From patchwork Tue Jan 14 08:03:17 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: yurade X-Patchwork-Id: 55475 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5BCB3E77188 for ; Tue, 14 Jan 2025 08:03:52 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web10.39781.1736841825069302520 for ; Tue, 14 Jan 2025 00:03:45 -0800 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=3109dc8df7=yogita.urade@windriver.com) Received: from pps.filterd (m0250812.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 50E7QeUB025408 for ; Tue, 14 Jan 2025 08:03:44 GMT Received: from ala-exchng01.corp.ad.wrs.com (ala-exchng01.wrs.com [147.11.82.252]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 443fm8ar6n-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Tue, 14 Jan 2025 08:03:43 +0000 (GMT) Received: from blr-linux-engg1.wrs.com (147.11.136.210) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Tue, 14 Jan 2025 00:03:41 -0800 From: yurade To: Subject: [OE-core][kirkstone][PATCH 1/6] ofono: fix CVE-2024-7539 Date: Tue, 14 Jan 2025 08:03:17 +0000 Message-ID: <20250114080322.3571990-1-yogita.urade@windriver.com> X-Mailer: git-send-email 2.40.0 MIME-Version: 1.0 X-Originating-IP: [147.11.136.210] X-ClientProxiedBy: ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) To ala-exchng01.corp.ad.wrs.com (147.11.82.252) X-Authority-Analysis: v=2.4 cv=Mtmo63ae c=1 sm=1 tr=0 ts=67861a5f cx=c_pps a=/ZJR302f846pc/tyiSlYyQ==:117 a=/ZJR302f846pc/tyiSlYyQ==:17 a=HCiNrPZc1L8A:10 a=VdSt8ZQiCzkA:10 a=xNf9USuDAAAA:8 a=VwQbUJbxAAAA:8 a=t7CeM3EgAAAA:8 a=pGLkceISAAAA:8 a=eYCCJDtN_mypVY28GlcA:9 a=FdTzh2GWekK77mhwV6Dw:22 X-Proofpoint-ORIG-GUID: 1kwgIbouLlsLeqglVcqy407cl4O8plYQ X-Proofpoint-GUID: 1kwgIbouLlsLeqglVcqy407cl4O8plYQ X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1057,Hydra:6.0.680,FMLib:17.12.68.34 definitions=2025-01-14_01,2025-01-13_02,2024-11-22_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 suspectscore=0 mlxscore=0 phishscore=0 clxscore=1015 mlxlogscore=999 impostorscore=0 priorityscore=1501 adultscore=0 lowpriorityscore=0 malwarescore=0 bulkscore=0 spamscore=0 classifier=spam authscore=0 adjust=0 reason=mlx scancount=1 engine=8.21.0-2411120000 definitions=main-2501140066 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 14 Jan 2025 08:03:52 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/209776 From: Yogita Urade oFono CUSD Stack-based Buffer Overflow Code Execution Vulnerability. This vulnerability allows local attackers to execute arbitrary code on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability. The specific flaw exists within the parsing of responses from AT+CUSD commands. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-23195. Reference: https://security-tracker.debian.org/tracker/CVE-2024-7539 Upstream Patch: https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=389e2344f86319265fb72ae590b470716e038fdc Signed-off-by: Yogita Urade --- .../ofono/ofono/CVE-2024-7539.patch | 88 +++++++++++++++++++ meta/recipes-connectivity/ofono/ofono_1.34.bb | 1 + 2 files changed, 89 insertions(+) create mode 100644 meta/recipes-connectivity/ofono/ofono/CVE-2024-7539.patch diff --git a/meta/recipes-connectivity/ofono/ofono/CVE-2024-7539.patch b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7539.patch new file mode 100644 index 0000000000..46e45580c2 --- /dev/null +++ b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7539.patch @@ -0,0 +1,88 @@ +From 389e2344f86319265fb72ae590b470716e038fdc Mon Sep 17 00:00:00 2001 +From: "Sicelo A. Mhlongo" +Date: Tue, 17 Dec 2024 11:31:29 +0200 +Subject: [PATCH] ussd: ensure ussd content fits in buffers + +Fixes: CVE-2024-7539 + +CVE: CVE-2024-7539 +Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=389e2344f86319265fb72ae590b470716e038fdc] + +Signed-off-by: Yogita Urade +--- + drivers/atmodem/ussd.c | 5 ++++- + drivers/huaweimodem/ussd.c | 5 ++++- + drivers/speedupmodem/ussd.c | 5 ++++- + 3 files changed, 12 insertions(+), 3 deletions(-) + +diff --git a/drivers/atmodem/ussd.c b/drivers/atmodem/ussd.c +index 3be1832..29f86dc 100644 +--- a/drivers/atmodem/ussd.c ++++ b/drivers/atmodem/ussd.c +@@ -106,7 +106,7 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd) + const char *content; + int dcs; + enum sms_charset charset; +- unsigned char msg[160]; ++ unsigned char msg[160] = {0}; + const unsigned char *msg_ptr = NULL; + long msg_len; + +@@ -124,6 +124,9 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd) + if (!g_at_result_iter_next_number(&iter, &dcs)) + dcs = 0; + ++ if (strlen(content) > sizeof(msg) * 2) ++ goto out; ++ + if (!cbs_dcs_decode(dcs, NULL, NULL, &charset, NULL, NULL, NULL)) { + ofono_error("Unsupported USSD data coding scheme (%02x)", dcs); + status = 4; /* Not supported */ +diff --git a/drivers/huaweimodem/ussd.c b/drivers/huaweimodem/ussd.c +index fbed3cd..4160b7d 100644 +--- a/drivers/huaweimodem/ussd.c ++++ b/drivers/huaweimodem/ussd.c +@@ -50,7 +50,7 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd) + GAtResultIter iter; + int status, dcs; + const char *content; +- unsigned char msg[160]; ++ unsigned char msg[160] = {0}; + const unsigned char *msg_ptr = NULL; + long msg_len; + +@@ -68,6 +68,9 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd) + if (!g_at_result_iter_next_number(&iter, &dcs)) + dcs = 0; + ++ if (strlen(content) > sizeof(msg) * 2) ++ goto out; ++ + msg_ptr = decode_hex_own_buf(content, -1, &msg_len, 0, msg); + + out: +diff --git a/drivers/speedupmodem/ussd.c b/drivers/speedupmodem/ussd.c +index 57b91d7..99af19a 100644 +--- a/drivers/speedupmodem/ussd.c ++++ b/drivers/speedupmodem/ussd.c +@@ -49,7 +49,7 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd) + GAtResultIter iter; + int status, dcs; + const char *content; +- unsigned char msg[160]; ++ unsigned char msg[160] = {0}; + const unsigned char *msg_ptr = NULL; + long msg_len; + +@@ -67,6 +67,9 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd) + if (!g_at_result_iter_next_number(&iter, &dcs)) + dcs = 0; + ++ if (strlen(content) > sizeof(msg) * 2) ++ goto out; ++ + msg_ptr = decode_hex_own_buf(content, -1, &msg_len, 0, msg); + + out: +-- +2.40.0 diff --git a/meta/recipes-connectivity/ofono/ofono_1.34.bb b/meta/recipes-connectivity/ofono/ofono_1.34.bb index 3ffb713472..a7c3a9085d 100644 --- a/meta/recipes-connectivity/ofono/ofono_1.34.bb +++ b/meta/recipes-connectivity/ofono/ofono_1.34.bb @@ -18,6 +18,7 @@ SRC_URI = "\ file://CVE-2023-2794-0002.patch \ file://CVE-2023-2794-0003.patch \ file://CVE-2023-2794-0004.patch \ + file://CVE-2024-7539.patch \ " SRC_URI[sha256sum] = "c0b96d3013447ec2bcb74579bef90e4e59c68dbfa4b9c6fbce5d12401a43aac7" From patchwork Tue Jan 14 08:03:18 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: yurade X-Patchwork-Id: 55477 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 92354C02187 for ; Tue, 14 Jan 2025 08:03:52 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web11.40307.1736841826338489660 for ; Tue, 14 Jan 2025 00:03:46 -0800 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=3109dc8df7=yogita.urade@windriver.com) Received: from pps.filterd (m0250812.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 50E7LNLD016902 for ; Tue, 14 Jan 2025 08:03:45 GMT Received: from ala-exchng01.corp.ad.wrs.com (ala-exchng01.wrs.com [147.11.82.252]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 443fm8ar6q-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Tue, 14 Jan 2025 08:03:45 +0000 (GMT) Received: from blr-linux-engg1.wrs.com (147.11.136.210) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Tue, 14 Jan 2025 00:03:43 -0800 From: yurade To: Subject: [OE-core][kirkstone][PATCH 2/6] ofono: fix CVE-2024-7543 Date: Tue, 14 Jan 2025 08:03:18 +0000 Message-ID: <20250114080322.3571990-2-yogita.urade@windriver.com> X-Mailer: git-send-email 2.40.0 In-Reply-To: <20250114080322.3571990-1-yogita.urade@windriver.com> References: <20250114080322.3571990-1-yogita.urade@windriver.com> MIME-Version: 1.0 X-Originating-IP: [147.11.136.210] X-ClientProxiedBy: ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) To ala-exchng01.corp.ad.wrs.com (147.11.82.252) X-Authority-Analysis: v=2.4 cv=Mtmo63ae c=1 sm=1 tr=0 ts=67861a61 cx=c_pps a=/ZJR302f846pc/tyiSlYyQ==:117 a=/ZJR302f846pc/tyiSlYyQ==:17 a=HCiNrPZc1L8A:10 a=VdSt8ZQiCzkA:10 a=xNf9USuDAAAA:8 a=VwQbUJbxAAAA:8 a=t7CeM3EgAAAA:8 a=pGLkceISAAAA:8 a=-5Q0eFtxmzE3yrJQt80A:9 a=FdTzh2GWekK77mhwV6Dw:22 X-Proofpoint-ORIG-GUID: oSRt51uO-Q1gWJDkbsBY89Dp7Cab-i5F X-Proofpoint-GUID: oSRt51uO-Q1gWJDkbsBY89Dp7Cab-i5F X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1057,Hydra:6.0.680,FMLib:17.12.68.34 definitions=2025-01-14_01,2025-01-13_02,2024-11-22_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 suspectscore=0 mlxscore=0 phishscore=0 clxscore=1015 mlxlogscore=999 impostorscore=0 priorityscore=1501 adultscore=0 lowpriorityscore=0 malwarescore=0 bulkscore=0 spamscore=0 classifier=spam authscore=0 adjust=0 reason=mlx scancount=1 engine=8.21.0-2411120000 definitions=main-2501140066 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 14 Jan 2025 08:03:52 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/209777 From: Yogita Urade oFono SimToolKit Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to execute arbitrary code on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability. The specific flaw exists within the parsing of STK command PDUs. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-23456. Reference: https://security-tracker.debian.org/tracker/CVE-2024-7543 Upstream patch: https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=90e60ada012de42964214d8155260f5749d0dcc7 Signed-off-by: Yogita Urade --- .../ofono/ofono/CVE-2024-7543.patch | 30 +++++++++++++++++++ meta/recipes-connectivity/ofono/ofono_1.34.bb | 1 + 2 files changed, 31 insertions(+) create mode 100644 meta/recipes-connectivity/ofono/ofono/CVE-2024-7543.patch diff --git a/meta/recipes-connectivity/ofono/ofono/CVE-2024-7543.patch b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7543.patch new file mode 100644 index 0000000000..d71d00b832 --- /dev/null +++ b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7543.patch @@ -0,0 +1,30 @@ +From 90e60ada012de42964214d8155260f5749d0dcc7 Mon Sep 17 00:00:00 2001 +From: Ivaylo Dimitrov +Date: Tue, 3 Dec 2024 21:43:50 +0200 +Subject: [PATCH] stkutil: Fix CVE-2024-7543 + +CVE: CVE-2024-7543 +Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=90e60ada012de42964214d8155260f5749d0dcc7] + +Signed-off-by: Yogita Urade +--- + src/stkutil.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/stkutil.c b/src/stkutil.c +index 4f31af4..fdd11ad 100644 +--- a/src/stkutil.c ++++ b/src/stkutil.c +@@ -1876,6 +1876,10 @@ static bool parse_dataobj_mms_reference(struct comprehension_tlv_iter *iter, + + data = comprehension_tlv_iter_get_data(iter); + mr->len = len; ++ ++ if (len > sizeof(mr->ref)) ++ return false; ++ + memcpy(mr->ref, data, len); + + return true; +-- +2.40.0 diff --git a/meta/recipes-connectivity/ofono/ofono_1.34.bb b/meta/recipes-connectivity/ofono/ofono_1.34.bb index a7c3a9085d..731b186b12 100644 --- a/meta/recipes-connectivity/ofono/ofono_1.34.bb +++ b/meta/recipes-connectivity/ofono/ofono_1.34.bb @@ -19,6 +19,7 @@ SRC_URI = "\ file://CVE-2023-2794-0003.patch \ file://CVE-2023-2794-0004.patch \ file://CVE-2024-7539.patch \ + file://CVE-2024-7543.patch \ " SRC_URI[sha256sum] = "c0b96d3013447ec2bcb74579bef90e4e59c68dbfa4b9c6fbce5d12401a43aac7" From patchwork Tue Jan 14 08:03:19 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: yurade X-Patchwork-Id: 55474 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7FDD0C02183 for ; Tue, 14 Jan 2025 08:03:52 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web10.39782.1736841828371260709 for ; Tue, 14 Jan 2025 00:03:48 -0800 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=3109dc8df7=yogita.urade@windriver.com) Received: from pps.filterd (m0250811.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 50E7MJTR014360 for ; Tue, 14 Jan 2025 08:03:47 GMT Received: from ala-exchng01.corp.ad.wrs.com (ala-exchng01.wrs.com [147.11.82.252]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 443dv12tj5-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Tue, 14 Jan 2025 08:03:47 +0000 (GMT) Received: from blr-linux-engg1.wrs.com (147.11.136.210) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Tue, 14 Jan 2025 00:03:44 -0800 From: yurade To: Subject: [OE-core][kirkstone][PATCH 3/6] ofono: fix CVE-2024-7544 Date: Tue, 14 Jan 2025 08:03:19 +0000 Message-ID: <20250114080322.3571990-3-yogita.urade@windriver.com> X-Mailer: git-send-email 2.40.0 In-Reply-To: <20250114080322.3571990-1-yogita.urade@windriver.com> References: <20250114080322.3571990-1-yogita.urade@windriver.com> MIME-Version: 1.0 X-Originating-IP: [147.11.136.210] X-ClientProxiedBy: ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) To ala-exchng01.corp.ad.wrs.com (147.11.82.252) X-Proofpoint-GUID: G6CZ6hQB2NsWJaDbq-s7oAG3KXw7DoLl X-Authority-Analysis: v=2.4 cv=N5zTF39B c=1 sm=1 tr=0 ts=67861a63 cx=c_pps a=/ZJR302f846pc/tyiSlYyQ==:117 a=/ZJR302f846pc/tyiSlYyQ==:17 a=HCiNrPZc1L8A:10 a=VdSt8ZQiCzkA:10 a=xNf9USuDAAAA:8 a=VwQbUJbxAAAA:8 a=t7CeM3EgAAAA:8 a=pGLkceISAAAA:8 a=-5Q0eFtxmzE3yrJQt80A:9 a=FdTzh2GWekK77mhwV6Dw:22 X-Proofpoint-ORIG-GUID: G6CZ6hQB2NsWJaDbq-s7oAG3KXw7DoLl X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1057,Hydra:6.0.680,FMLib:17.12.68.34 definitions=2025-01-14_01,2025-01-13_02,2024-11-22_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 adultscore=0 priorityscore=1501 lowpriorityscore=0 mlxlogscore=999 clxscore=1015 suspectscore=0 bulkscore=0 mlxscore=0 phishscore=0 spamscore=0 impostorscore=0 malwarescore=0 classifier=spam authscore=0 adjust=0 reason=mlx scancount=1 engine=8.21.0-2411120000 definitions=main-2501140066 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 14 Jan 2025 08:03:52 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/209778 From: Yogita Urade oFono SimToolKit Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to execute arbitrary code on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability. The specific flaw exists within the parsing of STK command PDUs. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-23457. Reference: https://security-tracker.debian.org/tracker/CVE-2024-7544 Upstream patch: https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=a240705a0d5d41eca6de4125ab2349ecde4c873a Signed-off-by: Yogita Urade --- .../ofono/ofono/CVE-2024-7544.patch | 30 +++++++++++++++++++ meta/recipes-connectivity/ofono/ofono_1.34.bb | 1 + 2 files changed, 31 insertions(+) create mode 100644 meta/recipes-connectivity/ofono/ofono/CVE-2024-7544.patch diff --git a/meta/recipes-connectivity/ofono/ofono/CVE-2024-7544.patch b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7544.patch new file mode 100644 index 0000000000..ebbf809030 --- /dev/null +++ b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7544.patch @@ -0,0 +1,30 @@ +From a240705a0d5d41eca6de4125ab2349ecde4c873a Mon Sep 17 00:00:00 2001 +From: Ivaylo Dimitrov +Date: Tue, 3 Dec 2024 21:43:49 +0200 +Subject: [PATCH] stkutil: Fix CVE-2024-7544 + +CVE: CVE-2024-7544 +Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=a240705a0d5d41eca6de4125ab2349ecde4c873a] + +Signed-off-by: Yogita Urade +--- + src/stkutil.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/stkutil.c b/src/stkutil.c +index fdd11ad..475caaa 100644 +--- a/src/stkutil.c ++++ b/src/stkutil.c +@@ -1898,6 +1898,10 @@ static bool parse_dataobj_mms_id(struct comprehension_tlv_iter *iter, + + data = comprehension_tlv_iter_get_data(iter); + mi->len = len; ++ ++ if (len > sizeof(mi->id)) ++ return false; ++ + memcpy(mi->id, data, len); + + return true; +-- +2.40.0 diff --git a/meta/recipes-connectivity/ofono/ofono_1.34.bb b/meta/recipes-connectivity/ofono/ofono_1.34.bb index 731b186b12..54710aa9fd 100644 --- a/meta/recipes-connectivity/ofono/ofono_1.34.bb +++ b/meta/recipes-connectivity/ofono/ofono_1.34.bb @@ -20,6 +20,7 @@ SRC_URI = "\ file://CVE-2023-2794-0004.patch \ file://CVE-2024-7539.patch \ file://CVE-2024-7543.patch \ + file://CVE-2024-7544.patch \ " SRC_URI[sha256sum] = "c0b96d3013447ec2bcb74579bef90e4e59c68dbfa4b9c6fbce5d12401a43aac7" From patchwork Tue Jan 14 08:03:20 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: yurade X-Patchwork-Id: 55478 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 83263C02185 for ; Tue, 14 Jan 2025 08:03:52 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web11.40308.1736841830048165845 for ; Tue, 14 Jan 2025 00:03:50 -0800 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=3109dc8df7=yogita.urade@windriver.com) Received: from pps.filterd (m0250812.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 50E6OW7n000578 for ; Tue, 14 Jan 2025 08:03:49 GMT Received: from ala-exchng01.corp.ad.wrs.com (ala-exchng01.wrs.com [147.11.82.252]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 443fm8ar6r-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Tue, 14 Jan 2025 08:03:49 +0000 (GMT) Received: from blr-linux-engg1.wrs.com (147.11.136.210) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Tue, 14 Jan 2025 00:03:46 -0800 From: yurade To: Subject: [OE-core][kirkstone][PATCH 4/6] ofono: fix CVE-2024-7545 Date: Tue, 14 Jan 2025 08:03:20 +0000 Message-ID: <20250114080322.3571990-4-yogita.urade@windriver.com> X-Mailer: git-send-email 2.40.0 In-Reply-To: <20250114080322.3571990-1-yogita.urade@windriver.com> References: <20250114080322.3571990-1-yogita.urade@windriver.com> MIME-Version: 1.0 X-Originating-IP: [147.11.136.210] X-ClientProxiedBy: ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) To ala-exchng01.corp.ad.wrs.com (147.11.82.252) X-Authority-Analysis: v=2.4 cv=Mtmo63ae c=1 sm=1 tr=0 ts=67861a65 cx=c_pps a=/ZJR302f846pc/tyiSlYyQ==:117 a=/ZJR302f846pc/tyiSlYyQ==:17 a=HCiNrPZc1L8A:10 a=VdSt8ZQiCzkA:10 a=xNf9USuDAAAA:8 a=VwQbUJbxAAAA:8 a=t7CeM3EgAAAA:8 a=pGLkceISAAAA:8 a=-5Q0eFtxmzE3yrJQt80A:9 a=FdTzh2GWekK77mhwV6Dw:22 X-Proofpoint-ORIG-GUID: NARnsJLU-YfkSGRy26PgTbXTFr1PsR7H X-Proofpoint-GUID: NARnsJLU-YfkSGRy26PgTbXTFr1PsR7H X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1057,Hydra:6.0.680,FMLib:17.12.68.34 definitions=2025-01-14_01,2025-01-13_02,2024-11-22_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 suspectscore=0 mlxscore=0 phishscore=0 clxscore=1015 mlxlogscore=999 impostorscore=0 priorityscore=1501 adultscore=0 lowpriorityscore=0 malwarescore=0 bulkscore=0 spamscore=0 classifier=spam authscore=0 adjust=0 reason=mlx scancount=1 engine=8.21.0-2411120000 definitions=main-2501140066 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 14 Jan 2025 08:03:52 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/209779 From: Yogita Urade oFono SimToolKit Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to execute arbitrary code on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability. The specific flaw exists within the parsing of STK command PDUs. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-23458. Reeference: https://security-tracker.debian.org/tracker/CVE-2024-7545 Upstream patch: https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=556e14548c38c2b96d85881542046ee7ed750bb5 Signed-off-by: Yogita Urade --- .../ofono/ofono/CVE-2024-7545.patch | 32 +++++++++++++++++++ meta/recipes-connectivity/ofono/ofono_1.34.bb | 1 + 2 files changed, 33 insertions(+) create mode 100644 meta/recipes-connectivity/ofono/ofono/CVE-2024-7545.patch diff --git a/meta/recipes-connectivity/ofono/ofono/CVE-2024-7545.patch b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7545.patch new file mode 100644 index 0000000000..80dc3c9ab0 --- /dev/null +++ b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7545.patch @@ -0,0 +1,32 @@ +From 556e14548c38c2b96d85881542046ee7ed750bb5 Mon Sep 17 00:00:00 2001 +From: Sicelo A. Mhlongo +Date: Wed, Dec 4 12:07:34 2024 +0200 +Subject: [PATCH] stkutil: ensure data fits in buffer + +Fixes CVE-2024-7545 + +CVE: CVE-2024-7545 +Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=556e14548c38c2b96d85881542046ee7ed750bb5] + +Signed-off-by: Yogita Urade +--- + src/stkutil.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/stkutil.c b/src/stkutil.c +index 475caaa..e1fd75c 100644 +--- a/src/stkutil.c ++++ b/src/stkutil.c +@@ -1938,6 +1938,10 @@ static bool parse_dataobj_mms_content_id( + + data = comprehension_tlv_iter_get_data(iter); + mci->len = len; ++ ++ if (len > sizeof(mci->id)) ++ return false; ++ + memcpy(mci->id, data, len); + + return true; +-- +2.40.0 diff --git a/meta/recipes-connectivity/ofono/ofono_1.34.bb b/meta/recipes-connectivity/ofono/ofono_1.34.bb index 54710aa9fd..0597caff3c 100644 --- a/meta/recipes-connectivity/ofono/ofono_1.34.bb +++ b/meta/recipes-connectivity/ofono/ofono_1.34.bb @@ -21,6 +21,7 @@ SRC_URI = "\ file://CVE-2024-7539.patch \ file://CVE-2024-7543.patch \ file://CVE-2024-7544.patch \ + file://CVE-2024-7545.patch \ " SRC_URI[sha256sum] = "c0b96d3013447ec2bcb74579bef90e4e59c68dbfa4b9c6fbce5d12401a43aac7" From patchwork Tue Jan 14 08:03:21 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: yurade X-Patchwork-Id: 55476 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 902B7C02184 for ; Tue, 14 Jan 2025 08:03:52 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web10.39783.1736841831921106149 for ; Tue, 14 Jan 2025 00:03:52 -0800 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=3109dc8df7=yogita.urade@windriver.com) Received: from pps.filterd (m0250811.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 50E7MJTS014360 for ; Tue, 14 Jan 2025 08:03:51 GMT Received: from ala-exchng01.corp.ad.wrs.com (ala-exchng01.wrs.com [147.11.82.252]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 443dv12tj7-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Tue, 14 Jan 2025 08:03:50 +0000 (GMT) Received: from blr-linux-engg1.wrs.com (147.11.136.210) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Tue, 14 Jan 2025 00:03:48 -0800 From: yurade To: Subject: [OE-core][kirkstone][PATCH 5/6] ofono: fix CVE-2024-7546 Date: Tue, 14 Jan 2025 08:03:21 +0000 Message-ID: <20250114080322.3571990-5-yogita.urade@windriver.com> X-Mailer: git-send-email 2.40.0 In-Reply-To: <20250114080322.3571990-1-yogita.urade@windriver.com> References: <20250114080322.3571990-1-yogita.urade@windriver.com> MIME-Version: 1.0 X-Originating-IP: [147.11.136.210] X-ClientProxiedBy: ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) To ala-exchng01.corp.ad.wrs.com (147.11.82.252) X-Proofpoint-GUID: 0i1_GYRiw2IwgsoXIvlL5nNXFuRsBqb7 X-Authority-Analysis: v=2.4 cv=N5zTF39B c=1 sm=1 tr=0 ts=67861a67 cx=c_pps a=/ZJR302f846pc/tyiSlYyQ==:117 a=/ZJR302f846pc/tyiSlYyQ==:17 a=HCiNrPZc1L8A:10 a=VdSt8ZQiCzkA:10 a=xNf9USuDAAAA:8 a=VwQbUJbxAAAA:8 a=t7CeM3EgAAAA:8 a=pGLkceISAAAA:8 a=-5Q0eFtxmzE3yrJQt80A:9 a=FdTzh2GWekK77mhwV6Dw:22 X-Proofpoint-ORIG-GUID: 0i1_GYRiw2IwgsoXIvlL5nNXFuRsBqb7 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1057,Hydra:6.0.680,FMLib:17.12.68.34 definitions=2025-01-14_01,2025-01-13_02,2024-11-22_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 adultscore=0 priorityscore=1501 lowpriorityscore=0 mlxlogscore=999 clxscore=1015 suspectscore=0 bulkscore=0 mlxscore=0 phishscore=0 spamscore=0 impostorscore=0 malwarescore=0 classifier=spam authscore=0 adjust=0 reason=mlx scancount=1 engine=8.21.0-2411120000 definitions=main-2501140066 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 14 Jan 2025 08:03:52 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/209780 From: Yogita Urade oFono SimToolKit Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to execute arbitrary code on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability. The specific flaw exists within the parsing of STK command PDUs. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-23459. Reference: https://security-tracker.debian.org/tracker/CVE-2024-7546 Upstream patch: https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=79ea6677669e50b0bb9c231765adb4f81c375f63 Signed-off-by: Yogita Urade --- .../ofono/ofono/CVE-2024-7546.patch | 30 +++++++++++++++++++ meta/recipes-connectivity/ofono/ofono_1.34.bb | 1 + 2 files changed, 31 insertions(+) create mode 100644 meta/recipes-connectivity/ofono/ofono/CVE-2024-7546.patch diff --git a/meta/recipes-connectivity/ofono/ofono/CVE-2024-7546.patch b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7546.patch new file mode 100644 index 0000000000..aac6751625 --- /dev/null +++ b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7546.patch @@ -0,0 +1,30 @@ +From 79ea6677669e50b0bb9c231765adb4f81c375f63 Mon Sep 17 00:00:00 2001 +From: Ivaylo Dimitrov +Date: Tue, 3 Dec 2024 21:43:52 +0200 +Subject: [PATCH] Fix CVE-2024-7546 + +CVE: CVE-2024-7546 +Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=79ea6677669e50b0bb9c231765adb4f81c375f63] + +Signed-off-by: Yogita Urade +--- + src/stkutil.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/stkutil.c b/src/stkutil.c +index e1fd75c..88a715d 100644 +--- a/src/stkutil.c ++++ b/src/stkutil.c +@@ -1783,6 +1783,10 @@ static bool parse_dataobj_frame_layout(struct comprehension_tlv_iter *iter, + + fl->layout = data[0]; + fl->len = len - 1; ++ ++ if (fl->len > sizeof(fl->size)) ++ return false; ++ + memcpy(fl->size, data + 1, fl->len); + + return true; +-- +2.40.0 diff --git a/meta/recipes-connectivity/ofono/ofono_1.34.bb b/meta/recipes-connectivity/ofono/ofono_1.34.bb index 0597caff3c..0c1e0ea6f8 100644 --- a/meta/recipes-connectivity/ofono/ofono_1.34.bb +++ b/meta/recipes-connectivity/ofono/ofono_1.34.bb @@ -22,6 +22,7 @@ SRC_URI = "\ file://CVE-2024-7543.patch \ file://CVE-2024-7544.patch \ file://CVE-2024-7545.patch \ + file://CVE-2024-7546.patch \ " SRC_URI[sha256sum] = "c0b96d3013447ec2bcb74579bef90e4e59c68dbfa4b9c6fbce5d12401a43aac7" From patchwork Tue Jan 14 08:03:22 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: yurade X-Patchwork-Id: 55479 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8094FE77188 for ; Tue, 14 Jan 2025 08:04:02 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web10.39785.1736841833722694523 for ; Tue, 14 Jan 2025 00:03:53 -0800 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=3109dc8df7=yogita.urade@windriver.com) Received: from pps.filterd (m0250812.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 50E7LNLE016902 for ; Tue, 14 Jan 2025 08:03:53 GMT Received: from ala-exchng01.corp.ad.wrs.com (ala-exchng01.wrs.com [147.11.82.252]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 443fm8ar6t-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Tue, 14 Jan 2025 08:03:52 +0000 (GMT) Received: from blr-linux-engg1.wrs.com (147.11.136.210) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Tue, 14 Jan 2025 00:03:50 -0800 From: yurade To: Subject: [OE-core][kirkstone][PATCH 6/6] ofono: fix CVE-2024-7547 Date: Tue, 14 Jan 2025 08:03:22 +0000 Message-ID: <20250114080322.3571990-6-yogita.urade@windriver.com> X-Mailer: git-send-email 2.40.0 In-Reply-To: <20250114080322.3571990-1-yogita.urade@windriver.com> References: <20250114080322.3571990-1-yogita.urade@windriver.com> MIME-Version: 1.0 X-Originating-IP: [147.11.136.210] X-ClientProxiedBy: ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) To ala-exchng01.corp.ad.wrs.com (147.11.82.252) X-Authority-Analysis: v=2.4 cv=Mtmo63ae c=1 sm=1 tr=0 ts=67861a68 cx=c_pps a=/ZJR302f846pc/tyiSlYyQ==:117 a=/ZJR302f846pc/tyiSlYyQ==:17 a=HCiNrPZc1L8A:10 a=VdSt8ZQiCzkA:10 a=xNf9USuDAAAA:8 a=VwQbUJbxAAAA:8 a=t7CeM3EgAAAA:8 a=pGLkceISAAAA:8 a=WaMr6RvcABQZGJvYwNEA:9 a=FdTzh2GWekK77mhwV6Dw:22 X-Proofpoint-ORIG-GUID: HyEgEPRNqwS64KdV-Ev6l9oCMDo2Wm-M X-Proofpoint-GUID: HyEgEPRNqwS64KdV-Ev6l9oCMDo2Wm-M X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1057,Hydra:6.0.680,FMLib:17.12.68.34 definitions=2025-01-14_01,2025-01-13_02,2024-11-22_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 suspectscore=0 mlxscore=0 phishscore=0 clxscore=1011 mlxlogscore=999 impostorscore=0 priorityscore=1501 adultscore=0 lowpriorityscore=0 malwarescore=0 bulkscore=0 spamscore=0 classifier=spam authscore=0 adjust=0 reason=mlx scancount=1 engine=8.21.0-2411120000 definitions=main-2501140066 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 14 Jan 2025 08:04:02 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/209781 From: Yogita Urade oFono SMS Decoder Stack-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to execute arbitrary code on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability. The specific flaw exists within the parsing of SMS PDUs. The issue results from the lack of proper validation of the length of user- supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-23460. Reference: https://security-tracker.debian.org/tracker/CVE-2024-7547 Upstream patch: https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=305df050d02aea8532f7625d6642685aa530f9b0 Signed-off-by: Yogita Urade --- .../ofono/ofono/CVE-2024-7547.patch | 29 +++++++++++++++++++ meta/recipes-connectivity/ofono/ofono_1.34.bb | 1 + 2 files changed, 30 insertions(+) create mode 100644 meta/recipes-connectivity/ofono/ofono/CVE-2024-7547.patch diff --git a/meta/recipes-connectivity/ofono/ofono/CVE-2024-7547.patch b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7547.patch new file mode 100644 index 0000000000..b6b08127a8 --- /dev/null +++ b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7547.patch @@ -0,0 +1,29 @@ +From 305df050d02aea8532f7625d6642685aa530f9b0 Mon Sep 17 00:00:00 2001 +From: Ivaylo Dimitrov +Date: Tue, 3 Dec 2024 21:43:51 +0200 +Subject: [PATCH] Fix CVE-2024-7547 + +CVE: CVE-2024-7547 +Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=305df050d02aea8532f7625d6642685aa530f9b0] + +Signed-off-by: Yogita Urade +--- + src/smsutil.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/smsutil.c b/src/smsutil.c +index e073a06..f8ff428 100644 +--- a/src/smsutil.c ++++ b/src/smsutil.c +@@ -1475,6 +1475,9 @@ static gboolean decode_command(const unsigned char *pdu, int len, + if ((len - offset) < out->command.cdl) + return FALSE; + ++ if (out->command.cdl > sizeof(out->command.cd)) ++ return FALSE; ++ + memcpy(out->command.cd, pdu + offset, out->command.cdl); + + return TRUE; +-- +2.40.0 diff --git a/meta/recipes-connectivity/ofono/ofono_1.34.bb b/meta/recipes-connectivity/ofono/ofono_1.34.bb index 0c1e0ea6f8..8205ea683d 100644 --- a/meta/recipes-connectivity/ofono/ofono_1.34.bb +++ b/meta/recipes-connectivity/ofono/ofono_1.34.bb @@ -23,6 +23,7 @@ SRC_URI = "\ file://CVE-2024-7544.patch \ file://CVE-2024-7545.patch \ file://CVE-2024-7546.patch \ + file://CVE-2024-7547.patch \ " SRC_URI[sha256sum] = "c0b96d3013447ec2bcb74579bef90e4e59c68dbfa4b9c6fbce5d12401a43aac7"