From: Meenali Gupta <[email protected]> A vulnerability was found in Avahi. A reachable assertion exists in the avahi_alternative_host_name() function.
Signed-off-by: Meenali Gupta <[email protected]> Signed-off-by: Steve Sakoman <[email protected]> --- meta/recipes-connectivity/avahi/avahi_0.8.bb | 1 + .../avahi/files/CVE-2023-38473.patch | 108 ++++++++++++++++++ 2 files changed, 109 insertions(+) create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch diff --git a/meta/recipes-connectivity/avahi/avahi_0.8.bb b/meta/recipes-connectivity/avahi/avahi_0.8.bb index 23801a7e54..af5284a252 100644 --- a/meta/recipes-connectivity/avahi/avahi_0.8.bb +++ b/meta/recipes-connectivity/avahi/avahi_0.8.bb @@ -30,6 +30,7 @@ SRC_URI = "https://github.com/lathiat/avahi/releases/download/v${PV}/avahi-${PV} file://CVE-2023-38470.patch \ file://CVE-2023-38469.patch \ file://CVE-2023-38472.patch \ + file://CVE-2023-38473.patch \ " UPSTREAM_CHECK_URI = "https://github.com/lathiat/avahi/releases/"; diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch new file mode 100644 index 0000000000..8a372a072a --- /dev/null +++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch @@ -0,0 +1,108 @@ +From b448c9f771bada14ae8de175695a9729f8646797 Mon Sep 17 00:00:00 2001 +From: Michal Sekletar <[email protected]> +Date: Wed, 11 Oct 2023 17:45:44 +0200 +Subject: [PATCH]common: derive alternative host name from its + unescaped version + +Normalization of input makes sure we don't have to deal with special +cases like unescaped dot at the end of label. + +Upstream-Status: Backport [https://github.com/lathiat/avahi/commit/b448c9f771bada14ae8de175695a9729f8646797] +CVE: CVE-2023-38473 + +Signed-off-by: Meenali Gupta <[email protected]> +--- + avahi-common/alternative-test.c | 3 +++ + avahi-common/alternative.c | 27 +++++++++++++++++++-------- + 2 files changed, 22 insertions(+), 8 deletions(-) + +diff --git a/avahi-common/alternative-test.c b/avahi-common/alternative-test.c +index 9255435..681fc15 100644 +--- a/avahi-common/alternative-test.c ++++ b/avahi-common/alternative-test.c +@@ -31,6 +31,9 @@ int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) { + const char* const test_strings[] = { + "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", + "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXüüüüüüü", ++ ").", ++ "\\.", ++ "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\\\", + "gurke", + "-", + " #", +diff --git a/avahi-common/alternative.c b/avahi-common/alternative.c +index b3d39f0..a094e6d 100644 +--- a/avahi-common/alternative.c ++++ b/avahi-common/alternative.c +@@ -49,15 +49,20 @@ static void drop_incomplete_utf8(char *c) { + } + + char *avahi_alternative_host_name(const char *s) { ++ char label[AVAHI_LABEL_MAX], alternative[AVAHI_LABEL_MAX*4+1]; ++ char *alt, *r, *ret; + const char *e; +- char *r; ++ size_t len; + + assert(s); + + if (!avahi_is_valid_host_name(s)) + return NULL; + +- if ((e = strrchr(s, '-'))) { ++ if (!avahi_unescape_label(&s, label, sizeof(label))) ++ return NULL; ++ ++ if ((e = strrchr(label, '-'))) { + const char *p; + + e++; +@@ -74,19 +79,18 @@ char *avahi_alternative_host_name(const char *s) { + + if (e) { + char *c, *m; +- size_t l; + int n; + + n = atoi(e)+1; + if (!(m = avahi_strdup_printf("%i", n))) + return NULL; + +- l = e-s-1; ++ len = e-label-1; + +- if (l >= AVAHI_LABEL_MAX-1-strlen(m)-1) +- l = AVAHI_LABEL_MAX-1-strlen(m)-1; ++ if (len >= AVAHI_LABEL_MAX-1-strlen(m)-1) ++ len = AVAHI_LABEL_MAX-1-strlen(m)-1; + +- if (!(c = avahi_strndup(s, l))) { ++ if (!(c = avahi_strndup(label, len))) { + avahi_free(m); + return NULL; + } +@@ -100,7 +104,7 @@ char *avahi_alternative_host_name(const char *s) { + } else { + char *c; + +- if (!(c = avahi_strndup(s, AVAHI_LABEL_MAX-1-2))) ++ if (!(c = avahi_strndup(label, AVAHI_LABEL_MAX-1-2))) + return NULL; + + drop_incomplete_utf8(c); +@@ -109,6 +113,13 @@ char *avahi_alternative_host_name(const char *s) { + avahi_free(c); + } + ++ alt = alternative; ++ len = sizeof(alternative); ++ ret = avahi_escape_label(r, strlen(r), &alt, &len); ++ ++ avahi_free(r); ++ r = avahi_strdup(ret); ++ + assert(avahi_is_valid_host_name(r)); + + return r; +-- +2.40.0 -- 2.34.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#191007): https://lists.openembedded.org/g/openembedded-core/message/191007 Mute This Topic: https://lists.openembedded.org/mt/102742403/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
