From patchwork Fri Jul 11 11:33:11 2025
X-Patchwork-Submitter: "Polampalli, Archana"
X-Patchwork-Id: 66622
X-Patchwork-Delegate: steve@sakoman.com
Subject: [oe-core][kirkstone][PATCH 1/3] openssl: fix CVE-2024-41996
Date: Fri, 11 Jul 2025 17:03:11 +0530
Message-ID: <20250711113313.3009782-1-archana.polampalli@windriver.com>
X-Groupsio-URL:
https://lists.openembedded.org/g/openembedded-core/message/220141 From: Archana Polampalli Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key. Reference: https://github.com/openssl/openssl/pull/25088 Signed-off-by: Archana Polampalli --- .../openssl/openssl/CVE-2024-41996.patch | 48 +++++++++++++++++++ .../openssl/openssl_3.0.16.bb | 1 + 2 files changed, 49 insertions(+) create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-41996.patch diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-41996.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-41996.patch new file mode 100644 index 0000000000..49ec9c0130 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2024-41996.patch 
@@ -0,0 +1,48 @@ +From e70e34d857d4003199bcb5d3b52ca8102ccc1b98 Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Mon, 5 Aug 2024 17:54:14 +0200 +Subject: [PATCH] dh_kmgmt.c: Avoid expensive public key validation for known + safe-prime groups +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The partial validation is fully sufficient to check the key validity. + +Thanks to Szilárd Pfeiffer for reporting the issue. + +Reviewed-by: Neil Horman +Reviewed-by: Matt Caswell +Reviewed-by: Paul Dale +(Merged from https://github.com/openssl/openssl/pull/25088) + +CVE: CVE-2024-41996 + +Upstream-Status: Backport [https://github.com/openssl/openssl/commit/e70e34d857d4003199bcb5d3b52ca8102ccc1b98] + +Signed-off-by: Archana Polampalli +--- + providers/implementations/keymgmt/dh_kmgmt.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c +index 795a3f2..3e7a811 100644 +--- a/providers/implementations/keymgmt/dh_kmgmt.c ++++ b/providers/implementations/keymgmt/dh_kmgmt.c +@@ -387,9 +387,11 @@ static int dh_validate_public(const DH *dh, int checktype) + if (pub_key == NULL) + return 0; + +- /* The partial test is only valid for named group's with q = (p - 1) / 2 */ +- if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK +- && ossl_dh_is_named_safe_prime_group(dh)) ++ /* ++ * The partial test is only valid for named group's with q = (p - 1) / 2 ++ * but for that case it is also fully sufficient to check the key validity. ++ */ ++ if (ossl_dh_is_named_safe_prime_group(dh)) + return ossl_dh_check_pub_key_partial(dh, pub_key, &res); + + return DH_check_pub_key_ex(dh, pub_key); +-- +2.40.0 diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.16.bb b/meta/recipes-connectivity/openssl/openssl_3.0.16.bb index a9fffd18ba..3d6993872b 100644 --- a/meta/recipes-connectivity/openssl/openssl_3.0.16.bb 
+++ b/meta/recipes-connectivity/openssl/openssl_3.0.16.bb 
@@ -12,6 +12,7 @@ SRC_URI = "https://github.com/openssl/openssl/releases/download/openssl-${PV}/op file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \ file://afalg.patch \ file://0001-Configure-do-not-tweak-mips-cflags.patch \ + file://CVE-2024-41996.patch \ " SRC_URI:append:class-nativesdk = " \ From patchwork Fri Jul 11 11:33:12 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Polampalli, Archana" X-Patchwork-Id: 66623 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id BE422C83F1D for ; Fri, 11 Jul 2025 11:33:27 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web10.11755.1752233602807297446 for ; Fri, 11 Jul 2025 04:33:23 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=9287d3c5d5=archana.polampalli@windriver.com) Received: from pps.filterd (m0250811.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 56B6t3t6018630 for ; Fri, 11 Jul 2025 11:33:22 GMT Received: from ala-exchng02.corp.ad.wrs.com (ala-exchng02.wrs.com [147.11.82.254]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 47ps91xgrs-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Fri, 11 Jul 2025 11:33:21 +0000 (GMT) Received: from ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 
Subject: [oe-core][kirkstone][PATCH 2/3] ofono: fix CVE-2023-4232
Date: Fri, 11 Jul 2025 17:03:12 +0530
Message-ID: <20250711113313.3009782-2-archana.polampalli@windriver.com>
In-Reply-To: <20250711113313.3009782-1-archana.polampalli@windriver.com>
References: <20250711113313.3009782-1-archana.polampalli@windriver.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/220142
From: Archana Polampalli A flaw was found in ofono, an Open Source Telephony on Linux. A stack overflow bug is triggered within the decode_status_report() function during the SMS decoding. It is assumed that the attack scenario is accessible from a compromised modem, a malicious base station, or just SMS. There is a bound check for this memcpy length in decode_submit(), but it was forgotten in decode_status_report(). Signed-off-by: Archana Polampalli --- .../ofono/ofono/CVE-2023-4232.patch | 30 +++++++++++++++++++ meta/recipes-connectivity/ofono/ofono_1.34.bb | 1 + 2 files changed, 31 insertions(+) create mode 100644 meta/recipes-connectivity/ofono/ofono/CVE-2023-4232.patch diff --git a/meta/recipes-connectivity/ofono/ofono/CVE-2023-4232.patch b/meta/recipes-connectivity/ofono/ofono/CVE-2023-4232.patch new file mode 100644 index 0000000000..da714f6a87 --- /dev/null +++ b/meta/recipes-connectivity/ofono/ofono/CVE-2023-4232.patch @@ -0,0 +1,30 @@ +From 2ff2da7ac374a790f8b2a0216bcb4e3126498225 Mon Sep 17 00:00:00 2001 +From: "Sicelo A. Mhlongo" +Date: Wed, 4 Dec 2024 10:18:52 +0200 +Subject: [PATCH] smsutil: check status report fits in buffer + +Fixes CVE-2023-4232 + +CVE: CVE-2023-4232 +Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=2ff2da7ac374a790f8b2a0216bcb4e3126498225] +Signed-off-by: Archana Polampalli +--- + src/smsutil.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/smsutil.c b/src/smsutil.c +index ac89f16c..a706e26f 100644 +--- a/src/smsutil.c ++++ b/src/smsutil.c +@@ -1088,6 +1088,9 @@ static gboolean decode_status_report(const unsigned char *pdu, int len, + if ((len - offset) < expected) + return FALSE; + ++ if (expected > (int)sizeof(out->status_report.ud)) ++ return FALSE; ++ + memcpy(out->status_report.ud, pdu + offset, expected); + } + +-- +2.30.2 diff --git a/meta/recipes-connectivity/ofono/ofono_1.34.bb b/meta/recipes-connectivity/ofono/ofono_1.34.bb index 9f11af9236..8a298bfade 100644 
--- a/meta/recipes-connectivity/ofono/ofono_1.34.bb +++ b/meta/recipes-connectivity/ofono/ofono_1.34.bb 
@@ -26,6 +26,7 @@ SRC_URI = "\ file://CVE-2024-7547.patch \ file://CVE-2024-7540_CVE-2024-7541_CVE-2024-7542.patch \ file://CVE-2024-7537.patch \ + file://CVE-2023-4232.patch \ " SRC_URI[sha256sum] = "c0b96d3013447ec2bcb74579bef90e4e59c68dbfa4b9c6fbce5d12401a43aac7" From patchwork Fri Jul 11 11:33:13 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Polampalli, Archana" X-Patchwork-Id: 66621 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id C2E5AC83F22 for ; Fri, 11 Jul 2025 11:33:27 +0000 (UTC) Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com [205.220.166.238]) by mx.groups.io with SMTP id smtpd.web10.11756.1752233604965805073 for ; Fri, 11 Jul 2025 04:33:24 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.166.238, mailfrom: prvs=9287d3c5d5=archana.polampalli@windriver.com) Received: from pps.filterd (m0250809.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 56B5t2d1024001 for ; Fri, 11 Jul 2025 04:33:24 -0700 Received: from ala-exchng02.corp.ad.wrs.com (ala-exchng02.wrs.com [147.11.82.254]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 47q3jn68qr-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Fri, 11 Jul 2025 04:33:24 -0700 (PDT) Received: from ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.57; Fri, 11 Jul 2025 04:33:22 -0700 Received: 
Subject: [oe-core][kirkstone][PATCH 3/3] ofono: fix CVE-2023-4235
Date: Fri, 11 Jul 2025 17:03:13 +0530
Message-ID: <20250711113313.3009782-3-archana.polampalli@windriver.com>
In-Reply-To: <20250711113313.3009782-1-archana.polampalli@windriver.com>
References: <20250711113313.3009782-1-archana.polampalli@windriver.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/220143
From: Archana Polampalli A flaw was found in ofono, an Open Source Telephony on Linux. A stack overflow bug is triggered within the decode_deliver_report() function during the SMS decoding. It is assumed that the attack scenario is accessible from a compromised modem, a malicious base station, or just SMS. There is a bound check for this memcpy length in decode_submit(), but it was forgotten in decode_deliver_report(). Signed-off-by: Archana Polampalli --- .../ofono/ofono/CVE-2023-4235.patch | 37 +++++++++++++++++++ meta/recipes-connectivity/ofono/ofono_1.34.bb | 1 + 2 files changed, 38 insertions(+) create mode 100644 meta/recipes-connectivity/ofono/ofono/CVE-2023-4235.patch diff --git a/meta/recipes-connectivity/ofono/ofono/CVE-2023-4235.patch b/meta/recipes-connectivity/ofono/ofono/CVE-2023-4235.patch new file mode 100644 index 0000000000..ce03bbd274 --- /dev/null +++ b/meta/recipes-connectivity/ofono/ofono/CVE-2023-4235.patch 
@@ -0,0 +1,37 @@ +From 02aa0f9bad3d9e47a152fc045d0f51874d901d7e Mon Sep 17 00:00:00 2001 +From: "Sicelo A. Mhlongo" +Date: Wed, 4 Dec 2024 10:18:51 +0200 +Subject: [PATCH] smsutil: check deliver reports fit in buffer + +Fixes CVE-2023-4235 + +CVE: CVE-2023-4235 +Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=02aa0f9bad3d9e47a152fc045d0f51874d901d7e] +Signed-off-by: Archana Polampalli +--- + src/smsutil.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/smsutil.c b/src/smsutil.c +index 484bfd0b..ac89f16c 100644 +--- a/src/smsutil.c ++++ b/src/smsutil.c +@@ -1240,10 +1240,16 @@ static gboolean decode_deliver_report(const unsigned char *pdu, int len, + return FALSE; + + if (out->type == SMS_TYPE_DELIVER_REPORT_ERROR) { ++ if (expected > (int) sizeof(out->deliver_err_report.ud)) ++ return FALSE; ++ + out->deliver_err_report.udl = udl; + memcpy(out->deliver_err_report.ud, + pdu + offset, expected); + } else { ++ if (expected > (int) sizeof(out->deliver_ack_report.ud)) ++ return FALSE; ++ + out->deliver_ack_report.udl = udl; + memcpy(out->deliver_ack_report.ud, + pdu + offset, expected); +-- +2.30.2 diff --git a/meta/recipes-connectivity/ofono/ofono_1.34.bb b/meta/recipes-connectivity/ofono/ofono_1.34.bb index 8a298bfade..a3edf4ab5d 100644 --- a/meta/recipes-connectivity/ofono/ofono_1.34.bb +++ b/meta/recipes-connectivity/ofono/ofono_1.34.bb @@ -27,6 +27,7 @@ SRC_URI = "\ file://CVE-2024-7540_CVE-2024-7541_CVE-2024-7542.patch \ file://CVE-2024-7537.patch \ file://CVE-2023-4232.patch \ + file://CVE-2023-4235.patch \ " SRC_URI[sha256sum] = "c0b96d3013447ec2bcb74579bef90e4e59c68dbfa4b9c6fbce5d12401a43aac7"
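
Review bot: [PATCH 1/3], dh_validate_public() hunk in CVE-2024-41996.patch: once the OSSL_KEYMGMT_VALIDATE_QUICK_CHECK test is dropped, checktype is not read in any of the lines shown, so a caller that requests a full check now gets ossl_dh_check_pub_key_partial() for every named safe-prime group. The new comment states that the partial test is "fully sufficient" for that case but not why; one sentence giving the reason would help whoever next touches this path, and the carried-over "group's" should read "groups". As this is a backport, both are better raised upstream than changed here.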
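
Review bot: [PATCH 2/3], decode_status_report() hunk in CVE-2023-4232.patch: the added test "expected > (int)sizeof(out->status_report.ud)" bounds expected only from above and compares as signed. The hunk does not show where expected is computed; if it can ever be negative, both this test and the preceding "(len - offset) < expected" let it through and memcpy() receives a very large length. Worth confirming that expected is non-negative by construction, or rejecting expected < 0 in the same condition. Minor style point: this patch writes "(int)sizeof" while CVE-2023-4235.patch writes "(int) sizeof".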
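
Review bot: [PATCH 3/3], SRC_URI hunk in ofono_1.34.bb: CVE-2023-4235.patch is listed after CVE-2023-4232.patch, but the index lines show the opposite upstream order. This patch takes src/smsutil.c from 484bfd0b to ac89f16c, and ac89f16c is the pre-image of the 2/3 patch (ac89f16c..a706e26f). Applied as listed, the "@@ -1240,10 +1240,16 @@" hunk lands three lines lower than stated because the status-report check near line 1088 is already in place. The two fixes touch different functions, so the resulting source is the same, but listing CVE-2023-4235.patch first would let both apply at their stated line numbers.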