* [Buildroot] [PATCH 1/1] package/rabbitmq-c: fix CVE-2023-35789
@ 2023-10-28 19:41 Fabrice Fontaine
2023-10-30 19:03 ` Peter Korsgaard
0 siblings, 1 reply; 2+ messages in thread
From: Fabrice Fontaine @ 2023-10-28 19:41 UTC (permalink / raw)
To: buildroot; +Cc: Fabrice Fontaine, Joris Lijssens
An issue was discovered in the C AMQP client library (aka rabbitmq-c)
through 0.13.0 for RabbitMQ. Credentials can only be entered on the
command line (e.g., for amqp-publish or amqp-consume) and are thus
visible to local attackers by listing a process and its arguments.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
...-to-read-username-password-from-file.patch | 130 ++++++++++++++++++
package/rabbitmq-c/rabbitmq-c.mk | 3 +
2 files changed, 133 insertions(+)
create mode 100644 package/rabbitmq-c/0001-Add-option-to-read-username-password-from-file.patch
diff --git a/package/rabbitmq-c/0001-Add-option-to-read-username-password-from-file.patch b/package/rabbitmq-c/0001-Add-option-to-read-username-password-from-file.patch
new file mode 100644
index 0000000000..347063cfb3
--- /dev/null
+++ b/package/rabbitmq-c/0001-Add-option-to-read-username-password-from-file.patch
@@ -0,0 +1,130 @@
+From 463054383fbeef889b409a7f843df5365288e2a0 Mon Sep 17 00:00:00 2001
+From: Christian Kastner <ckk@kvr.at>
+Date: Tue, 13 Jun 2023 14:21:52 +0200
+Subject: [PATCH] Add option to read username/password from file (#781)
+
+* Add option to read username/password from file
+
+Upstream: https://github.com/alanxz/rabbitmq-c/commit/463054383fbeef889b409a7f843df5365288e2a0
+Signed-off-by: Fabrice Fontaine <fontaine.fabrce@gmail.com>
+---
+ tools/common.c | 66 ++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 66 insertions(+)
+
+diff --git a/tools/common.c b/tools/common.c
+index 73b47e25..7efe557b 100644
+--- a/tools/common.c
++++ b/tools/common.c
+@@ -18,6 +18,11 @@
+ #include "compat.h"
+ #endif
+
++/* For when reading auth data from a file */
++#define MAXAUTHTOKENLEN 128
++#define USERNAMEPREFIX "username:"
++#define PASSWORDPREFIX "password:"
++
+ void die(const char *fmt, ...) {
+ va_list ap;
+ va_start(ap, fmt);
+@@ -125,6 +130,7 @@ static char *amqp_vhost;
+ static char *amqp_username;
+ static char *amqp_password;
+ static int amqp_heartbeat = 0;
++static char *amqp_authfile;
+ #ifdef WITH_SSL
+ static int amqp_ssl = 0;
+ static char *amqp_cacert = "/etc/ssl/certs/cacert.pem";
+@@ -147,6 +153,8 @@ struct poptOption connect_options[] = {
+ "the password to login with", "password"},
+ {"heartbeat", 0, POPT_ARG_INT, &amqp_heartbeat, 0,
+ "heartbeat interval, set to 0 to disable", "heartbeat"},
++ {"authfile", 0, POPT_ARG_STRING, &amqp_authfile, 0,
++ "path to file containing username/password for authentication", "file"},
+ #ifdef WITH_SSL
+ {"ssl", 0, POPT_ARG_NONE, &amqp_ssl, 0, "connect over SSL/TLS", NULL},
+ {"cacert", 0, POPT_ARG_STRING, &amqp_cacert, 0,
+@@ -158,6 +166,50 @@ struct poptOption connect_options[] = {
+ #endif /* WITH_SSL */
+ {NULL, '\0', 0, NULL, 0, NULL, NULL}};
+
++void read_authfile(const char *path) {
++ size_t n;
++ FILE *fp = NULL;
++ char token[MAXAUTHTOKENLEN];
++
++ if ((amqp_username = malloc(MAXAUTHTOKENLEN)) == NULL ||
++ (amqp_password = malloc(MAXAUTHTOKENLEN)) == NULL) {
++ die("Out of memory");
++ } else if ((fp = fopen(path, "r")) == NULL) {
++ die("Could not read auth data file %s", path);
++ }
++
++ if (fgets(token, MAXAUTHTOKENLEN, fp) == NULL ||
++ strncmp(token, USERNAMEPREFIX, strlen(USERNAMEPREFIX))) {
++ die("Malformed auth file (missing username)");
++ }
++ strncpy(amqp_username, &token[strlen(USERNAMEPREFIX)], MAXAUTHTOKENLEN);
++ /* Missing newline means token was cut off */
++ n = strlen(amqp_username);
++ if (amqp_username[n - 1] != '\n') {
++ die("Username too long");
++ } else {
++ amqp_username[n - 1] = '\0';
++ }
++
++ if (fgets(token, MAXAUTHTOKENLEN, fp) == NULL ||
++ strncmp(token, PASSWORDPREFIX, strlen(PASSWORDPREFIX))) {
++ die("Malformed auth file (missing password)");
++ }
++ strncpy(amqp_password, &token[strlen(PASSWORDPREFIX)], MAXAUTHTOKENLEN);
++ /* Missing newline means token was cut off */
++ n = strlen(amqp_password);
++ if (amqp_password[n - 1] != '\n') {
++ die("Password too long");
++ } else {
++ amqp_password[n - 1] = '\0';
++ }
++
++ (void)fgetc(fp);
++ if (!feof(fp)) {
++ die("Malformed auth file (trailing data)");
++ }
++}
++
+ static void init_connection_info(struct amqp_connection_info *ci) {
+ ci->user = NULL;
+ ci->password = NULL;
+@@ -237,6 +289,8 @@ static void init_connection_info(struct amqp_connection_info *ci) {
+ if (amqp_username) {
+ if (amqp_url) {
+ die("--username and --url options cannot be used at the same time");
++ } else if (amqp_authfile) {
++ die("--username and --authfile options cannot be used at the same time");
+ }
+
+ ci->user = amqp_username;
+@@ -245,11 +299,23 @@ static void init_connection_info(struct amqp_connection_info *ci) {
+ if (amqp_password) {
+ if (amqp_url) {
+ die("--password and --url options cannot be used at the same time");
++ } else if (amqp_authfile) {
++ die("--password and --authfile options cannot be used at the same time");
+ }
+
+ ci->password = amqp_password;
+ }
+
++ if (amqp_authfile) {
++ if (amqp_url) {
++ die("--authfile and --url options cannot be used at the same time");
++ }
++
++ read_authfile(amqp_authfile);
++ ci->user = amqp_username;
++ ci->password = amqp_password;
++ }
++
+ if (amqp_vhost) {
+ if (amqp_url) {
+ die("--vhost and --url options cannot be used at the same time");
diff --git a/package/rabbitmq-c/rabbitmq-c.mk b/package/rabbitmq-c/rabbitmq-c.mk
index 18ecaa3098..fad6655e4e 100644
--- a/package/rabbitmq-c/rabbitmq-c.mk
+++ b/package/rabbitmq-c/rabbitmq-c.mk
@@ -14,6 +14,9 @@ RABBITMQ_C_CONF_OPTS = \
-DBUILD_API_DOCS=OFF \
-DBUILD_TOOLS_DOCS=OFF
+# 0001-Add-option-to-read-username-password-from-file.patch
+RABBITMQ_C_IGNORE_CVES += CVE-2023-35789
+
# BUILD_SHARED_LIBS is handled in pkg-cmake.mk as it is a generic cmake variable
ifeq ($(BR2_SHARED_STATIC_LIBS),y)
RABBITMQ_C_CONF_OPTS += -DBUILD_STATIC_LIBS=ON
--
2.42.0
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [Buildroot] [PATCH 1/1] package/rabbitmq-c: fix CVE-2023-35789
2023-10-28 19:41 [Buildroot] [PATCH 1/1] package/rabbitmq-c: fix CVE-2023-35789 Fabrice Fontaine
@ 2023-10-30 19:03 ` Peter Korsgaard
0 siblings, 0 replies; 2+ messages in thread
From: Peter Korsgaard @ 2023-10-30 19:03 UTC (permalink / raw)
To: Fabrice Fontaine; +Cc: Joris Lijssens, buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> An issue was discovered in the C AMQP client library (aka rabbitmq-c)
> through 0.13.0 for RabbitMQ. Credentials can only be entered on the
> command line (e.g., for amqp-publish or amqp-consume) and are thus
> visible to local attackers by listing a process and its arguments.
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Committed to 2023.02.x and 2023.08.x, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2023-10-30 19:03 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-10-28 19:41 [Buildroot] [PATCH 1/1] package/rabbitmq-c: fix CVE-2023-35789 Fabrice Fontaine
2023-10-30 19:03 ` Peter Korsgaard
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox