Your message dated Mon, 19 May 2025 14:45:32 +0000
with message-id <[email protected]>
and subject line unblock connman
has caused the Debian Bug report #1106043,
regarding unblock: connman/1.44-3
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1106043: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106043
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:connman
User: [email protected]
Usertags: unblock
Please unblock package connman
[ Reason ]
To fix two security issues CVE-2025-32366 (Closes: #1102193) and
CVE-2025-32743 (Closes: #1103530). Patches are cherry-picked from
upstream and are fairly trivial.
[ Impact ]
Fewer security issues in Trixie's release that would need to be fixed
later by the security or LTS teams.
[ Tests ]
The package builds fine and has been in unstable/Ubuntu for about a week
without any complaints.
[ Risks ]
The risks are low since these patches come from upstream and are trivial.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
unblock connman/1.44-3
diff -Nru connman-1.44/debian/changelog connman-1.44/debian/changelog
--- connman-1.44/debian/changelog 2025-04-12 17:40:21.000000000 +0200
+++ connman-1.44/debian/changelog 2025-05-13 09:06:57.000000000 +0200
@@ -1,3 +1,18 @@
+connman (1.44-3) unstable; urgency=medium
+
+ * Cherry-pick upstream patch fixing CVE-2025-32366 (Closes: #1102193)
+ * Set myself as Maintainer.
+ * Improve DEP3 headers of other patches.
+
+ -- Dylan Aïssi <[email protected]> Tue, 13 May 2025 09:06:57 +0200
+
+connman (1.44-2) unstable; urgency=medium
+
+ * Team upload.
+ * Cherry-pick upstream patch fixing CVE-2025-32743 (Closes: #1103530)
+
+ -- Dylan Aïssi <[email protected]> Tue, 06 May 2025 22:47:54 +0200
+
connman (1.44-1) unstable; urgency=medium
* Team upload.
diff -Nru connman-1.44/debian/control connman-1.44/debian/control
--- connman-1.44/debian/control 2025-04-12 17:40:21.000000000 +0200
+++ connman-1.44/debian/control 2025-05-13 09:06:57.000000000 +0200
@@ -1,7 +1,8 @@
Source: connman
-Maintainer: Vignesh Raman <[email protected]>
+Maintainer: Dylan Aïssi <[email protected]>
Uploaders: Alexander Sack <[email protected]>,
- Alf Gaida <[email protected]>
+ Alf Gaida <[email protected]>,
+ Vignesh Raman <[email protected]>
Section: net
Priority: optional
Build-Depends: debhelper-compat (= 13),
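Review bot: The Maintainer swap in debian/control (Dylan Aïssi becomes Maintainer, Vignesh Raman moves to Uploaders) is unrelated to the two CVE fixes this upload is requested for, and the [ Reason ] section of the unblock request does not mention it. It is metadata only, but it should be called out in the request alongside the DEP3 header changes so the debdiff holds nothing the reviewer was not told to expect.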
diff -Nru
connman-1.44/debian/patches/02-systemd-service-file-shutdown-problems.patch
connman-1.44/debian/patches/02-systemd-service-file-shutdown-problems.patch
--- connman-1.44/debian/patches/02-systemd-service-file-shutdown-problems.patch
2025-04-12 17:40:21.000000000 +0200
+++ connman-1.44/debian/patches/02-systemd-service-file-shutdown-problems.patch
2025-05-13 09:06:57.000000000 +0200
@@ -3,6 +3,7 @@
https://lintian.debian.org/tags/systemd-service-file-shutdown-problems.html
Forwarded: not needed
Last-Update: 2019-05-01
+Author: Alf Gaida <[email protected]>
--- a/src/connman-wait-online.service.in
+++ b/src/connman-wait-online.service.in
diff -Nru connman-1.44/debian/patches/CVE-2025-32366.patch
connman-1.44/debian/patches/CVE-2025-32366.patch
--- connman-1.44/debian/patches/CVE-2025-32366.patch 1970-01-01
01:00:00.000000000 +0100
+++ connman-1.44/debian/patches/CVE-2025-32366.patch 2025-05-13
09:06:57.000000000 +0200
@@ -0,0 +1,41 @@
+From 8d3be0285f1d4667bfe85dba555c663eb3d704b4 Mon Sep 17 00:00:00 2001
+From: "신윤제(학부생-소프트웨어전공)" <[email protected]>
+Date: Mon, 12 May 2025 10:48:18 +0200
+Subject: dnsproxy: Address CVE-2025-32366 vulnerability
+
+In Connman parse_rr in dnsproxy.c has a memcpy length
+that depends on an RR RDLENGTH value (i.e., *rdlen=ntohs(rr->rdlen)
+and memcpy(response+offset,*end,*rdlen)). Here, rdlen may be larger
+than the amount of remaining packet data in the current state of
+parsing. As a result, values of stack memory locations may be sent
+over the network in a response.
+
+This patch adds a check to ensure that (*end + *rdlen) does not exceed
+the valid range. If the condition is violated, the function returns
+-EINVAL.
+
+Fixes: CVE-2025-32366
+Bug-Debian: https://bugs.debian.org/1102193
+Origin: upstream,
https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=8d3be0285f1d4667bfe85dba555c663eb3d704b4
+Forwarded: not-needed
+---
+ src/dnsproxy.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/dnsproxy.c b/src/dnsproxy.c
+index 7ee26d9ff..1dd2f7f5d 100644
+--- a/src/dnsproxy.c
++++ b/src/dnsproxy.c
+@@ -998,6 +998,9 @@ static int parse_rr(const unsigned char *buf, const
unsigned char *start,
+ if ((offset + *rdlen) > *response_size)
+ return -ENOBUFS;
+
++ if ((*end + *rdlen) > max)
++ return -EINVAL;
++
+ memcpy(response + offset, *end, *rdlen);
+
+ *end += *rdlen;
+--
+cgit 1.2.3-korg
+
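Review bot: The new bound in parse_rr, `if ((*end + *rdlen) > max)`, forms the pointer `*end + *rdlen` before comparing it. `*rdlen` is taken from the packet (a 16-bit RDLENGTH per the commit message), so that sum can land far past the end of the buffer, which is undefined behaviour in C and can be optimised away or wrap. Comparing lengths instead, for example `if (*rdlen > max - *end) return -EINVAL;`, expresses the same check without creating the out-of-range pointer, assuming `max` points at the end of the packet data (as the comparison implies) and `*end <= max` already holds here. The input-side check could also come before the `*response_size` check, so that a malformed record is reported as -EINVAL rather than -ENOBUFS.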
diff -Nru connman-1.44/debian/patches/CVE-2025-32743.patch
connman-1.44/debian/patches/CVE-2025-32743.patch
--- connman-1.44/debian/patches/CVE-2025-32743.patch 1970-01-01
01:00:00.000000000 +0100
+++ connman-1.44/debian/patches/CVE-2025-32743.patch 2025-05-13
09:06:57.000000000 +0200
@@ -0,0 +1,46 @@
+From d90b911f6760959bdf1393c39fe8d1118315490f Mon Sep 17 00:00:00 2001
+From: Praveen Kumar <[email protected]>
+Date: Thu, 24 Apr 2025 11:39:29 +0000
+Subject: dnsproxy: Fix NULL/empty lookup causing potential crash
+
+In ConnMan through 1.44, the lookup string in ns_resolv in dnsproxy.c
+can be NULL or an empty string when the TC (Truncated) bit is set in
+a DNS response. This allows attackers to cause a denial of service
+(application crash) or possibly execute arbitrary code, because those
+lookup values lead to incorrect length calculations and incorrect
+memcpy operations.
+
+This patch includes a check to make sure loookup value is valid before
+using it. This helps avoid unexpected value when the input is empty or
+incorrect.
+
+Fixes: CVE-2025-32743
+Bug-Debian: https://bugs.debian.org/1103530
+Origin: upstream,
https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d90b911f6760959bdf1393c39fe8d1118315490f
+Forwarded: not-needed
+---
+ src/dnsproxy.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/dnsproxy.c b/src/dnsproxy.c
+index f28a5d755..7ee26d9ff 100644
+--- a/src/dnsproxy.c
++++ b/src/dnsproxy.c
+@@ -1685,8 +1685,13 @@ static int ns_resolv(struct server_data *server, struct
request_data *req,
+ gpointer request, gpointer name)
+ {
+ int sk = -1;
++ int err;
+ const char *lookup = (const char *)name;
+- int err = ns_try_resolv_from_cache(req, request, lookup);
++
++ if (!lookup || strlen(lookup) == 0)
++ return -EINVAL;
++
++ err = ns_try_resolv_from_cache(req, request, lookup);
+
+ if (err > 0)
+ /* cache hit */
+--
+cgit 1.2.3-korg
+
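Review bot: The guard added at the top of ns_resolv, `if (!lookup || strlen(lookup) == 0) return -EINVAL;`, rejects the bad name only at this point of use. The commit message says the NULL or empty lookup appears when the TC bit is set in a DNS response, and the code that produces that value is not touched in this hunk, so it is worth confirming that no other consumer of the same name pointer is reachable on that path and that callers of ns_resolv handle the new -EINVAL return. As a style point, `lookup[0] == '\0'` tests for emptiness without walking the string, and the commit message has a typo ("loookup").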
diff -Nru connman-1.44/debian/patches/series connman-1.44/debian/patches/series
--- connman-1.44/debian/patches/series 2025-04-12 17:40:21.000000000 +0200
+++ connman-1.44/debian/patches/series 2025-05-13 09:06:57.000000000 +0200
@@ -1,2 +1,4 @@
01-init-script-lsb-headers.patch
02-systemd-service-file-shutdown-problems.patch
+CVE-2025-32743.patch
+CVE-2025-32366.patch
--- End Message ---
--- Begin Message ---
Unblocked.
--- End Message ---