From 495b231e8e0da5046b6b1803d372fe33d0b14be9 Mon Sep 17 00:00:00 2001 From: Martin Borg Date: Wed, 28 Feb 2018 09:33:50 +0100 Subject: Drop CVE patches that have been fixed in upstream poky/rocko 
Signed-off-by: Martin Borg --- .../bind/bind/0001-fix-back-port-issue.patch | 29 - recipes-connectivity/bind/bind/CVE-2016-9444.patch | 186 ----- recipes-connectivity/bind/bind/CVE-2017-3135.patch | 30 - recipes-connectivity/bind/bind/CVE-2017-3136.patch | 47 -- recipes-connectivity/bind/bind_%.bbappend | 7 - recipes-core/glibc/glibc/CVE-2017-1000366.patch | 53 -- recipes-core/glibc/glibc/CVE-2017-12132.patch | 866 --------------------- recipes-core/glibc/glibc/CVE-2017-8804.patch | 225 ------ recipes-core/glibc/glibc_%.bbappend | 8 - recipes-core/systemd/systemd/CVE-2017-9445.patch | 56 -- recipes-core/systemd/systemd_%.bbappend | 6 - recipes-devtools/dpkg/dpkg/CVE-2017-8283.patch | 190 ----- .../dpkg/dpkg/test-case-for-CVE-2017-8283.patch | 83 -- recipes-devtools/dpkg/dpkg_%.bbappend | 6 - .../dnsmasq/dnsmasq/0001-CVE-2017-14491.patch | 269 ------- .../dnsmasq/dnsmasq/0002-CVE-2017-14491.patch | 73 -- .../dnsmasq/dnsmasq/CVE-2017-14492.patch | 57 -- .../dnsmasq/dnsmasq/CVE-2017-14493.patch | 55 -- .../dnsmasq/dnsmasq/CVE-2017-14494.patch | 55 -- .../dnsmasq/dnsmasq/CVE-2017-14495.patch | 69 -- .../dnsmasq/dnsmasq/CVE-2017-14496.patch | 94 --- recipes-networking/dnsmasq/dnsmasq_%.bbappend | 11 - 22 files changed, 2475 deletions(-) delete mode 100644 recipes-connectivity/bind/bind/0001-fix-back-port-issue.patch delete mode 100644 recipes-connectivity/bind/bind/CVE-2016-9444.patch delete mode 100644 recipes-connectivity/bind/bind/CVE-2017-3135.patch delete mode 100644 recipes-connectivity/bind/bind/CVE-2017-3136.patch delete mode 100644 recipes-connectivity/bind/bind_%.bbappend delete mode 100644 recipes-core/glibc/glibc/CVE-2017-1000366.patch delete mode 100644 recipes-core/glibc/glibc/CVE-2017-12132.patch delete mode 100644 recipes-core/glibc/glibc/CVE-2017-8804.patch delete mode 100644 recipes-core/glibc/glibc_%.bbappend delete mode 100644 recipes-core/systemd/systemd/CVE-2017-9445.patch delete mode 100644 recipes-core/systemd/systemd_%.bbappend delete mode 
100644 recipes-devtools/dpkg/dpkg/CVE-2017-8283.patch
delete mode 100644 recipes-devtools/dpkg/dpkg/test-case-for-CVE-2017-8283.patch
delete mode 100644 recipes-devtools/dpkg/dpkg_%.bbappend
delete mode 100644 recipes-networking/dnsmasq/dnsmasq/0001-CVE-2017-14491.patch
delete mode 100644 recipes-networking/dnsmasq/dnsmasq/0002-CVE-2017-14491.patch
delete mode 100644 recipes-networking/dnsmasq/dnsmasq/CVE-2017-14492.patch
delete mode 100644 recipes-networking/dnsmasq/dnsmasq/CVE-2017-14493.patch
delete mode 100644 recipes-networking/dnsmasq/dnsmasq/CVE-2017-14494.patch
delete mode 100644 recipes-networking/dnsmasq/dnsmasq/CVE-2017-14495.patch
delete mode 100644 recipes-networking/dnsmasq/dnsmasq/CVE-2017-14496.patch
delete mode 100644 recipes-networking/dnsmasq/dnsmasq_%.bbappend
diff --git a/recipes-connectivity/bind/bind/0001-fix-back-port-issue.patch b/recipes-connectivity/bind/bind/0001-fix-back-port-issue.patch
deleted file mode 100644
index a874469..0000000
--- a/recipes-connectivity/bind/bind/0001-fix-back-port-issue.patch
+++ /dev/null
@@ -1,29 +0,0 @@ -From 6bed6ea11b1880e0a078bd02c1d31d21f0540583 Mon Sep 17 00:00:00 2001 -From: Mark Andrews -Date: Thu, 29 Dec 2016 10:48:46 +1100 -Subject: [PATCH] fix back port issue - -This patch is needed for CVE-2016-9444 fix. -Upstream-Status: Backport [backport from v9_10_6_patch: https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch;h=6bed6ea11b1880e0a078bd02c1d31d21f0540583] - -Signed-off-by: Sona Sarmadi ---- - lib/dns/message.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/lib/dns/message.c b/lib/dns/message.c -index fe8e5d0..5b8166a 100644 ---- a/lib/dns/message.c -+++ b/lib/dns/message.c -@@ -1639,7 +1639,7 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx, - ((msg->flags & DNS_MESSAGEFLAG_TC) == 0) && - !preserve_order && - !auth_signed(section)) -- DO_ERROR(DNS_R_FORMERR); -+ DO_FORMERR; - - if (seen_problem) - return (DNS_R_RECOVERABLE); --- -1.9.1 - diff --git a/recipes-connectivity/bind/bind/CVE-2016-9444.patch b/recipes-connectivity/bind/bind/CVE-2016-9444.patch deleted file mode 100644 index 2c1e125..0000000 --- a/recipes-connectivity/bind/bind/CVE-2016-9444.patch +++ /dev/null 
@@ -1,186 +0,0 @@ -From 254d55749ccb1129e7d021a51d0c3b7d3da26ee1 Mon Sep 17 00:00:00 2001 -From: Sona Sarmadi -Date: Tue, 12 Sep 2017 14:13:28 +0200 -Subject: [PATCH] CVE-2016-9444 - -An unusually-formed DS record response could cause an assertion failure - -CVE: CVE-2016-9444 -Upstream-Status: Backport [backport from remotes/origin/v9_10_6_patch -https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=04c7ee66b1eda851737cc7582a2a88193a0b4118] - -Signed-off-by: Sona Sarmadi ---- - CHANGES | 4 +++ - lib/dns/message.c | 76 +++++++++++++++++++++++++++++++++++++++++++++++++++--- - lib/dns/resolver.c | 21 ++++++--------- - 3 files changed, 85 insertions(+), 16 deletions(-) - -diff --git a/CHANGES b/CHANGES -index 97d2e60..5760ca5 100644 ---- a/CHANGES -+++ b/CHANGES -@@ -1,3 +1,7 @@ -+4517. [security] Named could mishandle authority sections that were -+ missing RRSIGs triggering an assertion failure. -+ (CVE-2016-9444) [RT # 43632] -+ - 4504. [security] Allow the maximum number of records in a zone to - be specified. This provides a control for issues - raised in CVE-2016-6170. [RT #42143] -diff --git a/lib/dns/message.c b/lib/dns/message.c -index 0dd4c77..2e37dac 100644 ---- a/lib/dns/message.c -+++ b/lib/dns/message.c -@@ -1171,6 +1171,63 @@ update(dns_section_t section, dns_rdataclass_t rdclass) { - return (ISC_FALSE); - } - -+/* -+ * Check to confirm that all DNSSEC records (DS, NSEC, NSEC3) have -+ * covering RRSIGs. 
-+ */ -+static isc_boolean_t -+auth_signed(dns_namelist_t *section) { -+ dns_name_t *name; -+ -+ for (name = ISC_LIST_HEAD(*section); -+ name != NULL; -+ name = ISC_LIST_NEXT(name, link)) -+ { -+ int auth_dnssec = 0, auth_rrsig = 0; -+ dns_rdataset_t *rds; -+ -+ for (rds = ISC_LIST_HEAD(name->list); -+ rds != NULL; -+ rds = ISC_LIST_NEXT(rds, link)) -+ { -+ switch (rds->type) { -+ case dns_rdatatype_ds: -+ auth_dnssec |= 0x1; -+ break; -+ case dns_rdatatype_nsec: -+ auth_dnssec |= 0x2; -+ break; -+ case dns_rdatatype_nsec3: -+ auth_dnssec |= 0x4; -+ break; -+ case dns_rdatatype_rrsig: -+ break; -+ default: -+ continue; -+ } -+ -+ switch (rds->covers) { -+ case dns_rdatatype_ds: -+ auth_rrsig |= 0x1; -+ break; -+ case dns_rdatatype_nsec: -+ auth_rrsig |= 0x2; -+ break; -+ case dns_rdatatype_nsec3: -+ auth_rrsig |= 0x4; -+ break; -+ default: -+ break; -+ } -+ } -+ -+ if (auth_dnssec != auth_rrsig) -+ return (ISC_FALSE); -+ } -+ -+ return (ISC_TRUE); -+} -+ - static isc_result_t - getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx, - dns_section_t sectionid, unsigned int options) -@@ -1196,12 +1253,12 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx, - best_effort = ISC_TF(options & DNS_MESSAGEPARSE_BESTEFFORT); - seen_problem = ISC_FALSE; - -+ section = &msg->sections[sectionid]; -+ - for (count = 0; count < msg->counts[sectionid]; count++) { - int recstart = source->current; - isc_boolean_t skip_name_search, skip_type_search; - -- section = &msg->sections[sectionid]; -- - skip_name_search = ISC_FALSE; - skip_type_search = ISC_FALSE; - free_rdataset = ISC_FALSE; -@@ -1364,7 +1421,7 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx, - goto cleanup; - rdata->rdclass = rdclass; - issigzero = ISC_FALSE; -- if (rdtype == dns_rdatatype_rrsig && -+ if (rdtype == dns_rdatatype_rrsig && - rdata->flags == 0) { - covers = dns_rdata_covers(rdata); - if (covers == 0) -@@ -1575,6 +1632,19 @@ 
getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx, - INSIST(free_rdataset == ISC_FALSE); - } - -+ /* -+ * If any of DS, NSEC or NSEC3 appeared in the -+ * authority section of a query response without -+ * a covering RRSIG, FORMERR -+ */ -+ if (sectionid == DNS_SECTION_AUTHORITY && -+ msg->opcode == dns_opcode_query && -+ ((msg->flags & DNS_MESSAGEFLAG_QR) != 0) && -+ ((msg->flags & DNS_MESSAGEFLAG_TC) == 0) && -+ !preserve_order && -+ !auth_signed(section)) -+ DO_ERROR(DNS_R_FORMERR); -+ - if (seen_problem) - return (DNS_R_RECOVERABLE); - return (ISC_R_SUCCESS); -diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c -index b8fa6b3..017b4ba 100644 ---- a/lib/dns/resolver.c -+++ b/lib/dns/resolver.c -@@ -5435,16 +5435,13 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo, - rdataset->type, - &noqname); - if (tresult == ISC_R_SUCCESS && -- noqname != NULL) { -- tresult = -- dns_rdataset_addnoqname( -+ noqname != NULL) -+ (void) dns_rdataset_addnoqname( - rdataset, noqname); -- RUNTIME_CHECK(tresult == -- ISC_R_SUCCESS); -- } - } -- if ((fctx->options & DNS_FETCHOPT_PREFETCH) != 0) -- options = DNS_DBADD_PREFETCH; -+ if ((fctx->options & -+ DNS_FETCHOPT_PREFETCH) != 0) -+ options = DNS_DBADD_PREFETCH; - addedrdataset = ardataset; - result = dns_db_addrdataset(fctx->cache, node, - NULL, now, rdataset, -@@ -5584,11 +5581,9 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo, - tresult = findnoqname(fctx, name, - rdataset->type, &noqname); - if (tresult == ISC_R_SUCCESS && -- noqname != NULL) { -- tresult = dns_rdataset_addnoqname( -- rdataset, noqname); -- RUNTIME_CHECK(tresult == ISC_R_SUCCESS); -- } -+ noqname != NULL) -+ (void) dns_rdataset_addnoqname( -+ rdataset, noqname); - } - - /* --- -1.9.1 - diff --git a/recipes-connectivity/bind/bind/CVE-2017-3135.patch b/recipes-connectivity/bind/bind/CVE-2017-3135.patch deleted file mode 100644 index 8cb2340..0000000 
--- a/recipes-connectivity/bind/bind/CVE-2017-3135.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 6106ed6841b253c78c6120be24c8722d6310a9b9 Mon Sep 17 00:00:00 2001 -From: Mark Andrews -Date: Tue, 31 Jan 2017 11:20:03 +1100 -Subject: [PATCH] add a REQUIRE to catch the NULL pointer dereference that - triggered CVE-2017-3135 - -CVE: CVE-2017-3135 -Upstream-Status: Backport [backport from remotes/origin/v9_10] - -(cherry picked from commit 1d8995d226d8bca96b8ba286316018be4b7835f2) -Signed-off-by: Sona Sarmadi ---- - lib/dns/rdataset.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/lib/dns/rdataset.c b/lib/dns/rdataset.c -index 1870394..79bcecb 100644 ---- a/lib/dns/rdataset.c -+++ b/lib/dns/rdataset.c -@@ -338,6 +338,7 @@ towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name, - */ - - REQUIRE(DNS_RDATASET_VALID(rdataset)); -+ REQUIRE(rdataset->methods != NULL); - REQUIRE(countp != NULL); - REQUIRE((order == NULL) == (order_arg == NULL)); - REQUIRE(cctx != NULL && cctx->mctx != NULL); --- -1.9.1 - diff --git a/recipes-connectivity/bind/bind/CVE-2017-3136.patch b/recipes-connectivity/bind/bind/CVE-2017-3136.patch deleted file mode 100644 index c47a6f7..0000000 --- a/recipes-connectivity/bind/bind/CVE-2017-3136.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -From cdb44bbabefa96fceb9bca540f5112493756d593 Mon Sep 17 00:00:00 2001 -From: Sona Sarmadi -Date: Wed, 27 Sep 2017 09:45:10 +0200 -Subject: [PATCH] Dns64 with break-dnssec yes; can result in a assertion - failure. - -From 764240ca07ab1b796226d5402ccd9fbfa77ec32a Mon Sep 17 00:00:00 2001 -From: Mark Andrews -Date: Wed, 15 Feb 2017 12:18:51 +1100 - -(cherry picked from commit 3bce12e4b6d37f570ffc7747b499f8b90e8521ac) - -CVE: CVE-2017-3136 -Upstream-Status: Backport [backport from remotes/origin/v9_10] - -Signed-off-by: Sona Sarmadi ---- - CHANGES | 3 +++ - bin/named/query.c | 1 + - 2 files changed, 4 insertions(+) - -diff --git a/CHANGES b/CHANGES -index ec11967..ba27df0 100644 ---- a/CHANGES -+++ b/CHANGES -@@ -1,3 +1,6 @@ -+4575. [security] Dns64 with break-dnssec yes; can result in a -+ assertion failure. (CVE-2017-3136) [RT #44653] -+ - 4517. [security] Named could mishandle authority sections that were - missing RRSIGs triggering an assertion failure. - (CVE-2016-9444) [RT # 43632] -diff --git a/bin/named/query.c b/bin/named/query.c -index 1398776..48822ff 100644 ---- a/bin/named/query.c -+++ b/bin/named/query.c -@@ -8149,6 +8149,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) - result = query_dns64(client, &fname, rdataset, - sigrdataset, dbuf, - DNS_SECTION_ANSWER); -+ noqname = NULL; - dns_rdataset_disassociate(rdataset); - dns_message_puttemprdataset(client->message, &rdataset); - if (result == ISC_R_NOMORE) { --- -1.9.1 - diff --git a/recipes-connectivity/bind/bind_%.bbappend b/recipes-connectivity/bind/bind_%.bbappend deleted file mode 100644 index 0461313..0000000 --- a/recipes-connectivity/bind/bind_%.bbappend +++ /dev/null @@ -1,7 +0,0 @@ -FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" - -SRC_URI += "file://CVE-2016-9444.patch \ - file://0001-fix-back-port-issue.patch \ - file://CVE-2017-3135.patch \ - file://CVE-2017-3136.patch \ - " 
diff --git a/recipes-core/glibc/glibc/CVE-2017-1000366.patch b/recipes-core/glibc/glibc/CVE-2017-1000366.patch deleted file mode 100644 index 8ba9c5c..0000000 --- a/recipes-core/glibc/glibc/CVE-2017-1000366.patch +++ /dev/null @@ -1,53 +0,0 @@ -From f6110a8fee2ca36f8e2d2abecf3cba9fa7b8ea7d Mon Sep 17 00:00:00 2001 -From: Florian Weimer -Date: Mon, 19 Jun 2017 17:09:55 +0200 -Subject: [PATCH] CVE-2017-1000366: Ignore LD_LIBRARY_PATH for AT_SECURE=1 - programs [BZ #21624] - -LD_LIBRARY_PATH can only be used to reorder system search paths, which -is not useful functionality. - -This makes an exploitable unbounded alloca in _dl_init_paths unreachable -for AT_SECURE=1 programs. - -CVE: CVE-2017-1000366 -Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=3c7cd21290cabdadd72984fb69bc51e64ff1002d] - -Signed-off-by: Sona Sarmadi ---- - ChangeLog | 7 +++++++ - elf/rtld.c | 3 ++- - 2 files changed, 9 insertions(+), 1 deletion(-) - -diff --git a/ChangeLog b/ChangeLog -index f140ee6..7bfdf45 100644 ---- a/ChangeLog -+++ b/ChangeLog -@@ -1,3 +1,10 @@ -+2017-06-19 Florian Weimer -+ -+ [BZ #21624] -+ CVE-2017-1000366 -+ * elf/rtld.c (process_envvars): Ignore LD_LIBRARY_PATH for -+ __libc_enable_secure. -+ - 2017-02-05 Siddhesh Poyarekar - - * version.h (RELEASE): Set to "stable" -diff --git a/elf/rtld.c b/elf/rtld.c -index a036ece..2fc33a6 100644 ---- a/elf/rtld.c -+++ b/elf/rtld.c -@@ -2418,7 +2418,8 @@ process_envvars (enum mode *modep) - - case 12: - /* The library search path. */ -- if (memcmp (envline, "LIBRARY_PATH", 12) == 0) -+ if (!__libc_enable_secure -+ && memcmp (envline, "LIBRARY_PATH", 12) == 0) - { - library_path = &envline[13]; - break; --- -1.9.1 - diff --git a/recipes-core/glibc/glibc/CVE-2017-12132.patch b/recipes-core/glibc/glibc/CVE-2017-12132.patch deleted file mode 100644 index dc184db..0000000 --- a/recipes-core/glibc/glibc/CVE-2017-12132.patch +++ /dev/null 
@@ -1,866 +0,0 @@ -From 44cf81c6c008316876cfcc8208ae982621949e0e Mon Sep 17 00:00:00 2001 -From: Sona Sarmadi -Date: Mon, 11 Sep 2017 10:55:45 +0200 -Subject: [PATCH] glibc: CVE-2017-12132 - -From e14a27723cc3a154d67f3f26e719d08c0ba9ad25 Mon Sep 17 00:00:00 2001 -From: Florian Weimer -Date: Thu, 13 Apr 2017 13:09:38 +0200 -Subject: [PATCH] resolv: Reduce EDNS payload size to 1200 bytes [BZ #21361] - -This hardens the stub resolver against fragmentation-based attacks. - -CVE: CVE-2017-12132 -Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=patch;h=e14a27723cc3a154d67f3f26e719d08c0ba9ad25] - -Signed-off-by: Sona Sarmadi ---- - ChangeLog | 21 ++ - include/resolv.h | 3 - - resolv/Makefile | 2 + - resolv/res_mkquery.c | 28 ++- - resolv/res_query.c | 23 ++- - resolv/resolv-internal.h | 18 ++ - resolv/tst-resolv-edns.c | 501 +++++++++++++++++++++++++++++++++++++++++++++++ - support/resolv_test.c | 56 +++++- - support/resolv_test.h | 11 ++ - 9 files changed, 650 insertions(+), 13 deletions(-) - create mode 100644 resolv/tst-resolv-edns.c - -diff --git a/ChangeLog b/ChangeLog -index 7bfdf45..a0c2f51 100644 ---- a/ChangeLog -+++ b/ChangeLog -@@ -1,3 +1,24 @@ -+2017-04-13 Florian Weimer -+ -+ [BZ #21361] -+ Limit EDNS buffer size to 1200 bytes. -+ * include/resolv.h (__res_nopt): Remove declaration. -+ * resolv/Makefile (tests): tst-resolv-edns. -+ (tst-resolv-edns): Link with -lresolv, -lpthread. -+ * resolv/res_mkquery.c (__res_ntop): Limit EDNS buffer size to the -+ interval [512, 1200]. -+ * resolv/res_query.c (__libc_res_nquery): Use 1200 buffer size if -+ we can resize the buffer. -+ * resolv/resolv-internal.h (RESOLV_EDNS_BUFFER_SIZE): Define. -+ (__res_nopt): Declare. -+ * resolv/tst-resolv-edns.c: New file. -+ * resolv/resolv_test.h (struct resolv_edns_info): Define. -+ (struct resolv_response_context): Add edns member. -+ * resolv/resolv_test.c (struct query_info): Add edns member. 
-+ (parse_query): Extract EDNS information from the query. -+ (server_thread_udp_process_one): Propagate EDNS data. -+ (server_thread_tcp_client): Likewise. -+ - 2017-06-19 Florian Weimer - - [BZ #21624] -diff --git a/include/resolv.h b/include/resolv.h -index 95dcd3c..e8f477c 100644 ---- a/include/resolv.h -+++ b/include/resolv.h -@@ -37,8 +37,6 @@ extern void res_pquery (const res_state __statp, const unsigned char *__msg, - extern int res_ourserver_p (const res_state __statp, - const struct sockaddr_in6 *__inp); - extern void __res_iclose (res_state statp, bool free_addr); --extern int __res_nopt(res_state statp, int n0, unsigned char *buf, int buflen, -- int anslen); - libc_hidden_proto (__res_ninit) - libc_hidden_proto (__res_maybe_init) - libc_hidden_proto (__res_nclose) -@@ -91,7 +89,6 @@ libresolv_hidden_proto (__res_nameinquery) - libresolv_hidden_proto (__res_queriesmatch) - libresolv_hidden_proto (__res_nsend) - libresolv_hidden_proto (__b64_ntop) --libresolv_hidden_proto (__res_nopt) - libresolv_hidden_proto (__dn_count_labels) - libresolv_hidden_proto (__p_secstodate) - -diff --git a/resolv/Makefile b/resolv/Makefile -index fdc37ed..01086d5 100644 ---- a/resolv/Makefile -+++ b/resolv/Makefile -@@ -46,6 +46,7 @@ tests += \ - tst-res_hconf_reorder \ - tst-res_use_inet6 \ - tst-resolv-basic \ -+ tst-resolv-edns \ - tst-resolv-network \ - tst-resolv-search \ - -@@ -124,6 +125,7 @@ $(objpfx)tst-bug18665-tcp: $(objpfx)libresolv.so $(shared-thread-library) - $(objpfx)tst-bug18665: $(objpfx)libresolv.so $(shared-thread-library) - $(objpfx)tst-res_use_inet6: $(objpfx)libresolv.so $(shared-thread-library) - $(objpfx)tst-resolv-basic: $(objpfx)libresolv.so $(shared-thread-library) -+$(objpfx)tst-resolv-edns: $(objpfx)libresolv.so $(shared-thread-library) - $(objpfx)tst-resolv-network: $(objpfx)libresolv.so $(shared-thread-library) - $(objpfx)tst-resolv-qtypes: $(objpfx)libresolv.so $(shared-thread-library) - $(objpfx)tst-resolv-search: $(objpfx)libresolv.so 
$(shared-thread-library) -diff --git a/resolv/res_mkquery.c b/resolv/res_mkquery.c -index d80b531..5a0bb10 100644 ---- a/resolv/res_mkquery.c -+++ b/resolv/res_mkquery.c -@@ -69,7 +69,7 @@ - #include - #include - #include --#include -+#include - #include - #include - #include -@@ -243,7 +243,30 @@ __res_nopt(res_state statp, - *cp++ = 0; /* "." */ - - NS_PUT16(T_OPT, cp); /* TYPE */ -- NS_PUT16(MIN(anslen, 0xffff), cp); /* CLASS = UDP payload size */ -+ -+ /* Lowering the advertised buffer size based on the actual -+ answer buffer size is desirable because the server will -+ minimize the reply to fit into the UDP packet (and A -+ non-minimal response might not fit the buffer). -+ -+ The RESOLV_EDNS_BUFFER_SIZE limit could still result in TCP -+ fallback and a non-minimal response which has to be -+ hard-truncated in the stub resolver, but this is price to -+ pay for avoiding fragmentation. (This issue does not -+ affect the nss_dns functions because they use the stub -+ resolver in such a way that it allocates a properly sized -+ response buffer.) */ -+ { -+ uint16_t buffer_size; -+ if (anslen < 512) -+ buffer_size = 512; -+ else if (anslen > RESOLV_EDNS_BUFFER_SIZE) -+ buffer_size = RESOLV_EDNS_BUFFER_SIZE; -+ else -+ buffer_size = anslen; -+ NS_PUT16 (buffer_size, cp); -+ } -+ - *cp++ = NOERROR; /* extended RCODE */ - *cp++ = 0; /* EDNS version */ - -@@ -261,4 +284,3 @@ __res_nopt(res_state statp, - - return cp - buf; - } --libresolv_hidden_def (__res_nopt) -diff --git a/resolv/res_query.c b/resolv/res_query.c -index 07dc6f6..57156d0 100644 ---- a/resolv/res_query.c -+++ b/resolv/res_query.c -@@ -77,6 +77,7 @@ - #include - #include - #include -+#include - - /* Options. Leave them on. 
*/ - /* #undef DEBUG */ -@@ -146,7 +147,10 @@ __libc_res_nquery(res_state statp, - if ((oflags & RES_F_EDNS0ERR) == 0 - && (statp->options & (RES_USE_EDNS0|RES_USE_DNSSEC)) != 0) - { -- n = __res_nopt(statp, n, query1, bufsize, anslen / 2); -+ /* Use RESOLV_EDNS_BUFFER_SIZE because the receive -+ buffer can be reallocated. */ -+ n = __res_nopt (statp, n, query1, bufsize, -+ RESOLV_EDNS_BUFFER_SIZE); - if (n < 0) - goto unspec_nomem; - } -@@ -167,8 +171,10 @@ __libc_res_nquery(res_state statp, - if (n > 0 - && (oflags & RES_F_EDNS0ERR) == 0 - && (statp->options & (RES_USE_EDNS0|RES_USE_DNSSEC)) != 0) -- n = __res_nopt(statp, n, query2, bufsize - nused - n, -- anslen / 2); -+ /* Use RESOLV_EDNS_BUFFER_SIZE because the receive -+ buffer can be reallocated. */ -+ n = __res_nopt (statp, n, query2, bufsize, -+ RESOLV_EDNS_BUFFER_SIZE); - nquery2 = n; - } - -@@ -182,7 +188,16 @@ __libc_res_nquery(res_state statp, - if (n > 0 - && (oflags & RES_F_EDNS0ERR) == 0 - && (statp->options & (RES_USE_EDNS0|RES_USE_DNSSEC)) != 0) -- n = __res_nopt(statp, n, query1, bufsize, anslen); -+ { -+ /* Use RESOLV_EDNS_BUFFER_SIZE if the receive buffer -+ can be reallocated. */ -+ size_t advertise; -+ if (answerp == NULL) -+ advertise = anslen; -+ else -+ advertise = RESOLV_EDNS_BUFFER_SIZE; -+ n = __res_nopt (statp, n, query1, bufsize, advertise); -+ } - - nquery1 = n; - } -diff --git a/resolv/resolv-internal.h b/resolv/resolv-internal.h -index 99fc17c..76fbe2f 100644 ---- a/resolv/resolv-internal.h -+++ b/resolv/resolv-internal.h -@@ -32,4 +32,22 @@ res_use_inet6 (void) - return _res.options & DEPRECATED_RES_USE_INET6; - } - -+enum -+ { -+ /* The advertized EDNS buffer size. The value 1200 is derived -+ from the IPv6 minimum MTU (1280 bytes) minus some arbitrary -+ space for tunneling overhead. If the DNS server does not react -+ to ICMP Fragmentation Needed But DF Set messages, this should -+ avoid all UDP fragments on current networks. 
Avoiding UDP -+ fragments is desirable because it prevents fragmentation-based -+ spoofing attacks because the randomness in a DNS packet is -+ concentrated in the first fragment (with the headers) and does -+ not protect subsequent fragments. */ -+ RESOLV_EDNS_BUFFER_SIZE = 1200, -+ }; -+ -+/* Add an OPT record to a DNS query. */ -+int __res_nopt (res_state, int n0, unsigned char *buf, int buflen, -+ int anslen) attribute_hidden; -+ - #endif /* _RESOLV_INTERNAL_H */ -diff --git a/resolv/tst-resolv-edns.c b/resolv/tst-resolv-edns.c -new file mode 100644 -index 0000000..f17dbc3 ---- /dev/null -+++ b/resolv/tst-resolv-edns.c -@@ -0,0 +1,501 @@ -+/* Test EDNS handling in the stub resolver. -+ Copyright (C) 2016-2017 Free Software Foundation, Inc. -+ This file is part of the GNU C Library. -+ -+ The GNU C Library is free software; you can redistribute it and/or -+ modify it under the terms of the GNU Lesser General Public -+ License as published by the Free Software Foundation; either -+ version 2.1 of the License, or (at your option) any later version. -+ -+ The GNU C Library is distributed in the hope that it will be useful, -+ but WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ Lesser General Public License for more details. -+ -+ You should have received a copy of the GNU Lesser General Public -+ License along with the GNU C Library; if not, see -+ . */ -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+/* Data produced by a test query. */ -+struct response_data -+{ -+ char *qname; -+ uint16_t qtype; -+ struct resolv_edns_info edns; -+}; -+ -+/* Global array used by put_response and get_response to record -+ response data. The test DNS server returns the index of the array -+ element which contains the actual response data. 
This enables the -+ test case to return arbitrary amounts of data with the limited -+ number of bits which fit into an IP addres. -+ -+ The volatile specifier is needed because the test case accesses -+ these variables from a callback function called from a function -+ which is marked as __THROW (i.e., a leaf function which actually is -+ not). */ -+static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER; -+static struct response_data ** volatile response_data_array; -+volatile static size_t response_data_count; -+ -+/* Extract information from the query, store it in a struct -+ response_data object, and return its index in the -+ response_data_array. */ -+static unsigned int -+put_response (const struct resolv_response_context *ctx, -+ const char *qname, uint16_t qtype) -+{ -+ xpthread_mutex_lock (&mutex); -+ ++response_data_count; -+ /* We only can represent 2**24 indexes in 10.0.0.0/8. */ -+ TEST_VERIFY (response_data_count < (1 << 24)); -+ response_data_array = xrealloc -+ (response_data_array, sizeof (*response_data_array) * response_data_count); -+ unsigned int index = response_data_count - 1; -+ struct response_data *data = xmalloc (sizeof (*data)); -+ *data = (struct response_data) -+ { -+ .qname = xstrdup (qname), -+ .qtype = qtype, -+ .edns = ctx->edns, -+ }; -+ response_data_array[index] = data; -+ xpthread_mutex_unlock (&mutex); -+ return index; -+} -+ -+/* Verify the index into the response_data array and return the data -+ at it. */ -+static struct response_data * -+get_response (unsigned int index) -+{ -+ xpthread_mutex_lock (&mutex); -+ TEST_VERIFY_EXIT (index < response_data_count); -+ struct response_data *result = response_data_array[index]; -+ xpthread_mutex_unlock (&mutex); -+ return result; -+} -+ -+/* Deallocate all response data. 
*/ -+static void -+free_response_data (void) -+{ -+ xpthread_mutex_lock (&mutex); -+ size_t count = response_data_count; -+ struct response_data **array = response_data_array; -+ for (unsigned int i = 0; i < count; ++i) -+ { -+ struct response_data *data = array[i]; -+ free (data->qname); -+ free (data); -+ } -+ free (array); -+ response_data_array = NULL; -+ response_data_count = 0; -+ xpthread_mutex_unlock (&mutex); -+} -+ -+#define EDNS_PROBE_EXAMPLE "edns-probe.example" -+ -+static void -+response (const struct resolv_response_context *ctx, -+ struct resolv_response_builder *b, -+ const char *qname, uint16_t qclass, uint16_t qtype) -+{ -+ TEST_VERIFY_EXIT (qname != NULL); -+ -+ /* The "tcp." prefix can be used to request TCP fallback. */ -+ const char *qname_compare = qname; -+ bool force_tcp; -+ if (strncmp ("tcp.", qname_compare, strlen ("tcp.")) == 0) -+ { -+ force_tcp = true; -+ qname_compare += strlen ("tcp."); -+ } -+ else -+ force_tcp = false; -+ -+ enum {edns_probe} requested_qname; -+ if (strcmp (qname_compare, EDNS_PROBE_EXAMPLE) == 0) -+ requested_qname = edns_probe; -+ else -+ { -+ support_record_failure (); -+ printf ("error: unexpected QNAME: %s\n", qname); -+ return; -+ } -+ TEST_VERIFY_EXIT (qclass == C_IN); -+ struct resolv_response_flags flags = {.tc = force_tcp && !ctx->tcp}; -+ resolv_response_init (b, flags); -+ resolv_response_add_question (b, qname, qclass, qtype); -+ if (flags.tc) -+ return; -+ -+ if (test_verbose) -+ printf ("info: edns=%d payload_size=%d\n", -+ ctx->edns.active, ctx->edns.payload_size); -+ -+ /* Encode the response_data object in multiple address records. -+ Each record carries two bytes of payload data, and an index. 
*/ -+ resolv_response_section (b, ns_s_an); -+ switch (requested_qname) -+ { -+ case edns_probe: -+ { -+ unsigned int index = put_response (ctx, qname, qtype); -+ switch (qtype) -+ { -+ case T_A: -+ { -+ uint32_t addr = htonl (0x0a000000 | index); -+ resolv_response_open_record (b, qname, qclass, qtype, 0); -+ resolv_response_add_data (b, &addr, sizeof (addr)); -+ resolv_response_close_record (b); -+ } -+ break; -+ case T_AAAA: -+ { -+ char addr[16] -+ = {0x20, 0x01, 0xd, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, -+ index >> 16, index >> 8, index}; -+ resolv_response_open_record (b, qname, qclass, qtype, 0); -+ resolv_response_add_data (b, &addr, sizeof (addr)); -+ resolv_response_close_record (b); -+ } -+ } -+ } -+ break; -+ } -+} -+ -+/* Update *DATA with data from ADDRESS of SIZE. Set the corresponding -+ flag in SHADOW for each byte written. */ -+static struct response_data * -+decode_address (const void *address, size_t size) -+{ -+ switch (size) -+ { -+ case 4: -+ TEST_VERIFY (memcmp (address, "\x0a", 1) == 0); -+ break; -+ case 16: -+ TEST_VERIFY (memcmp (address, "\x20\x01\x0d\xb8", 4) == 0); -+ break; -+ default: -+ FAIL_EXIT1 ("unexpected address size %zu", size); -+ } -+ const unsigned char *addr = address; -+ unsigned int index = addr[size - 3] * 256 * 256 -+ + addr[size - 2] * 256 -+ + addr[size - 1]; -+ return get_response (index); -+} -+ -+static struct response_data * -+decode_hostent (struct hostent *e) -+{ -+ TEST_VERIFY_EXIT (e != NULL); -+ TEST_VERIFY_EXIT (e->h_addr_list[0] != NULL); -+ TEST_VERIFY (e->h_addr_list[1] == NULL); -+ return decode_address (e->h_addr_list[0], e->h_length); -+} -+ -+static struct response_data * -+decode_addrinfo (struct addrinfo *ai, int family) -+{ -+ struct response_data *data = NULL; -+ while (ai != NULL) -+ { -+ if (ai->ai_family == family) -+ { -+ struct response_data *new_data; -+ switch (family) -+ { -+ case AF_INET: -+ { -+ struct sockaddr_in *pin = (struct sockaddr_in *) ai->ai_addr; -+ new_data = decode_address 
(&pin->sin_addr.s_addr, 4); -+ } -+ break; -+ case AF_INET6: -+ { -+ struct sockaddr_in6 *pin = (struct sockaddr_in6 *) ai->ai_addr; -+ new_data = decode_address (&pin->sin6_addr.s6_addr, 16); -+ } -+ break; -+ default: -+ FAIL_EXIT1 ("invalid address family %d", ai->ai_family); -+ } -+ if (data == NULL) -+ data = new_data; -+ else -+ /* Check pointer equality because this should be the same -+ response (same index). */ -+ TEST_VERIFY (data == new_data); -+ } -+ ai = ai->ai_next; -+ } -+ TEST_VERIFY_EXIT (data != NULL); -+ return data; -+} -+ -+/* Updated by the main test loop in accordance with what is set in -+ _res.options. */ -+static bool use_edns; -+static bool use_dnssec; -+ -+/* Verify the decoded response data against the flags above. */ -+static void -+verify_response_data_payload (struct response_data *data, -+ size_t expected_payload) -+{ -+ bool edns = use_edns || use_dnssec; -+ TEST_VERIFY (data->edns.active == edns); -+ if (!edns) -+ expected_payload = 0; -+ if (data->edns.payload_size != expected_payload) -+ { -+ support_record_failure (); -+ printf ("error: unexpected payload size %d (edns=%d)\n", -+ (int) data->edns.payload_size, edns); -+ } -+ uint16_t expected_flags = 0; -+ if (use_dnssec) -+ expected_flags |= 0x8000; /* DO flag. */ -+ if (data->edns.flags != expected_flags) -+ { -+ support_record_failure (); -+ printf ("error: unexpected EDNS flags 0x%04x (edns=%d)\n", -+ (int) data->edns.flags, edns); -+ } -+} -+ -+/* Same as verify_response_data_payload, but use the default -+ payload. 
*/ -+static void -+verify_response_data (struct response_data *data) -+{ -+ verify_response_data_payload (data, 1200); -+} -+ -+static void -+check_hostent (struct hostent *e) -+{ -+ TEST_VERIFY_EXIT (e != NULL); -+ verify_response_data (decode_hostent (e)); -+} -+ -+static void -+do_ai (int family) -+{ -+ struct addrinfo hints = { .ai_family = family }; -+ struct addrinfo *ai; -+ int ret = getaddrinfo (EDNS_PROBE_EXAMPLE, "80", &hints, &ai); -+ TEST_VERIFY_EXIT (ret == 0); -+ switch (family) -+ { -+ case AF_INET: -+ case AF_INET6: -+ verify_response_data (decode_addrinfo (ai, family)); -+ break; -+ case AF_UNSPEC: -+ verify_response_data (decode_addrinfo (ai, AF_INET)); -+ verify_response_data (decode_addrinfo (ai, AF_INET6)); -+ break; -+ default: -+ FAIL_EXIT1 ("invalid address family %d", family); -+ } -+ freeaddrinfo (ai); -+} -+ -+enum res_op -+{ -+ res_op_search, -+ res_op_query, -+ res_op_querydomain, -+ res_op_nsearch, -+ res_op_nquery, -+ res_op_nquerydomain, -+ -+ res_op_last = res_op_nquerydomain, -+}; -+ -+static const char * -+res_op_string (enum res_op op) -+{ -+ switch (op) -+ { -+ case res_op_search: -+ return "res_search"; -+ case res_op_query: -+ return "res_query"; -+ case res_op_querydomain: -+ return "res_querydomain"; -+ case res_op_nsearch: -+ return "res_nsearch"; -+ case res_op_nquery: -+ return "res_nquery"; -+ case res_op_nquerydomain: -+ return "res_nquerydomain"; -+ } -+ FAIL_EXIT1 ("invalid res_op value %d", (int) op); -+} -+ -+/* Call libresolv function OP to look up PROBE_NAME, with an answer -+ buffer of SIZE bytes. Check that the advertised UDP buffer size is -+ in fact EXPECTED_BUFFER_SIZE. 
*/ -+static void -+do_res_search (const char *probe_name, enum res_op op, size_t size, -+ size_t expected_buffer_size) -+{ -+ if (test_verbose) -+ printf ("info: testing %s with buffer size %zu\n", -+ res_op_string (op), size); -+ unsigned char *buffer = xmalloc (size); -+ int ret = -1; -+ switch (op) -+ { -+ case res_op_search: -+ ret = res_search (probe_name, C_IN, T_A, buffer, size); -+ break; -+ case res_op_query: -+ ret = res_query (probe_name, C_IN, T_A, buffer, size); -+ break; -+ case res_op_nsearch: -+ ret = res_nsearch (&_res, probe_name, C_IN, T_A, buffer, size); -+ break; -+ case res_op_nquery: -+ ret = res_nquery (&_res, probe_name, C_IN, T_A, buffer, size); -+ break; -+ case res_op_querydomain: -+ case res_op_nquerydomain: -+ { -+ char *example_stripped = xstrdup (probe_name); -+ char *dot_example = strstr (example_stripped, ".example"); -+ if (dot_example != NULL && strcmp (dot_example, ".example") == 0) -+ { -+ /* Truncate the domain name. */ -+ *dot_example = '\0'; -+ if (op == res_op_querydomain) -+ ret = res_querydomain -+ (example_stripped, "example", C_IN, T_A, buffer, size); -+ else -+ ret = res_nquerydomain -+ (&_res, example_stripped, "example", C_IN, T_A, buffer, size); -+ } -+ else -+ FAIL_EXIT1 ("invalid probe name: %s", probe_name); -+ free (example_stripped); -+ } -+ break; -+ } -+ TEST_VERIFY_EXIT (ret > 12); -+ unsigned char *end = buffer + ret; -+ -+ HEADER *hd = (HEADER *) buffer; -+ TEST_VERIFY (ntohs (hd->qdcount) == 1); -+ TEST_VERIFY (ntohs (hd->ancount) == 1); -+ /* Skip over the header. */ -+ unsigned char *p = buffer + sizeof (*hd); -+ /* Skip over the question. */ -+ ret = dn_skipname (p, end); -+ TEST_VERIFY_EXIT (ret > 0); -+ p += ret; -+ TEST_VERIFY_EXIT (end - p >= 4); -+ p += 4; -+ /* Skip over the RNAME and the RR header, but stop at the RDATA -+ length. 
*/ -+ ret = dn_skipname (p, end); -+ TEST_VERIFY_EXIT (ret > 0); -+ p += ret; -+ TEST_VERIFY_EXIT (end - p >= 2 + 2 + 4 + 2 + 4); -+ p += 2 + 2 + 4; -+ /* The IP address should be 4 bytes long. */ -+ TEST_VERIFY_EXIT (p[0] == 0); -+ TEST_VERIFY_EXIT (p[1] == 4); -+ /* Extract the address information. */ -+ p += 2; -+ struct response_data *data = decode_address (p, 4); -+ -+ verify_response_data_payload (data, expected_buffer_size); -+ -+ free (buffer); -+} -+ -+static void -+run_test (const char *probe_name) -+{ -+ if (test_verbose) -+ printf ("\ninfo: * use_edns=%d use_dnssec=%d\n", -+ use_edns, use_dnssec); -+ check_hostent (gethostbyname (probe_name)); -+ check_hostent (gethostbyname2 (probe_name, AF_INET)); -+ check_hostent (gethostbyname2 (probe_name, AF_INET6)); -+ do_ai (AF_UNSPEC); -+ do_ai (AF_INET); -+ do_ai (AF_INET6); -+ -+ for (int op = 0; op <= res_op_last; ++op) -+ { -+ do_res_search (probe_name, op, 301, 512); -+ do_res_search (probe_name, op, 511, 512); -+ do_res_search (probe_name, op, 512, 512); -+ do_res_search (probe_name, op, 513, 513); -+ do_res_search (probe_name, op, 657, 657); -+ do_res_search (probe_name, op, 1199, 1199); -+ do_res_search (probe_name, op, 1200, 1200); -+ do_res_search (probe_name, op, 1201, 1200); -+ do_res_search (probe_name, op, 65535, 1200); -+ } -+} -+ -+static int -+do_test (void) -+{ -+ for (int do_edns = 0; do_edns < 2; ++do_edns) -+ for (int do_dnssec = 0; do_dnssec < 2; ++do_dnssec) -+ for (int do_tcp = 0; do_tcp < 2; ++do_tcp) -+ { -+ struct resolv_test *aux = resolv_test_start -+ ((struct resolv_redirect_config) -+ { -+ .response_callback = response, -+ }); -+ -+ use_edns = do_edns; -+ if (do_edns) -+ _res.options |= RES_USE_EDNS0; -+ use_dnssec = do_dnssec; -+ if (do_dnssec) -+ _res.options |= RES_USE_DNSSEC; -+ -+ char *probe_name = xstrdup (EDNS_PROBE_EXAMPLE); -+ if (do_tcp) -+ { -+ char *n = xasprintf ("tcp.%s", probe_name); -+ free (probe_name); -+ probe_name = n; -+ } -+ -+ run_test (probe_name); -+ -+ 
free (probe_name); -+ resolv_test_end (aux); -+ } -+ -+ free_response_data (); -+ return 0; -+} -+ -+#include -diff --git a/support/resolv_test.c b/support/resolv_test.c -index 2d0ea3c..6b3554f 100644 ---- a/support/resolv_test.c -+++ b/support/resolv_test.c -@@ -428,6 +428,7 @@ struct query_info - char qname[MAXDNAME]; - uint16_t qclass; - uint16_t qtype; -+ struct resolv_edns_info edns; - }; - - /* Update *INFO from the specified DNS packet. */ -@@ -435,10 +436,26 @@ static void - parse_query (struct query_info *info, - const unsigned char *buffer, size_t length) - { -- if (length < 12) -+ HEADER hd; -+ _Static_assert (sizeof (hd) == 12, "DNS header size"); -+ if (length < sizeof (hd)) - FAIL_EXIT1 ("malformed DNS query: too short: %zu bytes", length); -- -- int ret = dn_expand (buffer, buffer + length, buffer + 12, -+ memcpy (&hd, buffer, sizeof (hd)); -+ -+ if (ntohs (hd.qdcount) != 1) -+ FAIL_EXIT1 ("malformed DNS query: wrong question count: %d", -+ (int) ntohs (hd.qdcount)); -+ if (ntohs (hd.ancount) != 0) -+ FAIL_EXIT1 ("malformed DNS query: wrong answer count: %d", -+ (int) ntohs (hd.ancount)); -+ if (ntohs (hd.nscount) != 0) -+ FAIL_EXIT1 ("malformed DNS query: wrong authority count: %d", -+ (int) ntohs (hd.nscount)); -+ if (ntohs (hd.arcount) > 1) -+ FAIL_EXIT1 ("malformed DNS query: wrong additional count: %d", -+ (int) ntohs (hd.arcount)); -+ -+ int ret = dn_expand (buffer, buffer + length, buffer + sizeof (hd), - info->qname, sizeof (info->qname)); - if (ret < 0) - FAIL_EXIT1 ("malformed DNS query: cannot uncompress QNAME"); -@@ -456,6 +473,37 @@ parse_query (struct query_info *info, - memcpy (&qtype_qclass, buffer + 12 + ret, sizeof (qtype_qclass)); - info->qclass = ntohs (qtype_qclass.qclass); - info->qtype = ntohs (qtype_qclass.qtype); -+ -+ memset (&info->edns, 0, sizeof (info->edns)); -+ if (ntohs (hd.arcount) > 0) -+ { -+ /* Parse EDNS record. 
*/ -+ struct __attribute__ ((packed, aligned (1))) -+ { -+ uint8_t root; -+ uint16_t rtype; -+ uint16_t payload; -+ uint8_t edns_extended_rcode; -+ uint8_t edns_version; -+ uint16_t flags; -+ uint16_t rdatalen; -+ } rr; -+ _Static_assert (sizeof (rr) == 11, "EDNS record size"); -+ -+ if (remaining < 4 + sizeof (rr)) -+ FAIL_EXIT1 ("mailformed DNS query: no room for EDNS record"); -+ memcpy (&rr, buffer + 12 + ret + 4, sizeof (rr)); -+ if (rr.root != 0) -+ FAIL_EXIT1 ("malformed DNS query: invalid OPT RNAME: %d\n", rr.root); -+ if (rr.rtype != htons (41)) -+ FAIL_EXIT1 ("malformed DNS query: invalid OPT type: %d\n", -+ ntohs (rr.rtype)); -+ info->edns.active = true; -+ info->edns.extended_rcode = rr.edns_extended_rcode; -+ info->edns.version = rr.edns_version; -+ info->edns.flags = ntohs (rr.flags); -+ info->edns.payload_size = ntohs (rr.payload); -+ } - } - - -@@ -585,6 +633,7 @@ server_thread_udp_process_one (struct resolv_test *obj, int server_index) - .query_length = length, - .server_index = server_index, - .tcp = false, -+ .edns = qinfo.edns, - }; - struct resolv_response_builder *b = response_builder_allocate (query, length); - obj->config.response_callback -@@ -820,6 +869,7 @@ server_thread_tcp_client (void *arg) - .query_length = query_length, - .server_index = closure->server_index, - .tcp = true, -+ .edns = qinfo.edns, - }; - struct resolv_response_builder *b = response_builder_allocate - (query_buffer, query_length); -diff --git a/support/resolv_test.h b/support/resolv_test.h -index 7a9f1f7..6498751 100644 ---- a/support/resolv_test.h -+++ b/support/resolv_test.h -@@ -25,6 +25,16 @@ - - __BEGIN_DECLS - -+/* Information about EDNS properties of a DNS query. */ -+struct resolv_edns_info -+{ -+ bool active; -+ uint8_t extended_rcode; -+ uint8_t version; -+ uint16_t flags; -+ uint16_t payload_size; -+}; -+ - /* This struct provides context information when the response callback - specified in struct resolv_redirect_config is invoked. 
*/ - struct resolv_response_context -@@ -33,6 +43,7 @@ struct resolv_response_context - size_t query_length; - int server_index; - bool tcp; -+ struct resolv_edns_info edns; - }; - - /* This opaque struct is used to construct responses from within the --- -1.9.1 - diff --git a/recipes-core/glibc/glibc/CVE-2017-8804.patch b/recipes-core/glibc/glibc/CVE-2017-8804.patch deleted file mode 100644 index ae21ad0..0000000 --- a/recipes-core/glibc/glibc/CVE-2017-8804.patch +++ /dev/null 
@@ -1,225 +0,0 @@ -From 45619a54f7d751a2a7dec7d7ee323e1545b881af Mon Sep 17 00:00:00 2001 -From: Sona Sarmadi -Date: Mon, 11 Sep 2017 13:35:44 +0200 -Subject: [PATCH] CVE-2017-8804 - -The xdr_bytes and xdr_string functions in the glibc or libc6 2.25 mishandle -failures of buffer deserialization, which allows remote attackers to cause -a denial of service (virtual memory allocation, or memory consumption if an -overcommit setting is not used) via a crafted UDP packet to port 111, a -related issue to CVE-2017-8779. - -CVE: CVE-2017-8804 -Upstream-Status: Backport [https://sourceware.org/ml/libc-alpha/2017-05/msg00105.html] - -Signed-off-by: Sona Sarmadi ---- - NEWS | 3 ++ - sunrpc/Makefile | 10 ++++++- - sunrpc/tst-xdrmem3.c | 83 ++++++++++++++++++++++++++++++++++++++++++++++++++++ - sunrpc/xdr.c | 41 ++++++++++++++++++++------ - 4 files changed, 127 insertions(+), 10 deletions(-) - create mode 100644 sunrpc/tst-xdrmem3.c - -diff --git a/NEWS b/NEWS -index ec15dde..29e795a 100644 ---- a/NEWS -+++ b/NEWS -@@ -211,6 +211,9 @@ Security related changes: - question type which is outside the range of valid question type values. - (CVE-2015-5180) - -+* The xdr_bytes and xdr_string routines free the internally allocated buffer -+ if deserialization of the buffer contents fails for any reason. -+ - The following bugs are resolved with this release: - - [4099] stdio: Overly agressive caching by stream i/o functions. 
-diff --git a/sunrpc/Makefile b/sunrpc/Makefile -index 0c1e612..12ec2e7 100644 ---- a/sunrpc/Makefile -+++ b/sunrpc/Makefile -@@ -93,9 +93,16 @@ rpcgen-objs = rpc_main.o rpc_hout.o rpc_cout.o rpc_parse.o \ - extra-objs = $(rpcgen-objs) $(addprefix cross-,$(rpcgen-objs)) - others += rpcgen - --tests = tst-xdrmem tst-xdrmem2 test-rpcent -+tests = tst-xdrmem tst-xdrmem2 test-rpcent tst-xdrmem3 - xtests := tst-getmyaddr - -+tests-special += $(objpfx)mtrace-tst-xdrmem3.out -+generated += mtrace-tst-xdrmem3.out tst-xdrmem3.mtrace -+tst-xdrmem3-ENV = MALLOC_TRACE=$(objpfx)tst-xdrmem3.mtrace -+$(objpfx)mtrace-tst-xdrmem3.out: $(objpfx)tst-xdrmem3.out -+ $(common-objpfx)malloc/mtrace $(objpfx)tst-xdrmem3.mtrace > $@; \ -+ $(evaluate-test) -+ - ifeq ($(have-thread-library),yes) - xtests += thrsvc - endif -@@ -155,6 +162,7 @@ BUILD_CPPFLAGS += $(sunrpc-CPPFLAGS) - $(objpfx)tst-getmyaddr: $(common-objpfx)linkobj/libc.so - $(objpfx)tst-xdrmem: $(common-objpfx)linkobj/libc.so - $(objpfx)tst-xdrmem2: $(common-objpfx)linkobj/libc.so -+(objpfx)tst-xdrmem2: $(common-objpfx)linkobj/libc.so - - $(objpfx)rpcgen: $(addprefix $(objpfx),$(rpcgen-objs)) - -diff --git a/sunrpc/tst-xdrmem3.c b/sunrpc/tst-xdrmem3.c -new file mode 100644 -index 0000000..b3c72ae ---- /dev/null -+++ b/sunrpc/tst-xdrmem3.c -@@ -0,0 +1,83 @@ -+/* Test xdr_bytes, xdr_string behavior on deserialization failure. -+ Copyright (C) 2017 Free Software Foundation, Inc. -+ This file is part of the GNU C Library. -+ -+ The GNU C Library is free software; you can redistribute it and/or -+ modify it under the terms of the GNU Lesser General Public -+ License as published by the Free Software Foundation; either -+ version 2.1 of the License, or (at your option) any later version. -+ -+ The GNU C Library is distributed in the hope that it will be useful, -+ but WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the GNU -+ Lesser General Public License for more details. -+ -+ You should have received a copy of the GNU Lesser General Public -+ License along with the GNU C Library; if not, see -+ . */ -+ -+#include -+#include -+#include -+#include -+ -+static int -+do_test (void) -+{ -+ mtrace (); -+ -+ /* If do_own_buffer, allocate the buffer and pass it to the -+ deserialization routine. Otherwise the routine is requested to -+ allocate the buffer. */ -+ for (int do_own_buffer = 0; do_own_buffer < 2; ++do_own_buffer) -+ { -+ /* Length 16 MiB, but only 2 bytes of data in the packet. */ -+ unsigned char buf[] = "\x01\x00\x00\x00\xff"; -+ XDR xdrs; -+ char *result; -+ unsigned int result_len; -+ -+ /* Test xdr_bytes. */ -+ xdrmem_create (&xdrs, (char *) buf, sizeof (buf), XDR_DECODE); -+ result_len = 0; -+ if (do_own_buffer) -+ { -+ char *own_buffer = xmalloc (10); -+ result = own_buffer; -+ TEST_VERIFY (!xdr_bytes (&xdrs, &result, &result_len, 10)); -+ TEST_VERIFY (result == own_buffer); -+ free (own_buffer); -+ } -+ else -+ { -+ result = NULL; -+ TEST_VERIFY (!xdr_bytes (&xdrs, &result, &result_len, -1)); -+ TEST_VERIFY (result == NULL); -+ } -+ TEST_VERIFY (result_len == 16 * 1024 * 1024); -+ xdr_destroy (&xdrs); -+ -+ /* Test xdr_string. 
*/ -+ xdrmem_create (&xdrs, (char *) buf, sizeof (buf), XDR_DECODE); -+ if (do_own_buffer) -+ { -+ char *own_buffer = xmalloc (10); -+ result = own_buffer; -+ TEST_VERIFY (!xdr_string (&xdrs, &result, 10)); -+ TEST_VERIFY (result == own_buffer); -+ free (own_buffer); -+ } -+ else -+ { -+ result = NULL; -+ TEST_VERIFY (!xdr_string (&xdrs, &result, -1)); -+ TEST_VERIFY (result == NULL); -+ } -+ xdr_destroy (&xdrs); -+ } -+ -+ return 0; -+} -+ -+#include -+ -diff --git a/sunrpc/xdr.c b/sunrpc/xdr.c -index bfabf33..857f7c8 100644 ---- a/sunrpc/xdr.c -+++ b/sunrpc/xdr.c -@@ -620,14 +620,24 @@ xdr_bytes (XDR *xdrs, char **cpp, u_int *sizep, u_int maxsize) - } - if (sp == NULL) - { -- *cpp = sp = (char *) mem_alloc (nodesize); -+ sp = (char *) mem_alloc (nodesize); -+ if (sp == NULL) -+ { -+ (void) __fxprintf (NULL, "%s: %s", __func__, -+ _("out of memory\n")); -+ return FALSE; -+ } - } -- if (sp == NULL) -+ if (!xdr_opaque (xdrs, sp, nodesize)) - { -- (void) __fxprintf (NULL, "%s: %s", __func__, _("out of memory\n")); -+ if (sp != *cpp) -+ /* *cpp was NULL, so this function allocated a new -+ buffer. */ -+ free (sp); - return FALSE; - } -- /* fall into ... */ -+ *cpp = sp; -+ return TRUE; - - case XDR_ENCODE: - return xdr_opaque (xdrs, sp, nodesize); -@@ -781,14 +791,27 @@ xdr_string (XDR *xdrs, char **cpp, u_int maxsize) - { - case XDR_DECODE: - if (sp == NULL) -- *cpp = sp = (char *) mem_alloc (nodesize); -- if (sp == NULL) - { -- (void) __fxprintf (NULL, "%s: %s", __func__, _("out of memory\n")); -- return FALSE; -+ sp = (char *) mem_alloc (nodesize); -+ if (sp == NULL) -+ { -+ (void) __fxprintf (NULL, "%s: %s", __func__, -+ _("out of memory\n")); -+ return FALSE; -+ } - } - sp[size] = 0; -- /* fall into ... */ -+ -+ if (!xdr_opaque (xdrs, sp, size)) -+ { -+ if (sp != *cpp) -+ /* *cpp was NULL, so this function allocated a new -+ buffer. 
*/ -+ free (sp); -+ return FALSE; -+ } -+ *cpp = sp; -+ return TRUE; - - case XDR_ENCODE: - return xdr_opaque (xdrs, sp, size); --- -1.9.1 - diff --git a/recipes-core/glibc/glibc_%.bbappend b/recipes-core/glibc/glibc_%.bbappend deleted file mode 100644 index f2c9a31..0000000 --- a/recipes-core/glibc/glibc_%.bbappend +++ /dev/null @@ -1,8 +0,0 @@ -# look for files in the layer first -FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" - -SRC_URI += "file://CVE-2017-1000366.patch \ - file://CVE-2017-12132.patch \ - file://CVE-2017-8804.patch \ - " - diff --git a/recipes-core/systemd/systemd/CVE-2017-9445.patch b/recipes-core/systemd/systemd/CVE-2017-9445.patch deleted file mode 100644 index 031901d..0000000 --- a/recipes-core/systemd/systemd/CVE-2017-9445.patch +++ /dev/null 
@@ -1,56 +0,0 @@ -From db848813bae4d28c524b3b6a7dad135e426659ce Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Sun, 18 Jun 2017 16:07:57 -0400 -Subject: [PATCH] resolved: simplify alloc size calculation - -The allocation size was calculated in a complicated way, and for values -close to the page size we would actually allocate less than requested. - -Reported by Chris Coulson . - -CVE-2017-9445 - -CVE: CVE-2017-8872 -Upstream-Status: Backport - -Signed-off-by: Sona Sarmadi ---- - src/resolve/resolved-dns-packet.c | 8 +------- - src/resolve/resolved-dns-packet.h | 2 -- - 2 files changed, 1 insertion(+), 9 deletions(-) - -diff --git a/src/resolve/resolved-dns-packet.c b/src/resolve/resolved-dns-packet.c -index 240ee44..821b66e 100644 ---- a/src/resolve/resolved-dns-packet.c -+++ b/src/resolve/resolved-dns-packet.c -@@ -47,13 +47,7 @@ int dns_packet_new(DnsPacket **ret, DnsProtocol protocol, size_t mtu) { - - assert(ret); - -- if (mtu <= UDP_PACKET_HEADER_SIZE) -- a = DNS_PACKET_SIZE_START; -- else -- a = mtu - UDP_PACKET_HEADER_SIZE; -- -- if (a < DNS_PACKET_HEADER_SIZE) -- a = DNS_PACKET_HEADER_SIZE; -+ a = MAX(mtu, DNS_PACKET_HEADER_SIZE); - - /* round up to next page size */ - a = PAGE_ALIGN(ALIGN(sizeof(DnsPacket)) + a) - ALIGN(sizeof(DnsPacket)); -diff --git a/src/resolve/resolved-dns-packet.h b/src/resolve/resolved-dns-packet.h -index 2c92392..3abcaf8 100644 ---- a/src/resolve/resolved-dns-packet.h -+++ b/src/resolve/resolved-dns-packet.h -@@ -66,8 +66,6 @@ struct DnsPacketHeader { - /* With EDNS0 we can use larger packets, default to 4096, which is what is commonly used */ - #define DNS_PACKET_UNICAST_SIZE_LARGE_MAX 4096 - --#define DNS_PACKET_SIZE_START 512 -- - struct DnsPacket { - int n_ref; - DnsProtocol protocol; --- -1.9.1 - diff --git a/recipes-core/systemd/systemd_%.bbappend b/recipes-core/systemd/systemd_%.bbappend deleted file mode 100644 index e07dbe1..0000000 
--- a/recipes-core/systemd/systemd_%.bbappend +++ /dev/null @@ -1,6 +0,0 @@ -# look for files in the layer first -FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" - -SRC_URI += "file://CVE-2017-9445.patch \ - " - diff --git a/recipes-devtools/dpkg/dpkg/CVE-2017-8283.patch b/recipes-devtools/dpkg/dpkg/CVE-2017-8283.patch deleted file mode 100644 index b4c8df1..0000000 --- a/recipes-devtools/dpkg/dpkg/CVE-2017-8283.patch +++ /dev/null 
@@ -1,190 +0,0 @@ -From 67f2bc55ec79926f3334eb2956a62719f824e85b Mon Sep 17 00:00:00 2001 -From: Sona Sarmadi -Date: Thu, 14 Dec 2017 10:21:01 +0100 -Subject: [PATCH] build: Detect the required GNU patch - -This makes sure the perl module is using a directory traversal resistant -patch implementation, currently that's only GNU patch. - -CVE: CVE-2017-8283 -Upstream-Status: Backport [remotes/origin/1.18.x: 8ba04d41c839318b5a024f6c5298848d3b54c723] - -Signed-off-by: Sona Sarmadi ---- - configure.ac | 1 + - debian/changelog | 5 +++++ - m4/dpkg-progs.m4 | 15 +++++++++++++++ - scripts/Dpkg.pm | 13 ++++++++++++- - scripts/Dpkg/Source/Patch.pm | 9 +++++---- - scripts/Makefile.am | 4 +++- - 6 files changed, 41 insertions(+), 6 deletions(-) - -diff --git a/configure.ac b/configure.ac -index 3123d0c..0112d4d 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -61,6 +61,7 @@ AC_PROG_CC - DPKG_C_C99 - AC_PROG_CXX - DPKG_CXX_CXX11 -+DPKG_PROG_PATCH - AC_CHECK_PROGS([DOXYGEN], [doxygen]) - AC_CHECK_PROG([HAVE_DOT], [dot], [YES], [NO]) - DPKG_PROG_PO4A -diff --git a/debian/changelog b/debian/changelog -index 695c55d..4b5b36b 100644 ---- a/debian/changelog -+++ b/debian/changelog -@@ -1,3 +1,8 @@ -+ - Check that the detected patch is a GNU patch, so that we get a directory -+ traversal resistant patch implementation. This fixes CVE-2017-8283 by -+ delegating those checks to patch(1), so that we trap blank-indented -+ diff hunks trying to escape from the source tree. -+ - dpkg (1.18.10) unstable; urgency=medium - - [ Guillem Jover ] -diff --git a/m4/dpkg-progs.m4 b/m4/dpkg-progs.m4 -index c59f595..577d50d 100644 ---- a/m4/dpkg-progs.m4 -+++ b/m4/dpkg-progs.m4 -@@ -49,3 +49,18 @@ AC_ARG_VAR([TAR], [GNU tar program]) - AC_CHECK_PROGS([TAR], [gnutar gtar tar], [tar]) - AC_DEFINE_UNQUOTED([TAR], ["$TAR"], [GNU tar program]) - ])# DPKG_DEB_PROG_TAR -+ -+# DPKG_PROG_PATCH -+# --------------- -+# Specify GNU patch program name to use by dpkg-source. 
On GNU systems this -+# is usually simply patch, on BSD systems this is usually gpatch. -+# Even though most invocations would work with other patch implementations, -+# currently only GNU patch is directory traversal resistant. -+AC_DEFUN([DPKG_PROG_PATCH], [ -+ AC_ARG_VAR([PATCH], [GNU patch program]) -+ AC_CHECK_PROGS([PATCH], [gpatch patch], [patch]) -+ AS_IF([! $PATCH --version 2>/dev/null | grep -q '^GNU patch'], [ -+ AC_MSG_ERROR([cannot find a GNU patch program]) -+ ]) -+ AC_DEFINE_UNQUOTED([PATCH], ["$PATCH"], [GNU patch program]) -+])# DPKG_PROG_PATCH -diff --git a/scripts/Dpkg.pm b/scripts/Dpkg.pm -index deecfb3..4905ab8 100644 ---- a/scripts/Dpkg.pm -+++ b/scripts/Dpkg.pm -@@ -29,10 +29,11 @@ this system installation. - use strict; - use warnings; - --our $VERSION = '1.01'; -+our $VERSION = '1.03'; - our @EXPORT_OK = qw( - $PROGNAME - $PROGVERSION -+ $PROGPATCH - $CONFDIR - $ADMINDIR - $LIBDIR -@@ -60,6 +61,11 @@ Contains the name of the current program. - - Contains the version of the dpkg suite. - -+=item $Dpkg::PROGPATCH -+ -+Contains the name of the system GNU patch program (or another implementation -+that is directory traversal resistant). -+ - =item $Dpkg::CONFDIR - - Contains the path to the dpkg system configuration directory. -@@ -84,6 +90,7 @@ our ($PROGNAME) = $0 =~ m{(?:.*/)?([^/]*)}; - - # The following lines are automatically fixed at install time - our $PROGVERSION = '1.18.x'; -+our $PROGPATCH = $ENV{DPKG_PROGPATCH} // 'patch'; - our $CONFDIR = '/etc/dpkg'; - our $ADMINDIR = '/var/lib/dpkg'; - our $LIBDIR = '.'; -@@ -100,6 +107,10 @@ our $pkgdatadir = $DATADIR; - - =head1 CHANGES - -+=head2 Version 1.03 (dpkg 1.18.10) -+ -+New variable: $PROGPATCH. 
-+ - =head2 Version 1.01 (dpkg 1.17.0) - - New variables: $PROGNAME, $PROGVERSION, $CONFDIR, $ADMINDIR, $LIBDIR and -diff --git a/scripts/Dpkg/Source/Patch.pm b/scripts/Dpkg/Source/Patch.pm -index ee5e114..22e9d21 100644 ---- a/scripts/Dpkg/Source/Patch.pm -+++ b/scripts/Dpkg/Source/Patch.pm -@@ -30,6 +30,7 @@ use File::Compare; - use Fcntl ':mode'; - use Time::HiRes qw(stat); - -+use Dpkg; - use Dpkg::Gettext; - use Dpkg::ErrorHandling; - use Dpkg::IPC; -@@ -582,7 +583,7 @@ sub apply { - $self->ensure_open('r'); - my ($stdout, $stderr) = ('', ''); - spawn( -- exec => [ 'patch', @{$opts{options}} ], -+ exec => [ $Dpkg::PROGPATCH, @{$opts{options}} ], - chdir => $destdir, - env => { LC_ALL => 'C', LANG => 'C', PATCH_GET => '0' }, - delete_env => [ 'POSIXLY_CORRECT' ], # ensure expected patch behaviour -@@ -595,7 +596,7 @@ sub apply { - if ($?) { - print { *STDOUT } $stdout; - print { *STDERR } $stderr; -- subprocerr('LC_ALL=C patch ' . join(' ', @{$opts{options}}) . -+ subprocerr("LC_ALL=C $Dpkg::PROGPATCH " . join(' ', @{$opts{options}}) . - ' < ' . 
$self->get_filename()); - } - $self->close(); -@@ -632,7 +633,7 @@ sub check_apply { - # Apply the patch - $self->ensure_open('r'); - my $patch_pid = spawn( -- exec => [ 'patch', @{$opts{options}} ], -+ exec => [ $Dpkg::PROGPATCH, @{$opts{options}} ], - chdir => $destdir, - env => { LC_ALL => 'C', LANG => 'C', PATCH_GET => '0' }, - delete_env => [ 'POSIXLY_CORRECT' ], # ensure expected patch behaviour -@@ -642,7 +643,7 @@ sub check_apply { - ); - wait_child($patch_pid, nocheck => 1); - my $exit = WEXITSTATUS($?); -- subprocerr('patch --dry-run') unless WIFEXITED($?); -+ subprocerr("$Dpkg::PROGPATCH --dry-run") unless WIFEXITED($?); - $self->close(); - return ($exit == 0); - } -diff --git a/scripts/Makefile.am b/scripts/Makefile.am -index 7b1ac36..84059c1 100644 ---- a/scripts/Makefile.am -+++ b/scripts/Makefile.am -@@ -127,6 +127,7 @@ do_perl_subst = $(AM_V_GEN) \ - -e "s:\$$ADMINDIR[[:space:]]*=[[:space:]]*['\"][^'\"]*['\"]:\$$ADMINDIR='$(admindir)':" \ - -e "s:\$$LIBDIR[[:space:]]*=[[:space:]]*['\"][^'\"]*['\"]:\$$LIBDIR='$(pkglibdir)':" \ - -e "s:\$$DATADIR[[:space:]]*=[[:space:]]*['\"][^'\"]*['\"]:\$$DATADIR='$(pkgdatadir)':" \ -+ -e "s:our \$$PROGPATCH = .*;:our \$$PROGPATCH = '$(PATCH)';:" \ - -e "s:\$$PROGVERSION[[:space:]]*=[[:space:]]*['\"][^'\"]*[\"']:\$$PROGVERSION='$(PACKAGE_VERSION)':" - - do_shell_subst = $(AM_V_GEN) \ -@@ -187,7 +188,8 @@ coverage-clean: - rm -rf cover_db - - TEST_ENV_VARS = \ -- DPKG_DATADIR=$(srcdir)/.. \ -+ DPKG_PROGPATCH=$(PATCH) \ -+ DPKG_DATADIR=$(srcdir)/.. \ - DPKG_ORIGINS_DIR=$(srcdir)/t/origins - TEST_COVERAGE = $(PERL_COVERAGE) - --- -1.9.1 - diff --git a/recipes-devtools/dpkg/dpkg/test-case-for-CVE-2017-8283.patch b/recipes-devtools/dpkg/dpkg/test-case-for-CVE-2017-8283.patch deleted file mode 100644 index 5632d8f..0000000 --- a/recipes-devtools/dpkg/dpkg/test-case-for-CVE-2017-8283.patch +++ /dev/null 
@@ -1,83 +0,0 @@ -From 57a3daba4d3dee1c33571e84f160aa1c67aece4c Mon Sep 17 00:00:00 2001 -From: Sona Sarmadi -Date: Thu, 14 Dec 2017 10:40:42 +0100 -Subject: [PATCH] Dpkg::Source::Patch: Indented patch test-case - -POSIX specifies that a diff hunk can be indented by spaces or tabs -(while the original patch(1) by Larry Wall also accepts 'X'), as long -as the amount of spaces is consistent for all subsequent lines. And as -we are not checking for this condition at all, any such indented hunk -can avoid the sanity checks performed by Dpkg::Source::Patch. - -On systems using GNU patch >= 2.7.5, this should, in principle, not be -a problem anymore, as that implementation protects against directory -traversal issue. But on other systems where the patch implementation -does not perform such checks (such as the BSDs) this is an issue, so -check for this in the test-suite. - -Those are arguably all security issues in these various patch -implementations, but given that we are performing sanity checks and that -those implementations are currently very lax, it seems prudent to do the -heavy lifting ourselves and also take the possible blame too. - -Ref: test-case for CVE-2017-8283 -Upstream-Status: Backport - -Signed-off-by: Sona Sarmadi ---- - debian/changelog | 3 +++ - scripts/Makefile.am | 1 + - scripts/t/Dpkg_Source_Patch.t | 6 +++++- - 3 files changed, 9 insertions(+), 1 deletion(-) - -diff --git a/debian/changelog b/debian/changelog -index 4b5b36b..596a59e 100644 ---- a/debian/changelog -+++ b/debian/changelog -@@ -2,6 +2,9 @@ - traversal resistant patch implementation. This fixes CVE-2017-8283 by - delegating those checks to patch(1), so that we trap blank-indented - diff hunks trying to escape from the source tree. -+ * Test suite: -+ - Add a test case for blank-indented patches which were the cause for -+ CVE-2017-8283. 
- - dpkg (1.18.10) unstable; urgency=medium - -diff --git a/scripts/Makefile.am b/scripts/Makefile.am -index 84059c1..6ce0ad6 100644 ---- a/scripts/Makefile.am -+++ b/scripts/Makefile.am -@@ -275,6 +275,7 @@ test_data = \ - t/Dpkg_Shlibs/spacesyms-o-map.pl \ - t/Dpkg_Source_Patch/c-style.patch \ - t/Dpkg_Source_Patch/ghost-hunk.patch \ -+ t/Dpkg_Source_Patch/indent-header.patch \ - t/Dpkg_Source_Patch/index-+++.patch \ - t/Dpkg_Source_Patch/index-alone.patch \ - t/Dpkg_Source_Patch/index-inert.patch \ -diff --git a/scripts/t/Dpkg_Source_Patch.t b/scripts/t/Dpkg_Source_Patch.t -index 258a9aa..30be77a 100644 ---- a/scripts/t/Dpkg_Source_Patch.t -+++ b/scripts/t/Dpkg_Source_Patch.t -@@ -16,7 +16,7 @@ - use strict; - use warnings; - --use Test::More tests => 9; -+use Test::More tests => 10; - - use File::Path qw(make_path); - -@@ -67,4 +67,8 @@ test_patch_escape('partial', 'symlink', 'partial.patch', - test_patch_escape('ghost-hunk', 'symlink', 'ghost-hunk.patch', - 'Patch cannot escape using a disabling hunk'); - -+# This is CVE-2017-8283 -+test_patch_escape('indent-header', 'symlink', 'indent-header.patch', -+ 'Patch cannot escape indented hunks'); -+ - 1; --- -1.9.1 - diff --git a/recipes-devtools/dpkg/dpkg_%.bbappend b/recipes-devtools/dpkg/dpkg_%.bbappend deleted file mode 100644 index 65d380e..0000000 --- a/recipes-devtools/dpkg/dpkg_%.bbappend +++ /dev/null @@ -1,6 +0,0 @@ -# look for files in the layer first -FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" - -SRC_URI += "file://CVE-2017-8283.patch \ - file://test-case-for-CVE-2017-8283.patch \ - " diff --git a/recipes-networking/dnsmasq/dnsmasq/0001-CVE-2017-14491.patch b/recipes-networking/dnsmasq/dnsmasq/0001-CVE-2017-14491.patch deleted file mode 100644 index 1eda591..0000000 --- a/recipes-networking/dnsmasq/dnsmasq/0001-CVE-2017-14491.patch +++ /dev/null 
@@ -1,269 +0,0 @@ -From 0549c73b7ea6b22a3c49beb4d432f185a81efcbc Mon Sep 17 00:00:00 2001 -From: Simon Kelley -Date: Mon, 25 Sep 2017 18:17:11 +0100 -Subject: [PATCH] Security fix, CVE-2017-14491 DNS heap buffer overflow. - -Fix heap overflow in DNS code. This is a potentially serious -security hole. It allows an attacker who can make DNS -requests to dnsmasq, and who controls the contents of -a domain, which is thereby queried, to overflow -(by 2 bytes) a heap buffer and either crash, or -even take control of, dnsmasq. - -CVE: CVE-2017-14491 -Upstream-Status: Backport [src/dnsmasq.h patch failed, modified manually] - -Signed-off-by: Sona Sarmadi - -diff -Nurp a/CHANGELOG b/CHANGELOG ---- a/CHANGELOG 2016-05-18 16:51:54.000000000 +0200 -+++ b/CHANGELOG 2017-10-04 09:38:20.445498463 +0200 -@@ -123,6 +123,18 @@ version 2.75 - dhcp-script is configured. Thanks to Adrian Davey for - reporting the bug and testing the fix. - -+ Fix heap overflow in DNS code. This is a potentially serious -+ security hole. It allows an attacker who can make DNS -+ requests to dnsmasq, and who controls the contents of -+ a domain, which is thereby queried, to overflow -+ (by 2 bytes) a heap buffer and either crash, or -+ even take control of, dnsmasq. -+ CVE-2017-14491 applies. -+ Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana -+ and Kevin Hamacher of the Google Security Team for -+ finding this. 
-+ -+ - - version 2.74 - Fix reversion in 2.73 where --conf-file would attempt to -diff -Nurp a/src/dnsmasq.h b/src/dnsmasq.h ---- a/src/dnsmasq.h 2016-05-18 16:51:54.000000000 +0200 -+++ b/src/dnsmasq.h 2017-10-04 09:39:39.366156718 +0200 -@@ -1161,7 +1161,7 @@ u32 rand32(void); - u64 rand64(void); - int legal_hostname(char *c); - char *canonicalise(char *s, int *nomem); --unsigned char *do_rfc1035_name(unsigned char *p, char *sval); -+unsigned char *do_rfc1035_name(unsigned char *p, char *sval, char *limit); - void *safe_malloc(size_t size); - void safe_pipe(int *fd, int read_noblock); - void *whine_malloc(size_t size); -diff -Nurp a/src/dnssec.c b/src/dnssec.c ---- a/src/dnssec.c 2016-05-18 16:51:54.000000000 +0200 -+++ b/src/dnssec.c 2017-10-04 09:38:20.445498463 +0200 -@@ -2227,7 +2227,7 @@ size_t dnssec_generate_query(struct dns_ - - p = (unsigned char *)(header+1); - -- p = do_rfc1035_name(p, name); -+ p = do_rfc1035_name(p, name, NULL); - *p++ = 0; - PUTSHORT(type, p); - PUTSHORT(class, p); -diff -Nurp a/src/option.c b/src/option.c ---- a/src/option.c 2016-05-18 16:51:54.000000000 +0200 -+++ b/src/option.c 2017-10-04 09:38:20.449498294 +0200 -@@ -1378,7 +1378,7 @@ static int parse_dhcp_opt(char *errstr, - } - - p = newp; -- end = do_rfc1035_name(p + len, dom); -+ end = do_rfc1035_name(p + len, dom, NULL); - *end++ = 0; - len = end - p; - free(dom); -diff -Nurp a/src/rfc1035.c b/src/rfc1035.c ---- a/src/rfc1035.c 2016-05-18 16:51:54.000000000 +0200 -+++ b/src/rfc1035.c 2017-10-04 09:38:20.449498294 +0200 -@@ -1049,6 +1049,7 @@ int check_for_ignored_address(struct dns - return 0; - } - -+ - int add_resource_record(struct dns_header *header, char *limit, int *truncp, int nameoffset, unsigned char **pp, - unsigned long ttl, int *offset, unsigned short type, unsigned short class, char *format, ...) 
- { -@@ -1058,12 +1059,21 @@ int add_resource_record(struct dns_heade - unsigned short usval; - long lval; - char *sval; -+#define CHECK_LIMIT(size) \ -+ if (limit && p + (size) > (unsigned char*)limit) \ -+ { \ -+ va_end(ap); \ -+ goto truncated; \ -+ } - - if (truncp && *truncp) - return 0; -- -+ - va_start(ap, format); /* make ap point to 1st unamed argument */ -- -+ -+ /* nameoffset (1 or 2) + type (2) + class (2) + ttl (4) + 0 (2) */ -+ CHECK_LIMIT(12); -+ - if (nameoffset > 0) - { - PUTSHORT(nameoffset | 0xc000, p); -@@ -1072,7 +1082,13 @@ int add_resource_record(struct dns_heade - { - char *name = va_arg(ap, char *); - if (name) -- p = do_rfc1035_name(p, name); -+ p = do_rfc1035_name(p, name, limit); -+ if (!p) -+ { -+ va_end(ap); -+ goto truncated; -+ } -+ - if (nameoffset < 0) - { - PUTSHORT(-nameoffset | 0xc000, p); -@@ -1093,6 +1109,7 @@ int add_resource_record(struct dns_heade - { - #ifdef HAVE_IPV6 - case '6': -+ CHECK_LIMIT(IN6ADDRSZ); - sval = va_arg(ap, char *); - memcpy(p, sval, IN6ADDRSZ); - p += IN6ADDRSZ; -@@ -1100,36 +1117,47 @@ int add_resource_record(struct dns_heade - #endif - - case '4': -+ CHECK_LIMIT(INADDRSZ); - sval = va_arg(ap, char *); - memcpy(p, sval, INADDRSZ); - p += INADDRSZ; - break; - - case 'b': -+ CHECK_LIMIT(1); - usval = va_arg(ap, int); - *p++ = usval; - break; - - case 's': -+ CHECK_LIMIT(2); - usval = va_arg(ap, int); - PUTSHORT(usval, p); - break; - - case 'l': -+ CHECK_LIMIT(4); - lval = va_arg(ap, long); - PUTLONG(lval, p); - break; - - case 'd': -- /* get domain-name answer arg and store it in RDATA field */ -- if (offset) -- *offset = p - (unsigned char *)header; -- p = do_rfc1035_name(p, va_arg(ap, char *)); -- *p++ = 0; -+ /* get domain-name answer arg and store it in RDATA field */ -+ if (offset) -+ *offset = p - (unsigned char *)header; -+ p = do_rfc1035_name(p, va_arg(ap, char *), limit); -+ if (!p) -+ { -+ va_end(ap); -+ goto truncated; -+ } -+ CHECK_LIMIT(1); -+ *p++ = 0; - break; - - case 't': - usval = 
va_arg(ap, int); -+ CHECK_LIMIT(usval); - sval = va_arg(ap, char *); - if (usval != 0) - memcpy(p, sval, usval); -@@ -1141,20 +1169,24 @@ int add_resource_record(struct dns_heade - usval = sval ? strlen(sval) : 0; - if (usval > 255) - usval = 255; -+ CHECK_LIMIT(usval + 1); - *p++ = (unsigned char)usval; - memcpy(p, sval, usval); - p += usval; - break; - } - -+#undef CHECK_LIMIT - va_end(ap); /* clean up variable argument pointer */ - - j = p - sav - 2; -- PUTSHORT(j, sav); /* Now, store real RDLength */ -+ /* this has already been checked against limit before */ -+ PUTSHORT(j, sav); /* Now, store real RDLength */ - - /* check for overflow of buffer */ - if (limit && ((unsigned char *)limit - p) < 0) - { -+truncated: - if (truncp) - *truncp = 1; - return 0; -diff -Nurp a/src/rfc2131.c b/src/rfc2131.c ---- a/src/rfc2131.c 2016-05-18 16:51:54.000000000 +0200 -+++ b/src/rfc2131.c 2017-10-04 09:38:20.449498294 +0200 -@@ -2419,10 +2419,10 @@ static void do_options(struct dhcp_conte - - if (fqdn_flags & 0x04) - { -- p = do_rfc1035_name(p, hostname); -+ p = do_rfc1035_name(p, hostname, NULL); - if (domain) - { -- p = do_rfc1035_name(p, domain); -+ p = do_rfc1035_name(p, domain, NULL); - *p++ = 0; - } - } -diff -Nurp a/src/rfc3315.c b/src/rfc3315.c ---- a/src/rfc3315.c 2016-05-18 16:51:54.000000000 +0200 -+++ b/src/rfc3315.c 2017-10-04 09:38:20.449498294 +0200 -@@ -1472,10 +1472,10 @@ static struct dhcp_netid *add_options(st - if ((p = expand(len + 2))) - { - *(p++) = state->fqdn_flags; -- p = do_rfc1035_name(p, state->hostname); -+ p = do_rfc1035_name(p, state->hostname, NULL); - if (state->send_domain) - { -- p = do_rfc1035_name(p, state->send_domain); -+ p = do_rfc1035_name(p, state->send_domain, NULL); - *p = 0; - } - } -diff -Nurp a/src/util.c b/src/util.c ---- a/src/util.c 2016-05-18 16:51:54.000000000 +0200 -+++ b/src/util.c 2017-10-04 09:38:20.453498124 +0200 -@@ -218,15 +218,20 @@ char *canonicalise(char *in, int *nomem) - return ret; - } - --unsigned char 
*do_rfc1035_name(unsigned char *p, char *sval) -+unsigned char *do_rfc1035_name(unsigned char *p, char *sval, char *limit) - { - int j; - - while (sval && *sval) - { -+ if (limit && p + 1 > (unsigned char*)limit) -+ return p; -+ - unsigned char *cp = p++; - for (j = 0; *sval && (*sval != '.'); sval++, j++) - { -+ if (limit && p + 1 > (unsigned char*)limit) -+ return p; - #ifdef HAVE_DNSSEC - if (option_bool(OPT_DNSSEC_VALID) && *sval == NAME_ESCAPE) - *p++ = (*(++sval))-1; diff --git a/recipes-networking/dnsmasq/dnsmasq/0002-CVE-2017-14491.patch b/recipes-networking/dnsmasq/dnsmasq/0002-CVE-2017-14491.patch deleted file mode 100644 index 6f27667..0000000 --- a/recipes-networking/dnsmasq/dnsmasq/0002-CVE-2017-14491.patch +++ /dev/null 
@@ -1,73 +0,0 @@ -From 62cb936cb7ad5f219715515ae7d32dd281a5aa1f Mon Sep 17 00:00:00 2001 -From: Simon Kelley -Date: Tue, 26 Sep 2017 22:00:11 +0100 -Subject: [PATCH] Security fix, CVE-2017-14491, DNS heap buffer overflow. - -Further fix to 0549c73b7ea6b22a3c49beb4d432f185a81efcbc -Handles case when RR name is not a pointer to the question, -only occurs for some auth-mode replies, therefore not -detected by fuzzing (?) - -CVE: CVE-2017-14491 -Upstream-Status: Backport - -Signed-off-by: Sona Sarmadi ---- - src/rfc1035.c | 27 +++++++++++++++------------ - 1 file changed, 15 insertions(+), 12 deletions(-) - -diff --git a/src/rfc1035.c b/src/rfc1035.c -index 27af023..56ab88b 100644 ---- a/src/rfc1035.c -+++ b/src/rfc1035.c -@@ -1086,32 +1086,35 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int - - va_start(ap, format); /* make ap point to 1st unamed argument */ - -- /* nameoffset (1 or 2) + type (2) + class (2) + ttl (4) + 0 (2) */ -- CHECK_LIMIT(12); -- - if (nameoffset > 0) - { -+ CHECK_LIMIT(2); - PUTSHORT(nameoffset | 0xc000, p); - } - else - { - char *name = va_arg(ap, char *); -- if (name) -- p = do_rfc1035_name(p, name, limit); -- if (!p) -- { -- va_end(ap); -- goto truncated; -- } -- -+ if (name && !(p = do_rfc1035_name(p, name, limit))) -+ { -+ va_end(ap); -+ goto truncated; -+ } -+ - if (nameoffset < 0) - { -+ CHECK_LIMIT(2); - PUTSHORT(-nameoffset | 0xc000, p); - } - else -- *p++ = 0; -+ { -+ CHECK_LIMIT(1); -+ *p++ = 0; -+ } - } - -+ /* type (2) + class (2) + ttl (4) + rdlen (2) */ -+ CHECK_LIMIT(10); -+ - PUTSHORT(type, p); - PUTSHORT(class, p); - PUTLONG(ttl, p); /* TTL */ --- -1.7.10.4 - diff --git a/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14492.patch b/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14492.patch deleted file mode 100644 index 5b66944..0000000 --- a/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14492.patch +++ /dev/null 
@@ -1,57 +0,0 @@ -From 24036ea507862c7b7898b68289c8130f85599c10 Mon Sep 17 00:00:00 2001 -From: Simon Kelley -Date: Mon, 25 Sep 2017 18:47:15 +0100 -Subject: [PATCH] Security fix, CVE-2017-14492, DHCPv6 RA heap overflow. - -Fix heap overflow in IPv6 router advertisement code. -This is a potentially serious security hole, as a -crafted RA request can overflow a buffer and crash or -control dnsmasq. Attacker must be on the local network. - -CVE: CVE-2017-14492 -Upstream-Status: Backport - -Signed-off-by: Sona Sarmadi ---- - CHANGELOG | 10 +++++++++- - src/radv.c | 3 +++ - 2 files changed, 12 insertions(+), 1 deletion(-) - -diff --git a/CHANGELOG b/CHANGELOG -index a7c2f35..df6c157 100644 ---- a/CHANGELOG -+++ b/CHANGELOG -@@ -35,7 +35,15 @@ version 2.78 - and Kevin Hamacher of the Google Security Team for - finding this. - -- -+ Fix heap overflow in IPv6 router advertisement code. -+ This is a potentially serious security hole, as a -+ crafted RA request can overflow a buffer and crash or -+ control dnsmasq. Attacker must be on the local network. -+ CVE-2017-14492 applies. -+ Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana -+ and Kevin Hamacher of the Google Security Team for -+ finding this. -+ - - version 2.77 - Generate an error when configured with a CNAME loop, -diff --git a/src/radv.c b/src/radv.c -index 1032189..9b7e52c 100644 ---- a/src/radv.c -+++ b/src/radv.c -@@ -198,6 +198,9 @@ void icmp6_packet(time_t now) - /* look for link-layer address option for logging */ - if (sz >= 16 && packet[8] == ICMP6_OPT_SOURCE_MAC && (packet[9] * 8) + 8 <= sz) - { -+ if ((packet[9] * 8 - 2) * 3 - 1 >= MAXDNAME) { -+ return; -+ } - print_mac(daemon->namebuff, &packet[10], (packet[9] * 8) - 2); - mac = daemon->namebuff; - } --- -1.7.10.4 - diff --git a/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14493.patch b/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14493.patch deleted file mode 100644 index fedb825..0000000 
--- a/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14493.patch +++ /dev/null @@ -1,55 +0,0 @@ -From 3d4ff1ba8419546490b464418223132529514033 Mon Sep 17 00:00:00 2001 -From: Simon Kelley -Date: Mon, 25 Sep 2017 18:52:50 +0100 -Subject: [PATCH] Security fix, CVE-2017-14493, DHCPv6 - Stack buffer - overflow. - -Fix stack overflow in DHCPv6 code. An attacker who can send -a DHCPv6 request to dnsmasq can overflow the stack frame and -crash or control dnsmasq. - -CVE: CVE-2017-14493 -Upstream-Status: Backport - -Signed-off-by: Sona Sarmadi ---- - CHANGELOG | 8 ++++++++ - src/rfc3315.c | 3 +++ - 2 files changed, 11 insertions(+) - -diff --git a/CHANGELOG b/CHANGELOG -index df6c157..c48378f 100644 ---- a/CHANGELOG -+++ b/CHANGELOG -@@ -43,6 +43,14 @@ version 2.78 - Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana - and Kevin Hamacher of the Google Security Team for - finding this. -+ -+ Fix stack overflow in DHCPv6 code. An attacker who can send -+ a DHCPv6 request to dnsmasq can overflow the stack frame and -+ crash or control dnsmasq. -+ CVE-2017-14493 applies. -+ Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana -+ and Kevin Hamacher of the Google Security Team for -+ finding this. - - - version 2.77 -diff --git a/src/rfc3315.c b/src/rfc3315.c -index 1687931..920907c 100644 ---- a/src/rfc3315.c -+++ b/src/rfc3315.c -@@ -206,6 +206,9 @@ static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz, - /* RFC-6939 */ - if ((opt = opt6_find(opts, end, OPTION6_CLIENT_MAC, 3))) - { -+ if (opt6_len(opt) - 2 > DHCP_CHADDR_MAX) { -+ return 0; -+ } - state->mac_type = opt6_uint(opt, 0, 2); - state->mac_len = opt6_len(opt) - 2; - memcpy(&state->mac[0], opt6_ptr(opt, 2), state->mac_len); --- -1.7.10.4 - diff --git a/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14494.patch b/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14494.patch deleted file mode 100644 index d32f713..0000000 --- a/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14494.patch +++ /dev/null 
@@ -1,55 +0,0 @@ -From 33e3f1029c9ec6c63e430ff51063a6301d4b2262 Mon Sep 17 00:00:00 2001 -From: Simon Kelley -Date: Mon, 25 Sep 2017 20:05:11 +0100 -Subject: [PATCH] Security fix, CVE-2017-14494, Infoleak handling DHCPv6 - forwarded requests. - -Fix information leak in DHCPv6. A crafted DHCPv6 packet can -cause dnsmasq to forward memory from outside the packet -buffer to a DHCPv6 server when acting as a relay. - -CVE: CVE-2017-14494 -Upstream-Status: Backport - -Signed-off-by: Sona Sarmadi ---- - CHANGELOG | 8 ++++++++ - src/rfc3315.c | 3 +++ - 2 files changed, 11 insertions(+) - -diff --git a/CHANGELOG b/CHANGELOG -index c48378f..d1cc074 100644 ---- a/CHANGELOG -+++ b/CHANGELOG -@@ -51,6 +51,14 @@ version 2.78 - Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana - and Kevin Hamacher of the Google Security Team for - finding this. -+ -+ Fix information leak in DHCPv6. A crafted DHCPv6 packet can -+ cause dnsmasq to forward memory from outside the packet -+ buffer to a DHCPv6 server when acting as a relay. -+ CVE-2017-14494 applies. -+ Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana -+ and Kevin Hamacher of the Google Security Team for -+ finding this. - - - version 2.77 -diff --git a/src/rfc3315.c b/src/rfc3315.c -index 920907c..4ca43e0 100644 ---- a/src/rfc3315.c -+++ b/src/rfc3315.c -@@ -216,6 +216,9 @@ static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz, - - for (opt = opts; opt; opt = opt6_next(opt, end)) - { -+ if (opt6_ptr(opt, 0) + opt6_len(opt) >= end) { -+ return 0; -+ } - int o = new_opt6(opt6_type(opt)); - if (opt6_type(opt) == OPTION6_RELAY_MSG) - { --- -1.7.10.4 - diff --git a/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14495.patch b/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14495.patch deleted file mode 100644 index ba176a8..0000000 --- a/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14495.patch +++ /dev/null 
@@ -1,69 +0,0 @@ -From 51eadb692a5123b9838e5a68ecace3ac579a3a45 Mon Sep 17 00:00:00 2001 -From: Simon Kelley -Date: Mon, 25 Sep 2017 20:16:50 +0100 -Subject: [PATCH] Security fix, CVE-2017-14495, OOM in DNS response creation. - -Fix out-of-memory Dos vulnerability. An attacker which can -send malicious DNS queries to dnsmasq can trigger memory -allocations in the add_pseudoheader function -The allocated memory is never freed which leads to a DoS -through memory exhaustion. dnsmasq is vulnerable only -if one of the following option is specified: ---add-mac, --add-cpe-id or --add-subnet. - -CVE: CVE-2017-14495 -Upstream-Status: Backport - -Signed-off-by: Sona Sarmadi ---- - CHANGELOG | 12 ++++++++++++ - src/edns0.c | 8 +++++++- - 2 files changed, 19 insertions(+), 1 deletion(-) - -diff --git a/CHANGELOG b/CHANGELOG -index 8fe00ed..9523329 100644 ---- a/CHANGELOG -+++ b/CHANGELOG -@@ -70,6 +70,18 @@ version 2.78 - Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana - and Kevin Hamacher of the Google Security Team for - finding this. -+ -+ Fix out-of-memory Dos vulnerability. An attacker which can -+ send malicious DNS queries to dnsmasq can trigger memory -+ allocations in the add_pseudoheader function -+ The allocated memory is never freed which leads to a DoS -+ through memory exhaustion. dnsmasq is vulnerable only -+ if one of the following option is specified: -+ --add-mac, --add-cpe-id or --add-subnet. -+ CVE-2017-14495 applies. -+ Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana -+ and Kevin Hamacher of the Google Security Team for -+ finding this. 
- - - version 2.77 -diff --git a/src/edns0.c b/src/edns0.c -index 95b74ee..89b2692 100644 ---- a/src/edns0.c -+++ b/src/edns0.c -@@ -192,9 +192,15 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l - !(p = skip_section(p, - ntohs(header->ancount) + ntohs(header->nscount) + ntohs(header->arcount), - header, plen))) -+ { -+ free(buff); - return plen; -+ } - if (p + 11 > limit) -- return plen; /* Too big */ -+ { -+ free(buff); -+ return plen; /* Too big */ -+ } - *p++ = 0; /* empty name */ - PUTSHORT(T_OPT, p); - PUTSHORT(udp_sz, p); /* max packet length, 512 if not given in EDNS0 header */ --- -1.7.10.4 - diff --git a/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14496.patch b/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14496.patch deleted file mode 100644 index 333a890..0000000 --- a/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14496.patch +++ /dev/null 
@@ -1,94 +0,0 @@ -From 897c113fda0886a28a986cc6ba17bb93bd6cb1c7 Mon Sep 17 00:00:00 2001 -From: Simon Kelley -Date: Mon, 25 Sep 2017 20:11:58 +0100 -Subject: [PATCH] Security fix, CVE-2017-14496, Integer underflow in DNS - response creation. - -Fix DoS in DNS. Invalid boundary checks in the -add_pseudoheader function allows a memcpy call with negative -size An attacker which can send malicious DNS queries -to dnsmasq can trigger a DoS remotely. -dnsmasq is vulnerable only if one of the following option is -specified: --add-mac, --add-cpe-id or --add-subnet. - -CVE: CVE-2017-14496 -Upstream-Status: Backport - -Signed-off-by: Sona Sarmadi ---- - CHANGELOG | 11 +++++++++++ - src/edns0.c | 13 ++++++++++++- - 2 files changed, 23 insertions(+), 1 deletion(-) - -diff --git a/CHANGELOG b/CHANGELOG -index d1cc074..8fe00ed 100644 ---- a/CHANGELOG -+++ b/CHANGELOG -@@ -60,6 +60,17 @@ version 2.78 - and Kevin Hamacher of the Google Security Team for - finding this. - -+ Fix DoS in DNS. Invalid boundary checks in the -+ add_pseudoheader function allows a memcpy call with negative -+ size An attacker which can send malicious DNS queries -+ to dnsmasq can trigger a DoS remotely. -+ dnsmasq is vulnerable only if one of the following option is -+ specified: --add-mac, --add-cpe-id or --add-subnet. -+ CVE-2017-14496 applies. -+ Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana -+ and Kevin Hamacher of the Google Security Team for -+ finding this. -+ - - version 2.77 - Generate an error when configured with a CNAME loop, -diff --git a/src/edns0.c b/src/edns0.c -index f5b798c..95b74ee 100644 ---- a/src/edns0.c -+++ b/src/edns0.c -@@ -144,7 +144,7 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l - GETSHORT(len, p); - - /* malformed option, delete the whole OPT RR and start again. 
*/ -- if (i + len > rdlen) -+ if (i + 4 + len > rdlen) - { - rdlen = 0; - is_last = 0; -@@ -193,6 +193,8 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l - ntohs(header->ancount) + ntohs(header->nscount) + ntohs(header->arcount), - header, plen))) - return plen; -+ if (p + 11 > limit) -+ return plen; /* Too big */ - *p++ = 0; /* empty name */ - PUTSHORT(T_OPT, p); - PUTSHORT(udp_sz, p); /* max packet length, 512 if not given in EDNS0 header */ -@@ -204,6 +206,11 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l - /* Copy back any options */ - if (buff) - { -+ if (p + rdlen > limit) -+ { -+ free(buff); -+ return plen; /* Too big */ -+ } - memcpy(p, buff, rdlen); - free(buff); - p += rdlen; -@@ -220,8 +227,12 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l - /* Add new option */ - if (optno != 0 && replace != 2) - { -+ if (p + 4 > limit) -+ return plen; /* Too big */ - PUTSHORT(optno, p); - PUTSHORT(optlen, p); -+ if (p + optlen > limit) -+ return plen; /* Too big */ - memcpy(p, opt, optlen); - p += optlen; - PUTSHORT(p - datap, lenp); --- -1.7.10.4 - diff --git a/recipes-networking/dnsmasq/dnsmasq_%.bbappend b/recipes-networking/dnsmasq/dnsmasq_%.bbappend deleted file mode 100644 index ee31536..0000000 --- a/recipes-networking/dnsmasq/dnsmasq_%.bbappend +++ /dev/null @@ -1,11 +0,0 @@ -# look for files in the layer first -FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" - -SRC_URI += "file://0001-CVE-2017-14491.patch \ - file://0002-CVE-2017-14491.patch \ - file://CVE-2017-14492.patch \ - file://CVE-2017-14493.patch \ - file://CVE-2017-14494.patch \ - file://CVE-2017-14496.patch \ - file://CVE-2017-14495.patch \ -" -- cgit v1.2.3-54-g00ecf