diff options
| -rw-r--r-- | gnu/local.mk | 1 | ||||
| -rw-r--r-- | gnu/packages/connman.scm | 7 | ||||
| -rw-r--r-- | gnu/packages/patches/connman-CVE-2021-33833.patch | 74 |
3 files changed, 4 insertions, 78 deletions
diff --git a/gnu/local.mk b/gnu/local.mk index 509970f044..f507fe566f 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -924,7 +924,6 @@ dist_patch_DATA = \ %D%/packages/patches/collectd-5.11.0-noinstallvar.patch \ %D%/packages/patches/combinatorial-blas-awpm.patch \ %D%/packages/patches/combinatorial-blas-io-fix.patch \ - %D%/packages/patches/connman-CVE-2021-33833.patch \ %D%/packages/patches/coreutils-ls.patch \ %D%/packages/patches/cpufrequtils-fix-aclocal.patch \ %D%/packages/patches/crawl-upgrade-saves.patch \ diff --git a/gnu/packages/connman.scm b/gnu/packages/connman.scm index ac3e7422e8..7268af4c8b 100644 --- a/gnu/packages/connman.scm +++ b/gnu/packages/connman.scm @@ -28,6 +28,7 @@ #:use-module (guix utils) #:use-module (gnu packages) #:use-module (gnu packages admin) + #:use-module (gnu packages compression) #:use-module (gnu packages enlightenment) #:use-module (gnu packages glib) #:use-module (gnu packages linux) @@ -44,15 +45,14 @@ (define-public connman (package (name "connman") - (version "1.39") + (version "1.40") (source (origin (method url-fetch) (uri (string-append "mirror://kernel.org/linux/network/connman/" "connman-" version ".tar.xz")) - (patches (search-patches "connman-CVE-2021-33833.patch")) (sha256 - (base32 "1wqs307vjphhh73qbqk25zxhhqwn1mdk6bpzl5qcd4blkcbafqlz")))) + (base32 "04nbxpaxykncp65fyh4lk778vn9145fbxhxa8hbkmailw9yawmqs")))) (build-system gnu-build-system) (arguments `(#:configure-flags @@ -76,6 +76,7 @@ ("gnutls" ,gnutls) ("iptables" ,iptables) ("libmnl" ,libmnl) + ("lz4" ,lz4) ; required by openconnect.pc ("readline" ,readline) ;; These inputs are needed for connman to include the interface to ;; these technologies so IF they are installed they can be used. diff --git a/gnu/packages/patches/connman-CVE-2021-33833.patch b/gnu/packages/patches/connman-CVE-2021-33833.patch deleted file mode 100644 index 3e1a19d961..0000000000 --- a/gnu/packages/patches/connman-CVE-2021-33833.patch +++ /dev/null @@ -1,74 +0,0 @@ -Fix CVE-2021-33833: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33833 - -Patch copied from upstream source repository: - -https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=eceb2e8d2341c041df55a5e2f047d9a8c491463c - -From eceb2e8d2341c041df55a5e2f047d9a8c491463c Mon Sep 17 00:00:00 2001 -From: Valery Kashcheev <v.kascheev@omp.ru> -Date: Mon, 7 Jun 2021 18:58:24 +0200 -Subject: [PATCH] dnsproxy: Check the length of buffers before memcpy - -Fix using a stack-based buffer overflow attack by checking the length of -the ptr and uptr buffers. - -Fix debug message output. - -Fixes: CVE-2021-33833 ---- - src/dnsproxy.c | 20 +++++++++++--------- - 1 file changed, 11 insertions(+), 9 deletions(-) - -diff --git a/src/dnsproxy.c b/src/dnsproxy.c -index de52df5a..38dbdd71 100644 ---- a/src/dnsproxy.c -+++ b/src/dnsproxy.c -@@ -1788,17 +1788,15 @@ static char *uncompress(int16_t field_count, char *start, char *end, - * tmp buffer. - */ - -- debug("pos %d ulen %d left %d name %s", pos, ulen, -- (int)(uncomp_len - (uptr - uncompressed)), uptr); -- -- ulen = strlen(name); -- if ((uptr + ulen + 1) > uncomp_end) { -+ ulen = strlen(name) + 1; -+ if ((uptr + ulen) > uncomp_end) - goto out; -- } -- strncpy(uptr, name, uncomp_len - (uptr - uncompressed)); -+ strncpy(uptr, name, ulen); -+ -+ debug("pos %d ulen %d left %d name %s", pos, ulen, -+ (int)(uncomp_end - (uptr + ulen)), uptr); - - uptr += ulen; -- *uptr++ = '\0'; - - ptr += pos; - -@@ -1841,7 +1839,7 @@ static char *uncompress(int16_t field_count, char *start, char *end, - } else if (dns_type == ns_t_a || dns_type == ns_t_aaaa) { - dlen = uptr[-2] << 8 | uptr[-1]; - -- if (ptr + dlen > end) { -+ if ((ptr + dlen) > end || (uptr + dlen) > uncomp_end) { - debug("data len %d too long", dlen); - goto out; - } -@@ -1880,6 +1878,10 @@ static char *uncompress(int16_t field_count, char *start, char *end, - * refresh interval, retry interval, expiration - * limit and minimum ttl). They are 20 bytes long. - */ -+ if ((uptr + 20) > uncomp_end || (ptr + 20) > end) { -+ debug("soa record too long"); -+ goto out; -+ } - memcpy(uptr, ptr, 20); - uptr += 20; - ptr += 20; --- -2.32.0 - |