb648911
&
20dec84b24
&
894f085f40
&
b675f70739
&
b024ae5749
&
b448c9f771]

(From OE-Core rev: 4771e335cd4d95e734d7f07a718319f4543ce2f1)

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit is contained in:
Vijay Anusuri
2023-11-22 13:29:23 +05:30
committed by Steve Sakoman
parent 8cabed090e
commit 716693cccc
10 changed files with 571 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
meta/recipes-connectivity/avahi/avahi.inc
View File

@@ -22,6 +22,15 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=2d5025d4aa3495befef8f17206a5b0a1 \
SRC_URI = "https://github.com/lathiat/avahi/releases/download/v${PV}/avahi-${PV}.tar.gz \
file://fix-CVE-2017-6519.patch \
file://CVE-2021-3468.patch \
file://CVE-2023-1981.patch \
file://CVE-2023-38469-1.patch \
file://CVE-2023-38469-2.patch \
file://CVE-2023-38470-1.patch \
file://CVE-2023-38470-2.patch \
file://CVE-2023-38471-1.patch \
file://CVE-2023-38471-2.patch \
file://CVE-2023-38472.patch \
file://CVE-2023-38473.patch \
"
UPSTREAM_CHECK_URI = "https://github.com/lathiat/avahi/releases/"

60
meta/recipes-connectivity/avahi/files/CVE-2023-1981.patch Normal file
View File

@@ -0,0 +1,60 @@
Backport of:
From a2696da2f2c50ac43b6c4903f72290d5c3fa9f6f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Thu, 17 Nov 2022 01:51:53 +0100
Subject: [PATCH] Emit error if requested service is not found
It currently just crashes instead of replying with error. Check return
value and emit error instead of passing NULL pointer to reply.
Fixes #375
Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-1981.patch?h=ubuntu/focal-security
Upstream commit https://github.com/lathiat/avahi/commit/a2696da2f2c50ac43b6c4903f72290d5c3fa9f6f]
CVE: CVE-2023-1981
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
avahi-daemon/dbus-protocol.c | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
--- a/avahi-daemon/dbus-protocol.c
+++ b/avahi-daemon/dbus-protocol.c
@@ -391,10 +391,14 @@ static DBusHandlerResult msg_server_impl
}
t = avahi_alternative_host_name(n);
- avahi_dbus_respond_string(c, m, t);
- avahi_free(t);
-
- return DBUS_HANDLER_RESULT_HANDLED;
+ if (t) {
+ avahi_dbus_respond_string(c, m, t);
+ avahi_free(t);
+
+ return DBUS_HANDLER_RESULT_HANDLED;
+ } else {
+ return avahi_dbus_respond_error(c, m, AVAHI_ERR_NOT_FOUND, "Hostname not found");
+ }
} else if (dbus_message_is_method_call(m, AVAHI_DBUS_INTERFACE_SERVER, "GetAlternativeServiceName")) {
char *n, *t;
@@ -405,10 +409,14 @@ static DBusHandlerResult msg_server_impl
}
t = avahi_alternative_service_name(n);
- avahi_dbus_respond_string(c, m, t);
- avahi_free(t);
-
- return DBUS_HANDLER_RESULT_HANDLED;
+ if (t) {
+ avahi_dbus_respond_string(c, m, t);
+ avahi_free(t);
+
+ return DBUS_HANDLER_RESULT_HANDLED;
+ } else {
+ return avahi_dbus_respond_error(c, m, AVAHI_ERR_NOT_FOUND, "Service not found");
+ }
} else if (dbus_message_is_method_call(m, AVAHI_DBUS_INTERFACE_SERVER, "EntryGroupNew")) {
Client *client;

48
meta/recipes-connectivity/avahi/files/CVE-2023-38469-1.patch Normal file
View File

@@ -0,0 +1,48 @@
From a337a1ba7d15853fb56deef1f464529af6e3a1cf Mon Sep 17 00:00:00 2001
From: Evgeny Vereshchagin <evvers@ya.ru>
Date: Mon, 23 Oct 2023 20:29:31 +0000
Subject: [PATCH] core: reject overly long TXT resource records
Closes https://github.com/lathiat/avahi/issues/455
CVE-2023-38469
Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38469-1.patch?h=ubuntu/focal-security
Upstream commit https://github.com/lathiat/avahi/commit/a337a1ba7d15853fb56deef1f464529af6e3a1cf]
CVE: CVE-2023-38469
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
avahi-core/rr.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
Index: avahi-0.7/avahi-core/rr.c
===================================================================
--- avahi-0.7.orig/avahi-core/rr.c
+++ avahi-0.7/avahi-core/rr.c
@@ -32,6 +32,7 @@
#include <avahi-common/malloc.h>
#include <avahi-common/defs.h>
+#include "dns.h"
#include "rr.h"
#include "log.h"
#include "util.h"
@@ -688,11 +689,17 @@ int avahi_record_is_valid(AvahiRecord *r
case AVAHI_DNS_TYPE_TXT: {
AvahiStringList *strlst;
+ size_t used = 0;
- for (strlst = r->data.txt.string_list; strlst; strlst = strlst->next)
+ for (strlst = r->data.txt.string_list; strlst; strlst = strlst->next) {
if (strlst->size > 255 || strlst->size <= 0)
return 0;
+ used += 1+strlst->size;
+ if (used > AVAHI_DNS_RDATA_MAX)
+ return 0;
+ }
+
return 1;
}
}

65
meta/recipes-connectivity/avahi/files/CVE-2023-38469-2.patch Normal file
View File

@@ -0,0 +1,65 @@
From c6cab87df290448a63323c8ca759baa516166237 Mon Sep 17 00:00:00 2001
From: Evgeny Vereshchagin <evvers@ya.ru>
Date: Wed, 25 Oct 2023 18:15:42 +0000
Subject: [PATCH] tests: pass overly long TXT resource records
to make sure they don't crash avahi any more.
It reproduces https://github.com/lathiat/avahi/issues/455
Canonical notes:
nickgalanis> removed first hunk since there is no .github dir in this release
Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38469-2.patch?h=ubuntu/focal-security
Upstream commit https://github.com/lathiat/avahi/commit/c6cab87df290448a63323c8ca759baa516166237]
CVE: CVE-2023-38469
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
avahi-client/client-test.c | 14 ++++++++++++++
1 files changed, 14 insertions(+)
Index: avahi-0.7/avahi-client/client-test.c
===================================================================
--- avahi-0.7.orig/avahi-client/client-test.c
+++ avahi-0.7/avahi-client/client-test.c
@@ -22,6 +22,7 @@
#endif
#include <stdio.h>
+#include <string.h>
#include <assert.h>
#include <avahi-client/client.h>
@@ -33,6 +34,8 @@
#include <avahi-common/malloc.h>
#include <avahi-common/timeval.h>
+#include <avahi-core/dns.h>
+
static const AvahiPoll *poll_api = NULL;
static AvahiSimplePoll *simple_poll = NULL;
@@ -222,6 +225,9 @@ int main (AVAHI_GCC_UNUSED int argc, AVA
uint32_t cookie;
struct timeval tv;
AvahiAddress a;
+ uint8_t rdata[AVAHI_DNS_RDATA_MAX+1];
+ AvahiStringList *txt = NULL;
+ int r;
simple_poll = avahi_simple_poll_new();
poll_api = avahi_simple_poll_get(simple_poll);
@@ -258,6 +264,14 @@ int main (AVAHI_GCC_UNUSED int argc, AVA
printf("%s\n", avahi_strerror(avahi_entry_group_add_service (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "Lathiat's Site", "_http._tcp", NULL, NULL, 80, "foo=bar", NULL)));
printf("add_record: %d\n", avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "\5booya", 6));
+ memset(rdata, 1, sizeof(rdata));
+ r = avahi_string_list_parse(rdata, sizeof(rdata), &txt);
+ assert(r >= 0);
+ assert(avahi_string_list_serialize(txt, NULL, 0) == sizeof(rdata));
+ error = avahi_entry_group_add_service_strlst(group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", "_qotd._tcp", NULL, NULL, 123, txt);
+ assert(error == AVAHI_ERR_INVALID_RECORD);
+ avahi_string_list_free(txt);
+
avahi_entry_group_commit (group);
domain = avahi_domain_browser_new (avahi, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, NULL, AVAHI_DOMAIN_BROWSER_BROWSE, 0, avahi_domain_browser_callback, (char*) "omghai3u");

57
meta/recipes-connectivity/avahi/files/CVE-2023-38470-1.patch Normal file
View File

@@ -0,0 +1,57 @@
From 94cb6489114636940ac683515417990b55b5d66c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Tue, 11 Apr 2023 15:29:59 +0200
Subject: [PATCH] Ensure each label is at least one byte long
The only allowed exception is single dot, where it should return empty
string.
Fixes #454.
Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38470-1.patch?h=ubuntu/focal-security
Upstream commit https://github.com/lathiat/avahi/commit/94cb6489114636940ac683515417990b55b5d66c]
CVE: CVE-2023-38470
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
avahi-common/domain-test.c | 14 ++++++++++++++
avahi-common/domain.c | 2 +-
2 files changed, 15 insertions(+), 1 deletion(-)
Index: avahi-0.7/avahi-common/domain-test.c
===================================================================
--- avahi-0.7.orig/avahi-common/domain-test.c
+++ avahi-0.7/avahi-common/domain-test.c
@@ -45,6 +45,20 @@ int main(AVAHI_GCC_UNUSED int argc, AVAH
printf("%s\n", s = avahi_normalize_name_strdup("fo\\\\o\\..f oo."));
avahi_free(s);
+ printf("%s\n", s = avahi_normalize_name_strdup("."));
+ avahi_free(s);
+
+ s = avahi_normalize_name_strdup(",.=.}.=.?-.}.=.?.?.}.}.?.?.?.z.?.?.}.}."
+ "}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.=.=.?.?.}.}.?.?.}.}.}"
+ ".?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.=.=.?.?.}.}.?.?.?.zM.?`"
+ "?.}.}.}.?.?.?.r.=.?.}.=.?.?.}.?.?.?.}.=.?.?.}??.}.}.?.?."
+ "?.z.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.?`?.}.}.}."
+ "??.?.zM.?`?.}.}.}.?.?.?.r.=.?.}.=.?.?.}.?.?.?.}.=.?.?.}?"
+ "?.}.}.?.?.?.z.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM."
+ "?`?.}.}.}.?.?.?.r.=.=.?.?`.?.?}.}.}.?.?.?.r.=.?.}.=.?.?."
+ "}.?.?.?.}.=.?.?.}");
+ assert(s == NULL);
+
printf("%i\n", avahi_domain_equal("\\065aa bbb\\.\\046cc.cc\\\\.dee.fff.", "Aaa BBB\\.\\.cc.cc\\\\.dee.fff"));
printf("%i\n", avahi_domain_equal("A", "a"));
Index: avahi-0.7/avahi-common/domain.c
===================================================================
--- avahi-0.7.orig/avahi-common/domain.c
+++ avahi-0.7/avahi-common/domain.c
@@ -201,7 +201,7 @@ char *avahi_normalize_name(const char *s
}
if (!empty) {
- if (size < 1)
+ if (size < 2)
return NULL;
*(r++) = '.';

53
meta/recipes-connectivity/avahi/files/CVE-2023-38470-2.patch Normal file
View File

@@ -0,0 +1,53 @@
From 20dec84b2480821704258bc908e7b2bd2e883b24 Mon Sep 17 00:00:00 2001
From: Evgeny Vereshchagin <evvers@ya.ru>
Date: Tue, 19 Sep 2023 03:21:25 +0000
Subject: [PATCH] [common] bail out when escaped labels can't fit into ret
Fixes:
```
==93410==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f9e76f14c16 at pc 0x00000047208d bp 0x7ffee90a6a00 sp 0x7ffee90a61c8
READ of size 1110 at 0x7f9e76f14c16 thread T0
#0 0x47208c in __interceptor_strlen (out/fuzz-domain+0x47208c) (BuildId: 731b20c1eef22c2104e75a6496a399b10cfc7cba)
#1 0x534eb0 in avahi_strdup avahi/avahi-common/malloc.c:167:12
#2 0x53862c in avahi_normalize_name_strdup avahi/avahi-common/domain.c:226:12
```
and
```
fuzz-domain: fuzz/fuzz-domain.c:38: int LLVMFuzzerTestOneInput(const uint8_t *, size_t): Assertion `avahi_domain_equal(s, t)' failed.
==101571== ERROR: libFuzzer: deadly signal
#0 0x501175 in __sanitizer_print_stack_trace (/home/vagrant/avahi/out/fuzz-domain+0x501175) (BuildId: 682bf6400aff9d41b64b6e2cc3ef5ad600216ea8)
#1 0x45ad2c in fuzzer::PrintStackTrace() (/home/vagrant/avahi/out/fuzz-domain+0x45ad2c) (BuildId: 682bf6400aff9d41b64b6e2cc3ef5ad600216ea8)
#2 0x43fc07 in fuzzer::Fuzzer::CrashCallback() (/home/vagrant/avahi/out/fuzz-domain+0x43fc07) (BuildId: 682bf6400aff9d41b64b6e2cc3ef5ad600216ea8)
#3 0x7f1581d7ebaf (/lib64/libc.so.6+0x3dbaf) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25)
#4 0x7f1581dcf883 in __pthread_kill_implementation (/lib64/libc.so.6+0x8e883) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25)
#5 0x7f1581d7eafd in gsignal (/lib64/libc.so.6+0x3dafd) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25)
#6 0x7f1581d6787e in abort (/lib64/libc.so.6+0x2687e) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25)
#7 0x7f1581d6779a in __assert_fail_base.cold (/lib64/libc.so.6+0x2679a) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25)
#8 0x7f1581d77186 in __assert_fail (/lib64/libc.so.6+0x36186) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25)
#9 0x5344a4 in LLVMFuzzerTestOneInput /home/vagrant/avahi/fuzz/fuzz-domain.c:38:9
```
It's a follow-up to 94cb6489114636940ac683515417990b55b5d66c
Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38471-2.patch?h=ubuntu/focal-security
Upstream commit https://github.com/lathiat/avahi/commit/20dec84b2480821704258bc908e7b2bd2e883b24]
CVE: CVE-2023-38470 #Follow-up patch
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
avahi-common/domain.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
Index: avahi-0.7/avahi-common/domain.c
===================================================================
--- avahi-0.7.orig/avahi-common/domain.c
+++ avahi-0.7/avahi-common/domain.c
@@ -210,7 +210,8 @@ char *avahi_normalize_name(const char *s
} else
empty = 0;
- avahi_escape_label(label, strlen(label), &r, &size);
+ if (!(avahi_escape_label(label, strlen(label), &r, &size)))
+ return NULL;
}
return ret_s;

73
meta/recipes-connectivity/avahi/files/CVE-2023-38471-1.patch Normal file
View File

@@ -0,0 +1,73 @@
From 894f085f402e023a98cbb6f5a3d117bd88d93b09 Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta@redhat.com>
Date: Mon, 23 Oct 2023 13:38:35 +0200
Subject: [PATCH] core: extract host name using avahi_unescape_label()
Previously we could create invalid escape sequence when we split the
string on dot. For example, from valid host name "foo\\.bar" we have
created invalid name "foo\\" and tried to set that as the host name
which crashed the daemon.
Fixes #453
CVE-2023-38471
Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38471-1.patch?h=ubuntu/focal-security
Upstream commit https://github.com/lathiat/avahi/commit/894f085f402e023a98cbb6f5a3d117bd88d93b09]
CVE: CVE-2023-38471
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
avahi-core/server.c | 27 +++++++++++++++++++++------
1 file changed, 21 insertions(+), 6 deletions(-)
Index: avahi-0.7/avahi-core/server.c
===================================================================
--- avahi-0.7.orig/avahi-core/server.c
+++ avahi-0.7/avahi-core/server.c
@@ -1253,7 +1253,11 @@ static void update_fqdn(AvahiServer *s)
}
int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
- char *hn = NULL;
+ char label_escaped[AVAHI_LABEL_MAX*4+1];
+ char label[AVAHI_LABEL_MAX];
+ char *hn = NULL, *h;
+ size_t len;
+
assert(s);
AVAHI_CHECK_VALIDITY(s, !host_name || avahi_is_valid_host_name(host_name), AVAHI_ERR_INVALID_HOST_NAME);
@@ -1263,17 +1267,28 @@ int avahi_server_set_host_name(AvahiServ
else
hn = avahi_normalize_name_strdup(host_name);
- hn[strcspn(hn, ".")] = 0;
+ h = hn;
+ if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) {
+ avahi_free(h);
+ return AVAHI_ERR_INVALID_HOST_NAME;
+ }
+
+ avahi_free(h);
- if (avahi_domain_equal(s->host_name, hn) && s->state != AVAHI_SERVER_COLLISION) {
- avahi_free(hn);
+ h = label_escaped;
+ len = sizeof(label_escaped);
+ if (!avahi_escape_label(label, strlen(label), &h, &len))
+ return AVAHI_ERR_INVALID_HOST_NAME;
+
+ if (avahi_domain_equal(s->host_name, label_escaped) && s->state != AVAHI_SERVER_COLLISION)
return avahi_server_set_errno(s, AVAHI_ERR_NO_CHANGE);
- }
withdraw_host_rrs(s);
avahi_free(s->host_name);
- s->host_name = hn;
+ s->host_name = avahi_strdup(label_escaped);
+ if (!s->host_name)
+ return AVAHI_ERR_NO_MEMORY;
update_fqdn(s);

52
meta/recipes-connectivity/avahi/files/CVE-2023-38471-2.patch Normal file
View File

@@ -0,0 +1,52 @@
From b675f70739f404342f7f78635d6e2dcd85a13460 Mon Sep 17 00:00:00 2001
From: Evgeny Vereshchagin <evvers@ya.ru>
Date: Tue, 24 Oct 2023 22:04:51 +0000
Subject: [PATCH] core: return errors from avahi_server_set_host_name properly
It's a follow-up to 894f085f402e023a98cbb6f5a3d117bd88d93b09
Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38471-2.patch?h=ubuntu/focal-security
Upstream commit https://github.com/lathiat/avahi/commit/b675f70739f404342f7f78635d6e2dcd85a13460]
CVE: CVE-2023-38471 #Follow-up Patch
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
avahi-core/server.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
Index: avahi-0.7/avahi-core/server.c
===================================================================
--- avahi-0.7.orig/avahi-core/server.c
+++ avahi-0.7/avahi-core/server.c
@@ -1267,10 +1267,13 @@ int avahi_server_set_host_name(AvahiServ
else
hn = avahi_normalize_name_strdup(host_name);
+ if (!hn)
+ return avahi_server_set_errno(s, AVAHI_ERR_NO_MEMORY);
+
h = hn;
if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) {
avahi_free(h);
- return AVAHI_ERR_INVALID_HOST_NAME;
+ return avahi_server_set_errno(s, AVAHI_ERR_INVALID_HOST_NAME);
}
avahi_free(h);
@@ -1278,7 +1281,7 @@ int avahi_server_set_host_name(AvahiServ
h = label_escaped;
len = sizeof(label_escaped);
if (!avahi_escape_label(label, strlen(label), &h, &len))
- return AVAHI_ERR_INVALID_HOST_NAME;
+ return avahi_server_set_errno(s, AVAHI_ERR_INVALID_HOST_NAME);
if (avahi_domain_equal(s->host_name, label_escaped) && s->state != AVAHI_SERVER_COLLISION)
return avahi_server_set_errno(s, AVAHI_ERR_NO_CHANGE);
@@ -1288,7 +1291,7 @@ int avahi_server_set_host_name(AvahiServ
avahi_free(s->host_name);
s->host_name = avahi_strdup(label_escaped);
if (!s->host_name)
- return AVAHI_ERR_NO_MEMORY;
+ return avahi_server_set_errno(s, AVAHI_ERR_NO_MEMORY);
update_fqdn(s);

45
meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch Normal file
View File

@@ -0,0 +1,45 @@
From b024ae5749f4aeba03478e6391687c3c9c8dee40 Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta@redhat.com>
Date: Thu, 19 Oct 2023 17:36:44 +0200
Subject: [PATCH] core: make sure there is rdata to process before parsing it
Fixes #452
CVE-2023-38472
Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38472.patch?h=ubuntu/focal-security
Upstream commit https://github.com/lathiat/avahi/commit/b024ae5749f4aeba03478e6391687c3c9c8dee40]
CVE: CVE-2023-38472
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
avahi-client/client-test.c | 3 +++
avahi-daemon/dbus-entry-group.c | 2 +-
2 files changed, 4 insertions(+), 1 deletion(-)
Index: avahi-0.7/avahi-client/client-test.c
===================================================================
--- avahi-0.7.orig/avahi-client/client-test.c
+++ avahi-0.7/avahi-client/client-test.c
@@ -272,6 +272,9 @@ int main (AVAHI_GCC_UNUSED int argc, AVA
assert(error == AVAHI_ERR_INVALID_RECORD);
avahi_string_list_free(txt);
+ error = avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "", 0);
+ assert(error != AVAHI_OK);
+
avahi_entry_group_commit (group);
domain = avahi_domain_browser_new (avahi, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, NULL, AVAHI_DOMAIN_BROWSER_BROWSE, 0, avahi_domain_browser_callback, (char*) "omghai3u");
Index: avahi-0.7/avahi-daemon/dbus-entry-group.c
===================================================================
--- avahi-0.7.orig/avahi-daemon/dbus-entry-group.c
+++ avahi-0.7/avahi-daemon/dbus-entry-group.c
@@ -340,7 +340,7 @@ DBusHandlerResult avahi_dbus_msg_entry_g
if (!(r = avahi_record_new_full (name, clazz, type, ttl)))
return avahi_dbus_respond_error(c, m, AVAHI_ERR_NO_MEMORY, NULL);
- if (avahi_rdata_parse (r, rdata, size) < 0) {
+ if (!rdata || avahi_rdata_parse (r, rdata, size) < 0) {
avahi_record_unref (r);
return avahi_dbus_respond_error(c, m, AVAHI_ERR_INVALID_RDATA, NULL);
}

109
meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch Normal file
View File

@@ -0,0 +1,109 @@
From b448c9f771bada14ae8de175695a9729f8646797 Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta@redhat.com>
Date: Wed, 11 Oct 2023 17:45:44 +0200
Subject: [PATCH] common: derive alternative host name from its unescaped
version
Normalization of input makes sure we don't have to deal with special
cases like unescaped dot at the end of label.
Fixes #451 #487
CVE-2023-38473
Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38473.patch?h=ubuntu/focal-security
Upstream commit https://github.com/lathiat/avahi/commit/b448c9f771bada14ae8de175695a9729f8646797]
CVE: CVE-2023-38473
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
avahi-common/alternative-test.c | 3 +++
avahi-common/alternative.c | 27 +++++++++++++++++++--------
2 files changed, 22 insertions(+), 8 deletions(-)
Index: avahi-0.7/avahi-common/alternative-test.c
===================================================================
--- avahi-0.7.orig/avahi-common/alternative-test.c
+++ avahi-0.7/avahi-common/alternative-test.c
@@ -31,6 +31,9 @@ int main(AVAHI_GCC_UNUSED int argc, AVAH
const char* const test_strings[] = {
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXüüüüüüü",
+ ").",
+ "\\.",
+ "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\\\",
"gurke",
"-",
" #",
Index: avahi-0.7/avahi-common/alternative.c
===================================================================
--- avahi-0.7.orig/avahi-common/alternative.c
+++ avahi-0.7/avahi-common/alternative.c
@@ -49,15 +49,20 @@ static void drop_incomplete_utf8(char *c
}
char *avahi_alternative_host_name(const char *s) {
+ char label[AVAHI_LABEL_MAX], alternative[AVAHI_LABEL_MAX*4+1];
+ char *alt, *r, *ret;
const char *e;
- char *r;
+ size_t len;
assert(s);
if (!avahi_is_valid_host_name(s))
return NULL;
- if ((e = strrchr(s, '-'))) {
+ if (!avahi_unescape_label(&s, label, sizeof(label)))
+ return NULL;
+
+ if ((e = strrchr(label, '-'))) {
const char *p;
e++;
@@ -74,19 +79,18 @@ char *avahi_alternative_host_name(const
if (e) {
char *c, *m;
- size_t l;
int n;
n = atoi(e)+1;
if (!(m = avahi_strdup_printf("%i", n)))
return NULL;
- l = e-s-1;
+ len = e-label-1;
- if (l >= AVAHI_LABEL_MAX-1-strlen(m)-1)
- l = AVAHI_LABEL_MAX-1-strlen(m)-1;
+ if (len >= AVAHI_LABEL_MAX-1-strlen(m)-1)
+ len = AVAHI_LABEL_MAX-1-strlen(m)-1;
- if (!(c = avahi_strndup(s, l))) {
+ if (!(c = avahi_strndup(label, len))) {
avahi_free(m);
return NULL;
}
@@ -100,7 +104,7 @@ char *avahi_alternative_host_name(const
} else {
char *c;
- if (!(c = avahi_strndup(s, AVAHI_LABEL_MAX-1-2)))
+ if (!(c = avahi_strndup(label, AVAHI_LABEL_MAX-1-2)))
return NULL;
drop_incomplete_utf8(c);
@@ -109,6 +113,13 @@ char *avahi_alternative_host_name(const
avahi_free(c);
}
+ alt = alternative;
+ len = sizeof(alternative);
+ ret = avahi_escape_label(r, strlen(r), &alt, &len);
+
+ avahi_free(r);
+ r = avahi_strdup(ret);
+
assert(avahi_is_valid_host_name(r));
return r;