From: Ankur Tyagi <[email protected]>

Details: https://nvd.nist.gov/vuln/detail/CVE-2024-53429
Backport the patch mentioned in the comment[1] which fixed this CVE. [1] https://github.com/open62541/open62541/issues/6825#issuecomment-2460650733 Signed-off-by: Ankur Tyagi <[email protected]> --- .../opcua/open62541/CVE-2024-53429.patch | 44 +++++++++++++++++++ .../opcua/open62541_1.3.8.bb | 1 + 2 files changed, 45 insertions(+) create mode 100644 meta-networking/recipes-protocols/opcua/open62541/CVE-2024-53429.patch diff --git a/meta-networking/recipes-protocols/opcua/open62541/CVE-2024-53429.patch b/meta-networking/recipes-protocols/opcua/open62541/CVE-2024-53429.patch new file mode 100644 index 0000000000..7afd7eb752 --- /dev/null +++ b/meta-networking/recipes-protocols/opcua/open62541/CVE-2024-53429.patch 
@@ -0,0 +1,44 @@ +From c69c42bb55f66e1721367dc9c98d0b4a63b14c25 Mon Sep 17 00:00:00 2001 +From: Julius Pfrommer <[email protected]> +Date: Tue, 22 Oct 2024 21:47:15 +0200 +Subject: [PATCH] refactor(core): Validate Variant ArrayLength against its + ArrayDimensions during binary decode + +This lead to the fuzzer complaing since we hade the check for _encode +but not for _decode. This is not a direct memory issue per se. But the +consistency check allows early discovery of problematic values and +can potentially remove bugs where the user relies on the array +dimensions and the array length to match. + +CVE: CVE-2024-53429 +Upstream-Status: Backport [https://github.com/open62541/open62541/commit/b9473527623125b5ca264dae4551f8cc414b3bc3] +(cherry picked from commit b9473527623125b5ca264dae4551f8cc414b3bc3) +Signed-off-by: Ankur Tyagi <[email protected]> +--- + src/ua_types_encoding_binary.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/src/ua_types_encoding_binary.c b/src/ua_types_encoding_binary.c +index 7b3a4f6b8..0272ba399 100644 +--- a/src/ua_types_encoding_binary.c ++++ b/src/ua_types_encoding_binary.c +@@ -1093,9 +1093,18 @@ DECODE_BINARY(Variant) { + } + + /* Decode array dimensions */ +- if(isArray && (encodingByte & (u8)UA_VARIANT_ENCODINGMASKTYPE_DIMENSIONS) > 0) ++ if(isArray && (encodingByte & (u8)UA_VARIANT_ENCODINGMASKTYPE_DIMENSIONS) > 0) { + ret |= Array_decodeBinary((void**)&dst->arrayDimensions, &dst->arrayDimensionsSize, + &UA_TYPES[UA_TYPES_INT32], ctx); ++ /* Validate array length against array dimensions */ ++ size_t totalSize = 1; ++ for(size_t i = 0; i < dst->arrayDimensionsSize; ++i) { ++ if(dst->arrayDimensions[i] == 0) ++ return UA_STATUSCODE_BADDECODINGERROR; ++ totalSize *= dst->arrayDimensions[i]; ++ } ++ UA_CHECK(totalSize == dst->arrayLength, ret = UA_STATUSCODE_BADDECODINGERROR); ++ } + + ctx->depth--; + return ret; 
diff --git a/meta-networking/recipes-protocols/opcua/open62541_1.3.8.bb b/meta-networking/recipes-protocols/opcua/open62541_1.3.8.bb index 19a50aee3a..ed859c9c92 100644 --- a/meta-networking/recipes-protocols/opcua/open62541_1.3.8.bb +++ b/meta-networking/recipes-protocols/opcua/open62541_1.3.8.bb @@ -19,6 +19,7 @@ SRC_URI = " \ git://github.com/OPCFoundation/UA-Nodeset;name=ua-nodeset;protocol=https;branch=v1.04;destsuffix=git/deps/ua-nodeset \ git://github.com/LiamBindle/MQTT-C.git;name=mqtt-c;protocol=https;branch=master;destsuffix=git/deps/mqtt-c \ file://0001-fix-build-do-not-install-git-files.patch \ + file://CVE-2024-53429.patch \ " S = "${WORKDIR}/git"
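Review bot: In the dimension loop added to DECODE_BINARY(Variant) in src/ua_types_encoding_binary.c, the zero-dimension branch exits with `return UA_STATUSCODE_BADDECODINGERROR;`, which skips the `ctx->depth--;` that follows the block, whereas the length-mismatch path only sets `ret` through UA_CHECK and falls through to the decrement. Setting `ret = UA_STATUSCODE_BADDECODINGERROR` and breaking out of the loop would keep both failure paths consistent and leave the depth counter balanced. In the same loop, `totalSize *= dst->arrayDimensions[i]` has no overflow guard: the dimensions are decoded as UA_TYPES_INT32 and only 0 is rejected, so a product that wraps size_t could still compare equal to `dst->arrayLength`. A bound check before the multiply would close that. The loop also runs when Array_decodeBinary has already placed an error in `ret`; testing `ret` before validating would avoid reasoning about a partially decoded dimensions array.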
