diff mbox series

[master,mickledore,kirkstone,1/1] avahi: fix CVE-2023-38470

Message ID 20231029093644.3918509-1-meenali.gupta@windriver.com
State New, archived

Commit Message

mgupta1 Oct. 29, 2023, 9:36 a.m. UTC
From: Meenali Gupta <meenali.gupta@windriver.com>

The only allowed exception is single dot, where it should return empty
string.

Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
---
 meta/recipes-connectivity/avahi/avahi_0.8.bb  |  1 +
 .../avahi/files/CVE-2023-38470.patch          | 54 +++++++++++++++++++
 2 files changed, 55 insertions(+)
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38470.patch

Comments

Richard Purdie Oct. 29, 2023, 10:36 a.m. UTC | #1
On Sun, 2023-10-29 at 09:36 +0000, Meenali Gupta via
lists.openembedded.org wrote:
> From: Meenali Gupta <meenali.gupta@windriver.com>
> 
> The only allowed exception is single dot, where it should return empty
> string.

This patch doesn't appear to apply to master I'm afraid. The commit
message above is a little bit out of context too, for the OE level
commit we should have more information about the CVE itself rather than
implementation details which make no sense without the source code for
context.

Cheers,

Richard

Patch

diff --git a/meta/recipes-connectivity/avahi/avahi_0.8.bb b/meta/recipes-connectivity/avahi/avahi_0.8.bb
index b5c966c102..14e2548a55 100644
--- a/meta/recipes-connectivity/avahi/avahi_0.8.bb
+++ b/meta/recipes-connectivity/avahi/avahi_0.8.bb
@@ -26,6 +26,7 @@  SRC_URI = "https://github.com/lathiat/avahi/releases/download/v${PV}/avahi-${PV}
            file://0001-Fix-opening-etc-resolv.conf-error.patch \
            file://handle-hup.patch \
            file://local-ping.patch \
+           file://CVE-2023-38470.patch \
            "
 
 UPSTREAM_CHECK_URI = "https://github.com/lathiat/avahi/releases/"
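Review bot: the context around the added `file://CVE-2023-38470.patch \` line has to match the SRC_URI list on every branch named in the subject (master, mickledore, kirkstone), and the reply above reports that the patch does not apply to master. Rebase the recipe change on each target branch and send it per branch where the patch list differs, so that the three context entries (`0001-Fix-opening-etc-resolv.conf-error.patch`, `handle-hup.patch`, `local-ping.patch`) are what that branch's `avahi_0.8.bb` actually contains.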
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38470.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38470.patch
new file mode 100644
index 0000000000..fedb73e665
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38470.patch
@@ -0,0 +1,54 @@ 
+From 5fe17efad532a39d550f364683bc9386822a9eb9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Tue, 11 Apr 2023 15:29:59 +0200
+Subject: [PATCH] avahi: Ensure each label is at least one byte long
+
+Upstream-Status: Backport [https://github.com/lathiat/avahi/pull/457/commits/b6cf29f98adce7355e8c51a6af1e338a5f94e16e]
+CVE: CVE-2023-38470
+
+Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
+---
+ avahi-common/domain-test.c | 14 ++++++++++++++
+ avahi-common/domain.c      |  2 +-
+ 2 files changed, 15 insertions(+), 1 deletion(-)
+
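Review bot: `Upstream-Status: Backport` in the embedded patch header points at a commit inside pull request 457 (a `pull/457/commits/` URL) rather than a commit on an upstream branch, so a reader cannot tell from the header whether the fix was accepted upstream in this form. If the pull request has been merged, reference the merged commit instead. The header is also the natural place for the short description of CVE-2023-38470 that the reply above asks for.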
+diff --git a/avahi-common/domain-test.c b/avahi-common/domain-test.c
+index cf763ec..3acc1c1 100644
+--- a/avahi-common/domain-test.c
++++ b/avahi-common/domain-test.c
+@@ -45,6 +45,20 @@ int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) {
+     printf("%s\n", s = avahi_normalize_name_strdup("fo\\\\o\\..f oo."));
+     avahi_free(s);
+
++    printf("%s\n", s = avahi_normalize_name_strdup("."));
++    avahi_free(s);
++
++    s = avahi_normalize_name_strdup(",.=.}.=.?-.}.=.?.?.}.}.?.?.?.z.?.?.}.}."
++		    "}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.=.=.?.?.}.}.?.?.}.}.}"
++		    ".?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.=.=.?.?.}.}.?.?.?.zM.?`"
++		    "?.}.}.}.?.?.?.r.=.?.}.=.?.?.}.?.?.?.}.=.?.?.}??.}.}.?.?."
++		    "?.z.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.?`?.}.}.}."
++		    "??.?.zM.?`?.}.}.}.?.?.?.r.=.?.}.=.?.?.}.?.?.?.}.=.?.?.}?"
++		    "?.}.}.?.?.?.z.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM."
++		    "?`?.}.}.}.?.?.?.r.=.=.?.?`.?.?}.}.}.?.?.?.r.=.?.}.=.?.?."
++		    "}.?.?.?.}.=.?.?.}");
++    assert(s == NULL);
++
+     printf("%i\n", avahi_domain_equal("\\065aa bbb\\.\\046cc.cc\\\\.dee.fff.", "Aaa BBB\\.\\.cc.cc\\\\.dee.fff"));
+     printf("%i\n", avahi_domain_equal("A", "a"));
+
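Review bot: the new `"."` case in domain-test.c only prints the result, so the behaviour the commit message describes (a single dot returns the empty string) is never checked, and a NULL return would be passed straight to `printf("%s\n", ...)`. An explicit check such as `assert(s && !*s);` before `avahi_free(s);` would make the test fail on a regression, the way the long-name case already does with `assert(s == NULL);`. If the backport is meant to stay identical to upstream, this is a point to raise there rather than change locally.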
+diff --git a/avahi-common/domain.c b/avahi-common/domain.c
+index 3b1ab68..e66d241 100644
+--- a/avahi-common/domain.c
++++ b/avahi-common/domain.c
+@@ -201,7 +201,7 @@ char *avahi_normalize_name(const char *s, char *ret_s, size_t size) {
+         }
+
+         if (!empty) {
+-            if (size < 1)
++            if (size < 2)
+                 return NULL;
+
+             *(r++) = '.';
+--
+2.40.0
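Review bot: the change from `size < 1` to `size < 2` in avahi_normalize_name() is the entire fix, yet nothing in the patch header or the commit message says why two bytes are required at this point. Going by the subject line and the `*(r++) = '.';` that follows, the check presumably reserves one byte for the separator and at least one for the label written after it. Stating that in the header, together with what goes wrong when the check is `size < 1`, would let the change be reviewed without the avahi source at hand.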