c-ares: fix CVE-2022-4904 & Update SRC_URI branch and protocols

Upstream-Status: Backport [https://git.openembedded.org/meta-openembedded-contrib/commit/?h=stable/kirkstone-nut&id=092e125f44f65427d42db95db3779daf4893d10f & https://git.openembedded.org/meta-openembedded-contrib/commit/meta-oe/recipes-support/c-ares/c-ares_1.18.1.bb?h=stable/kirkstone-nut&id=b402a3076fbafe05d0b8621e50603b65c3fe8147 Upstream-Commit: https://github.com/c-ares/c-ares/commit/9903253c347f9e0bffd285ae3829aef251cc852d] Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Vijay Anusuri <vanusuri@mvista.com> 2023-06-09 09:40:45 +0530
committer: Armin Kuster <akuster808@gmail.com> 2023-06-23 06:58:18 -0400
commit: eae14f75ed5ecc6723e84fcbe7d99071f747ad50 (patch)
tree: eaeff01e02cc352dc52a80b9c58415a4412c0864
parent: d8c29311e5840e0ab18b8767b66f1fe589f86449 (diff)
download: meta-openembedded-eae14f75ed5ecc6723e84fcbe7d99071f747ad50.tar.gz
2 files changed, 70 insertions, 1 deletions
diff --git a/meta-oe/recipes-support/c-ares/c-ares/CVE-2022-4904.patch b/meta-oe/recipes-support/c-ares/c-ares/CVE-2022-4904.patch
new file mode 100644
index 0000000000..fb0aee372f
--- /dev/null
+++ b/meta-oe/recipes-support/c-ares/c-ares/CVE-2022-4904.patch
@@ -0,0 +1,67 @@
+From 9903253c347f9e0bffd285ae3829aef251cc852d Mon Sep 17 00:00:00 2001
+From: hopper-vul <118949689+hopper-vul@users.noreply.github.com>
+Date: Wed, 18 Jan 2023 22:14:26 +0800
+Subject: [PATCH] Add str len check in config_sortlist to avoid stack overflow
+ (#497)
+In ares_set_sortlist, it calls config_sortlist(..., sortstr) to parse
+the input str and initialize a sortlist configuration.
+However, ares_set_sortlist has not any checks about the validity of the input str.
+It is very easy to create an arbitrary length stack overflow with the unchecked
+`memcpy(ipbuf, str, q-str);` and `memcpy(ipbufpfx, str, q-str);`
+statements in the config_sortlist call, which could potentially cause severe
+security impact in practical programs.
+This commit add necessary check for `ipbuf` and `ipbufpfx` which avoid the
+potential stack overflows.
+fixes #496
+Fix By: @hopper-vul
+CVE: CVE-2022-4904
+Upstream-Status: Backport [https://github.com/c-ares/c-ares/commit/9903253c347f9e0bffd285ae3829aef251cc852d]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/lib/ares_init.c    | 4 ++++
+ test/ares-test-init.cc | 2 ++
+ 2 files changed, 6 insertions(+)
+diff --git a/src/lib/ares_init.c b/src/lib/ares_init.c
+index 51668a5c..3f9cec65 100644
+--- a/src/lib/ares_init.c
+++ b/src/lib/ares_init.c
+@@ -1913,6 +1913,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort,
+       q = str;
+       while (*q && *q != '/' && *q != ';' && !ISSPACE(*q))
+         q++;
+      if (q-str >= 16)
+        return ARES_EBADSTR;
+       memcpy(ipbuf, str, q-str);
+       ipbuf[q-str] = '\0';
+       /* Find the prefix */
+@@ -1921,6 +1923,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort,
+           const char *str2 = q+1;
+           while (*q && *q != ';' && !ISSPACE(*q))
+             q++;
+          if (q-str >= 32)
+            return ARES_EBADSTR;
+           memcpy(ipbufpfx, str, q-str);
+           ipbufpfx[q-str] = '\0';
+           str = str2;
+diff --git a/test/ares-test-init.cc b/test/ares-test-init.cc
+index 63c6a228..ee845181 100644
+--- a/test/ares-test-init.cc
+++ b/test/ares-test-init.cc
+@@ -275,6 +275,8 @@ TEST_F(DefaultChannelTest, SetAddresses) {
+ 
+ TEST_F(DefaultChannelTest, SetSortlistFailures) {
+   EXPECT_EQ(ARES_ENODATA, ares_set_sortlist(nullptr, "1.2.3.4"));
+  EXPECT_EQ(ARES_EBADSTR, ares_set_sortlist(channel_, "111.111.111.111*/16"));
+  EXPECT_EQ(ARES_EBADSTR, ares_set_sortlist(channel_, "111.111.111.111/255.255.255.240*"));
+   EXPECT_EQ(ARES_SUCCESS, ares_set_sortlist(channel_, "xyzzy ; lwk"));
+   EXPECT_EQ(ARES_SUCCESS, ares_set_sortlist(channel_, "xyzzy ; 0x123"));
+ }
diff --git a/meta-oe/recipes-support/c-ares/c-ares_1.18.1.bb b/meta-oe/recipes-support/c-ares/c-ares_1.18.1.bb
index 25ce45d74c..6a367e69e1 100644
--- a/meta-oe/recipes-support/c-ares/c-ares_1.18.1.bb
+++ b/meta-oe/recipes-support/c-ares/c-ares_1.18.1.bb
@@ -5,7 +5,9 @@ SECTION = "libs"
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://LICENSE.md;md5=fb997454c8d62aa6a47f07a8cd48b006"
-SRC_URI = "git://github.com/c-ares/c-ares.git;branch=main"
+SRC_URI = "git://github.com/c-ares/c-ares.git;branch=main;protocol=https \
+           file://CVE-2022-4904.patch \
+          "
 SRCREV = "2aa086f822aad5017a6f2061ef656f237a62d0ed"
 UPSTREAM_CHECK_GITTAGREGEX = "cares-(?P<pver>\d+_(\d_?)+)"
author	Vijay Anusuri <vanusuri@mvista.com>	2023-06-09 09:40:45 +0530
committer	Armin Kuster <akuster808@gmail.com>	2023-06-23 06:58:18 -0400
commit	eae14f75ed5ecc6723e84fcbe7d99071f747ad50 (patch)
tree	eaeff01e02cc352dc52a80b9c58415a4412c0864
parent	d8c29311e5840e0ab18b8767b66f1fe589f86449 (diff)
download	meta-openembedded-eae14f75ed5ecc6723e84fcbe7d99071f747ad50.tar.gz

diff --git a/meta-oe/recipes-support/c-ares/c-ares/CVE-2022-4904.patch b/meta-oe/recipes-support/c-ares/c-ares/CVE-2022-4904.patch new file mode 100644 index 0000000000..fb0aee372f --- /dev/null +++ b/meta-oe/recipes-support/c-ares/c-ares/CVE-2022-4904.patch
@@ -0,0 +1,67 @@
		1	From 9903253c347f9e0bffd285ae3829aef251cc852d Mon Sep 17 00:00:00 2001
		2	From: hopper-vul <118949689+hopper-vul@users.noreply.github.com>
		3	Date: Wed, 18 Jan 2023 22:14:26 +0800
		4	Subject: [PATCH] Add str len check in config_sortlist to avoid stack overflow
		5	(#497)
		6
		7	In ares_set_sortlist, it calls config_sortlist(..., sortstr) to parse
		8	the input str and initialize a sortlist configuration.
		9
		10	However, ares_set_sortlist has not any checks about the validity of the input str.
		11	It is very easy to create an arbitrary length stack overflow with the unchecked
		12	`memcpy(ipbuf, str, q-str);` and `memcpy(ipbufpfx, str, q-str);`
		13	statements in the config_sortlist call, which could potentially cause severe
		14	security impact in practical programs.
		15
		16	This commit add necessary check for `ipbuf` and `ipbufpfx` which avoid the
		17	potential stack overflows.
		18
		19	fixes #496
		20
		21	Fix By: @hopper-vul
		22
		23	CVE: CVE-2022-4904
		24	Upstream-Status: Backport [https://github.com/c-ares/c-ares/commit/9903253c347f9e0bffd285ae3829aef251cc852d]
		25
		26	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		27	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		28	---
		29	src/lib/ares_init.c \| 4 ++++
		30	test/ares-test-init.cc \| 2 ++
		31	2 files changed, 6 insertions(+)
		32
		33	diff --git a/src/lib/ares_init.c b/src/lib/ares_init.c
		34	index 51668a5c..3f9cec65 100644
		35	--- a/src/lib/ares_init.c
		36	+++ b/src/lib/ares_init.c
		37	@@ -1913,6 +1913,8 @@ static int config_sortlist(struct apattern *sortlist, int nsort,
		38	q = str;
		39	while (q && q != '/' && q != ';' && !ISSPACE(q))
		40	q++;
		41	+ if (q-str >= 16)
		42	+ return ARES_EBADSTR;
		43	memcpy(ipbuf, str, q-str);
		44	ipbuf[q-str] = '\0';
		45	/* Find the prefix */
		46	@@ -1921,6 +1923,8 @@ static int config_sortlist(struct apattern *sortlist, int nsort,
		47	const char *str2 = q+1;
		48	while (q && q != ';' && !ISSPACE(*q))
		49	q++;
		50	+ if (q-str >= 32)
		51	+ return ARES_EBADSTR;
		52	memcpy(ipbufpfx, str, q-str);
		53	ipbufpfx[q-str] = '\0';
		54	str = str2;
		55	diff --git a/test/ares-test-init.cc b/test/ares-test-init.cc
		56	index 63c6a228..ee845181 100644
		57	--- a/test/ares-test-init.cc
		58	+++ b/test/ares-test-init.cc
		59	@@ -275,6 +275,8 @@ TEST_F(DefaultChannelTest, SetAddresses) {
		60
		61	TEST_F(DefaultChannelTest, SetSortlistFailures) {
		62	EXPECT_EQ(ARES_ENODATA, ares_set_sortlist(nullptr, "1.2.3.4"));
		63	+ EXPECT_EQ(ARES_EBADSTR, ares_set_sortlist(channel_, "111.111.111.111*/16"));
		64	+ EXPECT_EQ(ARES_EBADSTR, ares_set_sortlist(channel_, "111.111.111.111/255.255.255.240*"));
		65	EXPECT_EQ(ARES_SUCCESS, ares_set_sortlist(channel_, "xyzzy ; lwk"));
		66	EXPECT_EQ(ARES_SUCCESS, ares_set_sortlist(channel_, "xyzzy ; 0x123"));
		67	}


diff --git a/meta-oe/recipes-support/c-ares/c-ares_1.18.1.bb b/meta-oe/recipes-support/c-ares/c-ares_1.18.1.bb index 25ce45d74c..6a367e69e1 100644 --- a/meta-oe/recipes-support/c-ares/c-ares_1.18.1.bb +++ b/meta-oe/recipes-support/c-ares/c-ares_1.18.1.bb
@@ -5,7 +5,9 @@ SECTION = "libs"
5	LICENSE = "MIT"	5	LICENSE = "MIT"
6	LIC_FILES_CHKSUM = "file://LICENSE.md;md5=fb997454c8d62aa6a47f07a8cd48b006"	6	LIC_FILES_CHKSUM = "file://LICENSE.md;md5=fb997454c8d62aa6a47f07a8cd48b006"
7		7
8	SRC_URI = "git://github.com/c-ares/c-ares.git;branch=main"	8	SRC_URI = "git://github.com/c-ares/c-ares.git;branch=main;protocol=https \
		9	file://CVE-2022-4904.patch \
		10	"
9	SRCREV = "2aa086f822aad5017a6f2061ef656f237a62d0ed"	11	SRCREV = "2aa086f822aad5017a6f2061ef656f237a62d0ed"
10		12
11	UPSTREAM_CHECK_GITTAGREGEX = "cares-(?P<pver>\d+_(\d_?)+)"	13	UPSTREAM_CHECK_GITTAGREGEX = "cares-(?P<pver>\d+_(\d_?)+)"