Buildroot Archive on lore.kernel.org
* [Buildroot] [PATCH 0/2] package/connman: fix CVE-2023-28488
@ 2023-08-18 20:05 Clement Ramirez
  2023-08-18 20:05 ` [Buildroot] [PATCH 1/2] " Clement Ramirez
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Clement Ramirez @ 2023-08-18 20:05 UTC (permalink / raw)
  To: buildroot; +Cc: Clement Ramirez, Martin Bark

Hi,

This patch series is designed to fix CVE-2023-28488:

- The first commit backports the upstream fix for CVE-2023-28488 onto
  connman 1.41.

- The second commit bumps connman to 1.42 and removes the previous,
  now deprecated patches that introduced fixes present in 1.42.

This way the first commit can be used to fix the CVE in LTS releases,
and the second one for future releases of Buildroot.

Clement Ramirez (2):
  package/connman: fix CVE-2023-28488
  package/connman: security bump version to 1.42

 .checkpackageignore                           |   3 -
 ...-gweb-Fix-OOB-write-in-received_data.patch |  36 ----
 ...-reference-counter-to-portal-context.patch | 142 --------------
 ...spr-Update-portal-context-references.patch | 175 ------------------
 package/connman/connman.hash                  |   2 +-
 package/connman/connman.mk                    |   9 +-
 6 files changed, 2 insertions(+), 365 deletions(-)
 delete mode 100644 package/connman/0001-gweb-Fix-OOB-write-in-received_data.patch
 delete mode 100644 package/connman/0002-wispr-Add-reference-counter-to-portal-context.patch
 delete mode 100644 package/connman/0003-wispr-Update-portal-context-references.patch

-- 
2.34.1

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot


* [Buildroot] [PATCH 1/2] package/connman: fix CVE-2023-28488
  2023-08-18 20:05 [Buildroot] [PATCH 0/2] package/connman: fix CVE-2023-28488 Clement Ramirez
@ 2023-08-18 20:05 ` Clement Ramirez
  2023-08-18 20:05 ` [Buildroot] [PATCH 2/2] package/connman: security bump version to 1.42 Clement Ramirez
  2023-08-20  9:14 ` [Buildroot] [PATCH 0/2] package/connman: fix CVE-2023-28488 Yann E. MORIN
  2 siblings, 0 replies; 4+ messages in thread
From: Clement Ramirez @ 2023-08-18 20:05 UTC (permalink / raw)
  To: buildroot; +Cc: Clement Ramirez, Martin Bark

client.c in gdhcp in ConnMan through 1.41 could be used by
network-adjacent attackers (operating a crafted DHCP server) to cause a
stack-based buffer overflow and denial of service, terminating the
connman process. (see [0] and [1] for details)

[0] https://nvd.nist.gov/vuln/detail/CVE-2023-28488
[1] https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=99e2c16ea1cced34a5dc450d76287a1c3e762138

Signed-off-by: Clement Ramirez <ramirez.clement3@gmail.com>
---
 .checkpackageignore                           |  1 +
 ...ify-and-sanitize-packet-length-first.patch | 62 +++++++++++++++++++
 package/connman/connman.mk                    |  3 +
 3 files changed, 66 insertions(+)
 create mode 100644 package/connman/0004-gdhcp-Verify-and-sanitize-packet-length-first.patch

diff --git a/.checkpackageignore b/.checkpackageignore
index dfc1ba9001..54525e5d90 100644
--- a/.checkpackageignore
+++ b/.checkpackageignore
@@ -266,6 +266,7 @@ package/collectd/0001-src-netlink.c-remove-REG_NOERROR.patch Upstream
 package/connman/0001-gweb-Fix-OOB-write-in-received_data.patch Upstream
 package/connman/0002-wispr-Add-reference-counter-to-portal-context.patch Upstream
 package/connman/0003-wispr-Update-portal-context-references.patch Upstream
+package/connman/0004-gdhcp-Verify-and-sanitize-packet-length-first.patch Upstream
 package/connman/S45connman Variables
 package/copas/0001-Do-not-load-coxpcall-for-LuaJIT.patch Upstream
 package/coremark-pro/coremark-pro.sh.in Shellcheck
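Review bot: rather than adding the new patch to .checkpackageignore to silence the Upstream check, give the patch header an `Upstream: https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=99e2c16ea1cced34a5dc450d76287a1c3e762138` line; the ignore file exists for pre-existing patches, and the URL is already in the patch's [Retrieved from:] block, so this is a one-line change and keeps the new file out of the ignore list.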
diff --git a/package/connman/0004-gdhcp-Verify-and-sanitize-packet-length-first.patch b/package/connman/0004-gdhcp-Verify-and-sanitize-packet-length-first.patch
new file mode 100644
index 0000000000..d5d81f17bf
--- /dev/null
+++ b/package/connman/0004-gdhcp-Verify-and-sanitize-packet-length-first.patch
@@ -0,0 +1,62 @@
+From 996d39df6f6c0f9d1e9968af8024bb0cde31d1e8 Mon Sep 17 00:00:00 2001
+From: Daniel Wagner <wagi@monom.org>
+Date: Tue, 11 Apr 2023 08:12:56 +0200
+Subject: gdhcp: Verify and sanitize packet length first
+
+Avoid overwriting the read packet length after the initial test. Thus
+move all the length checks which depends on the total length first
+and do not use the total lenght from the IP packet afterwards.
+
+Fixes CVE-2023-28488
+
+Reported by Polina Smirnova <moe.hwr@gmail.com>
+
+[Retrieved from:
+https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=99e2c16ea1cced34a5dc450d76287a1c3e762138]
+Signed-off-by: Clement Ramirez <ramirez.clement3@gmail.com>
+---
+ gdhcp/client.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/gdhcp/client.c b/gdhcp/client.c
+index 3016dfc2..28fa6066 100644
+--- a/gdhcp/client.c
++++ b/gdhcp/client.c
+@@ -1319,9 +1319,9 @@ static bool sanity_check(struct ip_udp_dhcp_packet *packet, int bytes)
+ static int dhcp_recv_l2_packet(struct dhcp_packet *dhcp_pkt, int fd,
+ 				struct sockaddr_in *dst_addr)
+ {
+-	int bytes;
+ 	struct ip_udp_dhcp_packet packet;
+ 	uint16_t check;
++	int bytes, tot_len;
+ 
+ 	memset(&packet, 0, sizeof(packet));
+ 
+@@ -1329,15 +1329,17 @@ static int dhcp_recv_l2_packet(struct dhcp_packet *dhcp_pkt, int fd,
+ 	if (bytes < 0)
+ 		return -1;
+ 
+-	if (bytes < (int) (sizeof(packet.ip) + sizeof(packet.udp)))
+-		return -1;
+-
+-	if (bytes < ntohs(packet.ip.tot_len))
++	tot_len = ntohs(packet.ip.tot_len);
++	if (bytes > tot_len) {
++		/* ignore any extra garbage bytes */
++		bytes = tot_len;
++	} else if (bytes < tot_len) {
+ 		/* packet is bigger than sizeof(packet), we did partial read */
+ 		return -1;
++	}
+ 
+-	/* ignore any extra garbage bytes */
+-	bytes = ntohs(packet.ip.tot_len);
++	if (bytes < (int) (sizeof(packet.ip) + sizeof(packet.udp)))
++		return -1;
+ 
+ 	if (!sanity_check(&packet, bytes))
+ 		return -1;
+-- 
+2.34.1
+
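Review bot: the `From 996d39df6f6c0f9d1e9968af8024bb0cde31d1e8` line of this patch file does not match the commit named in the [Retrieved from:] URL and in the commit message (99e2c16ea1cced34a5dc450d76287a1c3e762138); please state which upstream commit the patch was generated from, or regenerate it from 99e2c16e so the two agree, since the hash is what a downstream reader uses to confirm the backport is the upstream change. The embedded change itself reads correctly: before, `bytes = ntohs(packet.ip.tot_len)` was assigned after the `sizeof(packet.ip) + sizeof(packet.udp)` check, so a `tot_len` smaller than the headers was adopted unchecked; now `bytes` is clamped to `tot_len` first and the header-size check runs on the clamped value, with `tot_len` not used again afterwards, which is exactly what the description promises.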
diff --git a/package/connman/connman.mk b/package/connman/connman.mk
index fbd7318e4e..40ce99fa40 100644
--- a/package/connman/connman.mk
+++ b/package/connman/connman.mk
@@ -20,6 +20,9 @@ CONNMAN_IGNORE_CVES += CVE-2022-32292
 # 0003-wispr-Update-portal-context-references.patch
 CONNMAN_IGNORE_CVES += CVE-2022-32293
 
+# 0004-gdhcp-Verify-and-sanitize-packet-length-first.patch
+CONNMAN_IGNORE_CVES += CVE-2023-28488
+
 CONNMAN_CONF_OPTS = --with-dbusconfdir=/etc
 
 ifeq ($(BR2_INIT_SYSTEMD),y)
-- 
2.34.1

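The description above (a crafted DHCP server driving a stack-based overflow in gdhcp/client.c) and the reordered length checks in the backported patch can be illustrated with the following added example. It is not connman's code and not part of this thread: it models only the two orderings of the checks from dhcp_recv_l2_packet(), with the IPv4 and UDP header sizes (20 and 8 bytes) as assumed constants, and payload_len() is an assumption about how the accepted length feeds the later copy out of the stack-local packet buffer.

```c
/* Added example for this page: models the length-check ordering in
 * connman's gdhcp/client.c dhcp_recv_l2_packet() before and after the
 * CVE-2023-28488 fix.  Illustrative code, not connman's source.  The
 * header sizes below are assumptions mirroring the IPv4 + UDP headers
 * that the real struct ip_udp_dhcp_packet starts with. */
#include <stdint.h>
#include <stdio.h>

#define IP_HDR_LEN  20   /* assumed sizeof(struct iphdr)  */
#define UDP_HDR_LEN 8    /* assumed sizeof(struct udphdr) */

/* Pre-fix ordering (connman <= 1.41): the header-size check runs on
 * the number of bytes actually read, and only afterwards is 'bytes'
 * replaced by the attacker-controlled ip.tot_len.  Returns the length
 * the function would go on to trust, or -1 if the packet is rejected. */
static int check_len_old(int bytes, uint16_t tot_len)
{
    if (bytes < 0)
        return -1;
    if (bytes < IP_HDR_LEN + UDP_HDR_LEN)
        return -1;
    if (bytes < tot_len)          /* partial read: packet bigger than buffer */
        return -1;
    bytes = tot_len;              /* "ignore any extra garbage bytes" */
    return bytes;
}

/* Post-fix ordering (upstream 99e2c16e, shipped in connman 1.42): clamp
 * to tot_len first, then require the clamped value to still cover the
 * IP and UDP headers; tot_len is not consulted again afterwards. */
static int check_len_new(int bytes, uint16_t tot_len)
{
    if (bytes < 0)
        return -1;
    if (bytes > tot_len)
        bytes = tot_len;          /* ignore any extra garbage bytes */
    else if (bytes < tot_len)
        return -1;                /* partial read */
    if (bytes < IP_HDR_LEN + UDP_HDR_LEN)
        return -1;
    return bytes;
}

/* Assumed downstream use of the accepted length: the DHCP payload is
 * whatever follows the two headers.  If 'bytes' was allowed to shrink
 * below the header size this goes negative, and a negative length
 * handed to a copy routine as size_t is enormous: that is the shape of
 * the stack overflow the advisory describes. */
static long payload_len(int accepted_bytes)
{
    return (long)accepted_bytes - (IP_HDR_LEN + UDP_HDR_LEN);
}

int main(void)
{
    /* Constructed scenario: a rogue DHCP server sends a 300-byte frame
     * whose IP header claims tot_len = 4. */
    int read_bytes = 300;
    uint16_t crafted_tot_len = 4;

    int old_result = check_len_old(read_bytes, crafted_tot_len);
    int new_result = check_len_new(read_bytes, crafted_tot_len);

    printf("old ordering accepts %d byte(s), payload length %ld\n",
           old_result, old_result < 0 ? 0L : payload_len(old_result));
    printf("new ordering result: %d (rejected)\n", new_result);

    /* A well-formed packet is accepted by both orderings. */
    printf("well-formed 300/300: old=%d new=%d\n",
           check_len_old(300, 300), check_len_new(300, 300));
    return 0;
}
```

Build and run with `cc -Wall -o lencheck lencheck.c && ./lencheck`. The crafted frame is the interesting case: the old ordering returns 4 and the modelled payload length is -24, while the new ordering rejects it; a frame whose tot_len exceeds what was read is rejected by both, and a correctly sized one passes both.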

* [Buildroot] [PATCH 2/2] package/connman: security bump version to 1.42
  2023-08-18 20:05 [Buildroot] [PATCH 0/2] package/connman: fix CVE-2023-28488 Clement Ramirez
  2023-08-18 20:05 ` [Buildroot] [PATCH 1/2] " Clement Ramirez
@ 2023-08-18 20:05 ` Clement Ramirez
  2023-08-20  9:14 ` [Buildroot] [PATCH 0/2] package/connman: fix CVE-2023-28488 Yann E. MORIN
  2 siblings, 0 replies; 4+ messages in thread
From: Clement Ramirez @ 2023-08-18 20:05 UTC (permalink / raw)
  To: buildroot; +Cc: Clement Ramirez, Martin Bark

The 1.42 version of connman comes with the following CVE fixes:
 - CVE-2022-32292
 - CVE-2022-32293
 - CVE-2023-28488

These CVEs had been fixed with several patches (links in [0])
introduced by 2 commits (SHAs in [1]); those patches are now
deprecated due to this version bump ('git tag --contains ...' shows
that the commits listed in [0] are on the 1.42 tag).

[0] https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d1a5ede5d255bde8ef707f8441b997563b9312bd
    https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=72343929836de80727a27d6744c869dff045757c
    https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=416bfaff988882c553c672e5bfc2d4f648d29e8a
    https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=99e2c16ea1cced34a5dc450d76287a1c3e762138

[1] 2f2b4c80f4 package/connman: fix CVE-2022-3229{2,3}
    f31635b7fe package/connman: fix CVE-2023-28488

Signed-off-by: Clement Ramirez <ramirez.clement3@gmail.com>
---
 .checkpackageignore                           |   4 -
 ...-gweb-Fix-OOB-write-in-received_data.patch |  36 ----
 ...-reference-counter-to-portal-context.patch | 142 --------------
 ...spr-Update-portal-context-references.patch | 175 ------------------
 ...ify-and-sanitize-packet-length-first.patch |  62 -------
 package/connman/connman.hash                  |   2 +-
 package/connman/connman.mk                    |  12 +-
 7 files changed, 2 insertions(+), 431 deletions(-)
 delete mode 100644 package/connman/0001-gweb-Fix-OOB-write-in-received_data.patch
 delete mode 100644 package/connman/0002-wispr-Add-reference-counter-to-portal-context.patch
 delete mode 100644 package/connman/0003-wispr-Update-portal-context-references.patch
 delete mode 100644 package/connman/0004-gdhcp-Verify-and-sanitize-packet-length-first.patch

diff --git a/.checkpackageignore b/.checkpackageignore
index 54525e5d90..e5c06b1e0a 100644
--- a/.checkpackageignore
+++ b/.checkpackageignore
@@ -263,10 +263,6 @@ package/chrony/S49chrony Indent Shellcheck Variables
 package/cmake/0001-rename-cmake-rootfile.patch Upstream
 package/cmocka/0001-Don-t-redefine-uintptr_t.patch Upstream
 package/collectd/0001-src-netlink.c-remove-REG_NOERROR.patch Upstream
-package/connman/0001-gweb-Fix-OOB-write-in-received_data.patch Upstream
-package/connman/0002-wispr-Add-reference-counter-to-portal-context.patch Upstream
-package/connman/0003-wispr-Update-portal-context-references.patch Upstream
-package/connman/0004-gdhcp-Verify-and-sanitize-packet-length-first.patch Upstream
 package/connman/S45connman Variables
 package/copas/0001-Do-not-load-coxpcall-for-LuaJIT.patch Upstream
 package/coremark-pro/coremark-pro.sh.in Shellcheck
diff --git a/package/connman/0001-gweb-Fix-OOB-write-in-received_data.patch b/package/connman/0001-gweb-Fix-OOB-write-in-received_data.patch
deleted file mode 100644
index d1a9d8f8fe..0000000000
--- a/package/connman/0001-gweb-Fix-OOB-write-in-received_data.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From d1a5ede5d255bde8ef707f8441b997563b9312bd Mon Sep 17 00:00:00 2001
-From: Nathan Crandall <ncrandall@tesla.com>
-Date: Tue, 12 Jul 2022 08:56:34 +0200
-Subject: gweb: Fix OOB write in received_data()
-
-There is a mismatch of handling binary vs. C-string data with memchr
-and strlen, resulting in pos, count, and bytes_read to become out of
-sync and result in a heap overflow.  Instead, do not treat the buffer
-as an ASCII C-string. We calculate the count based on the return value
-of memchr, instead of strlen.
-
-Fixes: CVE-2022-32292
-
-[Retrieved from:
-https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d1a5ede5d255bde8ef707f8441b997563b9312bd]
-Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
----
- gweb/gweb.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/gweb/gweb.c b/gweb/gweb.c
-index 12fcb1d8..13c6c5f2 100644
---- a/gweb/gweb.c
-+++ b/gweb/gweb.c
-@@ -918,7 +918,7 @@ static gboolean received_data(GIOChannel *channel, GIOCondition cond,
- 		}
- 
- 		*pos = '\0';
--		count = strlen((char *) ptr);
-+		count = pos - ptr;
- 		if (count > 0 && ptr[count - 1] == '\r') {
- 			ptr[--count] = '\0';
- 			bytes_read--;
--- 
-cgit 
-
diff --git a/package/connman/0002-wispr-Add-reference-counter-to-portal-context.patch b/package/connman/0002-wispr-Add-reference-counter-to-portal-context.patch
deleted file mode 100644
index c2cebdfdcc..0000000000
--- a/package/connman/0002-wispr-Add-reference-counter-to-portal-context.patch
+++ /dev/null
@@ -1,142 +0,0 @@
-From 72343929836de80727a27d6744c869dff045757c Mon Sep 17 00:00:00 2001
-From: Daniel Wagner <wagi@monom.org>
-Date: Tue, 5 Jul 2022 08:32:12 +0200
-Subject: wispr: Add reference counter to portal context
-
-Track the connman_wispr_portal_context live time via a
-refcounter. This only adds the infrastructure to do proper reference
-counting.
-
-Fixes: CVE-2022-32293
-
-[Retrieved from:
-https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=72343929836de80727a27d6744c869dff045757c]
-Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
----
- src/wispr.c | 52 ++++++++++++++++++++++++++++++++++++++++++----------
- 1 file changed, 42 insertions(+), 10 deletions(-)
-
-diff --git a/src/wispr.c b/src/wispr.c
-index a07896ca..bde7e63b 100644
---- a/src/wispr.c
-+++ b/src/wispr.c
-@@ -56,6 +56,7 @@ struct wispr_route {
- };
- 
- struct connman_wispr_portal_context {
-+	int refcount;
- 	struct connman_service *service;
- 	enum connman_ipconfig_type type;
- 	struct connman_wispr_portal *wispr_portal;
-@@ -97,6 +98,11 @@ static char *online_check_ipv4_url = NULL;
- static char *online_check_ipv6_url = NULL;
- static bool enable_online_to_ready_transition = false;
- 
-+#define wispr_portal_context_ref(wp_context) \
-+	wispr_portal_context_ref_debug(wp_context, __FILE__, __LINE__, __func__)
-+#define wispr_portal_context_unref(wp_context) \
-+	wispr_portal_context_unref_debug(wp_context, __FILE__, __LINE__, __func__)
-+
- static void connman_wispr_message_init(struct connman_wispr_message *msg)
- {
- 	DBG("");
-@@ -162,9 +168,6 @@ static void free_connman_wispr_portal_context(
- {
- 	DBG("context %p", wp_context);
- 
--	if (!wp_context)
--		return;
--
- 	if (wp_context->wispr_portal) {
- 		if (wp_context->wispr_portal->ipv4_context == wp_context)
- 			wp_context->wispr_portal->ipv4_context = NULL;
-@@ -201,9 +204,38 @@ static void free_connman_wispr_portal_context(
- 	g_free(wp_context);
- }
- 
-+static struct connman_wispr_portal_context *
-+wispr_portal_context_ref_debug(struct connman_wispr_portal_context *wp_context,
-+			const char *file, int line, const char *caller)
-+{
-+	DBG("%p ref %d by %s:%d:%s()", wp_context,
-+		wp_context->refcount + 1, file, line, caller);
-+
-+	__sync_fetch_and_add(&wp_context->refcount, 1);
-+
-+	return wp_context;
-+}
-+
-+static void wispr_portal_context_unref_debug(
-+		struct connman_wispr_portal_context *wp_context,
-+		const char *file, int line, const char *caller)
-+{
-+	if (!wp_context)
-+		return;
-+
-+	DBG("%p ref %d by %s:%d:%s()", wp_context,
-+		wp_context->refcount - 1, file, line, caller);
-+
-+	if (__sync_fetch_and_sub(&wp_context->refcount, 1) != 1)
-+		return;
-+
-+	free_connman_wispr_portal_context(wp_context);
-+}
-+
- static struct connman_wispr_portal_context *create_wispr_portal_context(void)
- {
--	return g_try_new0(struct connman_wispr_portal_context, 1);
-+	return wispr_portal_context_ref(
-+		g_new0(struct connman_wispr_portal_context, 1));
- }
- 
- static void free_connman_wispr_portal(gpointer data)
-@@ -215,8 +247,8 @@ static void free_connman_wispr_portal(gpointer data)
- 	if (!wispr_portal)
- 		return;
- 
--	free_connman_wispr_portal_context(wispr_portal->ipv4_context);
--	free_connman_wispr_portal_context(wispr_portal->ipv6_context);
-+	wispr_portal_context_unref(wispr_portal->ipv4_context);
-+	wispr_portal_context_unref(wispr_portal->ipv6_context);
- 
- 	g_free(wispr_portal);
- }
-@@ -452,7 +484,7 @@ static void portal_manage_status(GWebResult *result,
- 		connman_info("Client-Timezone: %s", str);
- 
- 	if (!enable_online_to_ready_transition)
--		free_connman_wispr_portal_context(wp_context);
-+		wispr_portal_context_unref(wp_context);
- 
- 	__connman_service_ipconfig_indicate_state(service,
- 					CONNMAN_SERVICE_STATE_ONLINE, type);
-@@ -616,7 +648,7 @@ static void wispr_portal_request_wispr_login(struct connman_service *service,
- 				return;
- 		}
- 
--		free_connman_wispr_portal_context(wp_context);
-+		wispr_portal_context_unref(wp_context);
- 		return;
- 	}
- 
-@@ -952,7 +984,7 @@ static int wispr_portal_detect(struct connman_wispr_portal_context *wp_context)
- 
- 		if (wp_context->token == 0) {
- 			err = -EINVAL;
--			free_connman_wispr_portal_context(wp_context);
-+			wispr_portal_context_unref(wp_context);
- 		}
- 	} else if (wp_context->timeout == 0) {
- 		wp_context->timeout = g_idle_add(no_proxy_callback, wp_context);
-@@ -1001,7 +1033,7 @@ int __connman_wispr_start(struct connman_service *service,
- 
- 	/* If there is already an existing context, we wipe it */
- 	if (wp_context)
--		free_connman_wispr_portal_context(wp_context);
-+		wispr_portal_context_unref(wp_context);
- 
- 	wp_context = create_wispr_portal_context();
- 	if (!wp_context)
--- 
-cgit 
-
diff --git a/package/connman/0003-wispr-Update-portal-context-references.patch b/package/connman/0003-wispr-Update-portal-context-references.patch
deleted file mode 100644
index 61c4e21f94..0000000000
--- a/package/connman/0003-wispr-Update-portal-context-references.patch
+++ /dev/null
@@ -1,175 +0,0 @@
-From 416bfaff988882c553c672e5bfc2d4f648d29e8a Mon Sep 17 00:00:00 2001
-From: Daniel Wagner <wagi@monom.org>
-Date: Tue, 5 Jul 2022 09:11:09 +0200
-Subject: wispr: Update portal context references
-
-Maintain proper portal context references to avoid UAF.
-
-Fixes: CVE-2022-32293
-
-[Retrieved from:
-https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=416bfaff988882c553c672e5bfc2d4f648d29e8a]
-Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
----
- src/wispr.c | 34 ++++++++++++++++++++++------------
- 1 file changed, 22 insertions(+), 12 deletions(-)
-
-diff --git a/src/wispr.c b/src/wispr.c
-index bde7e63b..84bed33f 100644
---- a/src/wispr.c
-+++ b/src/wispr.c
-@@ -105,8 +105,6 @@ static bool enable_online_to_ready_transition = false;
- 
- static void connman_wispr_message_init(struct connman_wispr_message *msg)
- {
--	DBG("");
--
- 	msg->has_error = false;
- 	msg->current_element = NULL;
- 
-@@ -166,8 +164,6 @@ static void free_wispr_routes(struct connman_wispr_portal_context *wp_context)
- static void free_connman_wispr_portal_context(
- 		struct connman_wispr_portal_context *wp_context)
- {
--	DBG("context %p", wp_context);
--
- 	if (wp_context->wispr_portal) {
- 		if (wp_context->wispr_portal->ipv4_context == wp_context)
- 			wp_context->wispr_portal->ipv4_context = NULL;
-@@ -483,9 +479,6 @@ static void portal_manage_status(GWebResult *result,
- 				&str))
- 		connman_info("Client-Timezone: %s", str);
- 
--	if (!enable_online_to_ready_transition)
--		wispr_portal_context_unref(wp_context);
--
- 	__connman_service_ipconfig_indicate_state(service,
- 					CONNMAN_SERVICE_STATE_ONLINE, type);
- 
-@@ -546,14 +539,17 @@ static void wispr_portal_request_portal(
- {
- 	DBG("");
- 
-+	wispr_portal_context_ref(wp_context);
- 	wp_context->request_id = g_web_request_get(wp_context->web,
- 					wp_context->status_url,
- 					wispr_portal_web_result,
- 					wispr_route_request,
- 					wp_context);
- 
--	if (wp_context->request_id == 0)
-+	if (wp_context->request_id == 0) {
- 		wispr_portal_error(wp_context);
-+		wispr_portal_context_unref(wp_context);
-+	}
- }
- 
- static bool wispr_input(const guint8 **data, gsize *length,
-@@ -618,13 +614,15 @@ static void wispr_portal_browser_reply_cb(struct connman_service *service,
- 		return;
- 
- 	if (!authentication_done) {
--		wispr_portal_error(wp_context);
- 		free_wispr_routes(wp_context);
-+		wispr_portal_error(wp_context);
-+		wispr_portal_context_unref(wp_context);
- 		return;
- 	}
- 
- 	/* Restarting the test */
- 	__connman_service_wispr_start(service, wp_context->type);
-+	wispr_portal_context_unref(wp_context);
- }
- 
- static void wispr_portal_request_wispr_login(struct connman_service *service,
-@@ -700,11 +698,13 @@ static bool wispr_manage_message(GWebResult *result,
- 
- 		wp_context->wispr_result = CONNMAN_WISPR_RESULT_LOGIN;
- 
-+		wispr_portal_context_ref(wp_context);
- 		if (__connman_agent_request_login_input(wp_context->service,
- 					wispr_portal_request_wispr_login,
--					wp_context) != -EINPROGRESS)
-+					wp_context) != -EINPROGRESS) {
- 			wispr_portal_error(wp_context);
--		else
-+			wispr_portal_context_unref(wp_context);
-+		} else
- 			return true;
- 
- 		break;
-@@ -753,6 +753,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
- 		if (length > 0) {
- 			g_web_parser_feed_data(wp_context->wispr_parser,
- 								chunk, length);
-+			wispr_portal_context_unref(wp_context);
- 			return true;
- 		}
- 
-@@ -770,6 +771,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
- 
- 	switch (status) {
- 	case 000:
-+		wispr_portal_context_ref(wp_context);
- 		__connman_agent_request_browser(wp_context->service,
- 				wispr_portal_browser_reply_cb,
- 				wp_context->status_url, wp_context);
-@@ -781,11 +783,14 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
- 		if (g_web_result_get_header(result, "X-ConnMan-Status",
- 						&str)) {
- 			portal_manage_status(result, wp_context);
-+			wispr_portal_context_unref(wp_context);
- 			return false;
--		} else
-+		} else {
-+			wispr_portal_context_ref(wp_context);
- 			__connman_agent_request_browser(wp_context->service,
- 					wispr_portal_browser_reply_cb,
- 					wp_context->redirect_url, wp_context);
-+		}
- 
- 		break;
- 	case 300:
-@@ -798,6 +803,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
- 			!g_web_result_get_header(result, "Location",
- 							&redirect)) {
- 
-+			wispr_portal_context_ref(wp_context);
- 			__connman_agent_request_browser(wp_context->service,
- 					wispr_portal_browser_reply_cb,
- 					wp_context->status_url, wp_context);
-@@ -808,6 +814,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
- 
- 		wp_context->redirect_url = g_strdup(redirect);
- 
-+		wispr_portal_context_ref(wp_context);
- 		wp_context->request_id = g_web_request_get(wp_context->web,
- 				redirect, wispr_portal_web_result,
- 				wispr_route_request, wp_context);
-@@ -820,6 +827,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
- 
- 		break;
- 	case 505:
-+		wispr_portal_context_ref(wp_context);
- 		__connman_agent_request_browser(wp_context->service,
- 				wispr_portal_browser_reply_cb,
- 				wp_context->status_url, wp_context);
-@@ -832,6 +840,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
- 	wp_context->request_id = 0;
- done:
- 	wp_context->wispr_msg.message_type = -1;
-+	wispr_portal_context_unref(wp_context);
- 	return false;
- }
- 
-@@ -890,6 +899,7 @@ static void proxy_callback(const char *proxy, void *user_data)
- 					xml_wispr_parser_callback, wp_context);
- 
- 	wispr_portal_request_portal(wp_context);
-+	wispr_portal_context_unref(wp_context);
- }
- 
- static gboolean no_proxy_callback(gpointer user_data)
--- 
-cgit 
-
diff --git a/package/connman/0004-gdhcp-Verify-and-sanitize-packet-length-first.patch b/package/connman/0004-gdhcp-Verify-and-sanitize-packet-length-first.patch
deleted file mode 100644
index d5d81f17bf..0000000000
--- a/package/connman/0004-gdhcp-Verify-and-sanitize-packet-length-first.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From 996d39df6f6c0f9d1e9968af8024bb0cde31d1e8 Mon Sep 17 00:00:00 2001
-From: Daniel Wagner <wagi@monom.org>
-Date: Tue, 11 Apr 2023 08:12:56 +0200
-Subject: gdhcp: Verify and sanitize packet length first
-
-Avoid overwriting the read packet length after the initial test. Thus
-move all the length checks which depends on the total length first
-and do not use the total lenght from the IP packet afterwards.
-
-Fixes CVE-2023-28488
-
-Reported by Polina Smirnova <moe.hwr@gmail.com>
-
-[Retrieved from:
-https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=99e2c16ea1cced34a5dc450d76287a1c3e762138]
-Signed-off-by: Clement Ramirez <ramirez.clement3@gmail.com>
----
- gdhcp/client.c | 16 +++++++++-------
- 1 file changed, 9 insertions(+), 7 deletions(-)
-
-diff --git a/gdhcp/client.c b/gdhcp/client.c
-index 3016dfc2..28fa6066 100644
---- a/gdhcp/client.c
-+++ b/gdhcp/client.c
-@@ -1319,9 +1319,9 @@ static bool sanity_check(struct ip_udp_dhcp_packet *packet, int bytes)
- static int dhcp_recv_l2_packet(struct dhcp_packet *dhcp_pkt, int fd,
- 				struct sockaddr_in *dst_addr)
- {
--	int bytes;
- 	struct ip_udp_dhcp_packet packet;
- 	uint16_t check;
-+	int bytes, tot_len;
- 
- 	memset(&packet, 0, sizeof(packet));
- 
-@@ -1329,15 +1329,17 @@ static int dhcp_recv_l2_packet(struct dhcp_packet *dhcp_pkt, int fd,
- 	if (bytes < 0)
- 		return -1;
- 
--	if (bytes < (int) (sizeof(packet.ip) + sizeof(packet.udp)))
--		return -1;
--
--	if (bytes < ntohs(packet.ip.tot_len))
-+	tot_len = ntohs(packet.ip.tot_len);
-+	if (bytes > tot_len) {
-+		/* ignore any extra garbage bytes */
-+		bytes = tot_len;
-+	} else if (bytes < tot_len) {
- 		/* packet is bigger than sizeof(packet), we did partial read */
- 		return -1;
-+	}
- 
--	/* ignore any extra garbage bytes */
--	bytes = ntohs(packet.ip.tot_len);
-+	if (bytes < (int) (sizeof(packet.ip) + sizeof(packet.udp)))
-+		return -1;
- 
- 	if (!sanity_check(&packet, bytes))
- 		return -1;
--- 
-2.34.1
-
diff --git a/package/connman/connman.hash b/package/connman/connman.hash
index 6fc5edf29a..ea87f1ea17 100644
--- a/package/connman/connman.hash
+++ b/package/connman/connman.hash
@@ -1,4 +1,4 @@
 # From https://www.kernel.org/pub/linux/network/connman/sha256sums.asc
-sha256  79fb40f4fdd5530c45aa8e592fb16ba23d3674f3a98cf10b89a6576f198de589  connman-1.41.tar.xz
+sha256  a3e6bae46fc081ef2e9dae3caa4f7649de892c3de622c20283ac0ca81423c2aa  connman-1.42.tar.xz
 # Locally computed
 sha256  b499eddebda05a8859e32b820a64577d91f1de2b52efa2a1575a2cb4000bc259  COPYING
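Review bot: the commit message should say that the new sha256 for connman-1.42.tar.xz was taken from, or checked against, the PGP-signed sha256sums.asc that the comment on the line above points to, and that the signature itself was verified, rather than computed from a downloaded tarball; for a security bump that is the step that actually ties the hash to upstream.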
diff --git a/package/connman/connman.mk b/package/connman/connman.mk
index 40ce99fa40..142a6583ad 100644
--- a/package/connman/connman.mk
+++ b/package/connman/connman.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-CONNMAN_VERSION = 1.41
+CONNMAN_VERSION = 1.42
 CONNMAN_SOURCE = connman-$(CONNMAN_VERSION).tar.xz
 CONNMAN_SITE = $(BR2_KERNEL_MIRROR)/linux/network/connman
 CONNMAN_DEPENDENCIES = libglib2 dbus
@@ -13,16 +13,6 @@ CONNMAN_LICENSE = GPL-2.0
 CONNMAN_LICENSE_FILES = COPYING
 CONNMAN_CPE_ID_VENDOR = intel
 
-# 0001-gweb-Fix-OOB-write-in-received_data.patch
-CONNMAN_IGNORE_CVES += CVE-2022-32292
-
-# 0002-wispr-Add-reference-counter-to-portal-context.patch
-# 0003-wispr-Update-portal-context-references.patch
-CONNMAN_IGNORE_CVES += CVE-2022-32293
-
-# 0004-gdhcp-Verify-and-sanitize-packet-length-first.patch
-CONNMAN_IGNORE_CVES += CVE-2023-28488
-
 CONNMAN_CONF_OPTS = --with-dbusconfdir=/etc
 
 ifeq ($(BR2_INIT_SYSTEMD),y)
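Review bot: dropping the three CONNMAN_IGNORE_CVES entries is right once the fixes are in the release, but it relies on NVD's affected-version range for CPE vendor `intel` product `connman` (see CONNMAN_CPE_ID_VENDOR above) excluding 1.42; if NVD still lists 1.42 as affected, pkg-stats will report these CVEs again and the entries should come back with a comment that 1.42 contains the fixes.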
-- 
2.34.1


* Re: [Buildroot] [PATCH 0/2] package/connman: fix CVE-2023-28488
  2023-08-18 20:05 [Buildroot] [PATCH 0/2] package/connman: fix CVE-2023-28488 Clement Ramirez
  2023-08-18 20:05 ` [Buildroot] [PATCH 1/2] " Clement Ramirez
  2023-08-18 20:05 ` [Buildroot] [PATCH 2/2] package/connman: security bump version to 1.42 Clement Ramirez
@ 2023-08-20  9:14 ` Yann E. MORIN
  2 siblings, 0 replies; 4+ messages in thread
From: Yann E. MORIN @ 2023-08-20  9:14 UTC (permalink / raw)
  To: Clement Ramirez; +Cc: Martin Bark, buildroot

Clément, Al,

On 2023-08-18 22:05 +0200, Clement Ramirez spake thusly:
> This patch series is designed to fix the CVE-2023-28488:
> - The first commit backports the CVE-2023-28488 patch fix onto the 1.41
>   connman version.
> - The second commit bumps connman to 1.42 and removes the previous
>   deprecated patches that introduced fixes now present in the 1.42.
> This way the first commit can be used to fix the CVE in LTS releases,
> and the second one for future releases of Buildroot.

Since the oldest maintenance branch we have already uses connman 1.41,
we can just backport the version bump to get all the security fixes.

So I squashed the two commits together,

Applied to master, thanks.

Regards,
Yann E. MORIN.

> Clement Ramirez (2):
>   package/connman: fix CVE-2023-28488
>   package/connman: security bump version to 1.42
> 
>  .checkpackageignore                           |   3 -
>  ...-gweb-Fix-OOB-write-in-received_data.patch |  36 ----
>  ...-reference-counter-to-portal-context.patch | 142 --------------
>  ...spr-Update-portal-context-references.patch | 175 ------------------
>  package/connman/connman.hash                  |   2 +-
>  package/connman/connman.mk                    |   9 +-
>  6 files changed, 2 insertions(+), 365 deletions(-)
>  delete mode 100644 package/connman/0001-gweb-Fix-OOB-write-in-received_data.patch
>  delete mode 100644 package/connman/0002-wispr-Add-reference-counter-to-portal-context.patch
>  delete mode 100644 package/connman/0003-wispr-Update-portal-context-references.patch
> 
> -- 
> 2.34.1
> 

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
