mirrors/meta-openembedded
1
0
Fork 0
mirror of https://github.com/openembedded/meta-openembedded.git synced 2026-06-14 05:49:57 +00:00
Code Issues Projects Releases Wiki Activity

c-ares: fix CVE-2021-3672

Browse Source 
Refer:
https://c-ares.org/adv_20210810.html
https://github.com/c-ares/c-ares/commit/362f91d807d293791008cdb7616d40f7784ece83
https://github.com/c-ares/c-ares/commit/44c009b8e62ea1929de68e3f438181bea469ec14

Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
This commit is contained in:
Changqing Li
2021-09-14 16:17:21 +08:00
committed by Armin Kuster
parent 355e47cd85
commit dc262c52b0
3 changed files with 197 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta-oe/recipes-support/c-ares/c-ares/0001-CVE-2021-3672.patch
+91
View File
@@ -0,0 +1,91 @@
From 13363ab0eb3f5a3223571d073888816bd3e650f9 Mon Sep 17 00:00:00 2001
From: Changqing Li <changqing.li@windriver.com>
Date: Tue, 14 Sep 2021 13:49:11 +0800
Subject: [PATCH 1/2] ares_expand_name() should escape more characters
RFC1035 5.1 specifies some reserved characters and escaping sequences
that are allowed to be specified. Expand the list of reserved characters
and also escape non-printable characters using the \DDD format as
specified in the RFC.
Bug Reported By: philipp.jeitner@sit.fraunhofer.de
Fix By: Brad House (@bradh352)
Upstream-Status: Backport [https://github.com/c-ares/c-ares/commit/362f91d807d293791008cdb7616d40f7784ece83]
CVE: CVE-2021-3672
Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
ares_expand_name.c | 41 ++++++++++++++++++++++++++++++++++++++---
1 file changed, 38 insertions(+), 3 deletions(-)
diff --git a/ares_expand_name.c b/ares_expand_name.c
index 3a38e67..8604543 100644
--- a/ares_expand_name.c
+++ b/ares_expand_name.c
@@ -38,6 +38,26 @@
static int name_length(const unsigned char *encoded, const unsigned char *abuf,
int alen);
+/* Reserved characters for names that need to be escaped */
+static int is_reservedch(int ch)
+{
+ switch (ch) {
+ case '"':
+ case '.':
+ case ';':
+ case '\\':
+ case '(':
+ case ')':
+ case '@':
+ case '$':
+ return 1;
+ default:
+ break;
+ }
+
+ return 0;
+}
+
/* Expand an RFC1035-encoded domain name given by encoded. The
* containing message is given by abuf and alen. The result given by
* *s, which is set to a NUL-terminated allocated buffer. *enclen is
@@ -117,9 +137,18 @@ int ares_expand_name(const unsigned char *encoded, const unsigned char *abuf,
p++;
while (len--)
{
- if (*p == '.' || *p == '\\')
+ if (!isprint(*p)) {
+ /* Output as \DDD for consistency with RFC1035 5.1 */
+ *q++ = '\\';
+ *q++ = '0' + *p / 100;
+ *q++ = '0' + (*p % 100) / 10;
+ *q++ = '0' + (*p % 10);
+ } else if (is_reservedch(*p)) {
*q++ = '\\';
- *q++ = *p;
+ *q++ = *p;
+ } else {
+ *q++ = *p;
+ }
p++;
}
*q++ = '.';
@@ -177,7 +206,13 @@ static int name_length(const unsigned char *encoded, const unsigned char *abuf,
encoded++;
while (offset--)
{
- n += (*encoded == '.' || *encoded == '\\') ? 2 : 1;
+ if (!isprint(*encoded)) {
+ n += 4;
+ } else if (is_reservedch(*encoded)) {
+ n += 2;
+ } else {
+ n += 1;
+ }
encoded++;
}
n++;
--
2.17.1
meta-oe/recipes-support/c-ares/c-ares/0002-CVE-2021-3672.patch
+104
View File
@@ -0,0 +1,104 @@
From 446225e54b4f23c08a07968433b39d62ed65afd1 Mon Sep 17 00:00:00 2001
From: Changqing Li <changqing.li@windriver.com>
Date: Tue, 14 Sep 2021 13:59:28 +0800
Subject: [PATCH 2/2] ares_expand_name(): fix formatting and handling of root
name response
Fixes issue introduced in prior commit with formatting and handling
of parsing a root name response which should not be escaped.
Fix By: Brad House
Upstream-Status: Backport [https://github.com/c-ares/c-ares/commit/44c009b8e62ea1929de68e3f438181bea469ec14]
CVE: CVE-2021-3672
Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
ares_expand_name.c | 56 +++++++++++++++++++++++++++++-----------------
1 file changed, 35 insertions(+), 21 deletions(-)
diff --git a/ares_expand_name.c b/ares_expand_name.c
index 8604543..af0c2e8 100644
--- a/ares_expand_name.c
+++ b/ares_expand_name.c
@@ -133,22 +133,30 @@ int ares_expand_name(const unsigned char *encoded, const unsigned char *abuf,
}
else
{
- len = *p;
+ int name_len = *p;
+ len = name_len;
p++;
while (len--)
{
- if (!isprint(*p)) {
- /* Output as \DDD for consistency with RFC1035 5.1 */
- *q++ = '\\';
- *q++ = '0' + *p / 100;
- *q++ = '0' + (*p % 100) / 10;
- *q++ = '0' + (*p % 10);
- } else if (is_reservedch(*p)) {
- *q++ = '\\';
- *q++ = *p;
- } else {
- *q++ = *p;
- }
+ /* Output as \DDD for consistency with RFC1035 5.1, except
+ * for the special case of a root name response */
+ if (!isprint(*p) && !(name_len == 1 && *p == 0))
+ {
+
+ *q++ = '\\';
+ *q++ = '0' + *p / 100;
+ *q++ = '0' + (*p % 100) / 10;
+ *q++ = '0' + (*p % 10);
+ }
+ else if (is_reservedch(*p))
+ {
+ *q++ = '\\';
+ *q++ = *p;
+ }
+ else
+ {
+ *q++ = *p;
+ }
p++;
}
*q++ = '.';
@@ -200,19 +208,25 @@ static int name_length(const unsigned char *encoded, const unsigned char *abuf,
}
else if (top == 0x00)
{
- offset = *encoded;
+ int name_len = *encoded;
+ offset = name_len;
if (encoded + offset + 1 >= abuf + alen)
return -1;
encoded++;
while (offset--)
{
- if (!isprint(*encoded)) {
- n += 4;
- } else if (is_reservedch(*encoded)) {
- n += 2;
- } else {
- n += 1;
- }
+ if (!isprint(*encoded) && !(name_len == 1 && *encoded == 0))
+ {
+ n += 4;
+ }
+ else if (is_reservedch(*encoded))
+ {
+ n += 2;
+ }
+ else
+ {
+ n += 1;
+ }
encoded++;
}
n++;
--
2.17.1
meta-oe/recipes-support/c-ares/c-ares_1.16.1.bb
+2
View File
@@ -11,6 +11,8 @@ SRC_URI = "\
git://github.com/c-ares/c-ares.git \
file://cmake-install-libcares.pc.patch \
file://0001-fix-configure-error-mv-libcares.pc.cmakein-to-libcar.patch \
file://0001-CVE-2021-3672.patch \
file://0002-CVE-2021-3672.patch \
"
SRCREV = "74a1426ba60e2cd7977e53a22ef839c87415066e"