From patchwork Wed May 7 06:51:15 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Praveen Kumar X-Patchwork-Id: 62574 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6021DC369DC for ; Wed, 7 May 2025 06:51:31 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web11.2363.1746600685536224940 for ; Tue, 06 May 2025 23:51:25 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=7222048fe2=praveen.kumar@windriver.com) Received: from pps.filterd (m0250812.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 5473v3l2013860 for ; Wed, 7 May 2025 06:51:24 GMT Received: from ala-exchng01.corp.ad.wrs.com (ala-exchng01.wrs.com [147.11.82.252]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 46e430kcmh-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Wed, 07 May 2025 06:51:24 +0000 (GMT) Received: from ala-exchng01.corp.ad.wrs.com (147.11.82.252) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Tue, 6 May 2025 23:51:22 -0700 Received: from blr-linux-engg1.wrs.com (147.11.136.210) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server id 15.1.2507.43 via Frontend Transport; Tue, 6 May 2025 23:51:20 -0700 From: Praveen Kumar To: CC: Praveen Kumar Subject: [oe-core][scarthgap][PATCH 1/1] connman :fix CVE-2025-32743 Date: Wed, 7 May 2025 06:51:15 +0000 Message-ID: <20250507065115.1862102-1-praveen.kumar@windriver.com> X-Mailer: git-send-email 2.40.0 MIME-Version: 1.0 X-Authority-Analysis: v=2.4 cv=BajY0qt2 c=1 sm=1 tr=0 ts=681b02ec cx=c_pps a=/ZJR302f846pc/tyiSlYyQ==:117 a=/ZJR302f846pc/tyiSlYyQ==:17 a=dt9VzEwgFbYA:10 a=PYnjg3YJAAAA:8 a=VwQbUJbxAAAA:8 a=t7CeM3EgAAAA:8 a=orGBpfcN-aQqT5LYJdQA:9 a=FdTzh2GWekK77mhwV6Dw:22 X-Proofpoint-GUID: t-8B911oqaFkEnfcOMaG15SaefCLeBq- X-Proofpoint-ORIG-GUID: t-8B911oqaFkEnfcOMaG15SaefCLeBq- X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwNTA3MDA2MyBTYWx0ZWRfXxsJaj+39woxH tXwX2eDsc5MXz6C1DJMcLHnbeTLrwd0/CB/wSbbOd0+k4u7wTayufmoFzmS3sGHsO7JZBl0oHY5 wYthN/dq70Y9/u5sM56Chkb5sDXgPx2oa7st701E/83EHMtIOk5qrBNJcCpeaXBWG8teKr900qL ONtX6nEtwpzzxH3sefus2AhxQ+4aKHOvG8XPTPV4xwLYeg+I03SRo5SW005kJ2vpWgMXsQ484xn /C36fZxYVlEEtoQgzeYDeI1pyxmC6oD72L/bj+GfzsSGiX6TyrIxiLiWGe9OcSbanDo8IZC1Zj6 fpkzXv6p04JgXBTHrnh49ynE00XmjQ9mHsoMKcXzqjxTmpbUEu0HAsFMdKQUuXRlRdHdemAB2Tq BhGAjagXiI5SM2XIIN7AOCerTL1/ViaG6JvdFlGXfg/hbhIWJn9yjVH8s30GwJOTrHdD51Bn X-Sensitive_Customer_Information: Yes X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.0.736,FMLib:17.12.80.40 definitions=2025-05-07_02,2025-05-06_01,2025-02-21_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 clxscore=1015 suspectscore=0 lowpriorityscore=0 phishscore=0 spamscore=0 priorityscore=1501 mlxscore=0 impostorscore=0 bulkscore=0 adultscore=0 malwarescore=0 mlxlogscore=999 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2504070000 definitions=main-2505070063 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 07 May 2025 06:51:31 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/216094 In ConnMan through 1.44, the lookup string in ns_resolv in dnsproxy.c can be NULL or an empty string when the TC (Truncated) bit is set in a DNS response. This allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code, because those lookup values lead to incorrect length calculations and incorrect memcpy operations. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-32743 Upstream-patch: https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d90b911f6760959bdf1393c39fe8d1118315490f Signed-off-by: Praveen Kumar --- .../connman/connman/CVE-2025-32743.patch | 48 +++++++++++++++++++ .../connman/connman_1.42.bb | 1 + 2 files changed, 49 insertions(+) create mode 100644 meta/recipes-connectivity/connman/connman/CVE-2025-32743.patch diff --git a/meta/recipes-connectivity/connman/connman/CVE-2025-32743.patch b/meta/recipes-connectivity/connman/connman/CVE-2025-32743.patch new file mode 100644 index 0000000000..b31c59aa70 --- /dev/null +++ b/meta/recipes-connectivity/connman/connman/CVE-2025-32743.patch @@ -0,0 +1,48 @@ +From d90b911f6760959bdf1393c39fe8d1118315490f Mon Sep 17 00:00:00 2001 +From: Praveen Kumar +Date: Thu, 24 Apr 2025 11:39:29 +0000 +Subject: [PATCH] dnsproxy: Fix NULL/empty lookup causing potential crash + +In ConnMan through 1.44, the lookup string in ns_resolv in dnsproxy.c +can be NULL or an empty string when the TC (Truncated) bit is set in +a DNS response. This allows attackers to cause a denial of service +(application crash) or possibly execute arbitrary code, because those +lookup values lead to incorrect length calculations and incorrect +memcpy operations. + +This patch includes a check to make sure loookup value is valid before +using it. This helps avoid unexpected value when the input is empty or +incorrect. + +Fixes: CVE-2025-32743 + +CVE: CVE-2025-32743 + +Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d90b911f6760959bdf1393c39fe8d1118315490f] + +Signed-off-by: Praveen Kumar +--- + src/dnsproxy.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/dnsproxy.c b/src/dnsproxy.c +index 7ebffbc..1a5a4f3 100644 +--- a/src/dnsproxy.c ++++ b/src/dnsproxy.c +@@ -1669,8 +1669,13 @@ static int ns_resolv(struct server_data *server, struct request_data *req, + gpointer request, gpointer name) + { + int sk = -1; ++ int err; + const char *lookup = (const char *)name; +- int err = ns_try_resolv_from_cache(req, request, lookup); ++ ++ if (!lookup || strlen(lookup) == 0) ++ return -EINVAL; ++ ++ err = ns_try_resolv_from_cache(req, request, lookup); + + if (err > 0) + /* cache hit */ +-- +2.40.0 diff --git a/meta/recipes-connectivity/connman/connman_1.42.bb b/meta/recipes-connectivity/connman/connman_1.42.bb index 91ab9895ac..3a1c9802bd 100644 --- a/meta/recipes-connectivity/connman/connman_1.42.bb +++ b/meta/recipes-connectivity/connman/connman_1.42.bb @@ -7,6 +7,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \ file://no-version-scripts.patch \ file://0001-vpn-Adding-support-for-latest-pppd-2.5.0-release.patch \ file://0001-src-log.c-Include-libgen.h-for-basename-API.patch \ + file://CVE-2025-32743.patch \ " SRC_URI:append:libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch"