diff options
Diffstat (limited to 'gnu/packages')
-rw-r--r-- | gnu/packages/connman.scm | 5 | ||||
-rw-r--r-- | gnu/packages/patches/connman-CVE-2021-33833.patch | 74 |
2 files changed, 77 insertions, 2 deletions
diff --git a/gnu/packages/connman.scm b/gnu/packages/connman.scm index e6d97db0fd..74db5fc919 100644 --- a/gnu/packages/connman.scm +++ b/gnu/packages/connman.scm @@ -50,8 +50,9 @@ (method url-fetch) (uri (string-append "mirror://kernel.org/linux/network/connman/" "connman-" version ".tar.xz")) - (sha256 - (base32 "1wqs307vjphhh73qbqk25zxhhqwn1mdk6bpzl5qcd4blkcbafqlz")))) + (patches (search-patches "connman-CVE-2021-33833.patch")) + (sha256 + (base32 "1wqs307vjphhh73qbqk25zxhhqwn1mdk6bpzl5qcd4blkcbafqlz")))) (build-system gnu-build-system) (arguments `(#:configure-flags diff --git a/gnu/packages/patches/connman-CVE-2021-33833.patch b/gnu/packages/patches/connman-CVE-2021-33833.patch new file mode 100644 index 0000000000..3e1a19d961 --- /dev/null +++ b/gnu/packages/patches/connman-CVE-2021-33833.patch @@ -0,0 +1,74 @@ +Fix CVE-2021-33833: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33833 + +Patch copied from upstream source repository: + +https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=eceb2e8d2341c041df55a5e2f047d9a8c491463c + +From eceb2e8d2341c041df55a5e2f047d9a8c491463c Mon Sep 17 00:00:00 2001 +From: Valery Kashcheev <v.kascheev@omp.ru> +Date: Mon, 7 Jun 2021 18:58:24 +0200 +Subject: [PATCH] dnsproxy: Check the length of buffers before memcpy + +Fix using a stack-based buffer overflow attack by checking the length of +the ptr and uptr buffers. + +Fix debug message output. + +Fixes: CVE-2021-33833 +--- + src/dnsproxy.c | 20 +++++++++++--------- + 1 file changed, 11 insertions(+), 9 deletions(-) + +diff --git a/src/dnsproxy.c b/src/dnsproxy.c +index de52df5a..38dbdd71 100644 +--- a/src/dnsproxy.c ++++ b/src/dnsproxy.c +@@ -1788,17 +1788,15 @@ static char *uncompress(int16_t field_count, char *start, char *end, + * tmp buffer. + */ + +- debug("pos %d ulen %d left %d name %s", pos, ulen, +- (int)(uncomp_len - (uptr - uncompressed)), uptr); +- +- ulen = strlen(name); +- if ((uptr + ulen + 1) > uncomp_end) { ++ ulen = strlen(name) + 1; ++ if ((uptr + ulen) > uncomp_end) + goto out; +- } +- strncpy(uptr, name, uncomp_len - (uptr - uncompressed)); ++ strncpy(uptr, name, ulen); ++ ++ debug("pos %d ulen %d left %d name %s", pos, ulen, ++ (int)(uncomp_end - (uptr + ulen)), uptr); + + uptr += ulen; +- *uptr++ = '\0'; + + ptr += pos; + +@@ -1841,7 +1839,7 @@ static char *uncompress(int16_t field_count, char *start, char *end, + } else if (dns_type == ns_t_a || dns_type == ns_t_aaaa) { + dlen = uptr[-2] << 8 | uptr[-1]; + +- if (ptr + dlen > end) { ++ if ((ptr + dlen) > end || (uptr + dlen) > uncomp_end) { + debug("data len %d too long", dlen); + goto out; + } +@@ -1880,6 +1878,10 @@ static char *uncompress(int16_t field_count, char *start, char *end, + * refresh interval, retry interval, expiration + * limit and minimum ttl). They are 20 bytes long. + */ ++ if ((uptr + 20) > uncomp_end || (ptr + 20) > end) { ++ debug("soa record too long"); ++ goto out; ++ } + memcpy(uptr, ptr, 20); + uptr += 20; + ptr += 20; +-- +2.32.0 + |