diff options
| author | Marius Bakke <marius@gnu.org> | 2021-06-19 17:38:47 +0200 |
|---|---|---|
| committer | Marius Bakke <marius@gnu.org> | 2021-06-19 17:38:47 +0200 |
| commit | 6f9a80b331ae41d142a49fbeb94b90ee587b6155 (patch) | |
| tree | 2da042a6ccf5368c73d6e3d54c2ee02a62d284e4 /gnu/packages/patches/connman-CVE-2021-33833.patch | |
| parent | 6500c9a5b364616e38a7e03aa4516fc2d7cee876 (diff) | |
| parent | dece03e2b98fc1c2428c2448ce5792f813eb79bf (diff) | |
| download | guix-patches-6f9a80b331ae41d142a49fbeb94b90ee587b6155.tar guix-patches-6f9a80b331ae41d142a49fbeb94b90ee587b6155.tar.gz | |
Merge branch 'master' into core-updates
Note: this merge actually changes the 'curl' and 'python-attrs' derivations,
as part of solving caf4a7a2770ef4d05a6e18f40d602e51da749ddc and
12964df69a99de6190422c752fef65ef813f3b6b respectively.
4604d43c0e (gnu: gnutls@3.6.16: Fix cross-compilation.) was ignored because it
cannot currently be tested.
Conflicts:
gnu/local.mk
gnu/packages/aidc.scm
gnu/packages/boost.scm
gnu/packages/curl.scm
gnu/packages/nettle.scm
gnu/packages/networking.scm
gnu/packages/python-xyz.scm
gnu/packages/tls.scm
Diffstat (limited to 'gnu/packages/patches/connman-CVE-2021-33833.patch')
| -rw-r--r-- | gnu/packages/patches/connman-CVE-2021-33833.patch | 74 |
1 files changed, 74 insertions, 0 deletions
diff --git a/gnu/packages/patches/connman-CVE-2021-33833.patch b/gnu/packages/patches/connman-CVE-2021-33833.patch new file mode 100644 index 0000000000..3e1a19d961 --- /dev/null +++ b/gnu/packages/patches/connman-CVE-2021-33833.patch @@ -0,0 +1,74 @@ +Fix CVE-2021-33833: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33833 + +Patch copied from upstream source repository: + +https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=eceb2e8d2341c041df55a5e2f047d9a8c491463c + +From eceb2e8d2341c041df55a5e2f047d9a8c491463c Mon Sep 17 00:00:00 2001 +From: Valery Kashcheev <v.kascheev@omp.ru> +Date: Mon, 7 Jun 2021 18:58:24 +0200 +Subject: [PATCH] dnsproxy: Check the length of buffers before memcpy + +Fix using a stack-based buffer overflow attack by checking the length of +the ptr and uptr buffers. + +Fix debug message output. + +Fixes: CVE-2021-33833 +--- + src/dnsproxy.c | 20 +++++++++++--------- + 1 file changed, 11 insertions(+), 9 deletions(-) + +diff --git a/src/dnsproxy.c b/src/dnsproxy.c +index de52df5a..38dbdd71 100644 +--- a/src/dnsproxy.c ++++ b/src/dnsproxy.c +@@ -1788,17 +1788,15 @@ static char *uncompress(int16_t field_count, char *start, char *end, + * tmp buffer. + */ + +- debug("pos %d ulen %d left %d name %s", pos, ulen, +- (int)(uncomp_len - (uptr - uncompressed)), uptr); +- +- ulen = strlen(name); +- if ((uptr + ulen + 1) > uncomp_end) { ++ ulen = strlen(name) + 1; ++ if ((uptr + ulen) > uncomp_end) + goto out; +- } +- strncpy(uptr, name, uncomp_len - (uptr - uncompressed)); ++ strncpy(uptr, name, ulen); ++ ++ debug("pos %d ulen %d left %d name %s", pos, ulen, ++ (int)(uncomp_end - (uptr + ulen)), uptr); + + uptr += ulen; +- *uptr++ = '\0'; + + ptr += pos; + +@@ -1841,7 +1839,7 @@ static char *uncompress(int16_t field_count, char *start, char *end, + } else if (dns_type == ns_t_a || dns_type == ns_t_aaaa) { + dlen = uptr[-2] << 8 | uptr[-1]; + +- if (ptr + dlen > end) { ++ if ((ptr + dlen) > end || (uptr + dlen) > uncomp_end) { + debug("data len %d too long", dlen); + goto out; + } +@@ -1880,6 +1878,10 @@ static char *uncompress(int16_t field_count, char *start, char *end, + * refresh interval, retry interval, expiration + * limit and minimum ttl). They are 20 bytes long. + */ ++ if ((uptr + 20) > uncomp_end || (ptr + 20) > end) { ++ debug("soa record too long"); ++ goto out; ++ } + memcpy(uptr, ptr, 20); + uptr += 20; + ptr += 20; +-- +2.32.0 + |