Hi Alexandre, Understood your point, will abide by your request.
Regards
Meenali
________________________________
From: Alexandre Belloni <[email protected]>
Sent: 16 November 2023 22:02
To: Gupta, Meenali <[email protected]>
Cc: [email protected] <[email protected]>
Subject: Re: [oe-core][PATCH 4/5] avahi: fix CVE-2023-38472

Please version properly your patches, this should have been v2. Also please resend the whole series because now, I have to go and cherry-pick patches from v1 because 5/5 doesn't apply standalone. You should not push this work on the maintainers.

On 16/11/2023 11:44:50+0000, Meenali Gupta via lists.openembedded.org wrote:
> From: Meenali Gupta <[email protected]> > > A vulnerability was found in Avahi. A reachable assertion exists > in the avahi_rdata_parse() function. > > Signed-off-by: Meenali Gupta <[email protected]> > --- > meta/recipes-connectivity/avahi/avahi_0.8.bb | 1 + > .../avahi/files/CVE-2023-38472.patch | 46 +++++++++++++++++++ > 2 files changed, 47 insertions(+) > create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch > > diff --git a/meta/recipes-connectivity/avahi/avahi_0.8.bb > b/meta/recipes-connectivity/avahi/avahi_0.8.bb > index 9c903d6868..84eb1c554d 100644 > --- a/meta/recipes-connectivity/avahi/avahi_0.8.bb > +++ b/meta/recipes-connectivity/avahi/avahi_0.8.bb > @@ -29,6 +29,7 @@ SRC_URI = > "${GITHUB_BASE_URI}/download/v${PV}/avahi-${PV}.tar.gz \ > file://CVE-2023-38469.patch \ > file://CVE-2023-38470.patch \ > file://CVE-2023-38471.patch \ > + file://CVE-2023-38472.patch \ > " > > GITHUB_BASE_URI = "https://github.com/lathiat/avahi/releases/" > diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch > b/meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch > new file mode 100644 > index 0000000000..a1de8e2a5a > --- /dev/null 
> +++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch 
> @@ -0,0 +1,46 @@ > +From 8cf606779dc356768afc6b70e53f2808a9655143 Mon Sep 17 00:00:00 2001 > +From: Michal Sekletar <[email protected]> > +Date: Thu, 19 Oct 2023 17:36:44 +0200 > +Subject: [PATCH] avahi: core: make sure there is rdata to process before > + parsing it > + > +Fixes #452 > + > +Upstream-Status: Backport > [https://github.com/lathiat/avahi/commit/b024ae5749f4aeba03478e6391687c3c9c8dee40] > +CVE: CVE-2023-38472 > + > +Signed-off-by: Meenali Gupta <[email protected]> > +--- > + avahi-client/client-test.c | 3 +++ > + avahi-daemon/dbus-entry-group.c | 2 +- > + 2 files changed, 4 insertions(+), 1 deletion(-) > + > +diff --git a/avahi-client/client-test.c b/avahi-client/client-test.c > +index 7d04a6a..57750a4 100644 > +--- a/avahi-client/client-test.c > ++++ b/avahi-client/client-test.c > +@@ -258,6 +258,9 @@ int main (AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED > char *argv[]) { > + printf("%s\n", avahi_strerror(avahi_entry_group_add_service (group, > AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "Lathiat's Site", "_http._tcp", NULL, > NULL, 80, "foo=bar", NULL))); > + printf("add_record: %d\n", avahi_entry_group_add_record (group, > AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "\5booya", > 6)); > + > ++ error = avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, > AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "", 0); > ++ assert(error != AVAHI_OK); > ++ > + avahi_entry_group_commit (group); > + > + domain = avahi_domain_browser_new (avahi, AVAHI_IF_UNSPEC, > AVAHI_PROTO_UNSPEC, NULL, AVAHI_DOMAIN_BROWSER_BROWSE, 0, > avahi_domain_browser_callback, (char*) "omghai3u"); > +diff --git a/avahi-daemon/dbus-entry-group.c > b/avahi-daemon/dbus-entry-group.c > +index 4e879a5..aa23d4b 100644 > +--- a/avahi-daemon/dbus-entry-group.c > ++++ b/avahi-daemon/dbus-entry-group.c > +@@ -340,7 +340,7 @@ DBusHandlerResult > avahi_dbus_msg_entry_group_impl(DBusConnection *c, DBusMessage > + if (!(r = avahi_record_new_full (name, clazz, type, ttl))) > + 
return avahi_dbus_respond_error(c, m, AVAHI_ERR_NO_MEMORY, > NULL); > + > +- if (avahi_rdata_parse (r, rdata, size) < 0) { > ++ if (!rdata || avahi_rdata_parse (r, rdata, size) < 0) { > + avahi_record_unref (r); > + return avahi_dbus_respond_error(c, m, AVAHI_ERR_INVALID_RDATA, > NULL); > + } > +-- > +2.40.0 > -- > 2.40.0 > > > > -- Alexandre Belloni, co-owner and COO, Bootlin Embedded Linux and Kernel engineering https://bootlin.com
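Review bot: In the avahi-daemon/dbus-entry-group.c hunk of the backported patch, the new guard (!rdata || avahi_rdata_parse (r, rdata, size) < 0) tests only the pointer, while the regression case added to client-test.c sends an empty record ("" with length 0). Nothing in the visible lines says that a zero-length rdata arrives at this call as a NULL pointer, so the fix reads as if it might not cover the case the test exercises. If that is how the empty array is delivered, please say so in the patch description or in a short comment above the condition, so the link between the guard and the assertion in avahi_rdata_parse() is clear to whoever carries this patch forward.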
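Review bot: In the avahi-client/client-test.c hunk, assert(error != AVAHI_OK) passes on any failure of avahi_entry_group_add_record(), including ones unrelated to this fix. The daemon-side hunk answers this case with AVAHI_ERR_INVALID_RDATA, so checking for that specific error would make the test confirm the new code path rather than just "some error". The check is also an assert(), so it does nothing when the test is built with NDEBUG defined.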
