* [Buildroot] [PATCH 1/2] package/libcoap: fix CVE-2023-30362
@ 2023-09-06 19:44 Daniel Lang
2023-09-06 19:44 ` [Buildroot] [PATCH 2/2] package/libcoap: ignore CVE-2023-35862 Daniel Lang
` (2 more replies)
0 siblings, 3 replies; 7+ messages in thread
From: Daniel Lang @ 2023-09-06 19:44 UTC (permalink / raw)
To: buildroot; +Cc: Joris Lijssens
Signed-off-by: Daniel Lang <dalang@gmx.at>
---
...0001-Backport-fix-for-CVE-2023-30362.patch | 59 +++++++++++++++++++
package/libcoap/libcoap.mk | 2 +
2 files changed, 61 insertions(+)
create mode 100644 package/libcoap/0001-Backport-fix-for-CVE-2023-30362.patch
diff --git a/package/libcoap/0001-Backport-fix-for-CVE-2023-30362.patch b/package/libcoap/0001-Backport-fix-for-CVE-2023-30362.patch
new file mode 100644
index 0000000000..c4e53d19a7
--- /dev/null
+++ b/package/libcoap/0001-Backport-fix-for-CVE-2023-30362.patch
@@ -0,0 +1,59 @@
+From c63ecbdc6b38cc7e571a72964fe9ca63834dcc89 Mon Sep 17 00:00:00 2001
+From: Daniel Lang <ldaniell14260@gmail.com>
+Date: Wed, 6 Sep 2023 21:38:13 +0200
+Subject: [PATCH] Backport fix for CVE-2023-30362
+
+Upstream: https://github.com/obgm/libcoap/issues/1063#issuecomment-1626962307
+Signed-off-by: Daniel Lang <dalang@gmx.at>
+---
+ src/net.c | 34 +++++++++++++++++++++-------------
+ 1 file changed, 21 insertions(+), 13 deletions(-)
+
+diff --git a/src/net.c b/src/net.c
+index 98859443..e259ab00 100644
+--- a/src/net.c
++++ b/src/net.c
+@@ -1305,19 +1305,27 @@ coap_send_internal(coap_session_t *session, coap_pdu_t *pdu) {
+
+ /* Need to check that we are not seeing this proxy in the return loop */
+ if (pdu->data && opt == NULL) {
+- if (pdu->used_size + 1 <= pdu->max_size) {
+- char *a_match;
+- size_t data_len = pdu->used_size - (pdu->data - pdu->token);
+- pdu->data[data_len] = '\000';
+- a_match = strstr((char*)pdu->data, cp);
+- if (a_match && (a_match == (char*)pdu->data || a_match[-1] == ' ') &&
+- ((size_t)(a_match - (char*)pdu->data + len) == data_len ||
+- a_match[len] == ' ')) {
+- coap_log(LOG_WARNING, "Proxy loop detected '%s'\n",
+- (char*)pdu->data);
+- coap_delete_pdu(pdu);
+- return (coap_mid_t)COAP_DROPPED_RESPONSE;
+- }
++ char *a_match;
++ size_t data_len;
++
++ if (pdu->used_size + 1 > pdu->max_size) {
++ /* No space */
++ return (coap_mid_t)COAP_DROPPED_RESPONSE;
++ }
++ if (!coap_pdu_resize(pdu, pdu->used_size + 1)) {
++ /* Internal error */
++ return (coap_mid_t)COAP_DROPPED_RESPONSE;
++ }
++ data_len = pdu->used_size - (pdu->data - pdu->token);
++ pdu->data[data_len] = '\000';
++ a_match = strstr((char*)pdu->data, cp);
++ if (a_match && (a_match == (char*)pdu->data || a_match[-1] == ' ') &&
++ ((size_t)(a_match - (char*)pdu->data + len) == data_len ||
++ a_match[len] == ' ')) {
++ coap_log(LOG_WARNING, "Proxy loop detected '%s'\n",
++ (char*)pdu->data);
++ coap_delete_pdu(pdu);
++ return (coap_mid_t)COAP_DROPPED_RESPONSE;
+ }
+ }
+ if (pdu->used_size + len + 1 <= pdu->max_size) {
+--
+2.42.0
+
diff --git a/package/libcoap/libcoap.mk b/package/libcoap/libcoap.mk
index 4b536d8117..3773ad293c 100644
--- a/package/libcoap/libcoap.mk
+++ b/package/libcoap/libcoap.mk
@@ -14,6 +14,8 @@ LIBCOAP_DEPENDENCIES = host-pkgconf
LIBCOAP_CONF_OPTS = \
--disable-examples --disable-examples-source --without-tinydtls
LIBCOAP_AUTORECONF = YES
+# 0001-Backport-fix-for-CVE-2023-30362.patch
+LIBCOAP_IGNORE_CVES += CVE-2023-30362
ifeq ($(BR2_PACKAGE_GNUTLS),y)
LIBCOAP_DEPENDENCIES += gnutls
--
2.42.0
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply related [flat|nested] 7+ messages in thread* [Buildroot] [PATCH 2/2] package/libcoap: ignore CVE-2023-35862
2023-09-06 19:44 [Buildroot] [PATCH 1/2] package/libcoap: fix CVE-2023-30362 Daniel Lang
@ 2023-09-06 19:44 ` Daniel Lang
2023-09-07 13:25 ` Thomas Petazzoni via buildroot
2023-09-26 6:10 ` Peter Korsgaard
2023-09-22 19:07 ` [Buildroot] [PATCH 1/2] package/libcoap: fix CVE-2023-30362 Arnout Vandecappelle via buildroot
2023-09-26 6:10 ` Peter Korsgaard
2 siblings, 2 replies; 7+ messages in thread
From: Daniel Lang @ 2023-09-06 19:44 UTC (permalink / raw)
To: buildroot; +Cc: Joris Lijssens
According to a collaborator [0] the affected code isn't in 4.3.1
[0]: https://github.com/obgm/libcoap/issues/1117
Signed-off-by: Daniel Lang <dalang@gmx.at>
---
package/libcoap/libcoap.mk | 2 ++
1 file changed, 2 insertions(+)
diff --git a/package/libcoap/libcoap.mk b/package/libcoap/libcoap.mk
index 3773ad293c..94bfc59702 100644
--- a/package/libcoap/libcoap.mk
+++ b/package/libcoap/libcoap.mk
@@ -16,6 +16,8 @@ LIBCOAP_CONF_OPTS = \
LIBCOAP_AUTORECONF = YES
# 0001-Backport-fix-for-CVE-2023-30362.patch
LIBCOAP_IGNORE_CVES += CVE-2023-30362
+# Doesn't affect 4.3.1, see https://github.com/obgm/libcoap/issues/1117
+LIBCOAP_IGNORE_CVES += CVE-2023-35862
ifeq ($(BR2_PACKAGE_GNUTLS),y)
LIBCOAP_DEPENDENCIES += gnutls
--
2.42.0
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [Buildroot] [PATCH 2/2] package/libcoap: ignore CVE-2023-35862
2023-09-06 19:44 ` [Buildroot] [PATCH 2/2] package/libcoap: ignore CVE-2023-35862 Daniel Lang
@ 2023-09-07 13:25 ` Thomas Petazzoni via buildroot
2023-09-22 19:12 ` Arnout Vandecappelle via buildroot
2023-09-26 6:10 ` Peter Korsgaard
1 sibling, 1 reply; 7+ messages in thread
From: Thomas Petazzoni via buildroot @ 2023-09-07 13:25 UTC (permalink / raw)
To: Daniel Lang; +Cc: Joris Lijssens, buildroot
On Wed, 6 Sep 2023 21:44:19 +0200
Daniel Lang <dalang@gmx.at> wrote:
> According to a collaborator [0] the affected code isn't in 4.3.1
>
> [0]: https://github.com/obgm/libcoap/issues/1117
>
> Signed-off-by: Daniel Lang <dalang@gmx.at>
> ---
> package/libcoap/libcoap.mk | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/package/libcoap/libcoap.mk b/package/libcoap/libcoap.mk
> index 3773ad293c..94bfc59702 100644
> --- a/package/libcoap/libcoap.mk
> +++ b/package/libcoap/libcoap.mk
> @@ -16,6 +16,8 @@ LIBCOAP_CONF_OPTS = \
> LIBCOAP_AUTORECONF = YES
> # 0001-Backport-fix-for-CVE-2023-30362.patch
> LIBCOAP_IGNORE_CVES += CVE-2023-30362
> +# Doesn't affect 4.3.1, see https://github.com/obgm/libcoap/issues/1117
> +LIBCOAP_IGNORE_CVES += CVE-2023-35862
Then instead the NVD maintainers need to be reported this issue, so
that the NVD database gets fixed. At least for now that's how we've
tried to resolve such issues.
However, admittedly, the last bug reports I did to NVD people were
ignored, while in the past, they used to be taken into account quite
efficiently.
Thomas
--
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [Buildroot] [PATCH 2/2] package/libcoap: ignore CVE-2023-35862
2023-09-07 13:25 ` Thomas Petazzoni via buildroot
@ 2023-09-22 19:12 ` Arnout Vandecappelle via buildroot
0 siblings, 0 replies; 7+ messages in thread
From: Arnout Vandecappelle via buildroot @ 2023-09-22 19:12 UTC (permalink / raw)
To: Thomas Petazzoni, Daniel Lang; +Cc: buildroot, Joris Lijssens
On 07/09/2023 15:25, Thomas Petazzoni via buildroot wrote:
> On Wed, 6 Sep 2023 21:44:19 +0200
> Daniel Lang <dalang@gmx.at> wrote:
>
>> According to a collaborator [0] the affected code isn't in 4.3.1
>>
>> [0]: https://github.com/obgm/libcoap/issues/1117
>>
>> Signed-off-by: Daniel Lang <dalang@gmx.at>
>> ---
>> package/libcoap/libcoap.mk | 2 ++
>> 1 file changed, 2 insertions(+)
>>
>> diff --git a/package/libcoap/libcoap.mk b/package/libcoap/libcoap.mk
>> index 3773ad293c..94bfc59702 100644
>> --- a/package/libcoap/libcoap.mk
>> +++ b/package/libcoap/libcoap.mk
>> @@ -16,6 +16,8 @@ LIBCOAP_CONF_OPTS = \
>> LIBCOAP_AUTORECONF = YES
>> # 0001-Backport-fix-for-CVE-2023-30362.patch
>> LIBCOAP_IGNORE_CVES += CVE-2023-30362
>> +# Doesn't affect 4.3.1, see https://github.com/obgm/libcoap/issues/1117
>> +LIBCOAP_IGNORE_CVES += CVE-2023-35862
>
> Then instead the NVD maintainers need to be reported this issue, so
> that the NVD database gets fixed. At least for now that's how we've
> tried to resolve such issues.
The issue was never in any released version. So if the CPE entry is fixed in
NVD, it will be changed from
cpe:2.3:a:libcoap:libcoap:4.3.1:*:*:*:*:*:*:*
to
cpe:2.3:a:libcoap:libcoap:-:*:*:*:*:*:*:*
As I just wrote: we _have_ to treat the - conservatively and assume it's
matching. So even if NVD is corrected, we'll need the exclusion.
Of course, it would be much nicer _not_ to correct the NVD, because then we
can simply remove the exclusion after bumping to 4.3.3 :-)
In any case: applied to master, thanks.
Regards,
Arnout
>
> However, admittedly, the last bug reports I did to NVD people were
> ignored, while in the past, they used to be taken into account quite
> efficiently.
>
> Thomas
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [Buildroot] [PATCH 2/2] package/libcoap: ignore CVE-2023-35862
2023-09-06 19:44 ` [Buildroot] [PATCH 2/2] package/libcoap: ignore CVE-2023-35862 Daniel Lang
2023-09-07 13:25 ` Thomas Petazzoni via buildroot
@ 2023-09-26 6:10 ` Peter Korsgaard
1 sibling, 0 replies; 7+ messages in thread
From: Peter Korsgaard @ 2023-09-26 6:10 UTC (permalink / raw)
To: Daniel Lang; +Cc: Joris Lijssens, buildroot
>>>>> "Daniel" == Daniel Lang <dalang@gmx.at> writes:
> According to a collaborator [0] the affected code isn't in 4.3.1
> [0]: https://github.com/obgm/libcoap/issues/1117
> Signed-off-by: Daniel Lang <dalang@gmx.at>
Committed to 2023.02.x, 2023.05.x and 2023.08.x, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [Buildroot] [PATCH 1/2] package/libcoap: fix CVE-2023-30362
2023-09-06 19:44 [Buildroot] [PATCH 1/2] package/libcoap: fix CVE-2023-30362 Daniel Lang
2023-09-06 19:44 ` [Buildroot] [PATCH 2/2] package/libcoap: ignore CVE-2023-35862 Daniel Lang
@ 2023-09-22 19:07 ` Arnout Vandecappelle via buildroot
2023-09-26 6:10 ` Peter Korsgaard
2 siblings, 0 replies; 7+ messages in thread
From: Arnout Vandecappelle via buildroot @ 2023-09-22 19:07 UTC (permalink / raw)
To: Daniel Lang, buildroot; +Cc: Joris Lijssens
On 06/09/2023 21:44, Daniel Lang wrote:
> Signed-off-by: Daniel Lang <dalang@gmx.at>
> ---
> ...0001-Backport-fix-for-CVE-2023-30362.patch | 59 +++++++++++++++++++
> package/libcoap/libcoap.mk | 2 +
> 2 files changed, 61 insertions(+)
> create mode 100644 package/libcoap/0001-Backport-fix-for-CVE-2023-30362.patch
>
> diff --git a/package/libcoap/0001-Backport-fix-for-CVE-2023-30362.patch b/package/libcoap/0001-Backport-fix-for-CVE-2023-30362.patch
> new file mode 100644
> index 0000000000..c4e53d19a7
> --- /dev/null
> +++ b/package/libcoap/0001-Backport-fix-for-CVE-2023-30362.patch
> @@ -0,0 +1,59 @@
> +From c63ecbdc6b38cc7e571a72964fe9ca63834dcc89 Mon Sep 17 00:00:00 2001
> +From: Daniel Lang <ldaniell14260@gmail.com>
I've set this to the actual author, Jon Shallow. BSD-2c doesn't require much,
but it _does_ require to mention the author.
With that, applied to master, thanks.
Regards,
Arnout
> +Date: Wed, 6 Sep 2023 21:38:13 +0200
> +Subject: [PATCH] Backport fix for CVE-2023-30362
> +
> +Upstream: https://github.com/obgm/libcoap/issues/1063#issuecomment-1626962307
> +Signed-off-by: Daniel Lang <dalang@gmx.at>
> +---
> + src/net.c | 34 +++++++++++++++++++++-------------
> + 1 file changed, 21 insertions(+), 13 deletions(-)
> +
> +diff --git a/src/net.c b/src/net.c
> +index 98859443..e259ab00 100644
> +--- a/src/net.c
> ++++ b/src/net.c
> +@@ -1305,19 +1305,27 @@ coap_send_internal(coap_session_t *session, coap_pdu_t *pdu) {
> +
> + /* Need to check that we are not seeing this proxy in the return loop */
> + if (pdu->data && opt == NULL) {
> +- if (pdu->used_size + 1 <= pdu->max_size) {
> +- char *a_match;
> +- size_t data_len = pdu->used_size - (pdu->data - pdu->token);
> +- pdu->data[data_len] = '\000';
> +- a_match = strstr((char*)pdu->data, cp);
> +- if (a_match && (a_match == (char*)pdu->data || a_match[-1] == ' ') &&
> +- ((size_t)(a_match - (char*)pdu->data + len) == data_len ||
> +- a_match[len] == ' ')) {
> +- coap_log(LOG_WARNING, "Proxy loop detected '%s'\n",
> +- (char*)pdu->data);
> +- coap_delete_pdu(pdu);
> +- return (coap_mid_t)COAP_DROPPED_RESPONSE;
> +- }
> ++ char *a_match;
> ++ size_t data_len;
> ++
> ++ if (pdu->used_size + 1 > pdu->max_size) {
> ++ /* No space */
> ++ return (coap_mid_t)COAP_DROPPED_RESPONSE;
> ++ }
> ++ if (!coap_pdu_resize(pdu, pdu->used_size + 1)) {
> ++ /* Internal error */
> ++ return (coap_mid_t)COAP_DROPPED_RESPONSE;
> ++ }
> ++ data_len = pdu->used_size - (pdu->data - pdu->token);
> ++ pdu->data[data_len] = '\000';
> ++ a_match = strstr((char*)pdu->data, cp);
> ++ if (a_match && (a_match == (char*)pdu->data || a_match[-1] == ' ') &&
> ++ ((size_t)(a_match - (char*)pdu->data + len) == data_len ||
> ++ a_match[len] == ' ')) {
> ++ coap_log(LOG_WARNING, "Proxy loop detected '%s'\n",
> ++ (char*)pdu->data);
> ++ coap_delete_pdu(pdu);
> ++ return (coap_mid_t)COAP_DROPPED_RESPONSE;
> + }
> + }
> + if (pdu->used_size + len + 1 <= pdu->max_size) {
> +--
> +2.42.0
> +
> diff --git a/package/libcoap/libcoap.mk b/package/libcoap/libcoap.mk
> index 4b536d8117..3773ad293c 100644
> --- a/package/libcoap/libcoap.mk
> +++ b/package/libcoap/libcoap.mk
> @@ -14,6 +14,8 @@ LIBCOAP_DEPENDENCIES = host-pkgconf
> LIBCOAP_CONF_OPTS = \
> --disable-examples --disable-examples-source --without-tinydtls
> LIBCOAP_AUTORECONF = YES
> +# 0001-Backport-fix-for-CVE-2023-30362.patch
> +LIBCOAP_IGNORE_CVES += CVE-2023-30362
>
> ifeq ($(BR2_PACKAGE_GNUTLS),y)
> LIBCOAP_DEPENDENCIES += gnutls
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: [Buildroot] [PATCH 1/2] package/libcoap: fix CVE-2023-30362
2023-09-06 19:44 [Buildroot] [PATCH 1/2] package/libcoap: fix CVE-2023-30362 Daniel Lang
2023-09-06 19:44 ` [Buildroot] [PATCH 2/2] package/libcoap: ignore CVE-2023-35862 Daniel Lang
2023-09-22 19:07 ` [Buildroot] [PATCH 1/2] package/libcoap: fix CVE-2023-30362 Arnout Vandecappelle via buildroot
@ 2023-09-26 6:10 ` Peter Korsgaard
2 siblings, 0 replies; 7+ messages in thread
From: Peter Korsgaard @ 2023-09-26 6:10 UTC (permalink / raw)
To: Daniel Lang; +Cc: Joris Lijssens, buildroot
>>>>> "Daniel" == Daniel Lang <dalang@gmx.at> writes:
> Signed-off-by: Daniel Lang <dalang@gmx.at>
Committed to 2023.02.x, 2023.05.x and 2023.08.x, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2023-09-26 6:13 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-09-06 19:44 [Buildroot] [PATCH 1/2] package/libcoap: fix CVE-2023-30362 Daniel Lang
2023-09-06 19:44 ` [Buildroot] [PATCH 2/2] package/libcoap: ignore CVE-2023-35862 Daniel Lang
2023-09-07 13:25 ` Thomas Petazzoni via buildroot
2023-09-22 19:12 ` Arnout Vandecappelle via buildroot
2023-09-26 6:10 ` Peter Korsgaard
2023-09-22 19:07 ` [Buildroot] [PATCH 1/2] package/libcoap: fix CVE-2023-30362 Arnout Vandecappelle via buildroot
2023-09-26 6:10 ` Peter Korsgaard
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox