guix-commits
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

branch master updated: gnu: connman: Fix CVE-2021-33833.

From: guix-commits
Subject: branch master updated: gnu: connman: Fix CVE-2021-33833.
Date: Sun, 13 Jun 2021 14:45:37 -0400 
This is an automated email from the git hooks/post-receive script.

lfam pushed a commit to branch master
in repository guix.

The following commit(s) were added to refs/heads/master by this push:
     new ee48e78  gnu: connman: Fix CVE-2021-33833.
ee48e78 is described below

commit ee48e784b9c5f77338224114fd1e27a1a63103aa
Author: Leo Famulari <leo@famulari.name>
AuthorDate: Sun Jun 13 14:44:16 2021 -0400

    gnu: connman: Fix CVE-2021-33833.
    
    * gnu/packages/patches/connman-CVE-2021-33833.patch: New file.
    * gnu/local.mk (dist_patch_DATA): Add it.
    * gnu/packages/connman.scm (connman)[source]: Use it.
---
 gnu/local.mk                                      |  1 +
 gnu/packages/connman.scm                          |  5 +-
 gnu/packages/patches/connman-CVE-2021-33833.patch | 74 +++++++++++++++++++++++
 3 files changed, 78 insertions(+), 2 deletions(-)

diff --git a/gnu/local.mk b/gnu/local.mk
index 94a65ea..fdbf227 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -920,6 +920,7 @@ dist_patch_DATA =                                           
\
   %D%/packages/patches/collectd-5.11.0-noinstallvar.patch              \
   %D%/packages/patches/combinatorial-blas-awpm.patch           \
   %D%/packages/patches/combinatorial-blas-io-fix.patch         \
+  %D%/packages/patches/connman-CVE-2021-33833.patch            \
   %D%/packages/patches/coreutils-ls.patch                      \
   %D%/packages/patches/cpufrequtils-fix-aclocal.patch          \
   %D%/packages/patches/crawl-upgrade-saves.patch               \
diff --git a/gnu/packages/connman.scm b/gnu/packages/connman.scm
index e6d97db..74db5fc 100644
--- a/gnu/packages/connman.scm
+++ b/gnu/packages/connman.scm
@@ -50,8 +50,9 @@
         (method url-fetch)
         (uri (string-append "mirror://kernel.org/linux/network/connman/"
                             "connman-" version ".tar.xz"))
-    (sha256
-     (base32 "1wqs307vjphhh73qbqk25zxhhqwn1mdk6bpzl5qcd4blkcbafqlz"))))
+        (patches (search-patches "connman-CVE-2021-33833.patch"))
+        (sha256
+         (base32 "1wqs307vjphhh73qbqk25zxhhqwn1mdk6bpzl5qcd4blkcbafqlz"))))
     (build-system gnu-build-system)
     (arguments
      `(#:configure-flags
diff --git a/gnu/packages/patches/connman-CVE-2021-33833.patch 
b/gnu/packages/patches/connman-CVE-2021-33833.patch
new file mode 100644
index 0000000..3e1a19d
--- /dev/null
+++ b/gnu/packages/patches/connman-CVE-2021-33833.patch
@@ -0,0 +1,74 @@
+Fix CVE-2021-33833:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33833
+
+Patch copied from upstream source repository:
+
+https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=eceb2e8d2341c041df55a5e2f047d9a8c491463c
+
+From eceb2e8d2341c041df55a5e2f047d9a8c491463c Mon Sep 17 00:00:00 2001
+From: Valery Kashcheev <v.kascheev@omp.ru>
+Date: Mon, 7 Jun 2021 18:58:24 +0200
+Subject: [PATCH] dnsproxy: Check the length of buffers before memcpy
+
+Fix using a stack-based buffer overflow attack by checking the length of
+the ptr and uptr buffers.
+
+Fix debug message output.
+
+Fixes: CVE-2021-33833
+---
+ src/dnsproxy.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/src/dnsproxy.c b/src/dnsproxy.c
+index de52df5a..38dbdd71 100644
+--- a/src/dnsproxy.c
++++ b/src/dnsproxy.c
+@@ -1788,17 +1788,15 @@ static char *uncompress(int16_t field_count, char 
*start, char *end,
+                * tmp buffer.
+                */
+ 
+-              debug("pos %d ulen %d left %d name %s", pos, ulen,
+-                      (int)(uncomp_len - (uptr - uncompressed)), uptr);
+-
+-              ulen = strlen(name);
+-              if ((uptr + ulen + 1) > uncomp_end) {
++              ulen = strlen(name) + 1;
++              if ((uptr + ulen) > uncomp_end)
+                       goto out;
+-              }
+-              strncpy(uptr, name, uncomp_len - (uptr - uncompressed));
++              strncpy(uptr, name, ulen);
++
++              debug("pos %d ulen %d left %d name %s", pos, ulen,
++                      (int)(uncomp_end - (uptr + ulen)), uptr);
+ 
+               uptr += ulen;
+-              *uptr++ = '\0';
+ 
+               ptr += pos;
+ 
+@@ -1841,7 +1839,7 @@ static char *uncompress(int16_t field_count, char 
*start, char *end,
+               } else if (dns_type == ns_t_a || dns_type == ns_t_aaaa) {
+                       dlen = uptr[-2] << 8 | uptr[-1];
+ 
+-                      if (ptr + dlen > end) {
++                      if ((ptr + dlen) > end || (uptr + dlen) > uncomp_end) {
+                               debug("data len %d too long", dlen);
+                               goto out;
+                       }
+@@ -1880,6 +1878,10 @@ static char *uncompress(int16_t field_count, char 
*start, char *end,
+                        * refresh interval, retry interval, expiration
+                        * limit and minimum ttl). They are 20 bytes long.
+                        */
++                      if ((uptr + 20) > uncomp_end || (ptr + 20) > end) {
++                              debug("soa record too long");
++                              goto out;
++                      }
+                       memcpy(uptr, ptr, 20);
+                       uptr += 20;
+                       ptr += 20;
+-- 
+2.32.0
+
reply via email to
[Prev in Thread] Current Thread [Next in Thread]