Re: [PATCH] connman: Backports for security fixes (2) #poky

["VAUTRIN Emmanuel (Canal Plus Prestataire)" <Emmanuel.VAUTRIN@cpexterne.org>]

[-- Attachment #1: Type: text/plain, Size: 3837 bytes --]

Fixes
CVE: CVE-2022-32293

Commit b33cf2d113d0 ("connman: Backports for security fixes")
Signed-off-by: Emmanuel Vautrin <Emmanuel.VAUTRIN@cpexterne.org>
---
.../connman/connman/CVE-2022-32293_p3.patch   | 67 +++++++++++++++++++
.../connman/connman_1.41.bb                   |  1 +
2 files changed, 68 insertions(+)
create mode 100644 meta/recipes-connectivity/connman/connman/CVE-2022-32293_p3.patch

diff --git a/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p3.patch b/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p3.patch
new file mode 100644
index 000000000000..0fefe3e45408
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p3.patch
@@ -0,0 +1,67 @@
+From e6523511d736667e45877d588a64988e818a06fe Mon Sep 17 00:00:00 2001
+From: Daniel Wagner <wagi@monom.org>
+Date: Wed, 7 Sep 2022 20:52:20 +0200
+Subject: [PATCH] wispr: Fix context refcounting in
+ wispr_portal_request_portal()
+
+The wispr_portal_request_portal() function is expected to read until
+there is no data. Hence, the wp_context refcount is supposed to be
+hold on while reading.
+
+Furthermore, we should not return early when we read the
+X-ConnMan-Status header. Instead we are supposed to go through the
+normal return path so that we cleanup any added routing entries. Thus,
+we also don't need to update the refcount in this code path as we
+handle it at the main return path.
+
+Fixes: 416bfaff9888 ("wispr: Update portal context references")
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=e6523511d736667e45877d588a64988e818a06fe]
+---
+ src/wispr.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/wispr.c b/src/wispr.c
+index 9b27af5fff55..a7562e8462f3 100644
+--- a/src/wispr.c
++++ b/src/wispr.c
+@@ -537,7 +537,8 @@ static bool wispr_route_request(const char *address, int ai_family,
+ static void wispr_portal_request_portal(
+ struct connman_wispr_portal_context *wp_context)
+ {
+- DBG("");
++ DBG("wp_context %p %s", wp_context,
++ __connman_ipconfig_type2string(wp_context->type));
+
+ wispr_portal_context_ref(wp_context);
+ wp_context->request_id = g_web_request_get(wp_context->web,
+@@ -753,7 +754,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
+ if (length > 0) {
+ g_web_parser_feed_data(wp_context->wispr_parser,
+ chunk, length);
+- wispr_portal_context_unref(wp_context);
++ /* read more data */
+ return true;
+ }
+
+@@ -783,8 +784,6 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
+ if (g_web_result_get_header(result, "X-ConnMan-Status",
+ &str)) {
+ portal_manage_status(result, wp_context);
+- wispr_portal_context_unref(wp_context);
+- return false;
+ } else {
+ wispr_portal_context_ref(wp_context);
+ __connman_agent_request_browser(wp_context->service,
+@@ -996,7 +995,8 @@ int __connman_wispr_start(struct connman_service *service,
+ struct connman_wispr_portal *wispr_portal = NULL;
+ int index, err;
+
+- DBG("service %p", service);
++ DBG("service %p %s", service,
++ __connman_ipconfig_type2string(type));
+
+ if (!wispr_portal_hash)
+ return -EINVAL;
+--
+2.25.1
+
diff --git a/meta/recipes-connectivity/connman/connman_1.41.bb b/meta/recipes-connectivity/connman/connman_1.41.bb
index 79542b2175dc..73ba673fd0a4 100644
--- a/meta/recipes-connectivity/connman/connman_1.41.bb
+++ b/meta/recipes-connectivity/connman/connman_1.41.bb
@@ -7,6 +7,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
file://no-version-scripts.patch \
file://CVE-2022-32293_p1.patch \
file://CVE-2022-32293_p2.patch \
+           file://CVE-2022-32293_p3.patch \
file://CVE-2022-32292.patch \
"

--
2.25.1

[-- Attachment #2: Type: text/html, Size: 6442 bytes --]