* [dunfell 00/12] Patch review May 30th
@ 2021-05-30 18:34 Armin Kuster
2021-05-30 18:34 ` [dunfell 01/12] exiv2: Fix CVE-2021-29457 Armin Kuster
` (11 more replies)
0 siblings, 12 replies; 13+ messages in thread
From: Armin Kuster @ 2021-05-30 18:34 UTC (permalink / raw
To: openembedded-devel
Please have comments back by Monday. Some have already been posted on the ML.
The following changes since commit 11eae114522a6befa06c7f4021a83bc016133543:
linuxptp: Fix cross build (2021-05-14 10:03:51 -0700)
are available in the Git repository at:
git://git.openembedded.org/meta-openembedded-contrib stable/dunfell-nut
http://cgit.openembedded.org/meta-openembedded-contrib/log/?h=stable/dunfell-nut
Alexander Vickberg (1):
hostapd: fix building with CONFIG_TLS=internal
Mikko Rapeli (1):
ebtables: use bitbake optimization levels
Sana Kazi (1):
dnsmasq: Add fixes for CVEs reported for dnsmasq
akash.hadke (1):
opencv: Add fix for CVE-2019-5063 and CVE-2019-5064
wangmy (8):
exiv2: Fix CVE-2021-29457
exiv2: Fix CVE-2021-29458
exiv2: Fix CVE-2021-29463
exiv2: Fix CVE-2021-3482
exiv2: Fix CVE-2021-29464
exiv2: Fix CVE-2021-29470
exiv2: Fix CVE-2021-29473
libsdl: Fix CVE-2019-13616
.../ebtables_optimizations.patch | 19 +
.../ebtables/ebtables_2.0.10-4.bb | 1 +
.../recipes-support/dnsmasq/dnsmasq_2.81.bb | 7 +-
.../dnsmasq/files/CVE-2020-25681.patch | 370 +++++++++++
.../dnsmasq/files/CVE-2020-25684.patch | 98 +++
.../dnsmasq/files/CVE-2020-25685-1.patch | 587 ++++++++++++++++++
.../dnsmasq/files/CVE-2020-25685-2.patch | 175 ++++++
.../dnsmasq/files/CVE-2020-25686-1.patch | 332 ++++++++++
.../dnsmasq/files/CVE-2020-25686-2.patch | 63 ++
...001-Prepare-for-CVE-2021-30004.patch.patch | 45 ++
.../hostapd/hostapd_2.9.bb | 1 +
.../libsdl/libsdl-1.2.15/CVE-2019-13616.patch | 27 +
.../recipes-graphics/libsdl/libsdl_1.2.15.bb | 1 +
.../exiv2/exiv2/CVE-2021-29457.patch | 26 +
.../exiv2/exiv2/CVE-2021-29458.patch | 37 ++
.../exiv2/exiv2/CVE-2021-29463.patch | 120 ++++
.../exiv2/exiv2/CVE-2021-29464.patch | 72 +++
.../exiv2/exiv2/CVE-2021-29470.patch | 32 +
.../exiv2/exiv2/CVE-2021-29473.patch | 21 +
.../exiv2/exiv2/CVE-2021-3482.patch | 54 ++
meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb | 9 +-
.../opencv/CVE-2019-5063_and_2019-5064.patch | 78 +++
.../recipes-support/opencv/opencv_4.1.0.bb | 1 +
23 files changed, 2174 insertions(+), 2 deletions(-)
create mode 100644 meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/ebtables_optimizations.patch
create mode 100644 meta-networking/recipes-support/dnsmasq/files/CVE-2020-25681.patch
create mode 100644 meta-networking/recipes-support/dnsmasq/files/CVE-2020-25684.patch
create mode 100644 meta-networking/recipes-support/dnsmasq/files/CVE-2020-25685-1.patch
create mode 100644 meta-networking/recipes-support/dnsmasq/files/CVE-2020-25685-2.patch
create mode 100644 meta-networking/recipes-support/dnsmasq/files/CVE-2020-25686-1.patch
create mode 100644 meta-networking/recipes-support/dnsmasq/files/CVE-2020-25686-2.patch
create mode 100644 meta-oe/recipes-connectivity/hostapd/hostapd/0001-Prepare-for-CVE-2021-30004.patch.patch
create mode 100644 meta-oe/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-13616.patch
create mode 100644 meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29457.patch
create mode 100644 meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29458.patch
create mode 100644 meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29463.patch
create mode 100644 meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29464.patch
create mode 100644 meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29470.patch
create mode 100644 meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29473.patch
create mode 100644 meta-oe/recipes-support/exiv2/exiv2/CVE-2021-3482.patch
create mode 100644 meta-oe/recipes-support/opencv/opencv/CVE-2019-5063_and_2019-5064.patch
--
2.17.1
^ permalink raw reply [flat|nested] 13+ messages in thread
* [dunfell 01/12] exiv2: Fix CVE-2021-29457
2021-05-30 18:34 [dunfell 00/12] Patch review May 30th Armin Kuster
@ 2021-05-30 18:34 ` Armin Kuster
2021-05-30 18:34 ` [dunfell 02/12] exiv2: Fix CVE-2021-29458 Armin Kuster
` (10 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: Armin Kuster @ 2021-05-30 18:34 UTC (permalink / raw
To: openembedded-devel
From: wangmy <wangmy@fujitsu.com>
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29457
The heap overflow is triggered when Exiv2 is used to write metadata into a crafted image file.
An attacker could potentially exploit the vulnerability to gain code execution, if they can
trick the victim into running Exiv2 on a crafted image file.
Upstream-Status: Accepted [https://github.com/Exiv2/exiv2/commit/0230620e6ea5e2da0911318e07ce6e66d1ebdf22]
CVE: CVE-2021-29457
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 5be72693096cef671bf54bf1dd6ee8125614d064)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../exiv2/exiv2/CVE-2021-29457.patch | 26 +++++++++++++++++++
meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb | 3 ++-
2 files changed, 28 insertions(+), 1 deletion(-)
create mode 100644 meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29457.patch
diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29457.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29457.patch
new file mode 100644
index 0000000000..e5d069487c
--- /dev/null
+++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29457.patch
@@ -0,0 +1,26 @@
+From 13e5a3e02339b746abcaee6408893ca2fd8e289d Mon Sep 17 00:00:00 2001
+From: Pydera <pydera@mailbox.org>
+Date: Thu, 8 Apr 2021 17:36:16 +0200
+Subject: [PATCH] Fix out of buffer access in #1529
+
+---
+ src/jp2image.cpp | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index 88ab9b2d6..12025f966 100644
+--- a/src/jp2image.cpp
++++ b/src/jp2image.cpp
+@@ -776,9 +776,10 @@ static void boxes_check(size_t b,size_t m)
+ #endif
+ box.length = (uint32_t) (io_->size() - io_->tell() + 8);
+ }
+- if (box.length == 1)
++ if (box.length < 8)
+ {
+- // FIXME. Special case. the real box size is given in another place.
++ // box is broken, so there is nothing we can do here
++ throw Error(kerCorruptedMetadata);
+ }
+
+ // Read whole box : Box header + Box data (not fixed size - can be null).
diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
index ed1e8de5c2..a13db42edd 100644
--- a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
+++ b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
@@ -9,7 +9,8 @@ SRC_URI[sha256sum] = "a79f5613812aa21755d578a297874fb59a85101e793edc64ec2c6bd994
# Once patch is obsolete (project should be aware due to PRs), dos2unix can be removed either
inherit dos2unix
-SRC_URI += "file://0001-Use-compiler-fcf-protection-only-if-compiler-arch-su.patch"
+SRC_URI += "file://0001-Use-compiler-fcf-protection-only-if-compiler-arch-su.patch \
+ file://CVE-2021-29457.patch"
S = "${WORKDIR}/${BPN}-${PV}-Source"
--
2.17.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [dunfell 02/12] exiv2: Fix CVE-2021-29458
2021-05-30 18:34 [dunfell 00/12] Patch review May 30th Armin Kuster
2021-05-30 18:34 ` [dunfell 01/12] exiv2: Fix CVE-2021-29457 Armin Kuster
@ 2021-05-30 18:34 ` Armin Kuster
2021-05-30 18:34 ` [dunfell 03/12] exiv2: Fix CVE-2021-29463 Armin Kuster
` (9 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: Armin Kuster @ 2021-05-30 18:34 UTC (permalink / raw
To: openembedded-devel
From: wangmy <wangmy@fujitsu.com>
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29458
The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file.
An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2,
if they can trick the victim into running Exiv2 on a crafted image file.
Upstream-Status: Accepted [https://github.com/Exiv2/exiv2/pull/1536/commits/06d2db6e5fd2fcca9c060e95fc97f8a5b5d4c22d]
CVE: CVE-2021-29458
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit f0d83c14d9064ce1ee19b92d95c8daf790fe7488)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../exiv2/exiv2/CVE-2021-29458.patch | 37 +++++++++++++++++++
meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb | 3 +-
2 files changed, 39 insertions(+), 1 deletion(-)
create mode 100644 meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29458.patch
diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29458.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29458.patch
new file mode 100644
index 0000000000..285f6fe4ce
--- /dev/null
+++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29458.patch
@@ -0,0 +1,37 @@
+From 9b7a19f957af53304655ed1efe32253a1b11a8d0 Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <kevinbackhouse@github.com>
+Date: Fri, 9 Apr 2021 13:37:48 +0100
+Subject: [PATCH] Fix integer overflow.
+---
+ src/crwimage_int.cpp | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/crwimage_int.cpp b/src/crwimage_int.cpp
+index aefaf22..2e3e507 100644
+--- a/src/crwimage_int.cpp
++++ b/src/crwimage_int.cpp
+@@ -559,7 +559,7 @@ namespace Exiv2 {
+ void CiffComponent::setValue(DataBuf buf)
+ {
+ if (isAllocated_) {
+- delete pData_;
++ delete[] pData_;
+ pData_ = 0;
+ size_ = 0;
+ }
+@@ -1167,7 +1167,11 @@ namespace Exiv2 {
+ pCrwMapping->crwDir_);
+ if (edX != edEnd || edY != edEnd || edO != edEnd) {
+ uint32_t size = 28;
+- if (cc && cc->size() > size) size = cc->size();
++ if (cc) {
++ if (cc->size() < size)
++ throw Error(kerCorruptedMetadata);
++ size = cc->size();
++ }
+ DataBuf buf(size);
+ std::memset(buf.pData_, 0x0, buf.size_);
+ if (cc) std::memcpy(buf.pData_ + 8, cc->pData() + 8, cc->size() - 8);
+--
+2.25.1
+
diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
index a13db42edd..1dc909eeb0 100644
--- a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
+++ b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
@@ -10,7 +10,8 @@ SRC_URI[sha256sum] = "a79f5613812aa21755d578a297874fb59a85101e793edc64ec2c6bd994
# Once patch is obsolete (project should be aware due to PRs), dos2unix can be removed either
inherit dos2unix
SRC_URI += "file://0001-Use-compiler-fcf-protection-only-if-compiler-arch-su.patch \
- file://CVE-2021-29457.patch"
+ file://CVE-2021-29457.patch \
+ file://CVE-2021-29458.patch"
S = "${WORKDIR}/${BPN}-${PV}-Source"
--
2.17.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [dunfell 03/12] exiv2: Fix CVE-2021-29463
2021-05-30 18:34 [dunfell 00/12] Patch review May 30th Armin Kuster
2021-05-30 18:34 ` [dunfell 01/12] exiv2: Fix CVE-2021-29457 Armin Kuster
2021-05-30 18:34 ` [dunfell 02/12] exiv2: Fix CVE-2021-29458 Armin Kuster
@ 2021-05-30 18:34 ` Armin Kuster
2021-05-30 18:34 ` [dunfell 04/12] exiv2: Fix CVE-2021-3482 Armin Kuster
` (8 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: Armin Kuster @ 2021-05-30 18:34 UTC (permalink / raw
To: openembedded-devel
From: wangmy <wangmy@fujitsu.com>
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29463
The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file.
An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2,
if they can trick the victim into running Exiv2 on a crafted image file.
Upstream-Status: Accepted [https://github.com/Exiv2/exiv2/commit/783b3a6ff15ed6f82a8f8e6c8a6f3b84a9b04d4b]
CVE: CVE-2021-29463
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 8e63ac6c86852a12408c2415be073c71420758ff)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../exiv2/exiv2/CVE-2021-29463.patch | 120 ++++++++++++++++++
meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb | 3 +-
2 files changed, 122 insertions(+), 1 deletion(-)
create mode 100644 meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29463.patch
diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29463.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29463.patch
new file mode 100644
index 0000000000..5ab64a7d3e
--- /dev/null
+++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29463.patch
@@ -0,0 +1,120 @@
+From 783b3a6ff15ed6f82a8f8e6c8a6f3b84a9b04d4b Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <kevinbackhouse@github.com>
+Date: Mon, 19 Apr 2021 18:06:00 +0100
+Subject: [PATCH] Improve bound checking in WebPImage::doWriteMetadata()
+
+---
+ src/webpimage.cpp | 41 ++++++++++++++++++++++++++++++-----------
+ 1 file changed, 30 insertions(+), 11 deletions(-)
+
+diff --git a/src/webpimage.cpp b/src/webpimage.cpp
+index 4ddec544c..fee110bca 100644
+--- a/src/webpimage.cpp
++++ b/src/webpimage.cpp
+@@ -145,7 +145,7 @@ namespace Exiv2 {
+ DataBuf chunkId(WEBP_TAG_SIZE+1);
+ chunkId.pData_ [WEBP_TAG_SIZE] = '\0';
+
+- io_->read(data, WEBP_TAG_SIZE * 3);
++ readOrThrow(*io_, data, WEBP_TAG_SIZE * 3, Exiv2::kerCorruptedMetadata);
+ uint64_t filesize = Exiv2::getULong(data + WEBP_TAG_SIZE, littleEndian);
+
+ /* Set up header */
+@@ -185,13 +185,20 @@ namespace Exiv2 {
+ case we have any exif or xmp data, also check
+ for any chunks with alpha frame/layer set */
+ while ( !io_->eof() && (uint64_t) io_->tell() < filesize) {
+- io_->read(chunkId.pData_, WEBP_TAG_SIZE);
+- io_->read(size_buff, WEBP_TAG_SIZE);
+- long size = Exiv2::getULong(size_buff, littleEndian);
++ readOrThrow(*io_, chunkId.pData_, WEBP_TAG_SIZE, Exiv2::kerCorruptedMetadata);
++ readOrThrow(*io_, size_buff, WEBP_TAG_SIZE, Exiv2::kerCorruptedMetadata);
++ const uint32_t size_u32 = Exiv2::getULong(size_buff, littleEndian);
++
++ // Check that `size_u32` is safe to cast to `long`.
++ enforce(size_u32 <= static_cast<size_t>(std::numeric_limits<unsigned int>::max()),
++ Exiv2::kerCorruptedMetadata);
++ const long size = static_cast<long>(size_u32);
+ DataBuf payload(size);
+- io_->read(payload.pData_, payload.size_);
+- byte c;
+- if ( payload.size_ % 2 ) io_->read(&c,1);
++ readOrThrow(*io_, payload.pData_, payload.size_, Exiv2::kerCorruptedMetadata);
++ if ( payload.size_ % 2 ) {
++ byte c;
++ readOrThrow(*io_, &c, 1, Exiv2::kerCorruptedMetadata);
++ }
+
+ /* Chunk with information about features
+ used in the file. */
+@@ -199,6 +206,7 @@ namespace Exiv2 {
+ has_vp8x = true;
+ }
+ if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_VP8X) && !has_size) {
++ enforce(size >= 10, Exiv2::kerCorruptedMetadata);
+ has_size = true;
+ byte size_buf[WEBP_TAG_SIZE];
+
+@@ -227,6 +235,7 @@ namespace Exiv2 {
+ }
+ #endif
+ if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_VP8) && !has_size) {
++ enforce(size >= 10, Exiv2::kerCorruptedMetadata);
+ has_size = true;
+ byte size_buf[2];
+
+@@ -244,11 +253,13 @@ namespace Exiv2 {
+
+ /* Chunk with with lossless image data. */
+ if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_VP8L) && !has_alpha) {
++ enforce(size >= 5, Exiv2::kerCorruptedMetadata);
+ if ((payload.pData_[4] & WEBP_VP8X_ALPHA_BIT) == WEBP_VP8X_ALPHA_BIT) {
+ has_alpha = true;
+ }
+ }
+ if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_VP8L) && !has_size) {
++ enforce(size >= 5, Exiv2::kerCorruptedMetadata);
+ has_size = true;
+ byte size_buf_w[2];
+ byte size_buf_h[3];
+@@ -276,11 +287,13 @@ namespace Exiv2 {
+
+ /* Chunk with animation frame. */
+ if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_ANMF) && !has_alpha) {
++ enforce(size >= 6, Exiv2::kerCorruptedMetadata);
+ if ((payload.pData_[5] & 0x2) == 0x2) {
+ has_alpha = true;
+ }
+ }
+ if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_ANMF) && !has_size) {
++ enforce(size >= 12, Exiv2::kerCorruptedMetadata);
+ has_size = true;
+ byte size_buf[WEBP_TAG_SIZE];
+
+@@ -309,16 +322,22 @@ namespace Exiv2 {
+
+ io_->seek(12, BasicIo::beg);
+ while ( !io_->eof() && (uint64_t) io_->tell() < filesize) {
+- io_->read(chunkId.pData_, 4);
+- io_->read(size_buff, 4);
++ readOrThrow(*io_, chunkId.pData_, 4, Exiv2::kerCorruptedMetadata);
++ readOrThrow(*io_, size_buff, 4, Exiv2::kerCorruptedMetadata);
++
++ const uint32_t size_u32 = Exiv2::getULong(size_buff, littleEndian);
+
+- long size = Exiv2::getULong(size_buff, littleEndian);
++ // Check that `size_u32` is safe to cast to `long`.
++ enforce(size_u32 <= static_cast<size_t>(std::numeric_limits<unsigned int>::max()),
++ Exiv2::kerCorruptedMetadata);
++ const long size = static_cast<long>(size_u32);
+
+ DataBuf payload(size);
+- io_->read(payload.pData_, size);
++ readOrThrow(*io_, payload.pData_, size, Exiv2::kerCorruptedMetadata);
+ if ( io_->tell() % 2 ) io_->seek(+1,BasicIo::cur); // skip pad
+
+ if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_VP8X)) {
++ enforce(size >= 1, Exiv2::kerCorruptedMetadata);
+ if (has_icc){
+ payload.pData_[0] |= WEBP_VP8X_ICC_BIT;
+ } else {
diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
index 1dc909eeb0..fb8d126198 100644
--- a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
+++ b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
@@ -11,7 +11,8 @@ SRC_URI[sha256sum] = "a79f5613812aa21755d578a297874fb59a85101e793edc64ec2c6bd994
inherit dos2unix
SRC_URI += "file://0001-Use-compiler-fcf-protection-only-if-compiler-arch-su.patch \
file://CVE-2021-29457.patch \
- file://CVE-2021-29458.patch"
+ file://CVE-2021-29458.patch \
+ file://CVE-2021-29463.patch"
S = "${WORKDIR}/${BPN}-${PV}-Source"
--
2.17.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [dunfell 04/12] exiv2: Fix CVE-2021-3482
2021-05-30 18:34 [dunfell 00/12] Patch review May 30th Armin Kuster
` (2 preceding siblings ...)
2021-05-30 18:34 ` [dunfell 03/12] exiv2: Fix CVE-2021-29463 Armin Kuster
@ 2021-05-30 18:34 ` Armin Kuster
2021-05-30 18:34 ` [dunfell 05/12] exiv2: Fix CVE-2021-29464 Armin Kuster
` (7 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: Armin Kuster @ 2021-05-30 18:34 UTC (permalink / raw
To: openembedded-devel
From: wangmy <wangmy@fujitsu.com>
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3482
Improper input validation of the rawData.size property in Jp2Image::readMetadata() in jp2image.cpp
can lead to a heap-based buffer overflow via a crafted JPG image containing malicious EXIF data.
Upstream-Status: Accepted [https://github.com/Exiv2/exiv2/pull/1523/commits/22ea582c6b74ada30bec3a6b15de3c3e52f2b4da]
CVE: CVE-2021-3482
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 9e7c2c9713dc2824af2a33b0a3feb4f29e7f0269)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../exiv2/exiv2/CVE-2021-3482.patch | 54 +++++++++++++++++++
meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb | 3 +-
2 files changed, 56 insertions(+), 1 deletion(-)
create mode 100644 meta-oe/recipes-support/exiv2/exiv2/CVE-2021-3482.patch
diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-3482.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-3482.patch
new file mode 100644
index 0000000000..e7c5e1b656
--- /dev/null
+++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-3482.patch
@@ -0,0 +1,54 @@
+From 22ea582c6b74ada30bec3a6b15de3c3e52f2b4da Mon Sep 17 00:00:00 2001
+From: Robin Mills <robin@clanmills.com>
+Date: Mon, 5 Apr 2021 20:33:25 +0100
+Subject: [PATCH] fix_1522_jp2image_exif_asan
+
+---
+ src/jp2image.cpp | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index eb31cea4a..88ab9b2d6 100644
+--- a/src/jp2image.cpp
++++ b/src/jp2image.cpp
+@@ -28,6 +28,7 @@
+ #include "image.hpp"
+ #include "image_int.hpp"
+ #include "basicio.hpp"
++#include "enforce.hpp"
+ #include "error.hpp"
+ #include "futils.hpp"
+ #include "types.hpp"
+@@ -353,7 +354,7 @@ static void boxes_check(size_t b,size_t m)
+ if (io_->error()) throw Error(kerFailedToReadImageData);
+ if (bufRead != rawData.size_) throw Error(kerInputDataReadFailed);
+
+- if (rawData.size_ > 0)
++ if (rawData.size_ > 8) // "II*\0long"
+ {
+ // Find the position of Exif header in bytes array.
+ long pos = ( (rawData.pData_[0] == rawData.pData_[1])
+@@ -497,6 +498,7 @@ static void boxes_check(size_t b,size_t m)
+ position = io_->tell();
+ box.length = getLong((byte*)&box.length, bigEndian);
+ box.type = getLong((byte*)&box.type, bigEndian);
++ enforce(box.length <= io_->size()-io_->tell() , Exiv2::kerCorruptedMetadata);
+
+ if (bPrint) {
+ out << Internal::stringFormat("%8ld | %8ld | ", (size_t)(position - sizeof(box)),
+@@ -581,12 +583,13 @@ static void boxes_check(size_t b,size_t m)
+ throw Error(kerInputDataReadFailed);
+
+ if (bPrint) {
+- out << Internal::binaryToString(makeSlice(rawData, 0, 40));
++ out << Internal::binaryToString(
++ makeSlice(rawData, 0, rawData.size_>40?40:rawData.size_));
+ out.flush();
+ }
+ lf(out, bLF);
+
+- if (bIsExif && bRecursive && rawData.size_ > 0) {
++ if (bIsExif && bRecursive && rawData.size_ > 8) { // "II*\0long"
+ if ((rawData.pData_[0] == rawData.pData_[1]) &&
+ (rawData.pData_[0] == 'I' || rawData.pData_[0] == 'M')) {
+ BasicIo::AutoPtr p = BasicIo::AutoPtr(new MemIo(rawData.pData_, rawData.size_));
diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
index fb8d126198..8c4c81799b 100644
--- a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
+++ b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
@@ -12,7 +12,8 @@ inherit dos2unix
SRC_URI += "file://0001-Use-compiler-fcf-protection-only-if-compiler-arch-su.patch \
file://CVE-2021-29457.patch \
file://CVE-2021-29458.patch \
- file://CVE-2021-29463.patch"
+ file://CVE-2021-29463.patch \
+ file://CVE-2021-3482.patch"
S = "${WORKDIR}/${BPN}-${PV}-Source"
--
2.17.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [dunfell 05/12] exiv2: Fix CVE-2021-29464
2021-05-30 18:34 [dunfell 00/12] Patch review May 30th Armin Kuster
` (3 preceding siblings ...)
2021-05-30 18:34 ` [dunfell 04/12] exiv2: Fix CVE-2021-3482 Armin Kuster
@ 2021-05-30 18:34 ` Armin Kuster
2021-05-30 18:34 ` [dunfell 06/12] exiv2: Fix CVE-2021-29470 Armin Kuster
` (6 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: Armin Kuster @ 2021-05-30 18:34 UTC (permalink / raw
To: openembedded-devel
From: wangmy <wangmy@fujitsu.com>
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29464
The heap overflow is triggered when Exiv2 is used to write metadata into a crafted image file.
An attacker could potentially exploit the vulnerability to gain code execution, if they can
trick the victim into running Exiv2 on a crafted image file.
Upstream-Status: Accepted [https://github.com/Exiv2/exiv2/commit/f9308839198aca5e68a65194f151a1de92398f54]
CVE: CVE-2021-29464
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 8c9470bdfaa1d33347ffaf25b3e18d2163667e18)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../exiv2/exiv2/CVE-2021-29464.patch | 72 +++++++++++++++++++
meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb | 1 +
2 files changed, 73 insertions(+)
create mode 100644 meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29464.patch
diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29464.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29464.patch
new file mode 100644
index 0000000000..f0c482450c
--- /dev/null
+++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29464.patch
@@ -0,0 +1,72 @@
+From 61734d8842cb9cc59437463e3bac54d6231d9487 Mon Sep 17 00:00:00 2001
+From: Wang Mingyu <wangmy@fujitsu.com>
+Date: Tue, 18 May 2021 10:52:54 +0900
+Subject: [PATCH] modify
+
+Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
+---
+ src/jp2image.cpp | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index 52723a4..0ac4f50 100644
+--- a/src/jp2image.cpp
++++ b/src/jp2image.cpp
+@@ -643,11 +643,11 @@ static void boxes_check(size_t b,size_t m)
+ void Jp2Image::encodeJp2Header(const DataBuf& boxBuf,DataBuf& outBuf)
+ {
+ DataBuf output(boxBuf.size_ + iccProfile_.size_ + 100); // allocate sufficient space
+- int outlen = sizeof(Jp2BoxHeader) ; // now many bytes have we written to output?
+- int inlen = sizeof(Jp2BoxHeader) ; // how many bytes have we read from boxBuf?
++ long outlen = sizeof(Jp2BoxHeader) ; // now many bytes have we written to output?
++ long inlen = sizeof(Jp2BoxHeader) ; // how many bytes have we read from boxBuf?
+ Jp2BoxHeader* pBox = (Jp2BoxHeader*) boxBuf.pData_;
+- int32_t length = getLong((byte*)&pBox->length, bigEndian);
+- int32_t count = sizeof (Jp2BoxHeader);
++ uint32_t length = getLong((byte*)&pBox->length, bigEndian);
++ uint32_t count = sizeof (Jp2BoxHeader);
+ char* p = (char*) boxBuf.pData_;
+ bool bWroteColor = false ;
+
+@@ -664,6 +664,7 @@ static void boxes_check(size_t b,size_t m)
+ #ifdef EXIV2_DEBUG_MESSAGES
+ std::cout << "Jp2Image::encodeJp2Header subbox: "<< toAscii(subBox.type) << " length = " << subBox.length << std::endl;
+ #endif
++ enforce(subBox.length <= length - count, Exiv2::kerCorruptedMetadata);
+ count += subBox.length;
+ newBox.type = subBox.type;
+ } else {
+@@ -672,12 +673,13 @@ static void boxes_check(size_t b,size_t m)
+ count = length;
+ }
+
+- int32_t newlen = subBox.length;
++ uint32_t newlen = subBox.length;
+ if ( newBox.type == kJp2BoxTypeColorHeader ) {
+ bWroteColor = true ;
+ if ( ! iccProfileDefined() ) {
+ const char* pad = "\x01\x00\x00\x00\x00\x00\x10\x00\x00\x05\x1cuuid";
+ uint32_t psize = 15;
++ enforce(newlen <= output.size_ - outlen, Exiv2::kerCorruptedMetadata);
+ ul2Data((byte*)&newBox.length,psize ,bigEndian);
+ ul2Data((byte*)&newBox.type ,newBox.type,bigEndian);
+ ::memcpy(output.pData_+outlen ,&newBox ,sizeof(newBox));
+@@ -686,6 +688,7 @@ static void boxes_check(size_t b,size_t m)
+ } else {
+ const char* pad = "\0x02\x00\x00";
+ uint32_t psize = 3;
++ enforce(newlen <= output.size_ - outlen, Exiv2::kerCorruptedMetadata);
+ ul2Data((byte*)&newBox.length,psize+iccProfile_.size_,bigEndian);
+ ul2Data((byte*)&newBox.type,newBox.type,bigEndian);
+ ::memcpy(output.pData_+outlen ,&newBox ,sizeof(newBox) );
+@@ -694,6 +697,7 @@ static void boxes_check(size_t b,size_t m)
+ newlen = psize + iccProfile_.size_;
+ }
+ } else {
++ enforce(newlen <= output.size_ - outlen, Exiv2::kerCorruptedMetadata);
+ ::memcpy(output.pData_+outlen,boxBuf.pData_+inlen,subBox.length);
+ }
+
+--
+2.25.1
+
diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
index 8c4c81799b..024f4c794a 100644
--- a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
+++ b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
@@ -13,6 +13,7 @@ SRC_URI += "file://0001-Use-compiler-fcf-protection-only-if-compiler-arch-su.pat
file://CVE-2021-29457.patch \
file://CVE-2021-29458.patch \
file://CVE-2021-29463.patch \
+ file://CVE-2021-29464.patch \
file://CVE-2021-3482.patch"
S = "${WORKDIR}/${BPN}-${PV}-Source"
--
2.17.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [dunfell 06/12] exiv2: Fix CVE-2021-29470
2021-05-30 18:34 [dunfell 00/12] Patch review May 30th Armin Kuster
` (4 preceding siblings ...)
2021-05-30 18:34 ` [dunfell 05/12] exiv2: Fix CVE-2021-29464 Armin Kuster
@ 2021-05-30 18:34 ` Armin Kuster
2021-05-30 18:34 ` [dunfell 07/12] exiv2: Fix CVE-2021-29473 Armin Kuster
` (5 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: Armin Kuster @ 2021-05-30 18:34 UTC (permalink / raw
To: openembedded-devel
From: wangmy <wangmy@fujitsu.com>
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29470
The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file.
An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2,
if they can trick the victim into running Exiv2 on a crafted image file.
Upstream-Status: Accepted [https://github.com/Exiv2/exiv2/pull/1581/commits/6628a69c036df2aa036290e6cd71767c159c79ed]
CVE: CVE-2021-29470
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit bb1400efda77a7289ca20782172bfbe1f457f161)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../exiv2/exiv2/CVE-2021-29470.patch | 32 +++++++++++++++++++
meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb | 1 +
2 files changed, 33 insertions(+)
create mode 100644 meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29470.patch
diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29470.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29470.patch
new file mode 100644
index 0000000000..eedf9d79aa
--- /dev/null
+++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29470.patch
@@ -0,0 +1,32 @@
+From 6628a69c036df2aa036290e6cd71767c159c79ed Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <kevinbackhouse@github.com>
+Date: Wed, 21 Apr 2021 12:06:04 +0100
+Subject: [PATCH] Add more bounds checks in Jp2Image::encodeJp2Header
+---
+ src/jp2image.cpp | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index b424225..349a9f0 100644
+--- a/src/jp2image.cpp
++++ b/src/jp2image.cpp
+@@ -645,13 +645,16 @@ static void boxes_check(size_t b,size_t m)
+ DataBuf output(boxBuf.size_ + iccProfile_.size_ + 100); // allocate sufficient space
+ long outlen = sizeof(Jp2BoxHeader) ; // now many bytes have we written to output?
+ long inlen = sizeof(Jp2BoxHeader) ; // how many bytes have we read from boxBuf?
++ enforce(sizeof(Jp2BoxHeader) <= static_cast<size_t>(output.size_), Exiv2::kerCorruptedMetadata);
+ Jp2BoxHeader* pBox = (Jp2BoxHeader*) boxBuf.pData_;
+ uint32_t length = getLong((byte*)&pBox->length, bigEndian);
++ enforce(length <= static_cast<size_t>(output.size_), Exiv2::kerCorruptedMetadata);
+ uint32_t count = sizeof (Jp2BoxHeader);
+ char* p = (char*) boxBuf.pData_;
+ bool bWroteColor = false ;
+
+ while ( count < length || !bWroteColor ) {
++ enforce(sizeof(Jp2BoxHeader) <= length - count, Exiv2::kerCorruptedMetadata);
+ Jp2BoxHeader* pSubBox = (Jp2BoxHeader*) (p+count) ;
+
+ // copy data. pointer could be into a memory mapped file which we will decode!
+--
+2.25.1
+
diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
index 024f4c794a..2419bab352 100644
--- a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
+++ b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
@@ -14,6 +14,7 @@ SRC_URI += "file://0001-Use-compiler-fcf-protection-only-if-compiler-arch-su.pat
file://CVE-2021-29458.patch \
file://CVE-2021-29463.patch \
file://CVE-2021-29464.patch \
+ file://CVE-2021-29470.patch \
file://CVE-2021-3482.patch"
S = "${WORKDIR}/${BPN}-${PV}-Source"
--
2.17.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [dunfell 07/12] exiv2: Fix CVE-2021-29473
2021-05-30 18:34 [dunfell 00/12] Patch review May 30th Armin Kuster
` (5 preceding siblings ...)
2021-05-30 18:34 ` [dunfell 06/12] exiv2: Fix CVE-2021-29470 Armin Kuster
@ 2021-05-30 18:34 ` Armin Kuster
2021-05-30 18:34 ` [dunfell 08/12] libsdl: Fix CVE-2019-13616 Armin Kuster
` (4 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: Armin Kuster @ 2021-05-30 18:34 UTC (permalink / raw
To: openembedded-devel
From: wangmy <wangmy@fujitsu.com>
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29473
The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file.
An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2,
if they can trick the victim into running Exiv2 on a crafted image file.
Upstream-Status: Accepted [https://github.com/Exiv2/exiv2/pull/1587/commits/e6a0982f7cd9282052b6e3485a458d60629ffa0b]
CVE: CVE-2021-29473
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit a9aecd2c32fc8f238f62ef70813e032b6b52c2f2)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../exiv2/exiv2/CVE-2021-29473.patch | 21 +++++++++++++++++++
meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb | 1 +
2 files changed, 22 insertions(+)
create mode 100644 meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29473.patch
diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29473.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29473.patch
new file mode 100644
index 0000000000..4afedf8e59
--- /dev/null
+++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29473.patch
@@ -0,0 +1,21 @@
+From e6a0982f7cd9282052b6e3485a458d60629ffa0b Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <kevinbackhouse@github.com>
+Date: Fri, 23 Apr 2021 11:44:44 +0100
+Subject: [PATCH] Add bounds check in Jp2Image::doWriteMetadata().
+
+---
+ src/jp2image.cpp | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index 1694fed27..ca8c9ddbb 100644
+--- a/src/jp2image.cpp
++++ b/src/jp2image.cpp
+@@ -908,6 +908,7 @@ static void boxes_check(size_t b,size_t m)
+
+ case kJp2BoxTypeUuid:
+ {
++ enforce(boxBuf.size_ >= 24, Exiv2::kerCorruptedMetadata);
+ if(memcmp(boxBuf.pData_ + 8, kJp2UuidExif, 16) == 0)
+ {
+ #ifdef EXIV2_DEBUG_MESSAGES
diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
index 2419bab352..d5d9e62ff2 100644
--- a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
+++ b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
@@ -15,6 +15,7 @@ SRC_URI += "file://0001-Use-compiler-fcf-protection-only-if-compiler-arch-su.pat
file://CVE-2021-29463.patch \
file://CVE-2021-29464.patch \
file://CVE-2021-29470.patch \
+ file://CVE-2021-29473.patch \
file://CVE-2021-3482.patch"
S = "${WORKDIR}/${BPN}-${PV}-Source"
--
2.17.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [dunfell 08/12] libsdl: Fix CVE-2019-13616
2021-05-30 18:34 [dunfell 00/12] Patch review May 30th Armin Kuster
` (6 preceding siblings ...)
2021-05-30 18:34 ` [dunfell 07/12] exiv2: Fix CVE-2021-29473 Armin Kuster
@ 2021-05-30 18:34 ` Armin Kuster
2021-05-30 18:34 ` [dunfell 09/12] hostapd: fix building with CONFIG_TLS=internal Armin Kuster
` (3 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: Armin Kuster @ 2021-05-30 18:34 UTC (permalink / raw
To: openembedded-devel
From: wangmy <wangmy@fujitsu.com>
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13616
SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read
in BlitNtoN in video/SDL_blit_N.c when called from SDL_SoftBlit in video/SDL_blit.c.
Upstream-Status: Backport [https://github.com/libsdl-org/SDL/commit/97fefd050976bbbfca9608499f6a7d9fb86e70db]
CVE: CVE-2019-13616
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../libsdl/libsdl-1.2.15/CVE-2019-13616.patch | 27 +++++++++++++++++++
.../recipes-graphics/libsdl/libsdl_1.2.15.bb | 1 +
2 files changed, 28 insertions(+)
create mode 100644 meta-oe/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-13616.patch
diff --git a/meta-oe/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-13616.patch b/meta-oe/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-13616.patch
new file mode 100644
index 0000000000..2db67966cf
--- /dev/null
+++ b/meta-oe/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-13616.patch
@@ -0,0 +1,27 @@
+From 97fefd050976bbbfca9608499f6a7d9fb86e70db Mon Sep 17 00:00:00 2001
+From: Sam Lantinga <slouken@libsdl.org>
+Date: Tue, 30 Jul 2019 11:00:00 -0700
+Subject: [PATCH] Fixed bug 4538 - validate image size when loading BMP files
+---
+ src/video/SDL_bmp.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c
+index 8eadc5f..5b5e12c 100644
+--- a/src/video/SDL_bmp.c
++++ b/src/video/SDL_bmp.c
+@@ -143,6 +143,11 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc)
+ (void) biYPelsPerMeter;
+ (void) biClrImportant;
+
++ if (biWidth <= 0 || biHeight == 0) {
++ SDL_SetError("BMP file with bad dimensions (%dx%d)", biWidth, biHeight);
++ was_error = SDL_TRUE;
++ goto done;
++ }
+ if (biHeight < 0) {
+ topDown = SDL_TRUE;
+ biHeight = -biHeight;
+--
+2.25.1
+
diff --git a/meta-oe/recipes-graphics/libsdl/libsdl_1.2.15.bb b/meta-oe/recipes-graphics/libsdl/libsdl_1.2.15.bb
index 7a01908322..d91a1856b4 100644
--- a/meta-oe/recipes-graphics/libsdl/libsdl_1.2.15.bb
+++ b/meta-oe/recipes-graphics/libsdl/libsdl_1.2.15.bb
@@ -27,6 +27,7 @@ SRC_URI = "http://www.libsdl.org/release/SDL-${PV}.tar.gz \
file://CVE-2019-7637.patch \
file://CVE-2019-7638.patch \
file://CVE-2019-7576.patch \
+ file://CVE-2019-13616.patch \
"
UPSTREAM_CHECK_REGEX = "SDL-(?P<pver>\d+(\.\d+)+)\.tar"
--
2.17.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [dunfell 09/12] hostapd: fix building with CONFIG_TLS=internal
2021-05-30 18:34 [dunfell 00/12] Patch review May 30th Armin Kuster
` (7 preceding siblings ...)
2021-05-30 18:34 ` [dunfell 08/12] libsdl: Fix CVE-2019-13616 Armin Kuster
@ 2021-05-30 18:34 ` Armin Kuster
2021-05-30 18:34 ` [dunfell 10/12] opencv: Add fix for CVE-2019-5063 and CVE-2019-5064 Armin Kuster
` (2 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: Armin Kuster @ 2021-05-30 18:34 UTC (permalink / raw
To: openembedded-devel
From: Alexander Vickberg <wickbergster@gmail.com>
The patch recently added for CVE-2021-30004 broke compilation with
CONFIG_TLS=internal. This adds the necessary function to let it
compile again.
Signed-off-by: Alexander Vickberg <wickbergster@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit d6ef4170747d6668fa940328334055eef3e1e1d6)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
...001-Prepare-for-CVE-2021-30004.patch.patch | 45 +++++++++++++++++++
.../hostapd/hostapd_2.9.bb | 1 +
2 files changed, 46 insertions(+)
create mode 100644 meta-oe/recipes-connectivity/hostapd/hostapd/0001-Prepare-for-CVE-2021-30004.patch.patch
diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/0001-Prepare-for-CVE-2021-30004.patch.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/0001-Prepare-for-CVE-2021-30004.patch.patch
new file mode 100644
index 0000000000..1bedb4f753
--- /dev/null
+++ b/meta-oe/recipes-connectivity/hostapd/hostapd/0001-Prepare-for-CVE-2021-30004.patch.patch
@@ -0,0 +1,45 @@
+From 14fab0772db19297c82dd1b8612c9335369dce41 Mon Sep 17 00:00:00 2001
+From: Alexander Vickberg <wickbergster@gmail.com>
+Date: Mon, 17 May 2021 17:54:13 +0200
+Subject: [PATCH] Prepare for CVE-2021-30004.patch
+
+Without this building fails for CONFIG_TLS=internal
+
+Signed-off-by: Alexander Vickberg <wickbergster@gmail.com>
+---
+ src/tls/asn1.h | 6 ++++++
+ src/utils/includes.h | 1 +
+ 2 files changed, 7 insertions(+)
+
+diff --git a/src/tls/asn1.h b/src/tls/asn1.h
+index 6bd7df5..77b94ef 100644
+--- a/src/tls/asn1.h
++++ b/src/tls/asn1.h
+@@ -66,6 +66,12 @@ void asn1_oid_to_str(const struct asn1_oid *oid, char *buf, size_t len);
+ unsigned long asn1_bit_string_to_long(const u8 *buf, size_t len);
+ int asn1_oid_equal(const struct asn1_oid *a, const struct asn1_oid *b);
+
++static inline bool asn1_is_null(const struct asn1_hdr *hdr)
++{
++ return hdr->class == ASN1_CLASS_UNIVERSAL &&
++ hdr->tag == ASN1_TAG_NULL;
++}
++
+ extern struct asn1_oid asn1_sha1_oid;
+ extern struct asn1_oid asn1_sha256_oid;
+
+diff --git a/src/utils/includes.h b/src/utils/includes.h
+index 75513fc..741fc9c 100644
+--- a/src/utils/includes.h
++++ b/src/utils/includes.h
+@@ -18,6 +18,7 @@
+
+ #include <stdlib.h>
+ #include <stddef.h>
++#include <stdbool.h>
+ #include <stdio.h>
+ #include <stdarg.h>
+ #include <string.h>
+--
+2.25.1
+
diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb b/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb
index e586018685..a9780bc6db 100644
--- a/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb
+++ b/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb
@@ -11,6 +11,7 @@ SRC_URI = " \
file://defconfig \
file://init \
file://hostapd.service \
+ file://0001-Prepare-for-CVE-2021-30004.patch.patch \
file://CVE-2019-16275.patch \
file://CVE-2019-5061.patch \
file://CVE-2021-0326.patch \
--
2.17.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [dunfell 10/12] opencv: Add fix for CVE-2019-5063 and CVE-2019-5064
2021-05-30 18:34 [dunfell 00/12] Patch review May 30th Armin Kuster
` (8 preceding siblings ...)
2021-05-30 18:34 ` [dunfell 09/12] hostapd: fix building with CONFIG_TLS=internal Armin Kuster
@ 2021-05-30 18:34 ` Armin Kuster
2021-05-30 18:34 ` [dunfell 11/12] ebtables: use bitbake optimization levels Armin Kuster
2021-05-30 18:34 ` [dunfell 12/12] dnsmasq: Add fixes for CVEs reported for dnsmasq Armin Kuster
11 siblings, 0 replies; 13+ messages in thread
From: Armin Kuster @ 2021-05-30 18:34 UTC (permalink / raw
To: openembedded-devel
From: "akash.hadke" <akash.hadke@kpit.com>
Added fix for below CVE's
CVE-2019-5063
CVE-2019-5064
Link: https://github.com/opencv/opencv/commit/f42d5399aac80d371b17d689851406669c9b9111.patch
Signed-off-by: akash hadke <akash.hadke@kpit.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../opencv/CVE-2019-5063_and_2019-5064.patch | 78 +++++++++++++++++++
.../recipes-support/opencv/opencv_4.1.0.bb | 1 +
2 files changed, 79 insertions(+)
create mode 100644 meta-oe/recipes-support/opencv/opencv/CVE-2019-5063_and_2019-5064.patch
diff --git a/meta-oe/recipes-support/opencv/opencv/CVE-2019-5063_and_2019-5064.patch b/meta-oe/recipes-support/opencv/opencv/CVE-2019-5063_and_2019-5064.patch
new file mode 100644
index 0000000000..b4d5e6dc44
--- /dev/null
+++ b/meta-oe/recipes-support/opencv/opencv/CVE-2019-5063_and_2019-5064.patch
@@ -0,0 +1,78 @@
+From f42d5399aac80d371b17d689851406669c9b9111 Mon Sep 17 00:00:00 2001
+From: Alexander Alekhin <alexander.alekhin@intel.com>
+Date: Thu, 7 Nov 2019 14:01:51 +0300
+Subject: [PATCH] core(persistence): add more checks for implementation
+ limitations
+
+Signed-off-by: akash hadke <akash.hadke@kpit.com>
+---
+ modules/core/src/persistence_json.cpp | 8 ++++++++
+ modules/core/src/persistence_xml.cpp | 6 ++++--
+ 2 files changed, 12 insertions(+), 2 deletions(-)
+---
+CVE: CVE-2019-5063
+CVE: CVE-2019-5064
+Upstream-Status: Backport [https://github.com/opencv/opencv/commit/f42d5399aac80d371b17d689851406669c9b9111.patch]
+---
+diff --git a/modules/core/src/persistence_json.cpp b/modules/core/src/persistence_json.cpp
+index 89914e6534f..2efdf17d3f5 100644
+--- a/modules/core/src/persistence_json.cpp
++++ b/modules/core/src/persistence_json.cpp
+@@ -578,10 +578,14 @@ class JSONParser : public FileStorageParser
+ sz = (int)(ptr - beg);
+ if( sz > 0 )
+ {
++ if (i + sz >= CV_FS_MAX_LEN)
++ CV_PARSE_ERROR_CPP("string is too long");
+ memcpy(buf + i, beg, sz);
+ i += sz;
+ }
+ ptr++;
++ if (i + 1 >= CV_FS_MAX_LEN)
++ CV_PARSE_ERROR_CPP("string is too long");
+ switch ( *ptr )
+ {
+ case '\\':
+@@ -605,6 +609,8 @@ class JSONParser : public FileStorageParser
+ sz = (int)(ptr - beg);
+ if( sz > 0 )
+ {
++ if (i + sz >= CV_FS_MAX_LEN)
++ CV_PARSE_ERROR_CPP("string is too long");
+ memcpy(buf + i, beg, sz);
+ i += sz;
+ }
+@@ -620,6 +626,8 @@ class JSONParser : public FileStorageParser
+ sz = (int)(ptr - beg);
+ if( sz > 0 )
+ {
++ if (i + sz >= CV_FS_MAX_LEN)
++ CV_PARSE_ERROR_CPP("string is too long");
+ memcpy(buf + i, beg, sz);
+ i += sz;
+ }
+diff --git a/modules/core/src/persistence_xml.cpp b/modules/core/src/persistence_xml.cpp
+index 89876dd3da8..52b53744254 100644
+--- a/modules/core/src/persistence_xml.cpp
++++ b/modules/core/src/persistence_xml.cpp
+@@ -627,6 +627,8 @@ class XMLParser : public FileStorageParser
+ c = '\"';
+ else
+ {
++ if (len + 2 + i >= CV_FS_MAX_LEN)
++ CV_PARSE_ERROR_CPP("string is too long");
+ memcpy( strbuf + i, ptr-1, len + 2 );
+ i += len + 2;
+ }
+@@ -635,9 +637,9 @@ class XMLParser : public FileStorageParser
+ CV_PERSISTENCE_CHECK_END_OF_BUFFER_BUG_CPP();
+ }
+ }
++ if (i + 1 >= CV_FS_MAX_LEN)
++ CV_PARSE_ERROR_CPP("Too long string literal");
+ strbuf[i++] = c;
+- if( i >= CV_FS_MAX_LEN )
+- CV_PARSE_ERROR_CPP( "Too long string literal" );
+ }
+ elem->setValue(FileNode::STRING, strbuf, i);
+ }
diff --git a/meta-oe/recipes-support/opencv/opencv_4.1.0.bb b/meta-oe/recipes-support/opencv/opencv_4.1.0.bb
index de708fd06d..19d5d0c891 100644
--- a/meta-oe/recipes-support/opencv/opencv_4.1.0.bb
+++ b/meta-oe/recipes-support/opencv/opencv_4.1.0.bb
@@ -54,6 +54,7 @@ SRC_URI = "git://github.com/opencv/opencv.git;name=opencv \
file://CVE-2019-14493.patch \
file://CVE-2019-15939.patch \
file://CVE-2019-19624.patch \
+ file://CVE-2019-5063_and_2019-5064.patch \
"
PV = "4.1.0"
--
2.17.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [dunfell 11/12] ebtables: use bitbake optimization levels
2021-05-30 18:34 [dunfell 00/12] Patch review May 30th Armin Kuster
` (9 preceding siblings ...)
2021-05-30 18:34 ` [dunfell 10/12] opencv: Add fix for CVE-2019-5063 and CVE-2019-5064 Armin Kuster
@ 2021-05-30 18:34 ` Armin Kuster
2021-05-30 18:34 ` [dunfell 12/12] dnsmasq: Add fixes for CVEs reported for dnsmasq Armin Kuster
11 siblings, 0 replies; 13+ messages in thread
From: Armin Kuster @ 2021-05-30 18:34 UTC (permalink / raw
To: openembedded-devel
From: Mikko Rapeli <mikko.rapeli@bmw.de>
Don't overwrite with O3 optimization. Reduces ebtables
binary package size from 416241 to 412145 bytes, and
enables further optimizations with e.g. -Os flags
via bitbake distro wide settings.
Only ebtables versions up to 2.0.10-4 and dunfell are affected.
The version 2.0.11 from hardknott and master branch use system
wide flags already.
Signed-off-by: Mikko Rapeli <mikko.rapeli@bmw.de>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../ebtables_optimizations.patch | 19 +++++++++++++++++++
.../ebtables/ebtables_2.0.10-4.bb | 1 +
2 files changed, 20 insertions(+)
create mode 100644 meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/ebtables_optimizations.patch
diff --git a/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/ebtables_optimizations.patch b/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/ebtables_optimizations.patch
new file mode 100644
index 0000000000..21d4cfd822
--- /dev/null
+++ b/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/ebtables_optimizations.patch
@@ -0,0 +1,19 @@
+ebtables: use optimizations from bitbake
+
+Enables building with O2 or Os to create smaller binaries.
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Mikko Rapeli <mikko.rapeli@bmw.de>
+
+--- a/Makefile 2021-04-16 12:43:40.475431286 +0000
++++ b/Makefile 2021-04-16 12:45:23.654597711 +0000
+@@ -18,7 +18,7 @@ SYSCONFIGDIR:=/etc/sysconfig
+ DESTDIR:=
+
+ CFLAGS:=-Wall -Wunused -Werror
+-CFLAGS_SH_LIB:=-fPIC -O3
++CFLAGS_SH_LIB:=-fPIC
+ CC:=gcc
+
+ ifeq ($(shell uname -m),sparc64)
diff --git a/meta-networking/recipes-filter/ebtables/ebtables_2.0.10-4.bb b/meta-networking/recipes-filter/ebtables/ebtables_2.0.10-4.bb
index 276784009f..8b6dcea439 100644
--- a/meta-networking/recipes-filter/ebtables/ebtables_2.0.10-4.bb
+++ b/meta-networking/recipes-filter/ebtables/ebtables_2.0.10-4.bb
@@ -31,6 +31,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/ebtables/ebtables-v${PV}.tar.gz \
file://0007-extensions-Use-stdint-types.patch \
file://0008-ethernetdb.h-Remove-C-specific-compiler-hint-macro-_.patch \
file://0009-ebtables-Allow-RETURN-target-rules-in-user-defined-c.patch \
+ file://ebtables_optimizations.patch \
"
SRC_URI_append_libc-musl = " file://0010-Adjust-header-include-sequence.patch"
--
2.17.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [dunfell 12/12] dnsmasq: Add fixes for CVEs reported for dnsmasq
2021-05-30 18:34 [dunfell 00/12] Patch review May 30th Armin Kuster
` (10 preceding siblings ...)
2021-05-30 18:34 ` [dunfell 11/12] ebtables: use bitbake optimization levels Armin Kuster
@ 2021-05-30 18:34 ` Armin Kuster
11 siblings, 0 replies; 13+ messages in thread
From: Armin Kuster @ 2021-05-30 18:34 UTC (permalink / raw
To: openembedded-devel
From: Sana Kazi <Sana.Kazi@kpit.com>
Applied single patch for below listed CVEs:
CVE-2020-25681
CVE-2020-25682
CVE-2020-25683
CVE-2020-25687
as they are fixed by single commit
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=4e96a4be685c9e4445f6ee79ad0b36b9119b502a
Link: https://www.openwall.com/lists/oss-security/2021/01/19/1
Also, applied patch for below listed CVEs:
CVE-2020-25684
CVE-2020-25685
CVE-2020-25686
all CVEs applicable to v2.81
Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
Signed-off-by: Nisha Parrakat <nishaparrakat@gmail.com>
[Refreshed patches]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../recipes-support/dnsmasq/dnsmasq_2.81.bb | 7 +-
.../dnsmasq/files/CVE-2020-25681.patch | 370 +++++++++++
.../dnsmasq/files/CVE-2020-25684.patch | 98 +++
.../dnsmasq/files/CVE-2020-25685-1.patch | 587 ++++++++++++++++++
.../dnsmasq/files/CVE-2020-25685-2.patch | 175 ++++++
.../dnsmasq/files/CVE-2020-25686-1.patch | 332 ++++++++++
.../dnsmasq/files/CVE-2020-25686-2.patch | 63 ++
7 files changed, 1631 insertions(+), 1 deletion(-)
create mode 100644 meta-networking/recipes-support/dnsmasq/files/CVE-2020-25681.patch
create mode 100644 meta-networking/recipes-support/dnsmasq/files/CVE-2020-25684.patch
create mode 100644 meta-networking/recipes-support/dnsmasq/files/CVE-2020-25685-1.patch
create mode 100644 meta-networking/recipes-support/dnsmasq/files/CVE-2020-25685-2.patch
create mode 100644 meta-networking/recipes-support/dnsmasq/files/CVE-2020-25686-1.patch
create mode 100644 meta-networking/recipes-support/dnsmasq/files/CVE-2020-25686-2.patch
diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb
index 92415386c2..a1dc0f3a0a 100644
--- a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb
+++ b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb
@@ -4,5 +4,10 @@ SRC_URI[dnsmasq-2.81.md5sum] = "e43808177a773014b5892ccba238f7a8"
SRC_URI[dnsmasq-2.81.sha256sum] = "3c28c68c6c2967c3a96e9b432c0c046a5df17a426d3a43cffe9e693cf05804d0"
SRC_URI += "\
file://lua.patch \
+ file://CVE-2020-25681.patch \
+ file://CVE-2020-25684.patch \
+ file://CVE-2020-25685-1.patch \
+ file://CVE-2020-25685-2.patch \
+ file://CVE-2020-25686-1.patch \
+ file://CVE-2020-25686-2.patch \
"
-
diff --git a/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25681.patch b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25681.patch
new file mode 100644
index 0000000000..6756157700
--- /dev/null
+++ b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25681.patch
@@ -0,0 +1,370 @@
+From 4e96a4be685c9e4445f6ee79ad0b36b9119b502a Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Wed, 11 Nov 2020 23:25:04 +0000
+Subject: [PATCH] Fix remote buffer overflow CERT VU#434904
+
+The problem is in the sort_rrset() function and allows a remote
+attacker to overwrite memory. Any dnsmasq instance with DNSSEC
+enabled is vulnerable.
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+---
+ CHANGELOG | 7 +-
+ src/dnssec.c | 273 ++++++++++++++++++++++++++++-----------------------
+ 2 files changed, 158 insertions(+), 122 deletions(-)
+
+CVE: CVE-2020-25681
+CVE: CVE-2020-25682
+CVE: CVE-2020-25683
+CVE: CVE-2020-25687
+Upstream-Status: Backport [https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=patch;h=4e96a4be685c9e4445f6ee79ad0b36b9119b502a]
+Comment: Refreshed first two hunks
+
+Index: dnsmasq-2.81/src/dnssec.c
+===================================================================
+--- dnsmasq-2.81.orig/src/dnssec.c
++++ dnsmasq-2.81/src/dnssec.c
+@@ -223,138 +223,144 @@ static int check_date_range(unsigned lon
+ && serial_compare_32(curtime, date_end) == SERIAL_LT;
+ }
+
+-/* Return bytes of canonicalised rdata, when the return value is zero, the remaining
+- data, pointed to by *p, should be used raw. */
+-static int get_rdata(struct dns_header *header, size_t plen, unsigned char *end, char *buff, int bufflen,
+- unsigned char **p, u16 **desc)
++/* Return bytes of canonicalised rrdata one by one.
++ Init state->ip with the RR, and state->end with the end of same.
++ Init state->op to NULL.
++ Init state->desc to RR descriptor.
++ Init state->buff with a MAXDNAME * 2 buffer.
++
++ After each call which returns 1, state->op points to the next byte of data.
++ On returning 0, the end has been reached.
++*/
++struct rdata_state {
++ u16 *desc;
++ size_t c;
++ unsigned char *end, *ip, *op;
++ char *buff;
++};
++
++static int get_rdata(struct dns_header *header, size_t plen, struct rdata_state *state)
+ {
+- int d = **desc;
++ int d;
+
+- /* No more data needs mangling */
+- if (d == (u16)-1)
++ if (state->op && state->c != 1)
+ {
+- /* If there's more data than we have space for, just return what fits,
+- we'll get called again for more chunks */
+- if (end - *p > bufflen)
+- {
+- memcpy(buff, *p, bufflen);
+- *p += bufflen;
+- return bufflen;
+- }
+-
+- return 0;
++ state->op++;
++ state->c--;
++ return 1;
+ }
+-
+- (*desc)++;
+-
+- if (d == 0 && extract_name(header, plen, p, buff, 1, 0))
+- /* domain-name, canonicalise */
+- return to_wire(buff);
+- else
+- {
+- /* plain data preceding a domain-name, don't run off the end of the data */
+- if ((end - *p) < d)
+- d = end - *p;
+-
+- if (d != 0)
++
++ while (1)
++ {
++ d = *(state->desc);
++ if (d == (u16)-1)
+ {
+- memcpy(buff, *p, d);
+- *p += d;
++ /* all the bytes to the end. */
++ if ((state->c = state->end - state->ip) != 0)
++ {
++ state->op = state->ip;
++ state->ip = state->end;;
++ }
++ else
++ return 0;
++ }
++ else
++ {
++ state->desc++;
++
++ if (d == (u16)0)
++ {
++ /* domain-name, canonicalise */
++ int len;
++
++ if (!extract_name(header, plen, &state->ip, state->buff, 1, 0) ||
++ (len = to_wire(state->buff)) == 0)
++ continue;
++
++ state->c = len;
++ state->op = (unsigned char *)state->buff;
++ }
++ else
++ {
++ /* plain data preceding a domain-name, don't run off the end of the data */
++ if ((state->end - state->ip) < d)
++ d = state->end - state->ip;
++
++ if (d == 0)
++ continue;
++
++ state->op = state->ip;
++ state->c = d;
++ state->ip += d;
++ }
+ }
+
+- return d;
++ return 1;
+ }
+ }
+
+-/* Bubble sort the RRset into the canonical order.
+- Note that the byte-streams from two RRs may get unsynced: consider
+- RRs which have two domain-names at the start and then other data.
+- The domain-names may have different lengths in each RR, but sort equal
+-
+- ------------
+- |abcde|fghi|
+- ------------
+- |abcd|efghi|
+- ------------
+-
+- leaving the following bytes as deciding the order. Hence the nasty left1 and left2 variables.
+-*/
++/* Bubble sort the RRset into the canonical order. */
+
+ static int sort_rrset(struct dns_header *header, size_t plen, u16 *rr_desc, int rrsetidx,
+ unsigned char **rrset, char *buff1, char *buff2)
+ {
+- int swap, quit, i, j;
++ int swap, i, j;
+
+ do
+ {
+ for (swap = 0, i = 0; i < rrsetidx-1; i++)
+ {
+- int rdlen1, rdlen2, left1, left2, len1, len2, len, rc;
+- u16 *dp1, *dp2;
+- unsigned char *end1, *end2;
++ int rdlen1, rdlen2;
++ struct rdata_state state1, state2;
++
+ /* Note that these have been determined to be OK previously,
+ so we don't need to check for NULL return here. */
+- unsigned char *p1 = skip_name(rrset[i], header, plen, 10);
+- unsigned char *p2 = skip_name(rrset[i+1], header, plen, 10);
+-
+- p1 += 8; /* skip class, type, ttl */
+- GETSHORT(rdlen1, p1);
+- end1 = p1 + rdlen1;
+-
+- p2 += 8; /* skip class, type, ttl */
+- GETSHORT(rdlen2, p2);
+- end2 = p2 + rdlen2;
+-
+- dp1 = dp2 = rr_desc;
+-
+- for (quit = 0, left1 = 0, left2 = 0, len1 = 0, len2 = 0; !quit;)
++ state1.ip = skip_name(rrset[i], header, plen, 10);
++ state2.ip = skip_name(rrset[i+1], header, plen, 10);
++ state1.op = state2.op = NULL;
++ state1.buff = buff1;
++ state2.buff = buff2;
++ state1.desc = state2.desc = rr_desc;
++
++ state1.ip += 8; /* skip class, type, ttl */
++ GETSHORT(rdlen1, state1.ip);
++ if (!CHECK_LEN(header, state1.ip, plen, rdlen1))
++ return rrsetidx; /* short packet */
++ state1.end = state1.ip + rdlen1;
++ state2.ip += 8; /* skip class, type, ttl */
++ GETSHORT(rdlen2, state2.ip);
++ if (!CHECK_LEN(header, state2.ip, plen, rdlen2))
++ return rrsetidx; /* short packet */
++ state2.end = state2.ip + rdlen2;
++
++ while (1)
+ {
+- if (left1 != 0)
+- memmove(buff1, buff1 + len1 - left1, left1);
+-
+- if ((len1 = get_rdata(header, plen, end1, buff1 + left1, (MAXDNAME * 2) - left1, &p1, &dp1)) == 0)
+- {
+- quit = 1;
+- len1 = end1 - p1;
+- memcpy(buff1 + left1, p1, len1);
++ int ok1, ok2;
++ ok1 = get_rdata(header, plen, &state1);
++ ok2 = get_rdata(header, plen, &state2);
++
++ if (!ok1 && !ok2)
++ {
++ /* Two RRs are equal, remove one copy. RFC 4034, para 6.3 */
++ for (j = i+1; j < rrsetidx-1; j++)
++ rrset[j] = rrset[j+1];
++ rrsetidx--;
++ i--;
++ break;
+ }
+- len1 += left1;
+-
+- if (left2 != 0)
+- memmove(buff2, buff2 + len2 - left2, left2);
+-
+- if ((len2 = get_rdata(header, plen, end2, buff2 + left2, (MAXDNAME *2) - left2, &p2, &dp2)) == 0)
+- {
+- quit = 1;
+- len2 = end2 - p2;
+- memcpy(buff2 + left2, p2, len2);
+- }
+- len2 += left2;
+-
+- if (len1 > len2)
+- left1 = len1 - len2, left2 = 0, len = len2;
+- else
+- left2 = len2 - len1, left1 = 0, len = len1;
+-
+- rc = (len == 0) ? 0 : memcmp(buff1, buff2, len);
+-
+- if (rc > 0 || (rc == 0 && quit && len1 > len2))
++ else if (ok1 && (!ok2 || *state1.op > *state2.op))
+ {
+ unsigned char *tmp = rrset[i+1];
+ rrset[i+1] = rrset[i];
+ rrset[i] = tmp;
+- swap = quit = 1;
+- }
+- else if (rc == 0 && quit && len1 == len2)
+- {
+- /* Two RRs are equal, remove one copy. RFC 4034, para 6.3 */
+- for (j = i+1; j < rrsetidx-1; j++)
+- rrset[j] = rrset[j+1];
+- rrsetidx--;
+- i--;
++ swap = 1;
++ break;
+ }
+- else if (rc < 0)
+- quit = 1;
++ else if (ok2 && (!ok1 || *state2.op > *state1.op))
++ break;
++
++ /* arrive here when bytes are equal, go round the loop again
++ and compare the next ones. */
+ }
+ }
+ } while (swap);
+@@ -569,12 +575,15 @@ static int validate_rrset(time_t now, st
+ wire_len = to_wire(keyname);
+ hash->update(ctx, (unsigned int)wire_len, (unsigned char*)keyname);
+ from_wire(keyname);
++
++#define RRBUFLEN 300 /* Most RRs are smaller than this. */
+
+ for (i = 0; i < rrsetidx; ++i)
+ {
+- int seg;
+- unsigned char *end, *cp;
+- u16 len, *dp;
++ int j;
++ struct rdata_state state;
++ u16 len;
++ unsigned char rrbuf[RRBUFLEN];
+
+ p = rrset[i];
+
+@@ -586,12 +595,11 @@ static int validate_rrset(time_t now, st
+ /* if more labels than in RRsig name, hash *.<no labels in rrsig labels field> 4035 5.3.2 */
+ if (labels < name_labels)
+ {
+- int k;
+- for (k = name_labels - labels; k != 0; k--)
++ for (j = name_labels - labels; j != 0; j--)
+ {
+ while (*name_start != '.' && *name_start != 0)
+ name_start++;
+- if (k != 1 && *name_start == '.')
++ if (j != 1 && *name_start == '.')
+ name_start++;
+ }
+
+@@ -612,24 +620,44 @@ static int validate_rrset(time_t now, st
+ if (!CHECK_LEN(header, p, plen, rdlen))
+ return STAT_BOGUS;
+
+- end = p + rdlen;
+-
+- /* canonicalise rdata and calculate length of same, use name buffer as workspace.
+- Note that name buffer is twice MAXDNAME long in DNSSEC mode. */
+- cp = p;
+- dp = rr_desc;
+- for (len = 0; (seg = get_rdata(header, plen, end, name, MAXDNAME * 2, &cp, &dp)) != 0; len += seg);
+- len += end - cp;
+- len = htons(len);
++ /* canonicalise rdata and calculate length of same, use
++ name buffer as workspace for get_rdata. */
++ state.ip = p;
++ state.op = NULL;
++ state.desc = rr_desc;
++ state.buff = name;
++ state.end = p + rdlen;
++
++ for (j = 0; get_rdata(header, plen, &state); j++)
++ if (j < RRBUFLEN)
++ rrbuf[j] = *state.op;
++
++ len = htons((u16)j);
+ hash->update(ctx, 2, (unsigned char *)&len);
++
++ /* If the RR is shorter than RRBUFLEN (most of them, in practice)
++ then we can just digest it now. If it exceeds RRBUFLEN we have to
++ go back to the start and do it in chunks. */
++ if (j >= RRBUFLEN)
++ {
++ state.ip = p;
++ state.op = NULL;
++ state.desc = rr_desc;
++
++ for (j = 0; get_rdata(header, plen, &state); j++)
++ {
++ rrbuf[j] = *state.op;
++
++ if (j == RRBUFLEN - 1)
++ {
++ hash->update(ctx, RRBUFLEN, rrbuf);
++ j = -1;
++ }
++ }
++ }
+
+- /* Now canonicalise again and digest. */
+- cp = p;
+- dp = rr_desc;
+- while ((seg = get_rdata(header, plen, end, name, MAXDNAME * 2, &cp, &dp)))
+- hash->update(ctx, seg, (unsigned char *)name);
+- if (cp != end)
+- hash->update(ctx, end - cp, cp);
++ if (j != 0)
++ hash->update(ctx, j, rrbuf);
+ }
+
+ hash->digest(ctx, hash->digest_size, digest);
diff --git a/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25684.patch b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25684.patch
new file mode 100644
index 0000000000..f7ff4b27cc
--- /dev/null
+++ b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25684.patch
@@ -0,0 +1,98 @@
+From 257ac0c5f7732cbc6aa96fdd3b06602234593aca Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Thu, 12 Nov 2020 18:49:23 +0000
+Subject: [PATCH] Check destination of DNS UDP query replies.
+
+At any time, dnsmasq will have a set of sockets open, bound to
+random ports, on which it sends queries to upstream nameservers.
+This patch fixes the existing problem that a reply for ANY in-flight
+query would be accepted via ANY open port, which increases the
+chances of an attacker flooding answers "in the blind" in an
+attempt to poison the DNS cache. CERT VU#434904 refers.
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+---
+ CHANGELOG | 6 +++++-
+ src/forward.c | 37 ++++++++++++++++++++++++++++---------
+ 2 files changed, 33 insertions(+), 10 deletions(-)
+
+CVE: CVE-2020-25684
+Upstream-Status: Backport [https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=patch;h=257ac0c5f7732cbc6aa96fdd3b06602234593aca]
+Comment: No change in any hunk
+
+Index: dnsmasq-2.81/src/forward.c
+===================================================================
+--- dnsmasq-2.81.orig/src/forward.c
++++ dnsmasq-2.81/src/forward.c
+@@ -16,7 +16,7 @@
+
+ #include "dnsmasq.h"
+
+-static struct frec *lookup_frec(unsigned short id, void *hash);
++static struct frec *lookup_frec(unsigned short id, int fd, int family, void *hash);
+ static struct frec *lookup_frec_by_sender(unsigned short id,
+ union mysockaddr *addr,
+ void *hash);
+@@ -805,7 +805,7 @@ void reply_query(int fd, int family, tim
+ crc = questions_crc(header, n, daemon->namebuff);
+ #endif
+
+- if (!(forward = lookup_frec(ntohs(header->id), hash)))
++ if (!(forward = lookup_frec(ntohs(header->id), fd, family, hash)))
+ return;
+
+ #ifdef HAVE_DUMPFILE
+@@ -2338,14 +2338,25 @@ struct frec *get_new_frec(time_t now, in
+ }
+
+ /* crc is all-ones if not known. */
+-static struct frec *lookup_frec(unsigned short id, void *hash)
++static struct frec *lookup_frec(unsigned short id, int fd, int family, void *hash)
+ {
+ struct frec *f;
+
+ for(f = daemon->frec_list; f; f = f->next)
+ if (f->sentto && f->new_id == id &&
+ (!hash || memcmp(hash, f->hash, HASH_SIZE) == 0))
+- return f;
++ {
++ /* sent from random port */
++ if (family == AF_INET && f->rfd4 && f->rfd4->fd == fd)
++ return f;
++
++ if (family == AF_INET6 && f->rfd6 && f->rfd6->fd == fd)
++ return f;
++
++ /* sent to upstream from bound socket. */
++ if (f->sentto->sfd && f->sentto->sfd->fd == fd)
++ return f;
++ }
+
+ return NULL;
+ }
+@@ -2406,12 +2417,20 @@ void server_gone(struct server *server)
+ static unsigned short get_id(void)
+ {
+ unsigned short ret = 0;
++ struct frec *f;
+
+- do
+- ret = rand16();
+- while (lookup_frec(ret, NULL));
+-
+- return ret;
++ while (1)
++ {
++ ret = rand16();
++
++ /* ensure id is unique. */
++ for (f = daemon->frec_list; f; f = f->next)
++ if (f->sentto && f->new_id == ret)
++ break;
++
++ if (!f)
++ return ret;
++ }
+ }
+
+
diff --git a/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25685-1.patch b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25685-1.patch
new file mode 100644
index 0000000000..5eb582c671
--- /dev/null
+++ b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25685-1.patch
@@ -0,0 +1,587 @@
+From 2d765867c597db18be9d876c9c17e2c0fe1953cd Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Thu, 12 Nov 2020 22:06:07 +0000
+Subject: [PATCH] Use SHA-256 to provide security against DNS cache poisoning.
+
+Use the SHA-256 hash function to verify that DNS answers
+received are for the questions originally asked. This replaces
+the slightly insecure SHA-1 (when compiled with DNSSEC) or
+the very insecure CRC32 (otherwise). Refer: CERT VU#434904.
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+---
+ CHANGELOG | 5 +
+ Makefile | 3 +-
+ bld/Android.mk | 2 +-
+ src/dnsmasq.h | 11 +-
+ src/dnssec.c | 31 -----
+ src/forward.c | 43 ++-----
+ src/hash_questions.c | 281 +++++++++++++++++++++++++++++++++++++++++++
+ src/rfc1035.c | 49 --------
+ 8 files changed, 301 insertions(+), 124 deletions(-)
+ create mode 100644 src/hash_questions.c
+
+CVE: CVE-2020-25685
+Upstream-Status: Backport [https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=patch;h=2024f9729713fd657d65e64c2e4e471baa0a3e5b]
+Comment: No change in any hunk
+
+Index: dnsmasq-2.81/Makefile
+===================================================================
+--- dnsmasq-2.81.orig/Makefile
++++ dnsmasq-2.81/Makefile
+@@ -77,7 +77,8 @@ objs = cache.o rfc1035.o util.o option.o
+ helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o \
+ dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o \
+ domain.o dnssec.o blockdata.o tables.o loop.o inotify.o \
+- poll.o rrfilter.o edns0.o arp.o crypto.o dump.o ubus.o metrics.o
++ poll.o rrfilter.o edns0.o arp.o crypto.o dump.o ubus.o \
++ metrics.o hash_questions.o
+
+ hdrs = dnsmasq.h config.h dhcp-protocol.h dhcp6-protocol.h \
+ dns-protocol.h radv-protocol.h ip6addr.h metrics.h
+Index: dnsmasq-2.81/bld/Android.mk
+===================================================================
+--- dnsmasq-2.81.orig/bld/Android.mk
++++ dnsmasq-2.81/bld/Android.mk
+@@ -11,7 +11,7 @@ LOCAL_SRC_FILES := bpf.c cache.c dbus.c
+ radv.c slaac.c auth.c ipset.c domain.c \
+ dnssec.c dnssec-openssl.c blockdata.c tables.c \
+ loop.c inotify.c poll.c rrfilter.c edns0.c arp.c \
+- crypto.c dump.c ubus.c
++ crypto.c dump.c ubus.c metrics.c hash_questions.c
+
+ LOCAL_MODULE := dnsmasq
+
+Index: dnsmasq-2.81/src/dnsmasq.h
+===================================================================
+--- dnsmasq-2.81.orig/src/dnsmasq.h
++++ dnsmasq-2.81/src/dnsmasq.h
+@@ -654,11 +654,7 @@ struct hostsfile {
+ #define FREC_TEST_PKTSZ 256
+ #define FREC_HAS_EXTRADATA 512
+
+-#ifdef HAVE_DNSSEC
+-#define HASH_SIZE 20 /* SHA-1 digest size */
+-#else
+-#define HASH_SIZE sizeof(int)
+-#endif
++#define HASH_SIZE 32 /* SHA-256 digest size */
+
+ struct frec {
+ union mysockaddr source;
+@@ -1218,7 +1214,6 @@ int check_for_bogus_wildcard(struct dns_
+ struct bogus_addr *baddr, time_t now);
+ int check_for_ignored_address(struct dns_header *header, size_t qlen, struct bogus_addr *baddr);
+ int check_for_local_domain(char *name, time_t now);
+-unsigned int questions_crc(struct dns_header *header, size_t plen, char *name);
+ size_t resize_packet(struct dns_header *header, size_t plen,
+ unsigned char *pheader, size_t hlen);
+ int add_resource_record(struct dns_header *header, char *limit, int *truncp,
+@@ -1243,9 +1238,11 @@ int dnssec_validate_reply(time_t now, st
+ int check_unsigned, int *neganswer, int *nons, int *nsec_ttl);
+ int dnskey_keytag(int alg, int flags, unsigned char *key, int keylen);
+ size_t filter_rrsigs(struct dns_header *header, size_t plen);
+-unsigned char* hash_questions(struct dns_header *header, size_t plen, char *name);
+ int setup_timestamp(void);
+
++/* hash_questions.c */
++unsigned char *hash_questions(struct dns_header *header, size_t plen, char *name);
++
+ /* crypto.c */
+ const struct nettle_hash *hash_find(char *name);
+ int hash_init(const struct nettle_hash *hash, void **ctxp, unsigned char **digestp);
+Index: dnsmasq-2.81/src/dnssec.c
+===================================================================
+--- dnsmasq-2.81.orig/src/dnssec.c
++++ dnsmasq-2.81/src/dnssec.c
+@@ -2084,35 +2084,4 @@ size_t dnssec_generate_query(struct dns_
+ return ret;
+ }
+
+-unsigned char* hash_questions(struct dns_header *header, size_t plen, char *name)
+-{
+- int q;
+- unsigned int len;
+- unsigned char *p = (unsigned char *)(header+1);
+- const struct nettle_hash *hash;
+- void *ctx;
+- unsigned char *digest;
+-
+- if (!(hash = hash_find("sha1")) || !hash_init(hash, &ctx, &digest))
+- return NULL;
+-
+- for (q = ntohs(header->qdcount); q != 0; q--)
+- {
+- if (!extract_name(header, plen, &p, name, 1, 4))
+- break; /* bad packet */
+-
+- len = to_wire(name);
+- hash->update(ctx, len, (unsigned char *)name);
+- /* CRC the class and type as well */
+- hash->update(ctx, 4, p);
+-
+- p += 4;
+- if (!CHECK_LEN(header, p, plen, 0))
+- break; /* bad packet */
+- }
+-
+- hash->digest(ctx, hash->digest_size, digest);
+- return digest;
+-}
+-
+ #endif /* HAVE_DNSSEC */
+Index: dnsmasq-2.81/src/forward.c
+===================================================================
+--- dnsmasq-2.81.orig/src/forward.c
++++ dnsmasq-2.81/src/forward.c
+@@ -256,19 +256,16 @@ static int forward_query(int udpfd, unio
+ union all_addr *addrp = NULL;
+ unsigned int flags = 0;
+ struct server *start = NULL;
+-#ifdef HAVE_DNSSEC
+ void *hash = hash_questions(header, plen, daemon->namebuff);
++#ifdef HAVE_DNSSEC
+ int do_dnssec = 0;
+-#else
+- unsigned int crc = questions_crc(header, plen, daemon->namebuff);
+- void *hash = &crc;
+ #endif
+ unsigned int gotname = extract_request(header, plen, daemon->namebuff, NULL);
+ unsigned char *oph = find_pseudoheader(header, plen, NULL, NULL, NULL, NULL);
+ (void)do_bit;
+
+ /* may be no servers available. */
+- if (forward || (hash && (forward = lookup_frec_by_sender(ntohs(header->id), udpaddr, hash))))
++ if (forward || (forward = lookup_frec_by_sender(ntohs(header->id), udpaddr, hash)))
+ {
+ /* If we didn't get an answer advertising a maximal packet in EDNS,
+ fall back to 1280, which should work everywhere on IPv6.
+@@ -769,9 +766,6 @@ void reply_query(int fd, int family, tim
+ size_t nn;
+ struct server *server;
+ void *hash;
+-#ifndef HAVE_DNSSEC
+- unsigned int crc;
+-#endif
+
+ /* packet buffer overwritten */
+ daemon->srv_save = NULL;
+@@ -798,12 +792,7 @@ void reply_query(int fd, int family, tim
+ if (difftime(now, server->pktsz_reduced) > UDP_TEST_TIME)
+ server->edns_pktsz = daemon->edns_pktsz;
+
+-#ifdef HAVE_DNSSEC
+ hash = hash_questions(header, n, daemon->namebuff);
+-#else
+- hash = &crc;
+- crc = questions_crc(header, n, daemon->namebuff);
+-#endif
+
+ if (!(forward = lookup_frec(ntohs(header->id), fd, family, hash)))
+ return;
+@@ -1115,8 +1104,7 @@ void reply_query(int fd, int family, tim
+ log_query(F_NOEXTRA | F_DNSSEC | F_IPV6, daemon->keyname, (union all_addr *)&(server->addr.in6.sin6_addr),
+ querystr("dnssec-query", querytype));
+
+- if ((hash = hash_questions(header, nn, daemon->namebuff)))
+- memcpy(new->hash, hash, HASH_SIZE);
++ memcpy(new->hash, hash_questions(header, nn, daemon->namebuff), HASH_SIZE);
+ new->new_id = get_id();
+ header->id = htons(new->new_id);
+ /* Save query for retransmission */
+@@ -1969,15 +1957,9 @@ unsigned char *tcp_request(int confd, ti
+ if (!flags && last_server)
+ {
+ struct server *firstsendto = NULL;
+-#ifdef HAVE_DNSSEC
+- unsigned char *newhash, hash[HASH_SIZE];
+- if ((newhash = hash_questions(header, (unsigned int)size, daemon->namebuff)))
+- memcpy(hash, newhash, HASH_SIZE);
+- else
+- memset(hash, 0, HASH_SIZE);
+-#else
+- unsigned int crc = questions_crc(header, (unsigned int)size, daemon->namebuff);
+-#endif
++ unsigned char hash[HASH_SIZE];
++ memcpy(hash, hash_questions(header, (unsigned int)size, daemon->namebuff), HASH_SIZE);
++
+ /* Loop round available servers until we succeed in connecting to one.
+ Note that this code subtly ensures that consecutive queries on this connection
+ which can go to the same server, do so. */
+@@ -2116,20 +2098,11 @@ unsigned char *tcp_request(int confd, ti
+ /* If the crc of the question section doesn't match the crc we sent, then
+ someone might be attempting to insert bogus values into the cache by
+ sending replies containing questions and bogus answers. */
+-#ifdef HAVE_DNSSEC
+- newhash = hash_questions(header, (unsigned int)m, daemon->namebuff);
+- if (!newhash || memcmp(hash, newhash, HASH_SIZE) != 0)
++ if (memcmp(hash, hash_questions(header, (unsigned int)m, daemon->namebuff), HASH_SIZE) != 0)
+ {
+ m = 0;
+ break;
+ }
+-#else
+- if (crc != questions_crc(header, (unsigned int)m, daemon->namebuff))
+- {
+- m = 0;
+- break;
+- }
+-#endif
+
+ m = process_reply(header, now, last_server, (unsigned int)m,
+ option_bool(OPT_NO_REBIND) && !norebind, no_cache_dnssec, cache_secure, bogusanswer,
+@@ -2344,7 +2317,7 @@ static struct frec *lookup_frec(unsigned
+
+ for(f = daemon->frec_list; f; f = f->next)
+ if (f->sentto && f->new_id == id &&
+- (!hash || memcmp(hash, f->hash, HASH_SIZE) == 0))
++ (memcmp(hash, f->hash, HASH_SIZE) == 0))
+ {
+ /* sent from random port */
+ if (family == AF_INET && f->rfd4 && f->rfd4->fd == fd)
+Index: dnsmasq-2.81/src/hash_questions.c
+===================================================================
+--- /dev/null
++++ dnsmasq-2.81/src/hash_questions.c
+@@ -0,0 +1,281 @@
++/* Copyright (c) 2012-2020 Simon Kelley
++
++ This program is free software; you can redistribute it and/or modify
++ it under the terms of the GNU General Public License as published by
++ the Free Software Foundation; version 2 dated June, 1991, or
++ (at your option) version 3 dated 29 June, 2007.
++
++ This program is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ GNU General Public License for more details.
++
++ You should have received a copy of the GNU General Public License
++ along with this program. If not, see <http://www.gnu.org/licenses/>.
++*/
++
++
++/* Hash the question section. This is used to safely detect query
++ retransmission and to detect answers to questions we didn't ask, which
++ might be poisoning attacks. Note that we decode the name rather
++ than CRC the raw bytes, since replies might be compressed differently.
++ We ignore case in the names for the same reason.
++
++ The hash used is SHA-256. If we're building with DNSSEC support,
++ we use the Nettle cypto library. If not, we prefer not to
++ add a dependency on Nettle, and use a stand-alone implementaion.
++*/
++
++#include "dnsmasq.h"
++
++#ifdef HAVE_DNSSEC
++unsigned char *hash_questions(struct dns_header *header, size_t plen, char *name)
++{
++ int q;
++ unsigned char *p = (unsigned char *)(header+1);
++ const struct nettle_hash *hash;
++ void *ctx;
++ unsigned char *digest;
++
++ if (!(hash = hash_find("sha256")) || !hash_init(hash, &ctx, &digest))
++ {
++ /* don't think this can ever happen. */
++ static unsigned char dummy[HASH_SIZE];
++ static int warned = 0;
++
++ if (warned)
++ my_syslog(LOG_ERR, _("Failed to create SHA-256 hash object"));
++ warned = 1;
++
++ return dummy;
++ }
++
++ for (q = ntohs(header->qdcount); q != 0; q--)
++ {
++ char *cp, c;
++
++ if (!extract_name(header, plen, &p, name, 1, 4))
++ break; /* bad packet */
++
++ for (cp = name; (c = *cp); cp++)
++ if (c >= 'A' && c <= 'Z')
++ *cp += 'a' - 'A';
++
++ hash->update(ctx, cp - name, (unsigned char *)name);
++ /* CRC the class and type as well */
++ hash->update(ctx, 4, p);
++
++ p += 4;
++ if (!CHECK_LEN(header, p, plen, 0))
++ break; /* bad packet */
++ }
++
++ hash->digest(ctx, hash->digest_size, digest);
++ return digest;
++}
++
++#else /* HAVE_DNSSEC */
++
++#define SHA256_BLOCK_SIZE 32 // SHA256 outputs a 32 byte digest
++typedef unsigned char BYTE; // 8-bit byte
++typedef unsigned int WORD; // 32-bit word, change to "long" for 16-bit machines
++
++typedef struct {
++ BYTE data[64];
++ WORD datalen;
++ unsigned long long bitlen;
++ WORD state[8];
++} SHA256_CTX;
++
++static void sha256_init(SHA256_CTX *ctx);
++static void sha256_update(SHA256_CTX *ctx, const BYTE data[], size_t len);
++static void sha256_final(SHA256_CTX *ctx, BYTE hash[]);
++
++
++unsigned char *hash_questions(struct dns_header *header, size_t plen, char *name)
++{
++ int q;
++ unsigned char *p = (unsigned char *)(header+1);
++ SHA256_CTX ctx;
++ static BYTE digest[SHA256_BLOCK_SIZE];
++
++ sha256_init(&ctx);
++
++ for (q = ntohs(header->qdcount); q != 0; q--)
++ {
++ char *cp, c;
++
++ if (!extract_name(header, plen, &p, name, 1, 4))
++ break; /* bad packet */
++
++ for (cp = name; (c = *cp); cp++)
++ if (c >= 'A' && c <= 'Z')
++ *cp += 'a' - 'A';
++
++ sha256_update(&ctx, (BYTE *)name, cp - name);
++ /* CRC the class and type as well */
++ sha256_update(&ctx, (BYTE *)p, 4);
++
++ p += 4;
++ if (!CHECK_LEN(header, p, plen, 0))
++ break; /* bad packet */
++ }
++
++ sha256_final(&ctx, digest);
++ return (unsigned char *)digest;
++}
++
++/* Code from here onwards comes from https://github.com/B-Con/crypto-algorithms
++ and was written by Brad Conte (brad@bradconte.com), to whom all credit is given.
++
++ This code is in the public domain, and the copyright notice at the head of this
++ file does not apply to it.
++*/
++
++
++/****************************** MACROS ******************************/
++#define ROTLEFT(a,b) (((a) << (b)) | ((a) >> (32-(b))))
++#define ROTRIGHT(a,b) (((a) >> (b)) | ((a) << (32-(b))))
++
++#define CH(x,y,z) (((x) & (y)) ^ (~(x) & (z)))
++#define MAJ(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
++#define EP0(x) (ROTRIGHT(x,2) ^ ROTRIGHT(x,13) ^ ROTRIGHT(x,22))
++#define EP1(x) (ROTRIGHT(x,6) ^ ROTRIGHT(x,11) ^ ROTRIGHT(x,25))
++#define SIG0(x) (ROTRIGHT(x,7) ^ ROTRIGHT(x,18) ^ ((x) >> 3))
++#define SIG1(x) (ROTRIGHT(x,17) ^ ROTRIGHT(x,19) ^ ((x) >> 10))
++
++/**************************** VARIABLES *****************************/
++static const WORD k[64] = {
++ 0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5,0x3956c25b,0x59f111f1,0x923f82a4,0xab1c5ed5,
++ 0xd807aa98,0x12835b01,0x243185be,0x550c7dc3,0x72be5d74,0x80deb1fe,0x9bdc06a7,0xc19bf174,
++ 0xe49b69c1,0xefbe4786,0x0fc19dc6,0x240ca1cc,0x2de92c6f,0x4a7484aa,0x5cb0a9dc,0x76f988da,
++ 0x983e5152,0xa831c66d,0xb00327c8,0xbf597fc7,0xc6e00bf3,0xd5a79147,0x06ca6351,0x14292967,
++ 0x27b70a85,0x2e1b2138,0x4d2c6dfc,0x53380d13,0x650a7354,0x766a0abb,0x81c2c92e,0x92722c85,
++ 0xa2bfe8a1,0xa81a664b,0xc24b8b70,0xc76c51a3,0xd192e819,0xd6990624,0xf40e3585,0x106aa070,
++ 0x19a4c116,0x1e376c08,0x2748774c,0x34b0bcb5,0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3,
++ 0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208,0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2
++};
++
++/*********************** FUNCTION DEFINITIONS ***********************/
++static void sha256_transform(SHA256_CTX *ctx, const BYTE data[])
++{
++ WORD a, b, c, d, e, f, g, h, i, j, t1, t2, m[64];
++
++ for (i = 0, j = 0; i < 16; ++i, j += 4)
++ m[i] = (data[j] << 24) | (data[j + 1] << 16) | (data[j + 2] << 8) | (data[j + 3]);
++ for ( ; i < 64; ++i)
++ m[i] = SIG1(m[i - 2]) + m[i - 7] + SIG0(m[i - 15]) + m[i - 16];
++
++ a = ctx->state[0];
++ b = ctx->state[1];
++ c = ctx->state[2];
++ d = ctx->state[3];
++ e = ctx->state[4];
++ f = ctx->state[5];
++ g = ctx->state[6];
++ h = ctx->state[7];
++
++ for (i = 0; i < 64; ++i)
++ {
++ t1 = h + EP1(e) + CH(e,f,g) + k[i] + m[i];
++ t2 = EP0(a) + MAJ(a,b,c);
++ h = g;
++ g = f;
++ f = e;
++ e = d + t1;
++ d = c;
++ c = b;
++ b = a;
++ a = t1 + t2;
++ }
++
++ ctx->state[0] += a;
++ ctx->state[1] += b;
++ ctx->state[2] += c;
++ ctx->state[3] += d;
++ ctx->state[4] += e;
++ ctx->state[5] += f;
++ ctx->state[6] += g;
++ ctx->state[7] += h;
++}
++
++static void sha256_init(SHA256_CTX *ctx)
++{
++ ctx->datalen = 0;
++ ctx->bitlen = 0;
++ ctx->state[0] = 0x6a09e667;
++ ctx->state[1] = 0xbb67ae85;
++ ctx->state[2] = 0x3c6ef372;
++ ctx->state[3] = 0xa54ff53a;
++ ctx->state[4] = 0x510e527f;
++ ctx->state[5] = 0x9b05688c;
++ ctx->state[6] = 0x1f83d9ab;
++ ctx->state[7] = 0x5be0cd19;
++}
++
++static void sha256_update(SHA256_CTX *ctx, const BYTE data[], size_t len)
++{
++ WORD i;
++
++ for (i = 0; i < len; ++i)
++ {
++ ctx->data[ctx->datalen] = data[i];
++ ctx->datalen++;
++ if (ctx->datalen == 64) {
++ sha256_transform(ctx, ctx->data);
++ ctx->bitlen += 512;
++ ctx->datalen = 0;
++ }
++ }
++}
++
++static void sha256_final(SHA256_CTX *ctx, BYTE hash[])
++{
++ WORD i;
++
++ i = ctx->datalen;
++
++ // Pad whatever data is left in the buffer.
++ if (ctx->datalen < 56)
++ {
++ ctx->data[i++] = 0x80;
++ while (i < 56)
++ ctx->data[i++] = 0x00;
++ }
++ else
++ {
++ ctx->data[i++] = 0x80;
++ while (i < 64)
++ ctx->data[i++] = 0x00;
++ sha256_transform(ctx, ctx->data);
++ memset(ctx->data, 0, 56);
++ }
++
++ // Append to the padding the total message's length in bits and transform.
++ ctx->bitlen += ctx->datalen * 8;
++ ctx->data[63] = ctx->bitlen;
++ ctx->data[62] = ctx->bitlen >> 8;
++ ctx->data[61] = ctx->bitlen >> 16;
++ ctx->data[60] = ctx->bitlen >> 24;
++ ctx->data[59] = ctx->bitlen >> 32;
++ ctx->data[58] = ctx->bitlen >> 40;
++ ctx->data[57] = ctx->bitlen >> 48;
++ ctx->data[56] = ctx->bitlen >> 56;
++ sha256_transform(ctx, ctx->data);
++
++ // Since this implementation uses little endian byte ordering and SHA uses big endian,
++ // reverse all the bytes when copying the final state to the output hash.
++ for (i = 0; i < 4; ++i)
++ {
++ hash[i] = (ctx->state[0] >> (24 - i * 8)) & 0x000000ff;
++ hash[i + 4] = (ctx->state[1] >> (24 - i * 8)) & 0x000000ff;
++ hash[i + 8] = (ctx->state[2] >> (24 - i * 8)) & 0x000000ff;
++ hash[i + 12] = (ctx->state[3] >> (24 - i * 8)) & 0x000000ff;
++ hash[i + 16] = (ctx->state[4] >> (24 - i * 8)) & 0x000000ff;
++ hash[i + 20] = (ctx->state[5] >> (24 - i * 8)) & 0x000000ff;
++ hash[i + 24] = (ctx->state[6] >> (24 - i * 8)) & 0x000000ff;
++ hash[i + 28] = (ctx->state[7] >> (24 - i * 8)) & 0x000000ff;
++ }
++}
++
++#endif
+Index: dnsmasq-2.81/src/rfc1035.c
+===================================================================
+--- dnsmasq-2.81.orig/src/rfc1035.c
++++ dnsmasq-2.81/src/rfc1035.c
+@@ -333,55 +333,6 @@ unsigned char *skip_section(unsigned cha
+ return ansp;
+ }
+
+-/* CRC the question section. This is used to safely detect query
+- retransmission and to detect answers to questions we didn't ask, which
+- might be poisoning attacks. Note that we decode the name rather
+- than CRC the raw bytes, since replies might be compressed differently.
+- We ignore case in the names for the same reason. Return all-ones
+- if there is not question section. */
+-#ifndef HAVE_DNSSEC
+-unsigned int questions_crc(struct dns_header *header, size_t plen, char *name)
+-{
+- int q;
+- unsigned int crc = 0xffffffff;
+- unsigned char *p1, *p = (unsigned char *)(header+1);
+-
+- for (q = ntohs(header->qdcount); q != 0; q--)
+- {
+- if (!extract_name(header, plen, &p, name, 1, 4))
+- return crc; /* bad packet */
+-
+- for (p1 = (unsigned char *)name; *p1; p1++)
+- {
+- int i = 8;
+- char c = *p1;
+-
+- if (c >= 'A' && c <= 'Z')
+- c += 'a' - 'A';
+-
+- crc ^= c << 24;
+- while (i--)
+- crc = crc & 0x80000000 ? (crc << 1) ^ 0x04c11db7 : crc << 1;
+- }
+-
+- /* CRC the class and type as well */
+- for (p1 = p; p1 < p+4; p1++)
+- {
+- int i = 8;
+- crc ^= *p1 << 24;
+- while (i--)
+- crc = crc & 0x80000000 ? (crc << 1) ^ 0x04c11db7 : crc << 1;
+- }
+-
+- p += 4;
+- if (!CHECK_LEN(header, p, plen, 0))
+- return crc; /* bad packet */
+- }
+-
+- return crc;
+-}
+-#endif
+-
+ size_t resize_packet(struct dns_header *header, size_t plen, unsigned char *pheader, size_t hlen)
+ {
+ unsigned char *ansp = skip_questions(header, plen);
diff --git a/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25685-2.patch b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25685-2.patch
new file mode 100644
index 0000000000..302c42ccca
--- /dev/null
+++ b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25685-2.patch
@@ -0,0 +1,175 @@
+From 2024f9729713fd657d65e64c2e4e471baa0a3e5b Mon Sep 17 00:00:00 2001
+From: =?utf8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Wed, 25 Nov 2020 17:18:55 +0100
+Subject: [PATCH] Support hash function from nettle (only)
+
+Unlike COPTS=-DHAVE_DNSSEC, allow usage of just sha256 function from
+nettle, but keep DNSSEC disabled at build time. Skips use of internal
+hash implementation without support for validation built-in.
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+---
+ Makefile | 8 +++++---
+ bld/pkg-wrapper | 41 ++++++++++++++++++++++-------------------
+ src/config.h | 8 ++++++++
+ src/crypto.c | 7 +++++++
+ src/dnsmasq.h | 2 +-
+ src/hash_questions.c | 2 +-
+ 6 files changed, 44 insertions(+), 24 deletions(-)
+
+CVE: CVE-2020-25685
+Upstream-Status: Backport [https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=patch;h=2024f9729713fd657d65e64c2e4e471baa0a3e5b]
+Comment: Refreshed a hunk from pkg-wrapper and second hunk from Makefile
+
+Index: dnsmasq-2.81/Makefile
+===================================================================
+--- dnsmasq-2.81.orig/Makefile
++++ dnsmasq-2.81/Makefile
+@@ -53,7 +53,7 @@ top?=$(CURDIR)
+
+ dbus_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DBUS $(PKG_CONFIG) --cflags dbus-1`
+ dbus_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DBUS $(PKG_CONFIG) --libs dbus-1`
+-ubus_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_UBUS "" --copy -lubox -lubus`
++ubus_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_UBUS "" --copy '-lubox -lubus'`
+ idn_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_IDN $(PKG_CONFIG) --cflags libidn`
+ idn_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_IDN $(PKG_CONFIG) --libs libidn`
+ idn2_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LIBIDN2 $(PKG_CONFIG) --cflags libidn2`
+@@ -62,8 +62,10 @@ ct_cflags = `echo $(COPTS) | $(top)/
+ ct_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_CONNTRACK $(PKG_CONFIG) --libs libnetfilter_conntrack`
+ lua_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --cflags lua`
+ lua_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --libs lua`
+-nettle_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --cflags nettle hogweed`
+-nettle_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --libs nettle hogweed`
++nettle_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --cflags 'nettle hogweed' \
++ HAVE_NETTLEHASH $(PKG_CONFIG) --cflags nettle`
++nettle_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --libs 'nettle hogweed' \
++ HAVE_NETTLEHASH $(PKG_CONFIG) --libs nettle`
+ gmp_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC NO_GMP --copy -lgmp`
+ sunos_libs = `if uname | grep SunOS >/dev/null 2>&1; then echo -lsocket -lnsl -lposix4; fi`
+ version = -DVERSION='\"`$(top)/bld/get-version $(top)`\"'
+Index: dnsmasq-2.81/bld/pkg-wrapper
+===================================================================
+--- dnsmasq-2.81.orig/bld/pkg-wrapper
++++ dnsmasq-2.81/bld/pkg-wrapper
+@@ -1,35 +1,37 @@
+ #!/bin/sh
+
+-search=$1
+-shift
+-pkg=$1
+-shift
+-op=$1
+-shift
+-
+ in=`cat`
+
+-if grep "^\#[[:space:]]*define[[:space:]]*$search" config.h >/dev/null 2>&1 || \
+- echo $in | grep $search >/dev/null 2>&1; then
++search()
++{
++ grep "^\#[[:space:]]*define[[:space:]]*$1" config.h >/dev/null 2>&1 || \
++ echo $in | grep $1 >/dev/null 2>&1
++}
++
++while [ "$#" -gt 0 ]; do
++ search=$1
++ pkg=$2
++ op=$3
++ lib=$4
++ shift 4
++if search "$search"; then
++
+ # Nasty, nasty, in --copy, arg 2 (if non-empty) is another config to search for, used with NO_GMP
+ if [ $op = "--copy" ]; then
+ if [ -z "$pkg" ]; then
+- pkg="$*"
+- elif grep "^\#[[:space:]]*define[[:space:]]*$pkg" config.h >/dev/null 2>&1 || \
+- echo $in | grep $pkg >/dev/null 2>&1; then
++ pkg="$lib"
++ elif search "$pkg"; then
+ pkg=""
+ else
+- pkg="$*"
++ pkg="$lib"
+ fi
+- elif grep "^\#[[:space:]]*define[[:space:]]*${search}_STATIC" config.h >/dev/null 2>&1 || \
+- echo $in | grep ${search}_STATIC >/dev/null 2>&1; then
+- pkg=`$pkg --static $op $*`
++ elif search "${search}_STATIC"; then
++ pkg=`$pkg --static $op $lib`
+ else
+- pkg=`$pkg $op $*`
++ pkg=`$pkg $op $lib`
+ fi
+
+- if grep "^\#[[:space:]]*define[[:space:]]*${search}_STATIC" config.h >/dev/null 2>&1 || \
+- echo $in | grep ${search}_STATIC >/dev/null 2>&1; then
++ if search "${search}_STATIC"; then
+ if [ $op = "--libs" ] || [ $op = "--copy" ]; then
+ echo "-Wl,-Bstatic $pkg -Wl,-Bdynamic"
+ else
+@@ -40,3 +42,4 @@ if grep "^\#[[:space:]]*define[[:space:]
+ fi
+ fi
+
++done
+Index: dnsmasq-2.81/src/config.h
+===================================================================
+--- dnsmasq-2.81.orig/src/config.h
++++ dnsmasq-2.81/src/config.h
+@@ -118,6 +118,9 @@ HAVE_AUTH
+ define this to include the facility to act as an authoritative DNS
+ server for one or more zones.
+
++HAVE_NETTLEHASH
++ include just hash function from nettle, but no DNSSEC.
++
+ HAVE_DNSSEC
+ include DNSSEC validator.
+
+@@ -185,6 +188,7 @@ RESOLVFILE
+ /* #define HAVE_IDN */
+ /* #define HAVE_LIBIDN2 */
+ /* #define HAVE_CONNTRACK */
++/* #define HAVE_NETTLEHASH */
+ /* #define HAVE_DNSSEC */
+
+
+@@ -418,6 +422,10 @@ static char *compile_opts =
+ "no-"
+ #endif
+ "auth "
++#if !defined(HAVE_NETTLEHASH) && !defined(HAVE_DNSSEC)
++"no-"
++#endif
++"nettlehash "
+ #ifndef HAVE_DNSSEC
+ "no-"
+ #endif
+Index: dnsmasq-2.81/src/dnsmasq.h
+===================================================================
+--- dnsmasq-2.81.orig/src/dnsmasq.h
++++ dnsmasq-2.81/src/dnsmasq.h
+@@ -161,6 +161,9 @@ extern int capget(cap_user_header_t head
+ # include <nettle/nettle-meta.h>
+ #endif
+
++#if defined(HAVE_DNSSEC) || defined(HAVE_NETTLEHASH)
++# include <nettle/nettle-meta.h>
++#endif
+ /* daemon is function in the C library.... */
+ #define daemon dnsmasq_daemon
+
+Index: dnsmasq-2.81/src/hash_questions.c
+===================================================================
+--- dnsmasq-2.81.orig/src/hash_questions.c
++++ dnsmasq-2.81/src/hash_questions.c
+@@ -28,7 +28,7 @@
+
+ #include "dnsmasq.h"
+
+-#ifdef HAVE_DNSSEC
++#if defined(HAVE_DNSSEC) || defined(HAVE_NETTLEHASH)
+ unsigned char *hash_questions(struct dns_header *header, size_t plen, char *name)
+ {
+ int q;
diff --git a/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25686-1.patch b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25686-1.patch
new file mode 100644
index 0000000000..fd9d0a9b16
--- /dev/null
+++ b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25686-1.patch
@@ -0,0 +1,332 @@
+From 15b60ddf935a531269bb8c68198de012a4967156 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Wed, 18 Nov 2020 18:34:55 +0000
+Subject: [PATCH] Handle multiple identical near simultaneous DNS queries
+ better.
+
+Previously, such queries would all be forwarded
+independently. This is, in theory, inefficent but in practise
+not a problem, _except_ that is means that an answer for any
+of the forwarded queries will be accepted and cached.
+An attacker can send a query multiple times, and for each repeat,
+another {port, ID} becomes capable of accepting the answer he is
+sending in the blind, to random IDs and ports. The chance of a
+succesful attack is therefore multiplied by the number of repeats
+of the query. The new behaviour detects repeated queries and
+merely stores the clients sending repeats so that when the
+first query completes, the answer can be sent to all the
+clients who asked. Refer: CERT VU#434904.
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+---
+ CHANGELOG | 16 +++++-
+ src/dnsmasq.h | 19 ++++---
+ src/forward.c | 142 ++++++++++++++++++++++++++++++++++++++++++--------
+ 3 files changed, 147 insertions(+), 30 deletions(-)
+
+CVE: CVE-2020-25686
+Upstream-Status: Backport [http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=15b60ddf935a531269bb8c68198de012a4967156]
+Comment: No change in any hunk
+
+Index: dnsmasq-2.81/src/dnsmasq.h
+===================================================================
+--- dnsmasq-2.81.orig/src/dnsmasq.h
++++ dnsmasq-2.81/src/dnsmasq.h
+@@ -655,19 +655,24 @@ struct hostsfile {
+ #define FREC_DO_QUESTION 64
+ #define FREC_ADDED_PHEADER 128
+ #define FREC_TEST_PKTSZ 256
+-#define FREC_HAS_EXTRADATA 512
++#define FREC_HAS_EXTRADATA 512
++#define FREC_HAS_PHEADER 1024
+
+ #define HASH_SIZE 32 /* SHA-256 digest size */
+
+ struct frec {
+- union mysockaddr source;
+- union all_addr dest;
++ struct frec_src {
++ union mysockaddr source;
++ union all_addr dest;
++ unsigned int iface, log_id;
++ unsigned short orig_id;
++ struct frec_src *next;
++ } frec_src;
+ struct server *sentto; /* NULL means free */
+ struct randfd *rfd4;
+ struct randfd *rfd6;
+- unsigned int iface;
+- unsigned short orig_id, new_id;
+- int log_id, fd, forwardall, flags;
++ unsigned short new_id;
++ int fd, forwardall, flags;
+ time_t time;
+ unsigned char *hash[HASH_SIZE];
+ #ifdef HAVE_DNSSEC
+@@ -1085,6 +1090,8 @@ extern struct daemon {
+ int back_to_the_future;
+ #endif
+ struct frec *frec_list;
++ struct frec_src *free_frec_src;
++ int frec_src_count;
+ struct serverfd *sfds;
+ struct irec *interfaces;
+ struct listener *listeners;
+Index: dnsmasq-2.81/src/forward.c
+===================================================================
+--- dnsmasq-2.81.orig/src/forward.c
++++ dnsmasq-2.81/src/forward.c
+@@ -20,6 +20,8 @@ static struct frec *lookup_frec(unsigned
+ static struct frec *lookup_frec_by_sender(unsigned short id,
+ union mysockaddr *addr,
+ void *hash);
++static struct frec *lookup_frec_by_query(void *hash, unsigned int flags);
++
+ static unsigned short get_id(void);
+ static void free_frec(struct frec *f);
+
+@@ -255,6 +257,7 @@ static int forward_query(int udpfd, unio
+ int type = SERV_DO_DNSSEC, norebind = 0;
+ union all_addr *addrp = NULL;
+ unsigned int flags = 0;
++ unsigned int fwd_flags = 0;
+ struct server *start = NULL;
+ void *hash = hash_questions(header, plen, daemon->namebuff);
+ #ifdef HAVE_DNSSEC
+@@ -263,7 +266,18 @@ static int forward_query(int udpfd, unio
+ unsigned int gotname = extract_request(header, plen, daemon->namebuff, NULL);
+ unsigned char *oph = find_pseudoheader(header, plen, NULL, NULL, NULL, NULL);
+ (void)do_bit;
+-
++
++ if (header->hb4 & HB4_CD)
++ fwd_flags |= FREC_CHECKING_DISABLED;
++ if (ad_reqd)
++ fwd_flags |= FREC_AD_QUESTION;
++ if (oph)
++ fwd_flags |= FREC_HAS_PHEADER;
++#ifdef HAVE_DNSSEC
++ if (do_bit)
++ fwd_flags |= FREC_DO_QUESTION;
++#endif
++
+ /* may be no servers available. */
+ if (forward || (forward = lookup_frec_by_sender(ntohs(header->id), udpaddr, hash)))
+ {
+@@ -336,6 +350,39 @@ static int forward_query(int udpfd, unio
+ }
+ else
+ {
++ /* Query from new source, but the same query may be in progress
++ from another source. If so, just add this client to the
++ list that will get the reply.
++
++ Note that is the EDNS client subnet option is in use, we can't do this,
++ as the clients (and therefore query EDNS options) will be different
++ for each query. The EDNS subnet code has checks to avoid
++ attacks in this case. */
++ if (!option_bool(OPT_CLIENT_SUBNET) && (forward = lookup_frec_by_query(hash, fwd_flags)))
++ {
++ /* Note whine_malloc() zeros memory. */
++ if (!daemon->free_frec_src &&
++ daemon->frec_src_count < daemon->ftabsize &&
++ (daemon->free_frec_src = whine_malloc(sizeof(struct frec_src))))
++ daemon->frec_src_count++;
++
++ /* If we've been spammed with many duplicates, just drop the query. */
++ if (daemon->free_frec_src)
++ {
++ struct frec_src *new = daemon->free_frec_src;
++ daemon->free_frec_src = new->next;
++ new->next = forward->frec_src.next;
++ forward->frec_src.next = new;
++ new->orig_id = ntohs(header->id);
++ new->source = *udpaddr;
++ new->dest = *dst_addr;
++ new->log_id = daemon->log_id;
++ new->iface = dst_iface;
++ }
++
++ return 1;
++ }
++
+ if (gotname)
+ flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind);
+
+@@ -343,22 +390,22 @@ static int forward_query(int udpfd, unio
+ do_dnssec = type & SERV_DO_DNSSEC;
+ #endif
+ type &= ~SERV_DO_DNSSEC;
+-
++
+ if (daemon->servers && !flags)
+ forward = get_new_frec(now, NULL, NULL);
+ /* table full - flags == 0, return REFUSED */
+
+ if (forward)
+ {
+- forward->source = *udpaddr;
+- forward->dest = *dst_addr;
+- forward->iface = dst_iface;
+- forward->orig_id = ntohs(header->id);
++ forward->frec_src.source = *udpaddr;
++ forward->frec_src.orig_id = ntohs(header->id);
++ forward->frec_src.dest = *dst_addr;
++ forward->frec_src.iface = dst_iface;
+ forward->new_id = get_id();
+ forward->fd = udpfd;
+ memcpy(forward->hash, hash, HASH_SIZE);
+ forward->forwardall = 0;
+- forward->flags = 0;
++ forward->flags = fwd_flags;
+ if (norebind)
+ forward->flags |= FREC_NOREBIND;
+ if (header->hb4 & HB4_CD)
+@@ -413,9 +460,9 @@ static int forward_query(int udpfd, unio
+ unsigned char *pheader;
+
+ /* If a query is retried, use the log_id for the retry when logging the answer. */
+- forward->log_id = daemon->log_id;
++ forward->frec_src.log_id = daemon->log_id;
+
+- plen = add_edns0_config(header, plen, ((unsigned char *)header) + PACKETSZ, &forward->source, now, &subnet);
++ plen = add_edns0_config(header, plen, ((unsigned char *)header) + PACKETSZ, &forward->frec_src.source, now, &subnet);
+
+ if (subnet)
+ forward->flags |= FREC_HAS_SUBNET;
+@@ -552,7 +599,7 @@ static int forward_query(int udpfd, unio
+ return 1;
+
+ /* could not send on, prepare to return */
+- header->id = htons(forward->orig_id);
++ header->id = htons(forward->frec_src.orig_id);
+ free_frec(forward); /* cancel */
+ }
+
+@@ -804,8 +851,8 @@ void reply_query(int fd, int family, tim
+
+ /* log_query gets called indirectly all over the place, so
+ pass these in global variables - sorry. */
+- daemon->log_display_id = forward->log_id;
+- daemon->log_source_addr = &forward->source;
++ daemon->log_display_id = forward->frec_src.log_id;
++ daemon->log_source_addr = &forward->frec_src.source;
+
+ if (daemon->ignore_addr && RCODE(header) == NOERROR &&
+ check_for_ignored_address(header, n, daemon->ignore_addr))
+@@ -1077,6 +1124,7 @@ void reply_query(int fd, int family, tim
+ new->sentto = server;
+ new->rfd4 = NULL;
+ new->rfd6 = NULL;
++ new->frec_src.next = NULL;
+ new->flags &= ~(FREC_DNSKEY_QUERY | FREC_DS_QUERY | FREC_HAS_EXTRADATA);
+ new->forwardall = 0;
+
+@@ -1212,9 +1260,11 @@ void reply_query(int fd, int family, tim
+
+ if ((nn = process_reply(header, now, forward->sentto, (size_t)n, check_rebind, no_cache_dnssec, cache_secure, bogusanswer,
+ forward->flags & FREC_AD_QUESTION, forward->flags & FREC_DO_QUESTION,
+- forward->flags & FREC_ADDED_PHEADER, forward->flags & FREC_HAS_SUBNET, &forward->source)))
++ forward->flags & FREC_ADDED_PHEADER, forward->flags & FREC_HAS_SUBNET, &forward->frec_src.source)))
+ {
+- header->id = htons(forward->orig_id);
++ struct frec_src *src;
++
++ header->id = htons(forward->frec_src.orig_id);
+ header->hb4 |= HB4_RA; /* recursion if available */
+ #ifdef HAVE_DNSSEC
+ /* We added an EDNSO header for the purpose of getting DNSSEC RRs, and set the value of the UDP payload size
+@@ -1230,13 +1280,26 @@ void reply_query(int fd, int family, tim
+ }
+ #endif
+
++ for (src = &forward->frec_src; src; src = src->next)
++ {
++ header->id = htons(src->orig_id);
++
+ #ifdef HAVE_DUMPFILE
+- dump_packet(DUMP_REPLY, daemon->packet, (size_t)nn, NULL, &forward->source);
++ dump_packet(DUMP_REPLY, daemon->packet, (size_t)nn, NULL, &src->source);
+ #endif
+-
+- send_from(forward->fd, option_bool(OPT_NOWILD) || option_bool (OPT_CLEVERBIND), daemon->packet, nn,
+- &forward->source, &forward->dest, forward->iface);
++
++ send_from(forward->fd, option_bool(OPT_NOWILD) || option_bool (OPT_CLEVERBIND), daemon->packet, nn,
++ &src->source, &src->dest, src->iface);
++
++ if (option_bool(OPT_EXTRALOG) && src != &forward->frec_src)
++ {
++ daemon->log_display_id = src->log_id;
++ daemon->log_source_addr = &src->source;
++ log_query(F_UPSTREAM, "query", NULL, "duplicate");
++ }
++ }
+ }
++
+ free_frec(forward); /* cancel */
+ }
+ }
+@@ -2198,6 +2261,17 @@ void free_rfd(struct randfd *rfd)
+
+ static void free_frec(struct frec *f)
+ {
++ struct frec_src *src, *tmp;
++
++ /* add back to freelist of not the record builtin to every frec. */
++ for (src = f->frec_src.next; src; src = tmp)
++ {
++ tmp = src->next;
++ src->next = daemon->free_frec_src;
++ daemon->free_frec_src = src;
++ }
++
++ f->frec_src.next = NULL;
+ free_rfd(f->rfd4);
+ f->rfd4 = NULL;
+ f->sentto = NULL;
+@@ -2339,17 +2413,39 @@ static struct frec *lookup_frec_by_sende
+ void *hash)
+ {
+ struct frec *f;
++ struct frec_src *src;
++
++ for (f = daemon->frec_list; f; f = f->next)
++ if (f->sentto &&
++ !(f->flags & (FREC_DNSKEY_QUERY | FREC_DS_QUERY)) &&
++ memcmp(hash, f->hash, HASH_SIZE) == 0)
++ for (src = &f->frec_src; src; src = src->next)
++ if (src->orig_id == id &&
++ sockaddr_isequal(&src->source, addr))
++ return f;
++
++ return NULL;
++}
++
++static struct frec *lookup_frec_by_query(void *hash, unsigned int flags)
++{
++ struct frec *f;
++
++ /* FREC_DNSKEY and FREC_DS_QUERY are never set in flags, so the test below
++ ensures that no frec created for internal DNSSEC query can be returned here. */
++
++#define FLAGMASK (FREC_CHECKING_DISABLED | FREC_AD_QUESTION | FREC_DO_QUESTION \
++ | FREC_HAS_PHEADER | FREC_DNSKEY_QUERY | FREC_DS_QUERY)
+
+ for(f = daemon->frec_list; f; f = f->next)
+ if (f->sentto &&
+- f->orig_id == id &&
+- memcmp(hash, f->hash, HASH_SIZE) == 0 &&
+- sockaddr_isequal(&f->source, addr))
++ (f->flags & FLAGMASK) == flags &&
++ memcmp(hash, f->hash, HASH_SIZE) == 0)
+ return f;
+-
++
+ return NULL;
+ }
+-
++
+ /* Send query packet again, if we can. */
+ void resend_query()
+ {
diff --git a/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25686-2.patch b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25686-2.patch
new file mode 100644
index 0000000000..a6ffd37260
--- /dev/null
+++ b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25686-2.patch
@@ -0,0 +1,63 @@
+From 6a6e06fbb0d4690507ceaf2bb6f0d8910f3d4914 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Fri, 4 Dec 2020 18:35:11 +0000
+Subject: [PATCH] Small cleanups in frec_src datastucture handling.
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+---
+ src/forward.c | 22 +++++++++++++---------
+ 1 file changed, 13 insertions(+), 9 deletions(-)
+
+CVE: CVE-2020-25686
+Upstream-Status: Backport [http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=6a6e06fbb0d4690507ceaf2bb6f0d8910f3d4914]
+Comment: No change in any hunk
+
+Index: dnsmasq-2.81/src/forward.c
+===================================================================
+--- dnsmasq-2.81.orig/src/forward.c
++++ dnsmasq-2.81/src/forward.c
+@@ -364,7 +364,10 @@ static int forward_query(int udpfd, unio
+ if (!daemon->free_frec_src &&
+ daemon->frec_src_count < daemon->ftabsize &&
+ (daemon->free_frec_src = whine_malloc(sizeof(struct frec_src))))
+- daemon->frec_src_count++;
++ {
++ daemon->frec_src_count++;
++ daemon->free_frec_src->next = NULL;
++ }
+
+ /* If we've been spammed with many duplicates, just drop the query. */
+ if (daemon->free_frec_src)
+@@ -401,6 +404,7 @@ static int forward_query(int udpfd, unio
+ forward->frec_src.orig_id = ntohs(header->id);
+ forward->frec_src.dest = *dst_addr;
+ forward->frec_src.iface = dst_iface;
++ forward->frec_src.next = NULL;
+ forward->new_id = get_id();
+ forward->fd = udpfd;
+ memcpy(forward->hash, hash, HASH_SIZE);
+@@ -2261,16 +2265,16 @@ void free_rfd(struct randfd *rfd)
+
+ static void free_frec(struct frec *f)
+ {
+- struct frec_src *src, *tmp;
+-
+- /* add back to freelist of not the record builtin to every frec. */
+- for (src = f->frec_src.next; src; src = tmp)
++ struct frec_src *last;
++
++ /* add back to freelist if not the record builtin to every frec. */
++ for (last = f->frec_src.next; last && last->next; last = last->next) ;
++ if (last)
+ {
+- tmp = src->next;
+- src->next = daemon->free_frec_src;
+- daemon->free_frec_src = src;
++ last->next = daemon->free_frec_src;
++ daemon->free_frec_src = f->frec_src.next;
+ }
+-
++
+ f->frec_src.next = NULL;
+ free_rfd(f->rfd4);
+ f->rfd4 = NULL;
--
2.17.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
end of thread, other threads:[~2021-05-30 18:34 UTC | newest]
Thread overview: 13+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-05-30 18:34 [dunfell 00/12] Patch review May 30th Armin Kuster
2021-05-30 18:34 ` [dunfell 01/12] exiv2: Fix CVE-2021-29457 Armin Kuster
2021-05-30 18:34 ` [dunfell 02/12] exiv2: Fix CVE-2021-29458 Armin Kuster
2021-05-30 18:34 ` [dunfell 03/12] exiv2: Fix CVE-2021-29463 Armin Kuster
2021-05-30 18:34 ` [dunfell 04/12] exiv2: Fix CVE-2021-3482 Armin Kuster
2021-05-30 18:34 ` [dunfell 05/12] exiv2: Fix CVE-2021-29464 Armin Kuster
2021-05-30 18:34 ` [dunfell 06/12] exiv2: Fix CVE-2021-29470 Armin Kuster
2021-05-30 18:34 ` [dunfell 07/12] exiv2: Fix CVE-2021-29473 Armin Kuster
2021-05-30 18:34 ` [dunfell 08/12] libsdl: Fix CVE-2019-13616 Armin Kuster
2021-05-30 18:34 ` [dunfell 09/12] hostapd: fix building with CONFIG_TLS=internal Armin Kuster
2021-05-30 18:34 ` [dunfell 10/12] opencv: Add fix for CVE-2019-5063 and CVE-2019-5064 Armin Kuster
2021-05-30 18:34 ` [dunfell 11/12] ebtables: use bitbake optimization levels Armin Kuster
2021-05-30 18:34 ` [dunfell 12/12] dnsmasq: Add fixes for CVEs reported for dnsmasq Armin Kuster
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).