Hi Ross and Steve,

Please consider this patch for the Kirkstone branch.

As discussed again with Meenali, I will be sending patches to the remaining
branches.

Thanks & Regards,
Vijay

On Fri, Nov 17, 2023 at 10:13 PM Randy MacLeod <randy.macl...@windriver.com>
wrote:

> Add Hari who will inform WR developers on his team once the CVE
> co-ordination scheme is available.
> Add Marta.
>
> On 2023-11-17 9:11 a.m., Meenali Gupta via lists.openembedded.org wrote:
>
> Hi Ross,
>
> As discussed with Vijay, we'll cooperate on these CVE fixes.
>
> Marta,
>
>
> Do you have a wiki page set-up?
>
>
> I see:
>
>    https://wiki.yoctoproject.org/wiki/Synchronization_CVEs
>
> and it mentions, but does not point to, "A synchronization wiki page".
>
>
>
> ../Randy
>
>
>
> Regards
> Meenali
> ------------------------------
> *From:* Vijay Anusuri <vanus...@mvista.com> <vanus...@mvista.com>
> *Sent:* 16 November 2023 21:31
> *To:* jpuhl...@mvista.com <jpuhl...@mvista.com> <jpuhl...@mvista.com>;
> Ross Burton <ross.bur...@arm.com> <ross.bur...@arm.com>; Gupta, Meenali
> <meenali.gu...@windriver.com> <meenali.gu...@windriver.com>
> *Cc:* openembedded-core@lists.openembedded.org
> <openembedded-core@lists.openembedded.org>
> <openembedded-core@lists.openembedded.org>
> *Subject:* Re: [OE-core][kirkstone][PATCH] avahi: Fix for multiple CVE's
>
> Hi Ross,
>
> As discussed with Meenali, I agreed she was going to do this work.
> She has already submitted patches for multiple branches (master,
> mickledore and kirkstone).
>
> For CVE-2023-38469, we need to include 2 commits to fix the CVE. Meenali
> will send the v2 patch for CVE-2023-38469 which will include 2 patches for
> all the branches.
>
> Thank you Meenali for your timely response.
>
> Thanks & Regards,
> Vijay
>
> On Thu, Nov 16, 2023 at 7:56 PM Jeremy Puhlman via lists.openembedded.org
> <jpuhlman=mvista....@lists.openembedded.org> wrote:
>
>
>
> On 11/16/2023 3:22 AM, Ross Burton wrote:
> > Hi Vijay and Meenali,
> >
> > Hopefully this will show everyone - especially WR and Montavista - that
> > we need to communicate better when working on CVEs.  In the short term at
> > least, Marta proposed a wiki page which can be updated via a tool and when
> > someone is working on an issue that can be marked to avoid duplication of
> > effort.  Would that be acceptable to both of your companies?
>
> Yeah, I think something like that would be great on our end, provided
> it's automated and the data can be extracted, so it can be consolidated
> in internal CVE tracking that we are currently required to.
>
> >
> > I’ve not checked that the fixes are identical, but apparently I need to
> > remind everyone that we take fixes in *master first* and then backport to
> > the releases in order.
> There should also be an agreed-upon change decoration to indicate
> non-applicability/differently addressed in earlier releases.
>
> With 4 year LTS releases many issues are just not going to be applicable
> to master. Also there may well be very good reasons to fix a given set
> of CVEs in completely different ways, but making sure they are addressed
> in both is important. Setting aside this example, in almost all cases on
> master moving to the fixed version is almost always the right answer,
> whereas on say dunfell, moving to the new version may have too many
> knock-on effects to make sense.
> In this instance, Khem has already indicated moving to the new release
> may make sense for both kirkstone and master.
>
> >
> > Luckily the avahi recipe is fairly untouched so this should be trivial.
> > Can you both discuss and agree who is going to do this?
> Vijay can you work with Meenali to consolidate this patch.
> >
> > Ross
> >
> >> On 16 Nov 2023, at 04:05, Vijay Anusuri via lists.openembedded.org
> <vanusuri=mvista....@lists.openembedded.org> wrote:
> >>
> >> From: Vijay Anusuri <vanus...@mvista.com>
> >>
> >> Patches to fix:
> >> CVE-2023-38469
> >> CVE-2023-38470
> >> CVE-2023-38471
> >> CVE-2023-38472
> >> CVE-2023-38473
> >>
> >> Upstream-Status: Backport [
> https://github.com/lathiat/avahi/commit/a337a1ba7d15853fb56deef1f464529af6e3a1cf
> >> &
> >>
> https://github.com/lathiat/avahi/commit/c6cab87df290448a63323c8ca759baa516166237
> >> &
> >>
> https://github.com/lathiat/avahi/commit/94cb6489114636940ac683515417990b55b5d66c
> >> &
> >>
> https://github.com/lathiat/avahi/commit/894f085f402e023a98cbb6f5a3d117bd88d93b09
> >> &
> >>
> https://github.com/lathiat/avahi/commit/b024ae5749f4aeba03478e6391687c3c9c8dee40
> >> &
> >>
> https://github.com/lathiat/avahi/commit/b448c9f771bada14ae8de175695a9729f8646797
> ]
> >>
> >> Signed-off-by: Vijay Anusuri <vanus...@mvista.com>
> >> ---
> >> meta/recipes-connectivity/avahi/avahi_0.8.bb
> <https://urldefense.com/v3/__http://avahi_0.8.bb__;!!AjveYdw8EvQ!YPO7NIVZeFhisahLwBZhGe79g5KJTQ1xZy2oR8nOiu1HFt04VXa4FsGlVur74kFZ8fbQ-9H_LG6OXVHPSo_Ck9E$>
> |   6 +
> >> .../avahi/files/CVE-2023-38469-1.patch        |  47 ++++++++
> >> .../avahi/files/CVE-2023-38469-2.patch        |  65 +++++++++++
> >> .../avahi/files/CVE-2023-38470.patch          |  56 +++++++++
> >> .../avahi/files/CVE-2023-38471.patch          |  72 ++++++++++++
> >> .../avahi/files/CVE-2023-38472.patch          |  47 ++++++++
> >> .../avahi/files/CVE-2023-38473.patch          | 108 ++++++++++++++++++
> >> 7 files changed, 401 insertions(+)
> >> create mode 100644
> meta/recipes-connectivity/avahi/files/CVE-2023-38469-1.patch
> >> create mode 100644
> meta/recipes-connectivity/avahi/files/CVE-2023-38469-2.patch
> >> create mode 100644
> meta/recipes-connectivity/avahi/files/CVE-2023-38470.patch
> >> create mode 100644
> meta/recipes-connectivity/avahi/files/CVE-2023-38471.patch
> >> create mode 100644
> meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch
> >> create mode 100644
> meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch
> >>
> >> diff --git a/meta/recipes-connectivity/avahi/avahi_0.8.bb
> <https://urldefense.com/v3/__http://avahi_0.8.bb__;!!AjveYdw8EvQ!YPO7NIVZeFhisahLwBZhGe79g5KJTQ1xZy2oR8nOiu1HFt04VXa4FsGlVur74kFZ8fbQ-9H_LG6OXVHPSo_Ck9E$>
> b/meta/recipes-connectivity/avahi/avahi_0.8.bb
> <https://urldefense.com/v3/__http://avahi_0.8.bb__;!!AjveYdw8EvQ!YPO7NIVZeFhisahLwBZhGe79g5KJTQ1xZy2oR8nOiu1HFt04VXa4FsGlVur74kFZ8fbQ-9H_LG6OXVHPSo_Ck9E$>
> >> index b5c966c102..772fb43939 100644
> >> --- a/meta/recipes-connectivity/avahi/avahi_0.8.bb
> <https://urldefense.com/v3/__http://avahi_0.8.bb__;!!AjveYdw8EvQ!YPO7NIVZeFhisahLwBZhGe79g5KJTQ1xZy2oR8nOiu1HFt04VXa4FsGlVur74kFZ8fbQ-9H_LG6OXVHPSo_Ck9E$>
> >> +++ b/meta/recipes-connectivity/avahi/avahi_0.8.bb
> <https://urldefense.com/v3/__http://avahi_0.8.bb__;!!AjveYdw8EvQ!YPO7NIVZeFhisahLwBZhGe79g5KJTQ1xZy2oR8nOiu1HFt04VXa4FsGlVur74kFZ8fbQ-9H_LG6OXVHPSo_Ck9E$>
> >> @@ -26,6 +26,12 @@ SRC_URI = "
> https://github.com/lathiat/avahi/releases/download/v${PV}/avahi-${PV}
> <https://urldefense.com/v3/__https://github.com/lathiat/avahi/releases/download/v$*7BPV*7D/avahi-$*7BPV*7D__;JSUlJQ!!AjveYdw8EvQ!YPO7NIVZeFhisahLwBZhGe79g5KJTQ1xZy2oR8nOiu1HFt04VXa4FsGlVur74kFZ8fbQ-9H_LG6OXVHP0Am2ovI$>
> >>             file://0001-Fix-opening-etc-resolv.conf-error.patch \
> >>             file://handle-hup.patch \
> >>             file://local-ping.patch \
> >> +           file://CVE-2023-38469-1.patch \
> >> +           file://CVE-2023-38469-2.patch \
> >> +           file://CVE-2023-38470.patch \
> >> +           file://CVE-2023-38471.patch \
> >> +           file://CVE-2023-38472.patch \
> >> +           file://CVE-2023-38473.patch \
> >>             "
> >>
> >> UPSTREAM_CHECK_URI = "https://github.com/lathiat/avahi/releases/
> <https://urldefense.com/v3/__https://github.com/lathiat/avahi/releases/__;!!AjveYdw8EvQ!YPO7NIVZeFhisahLwBZhGe79g5KJTQ1xZy2oR8nOiu1HFt04VXa4FsGlVur74kFZ8fbQ-9H_LG6OXVHP0Xuk60k$>
> "
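
Review bot: the order of the six new SRC_URI entries matters and the
recipe does not say so. CVE-2023-38472.patch changes
avahi-client/client-test.c starting from blob 66e3574, which is the result
of CVE-2023-38469-2.patch (index 7d04a6a..66e3574), so it will not apply if
the two lines are ever reordered or if 38469-2 is dropped as test-only. A
one-line comment above the entries, or a sentence in the commit message,
would keep a later cleanup from breaking do_patch.
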
> >> diff --git
> a/meta/recipes-connectivity/avahi/files/CVE-2023-38469-1.patch
> b/meta/recipes-connectivity/avahi/files/CVE-2023-38469-1.patch
> >> new file mode 100644
> >> index 0000000000..99c717daf3
> >> --- /dev/null
> >> +++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38469-1.patch
> >> @@ -0,0 +1,47 @@
> >> +From a337a1ba7d15853fb56deef1f464529af6e3a1cf Mon Sep 17 00:00:00 2001
> >> +From: Evgeny Vereshchagin <evv...@ya.ru>
> >> +Date: Mon, 23 Oct 2023 20:29:31 +0000
> >> +Subject: [PATCH] core: reject overly long TXT resource records
> >> +
> >> +Closes https://github.com/lathiat/avahi/issues/455
> <https://urldefense.com/v3/__https://github.com/lathiat/avahi/issues/455__;!!AjveYdw8EvQ!YPO7NIVZeFhisahLwBZhGe79g5KJTQ1xZy2oR8nOiu1HFt04VXa4FsGlVur74kFZ8fbQ-9H_LG6OXVHP-9siEVs$>
> >> +
> >> +CVE-2023-38469
> >> +
> >> +Upstream-Status: Backport [
> https://github.com/lathiat/avahi/commit/a337a1ba7d15853fb56deef1f464529af6e3a1cf
> <https://urldefense.com/v3/__https://github.com/lathiat/avahi/commit/a337a1ba7d15853fb56deef1f464529af6e3a1cf__;!!AjveYdw8EvQ!YPO7NIVZeFhisahLwBZhGe79g5KJTQ1xZy2oR8nOiu1HFt04VXa4FsGlVur74kFZ8fbQ-9H_LG6OXVHPSO96cKo$>
> ]
> >> +CVE: CVE-2023-38469
> >> +Signed-off-by: Vijay Anusuri <vanus...@mvista.com>
> >> +---
> >> + avahi-core/rr.c | 9 ++++++++-
> >> + 1 file changed, 8 insertions(+), 1 deletion(-)
> >> +
> >> +diff --git a/avahi-core/rr.c b/avahi-core/rr.c
> >> +index 2bb89244..9c04ebbd 100644
> >> +--- a/avahi-core/rr.c
> >> ++++ b/avahi-core/rr.c
> >> +@@ -32,6 +32,7 @@
> >> + #include <avahi-common/malloc.h>
> >> + #include <avahi-common/defs.h>
> >> +
> >> ++#include "dns.h"
> >> + #include "rr.h"
> >> + #include "log.h"
> >> + #include "util.h"
> >> +@@ -689,11 +690,17 @@ int avahi_record_is_valid(AvahiRecord *r) {
> >> +         case AVAHI_DNS_TYPE_TXT: {
> >> +
> >> +             AvahiStringList *strlst;
> >> ++            size_t used = 0;
> >> +
> >> +-            for (strlst = r->data.txt.string_list; strlst; strlst =
> strlst->next)
> >> ++            for (strlst = r->data.txt.string_list; strlst; strlst =
> strlst->next) {
> >> +                 if (strlst->size > 255 || strlst->size <= 0)
> >> +                     return 0;
> >> +
> >> ++                used += 1+strlst->size;
> >> ++                if (used > AVAHI_DNS_RDATA_MAX)
> >> ++                    return 0;
> >> ++            }
> >> ++
> >> +             return 1;
> >> +         }
> >> +     }
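
Review bot: in the avahi_record_is_valid() hunk, `used += 1+strlst->size;`
carries an unexplained `1`. It is the length octet that precedes each
character-string in TXT RDATA, which is why the running total, not the sum
of the string sizes, is compared against AVAHI_DNS_RDATA_MAX. The backport
keeps upstream's code as is, so the place to say this is the patch header,
which currently gives only the upstream subject and issue link.
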
> >> diff --git
> a/meta/recipes-connectivity/avahi/files/CVE-2023-38469-2.patch
> b/meta/recipes-connectivity/avahi/files/CVE-2023-38469-2.patch
> >> new file mode 100644
> >> index 0000000000..b83a70e29b
> >> --- /dev/null
> >> +++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38469-2.patch
> >> @@ -0,0 +1,65 @@
> >> +From c6cab87df290448a63323c8ca759baa516166237 Mon Sep 17 00:00:00 2001
> >> +From: Evgeny Vereshchagin <evv...@ya.ru>
> >> +Date: Wed, 25 Oct 2023 18:15:42 +0000
> >> +Subject: [PATCH] tests: pass overly long TXT resource records
> >> +
> >> +to make sure they don't crash avahi any more.
> >> +
> >> +It reproduces https://github.com/lathiat/avahi/issues/455
> <https://urldefense.com/v3/__https://github.com/lathiat/avahi/issues/455__;!!AjveYdw8EvQ!YPO7NIVZeFhisahLwBZhGe79g5KJTQ1xZy2oR8nOiu1HFt04VXa4FsGlVur74kFZ8fbQ-9H_LG6OXVHP-9siEVs$>
> >> +
> >> +Upstream-Status: Backport [
> https://github.com/lathiat/avahi/commit/c6cab87df290448a63323c8ca759baa516166237
> <https://urldefense.com/v3/__https://github.com/lathiat/avahi/commit/c6cab87df290448a63323c8ca759baa516166237__;!!AjveYdw8EvQ!YPO7NIVZeFhisahLwBZhGe79g5KJTQ1xZy2oR8nOiu1HFt04VXa4FsGlVur74kFZ8fbQ-9H_LG6OXVHPlqjXgoU$>
> ]
> >> +CVE: CVE-2023-38469
> >> +Signed-off-by: Vijay Anusuri <vanus...@mvista.com>
> >> +---
> >> + avahi-client/client-test.c | 14 ++++++++++++++
> >> + 1 file changed, 14 insertions(+)
> >> +
> >> +diff --git a/avahi-client/client-test.c b/avahi-client/client-test.c
> >> +index 7d04a6a..66e3574 100644
> >> +--- a/avahi-client/client-test.c
> >> ++++ b/avahi-client/client-test.c
> >> +@@ -22,6 +22,7 @@
> >> + #endif
> >> +
> >> + #include <stdio.h>
> >> ++#include <string.h>
> >> + #include <assert.h>
> >> +
> >> + #include <avahi-client/client.h>
> >> +@@ -33,6 +34,8 @@
> >> + #include <avahi-common/malloc.h>
> >> + #include <avahi-common/timeval.h>
> >> +
> >> ++#include <avahi-core/dns.h>
> >> ++
> >> + static const AvahiPoll *poll_api = NULL;
> >> + static AvahiSimplePoll *simple_poll = NULL;
> >> +
> >> +@@ -222,6 +225,9 @@ int main (AVAHI_GCC_UNUSED int argc,
> AVAHI_GCC_UNUSED char *argv[]) {
> >> +     uint32_t cookie;
> >> +     struct timeval tv;
> >> +     AvahiAddress a;
> >> ++    uint8_t rdata[AVAHI_DNS_RDATA_MAX+1];
> >> ++    AvahiStringList *txt = NULL;
> >> ++    int r;
> >> +
> >> +     simple_poll = avahi_simple_poll_new();
> >> +     poll_api = avahi_simple_poll_get(simple_poll);
> >> +@@ -258,6 +264,14 @@ int main (AVAHI_GCC_UNUSED int argc,
> AVAHI_GCC_UNUSED char *argv[]) {
> >> +     printf("%s\n", avahi_strerror(avahi_entry_group_add_service
> (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "Lathiat's Site",
> "_http._tcp", NULL, NULL, 80, "foo=bar", NULL)));
> >> +     printf("add_record: %d\n", avahi_entry_group_add_record (group,
> AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120,
> "\5booya", 6));
> >> +
> >> ++    memset(rdata, 1, sizeof(rdata));
> >> ++    r = avahi_string_list_parse(rdata, sizeof(rdata), &txt);
> >> ++    assert(r >= 0);
> >> ++    assert(avahi_string_list_serialize(txt, NULL, 0) ==
> sizeof(rdata));
> >> ++    error = avahi_entry_group_add_service_strlst(group,
> AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", "_qotd._tcp", NULL, NULL,
> 123, txt);
> >> ++    assert(error == AVAHI_ERR_INVALID_RECORD);
> >> ++    avahi_string_list_free(txt);
> >> ++
> >> +     avahi_entry_group_commit (group);
> >> +
> >> +     domain = avahi_domain_browser_new (avahi, AVAHI_IF_UNSPEC,
> AVAHI_PROTO_UNSPEC, NULL, AVAHI_DOMAIN_BROWSER_BROWSE, 0,
> avahi_domain_browser_callback, (char*) "omghai3u");
> >> +--
> >> +2.25.1
> >> +
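
Review bot: this patch touches only avahi-client/client-test.c, so it
changes nothing in the built daemon or libraries; the header should say it
is the regression test for CVE-2023-38469-1.patch rather than a second part
of the fix. The added checks are all assert() calls (`assert(r >= 0);`,
`assert(error == AVAHI_ERR_INVALID_RECORD);`), which disappear in an NDEBUG
build, and they exercise only the rejecting side at AVAHI_DNS_RDATA_MAX+1
bytes. A case at exactly AVAHI_DNS_RDATA_MAX that is still accepted would
pin the boundary.
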
> >> diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38470.patch
> b/meta/recipes-connectivity/avahi/files/CVE-2023-38470.patch
> >> new file mode 100644
> >> index 0000000000..1cbb00dcab
> >> --- /dev/null
> >> +++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38470.patch
> >> @@ -0,0 +1,56 @@
> >> +From 94cb6489114636940ac683515417990b55b5d66c Mon Sep 17 00:00:00 2001
> >> +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemen...@redhat.com>
> >> +Date: Tue, 11 Apr 2023 15:29:59 +0200
> >> +Subject: [PATCH] Ensure each label is at least one byte long
> >> +
> >> +The only allowed exception is single dot, where it should return empty
> >> +string.
> >> +
> >> +Fixes #454.
> >> +
> >> +Upstream-Status: Backport [
> https://github.com/lathiat/avahi/commit/94cb6489114636940ac683515417990b55b5d66c
> <https://urldefense.com/v3/__https://github.com/lathiat/avahi/commit/94cb6489114636940ac683515417990b55b5d66c__;!!AjveYdw8EvQ!YPO7NIVZeFhisahLwBZhGe79g5KJTQ1xZy2oR8nOiu1HFt04VXa4FsGlVur74kFZ8fbQ-9H_LG6OXVHPRzxTKP8$>
> ]
> >> +CVE: CVE-2023-38470
> >> +Signed-off-by: Vijay Anusuri <vanus...@mvista.com>
> >> +---
> >> + avahi-common/domain-test.c | 14 ++++++++++++++
> >> + avahi-common/domain.c      |  2 +-
> >> + 2 files changed, 15 insertions(+), 1 deletion(-)
> >> +
> >> +diff --git a/avahi-common/domain-test.c b/avahi-common/domain-test.c
> >> +index cf763eca6..3acc1c1e4 100644
> >> +--- a/avahi-common/domain-test.c
> >> ++++ b/avahi-common/domain-test.c
> >> +@@ -45,6 +45,20 @@ int main(AVAHI_GCC_UNUSED int argc,
> AVAHI_GCC_UNUSED char *argv[]) {
> >> +     printf("%s\n", s = avahi_normalize_name_strdup("fo\\\\o\\..f
> oo."));
> >> +     avahi_free(s);
> >> +
> >> ++    printf("%s\n", s = avahi_normalize_name_strdup("."));
> >> ++    avahi_free(s);
> >> ++
> >> ++    s =
> avahi_normalize_name_strdup(",.=.}.=.?-.}.=.?.?.}.}.?.?.?.z.?.?.}.}."
> >> ++    "}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.=.=.?.?.}.}.?.?.}.}.}"
> >> ++    ".?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.=.=.?.?.}.}.?.?.?.zM.?`"
> >> ++    "?.}.}.}.?.?.?.r.=.?.}.=.?.?.}.?.?.?.}.=.?.?.}??.}.}.?.?."
> >> ++    "?.z.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.?`?.}.}.}."
> >> ++    "??.?.zM.?`?.}.}.}.?.?.?.r.=.?.}.=.?.?.}.?.?.?.}.=.?.?.}?"
> >> ++    "?.}.}.?.?.?.z.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM."
> >> ++    "?`?.}.}.}.?.?.?.r.=.=.?.?`.?.?}.}.}.?.?.?.r.=.?.}.=.?.?."
> >> ++    "}.?.?.?.}.=.?.?.}");
> >> ++    assert(s == NULL);
> >> ++
> >> +     printf("%i\n", avahi_domain_equal("\\065aa
> bbb\\.\\046cc.cc\\\\.dee.fff.", "Aaa BBB\\.\\.cc.cc\\\\.dee.fff"));
> >> +     printf("%i\n", avahi_domain_equal("A", "a"));
> >> +
> >> +diff --git a/avahi-common/domain.c b/avahi-common/domain.c
> >> +index 3b1ab6834..e66d2416c 100644
> >> +--- a/avahi-common/domain.c
> >> ++++ b/avahi-common/domain.c
> >> +@@ -201,7 +201,7 @@ char *avahi_normalize_name(const char *s, char
> *ret_s, size_t size) {
> >> +         }
> >> +
> >> +         if (!empty) {
> >> +-            if (size < 1)
> >> ++            if (size < 2)
> >> +                 return NULL;
> >> +
> >> +             *(r++) = '.';
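
Review bot: the one-character change in avahi_normalize_name(), from
`if (size < 1)` to `if (size < 2)`, has no comment explaining the 2. Read
together with the subject line, it requires room for the separating '.'
plus at least one byte of the label that follows; saying so in the patch
header would help whoever rebases this. In the domain-test.c hunk the long
input is an opaque string and `assert(s == NULL);` is its only check, so a
short comment naming issue #454 as its origin would make the test readable.
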
> >> diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38471.patch
> b/meta/recipes-connectivity/avahi/files/CVE-2023-38471.patch
> >> new file mode 100644
> >> index 0000000000..8242646da1
> >> --- /dev/null
> >> +++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38471.patch
> >> @@ -0,0 +1,72 @@
> >> +From 894f085f402e023a98cbb6f5a3d117bd88d93b09 Mon Sep 17 00:00:00 2001
> >> +From: Michal Sekletar <msekl...@redhat.com>
> >> +Date: Mon, 23 Oct 2023 13:38:35 +0200
> >> +Subject: [PATCH] core: extract host name using avahi_unescape_label()
> >> +
> >> +Previously we could create invalid escape sequence when we split the
> >> +string on dot. For example, from valid host name "foo\\.bar" we have
> >> +created invalid name "foo\\" and tried to set that as the host name
> >> +which crashed the daemon.
> >> +
> >> +Fixes #453
> >> +
> >> +CVE-2023-38471
> >> +
> >> +Upstream-Status: Backport [
> https://github.com/lathiat/avahi/commit/894f085f402e023a98cbb6f5a3d117bd88d93b09
> <https://urldefense.com/v3/__https://github.com/lathiat/avahi/commit/894f085f402e023a98cbb6f5a3d117bd88d93b09__;!!AjveYdw8EvQ!YPO7NIVZeFhisahLwBZhGe79g5KJTQ1xZy2oR8nOiu1HFt04VXa4FsGlVur74kFZ8fbQ-9H_LG6OXVHPwzmpbVo$>
> ]
> >> +CVE: CVE-2023-38471
> >> +Signed-off-by: Vijay Anusuri <vanus...@mvista.com>
> >> +---
> >> + avahi-core/server.c | 27 +++++++++++++++++++++------
> >> + 1 file changed, 21 insertions(+), 6 deletions(-)
> >> +
> >> +diff --git a/avahi-core/server.c b/avahi-core/server.c
> >> +index c32637af8..f6a21bb77 100644
> >> +--- a/avahi-core/server.c
> >> ++++ b/avahi-core/server.c
> >> +@@ -1295,7 +1295,11 @@ static void update_fqdn(AvahiServer *s) {
> >> + }
> >> +
> >> + int avahi_server_set_host_name(AvahiServer *s, const char *host_name)
> {
> >> +-    char *hn = NULL;
> >> ++    char label_escaped[AVAHI_LABEL_MAX*4+1];
> >> ++    char label[AVAHI_LABEL_MAX];
> >> ++    char *hn = NULL, *h;
> >> ++    size_t len;
> >> ++
> >> +     assert(s);
> >> +
> >> +     AVAHI_CHECK_VALIDITY(s, !host_name ||
> avahi_is_valid_host_name(host_name), AVAHI_ERR_INVALID_HOST_NAME);
> >> +@@ -1305,17 +1309,28 @@ int avahi_server_set_host_name(AvahiServer *s,
> const char *host_name) {
> >> +     else
> >> +         hn = avahi_normalize_name_strdup(host_name);
> >> +
> >> +-    hn[strcspn(hn, ".")] = 0;
> >> ++    h = hn;
> >> ++    if (!avahi_unescape_label((const char **)&hn, label,
> sizeof(label))) {
> >> ++        avahi_free(h);
> >> ++        return AVAHI_ERR_INVALID_HOST_NAME;
> >> ++    }
> >> ++
> >> ++    avahi_free(h);
> >> ++
> >> ++    h = label_escaped;
> >> ++    len = sizeof(label_escaped);
> >> ++    if (!avahi_escape_label(label, strlen(label), &h, &len))
> >> ++        return AVAHI_ERR_INVALID_HOST_NAME;
> >> +
> >> +-    if (avahi_domain_equal(s->host_name, hn) && s->state !=
> AVAHI_SERVER_COLLISION) {
> >> +-        avahi_free(hn);
> >> ++    if (avahi_domain_equal(s->host_name, label_escaped) && s->state
> != AVAHI_SERVER_COLLISION)
> >> +         return avahi_server_set_errno(s, AVAHI_ERR_NO_CHANGE);
> >> +-    }
> >> +
> >> +     withdraw_host_rrs(s);
> >> +
> >> +     avahi_free(s->host_name);
> >> +-    s->host_name = hn;
> >> ++    s->host_name = avahi_strdup(label_escaped);
> >> ++    if (!s->host_name)
> >> ++        return AVAHI_ERR_NO_MEMORY;
> >> +
> >> +     update_fqdn(s);
> >> +
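
Review bot: the new error paths in avahi_server_set_host_name() are
inconsistent, and one leaves the server half-updated. Both
`return AVAHI_ERR_INVALID_HOST_NAME;` returns and
`return AVAHI_ERR_NO_MEMORY;` hand back the code directly, while the
unchanged AVAHI_ERR_NO_CHANGE path goes through avahi_server_set_errno().
The AVAHI_ERR_NO_MEMORY return also comes after withdraw_host_rrs(s) and
avahi_free(s->host_name), so on allocation failure the host records are
already withdrawn and s->host_name is NULL. Doing the
avahi_strdup(label_escaped) before withdraw_host_rrs(s) would avoid that;
this is worth raising upstream rather than diverging in the backport.
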
> >> diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch
> b/meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch
> >> new file mode 100644
> >> index 0000000000..43b26c1132
> >> --- /dev/null
> >> +++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch
> >> @@ -0,0 +1,47 @@
> >> +From b024ae5749f4aeba03478e6391687c3c9c8dee40 Mon Sep 17 00:00:00 2001
> >> +From: Michal Sekletar <msekl...@redhat.com>
> >> +Date: Thu, 19 Oct 2023 17:36:44 +0200
> >> +Subject: [PATCH] core: make sure there is rdata to process before
> parsing it
> >> +
> >> +Fixes #452
> >> +
> >> +CVE-2023-38472
> >> +
> >> +Upstream-Status: Backport [
> https://github.com/lathiat/avahi/commit/b024ae5749f4aeba03478e6391687c3c9c8dee40
> <https://urldefense.com/v3/__https://github.com/lathiat/avahi/commit/b024ae5749f4aeba03478e6391687c3c9c8dee40__;!!AjveYdw8EvQ!YPO7NIVZeFhisahLwBZhGe79g5KJTQ1xZy2oR8nOiu1HFt04VXa4FsGlVur74kFZ8fbQ-9H_LG6OXVHPOROFOvo$>
> ]
> >> +CVE: CVE-2023-38472
> >> +Signed-off-by: Vijay Anusuri <vanus...@mvista.com>
> >> +---
> >> + avahi-client/client-test.c      | 3 +++
> >> + avahi-daemon/dbus-entry-group.c | 2 +-
> >> + 2 files changed, 4 insertions(+), 1 deletion(-)
> >> +
> >> +diff --git a/avahi-client/client-test.c b/avahi-client/client-test.c
> >> +index 66e3574..9a015d7 100644
> >> +--- a/avahi-client/client-test.c
> >> ++++ b/avahi-client/client-test.c
> >> +@@ -272,6 +272,9 @@ int main (AVAHI_GCC_UNUSED int argc,
> AVAHI_GCC_UNUSED char *argv[]) {
> >> +     assert(error == AVAHI_ERR_INVALID_RECORD);
> >> +     avahi_string_list_free(txt);
> >> +
> >> ++    error = avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC,
> AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "", 0);
> >> ++    assert(error != AVAHI_OK);
> >> ++
> >> +     avahi_entry_group_commit (group);
> >> +
> >> +     domain = avahi_domain_browser_new (avahi, AVAHI_IF_UNSPEC,
> AVAHI_PROTO_UNSPEC, NULL, AVAHI_DOMAIN_BROWSER_BROWSE, 0,
> avahi_domain_browser_callback, (char*) "omghai3u");
> >> +diff --git a/avahi-daemon/dbus-entry-group.c
> b/avahi-daemon/dbus-entry-group.c
> >> +index 4e879a5..aa23d4b 100644
> >> +--- a/avahi-daemon/dbus-entry-group.c
> >> ++++ b/avahi-daemon/dbus-entry-group.c
> >> +@@ -340,7 +340,7 @@ DBusHandlerResult
> avahi_dbus_msg_entry_group_impl(DBusConnection *c, DBusMessage
> >> +         if (!(r = avahi_record_new_full (name, clazz, type, ttl)))
> >> +             return avahi_dbus_respond_error(c, m,
> AVAHI_ERR_NO_MEMORY, NULL);
> >> +
> >> +-        if (avahi_rdata_parse (r, rdata, size) < 0) {
> >> ++        if (!rdata || avahi_rdata_parse (r, rdata, size) < 0) {
> >> +             avahi_record_unref (r);
> >> +             return avahi_dbus_respond_error(c, m,
> AVAHI_ERR_INVALID_RDATA, NULL);
> >> +         }
> >> +--
> >> +2.25.1
> >> +
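
Review bot: in avahi_dbus_msg_entry_group_impl() the guard added is
`!rdata`, but the new test passes a non-NULL empty string with length 0
(`"", 0`), so the test reaches the guard only if an empty byte array
arrives in the daemon as a NULL pointer. The patch header should state
that, or the condition should also cover `size == 0`. The test's
`assert(error != AVAHI_OK);` is also looser than it needs to be, given that
the daemon path shown here returns AVAHI_ERR_INVALID_RDATA.
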
> >> diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch
> b/meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch
> >> new file mode 100644
> >> index 0000000000..7b33d564f8
> >> --- /dev/null
> >> +++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch
> >> @@ -0,0 +1,108 @@
> >> +From b448c9f771bada14ae8de175695a9729f8646797 Mon Sep 17 00:00:00 2001
> >> +From: Michal Sekletar <msekl...@redhat.com>
> >> +Date: Wed, 11 Oct 2023 17:45:44 +0200
> >> +Subject: [PATCH] common: derive alternative host name from its
> unescaped
> >> + version
> >> +
> >> +Normalization of input makes sure we don't have to deal with special
> >> +cases like unescaped dot at the end of label.
> >> +
> >> +Fixes #451 #487
> >> +CVE-2023-38473
> >> +
> >> +Upstream-Status: Backport [
> https://github.com/lathiat/avahi/commit/b448c9f771bada14ae8de175695a9729f8646797
> <https://urldefense.com/v3/__https://github.com/lathiat/avahi/commit/b448c9f771bada14ae8de175695a9729f8646797__;!!AjveYdw8EvQ!YPO7NIVZeFhisahLwBZhGe79g5KJTQ1xZy2oR8nOiu1HFt04VXa4FsGlVur74kFZ8fbQ-9H_LG6OXVHPLLeXBTg$>
> ]
> >> +CVE: CVE-2023-38473
> >> +Signed-off-by: Vijay Anusuri <vanus...@mvista.com>
> >> +---
> >> + avahi-common/alternative-test.c |  3 +++
> >> + avahi-common/alternative.c      | 27 +++++++++++++++++++--------
> >> + 2 files changed, 22 insertions(+), 8 deletions(-)
> >> +
> >> +diff --git a/avahi-common/alternative-test.c
> b/avahi-common/alternative-test.c
> >> +index 9255435ec..681fc15b8 100644
> >> +--- a/avahi-common/alternative-test.c
> >> ++++ b/avahi-common/alternative-test.c
> >> +@@ -31,6 +31,9 @@ int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED
> char *argv[]) {
> >> +     const char* const test_strings[] = {
> >> +
>  "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
> >> +         "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXüüüüüüü",
> >> ++        ").",
> >> ++        "\\.",
> >> ++
> "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\\\",
> >> +         "gurke",
> >> +         "-",
> >> +         " #",
> >> +diff --git a/avahi-common/alternative.c b/avahi-common/alternative.c
> >> +index b3d39f0ed..a094e6d76 100644
> >> +--- a/avahi-common/alternative.c
> >> ++++ b/avahi-common/alternative.c
> >> +@@ -49,15 +49,20 @@ static void drop_incomplete_utf8(char *c) {
> >> + }
> >> +
> >> + char *avahi_alternative_host_name(const char *s) {
> >> ++    char label[AVAHI_LABEL_MAX], alternative[AVAHI_LABEL_MAX*4+1];
> >> ++    char *alt, *r, *ret;
> >> +     const char *e;
> >> +-    char *r;
> >> ++    size_t len;
> >> +
> >> +     assert(s);
> >> +
> >> +     if (!avahi_is_valid_host_name(s))
> >> +         return NULL;
> >> +
> >> +-    if ((e = strrchr(s, '-'))) {
> >> ++    if (!avahi_unescape_label(&s, label, sizeof(label)))
> >> ++        return NULL;
> >> ++
> >> ++    if ((e = strrchr(label, '-'))) {
> >> +         const char *p;
> >> +
> >> +         e++;
> >> +@@ -74,19 +79,18 @@ char *avahi_alternative_host_name(const char *s) {
> >> +
> >> +     if (e) {
> >> +         char *c, *m;
> >> +-        size_t l;
> >> +         int n;
> >> +
> >> +         n = atoi(e)+1;
> >> +         if (!(m = avahi_strdup_printf("%i", n)))
> >> +             return NULL;
> >> +
> >> +-        l = e-s-1;
> >> ++        len = e-label-1;
> >> +
> >> +-        if (l >= AVAHI_LABEL_MAX-1-strlen(m)-1)
> >> +-            l = AVAHI_LABEL_MAX-1-strlen(m)-1;
> >> ++        if (len >= AVAHI_LABEL_MAX-1-strlen(m)-1)
> >> ++            len = AVAHI_LABEL_MAX-1-strlen(m)-1;
> >> +
> >> +-        if (!(c = avahi_strndup(s, l))) {
> >> ++        if (!(c = avahi_strndup(label, len))) {
> >> +             avahi_free(m);
> >> +             return NULL;
> >> +         }
> >> +@@ -100,7 +104,7 @@ char *avahi_alternative_host_name(const char *s) {
> >> +     } else {
> >> +         char *c;
> >> +
> >> +-        if (!(c = avahi_strndup(s, AVAHI_LABEL_MAX-1-2)))
> >> ++        if (!(c = avahi_strndup(label, AVAHI_LABEL_MAX-1-2)))
> >> +             return NULL;
> >> +
> >> +         drop_incomplete_utf8(c);
> >> +@@ -109,6 +113,13 @@ char *avahi_alternative_host_name(const char *s) {
> >> +         avahi_free(c);
> >> +     }
> >> +
> >> ++    alt = alternative;
> >> ++    len = sizeof(alternative);
> >> ++    ret = avahi_escape_label(r, strlen(r), &alt, &len);
> >> ++
> >> ++    avahi_free(r);
> >> ++    r = avahi_strdup(ret);
> >> ++
> >> +     assert(avahi_is_valid_host_name(r));
> >> +
> >> +     return r;
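
Review bot: at the end of avahi_alternative_host_name() the result of
`ret = avahi_escape_label(r, strlen(r), &alt, &len);` is never checked
before `r = avahi_strdup(ret);`. CVE-2023-38471.patch treats a NULL return
from the same call as an error, so here a failed escape, or a failed
avahi_strdup(), reaches `assert(avahi_is_valid_host_name(r));` with nothing
having tested for NULL. Returning NULL when `ret` or the duplicated string
is NULL, as the earlier `return NULL` paths in this function do, would
close that.
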
> >> --
> >> 2.25.1
> >>
> >>
> >>
> >>
> >
> >
> >
>
> --
> Jeremy Puhlman
> jpuhl...@mvista.com
>
>
>
>
>
> 
>
>
>
> --
> # Randy MacLeod
> # Wind River Linux
>
>
View/Reply Online (#190887):
https://lists.openembedded.org/g/openembedded-core/message/190887