Message ID | 20230718025221.51690-1-vanusuri@mvista.com |
---|---|
State | New |
Series | [meta-oe,dunfell] c-ares: CVE-2023-32067 0-byte UDP payload Denial of Service | expand |
On 7/17/23 10:52 PM, Vijay Anusuri wrote: > From: Vijay Anusuri <vanusuri@mvista.com> > > Upstream-Status: Backport from https://github.com/c-ares/c-ares/commit/b9b8413cfdb70a3f99e1573333b23052d57ec1ae > > Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Any chance of getting a kirkstone fix? I will be updating Micklerdore to 1.19.1 (master) to address this issue. -Armin > --- > .../c-ares/c-ares/CVE-2023-32067.patch | 84 +++++++++++++++++++ > .../recipes-support/c-ares/c-ares_1.18.1.bb | 1 + > 2 files changed, 85 insertions(+) > create mode 100644 meta-oe/recipes-support/c-ares/c-ares/CVE-2023-32067.patch > > diff --git a/meta-oe/recipes-support/c-ares/c-ares/CVE-2023-32067.patch b/meta-oe/recipes-support/c-ares/c-ares/CVE-2023-32067.patch > new file mode 100644 > index 000000000..63192d3c8 > --- /dev/null > +++ b/meta-oe/recipes-support/c-ares/c-ares/CVE-2023-32067.patch 
> @@ -0,0 +1,84 @@ > +From b9b8413cfdb70a3f99e1573333b23052d57ec1ae Mon Sep 17 00:00:00 2001 > +From: Brad House <brad@brad-house.com> > +Date: Mon, 22 May 2023 06:51:49 -0400 > +Subject: [PATCH] Merge pull request from GHSA-9g78-jv2r-p7vc > + > +Link: https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1 > + > +Upstream-Status: Backport [https://github.com/c-ares/c-ares/commit/b9b8413cfdb70a3f99e1573333b23052d57ec1ae] > +CVE: CVE-2023-32067 > +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > +--- > + src/lib/ares_process.c | 41 +++++++++++++++++++++++++---------------- > + 1 file changed, 25 insertions(+), 16 deletions(-) > + > +diff --git a/src/lib/ares_process.c b/src/lib/ares_process.c > +index bf0cde464..6cac0a99f 100644 > +--- a/src/lib/ares_process.c > ++++ b/src/lib/ares_process.c > +@@ -470,7 +470,7 @@ static void read_udp_packets(ares_channel channel, fd_set *read_fds, > + { > + struct server_state *server; > + int i; > +- ares_ssize_t count; > ++ ares_ssize_t read_len; > + unsigned char buf[MAXENDSSZ + 1]; > + #ifdef HAVE_RECVFROM > + ares_socklen_t fromlen; > +@@ -513,32 +513,41 @@ static void read_udp_packets(ares_channel channel, fd_set *read_fds, > + /* To reduce event loop overhead, read and process as many > + * packets as we can. 
*/ > + do { > +- if (server->udp_socket == ARES_SOCKET_BAD) > +- count = 0; > +- > +- else { > +- if (server->addr.family == AF_INET) > ++ if (server->udp_socket == ARES_SOCKET_BAD) { > ++ read_len = -1; > ++ } else { > ++ if (server->addr.family == AF_INET) { > + fromlen = sizeof(from.sa4); > +- else > ++ } else { > + fromlen = sizeof(from.sa6); > +- count = socket_recvfrom(channel, server->udp_socket, (void *)buf, > +- sizeof(buf), 0, &from.sa, &fromlen); > ++ } > ++ read_len = socket_recvfrom(channel, server->udp_socket, (void *)buf, > ++ sizeof(buf), 0, &from.sa, &fromlen); > + } > + > +- if (count == -1 && try_again(SOCKERRNO)) > ++ if (read_len == 0) { > ++ /* UDP is connectionless, so result code of 0 is a 0-length UDP > ++ * packet, and not an indication the connection is closed like on > ++ * tcp */ > + continue; > +- else if (count <= 0) > ++ } else if (read_len < 0) { > ++ if (try_again(SOCKERRNO)) > ++ continue; > ++ > + handle_error(channel, i, now); > ++ > + #ifdef HAVE_RECVFROM > +- else if (!same_address(&from.sa, &server->addr)) > ++ } else if (!same_address(&from.sa, &server->addr)) { > + /* The address the response comes from does not match the address we > + * sent the request to. Someone may be attempting to perform a cache > + * poisoning attack. */ > +- break; > ++ continue; > + #endif > +- else > +- process_answer(channel, buf, (int)count, i, 0, now); > +- } while (count > 0); > ++ > ++ } else { > ++ process_answer(channel, buf, (int)read_len, i, 0, now); > ++ } > ++ } while (read_len >= 0); > + } > + } > + > diff --git a/meta-oe/recipes-support/c-ares/c-ares_1.18.1.bb b/meta-oe/recipes-support/c-ares/c-ares_1.18.1.bb > index 152d91332..2aa789760 100644 > --- a/meta-oe/recipes-support/c-ares/c-ares_1.18.1.bb > +++ b/meta-oe/recipes-support/c-ares/c-ares_1.18.1.bb 
> @@ -9,6 +9,7 @@ SRC_URI = "git://github.com/c-ares/c-ares.git;branch=main;protocol=https \ > file://CVE-2022-4904.patch \ > file://CVE-2023-31130.patch \ > file://CVE-2023-31147.patch \ > + file://CVE-2023-32067.patch \ > " > SRCREV = "2aa086f822aad5017a6f2061ef656f237a62d0ed" > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#103892): https://lists.openembedded.org/g/openembedded-devel/message/103892 > Mute This Topic: https://lists.openembedded.org/mt/100209081/3616698 > Group Owner: openembedded-devel+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [akuster808@gmail.com] > -=-=-=-=-=-=-=-=-=-=-=- >
Hi Armin, Already patches have been sent to fix CVE-2023-32067 for kirkstone. Below is the commit https://git.openembedded.org/meta-openembedded-contrib/commit/?h=stable/kirkstone-nut&id=c34b8aad5717d5e6cfa1baef5d3da1eab544def9 Thanks & Regards, Vijay On Sat, Jul 22, 2023 at 5:17 PM akuster808 <akuster808@gmail.com> wrote: > > > On 7/17/23 10:52 PM, Vijay Anusuri wrote: > > From: Vijay Anusuri <vanusuri@mvista.com> > > > > Upstream-Status: Backport from > https://github.com/c-ares/c-ares/commit/b9b8413cfdb70a3f99e1573333b23052d57ec1ae > > > > Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > > Any chance of getting a kirkstone fix? I will be updating Micklerdore > to 1.19.1 (master) to address this issue. > > -Armin > > --- > > .../c-ares/c-ares/CVE-2023-32067.patch | 84 +++++++++++++++++++ > > .../recipes-support/c-ares/c-ares_1.18.1.bb | 1 + > > 2 files changed, 85 insertions(+) > > create mode 100644 > meta-oe/recipes-support/c-ares/c-ares/CVE-2023-32067.patch > > > > diff --git a/meta-oe/recipes-support/c-ares/c-ares/CVE-2023-32067.patch > b/meta-oe/recipes-support/c-ares/c-ares/CVE-2023-32067.patch > > new file mode 100644 > > index 000000000..63192d3c8 > > --- /dev/null > > +++ b/meta-oe/recipes-support/c-ares/c-ares/CVE-2023-32067.patch 
> > @@ -0,0 +1,84 @@ > > +From b9b8413cfdb70a3f99e1573333b23052d57ec1ae Mon Sep 17 00:00:00 2001 > > +From: Brad House <brad@brad-house.com> > > +Date: Mon, 22 May 2023 06:51:49 -0400 > > +Subject: [PATCH] Merge pull request from GHSA-9g78-jv2r-p7vc > > + > > +Link: https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1 > > + > > +Upstream-Status: Backport [ > https://github.com/c-ares/c-ares/commit/b9b8413cfdb70a3f99e1573333b23052d57ec1ae > ] > > +CVE: CVE-2023-32067 > > +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > > +--- > > + src/lib/ares_process.c | 41 +++++++++++++++++++++++++---------------- > > + 1 file changed, 25 insertions(+), 16 deletions(-) > > + > > +diff --git a/src/lib/ares_process.c b/src/lib/ares_process.c > > +index bf0cde464..6cac0a99f 100644 > > +--- a/src/lib/ares_process.c > > ++++ b/src/lib/ares_process.c > > +@@ -470,7 +470,7 @@ static void read_udp_packets(ares_channel channel, > fd_set *read_fds, > > + { > > + struct server_state *server; > > + int i; > > +- ares_ssize_t count; > > ++ ares_ssize_t read_len; > > + unsigned char buf[MAXENDSSZ + 1]; > > + #ifdef HAVE_RECVFROM > > + ares_socklen_t fromlen; > > +@@ -513,32 +513,41 @@ static void read_udp_packets(ares_channel > channel, fd_set *read_fds, > > + /* To reduce event loop overhead, read and process as many > > + * packets as we can. 
*/ > > + do { > > +- if (server->udp_socket == ARES_SOCKET_BAD) > > +- count = 0; > > +- > > +- else { > > +- if (server->addr.family == AF_INET) > > ++ if (server->udp_socket == ARES_SOCKET_BAD) { > > ++ read_len = -1; > > ++ } else { > > ++ if (server->addr.family == AF_INET) { > > + fromlen = sizeof(from.sa4); > > +- else > > ++ } else { > > + fromlen = sizeof(from.sa6); > > +- count = socket_recvfrom(channel, server->udp_socket, (void > *)buf, > > +- sizeof(buf), 0, &from.sa, &fromlen); > > ++ } > > ++ read_len = socket_recvfrom(channel, server->udp_socket, > (void *)buf, > > ++ sizeof(buf), 0, &from.sa, > &fromlen); > > + } > > + > > +- if (count == -1 && try_again(SOCKERRNO)) > > ++ if (read_len == 0) { > > ++ /* UDP is connectionless, so result code of 0 is a 0-length > UDP > > ++ * packet, and not an indication the connection is closed > like on > > ++ * tcp */ > > + continue; > > +- else if (count <= 0) > > ++ } else if (read_len < 0) { > > ++ if (try_again(SOCKERRNO)) > > ++ continue; > > ++ > > + handle_error(channel, i, now); > > ++ > > + #ifdef HAVE_RECVFROM > > +- else if (!same_address(&from.sa, &server->addr)) > > ++ } else if (!same_address(&from.sa, &server->addr)) { > > + /* The address the response comes from does not match the > address we > > + * sent the request to. Someone may be attempting to perform > a cache > > + * poisoning attack. */ > > +- break; > > ++ continue; > > + #endif > > +- else > > +- process_answer(channel, buf, (int)count, i, 0, now); > > +- } while (count > 0); > > ++ > > ++ } else { > > ++ process_answer(channel, buf, (int)read_len, i, 0, now); > > ++ } > > ++ } while (read_len >= 0); > > + } > > + } > > + > > diff --git a/meta-oe/recipes-support/c-ares/c-ares_1.18.1.bb > b/meta-oe/recipes-support/c-ares/c-ares_1.18.1.bb > > index 152d91332..2aa789760 100644 > > --- a/meta-oe/recipes-support/c-ares/c-ares_1.18.1.bb > > +++ b/meta-oe/recipes-support/c-ares/c-ares_1.18.1.bb 
> > @@ -9,6 +9,7 @@ SRC_URI = "git:// > github.com/c-ares/c-ares.git;branch=main;protocol=https \ > > file://CVE-2022-4904.patch \ > > file://CVE-2023-31130.patch \ > > file://CVE-2023-31147.patch \ > > + file://CVE-2023-32067.patch \ > > " > > SRCREV = "2aa086f822aad5017a6f2061ef656f237a62d0ed" > > > > > > -=-=-=-=-=-=-=-=-=-=-=- > > Links: You receive all messages sent to this group. > > View/Reply Online (#103892): > https://lists.openembedded.org/g/openembedded-devel/message/103892 > > Mute This Topic: https://lists.openembedded.org/mt/100209081/3616698 > > Group Owner: openembedded-devel+owner@lists.openembedded.org > > Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [ > akuster808@gmail.com] > > -=-=-=-=-=-=-=-=-=-=-=- > > > >
diff --git a/meta-oe/recipes-support/c-ares/c-ares/CVE-2023-32067.patch b/meta-oe/recipes-support/c-ares/c-ares/CVE-2023-32067.patch
new file mode 100644
index 000000000..63192d3c8
--- /dev/null
+++ b/meta-oe/recipes-support/c-ares/c-ares/CVE-2023-32067.patch
@@ -0,0 +1,84 @@
+From b9b8413cfdb70a3f99e1573333b23052d57ec1ae Mon Sep 17 00:00:00 2001
+From: Brad House <brad@brad-house.com>
+Date: Mon, 22 May 2023 06:51:49 -0400
+Subject: [PATCH] Merge pull request from GHSA-9g78-jv2r-p7vc
+
+Link: https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1
+
+Upstream-Status: Backport [https://github.com/c-ares/c-ares/commit/b9b8413cfdb70a3f99e1573333b23052d57ec1ae]
+CVE: CVE-2023-32067
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/lib/ares_process.c | 41 +++++++++++++++++++++++++----------------
+ 1 file changed, 25 insertions(+), 16 deletions(-)
+
+diff --git a/src/lib/ares_process.c b/src/lib/ares_process.c
+index bf0cde464..6cac0a99f 100644
+--- a/src/lib/ares_process.c
++++ b/src/lib/ares_process.c
+@@ -470,7 +470,7 @@ static void read_udp_packets(ares_channel channel, fd_set *read_fds,
+ {
+ struct server_state *server;
+ int i;
+- ares_ssize_t count;
++ ares_ssize_t read_len;
+ unsigned char buf[MAXENDSSZ + 1];
+ #ifdef HAVE_RECVFROM
+ ares_socklen_t fromlen;
+@@ -513,32 +513,41 @@ static void read_udp_packets(ares_channel channel, fd_set *read_fds,
+ /* To reduce event loop overhead, read and process as many
+ * packets as we can. */
+ do {
+- if (server->udp_socket == ARES_SOCKET_BAD)
+- count = 0;
+-
+- else {
+- if (server->addr.family == AF_INET)
++ if (server->udp_socket == ARES_SOCKET_BAD) {
++ read_len = -1;
++ } else {
++ if (server->addr.family == AF_INET) {
+ fromlen = sizeof(from.sa4);
+- else
++ } else {
+ fromlen = sizeof(from.sa6);
+- count = socket_recvfrom(channel, server->udp_socket, (void *)buf,
+- sizeof(buf), 0, &from.sa, &fromlen);
++ }
++ read_len = socket_recvfrom(channel, server->udp_socket, (void *)buf,
++ sizeof(buf), 0, &from.sa, &fromlen);
+ }
+
+- if (count == -1 && try_again(SOCKERRNO))
++ if (read_len == 0) {
++ /* UDP is connectionless, so result code of 0 is a 0-length UDP
++ * packet, and not an indication the connection is closed like on
++ * tcp */
+ continue;
+- else if (count <= 0)
++ } else if (read_len < 0) {
++ if (try_again(SOCKERRNO))
++ continue;
++
+ handle_error(channel, i, now);
++
+ #ifdef HAVE_RECVFROM
+- else if (!same_address(&from.sa, &server->addr))
++ } else if (!same_address(&from.sa, &server->addr)) {
+ /* The address the response comes from does not match the address we
+ * sent the request to. Someone may be attempting to perform a cache
+ * poisoning attack. */
+- break;
++ continue;
+ #endif
+- else
+- process_answer(channel, buf, (int)count, i, 0, now);
+- } while (count > 0);
++
++ } else {
++ process_answer(channel, buf, (int)read_len, i, 0, now);
++ }
++ } while (read_len >= 0);
+ }
+ }
+
diff --git a/meta-oe/recipes-support/c-ares/c-ares_1.18.1.bb b/meta-oe/recipes-support/c-ares/c-ares_1.18.1.bb
index 152d91332..2aa789760 100644
--- a/meta-oe/recipes-support/c-ares/c-ares_1.18.1.bb
+++ b/meta-oe/recipes-support/c-ares/c-ares_1.18.1.bb
@@ -9,6 +9,7 @@ SRC_URI = "git://github.com/c-ares/c-ares.git;branch=main;protocol=https \
 file://CVE-2022-4904.patch \
 file://CVE-2023-31130.patch \
 file://CVE-2023-31147.patch \
+ file://CVE-2023-32067.patch \
 "
 SRCREV = "2aa086f822aad5017a6f2061ef656f237a62d0ed"
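Review bot: In the rewritten loop of read_udp_packets (src/lib/ares_process.c), the `server->udp_socket == ARES_SOCKET_BAD` branch sets `read_len = -1` without making any socket call, so the later `try_again(SOCKERRNO)` classifies an error code left over from some earlier call. Whether `handle_error(channel, i, now)` runs for a closed socket then depends on stale state, whereas the removed code (`count = 0` followed by `else if (count <= 0)`) always reached it. If that behaviour is meant to be kept, handle the case before the error classification, e.g. `if (server->udp_socket == ARES_SOCKET_BAD) { handle_error(channel, i, now); break; }`. Separately, zero-length and wrong-source datagrams now `continue` under `while (read_len >= 0)` with no per-call limit visible in the hunk, so a cap on iterations per call would keep a stream of discarded packets from monopolising the event loop. The function body starts outside the hunk.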