| Message ID | 20240310175327.3201-1-asharma@mvista.com |
|---|---|
| State | New |
| Headers | show |
| Series | [meta-oe,dunfell] c-ares: Backport fix for CVE-2024-25629 | expand |
On Sun, 2024-03-10 at 10:55 -0700, Ashish Sharma via lists.openembedded.org wrote: > Upstream-Status: Backport from debian > [https://git.launchpad.net/ubuntu/+source/c-ares/commit/?h=applied/ub > untu/jammy-devel&id=3701814ad9f8570e0142f4b2bf79a32472fe89d6] This should be Backport from https://github.com/c-ares/c-ares/commit/a804c04ddc8245fc8adf0e92368709639125e183 Is there any difference between the two patches? Same for the commit message in patch. > CVE: CVE-2024-25629 > Signed-off-by: Ashish Sharma <asharma@mvista.com> > --- > .../c-ares/c-ares/CVE-2024-25629.patch | 31 > +++++++++++++++++++ > .../recipes-support/c-ares/c-ares_1.18.1.bb | 1 + > 2 files changed, 32 insertions(+) > create mode 100644 meta-oe/recipes-support/c-ares/c-ares/CVE-2024- > 25629.patch > > diff --git a/meta-oe/recipes-support/c-ares/c-ares/CVE-2024- > 25629.patch b/meta-oe/recipes-support/c-ares/c-ares/CVE-2024- > 25629.patch > new file mode 100644 > index 000000000..76f8b7c3b > --- /dev/null > +++ b/meta-oe/recipes-support/c-ares/c-ares/CVE-2024-25629.patch > @@ -0,0 +1,31 @@ > +From a804c04ddc8245fc8adf0e92368709639125e183 Mon Sep 17 00:00:00 > 2001 > +From: Brad House <brad@brad-house.com> > +Date: Thu, 22 Feb 2024 16:23:33 -0500 > +Subject: [PATCH] Merge pull request from GHSA-mg26-v6qh-x48q > + > +Upstream-Status: Backport from debian > [https://git.launchpad.net/ubuntu/+source/c-ares/commit/?h=applied/ub > untu/jammy-devel&id=3701814ad9f8570e0142f4b2bf79a32472fe89d6] > +CVE: CVE-2024-25629 > +Signed-off-by: Ashish Sharma <asharma@mvista.com> > + > + src/lib/ares__read_line.c | 8 ++++++++ > + 1 file changed, 8 insertions(+) > + > +Index: c-ares-1.18.1/src/lib/ares__read_line.c > +=================================================================== > +--- c-ares-1.18.1.orig/src/lib/ares__read_line.c > ++++ c-ares-1.18.1/src/lib/ares__read_line.c > +@@ -49,6 +49,14 @@ int ares__read_line(FILE *fp, char **buf > + if (!fgets(*buf + offset, bytestoread, fp)) > + return (offset != 0) ? 0 : (ferror(fp)) ? ARES_EFILE : > ARES_EOF; > + len = offset + strlen(*buf + offset); > ++ > ++ /* Probably means there was an embedded NULL as the first > character in > ++ * the line, throw away line */ > ++ if (len == 0) { > ++ offset = 0; > ++ continue; > ++ } > ++ > + if ((*buf)[len - 1] == '\n') > + { > + (*buf)[len - 1] = 0; > diff --git a/meta-oe/recipes-support/c-ares/c-ares_1.18.1.bb b/meta- > oe/recipes-support/c-ares/c-ares_1.18.1.bb > index 2aa789760..b5936e1ad 100644 > --- a/meta-oe/recipes-support/c-ares/c-ares_1.18.1.bb > +++ b/meta-oe/recipes-support/c-ares/c-ares_1.18.1.bb > @@ -10,6 +10,7 @@ SRC_URI = "git://github.com/c-ares/c- > ares.git;branch=main;protocol=https \ > file://CVE-2023-31130.patch \ > file://CVE-2023-31147.patch \ > file://CVE-2023-32067.patch \ > + file://CVE-2024-25629.patch \ > " > SRCREV = "2aa086f822aad5017a6f2061ef656f237a62d0ed" > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#109259): > https://lists.openembedded.org/g/openembedded-devel/message/109259 > Mute This Topic: https://lists.openembedded.org/mt/104848216/3616702 > Group Owner: openembedded-devel+owner@lists.openembedded.org > Unsubscribe: > https://lists.openembedded.org/g/openembedded-devel/unsub [ > anuj.mittal@intel.com] > -=-=-=-=-=-=-=-=-=-=-=- >
diff --git a/meta-oe/recipes-support/c-ares/c-ares/CVE-2024-25629.patch b/meta-oe/recipes-support/c-ares/c-ares/CVE-2024-25629.patch new file mode 100644 index 000000000..76f8b7c3b --- /dev/null +++ b/meta-oe/recipes-support/c-ares/c-ares/CVE-2024-25629.patch @@ -0,0 +1,31 @@ +From a804c04ddc8245fc8adf0e92368709639125e183 Mon Sep 17 00:00:00 2001 +From: Brad House <brad@brad-house.com> +Date: Thu, 22 Feb 2024 16:23:33 -0500 +Subject: [PATCH] Merge pull request from GHSA-mg26-v6qh-x48q + +Upstream-Status: Backport from debian [https://git.launchpad.net/ubuntu/+source/c-ares/commit/?h=applied/ubuntu/jammy-devel&id=3701814ad9f8570e0142f4b2bf79a32472fe89d6] +CVE: CVE-2024-25629 +Signed-off-by: Ashish Sharma <asharma@mvista.com> + + src/lib/ares__read_line.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +Index: c-ares-1.18.1/src/lib/ares__read_line.c +=================================================================== +--- c-ares-1.18.1.orig/src/lib/ares__read_line.c ++++ c-ares-1.18.1/src/lib/ares__read_line.c +@@ -49,6 +49,14 @@ int ares__read_line(FILE *fp, char **buf + if (!fgets(*buf + offset, bytestoread, fp)) + return (offset != 0) ? 0 : (ferror(fp)) ? ARES_EFILE : ARES_EOF; + len = offset + strlen(*buf + offset); ++ ++ /* Probably means there was an embedded NULL as the first character in ++ * the line, throw away line */ ++ if (len == 0) { ++ offset = 0; ++ continue; ++ } ++ + if ((*buf)[len - 1] == '\n') + { + (*buf)[len - 1] = 0; diff --git a/meta-oe/recipes-support/c-ares/c-ares_1.18.1.bb b/meta-oe/recipes-support/c-ares/c-ares_1.18.1.bb index 2aa789760..b5936e1ad 100644 --- a/meta-oe/recipes-support/c-ares/c-ares_1.18.1.bb +++ b/meta-oe/recipes-support/c-ares/c-ares_1.18.1.bb @@ -10,6 +10,7 @@ SRC_URI = "git://github.com/c-ares/c-ares.git;branch=main;protocol=https \ file://CVE-2023-31130.patch \ file://CVE-2023-31147.patch \ file://CVE-2023-32067.patch \ + file://CVE-2024-25629.patch \ " SRCREV = "2aa086f822aad5017a6f2061ef656f237a62d0ed"
Upstream-Status: Backport from debian [https://git.launchpad.net/ubuntu/+source/c-ares/commit/?h=applied/ubuntu/jammy-devel&id=3701814ad9f8570e0142f4b2bf79a32472fe89d6] CVE: CVE-2024-25629 Signed-off-by: Ashish Sharma <asharma@mvista.com> --- .../c-ares/c-ares/CVE-2024-25629.patch | 31 +++++++++++++++++++ .../recipes-support/c-ares/c-ares_1.18.1.bb | 1 + 2 files changed, 32 insertions(+) create mode 100644 meta-oe/recipes-support/c-ares/c-ares/CVE-2024-25629.patch