[meta-oe,dunfell,v2] c-ares: Fix multiple security vulnerabilities

Message ID 20211119161640.822-1-radovan.scasny@siemens.com
State New
Series [meta-oe,dunfell,v2] c-ares: Fix multiple security vulnerabilities

Commit Message

Radovan Scasny Nov. 19, 2021, 4:16 p.m. UTC
Below are patches for security vulnerabilities

1. 0002-avoid-read-heap-buffer-overflow-332.patch
   https://github.com/c-ares/c-ares/issues/333

2. 0003-Avoid-buffer-overflow-in-RC4-loop-comparison-336.patch
   https://github.com/c-ares/c-ares/pull/336

3. 0004-ares_parse_-a-aaaa-_reply-could-return-larger-naddrt.patch
   CVE-2020-8277

Signed-off-by: Radovan Scasny <radovan.scasny@siemens.com>
---
 ...-avoid-read-heap-buffer-overflow-332.patch | 34 +++++++++++
 ...-overflow-in-RC4-loop-comparison-336.patch | 42 ++++++++++++++
 ...aa-_reply-could-return-larger-naddrt.patch | 58 +++++++++++++++++++
 .../recipes-support/c-ares/c-ares_1.16.1.bb   |  3 +
 4 files changed, 137 insertions(+)
 create mode 100644 meta-oe/recipes-support/c-ares/c-ares/0002-avoid-read-heap-buffer-overflow-332.patch
 create mode 100644 meta-oe/recipes-support/c-ares/c-ares/0003-Avoid-buffer-overflow-in-RC4-loop-comparison-336.patch
 create mode 100644 meta-oe/recipes-support/c-ares/c-ares/0004-ares_parse_-a-aaaa-_reply-could-return-larger-naddrt.patch

Patch

diff --git a/meta-oe/recipes-support/c-ares/c-ares/0002-avoid-read-heap-buffer-overflow-332.patch b/meta-oe/recipes-support/c-ares/c-ares/0002-avoid-read-heap-buffer-overflow-332.patch
new file mode 100644
index 0000000000..cafb801cbd
--- /dev/null
+++ b/meta-oe/recipes-support/c-ares/c-ares/0002-avoid-read-heap-buffer-overflow-332.patch
@@ -0,0 +1,34 @@ 
+From 1b98172b141fe874ad43e679e67506f9b2139043 Mon Sep 17 00:00:00 2001
+From: lutianxiong <50396812+ltx2018@users.noreply.github.com>
+Date: Fri, 22 May 2020 20:02:21 +0800
+Subject: [PATCH] avoid read-heap-buffer-overflow (#332)
+
+Fix invalid read in ares_parse_soa_reply.c found during fuzzing
+
+Fixes Bug: #333
+Fix By: lutianxiong (@ltx2018)
+
+Upstream-Status: Backport [https://github.com/c-ares/c-ares/commit/1b98172b141fe874ad43e679e67506f9b2139043] 
+Signed-off-by: Radovan Scasny <radovan.scasny@siemens.com>
+
+---
+ ares_parse_soa_reply.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/ares_parse_soa_reply.c b/ares_parse_soa_reply.c
+index 2a2cac8..7cfaed2 100644
+--- a/ares_parse_soa_reply.c
++++ b/ares_parse_soa_reply.c
+@@ -69,6 +69,9 @@ ares_parse_soa_reply(const unsigned char *abuf, int alen,
+   status = ares__expand_name_for_response(aptr, abuf, alen, &qname, &len);
+   if (status != ARES_SUCCESS)
+     goto failed_stat;
++
++  if (alen <= len + HFIXEDSZ + 1)
++    goto failed;
+   aptr += len;
+ 
+   qclass = DNS_QUESTION_TYPE(aptr);
+-- 
+2.20.1
+
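Review bot: the new guard `if (alen <= len + HFIXEDSZ + 1)` covers only the two bytes that `DNS_QUESTION_TYPE(aptr)` reads after `aptr += len;`, and it does so against the absolute answer length with a hard-coded header offset (it assumes the question name starts at `abuf + HFIXEDSZ`, which the hunk does not show) rather than against the bytes remaining after the cursor, so any further fixed-size read past the question name needs its own check. A bound expressed relative to the cursor, e.g. `if (aptr + len + QFIXEDSZ > abuf + alen) goto failed;` (assuming the nameser.h question-section size constant is in scope), would cover qtype and qclass together and survive later reordering. Also worth confirming that `failed`, as opposed to the `failed_stat` used on the line above, reports a bad-response status to the caller; that label is outside the hunk.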
diff --git a/meta-oe/recipes-support/c-ares/c-ares/0003-Avoid-buffer-overflow-in-RC4-loop-comparison-336.patch b/meta-oe/recipes-support/c-ares/c-ares/0003-Avoid-buffer-overflow-in-RC4-loop-comparison-336.patch
new file mode 100644
index 0000000000..3b602a655f
--- /dev/null
+++ b/meta-oe/recipes-support/c-ares/c-ares/0003-Avoid-buffer-overflow-in-RC4-loop-comparison-336.patch
@@ -0,0 +1,42 @@ 
+From 6d6cd5daf63b812734343bd020677829b13db2ac Mon Sep 17 00:00:00 2001
+From: Fionn Fitzmaurice <1897918+fionn@users.noreply.github.com>
+Date: Fri, 3 Jul 2020 07:39:54 +0800
+Subject: [PATCH] Avoid buffer overflow in RC4 loop comparison (#336)
+
+The rc4 function iterates over a buffer of size buffer_len who's maximum
+value is INT_MAX with a counter of type short that is not guaranteed to
+have maximum size INT_MAX.
+
+In circumstances where short is narrower than int and where buffer_len
+is larger than the maximum value of a short, it may be possible to loop
+infinitely as counter will overflow and never be greater than or equal
+to buffer_len.
+
+The solution is to make the comparison be between types of equal width.
+This commit defines counter as an int.
+
+Fix By: Fionn Fitzmaurice (@fionn)
+
+Upstream-Status: Backport [https://github.com/c-ares/c-ares/commit/6d6cd5daf63b812734343bd020677829b13db2ac]
+Signed-off-by: Radovan Scasny <radovan.scasny@siemens.com>
+
+---
+ ares_query.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ares_query.c b/ares_query.c
+index b38b8a6..5bbb2f5 100644
+--- a/ares_query.c
++++ b/ares_query.c
+@@ -45,7 +45,7 @@ static void rc4(rc4_key* key, unsigned char *buffer_ptr, int buffer_len)
+   unsigned char y;
+   unsigned char* state;
+   unsigned char xorIndex;
+-  short counter;
++  int counter;
+ 
+   x = key->x;
+   y = key->y;
+-- 
+2.20.1
+
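Review bot: the Subject says "buffer overflow" but the description and the one-line change describe a `short counter` that wraps before it can reach `buffer_len`, i.e. an infinite loop (signed overflow, undefined behaviour in C) rather than an out-of-bounds write; anyone triaging this as a memory-safety fix will be misled by the title, so the cover letter should call it a hang. Widening `counter` to `int` matches the `int buffer_len` in the signature shown in the hunk header, but a negative `buffer_len` is still unhandled; if the loop bound is `counter < buffer_len`, an early `if (buffer_len < 0) return;` makes the contract explicit. Minor: "who's" in the description should read "whose".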
diff --git a/meta-oe/recipes-support/c-ares/c-ares/0004-ares_parse_-a-aaaa-_reply-could-return-larger-naddrt.patch b/meta-oe/recipes-support/c-ares/c-ares/0004-ares_parse_-a-aaaa-_reply-could-return-larger-naddrt.patch
new file mode 100644
index 0000000000..25530982df
--- /dev/null
+++ b/meta-oe/recipes-support/c-ares/c-ares/0004-ares_parse_-a-aaaa-_reply-could-return-larger-naddrt.patch
@@ -0,0 +1,58 @@ 
+From 0d252eb3b2147179296a3bdb4ef97883c97c54d3 Mon Sep 17 00:00:00 2001
+From: bradh352 <brad@brad-house.com>
+Date: Thu, 12 Nov 2020 10:24:40 -0500
+Subject: [PATCH] ares_parse_{a,aaaa}_reply could return larger *naddrttls than
+ passed in
+
+If there are more ttls returned than the maximum provided by the requestor, then
+the *naddrttls response would be larger than the actual number of elements in
+the addrttls array.
+
+This bug could lead to invalid memory accesses in applications using c-ares.
+
+This behavior appeared to break with PR #257
+
+Fixes: #371
+Reported By: Momtchil Momtchev (@mmomtchev)
+Fix By: Brad House (@bradh352)
+
+Upstream-Status: Backport [https://github.com/c-ares/c-ares/commit/0d252eb3b2147179296a3bdb4ef97883c97c54d3]
+CVE: CVE-2020-8277
+Signed-off-by: Radovan Scasny <radovan.scasny@siemens.com>
+
+---
+ ares_parse_a_reply.c    | 3 ++-
+ ares_parse_aaaa_reply.c | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/ares_parse_a_reply.c b/ares_parse_a_reply.c
+index d8a9e9b..e71c993 100644
+--- a/ares_parse_a_reply.c
++++ b/ares_parse_a_reply.c
+@@ -197,7 +197,8 @@ int ares_parse_a_reply(const unsigned char *abuf, int alen,
+ 
+   if (naddrttls)
+     {
+-      *naddrttls = naddrs;
++      /* Truncated to at most *naddrttls entries */
++      *naddrttls = (naddrs > *naddrttls)?*naddrttls:naddrs;
+     }
+ 
+   ares__freeaddrinfo_cnames(ai.cnames);
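Review bot: the clamp `*naddrttls = (naddrs > *naddrttls)?*naddrttls:naddrs;` relies on `*naddrttls` still holding the caller's capacity at this point, and it passes a negative input through unchanged (any `naddrs >= 0` is greater than a negative `*naddrttls`, so the caller's value is written back as-is). Since this hunk changes only the reported count, the loop that fills `addrttls` must already stop at the caller's limit for the fix to be complete; please confirm that and reject `*naddrttls < 0` on entry. Style: spaces around the ternary, or the equivalent `if (naddrs < *naddrttls) *naddrttls = naddrs;`, reads better than the packed `?:`.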
+diff --git a/ares_parse_aaaa_reply.c b/ares_parse_aaaa_reply.c
+index 0d39bfa..346d430 100644
+--- a/ares_parse_aaaa_reply.c
++++ b/ares_parse_aaaa_reply.c
+@@ -200,7 +200,8 @@ int ares_parse_aaaa_reply(const unsigned char *abuf, int alen,
+ 
+   if (naddrttls)
+     {
+-      *naddrttls = naddrs;
++      /* Truncated to at most *naddrttls entries */
++      *naddrttls = (naddrs > *naddrttls)?*naddrttls:naddrs;
+     }
+ 
+   ares__freeaddrinfo_cnames(ai.cnames);
+-- 
+2.20.1
+
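Review bot: this is the same clamp as in ares_parse_a_reply.c, so the same caveats apply: a negative `*naddrttls` passes through, and it is the fill loop, not this line, that actually bounds the writes into `addrttls`. The duplication is inherited from upstream and acceptable for a backport, but the two copies must stay in lock-step; if the A-record side later gains an input check, apply it here as well. The `CVE: CVE-2020-8277` line in the patch header is the one cve-check consumes, and this is the only patch of the three that carries one.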
diff --git a/meta-oe/recipes-support/c-ares/c-ares_1.16.1.bb b/meta-oe/recipes-support/c-ares/c-ares_1.16.1.bb
index 36bb9be172..8379d5b102 100644
--- a/meta-oe/recipes-support/c-ares/c-ares_1.16.1.bb
+++ b/meta-oe/recipes-support/c-ares/c-ares_1.16.1.bb
@@ -13,6 +13,9 @@  SRC_URI = "\
     file://0001-fix-configure-error-mv-libcares.pc.cmakein-to-libcar.patch \
     file://ares_expand_name-should-escape-more-characters.patch \
     file://ares_expand_name-fix-formatting-and-handling-of-root.patch \
+    file://0002-avoid-read-heap-buffer-overflow-332.patch \
+    file://0003-Avoid-buffer-overflow-in-RC4-loop-comparison-336.patch \
+    file://0004-ares_parse_-a-aaaa-_reply-could-return-larger-naddrt.patch \
 "
 SRCREV = "74a1426ba60e2cd7977e53a22ef839c87415066e"
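Review bot: only 0004 carries a `CVE:` tag; 0002 and 0003 cite GitHub issue/PR numbers (#333, #336) but no identifier, so cve-check will not credit them. If either upstream fix later received a CVE, add a `CVE:` line to that patch header; if not, a sentence in the commit message saying no ID was assigned saves the next reviewer a lookup. Minor: the new files use a `000N-` prefix while the two existing `ares_expand_name-*` patches do not; harmless, but the numbering then implies an order that SRC_URI, not the file name, actually defines.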