[oe-core][PATCH 4/5] avahi: fix CVE-2023-38472

[oe-core][PATCH 4/5] avahi: fix CVE-2023-38472

[mgupta1]

From: Meenali Gupta <meenali.gupta@windriver.com>

A vulnerability was found in Avahi. A reachable assertion exists
in the avahi_rdata_parse() function.

Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
---
 meta/recipes-connectivity/avahi/avahi_0.8.bb  |  1 +
 .../avahi/files/CVE-2023-38472.patch          | 46 +++++++++++++++++++
 2 files changed, 47 insertions(+)
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch

diff --git a/meta/recipes-connectivity/avahi/avahi_0.8.bb b/meta/recipes-connectivity/avahi/avahi_0.8.bb
index 9c903d6868..84eb1c554d 100644
--- a/meta/recipes-connectivity/avahi/avahi_0.8.bb
+++ b/meta/recipes-connectivity/avahi/avahi_0.8.bb
@@ -29,6 +29,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/avahi-${PV}.tar.gz \
            file://CVE-2023-38469.patch \
            file://CVE-2023-38470.patch \
            file://CVE-2023-38471.patch \
+           file://CVE-2023-38472.patch \
            "
 
 GITHUB_BASE_URI = "https://github.com/lathiat/avahi/releases/"
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch
new file mode 100644
index 0000000000..a1de8e2a5a
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch
@@ -0,0 +1,46 @@
+From 8cf606779dc356768afc6b70e53f2808a9655143 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar <msekleta@redhat.com>
+Date: Thu, 19 Oct 2023 17:36:44 +0200
+Subject: [PATCH] avahi: core: make sure there is rdata to process before
+ parsing it
+
+Fixes #452
+
+Upstream-Status: Backport [https://github.com/lathiat/avahi/commit/b024ae5749f4aeba03478e6391687c3c9c8dee40]
+CVE: CVE-2023-38472
+
+Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
+---
+ avahi-client/client-test.c      | 3 +++
+ avahi-daemon/dbus-entry-group.c | 2 +-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/avahi-client/client-test.c b/avahi-client/client-test.c
+index 7d04a6a..57750a4 100644
+--- a/avahi-client/client-test.c
++++ b/avahi-client/client-test.c
+@@ -258,6 +258,9 @@ int main (AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) {
+     printf("%s\n", avahi_strerror(avahi_entry_group_add_service (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "Lathiat's Site", "_http._tcp", NULL, NULL, 80, "foo=bar", NULL)));
+     printf("add_record: %d\n", avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "\5booya", 6));
+
++    error = avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "", 0);
++    assert(error != AVAHI_OK);
++
+     avahi_entry_group_commit (group);
+
+     domain = avahi_domain_browser_new (avahi, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, NULL, AVAHI_DOMAIN_BROWSER_BROWSE, 0, avahi_domain_browser_callback, (char*) "omghai3u");
+diff --git a/avahi-daemon/dbus-entry-group.c b/avahi-daemon/dbus-entry-group.c
+index 4e879a5..aa23d4b 100644
+--- a/avahi-daemon/dbus-entry-group.c
++++ b/avahi-daemon/dbus-entry-group.c
+@@ -340,7 +340,7 @@ DBusHandlerResult avahi_dbus_msg_entry_group_impl(DBusConnection *c, DBusMessage
+         if (!(r = avahi_record_new_full (name, clazz, type, ttl)))
+             return avahi_dbus_respond_error(c, m, AVAHI_ERR_NO_MEMORY, NULL);
+
+-        if (avahi_rdata_parse (r, rdata, size) < 0) {
++        if (!rdata || avahi_rdata_parse (r, rdata, size) < 0) {
+             avahi_record_unref (r);
+             return avahi_dbus_respond_error(c, m, AVAHI_ERR_INVALID_RDATA, NULL);
+         }
+--
+2.40.0
-- 
2.40.0

Re: [oe-core][PATCH 4/5] avahi: fix CVE-2023-38472

[Alexandre Belloni]

Please version properly your patches, this should have been v2.

Also please resend the whole series because now, I have to go and
cherry-pick patches from v1 because 5/5 doesn't apply standalone.

You hsould not push this work on the maintainers.

On 16/11/2023 11:44:50+0000, Meenali Gupta via lists.openembedded.org wrote:
> From: Meenali Gupta <meenali.gupta@windriver.com>
> 
> A vulnerability was found in Avahi. A reachable assertion exists
> in the avahi_rdata_parse() function.
> 
> Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
> ---
>  meta/recipes-connectivity/avahi/avahi_0.8.bb  |  1 +
>  .../avahi/files/CVE-2023-38472.patch          | 46 +++++++++++++++++++
>  2 files changed, 47 insertions(+)
>  create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch
> 
> diff --git a/meta/recipes-connectivity/avahi/avahi_0.8.bb b/meta/recipes-connectivity/avahi/avahi_0.8.bb
> index 9c903d6868..84eb1c554d 100644
> --- a/meta/recipes-connectivity/avahi/avahi_0.8.bb
> +++ b/meta/recipes-connectivity/avahi/avahi_0.8.bb
> @@ -29,6 +29,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/avahi-${PV}.tar.gz \
>             file://CVE-2023-38469.patch \
>             file://CVE-2023-38470.patch \
>             file://CVE-2023-38471.patch \
> +           file://CVE-2023-38472.patch \
>             "
>  
>  GITHUB_BASE_URI = "https://github.com/lathiat/avahi/releases/"
> diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch
> new file mode 100644
> index 0000000000..a1de8e2a5a
> --- /dev/null
> +++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch
> @@ -0,0 +1,46 @@
> +From 8cf606779dc356768afc6b70e53f2808a9655143 Mon Sep 17 00:00:00 2001
> +From: Michal Sekletar <msekleta@redhat.com>
> +Date: Thu, 19 Oct 2023 17:36:44 +0200
> +Subject: [PATCH] avahi: core: make sure there is rdata to process before
> + parsing it
> +
> +Fixes #452
> +
> +Upstream-Status: Backport [https://github.com/lathiat/avahi/commit/b024ae5749f4aeba03478e6391687c3c9c8dee40]
> +CVE: CVE-2023-38472
> +
> +Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
> +---
> + avahi-client/client-test.c      | 3 +++
> + avahi-daemon/dbus-entry-group.c | 2 +-
> + 2 files changed, 4 insertions(+), 1 deletion(-)
> +
> +diff --git a/avahi-client/client-test.c b/avahi-client/client-test.c
> +index 7d04a6a..57750a4 100644
> +--- a/avahi-client/client-test.c
> ++++ b/avahi-client/client-test.c
> +@@ -258,6 +258,9 @@ int main (AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) {
> +     printf("%s\n", avahi_strerror(avahi_entry_group_add_service (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "Lathiat's Site", "_http._tcp", NULL, NULL, 80, "foo=bar", NULL)));
> +     printf("add_record: %d\n", avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "\5booya", 6));
> +
> ++    error = avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "", 0);
> ++    assert(error != AVAHI_OK);
> ++
> +     avahi_entry_group_commit (group);
> +
> +     domain = avahi_domain_browser_new (avahi, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, NULL, AVAHI_DOMAIN_BROWSER_BROWSE, 0, avahi_domain_browser_callback, (char*) "omghai3u");
> +diff --git a/avahi-daemon/dbus-entry-group.c b/avahi-daemon/dbus-entry-group.c
> +index 4e879a5..aa23d4b 100644
> +--- a/avahi-daemon/dbus-entry-group.c
> ++++ b/avahi-daemon/dbus-entry-group.c
> +@@ -340,7 +340,7 @@ DBusHandlerResult avahi_dbus_msg_entry_group_impl(DBusConnection *c, DBusMessage
> +         if (!(r = avahi_record_new_full (name, clazz, type, ttl)))
> +             return avahi_dbus_respond_error(c, m, AVAHI_ERR_NO_MEMORY, NULL);
> +
> +-        if (avahi_rdata_parse (r, rdata, size) < 0) {
> ++        if (!rdata || avahi_rdata_parse (r, rdata, size) < 0) {
> +             avahi_record_unref (r);
> +             return avahi_dbus_respond_error(c, m, AVAHI_ERR_INVALID_RDATA, NULL);
> +         }
> +--
> +2.40.0
> -- 
> 2.40.0
> 

> 
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#190784): https://lists.openembedded.org/g/openembedded-core/message/190784
> Mute This Topic: https://lists.openembedded.org/mt/102625030/3617179
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [alexandre.belloni@bootlin.com]
> -=-=-=-=-=-=-=-=-=-=-=-
> 


-- 
Alexandre Belloni, co-owner and COO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

Re: [oe-core][PATCH 4/5] avahi: fix CVE-2023-38472

[Gupta, Meenali]

[-- Attachment #1: Type: text/plain, Size: 5314 bytes --]

Hi Alexandre,

Understood your point, will abide by your request.

Regards
Meenali
________________________________
From: Alexandre Belloni <alexandre.belloni@bootlin.com>
Sent: 16 November 2023 22:02
To: Gupta, Meenali <Meenali.Gupta@windriver.com>
Cc: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org>
Subject: Re: [oe-core][PATCH 4/5] avahi: fix CVE-2023-38472

CAUTION: This email comes from a non Wind River email account!
Do not click links or open attachments unless you recognize the sender and know the content is safe.

Please version properly your patches, this should have been v2.

Also please resend the whole series because now, I have to go and
cherry-pick patches from v1 because 5/5 doesn't apply standalone.

You hsould not push this work on the maintainers.

On 16/11/2023 11:44:50+0000, Meenali Gupta via lists.openembedded.org wrote:
> From: Meenali Gupta <meenali.gupta@windriver.com>
>
> A vulnerability was found in Avahi. A reachable assertion exists
> in the avahi_rdata_parse() function.
>
> Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
> ---
>  meta/recipes-connectivity/avahi/avahi_0.8.bb  |  1 +
>  .../avahi/files/CVE-2023-38472.patch          | 46 +++++++++++++++++++
>  2 files changed, 47 insertions(+)
>  create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch
>
> diff --git a/meta/recipes-connectivity/avahi/avahi_0.8.bb b/meta/recipes-connectivity/avahi/avahi_0.8.bb
> index 9c903d6868..84eb1c554d 100644
> --- a/meta/recipes-connectivity/avahi/avahi_0.8.bb
> +++ b/meta/recipes-connectivity/avahi/avahi_0.8.bb
> @@ -29,6 +29,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/avahi-${PV}.tar.gz \
>             file://CVE-2023-38469.patch \
>             file://CVE-2023-38470.patch \
>             file://CVE-2023-38471.patch \
> +           file://CVE-2023-38472.patch \
>             "
>
>  GITHUB_BASE_URI = "https://github.com/lathiat/avahi/releases/"
> diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch
> new file mode 100644
> index 0000000000..a1de8e2a5a
> --- /dev/null
> +++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch
> @@ -0,0 +1,46 @@
> +From 8cf606779dc356768afc6b70e53f2808a9655143 Mon Sep 17 00:00:00 2001
> +From: Michal Sekletar <msekleta@redhat.com>
> +Date: Thu, 19 Oct 2023 17:36:44 +0200
> +Subject: [PATCH] avahi: core: make sure there is rdata to process before
> + parsing it
> +
> +Fixes #452
> +
> +Upstream-Status: Backport [https://github.com/lathiat/avahi/commit/b024ae5749f4aeba03478e6391687c3c9c8dee40]
> +CVE: CVE-2023-38472
> +
> +Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
> +---
> + avahi-client/client-test.c      | 3 +++
> + avahi-daemon/dbus-entry-group.c | 2 +-
> + 2 files changed, 4 insertions(+), 1 deletion(-)
> +
> +diff --git a/avahi-client/client-test.c b/avahi-client/client-test.c
> +index 7d04a6a..57750a4 100644
> +--- a/avahi-client/client-test.c
> ++++ b/avahi-client/client-test.c
> +@@ -258,6 +258,9 @@ int main (AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) {
> +     printf("%s\n", avahi_strerror(avahi_entry_group_add_service (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "Lathiat's Site", "_http._tcp", NULL, NULL, 80, "foo=bar", NULL)));
> +     printf("add_record: %d\n", avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "\5booya", 6));
> +
> ++    error = avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "", 0);
> ++    assert(error != AVAHI_OK);
> ++
> +     avahi_entry_group_commit (group);
> +
> +     domain = avahi_domain_browser_new (avahi, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, NULL, AVAHI_DOMAIN_BROWSER_BROWSE, 0, avahi_domain_browser_callback, (char*) "omghai3u");
> +diff --git a/avahi-daemon/dbus-entry-group.c b/avahi-daemon/dbus-entry-group.c
> +index 4e879a5..aa23d4b 100644
> +--- a/avahi-daemon/dbus-entry-group.c
> ++++ b/avahi-daemon/dbus-entry-group.c
> +@@ -340,7 +340,7 @@ DBusHandlerResult avahi_dbus_msg_entry_group_impl(DBusConnection *c, DBusMessage
> +         if (!(r = avahi_record_new_full (name, clazz, type, ttl)))
> +             return avahi_dbus_respond_error(c, m, AVAHI_ERR_NO_MEMORY, NULL);
> +
> +-        if (avahi_rdata_parse (r, rdata, size) < 0) {
> ++        if (!rdata || avahi_rdata_parse (r, rdata, size) < 0) {
> +             avahi_record_unref (r);
> +             return avahi_dbus_respond_error(c, m, AVAHI_ERR_INVALID_RDATA, NULL);
> +         }
> +--
> +2.40.0
> --
> 2.40.0
>

>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#190784): https://lists.openembedded.org/g/openembedded-core/message/190784
> Mute This Topic: https://lists.openembedded.org/mt/102625030/3617179
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [alexandre.belloni@bootlin.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>


--
Alexandre Belloni, co-owner and COO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

[-- Attachment #2: Type: text/html, Size: 9238 bytes --]

[oe-core][PATCH 4/5] avahi fix CVE-2023-38472

[mgupta1]

From: Meenali Gupta <meenali.gupta@windriver.com>

A vulnerability was found in Avahi. A reachable assertion exists
in the avahi_rdata_parse() function.

Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
---
 meta/recipes-connectivity/avahi/avahi_0.8.bb  |  1 +
 .../avahi/files/CVE-2023-38472.patch          | 46 +++++++++++++++++++
 2 files changed, 47 insertions(+)
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch

diff --git a/meta/recipes-connectivity/avahi/avahi_0.8.bb b/meta/recipes-connectivity/avahi/avahi_0.8.bb
index 9c903d6868..84eb1c554d 100644
--- a/meta/recipes-connectivity/avahi/avahi_0.8.bb
+++ b/meta/recipes-connectivity/avahi/avahi_0.8.bb
@@ -29,6 +29,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/avahi-${PV}.tar.gz \
            file://CVE-2023-38469.patch \
            file://CVE-2023-38470.patch \
            file://CVE-2023-38471.patch \
+           file://CVE-2023-38472.patch \
            "
 
 GITHUB_BASE_URI = "https://github.com/lathiat/avahi/releases/"
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch
new file mode 100644
index 0000000000..a1de8e2a5a
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch
@@ -0,0 +1,46 @@
+From 8cf606779dc356768afc6b70e53f2808a9655143 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar <msekleta@redhat.com>
+Date: Thu, 19 Oct 2023 17:36:44 +0200
+Subject: [PATCH] avahi: core: make sure there is rdata to process before
+ parsing it
+
+Fixes #452
+
+Upstream-Status: Backport [https://github.com/lathiat/avahi/commit/b024ae5749f4aeba03478e6391687c3c9c8dee40]
+CVE: CVE-2023-38472
+
+Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
+---
+ avahi-client/client-test.c      | 3 +++
+ avahi-daemon/dbus-entry-group.c | 2 +-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/avahi-client/client-test.c b/avahi-client/client-test.c
+index 7d04a6a..57750a4 100644
+--- a/avahi-client/client-test.c
++++ b/avahi-client/client-test.c
+@@ -258,6 +258,9 @@ int main (AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) {
+     printf("%s\n", avahi_strerror(avahi_entry_group_add_service (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "Lathiat's Site", "_http._tcp", NULL, NULL, 80, "foo=bar", NULL)));
+     printf("add_record: %d\n", avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "\5booya", 6));
+
++    error = avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "", 0);
++    assert(error != AVAHI_OK);
++
+     avahi_entry_group_commit (group);
+
+     domain = avahi_domain_browser_new (avahi, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, NULL, AVAHI_DOMAIN_BROWSER_BROWSE, 0, avahi_domain_browser_callback, (char*) "omghai3u");
+diff --git a/avahi-daemon/dbus-entry-group.c b/avahi-daemon/dbus-entry-group.c
+index 4e879a5..aa23d4b 100644
+--- a/avahi-daemon/dbus-entry-group.c
++++ b/avahi-daemon/dbus-entry-group.c
+@@ -340,7 +340,7 @@ DBusHandlerResult avahi_dbus_msg_entry_group_impl(DBusConnection *c, DBusMessage
+         if (!(r = avahi_record_new_full (name, clazz, type, ttl)))
+             return avahi_dbus_respond_error(c, m, AVAHI_ERR_NO_MEMORY, NULL);
+
+-        if (avahi_rdata_parse (r, rdata, size) < 0) {
++        if (!rdata || avahi_rdata_parse (r, rdata, size) < 0) {
+             avahi_record_unref (r);
+             return avahi_dbus_respond_error(c, m, AVAHI_ERR_INVALID_RDATA, NULL);
+         }
+--
+2.40.0
-- 
2.40.0