From patchwork Tue Dec 21 13:09:30 2021
X-Patchwork-Submitter: Ernst Sjöstrand
X-Patchwork-Id: 1771
From: Ernst Sjöstrand
To: "openembedded-devel@lists.openembedded.org"
Subject: [meta-oe][dunfell][PATCH] libmicrohttpd: Add patch to fix CVE-2021-3466
Date: Tue, 21 Dec 2021 13:09:30 +0000
Message-ID: <4880577cbd16ccf732daf804bb720373c3a4de05.camel@lists.verisure.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/94466

Extract patch from the 0.9.71 release commit.
Signed-off-by: Ernst Sjöstrand --- .../libmicrohttpd/CVE-2021-3466.patch | 152 ++++++++++++++++++ .../libmicrohttpd/libmicrohttpd_0.9.70.bb | 3 +- 2 files changed, 154 insertions(+), 1 deletion(-) create mode 100644 meta-oe/recipes-support/libmicrohttpd/libmicrohttpd/CVE-2021-3466.patch -- 2.34.0 diff --git a/meta-oe/recipes-support/libmicrohttpd/libmicrohttpd/CVE-2021-3466.patch b/meta-oe/recipes-support/libmicrohttpd/libmicrohttpd/CVE-2021-3466.patch new file mode 100644 index 000000000..8c36c2263 --- /dev/null +++ b/meta-oe/recipes-support/libmicrohttpd/libmicrohttpd/CVE-2021-3466.patch 
@@ -0,0 +1,152 @@ +From 86d9a61be6395220714b1a50d5144e65668961f6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ernst=20Sj=C3=B6strand?= +Date: Tue, 21 Dec 2021 11:05:22 +0000 +Subject: [PATCH] Fix buffer overflow in url parser and add test + +Fixes CVE-2021-3466 +--- + src/microhttpd/postprocessor.c | 18 ++++++-- + src/microhttpd/test_postprocessor.c | 66 +++++++++++++++++++++++++++++ + 2 files changed, 80 insertions(+), 4 deletions(-) + +diff --git a/src/microhttpd/postprocessor.c b/src/microhttpd/postprocessor.c +index b7f6b10..ebd1686 100644 +--- a/src/microhttpd/postprocessor.c ++++ b/src/microhttpd/postprocessor.c +@@ -137,8 +137,7 @@ struct MHD_PostProcessor + void *cls; + + /** +- * Encoding as given by the headers of the +- * connection. ++ * Encoding as given by the headers of the connection. + */ + const char *encoding; + +@@ -586,7 +585,7 @@ post_process_urlencoded (struct MHD_PostProcessor *pp, + pp->state = PP_Error; + break; + case PP_Callback: +- if ( (pp->buffer_pos + (end_key - start_key) > ++ if ( (pp->buffer_pos + (end_key - start_key) >= + pp->buffer_size) || + (pp->buffer_pos + (end_key - start_key) < + pp->buffer_pos) ) +@@ -636,6 +635,11 @@ post_process_urlencoded (struct MHD_PostProcessor *pp, + { + if (NULL == end_key) + end_key = &post_data[poff]; ++ if (pp->buffer_pos + (end_key - start_key) >= pp->buffer_size) ++ { ++ pp->state = PP_Error; ++ return MHD_NO; ++ } + memcpy (&kbuf[pp->buffer_pos], + start_key, + end_key - start_key); +@@ -663,6 +667,11 @@ post_process_urlencoded (struct MHD_PostProcessor *pp, + last_escape); + pp->must_ikvi = false; + } ++ if (PP_Error == pp->state) ++ { ++ /* State in error, returning failure */ ++ return MHD_NO; ++ } + return MHD_YES; + } + +@@ -1424,7 +1433,8 @@ MHD_destroy_post_processor (struct MHD_PostProcessor *pp) + the post-processing may have been interrupted + at any stage */ + if ( (pp->xbuf_pos > 0) || +- (pp->state != PP_Done) ) ++ ( (pp->state != PP_Done) && ++ (pp->state != PP_Init) ) ) + ret = 
MHD_NO; + else + ret = MHD_YES; +diff --git a/src/microhttpd/test_postprocessor.c b/src/microhttpd/test_postprocessor.c +index 2c37565..cba486d 100644 +--- a/src/microhttpd/test_postprocessor.c ++++ b/src/microhttpd/test_postprocessor.c +@@ -451,6 +451,71 @@ test_empty_value (void) + } + + ++static enum MHD_Result ++value_checker2 (void *cls, ++ enum MHD_ValueKind kind, ++ const char *key, ++ const char *filename, ++ const char *content_type, ++ const char *transfer_encoding, ++ const char *data, ++ uint64_t off, ++ size_t size) ++{ ++ return MHD_YES; ++} ++ ++ ++static int ++test_overflow () ++{ ++ struct MHD_Connection connection; ++ struct MHD_HTTP_Header header; ++ struct MHD_PostProcessor *pp; ++ size_t i; ++ size_t j; ++ size_t delta; ++ char *buf; ++ ++ memset (&connection, 0, sizeof (struct MHD_Connection)); ++ memset (&header, 0, sizeof (struct MHD_HTTP_Header)); ++ connection.headers_received = &header; ++ header.header = MHD_HTTP_HEADER_CONTENT_TYPE; ++ header.value = MHD_HTTP_POST_ENCODING_FORM_URLENCODED; ++ header.header_size = strlen (header.header); ++ header.value_size = strlen (header.value); ++ header.kind = MHD_HEADER_KIND; ++ for (i = 128; i < 1024 * 1024; i += 1024) ++ { ++ pp = MHD_create_post_processor (&connection, ++ 1024, ++ &value_checker2, ++ NULL); ++ buf = malloc (i); ++ if (NULL == buf) ++ return 1; ++ memset (buf, 'A', i); ++ buf[i / 2] = '='; ++ delta = 1 + (MHD_random_ () % (i - 1)); ++ j = 0; ++ while (j < i) ++ { ++ if (j + delta > i) ++ delta = i - j; ++ if (MHD_NO == ++ MHD_post_process (pp, ++ &buf[j], ++ delta)) ++ break; ++ j += delta; ++ } ++ free (buf); ++ MHD_destroy_post_processor (pp); ++ } ++ return 0; ++} ++ ++ + int + main (int argc, char *const *argv) + { +@@ -463,6 +528,7 @@ main (int argc, char *const *argv) + errorCount += test_multipart (); + errorCount += test_nested_multipart (); + errorCount += test_empty_value (); ++ errorCount += test_overflow (); + if (errorCount != 0) + fprintf (stderr, "Error (code: 
%u)\n", errorCount); + return errorCount != 0; /* 0 == pass */ diff --git a/meta-oe/recipes-support/libmicrohttpd/libmicrohttpd_0.9.70.bb b/meta-oe/recipes-support/libmicrohttpd/libmicrohttpd_0.9.70.bb index 94976d2e9..9d5e85e1a 100644 --- a/meta-oe/recipes-support/libmicrohttpd/libmicrohttpd_0.9.70.bb +++ b/meta-oe/recipes-support/libmicrohttpd/libmicrohttpd_0.9.70.bb @@ -7,7 +7,8 @@ SECTION = "net" DEPENDS = "file" SRC_URI = "${GNU_MIRROR}/libmicrohttpd/${BPN}-${PV}.tar.gz \ -" + file://CVE-2021-3466.patch \ + " SRC_URI[md5sum] = "dcd6045ecb4ea18c120afedccbd1da74" SRC_URI[sha256sum] = "90d0a3d396f96f9bc41eb0f7e8187796049285fabef82604acd4879590977307"
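Review bot: The header of the new CVE-2021-3466.patch file (the lines before its first "---") has no "Upstream-Status:" or "CVE:" tag and no Signed-off-by, and it does not name the upstream commit the change was taken from. The cover text says only "Extract patch from the 0.9.71 release commit", while the embedded From: and Date: lines are the submitter's own from 21 Dec 2021. Please add "CVE: CVE-2021-3466", an "Upstream-Status: Backport" line that references the upstream commit, and a Signed-off-by inside the patch file, so the backport can be traced and compared against upstream later.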
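Review bot: In src/microhttpd/postprocessor.c, the guard added at the "@@ -636,6 +635,11 @@" hunk before the memcpy into kbuf tests only "pp->buffer_pos + (end_key - start_key) >= pp->buffer_size" and leaves out the wrap-around test that the PP_Callback check in the "@@ -586,7 +585,7 @@" hunk keeps ("pp->buffer_pos + (end_key - start_key) < pp->buffer_pos"). Suggest using the same two-part condition at both sites, preferably through one small helper so they cannot drift apart again. A short comment on why the comparison is now ">=" rather than ">" would also help, since the visible lines do not say which byte is being reserved.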
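Review bot: The MHD_destroy_post_processor hunk ("@@ -1424,7 +1433,8 @@") changes the result for a processor that is still in PP_Init from MHD_NO to MHD_YES, a caller-visible behaviour change that neither the patch subject ("Fix buffer overflow in url parser and add test") nor the comment above the condition explains. The new test does not look at the return value of MHD_destroy_post_processor, so nothing in this patch shows why the change is needed for the CVE fix. Please state the reason in the commit message or extend the existing comment to cover the PP_Init case.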
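Review bot: test_overflow in src/microhttpd/test_postprocessor.c returns 0 on every path except malloc failure, so it can report the overflow only by crashing; built without a sanitizer or a checking allocator, a regression can pass silently. Suggest noting that requirement in a comment above the function, or asserting on an observable result such as MHD_post_process returning MHD_NO for the over-long key. Smaller points in the same function: the result of MHD_create_post_processor is used without a NULL check, pp is leaked on the "return 1" path when malloc fails, delta comes from MHD_random_ () so a failing chunk size cannot be reproduced unless i and delta are logged, and the definition should read "test_overflow (void)" to match test_empty_value (void).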