* [Buildroot] [PATCH v2 1/1] package/connman: security bump to version 1.45
@ 2025-09-23  9:02 Dario Binacchi
  2025-09-23 16:33 ` Julien Olivain via buildroot
  0 siblings, 1 reply; 2+ messages in thread
From: Dario Binacchi @ 2025-09-23  9:02 UTC (permalink / raw)
  To: buildroot; +Cc: Martin Bark, Dario Binacchi

This bump includes the security fixes for CVE-2025-32366 and
CVE-2025-32743.

Release notes:
- Fix issue with setting MFP optional for PSK.
- Fix issue with comparison in timezone checking.
- Fix issue with dnsproxy and empty lookup.

Fixes:
https://www.cve.org/CVERecord?id=CVE-2025-32366
https://www.cve.org/CVERecord?id=CVE-2025-32743

Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>

---

Changes v1 -> v2:
- Drop CONNMAN_IGNORE_CVES from connman.mk for CVE-2025-32366 and
  CVE-2025-32743.

 ...L-empty-lookup-causing-potential-cra.patch | 46 -------------------
 ...Address-CVE-2025-32366-vulnerability.patch | 41 -----------------
 package/connman/connman.hash                  |  2 +-
 package/connman/connman.mk                    |  8 +---
 4 files changed, 2 insertions(+), 95 deletions(-)
 delete mode 100644 package/connman/0001-dnsproxy-Fix-NULL-empty-lookup-causing-potential-cra.patch
 delete mode 100644 package/connman/0002-dnsproxy-Address-CVE-2025-32366-vulnerability.patch

diff --git a/package/connman/0001-dnsproxy-Fix-NULL-empty-lookup-causing-potential-cra.patch b/package/connman/0001-dnsproxy-Fix-NULL-empty-lookup-causing-potential-cra.patch
deleted file mode 100644
index 9c1274e43ce5..000000000000
--- a/package/connman/0001-dnsproxy-Fix-NULL-empty-lookup-causing-potential-cra.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From d90b911f6760959bdf1393c39fe8d1118315490f Mon Sep 17 00:00:00 2001
-From: Praveen Kumar <praveen.kumar@windriver.com>
-Date: Thu, 24 Apr 2025 11:39:29 +0000
-Subject: [PATCH] dnsproxy: Fix NULL/empty lookup causing potential crash
-
-In ConnMan through 1.44, the lookup string in ns_resolv in dnsproxy.c
-can be NULL or an empty string when the TC (Truncated) bit is set in
-a DNS response. This allows attackers to cause a denial of service
-(application crash) or possibly execute arbitrary code, because those
-lookup values lead to incorrect length calculations and incorrect
-memcpy operations.
-
-This patch includes a check to make sure loookup value is valid before
-using it. This helps avoid unexpected value when the input is empty or
-incorrect.
-
-Fixes: CVE-2025-32743
-
-Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
-Upstream: https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d90b911f6760959bdf1393c39fe8d1118315490f
----
- src/dnsproxy.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/src/dnsproxy.c b/src/dnsproxy.c
-index f28a5d7551a4..7ee26d9ff886 100644
---- a/src/dnsproxy.c
-+++ b/src/dnsproxy.c
-@@ -1685,8 +1685,13 @@ static int ns_resolv(struct server_data *server, struct request_data *req,
- 				gpointer request, gpointer name)
- {
- 	int sk = -1;
-+	int err;
- 	const char *lookup = (const char *)name;
--	int err = ns_try_resolv_from_cache(req, request, lookup);
-+
-+	if (!lookup || strlen(lookup) == 0)
-+		return -EINVAL;
-+
-+	err = ns_try_resolv_from_cache(req, request, lookup);
- 
- 	if (err > 0)
- 		/* cache hit */
--- 
-2.43.0
-
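Review bot: The commit message never states that this local patch is dropped because upstream commit d90b911f6760959bdf1393c39fe8d1118315490f is contained in 1.45; the only hint is the release-note line "Fix issue with dnsproxy and empty lookup". Please add a sentence such as "Drop patch 0001, now upstream" so the removal of the CVE-2025-32743 fix can be checked from the log alone.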
diff --git a/package/connman/0002-dnsproxy-Address-CVE-2025-32366-vulnerability.patch b/package/connman/0002-dnsproxy-Address-CVE-2025-32366-vulnerability.patch
deleted file mode 100644
index 9651b2dfe473..000000000000
--- a/package/connman/0002-dnsproxy-Address-CVE-2025-32366-vulnerability.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 8d3be0285f1d4667bfe85dba555c663eb3d704b4 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?=EC=8B=A0=EC=9C=A4=EC=A0=9C=28=ED=95=99=EB=B6=80=EC=83=9D-?=
- =?UTF-8?q?=EC=86=8C=ED=94=84=ED=8A=B8=EC=9B=A8=EC=96=B4=EC=A0=84=EA=B3=B5?=
- =?UTF-8?q?=29?= <ioerts@kookmin.ac.kr>
-Date: Mon, 12 May 2025 10:48:18 +0200
-Subject: [PATCH] dnsproxy: Address CVE-2025-32366 vulnerability
-
-In Connman parse_rr in dnsproxy.c has a memcpy length
-that depends on an RR RDLENGTH value (i.e., *rdlen=ntohs(rr->rdlen)
-and memcpy(response+offset,*end,*rdlen)). Here, rdlen may be larger
-than the amount of remaining packet data in the current state of
-parsing. As a result, values of stack memory locations may be sent
-over the network in a response.
-
-This patch adds a check to ensure that (*end + *rdlen) does not exceed
-the valid range. If the condition is violated, the function returns
--EINVAL.
-
-Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
-Upstream: https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=8d3be0285f1d4667bfe85dba555c663eb3d704b4
----
- src/dnsproxy.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/src/dnsproxy.c b/src/dnsproxy.c
-index 7ee26d9ff886..1dd2f7f5d47e 100644
---- a/src/dnsproxy.c
-+++ b/src/dnsproxy.c
-@@ -998,6 +998,9 @@ static int parse_rr(const unsigned char *buf, const unsigned char *start,
- 	if ((offset + *rdlen) > *response_size)
- 		return -ENOBUFS;
- 
-+	if ((*end + *rdlen) > max)
-+		return -EINVAL;
-+
- 	memcpy(response + offset, *end, *rdlen);
- 
- 	*end += *rdlen;
--- 
-2.43.0
-
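Review bot: None of the three quoted 1.45 release-note items corresponds to the parse_rr bounds check removed with this file ("if ((*end + *rdlen) > max)" returning -EINVAL), so the commit message offers no evidence that the CVE-2025-32366 fix is in the new tarball. Please state explicitly that upstream commit 8d3be0285f1d4667bfe85dba555c663eb3d704b4 is part of 1.45 before dropping the patch.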
diff --git a/package/connman/connman.hash b/package/connman/connman.hash
index 38af1847aef6..807f7144b1a2 100644
--- a/package/connman/connman.hash
+++ b/package/connman/connman.hash
@@ -1,4 +1,4 @@
 # From https://www.kernel.org/pub/linux/network/connman/sha256sums.asc
-sha256  2be2b00321632b775f9eff713acd04ef21e31fbf388f6ebf45512ff4289574ff  connman-1.44.tar.xz
+sha256  77128cce80865455c4f106b5901a575e2dfdb35a7d2e2e2996f16e85cba10913  connman-1.45.tar.xz
 # Locally computed
 sha256  b499eddebda05a8859e32b820a64577d91f1de2b52efa2a1575a2cb4000bc259  COPYING
diff --git a/package/connman/connman.mk b/package/connman/connman.mk
index c9637eadf5aa..695a81f1e547 100644
--- a/package/connman/connman.mk
+++ b/package/connman/connman.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-CONNMAN_VERSION = 1.44
+CONNMAN_VERSION = 1.45
 CONNMAN_SOURCE = connman-$(CONNMAN_VERSION).tar.xz
 CONNMAN_SITE = $(BR2_KERNEL_MIRROR)/linux/network/connman
 CONNMAN_DEPENDENCIES = libglib2 dbus
@@ -13,12 +13,6 @@ CONNMAN_LICENSE = GPL-2.0
 CONNMAN_LICENSE_FILES = COPYING
 CONNMAN_CPE_ID_VENDOR = intel
 
-# 0001-dnsproxy-Fix-NULL-empty-lookup-causing-potential-cra.patch
-CONNMAN_IGNORE_CVES += CVE-2025-32743
-
-# 0002-dnsproxy-Address-CVE-2025-32366-vulnerability.patch
-CONNMAN_IGNORE_CVES += CVE-2025-32366
-
 CONNMAN_CONF_OPTS = --with-dbusconfdir=/etc
 
 ifeq ($(BR2_INIT_SYSTEMD),y)
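Review bot: With both CONNMAN_IGNORE_CVES lines removed, CVE reporting for this package rests only on version matching against CONNMAN_VERSION = 1.45 with CONNMAN_CPE_ID_VENDOR = intel. The deleted 0001 patch quotes CVE-2025-32743 as affecting "ConnMan through 1.44", but no affected range for CVE-2025-32366 appears anywhere in this patch; it would help to note in the commit message that neither CVE is still reported for 1.45 once the ignores are gone.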
-- 
2.43.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot


* Re: [Buildroot] [PATCH v2 1/1] package/connman: security bump to version 1.45
  2025-09-23  9:02 [Buildroot] [PATCH v2 1/1] package/connman: security bump to version 1.45 Dario Binacchi
@ 2025-09-23 16:33 ` Julien Olivain via buildroot
  0 siblings, 0 replies; 2+ messages in thread
From: Julien Olivain via buildroot @ 2025-09-23 16:33 UTC (permalink / raw)
  To: Dario Binacchi; +Cc: buildroot, Martin Bark

On 23/09/2025 11:02, Dario Binacchi wrote:
> This bump includes the security fixes for CVE-2025-32366 and
> CVE-2025-32743.
> 
> Release notes:
> - Fix issue with setting MFP optional for PSK.
> - Fix issue with comparison in timezone checking.
> - Fix issue with dnsproxy and empty lookup.
> 
> Fixes:
> https://www.cve.org/CVERecord?id=CVE-2025-32366
> https://www.cve.org/CVERecord?id=CVE-2025-32743
> 
> Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>

Applied to master, thanks.