From patchwork Sun Jul 20 20:04:38 2025
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 67136
X-Patchwork-Delegate: steve@sakoman.com
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][walnascar 01/12] avahi: fix CVE-2024-52616
Date: Sun, 20 Jul 2025 13:04:38 -0700
Message-ID: <0376d69c39305333f2b2817ae7a1f4911f63e2e9.1753041740.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/220626

From: Zhang Peng

CVE-2024-52616: A flaw was found in the Avahi-daemon, where it initializes DNS transaction IDs randomly only once at startup, incrementing them sequentially after that. This predictable behavior facilitates DNS spoofing attacks, allowing attackers to guess transaction IDs.

Reference:
[https://nvd.nist.gov/vuln/detail/CVE-2024-52616]
[https://github.com/avahi/avahi/security/advisories/GHSA-r9j3-vjjh-p8vm]

Upstream patches:
[https://github.com/avahi/avahi/commit/f8710bdc8b29ee1176fe3bfaeabebbda1b7a79f7]

Signed-off-by: Zhang Peng
Signed-off-by: Steve Sakoman
(cherry pick from commit: 28de3f131b17dc4165df927060ee51f0de3ada90)
Signed-off-by: Zhang Peng
Signed-off-by: Steve Sakoman
--- meta/recipes-connectivity/avahi/avahi_0.8.bb | 1 + .../avahi/files/CVE-2024-52616.patch | 104 ++++++++++++++++++ 2 files changed, 105 insertions(+) create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2024-52616.patch diff --git a/meta/recipes-connectivity/avahi/avahi_0.8.bb b/meta/recipes-connectivity/avahi/avahi_0.8.bb index 220160a7e1..734a73541f 100644 --- a/meta/recipes-connectivity/avahi/avahi_0.8.bb +++ b/meta/recipes-connectivity/avahi/avahi_0.8.bb 
@@ -35,6 +35,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/avahi-${PV}.tar.gz \ file://CVE-2023-38471-2.patch \ file://CVE-2023-38472.patch \ file://CVE-2023-38473.patch \ + file://CVE-2024-52616.patch \ " GITHUB_BASE_URI = "https://github.com/avahi/avahi/releases/" diff --git a/meta/recipes-connectivity/avahi/files/CVE-2024-52616.patch b/meta/recipes-connectivity/avahi/files/CVE-2024-52616.patch new file mode 100644 index 0000000000..a156f98728 --- /dev/null +++ b/meta/recipes-connectivity/avahi/files/CVE-2024-52616.patch 
@@ -0,0 +1,104 @@ +From f8710bdc8b29ee1176fe3bfaeabebbda1b7a79f7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= +Date: Mon, 11 Nov 2024 00:56:09 +0100 +Subject: [PATCH] Properly randomize query id of DNS packets + +CVE: CVE-2024-52616 +Upstream-Status: Backport [https://github.com/avahi/avahi/commit/f8710bdc8b29ee1176fe3bfaeabebbda1b7a79f7] + +Signed-off-by: Zhang Peng +--- + avahi-core/wide-area.c | 36 ++++++++++++++++++++++++++++-------- + configure.ac | 3 ++- + 2 files changed, 30 insertions(+), 9 deletions(-) + +diff --git a/avahi-core/wide-area.c b/avahi-core/wide-area.c +index 971f5e714..00a15056e 100644 +--- a/avahi-core/wide-area.c ++++ b/avahi-core/wide-area.c +@@ -40,6 +40,13 @@ + #include "addr-util.h" + #include "rr-util.h" + ++#ifdef HAVE_SYS_RANDOM_H ++#include ++#endif ++#ifndef HAVE_GETRANDOM ++# define getrandom(d, len, flags) (-1) ++#endif ++ + #define CACHE_ENTRIES_MAX 500 + + typedef struct AvahiWideAreaCacheEntry AvahiWideAreaCacheEntry; +@@ -84,8 +91,6 @@ struct AvahiWideAreaLookupEngine { + int fd_ipv4, fd_ipv6; + AvahiWatch *watch_ipv4, *watch_ipv6; + +- uint16_t next_id; +- + /* Cache */ + AVAHI_LLIST_HEAD(AvahiWideAreaCacheEntry, cache); + AvahiHashmap *cache_by_key; +@@ -201,6 +206,26 @@ static void sender_timeout_callback(AvahiTimeEvent *e, void *userdata) { + avahi_time_event_update(e, avahi_elapse_time(&tv, 1000, 0)); + } + ++static uint16_t get_random_uint16(void) { ++ uint16_t next_id; ++ ++ if (getrandom(&next_id, sizeof(next_id), 0) == -1) ++ next_id = (uint16_t) rand(); ++ return next_id; ++} ++ ++static uint16_t avahi_wide_area_next_id(AvahiWideAreaLookupEngine *e) { ++ uint16_t next_id; ++ ++ next_id = get_random_uint16(); ++ while (find_lookup(e, next_id)) { ++ /* This ID is already used, get new. 
*/ ++ next_id = get_random_uint16(); ++ } ++ return next_id; ++} ++ ++ + AvahiWideAreaLookup *avahi_wide_area_lookup_new( + AvahiWideAreaLookupEngine *e, + AvahiKey *key, +@@ -227,11 +252,7 @@ AvahiWideAreaLookup *avahi_wide_area_lookup_new( + /* If more than 65K wide area quries are issued simultaneously, + * this will break. This should be limited by some higher level */ + +- for (;; e->next_id++) +- if (!find_lookup(e, e->next_id)) +- break; /* This ID is not yet used. */ +- +- l->id = e->next_id++; ++ l->id = avahi_wide_area_next_id(e); + + /* We keep the packet around in case we need to repeat our query */ + l->packet = avahi_dns_packet_new(0); +@@ -604,7 +625,6 @@ AvahiWideAreaLookupEngine *avahi_wide_area_engine_new(AvahiServer *s) { + e->watch_ipv6 = s->poll_api->watch_new(e->server->poll_api, e->fd_ipv6, AVAHI_WATCH_IN, socket_event, e); + + e->n_dns_servers = e->current_dns_server = 0; +- e->next_id = (uint16_t) rand(); + + /* Initialize cache */ + AVAHI_LLIST_HEAD_INIT(AvahiWideAreaCacheEntry, e->cache); +diff --git a/configure.ac b/configure.ac +index a3211b80e..31bce3d76 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -367,7 +367,8 @@ AC_FUNC_SELECT_ARGTYPES + # whether libc's malloc does too. (Same for realloc.) + #AC_FUNC_MALLOC + #AC_FUNC_REALLOC +-AC_CHECK_FUNCS([gethostname memchr memmove memset mkdir select socket strchr strcspn strdup strerror strrchr strspn strstr uname setresuid setreuid setresgid setregid strcasecmp gettimeofday putenv strncasecmp strlcpy gethostbyname seteuid setegid setproctitle getprogname]) ++AC_CHECK_FUNCS([gethostname memchr memmove memset mkdir select socket strchr strcspn strdup strerror strrchr strspn strstr uname setresuid setreuid setresgid setregid strcasecmp gettimeofday putenv strncasecmp strlcpy gethostbyname seteuid setegid setproctitle getprogname getrandom]) ++AC_CHECK_HEADERS([sys/random.h]) + + AC_FUNC_CHOWN + AC_FUNC_STAT +
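Review bot: the stub `# define getrandom(d, len, flags) (-1)` in the wide-area.c include hunk (-40,6 +40,13) lets a build without getrandom compile cleanly while every call reports failure, so the image ships with the rand() path only and nothing records that the fix is inactive. The configure.ac hunk adds getrandom to AC_CHECK_FUNCS and sys/random.h to AC_CHECK_HEADERS with no failure or notice when either is missing. Suggest a `#warning` under `#ifndef HAVE_GETRANDOM`, or a recipe-side check that the generated config.h defines HAVE_GETRANDOM for the target libc. Also, the `#include` under `#ifdef HAVE_SYS_RANDOM_H` shows no header name in this copy of the patch; the file in the recipe should name sys/random.h to match the guard.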
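Review bot: in get_random_uint16() (wide-area.c hunk at -201,6 +206,26), the fallback `next_id = (uint16_t) rand();` returns to a predictable generator whenever getrandom() returns -1, and nothing in this diff seeds rand(), so on that path the IDs are again guessable, which is the weakness the CVE text describes. The `== -1` test also treats an interrupted call the same as a missing syscall. Suggest retrying when errno is EINTR and logging when the fallback is taken, so a degraded daemon is visible in the field. With flags set to 0 the call can block until the kernel entropy pool is initialized, which is worth a line in the commit message for early-boot embedded targets.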
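Review bot: in the avahi_wide_area_lookup_new hunk (-227,11 +252,7), the retained comment about more than 65K simultaneous queries still describes an unbounded condition, and the replacement `while (find_lookup(e, next_id))` loop in avahi_wide_area_next_id() has no exit when every ID is in use, just as the removed `for (;; e->next_id++)` loop had none. The new loop additionally costs one getrandom() call and one find_lookup() per collision, so it slows down as the table fills instead of scanning linearly. Suggest bounding the number of outstanding lookups before calling avahi_wide_area_next_id(), or capping the retries and failing the lookup, and updating the comment to say which limit applies.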