c-ares: fix CVE-2023-32067

c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the connection. This issue has been patched in version 1.19.1. References: https://nvd.nist.gov/vuln/detail/CVE-2023-32067 https://github.com/c-ares/c-ares/security/advisories/GHSA-9g78-jv2r-p7vc Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Urade, Yogita t.mo <Yogita.Urade@windriver.com> 2023-06-09 14:35:05 +0000
committer: Armin Kuster <akuster808@gmail.com> 2023-06-15 08:10:11 -0400
commit: fec772d55fa6003e9a87b3b2413905ff57f077fb (patch)
tree: e0e4c5026e6ba6c9680c5b32eec6b0f2a454f461
parent: 5fb3554563dd46c731fd21b38923b6b7f3554686 (diff)
download: meta-openembedded-fec772d55fa6003e9a87b3b2413905ff57f077fb.tar.gz
2 files changed, 90 insertions, 1 deletions
diff --git a/meta-oe/recipes-support/c-ares/c-ares/CVE-2023-32067.patch b/meta-oe/recipes-support/c-ares/c-ares/CVE-2023-32067.patch
new file mode 100644
index 0000000000..cd13e7d9e5
--- /dev/null
+++ b/meta-oe/recipes-support/c-ares/c-ares/CVE-2023-32067.patch
@@ -0,0 +1,87 @@
+From b9b8413cfdb70a3f99e1573333b23052d57ec1ae Mon Sep 17 00:00:00 2001
+From: Brad House <brad@brad-house.com>
+Date: Mon, 22 May 2023 06:51:49 -0400
+Subject: [PATCH] Merge pull request from GHSA-9g78-jv2r-p7vc
+CVE: CVE-2023-32067
+Upstream Status: Backport
+[https://github.com/c-ares/c-ares/commit/b9b8413cfdb70a3f99e1573333b23052d57ec1ae]
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ src/lib/ares_process.c | 41 +++++++++++++++++++++++++----------------
+ 1 file changed, 25 insertions(+), 16 deletions(-)
+diff --git a/src/lib/ares_process.c b/src/lib/ares_process.c
+index bf0cde4..6cac0a9 100644
+--- a/src/lib/ares_process.c
+++ b/src/lib/ares_process.c
+@@ -470,7 +470,7 @@ static void read_udp_packets(ares_channel channel, fd_set *read_fds,
+ {
+   struct server_state *server;
+   int i;
+-  ares_ssize_t count;
+  ares_ssize_t read_len;
+   unsigned char buf[MAXENDSSZ + 1];
+ #ifdef HAVE_RECVFROM
+   ares_socklen_t fromlen;
+@@ -513,32 +513,41 @@ static void read_udp_packets(ares_channel channel, fd_set *read_fds,
+       /* To reduce event loop overhead, read and process as many
+        * packets as we can. */
+       do {
+-        if (server->udp_socket == ARES_SOCKET_BAD)
+-          count = 0;
+-
+-        else {
+-          if (server->addr.family == AF_INET)
+        if (server->udp_socket == ARES_SOCKET_BAD) {
+          read_len = -1;
+        } else {
+          if (server->addr.family == AF_INET) {
+             fromlen = sizeof(from.sa4);
+-          else
+          } else {
+             fromlen = sizeof(from.sa6);
+-          count = socket_recvfrom(channel, server->udp_socket, (void *)buf,
+-                                  sizeof(buf), 0, &from.sa, &fromlen);
+          }
+          read_len = socket_recvfrom(channel, server->udp_socket, (void *)buf,
+                                     sizeof(buf), 0, &from.sa, &fromlen);
+         }
+-        if (count == -1 && try_again(SOCKERRNO))
+        if (read_len == 0) {
+          /* UDP is connectionless, so result code of 0 is a 0-length UDP
+           * packet, and not an indication the connection is closed like on
+           * tcp */
+           continue;
+-        else if (count <= 0)
+        } else if (read_len < 0) {
+          if (try_again(SOCKERRNO))
+            continue;
+
+           handle_error(channel, i, now);
+
+ #ifdef HAVE_RECVFROM
+-        else if (!same_address(&from.sa, &server->addr))
+        } else if (!same_address(&from.sa, &server->addr)) {
+           /* The address the response comes from does not match the address we
+            * sent the request to. Someone may be attempting to perform a cache
+            * poisoning attack. */
+-          break;
+          continue;
+ #endif
+-        else
+-          process_answer(channel, buf, (int)count, i, 0, now);
+-       } while (count > 0);
+
+        } else {
+          process_answer(channel, buf, (int)read_len, i, 0, now);
+        }
+      } while (read_len >= 0);
+     }
+ }
+--
+2.40.0
diff --git a/meta-oe/recipes-support/c-ares/c-ares_1.19.0.bb b/meta-oe/recipes-support/c-ares/c-ares_1.19.0.bb
index bb19ff1bd3..997f27a895 100644
--- a/meta-oe/recipes-support/c-ares/c-ares_1.19.0.bb
+++ b/meta-oe/recipes-support/c-ares/c-ares_1.19.0.bb
@@ -5,7 +5,9 @@ SECTION = "libs"
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://LICENSE.md;md5=fb997454c8d62aa6a47f07a8cd48b006"
-SRC_URI = "git://github.com/c-ares/c-ares.git;branch=main;protocol=https"
+SRC_URI = "git://github.com/c-ares/c-ares.git;branch=main;protocol=https \
+           file://CVE-2023-32067.patch \
+          "
 SRCREV = "fddf01938d3789e06cc1c3774e4cd0c7d2a89976"
 UPSTREAM_CHECK_GITTAGREGEX = "cares-(?P<pver>\d+_(\d_?)+)"
author	Urade, Yogita t.mo <Yogita.Urade@windriver.com>	2023-06-09 14:35:05 +0000
committer	Armin Kuster <akuster808@gmail.com>	2023-06-15 08:10:11 -0400
commit	fec772d55fa6003e9a87b3b2413905ff57f077fb (patch)
tree	e0e4c5026e6ba6c9680c5b32eec6b0f2a454f461
parent	5fb3554563dd46c731fd21b38923b6b7f3554686 (diff)
download	meta-openembedded-fec772d55fa6003e9a87b3b2413905ff57f077fb.tar.gz

diff --git a/meta-oe/recipes-support/c-ares/c-ares/CVE-2023-32067.patch b/meta-oe/recipes-support/c-ares/c-ares/CVE-2023-32067.patch new file mode 100644 index 0000000000..cd13e7d9e5 --- /dev/null +++ b/meta-oe/recipes-support/c-ares/c-ares/CVE-2023-32067.patch
@@ -0,0 +1,87 @@
		1	From b9b8413cfdb70a3f99e1573333b23052d57ec1ae Mon Sep 17 00:00:00 2001
		2	From: Brad House <brad@brad-house.com>
		3	Date: Mon, 22 May 2023 06:51:49 -0400
		4	Subject: [PATCH] Merge pull request from GHSA-9g78-jv2r-p7vc
		5
		6	CVE: CVE-2023-32067
		7
		8	Upstream Status: Backport
		9	[https://github.com/c-ares/c-ares/commit/b9b8413cfdb70a3f99e1573333b23052d57ec1ae]
		10
		11	Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
		12	---
		13	src/lib/ares_process.c \| 41 +++++++++++++++++++++++++----------------
		14	1 file changed, 25 insertions(+), 16 deletions(-)
		15
		16	diff --git a/src/lib/ares_process.c b/src/lib/ares_process.c
		17	index bf0cde4..6cac0a9 100644
		18	--- a/src/lib/ares_process.c
		19	+++ b/src/lib/ares_process.c
		20	@@ -470,7 +470,7 @@ static void read_udp_packets(ares_channel channel, fd_set *read_fds,
		21	{
		22	struct server_state *server;
		23	int i;
		24	- ares_ssize_t count;
		25	+ ares_ssize_t read_len;
		26	unsigned char buf[MAXENDSSZ + 1];
		27	#ifdef HAVE_RECVFROM
		28	ares_socklen_t fromlen;
		29	@@ -513,32 +513,41 @@ static void read_udp_packets(ares_channel channel, fd_set *read_fds,
		30	/* To reduce event loop overhead, read and process as many
		31	* packets as we can. */
		32	do {
		33	- if (server->udp_socket == ARES_SOCKET_BAD)
		34	- count = 0;
		35	-
		36	- else {
		37	- if (server->addr.family == AF_INET)
		38	+ if (server->udp_socket == ARES_SOCKET_BAD) {
		39	+ read_len = -1;
		40	+ } else {
		41	+ if (server->addr.family == AF_INET) {
		42	fromlen = sizeof(from.sa4);
		43	- else
		44	+ } else {
		45	fromlen = sizeof(from.sa6);
		46	- count = socket_recvfrom(channel, server->udp_socket, (void *)buf,
		47	- sizeof(buf), 0, &from.sa, &fromlen);
		48	+ }
		49	+ read_len = socket_recvfrom(channel, server->udp_socket, (void *)buf,
		50	+ sizeof(buf), 0, &from.sa, &fromlen);
		51	}
		52
		53	- if (count == -1 && try_again(SOCKERRNO))
		54	+ if (read_len == 0) {
		55	+ /* UDP is connectionless, so result code of 0 is a 0-length UDP
		56	+ * packet, and not an indication the connection is closed like on
		57	+ * tcp */
		58	continue;
		59	- else if (count <= 0)
		60	+ } else if (read_len < 0) {
		61	+ if (try_again(SOCKERRNO))
		62	+ continue;
		63	+
		64	handle_error(channel, i, now);
		65	+
		66	#ifdef HAVE_RECVFROM
		67	- else if (!same_address(&from.sa, &server->addr))
		68	+ } else if (!same_address(&from.sa, &server->addr)) {
		69	/* The address the response comes from does not match the address we
		70	* sent the request to. Someone may be attempting to perform a cache
		71	* poisoning attack. */
		72	- break;
		73	+ continue;
		74	#endif
		75	- else
		76	- process_answer(channel, buf, (int)count, i, 0, now);
		77	- } while (count > 0);
		78	+
		79	+ } else {
		80	+ process_answer(channel, buf, (int)read_len, i, 0, now);
		81	+ }
		82	+ } while (read_len >= 0);
		83	}
		84	}
		85
		86	--
		87	2.40.0


diff --git a/meta-oe/recipes-support/c-ares/c-ares_1.19.0.bb b/meta-oe/recipes-support/c-ares/c-ares_1.19.0.bb index bb19ff1bd3..997f27a895 100644 --- a/meta-oe/recipes-support/c-ares/c-ares_1.19.0.bb +++ b/meta-oe/recipes-support/c-ares/c-ares_1.19.0.bb
@@ -5,7 +5,9 @@ SECTION = "libs"
5	LICENSE = "MIT"	5	LICENSE = "MIT"
6	LIC_FILES_CHKSUM = "file://LICENSE.md;md5=fb997454c8d62aa6a47f07a8cd48b006"	6	LIC_FILES_CHKSUM = "file://LICENSE.md;md5=fb997454c8d62aa6a47f07a8cd48b006"
7		7
8	SRC_URI = "git://github.com/c-ares/c-ares.git;branch=main;protocol=https"	8	SRC_URI = "git://github.com/c-ares/c-ares.git;branch=main;protocol=https \
		9	file://CVE-2023-32067.patch \
		10	"
9	SRCREV = "fddf01938d3789e06cc1c3774e4cd0c7d2a89976"	11	SRCREV = "fddf01938d3789e06cc1c3774e4cd0c7d2a89976"
10		12
11	UPSTREAM_CHECK_GITTAGREGEX = "cares-(?P<pver>\d+_(\d_?)+)"	13	UPSTREAM_CHECK_GITTAGREGEX = "cares-(?P<pver>\d+_(\d_?)+)"