Bug#1106043: unblock: connman/1.44-3

Mon, 19 May 2025 01:15:20 -0700 

Package: release.debian.org
Severity: normal
X-Debbugs-Cc: conn...@packages.debian.org
Control: affects -1 + src:connman
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package connman

[ Reason ]
To fix two security issues CVE-2025-32366 (Closes: #1102193) and CVE-2025-32743 (Closes: #1103530). Patches are cherry-picked from upstream and are fairly trivial. 


[ Impact ]
Less security issues to Trixie's release that would need to be fixed latter by security or LTS teams. 

[ Tests ]
The package builds fine and is in unstable/Ubuntu since ~ a week without any complain. 

[ Risks ]
The risks are low since these patches come from upstream and are trivial.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing




unblock connman/1.44-3
diff -Nru connman-1.44/debian/changelog connman-1.44/debian/changelog
--- connman-1.44/debian/changelog       2025-04-12 17:40:21.000000000 +0200
+++ connman-1.44/debian/changelog       2025-05-13 09:06:57.000000000 +0200
@@ -1,3 +1,18 @@
+connman (1.44-3) unstable; urgency=medium
+
+  * Cherry-pick upstream patch fixing CVE-2025-32366 (Closes: #1102193)
+  * Set myself as Maintainer.
+  * Improve DEP3 headers of other patches.
+
+ -- Dylan Aïssi <dai...@debian.org>  Tue, 13 May 2025 09:06:57 +0200
+
+connman (1.44-2) unstable; urgency=medium
+
+  * Team upload.
+  * Cherry-pick upstream patch fixing CVE-2025-32743 (Closes: #1103530)
+
+ -- Dylan Aïssi <dai...@debian.org>  Tue, 06 May 2025 22:47:54 +0200
+
 connman (1.44-1) unstable; urgency=medium
 
   * Team upload.
diff -Nru connman-1.44/debian/control connman-1.44/debian/control
--- connman-1.44/debian/control 2025-04-12 17:40:21.000000000 +0200
+++ connman-1.44/debian/control 2025-05-13 09:06:57.000000000 +0200
@@ -1,7 +1,8 @@
 Source: connman
-Maintainer: Vignesh Raman <vignesh.ra...@collabora.com>
+Maintainer: Dylan Aïssi <dai...@debian.org>
 Uploaders: Alexander Sack <a...@debian.org>,
-           Alf Gaida <aga...@siduction.org>
+           Alf Gaida <aga...@siduction.org>,
+           Vignesh Raman <vignesh.ra...@collabora.com>
 Section: net
 Priority: optional
 Build-Depends: debhelper-compat (= 13),
diff -Nru 
connman-1.44/debian/patches/02-systemd-service-file-shutdown-problems.patch 
connman-1.44/debian/patches/02-systemd-service-file-shutdown-problems.patch
--- connman-1.44/debian/patches/02-systemd-service-file-shutdown-problems.patch 
2025-04-12 17:40:21.000000000 +0200
+++ connman-1.44/debian/patches/02-systemd-service-file-shutdown-problems.patch 
2025-05-13 09:06:57.000000000 +0200
@@ -3,6 +3,7 @@
  https://lintian.debian.org/tags/systemd-service-file-shutdown-problems.html
 Forwarded: not needed
 Last-Update: 2019-05-01
+Author: Alf Gaida <aga...@siduction.org>
 
 --- a/src/connman-wait-online.service.in
 +++ b/src/connman-wait-online.service.in
diff -Nru connman-1.44/debian/patches/CVE-2025-32366.patch 
connman-1.44/debian/patches/CVE-2025-32366.patch
--- connman-1.44/debian/patches/CVE-2025-32366.patch    1970-01-01 
01:00:00.000000000 +0100
+++ connman-1.44/debian/patches/CVE-2025-32366.patch    2025-05-13 
09:06:57.000000000 +0200
@@ -0,0 +1,41 @@
+From 8d3be0285f1d4667bfe85dba555c663eb3d704b4 Mon Sep 17 00:00:00 2001
+From: "신윤제(학부생-소프트웨어전공)" <ioe...@kookmin.ac.kr>
+Date: Mon, 12 May 2025 10:48:18 +0200
+Subject: dnsproxy: Address CVE-2025-32366 vulnerability
+
+In Connman parse_rr in dnsproxy.c has a memcpy length
+that depends on an RR RDLENGTH value (i.e., *rdlen=ntohs(rr->rdlen)
+and memcpy(response+offset,*end,*rdlen)). Here, rdlen may be larger
+than the amount of remaining packet data in the current state of
+parsing. As a result, values of stack memory locations may be sent
+over the network in a response.
+
+This patch adds a check to ensure that (*end + *rdlen) does not exceed
+the valid range. If the condition is violated, the function returns
+-EINVAL.
+
+Fixes: CVE-2025-32366
+Bug-Debian: https://bugs.debian.org/1102193
+Origin: upstream, 
https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=8d3be0285f1d4667bfe85dba555c663eb3d704b4
+Forwarded: not-needed
+---
+ src/dnsproxy.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/dnsproxy.c b/src/dnsproxy.c
+index 7ee26d9ff..1dd2f7f5d 100644
+--- a/src/dnsproxy.c
++++ b/src/dnsproxy.c
+@@ -998,6 +998,9 @@ static int parse_rr(const unsigned char *buf, const 
unsigned char *start,
+       if ((offset + *rdlen) > *response_size)
+               return -ENOBUFS;
+ 
++      if ((*end + *rdlen) > max)
++              return -EINVAL;
++
+       memcpy(response + offset, *end, *rdlen);
+ 
+       *end += *rdlen;
+-- 
+cgit 1.2.3-korg
+
diff -Nru connman-1.44/debian/patches/CVE-2025-32743.patch 
connman-1.44/debian/patches/CVE-2025-32743.patch
--- connman-1.44/debian/patches/CVE-2025-32743.patch    1970-01-01 
01:00:00.000000000 +0100
+++ connman-1.44/debian/patches/CVE-2025-32743.patch    2025-05-13 
09:06:57.000000000 +0200
@@ -0,0 +1,46 @@
+From d90b911f6760959bdf1393c39fe8d1118315490f Mon Sep 17 00:00:00 2001
+From: Praveen Kumar <praveen.ku...@windriver.com>
+Date: Thu, 24 Apr 2025 11:39:29 +0000
+Subject: dnsproxy: Fix NULL/empty lookup causing potential crash
+
+In ConnMan through 1.44, the lookup string in ns_resolv in dnsproxy.c
+can be NULL or an empty string when the TC (Truncated) bit is set in
+a DNS response. This allows attackers to cause a denial of service
+(application crash) or possibly execute arbitrary code, because those
+lookup values lead to incorrect length calculations and incorrect
+memcpy operations.
+
+This patch includes a check to make sure loookup value is valid before
+using it. This helps avoid unexpected value when the input is empty or
+incorrect.
+
+Fixes: CVE-2025-32743
+Bug-Debian: https://bugs.debian.org/1103530
+Origin: upstream, 
https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d90b911f6760959bdf1393c39fe8d1118315490f
+Forwarded: not-needed
+---
+ src/dnsproxy.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/dnsproxy.c b/src/dnsproxy.c
+index f28a5d755..7ee26d9ff 100644
+--- a/src/dnsproxy.c
++++ b/src/dnsproxy.c
+@@ -1685,8 +1685,13 @@ static int ns_resolv(struct server_data *server, struct 
request_data *req,
+                               gpointer request, gpointer name)
+ {
+       int sk = -1;
++      int err;
+       const char *lookup = (const char *)name;
+-      int err = ns_try_resolv_from_cache(req, request, lookup);
++
++      if (!lookup || strlen(lookup) == 0)
++              return -EINVAL;
++
++      err = ns_try_resolv_from_cache(req, request, lookup);
+ 
+       if (err > 0)
+               /* cache hit */
+-- 
+cgit 1.2.3-korg
+
diff -Nru connman-1.44/debian/patches/series connman-1.44/debian/patches/series
--- connman-1.44/debian/patches/series  2025-04-12 17:40:21.000000000 +0200
+++ connman-1.44/debian/patches/series  2025-05-13 09:06:57.000000000 +0200
@@ -1,2 +1,4 @@
 01-init-script-lsb-headers.patch
 02-systemd-service-file-shutdown-problems.patch
+CVE-2025-32743.patch
+CVE-2025-32366.patch

Reply via email to