Details: https://nvd.nist.gov/vuln/detail/CVE-2024-45970
Backport the patch that is referenced by the NVD advisory. Signed-off-by: Gyorgy Sarvari <[email protected]> --- .../libiec61850/files/CVE-2024-45970.patch | 71 +++++++++++++++++++ .../libiec61850/libiec61850_1.5.1.bb | 1 + 2 files changed, 72 insertions(+) create mode 100644 meta-networking/recipes-connectivity/libiec61850/files/CVE-2024-45970.patch diff --git a/meta-networking/recipes-connectivity/libiec61850/files/CVE-2024-45970.patch b/meta-networking/recipes-connectivity/libiec61850/files/CVE-2024-45970.patch new file mode 100644 index 0000000000..81759438e1 --- /dev/null +++ b/meta-networking/recipes-connectivity/libiec61850/files/CVE-2024-45970.patch @@ -0,0 +1,71 @@ +From 554e77c542f1c09b689907d5e2ea8bff4b2ad969 Mon Sep 17 00:00:00 2001 +From: Michael Zillgith <[email protected]> +Date: Tue, 23 Jul 2024 18:50:15 +0100 +Subject: [PATCH] - fixed potential buffer overflows in MMS client file service + handling (LIB61850-449) + +CVE: CVE-2024-45970 +Upstream-Status: Backport [https://github.com/mz-automation/libiec61850/commit/ac925fae8e281ac6defcd630e9dd756264e9c5bc] +Signed-off-by: Gyorgy Sarvari <[email protected]> +--- + src/mms/iso_mms/client/mms_client_files.c | 23 +++++++++++++++++++---- + 1 file changed, 19 insertions(+), 4 deletions(-) + +diff --git a/src/mms/iso_mms/client/mms_client_files.c b/src/mms/iso_mms/client/mms_client_files.c +index 307ab534..1aa8dff2 100644 +--- a/src/mms/iso_mms/client/mms_client_files.c ++++ b/src/mms/iso_mms/client/mms_client_files.c +@@ -478,8 +478,13 @@ parseFileAttributes(uint8_t* buffer, int bufPos, int maxBufPos, uint32_t* fileSi + break; + case 0x81: /* lastModified */ + { +- if (lastModified != NULL) { ++ if (lastModified != NULL) ++ { + char gtString[40]; ++ ++ if (length > sizeof(gtString) - 1) ++ return false; /* lastModified string too long */ ++ + memcpy(gtString, buffer + bufPos, length); + gtString[length] = 0; + *lastModified = Conversions_generalizedTimeToMsTime(gtString); +@@ -506,12 +511,14 @@ parseDirectoryEntry(uint8_t* buffer, int bufPos, int maxBufPos, uint32_t invokeI + uint32_t fileSize = 0; + uint64_t lastModified = 0; + +- while (bufPos < maxBufPos) { ++ while (bufPos < maxBufPos) ++ { + uint8_t tag = buffer[bufPos++]; + int length; + + bufPos = BerDecoder_decodeLength(buffer, &length, bufPos, maxBufPos); +- if (bufPos < 0) { ++ if (bufPos < 0) ++ { + if (DEBUG_MMS_CLIENT) + printf("MMS_CLIENT: invalid length field\n"); + return false; +@@ -525,12 +532,20 @@ parseDirectoryEntry(uint8_t* buffer, int bufPos, int maxBufPos, uint32_t invokeI + tag = buffer[bufPos++]; + + bufPos = BerDecoder_decodeLength(buffer, &length, bufPos, maxBufPos); +- if (bufPos < 0) { ++ if (bufPos < 0) ++ { + if (DEBUG_MMS_CLIENT) + printf("MMS_CLIENT: invalid length field\n"); + return false; + } + ++ if (length > (sizeof(fileNameMemory) - 1)) ++ { ++ if (DEBUG_MMS_CLIENT) ++ printf("MMS_CLIENT: filename too long\n"); ++ return false; ++ } ++ + memcpy(filename, buffer + bufPos, length); + filename[length] = 0; + diff --git a/meta-networking/recipes-connectivity/libiec61850/libiec61850_1.5.1.bb b/meta-networking/recipes-connectivity/libiec61850/libiec61850_1.5.1.bb index d36a3c9306..ce6f79e996 100644 --- a/meta-networking/recipes-connectivity/libiec61850/libiec61850_1.5.1.bb +++ b/meta-networking/recipes-connectivity/libiec61850/libiec61850_1.5.1.bb @@ -19,6 +19,7 @@ SRC_URI = "git://github.com/mz-automation/${BPN}.git;branch=v1.5;protocol=https file://0001-pyiec61850-don-t-break-CMAKE_INSTALL_PATH-by-trying-.patch \ file://0001-pyiec61850-Use-CMAKE_INSTALL_LIBDIR-from-GNUInstallD.patch \ file://CVE-2024-45969.patch \ + file://CVE-2024-45970.patch \ " S = "${WORKDIR}/git"
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#124001): https://lists.openembedded.org/g/openembedded-devel/message/124001 Mute This Topic: https://lists.openembedded.org/mt/117540994/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
