c-ares: fix CVE-2021-3672

Refer: https://c-ares.org/adv_20210810.html https://github.com/c-ares/c-ares/commit/362f91d807d293791008cdb7616d40f7784ece83 https://github.com/c-ares/c-ares/commit/44c009b8e62ea1929de68e3f438181bea469ec14 Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Changqing Li <changqing.li@windriver.com> 2021-09-14 16:17:21 +0800
committer: Armin Kuster <akuster808@gmail.com> 2021-09-14 07:41:42 -0700
commit: dc262c52b0b10625bf7a2330e1c4e0fe2d8db6aa (patch)
tree: a3dfc7af93783cd68f27830ab7e0c0f9cf93015d
parent: 355e47cd858809cb2470a7bf9e769c5a3d5be756 (diff)
download: meta-openembedded-dc262c52b0b10625bf7a2330e1c4e0fe2d8db6aa.tar.gz
3 files changed, 197 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/c-ares/c-ares/0001-CVE-2021-3672.patch b/meta-oe/recipes-support/c-ares/c-ares/0001-CVE-2021-3672.patch
new file mode 100644
index 0000000000..93afb838fb
--- /dev/null
+++ b/meta-oe/recipes-support/c-ares/c-ares/0001-CVE-2021-3672.patch
@@ -0,0 +1,91 @@
+From 13363ab0eb3f5a3223571d073888816bd3e650f9 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Tue, 14 Sep 2021 13:49:11 +0800
+Subject: [PATCH 1/2] ares_expand_name() should escape more characters
+RFC1035 5.1 specifies some reserved characters and escaping sequences
+that are allowed to be specified.  Expand the list of reserved characters
+and also escape non-printable characters using the \DDD format as
+specified in the RFC.
+Bug Reported By: philipp.jeitner@sit.fraunhofer.de
+Fix By: Brad House (@bradh352)
+Upstream-Status: Backport [https://github.com/c-ares/c-ares/commit/362f91d807d293791008cdb7616d40f7784ece83]
+CVE: CVE-2021-3672
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ ares_expand_name.c | 41 ++++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 38 insertions(+), 3 deletions(-)
+diff --git a/ares_expand_name.c b/ares_expand_name.c
+index 3a38e67..8604543 100644
+--- a/ares_expand_name.c
+++ b/ares_expand_name.c
+@@ -38,6 +38,26 @@
+ static int name_length(const unsigned char *encoded, const unsigned char *abuf,
+                        int alen);
+ 
+/* Reserved characters for names that need to be escaped */
+static int is_reservedch(int ch)
+{
+  switch (ch) {
+    case '"':
+    case '.':
+    case ';':
+    case '\\':
+    case '(':
+    case ')':
+    case '@':
+    case '$':
+      return 1;
+    default:
+      break;
+  }
+
+  return 0;
+}
+
+ /* Expand an RFC1035-encoded domain name given by encoded.  The
+  * containing message is given by abuf and alen.  The result given by
+  * *s, which is set to a NUL-terminated allocated buffer.  *enclen is
+@@ -117,9 +137,18 @@ int ares_expand_name(const unsigned char *encoded, const unsigned char *abuf,
+           p++;
+           while (len--)
+             {
+-              if (*p == '.' || *p == '\\')
+              if (!isprint(*p)) {
+                /* Output as \DDD for consistency with RFC1035 5.1 */
+                *q++ = '\\';
+                *q++ = '0' + *p / 100;
+                *q++ = '0' + (*p % 100) / 10;
+                *q++ = '0' + (*p % 10);
+              } else if (is_reservedch(*p)) {
+                 *q++ = '\\';
+-              *q++ = *p;
+                *q++ = *p;
+              } else {
+                *q++ = *p;
+              }
+               p++;
+             }
+           *q++ = '.';
+@@ -177,7 +206,13 @@ static int name_length(const unsigned char *encoded, const unsigned char *abuf,
+           encoded++;
+           while (offset--)
+             {
+-              n += (*encoded == '.' || *encoded == '\\') ? 2 : 1;
+              if (!isprint(*encoded)) {
+                n += 4;
+              } else if (is_reservedch(*encoded)) {
+                n += 2;
+              } else {
+                n += 1;
+              }
+               encoded++;
+             }
+           n++;
+-- 
+2.17.1
diff --git a/meta-oe/recipes-support/c-ares/c-ares/0002-CVE-2021-3672.patch b/meta-oe/recipes-support/c-ares/c-ares/0002-CVE-2021-3672.patch
new file mode 100644
index 0000000000..e3b32f5fef
--- /dev/null
+++ b/meta-oe/recipes-support/c-ares/c-ares/0002-CVE-2021-3672.patch
@@ -0,0 +1,104 @@
+From 446225e54b4f23c08a07968433b39d62ed65afd1 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Tue, 14 Sep 2021 13:59:28 +0800
+Subject: [PATCH 2/2] ares_expand_name(): fix formatting and handling of root
+ name response
+Fixes issue introduced in prior commit with formatting and handling
+of parsing a root name response which should not be escaped.
+Fix By: Brad House
+Upstream-Status: Backport [https://github.com/c-ares/c-ares/commit/44c009b8e62ea1929de68e3f438181bea469ec14]
+CVE: CVE-2021-3672
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ ares_expand_name.c | 56 +++++++++++++++++++++++++++++-----------------
+ 1 file changed, 35 insertions(+), 21 deletions(-)
+diff --git a/ares_expand_name.c b/ares_expand_name.c
+index 8604543..af0c2e8 100644
+--- a/ares_expand_name.c
+++ b/ares_expand_name.c
+@@ -133,22 +133,30 @@ int ares_expand_name(const unsigned char *encoded, const unsigned char *abuf,
+         }
+       else
+         {
+-          len = *p;
+          int name_len = *p;
+          len = name_len;
+           p++;
+           while (len--)
+             {
+-              if (!isprint(*p)) {
+-                /* Output as \DDD for consistency with RFC1035 5.1 */
+-                *q++ = '\\';
+-                *q++ = '0' + *p / 100;
+-                *q++ = '0' + (*p % 100) / 10;
+-                *q++ = '0' + (*p % 10);
+-              } else if (is_reservedch(*p)) {
+-                *q++ = '\\';
+-                *q++ = *p;
+-              } else {
+-                *q++ = *p;
+-              }
+              /* Output as \DDD for consistency with RFC1035 5.1, except
+               * for the special case of a root name response  */
+              if (!isprint(*p) && !(name_len == 1 && *p == 0))
+                {
+
+                  *q++ = '\\';
+                  *q++ = '0' + *p / 100;
+                  *q++ = '0' + (*p % 100) / 10;
+                  *q++ = '0' + (*p % 10);
+                }
+              else if (is_reservedch(*p))
+                {
+                  *q++ = '\\';
+                  *q++ = *p;
+                }
+              else
+                {
+                  *q++ = *p;
+                }
+               p++;
+             }
+           *q++ = '.';
+@@ -200,19 +208,25 @@ static int name_length(const unsigned char *encoded, const unsigned char *abuf,
+         }
+       else if (top == 0x00)
+         {
+-          offset = *encoded;
+          int name_len = *encoded;
+          offset = name_len;
+           if (encoded + offset + 1 >= abuf + alen)
+             return -1;
+           encoded++;
+           while (offset--)
+             {
+-              if (!isprint(*encoded)) {
+-                n += 4;
+-              } else if (is_reservedch(*encoded)) {
+-                n += 2;
+-              } else {
+-                n += 1;
+-              }
+              if (!isprint(*encoded) && !(name_len == 1 && *encoded == 0))
+                {
+                  n += 4;
+                }
+              else if (is_reservedch(*encoded))
+                {
+                  n += 2;
+                }
+              else
+                {
+                  n += 1;
+                }
+               encoded++;
+             }
+           n++;
+-- 
+2.17.1
diff --git a/meta-oe/recipes-support/c-ares/c-ares_1.16.1.bb b/meta-oe/recipes-support/c-ares/c-ares_1.16.1.bb
index 67dd701807..afcc1cc4b8 100644
--- a/meta-oe/recipes-support/c-ares/c-ares_1.16.1.bb
+++ b/meta-oe/recipes-support/c-ares/c-ares_1.16.1.bb
@@ -11,6 +11,8 @@ SRC_URI = "\
    git://github.com/c-ares/c-ares.git \
    file://cmake-install-libcares.pc.patch \
    file://0001-fix-configure-error-mv-libcares.pc.cmakein-to-libcar.patch \
+    file://0001-CVE-2021-3672.patch \
+    file://0002-CVE-2021-3672.patch \
 "
 SRCREV = "74a1426ba60e2cd7977e53a22ef839c87415066e"
author	Changqing Li <changqing.li@windriver.com>	2021-09-14 16:17:21 +0800
committer	Armin Kuster <akuster808@gmail.com>	2021-09-14 07:41:42 -0700
commit	dc262c52b0b10625bf7a2330e1c4e0fe2d8db6aa (patch)
tree	a3dfc7af93783cd68f27830ab7e0c0f9cf93015d
parent	355e47cd858809cb2470a7bf9e769c5a3d5be756 (diff)
download	meta-openembedded-dc262c52b0b10625bf7a2330e1c4e0fe2d8db6aa.tar.gz

diff --git a/meta-oe/recipes-support/c-ares/c-ares/0001-CVE-2021-3672.patch b/meta-oe/recipes-support/c-ares/c-ares/0001-CVE-2021-3672.patch new file mode 100644 index 0000000000..93afb838fb --- /dev/null +++ b/meta-oe/recipes-support/c-ares/c-ares/0001-CVE-2021-3672.patch
@@ -0,0 +1,91 @@
		1	From 13363ab0eb3f5a3223571d073888816bd3e650f9 Mon Sep 17 00:00:00 2001
		2	From: Changqing Li <changqing.li@windriver.com>
		3	Date: Tue, 14 Sep 2021 13:49:11 +0800
		4	Subject: [PATCH 1/2] ares_expand_name() should escape more characters
		5
		6	RFC1035 5.1 specifies some reserved characters and escaping sequences
		7	that are allowed to be specified. Expand the list of reserved characters
		8	and also escape non-printable characters using the \DDD format as
		9	specified in the RFC.
		10
		11	Bug Reported By: philipp.jeitner@sit.fraunhofer.de
		12	Fix By: Brad House (@bradh352)
		13
		14	Upstream-Status: Backport [https://github.com/c-ares/c-ares/commit/362f91d807d293791008cdb7616d40f7784ece83]
		15	CVE: CVE-2021-3672
		16
		17	Signed-off-by: Changqing Li <changqing.li@windriver.com>
		18	---
		19	ares_expand_name.c \| 41 ++++++++++++++++++++++++++++++++++++++---
		20	1 file changed, 38 insertions(+), 3 deletions(-)
		21
		22	diff --git a/ares_expand_name.c b/ares_expand_name.c
		23	index 3a38e67..8604543 100644
		24	--- a/ares_expand_name.c
		25	+++ b/ares_expand_name.c
		26	@@ -38,6 +38,26 @@
		27	static int name_length(const unsigned char encoded, const unsigned char abuf,
		28	int alen);
		29
		30	+/* Reserved characters for names that need to be escaped */
		31	+static int is_reservedch(int ch)
		32	+{
		33	+ switch (ch) {
		34	+ case '"':
		35	+ case '.':
		36	+ case ';':
		37	+ case '\\':
		38	+ case '(':
		39	+ case ')':
		40	+ case '@':
		41	+ case '$':
		42	+ return 1;
		43	+ default:
		44	+ break;
		45	+ }
		46	+
		47	+ return 0;
		48	+}
		49	+
		50	/* Expand an RFC1035-encoded domain name given by encoded. The
		51	* containing message is given by abuf and alen. The result given by
		52	* s, which is set to a NUL-terminated allocated buffer. enclen is
		53	@@ -117,9 +137,18 @@ int ares_expand_name(const unsigned char encoded, const unsigned char abuf,
		54	p++;
		55	while (len--)
		56	{
		57	- if (p == '.' \|\| p == '\\')
		58	+ if (!isprint(*p)) {
		59	+ /* Output as \DDD for consistency with RFC1035 5.1 */
		60	+ *q++ = '\\';
		61	+ q++ = '0' + p / 100;
		62	+ q++ = '0' + (p % 100) / 10;
		63	+ q++ = '0' + (p % 10);
		64	+ } else if (is_reservedch(*p)) {
		65	*q++ = '\\';
		66	- q++ = p;
		67	+ q++ = p;
		68	+ } else {
		69	+ q++ = p;
		70	+ }
		71	p++;
		72	}
		73	*q++ = '.';
		74	@@ -177,7 +206,13 @@ static int name_length(const unsigned char encoded, const unsigned char abuf,
		75	encoded++;
		76	while (offset--)
		77	{
		78	- n += (encoded == '.' \|\| encoded == '\\') ? 2 : 1;
		79	+ if (!isprint(*encoded)) {
		80	+ n += 4;
		81	+ } else if (is_reservedch(*encoded)) {
		82	+ n += 2;
		83	+ } else {
		84	+ n += 1;
		85	+ }
		86	encoded++;
		87	}
		88	n++;
		89	--
		90	2.17.1
		91


diff --git a/meta-oe/recipes-support/c-ares/c-ares/0002-CVE-2021-3672.patch b/meta-oe/recipes-support/c-ares/c-ares/0002-CVE-2021-3672.patch new file mode 100644 index 0000000000..e3b32f5fef --- /dev/null +++ b/meta-oe/recipes-support/c-ares/c-ares/0002-CVE-2021-3672.patch
@@ -0,0 +1,104 @@
		1	From 446225e54b4f23c08a07968433b39d62ed65afd1 Mon Sep 17 00:00:00 2001
		2	From: Changqing Li <changqing.li@windriver.com>
		3	Date: Tue, 14 Sep 2021 13:59:28 +0800
		4	Subject: [PATCH 2/2] ares_expand_name(): fix formatting and handling of root
		5	name response
		6
		7	Fixes issue introduced in prior commit with formatting and handling
		8	of parsing a root name response which should not be escaped.
		9
		10	Fix By: Brad House
		11
		12	Upstream-Status: Backport [https://github.com/c-ares/c-ares/commit/44c009b8e62ea1929de68e3f438181bea469ec14]
		13	CVE: CVE-2021-3672
		14
		15	Signed-off-by: Changqing Li <changqing.li@windriver.com>
		16	---
		17	ares_expand_name.c \| 56 +++++++++++++++++++++++++++++-----------------
		18	1 file changed, 35 insertions(+), 21 deletions(-)
		19
		20	diff --git a/ares_expand_name.c b/ares_expand_name.c
		21	index 8604543..af0c2e8 100644
		22	--- a/ares_expand_name.c
		23	+++ b/ares_expand_name.c
		24	@@ -133,22 +133,30 @@ int ares_expand_name(const unsigned char encoded, const unsigned char abuf,
		25	}
		26	else
		27	{
		28	- len = *p;
		29	+ int name_len = *p;
		30	+ len = name_len;
		31	p++;
		32	while (len--)
		33	{
		34	- if (!isprint(*p)) {
		35	- /* Output as \DDD for consistency with RFC1035 5.1 */
		36	- *q++ = '\\';
		37	- q++ = '0' + p / 100;
		38	- q++ = '0' + (p % 100) / 10;
		39	- q++ = '0' + (p % 10);
		40	- } else if (is_reservedch(*p)) {
		41	- *q++ = '\\';
		42	- q++ = p;
		43	- } else {
		44	- q++ = p;
		45	- }
		46	+ /* Output as \DDD for consistency with RFC1035 5.1, except
		47	+ * for the special case of a root name response */
		48	+ if (!isprint(p) && !(name_len == 1 && p == 0))
		49	+ {
		50	+
		51	+ *q++ = '\\';
		52	+ q++ = '0' + p / 100;
		53	+ q++ = '0' + (p % 100) / 10;
		54	+ q++ = '0' + (p % 10);
		55	+ }
		56	+ else if (is_reservedch(*p))
		57	+ {
		58	+ *q++ = '\\';
		59	+ q++ = p;
		60	+ }
		61	+ else
		62	+ {
		63	+ q++ = p;
		64	+ }
		65	p++;
		66	}
		67	*q++ = '.';
		68	@@ -200,19 +208,25 @@ static int name_length(const unsigned char encoded, const unsigned char abuf,
		69	}
		70	else if (top == 0x00)
		71	{
		72	- offset = *encoded;
		73	+ int name_len = *encoded;
		74	+ offset = name_len;
		75	if (encoded + offset + 1 >= abuf + alen)
		76	return -1;
		77	encoded++;
		78	while (offset--)
		79	{
		80	- if (!isprint(*encoded)) {
		81	- n += 4;
		82	- } else if (is_reservedch(*encoded)) {
		83	- n += 2;
		84	- } else {
		85	- n += 1;
		86	- }
		87	+ if (!isprint(encoded) && !(name_len == 1 && encoded == 0))
		88	+ {
		89	+ n += 4;
		90	+ }
		91	+ else if (is_reservedch(*encoded))
		92	+ {
		93	+ n += 2;
		94	+ }
		95	+ else
		96	+ {
		97	+ n += 1;
		98	+ }
		99	encoded++;
		100	}
		101	n++;
		102	--
		103	2.17.1
		104


diff --git a/meta-oe/recipes-support/c-ares/c-ares_1.16.1.bb b/meta-oe/recipes-support/c-ares/c-ares_1.16.1.bb index 67dd701807..afcc1cc4b8 100644 --- a/meta-oe/recipes-support/c-ares/c-ares_1.16.1.bb +++ b/meta-oe/recipes-support/c-ares/c-ares_1.16.1.bb
@@ -11,6 +11,8 @@ SRC_URI = "\
11	git://github.com/c-ares/c-ares.git \	11	git://github.com/c-ares/c-ares.git \
12	file://cmake-install-libcares.pc.patch \	12	file://cmake-install-libcares.pc.patch \
13	file://0001-fix-configure-error-mv-libcares.pc.cmakein-to-libcar.patch \	13	file://0001-fix-configure-error-mv-libcares.pc.cmakein-to-libcar.patch \
		14	file://0001-CVE-2021-3672.patch \
		15	file://0002-CVE-2021-3672.patch \
14	"	16	"
15	SRCREV = "74a1426ba60e2cd7977e53a22ef839c87415066e"	17	SRCREV = "74a1426ba60e2cd7977e53a22ef839c87415066e"
16		18