From: "Changqing Li" <changqing.li@windriver.com>
To: <openembedded-devel@lists.openembedded.org>
Subject: [hardnott][PATCH] c-ares: fix CVE-2021-3672
Date: Tue, 14 Sep 2021 16:17:21 +0800 [thread overview]
Message-ID: <20210914081721.39342-1-changqing.li@windriver.com> (raw)
From: Changqing Li <changqing.li@windriver.com>
Refer:
https://c-ares.org/adv_20210810.html
https://github.com/c-ares/c-ares/commit/362f91d807d293791008cdb7616d40f7784ece83
https://github.com/c-ares/c-ares/commit/44c009b8e62ea1929de68e3f438181bea469ec14
Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
.../c-ares/c-ares/0001-CVE-2021-3672.patch | 91 +++++++++++++++
.../c-ares/c-ares/0002-CVE-2021-3672.patch | 104 ++++++++++++++++++
.../recipes-support/c-ares/c-ares_1.16.1.bb | 2 +
3 files changed, 197 insertions(+)
create mode 100644 meta-oe/recipes-support/c-ares/c-ares/0001-CVE-2021-3672.patch
create mode 100644 meta-oe/recipes-support/c-ares/c-ares/0002-CVE-2021-3672.patch
diff --git a/meta-oe/recipes-support/c-ares/c-ares/0001-CVE-2021-3672.patch b/meta-oe/recipes-support/c-ares/c-ares/0001-CVE-2021-3672.patch
new file mode 100644
index 000000000..93afb838f
--- /dev/null
+++ b/meta-oe/recipes-support/c-ares/c-ares/0001-CVE-2021-3672.patch
@@ -0,0 +1,91 @@
+From 13363ab0eb3f5a3223571d073888816bd3e650f9 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Tue, 14 Sep 2021 13:49:11 +0800
+Subject: [PATCH 1/2] ares_expand_name() should escape more characters
+
+RFC1035 5.1 specifies some reserved characters and escaping sequences
+that are allowed to be specified. Expand the list of reserved characters
+and also escape non-printable characters using the \DDD format as
+specified in the RFC.
+
+Bug Reported By: philipp.jeitner@sit.fraunhofer.de
+Fix By: Brad House (@bradh352)
+
+Upstream-Status: Backport [https://github.com/c-ares/c-ares/commit/362f91d807d293791008cdb7616d40f7784ece83]
+CVE: CVE-2021-3672
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ ares_expand_name.c | 41 ++++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 38 insertions(+), 3 deletions(-)
+
+diff --git a/ares_expand_name.c b/ares_expand_name.c
+index 3a38e67..8604543 100644
+--- a/ares_expand_name.c
++++ b/ares_expand_name.c
+@@ -38,6 +38,26 @@
+ static int name_length(const unsigned char *encoded, const unsigned char *abuf,
+ int alen);
+
++/* Reserved characters for names that need to be escaped */
++static int is_reservedch(int ch)
++{
++ switch (ch) {
++ case '"':
++ case '.':
++ case ';':
++ case '\\':
++ case '(':
++ case ')':
++ case '@':
++ case '$':
++ return 1;
++ default:
++ break;
++ }
++
++ return 0;
++}
++
+ /* Expand an RFC1035-encoded domain name given by encoded. The
+ * containing message is given by abuf and alen. The result given by
+ * *s, which is set to a NUL-terminated allocated buffer. *enclen is
+@@ -117,9 +137,18 @@ int ares_expand_name(const unsigned char *encoded, const unsigned char *abuf,
+ p++;
+ while (len--)
+ {
+- if (*p == '.' || *p == '\\')
++ if (!isprint(*p)) {
++ /* Output as \DDD for consistency with RFC1035 5.1 */
++ *q++ = '\\';
++ *q++ = '0' + *p / 100;
++ *q++ = '0' + (*p % 100) / 10;
++ *q++ = '0' + (*p % 10);
++ } else if (is_reservedch(*p)) {
+ *q++ = '\\';
+- *q++ = *p;
++ *q++ = *p;
++ } else {
++ *q++ = *p;
++ }
+ p++;
+ }
+ *q++ = '.';
+@@ -177,7 +206,13 @@ static int name_length(const unsigned char *encoded, const unsigned char *abuf,
+ encoded++;
+ while (offset--)
+ {
+- n += (*encoded == '.' || *encoded == '\\') ? 2 : 1;
++ if (!isprint(*encoded)) {
++ n += 4;
++ } else if (is_reservedch(*encoded)) {
++ n += 2;
++ } else {
++ n += 1;
++ }
+ encoded++;
+ }
+ n++;
+--
+2.17.1
+
diff --git a/meta-oe/recipes-support/c-ares/c-ares/0002-CVE-2021-3672.patch b/meta-oe/recipes-support/c-ares/c-ares/0002-CVE-2021-3672.patch
new file mode 100644
index 000000000..e3b32f5fe
--- /dev/null
+++ b/meta-oe/recipes-support/c-ares/c-ares/0002-CVE-2021-3672.patch
@@ -0,0 +1,104 @@
+From 446225e54b4f23c08a07968433b39d62ed65afd1 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Tue, 14 Sep 2021 13:59:28 +0800
+Subject: [PATCH 2/2] ares_expand_name(): fix formatting and handling of root
+ name response
+
+Fixes issue introduced in prior commit with formatting and handling
+of parsing a root name response which should not be escaped.
+
+Fix By: Brad House
+
+Upstream-Status: Backport [https://github.com/c-ares/c-ares/commit/44c009b8e62ea1929de68e3f438181bea469ec14]
+CVE: CVE-2021-3672
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ ares_expand_name.c | 56 +++++++++++++++++++++++++++++-----------------
+ 1 file changed, 35 insertions(+), 21 deletions(-)
+
+diff --git a/ares_expand_name.c b/ares_expand_name.c
+index 8604543..af0c2e8 100644
+--- a/ares_expand_name.c
++++ b/ares_expand_name.c
+@@ -133,22 +133,30 @@ int ares_expand_name(const unsigned char *encoded, const unsigned char *abuf,
+ }
+ else
+ {
+- len = *p;
++ int name_len = *p;
++ len = name_len;
+ p++;
+ while (len--)
+ {
+- if (!isprint(*p)) {
+- /* Output as \DDD for consistency with RFC1035 5.1 */
+- *q++ = '\\';
+- *q++ = '0' + *p / 100;
+- *q++ = '0' + (*p % 100) / 10;
+- *q++ = '0' + (*p % 10);
+- } else if (is_reservedch(*p)) {
+- *q++ = '\\';
+- *q++ = *p;
+- } else {
+- *q++ = *p;
+- }
++ /* Output as \DDD for consistency with RFC1035 5.1, except
++ * for the special case of a root name response */
++ if (!isprint(*p) && !(name_len == 1 && *p == 0))
++ {
++
++ *q++ = '\\';
++ *q++ = '0' + *p / 100;
++ *q++ = '0' + (*p % 100) / 10;
++ *q++ = '0' + (*p % 10);
++ }
++ else if (is_reservedch(*p))
++ {
++ *q++ = '\\';
++ *q++ = *p;
++ }
++ else
++ {
++ *q++ = *p;
++ }
+ p++;
+ }
+ *q++ = '.';
+@@ -200,19 +208,25 @@ static int name_length(const unsigned char *encoded, const unsigned char *abuf,
+ }
+ else if (top == 0x00)
+ {
+- offset = *encoded;
++ int name_len = *encoded;
++ offset = name_len;
+ if (encoded + offset + 1 >= abuf + alen)
+ return -1;
+ encoded++;
+ while (offset--)
+ {
+- if (!isprint(*encoded)) {
+- n += 4;
+- } else if (is_reservedch(*encoded)) {
+- n += 2;
+- } else {
+- n += 1;
+- }
++ if (!isprint(*encoded) && !(name_len == 1 && *encoded == 0))
++ {
++ n += 4;
++ }
++ else if (is_reservedch(*encoded))
++ {
++ n += 2;
++ }
++ else
++ {
++ n += 1;
++ }
+ encoded++;
+ }
+ n++;
+--
+2.17.1
+
diff --git a/meta-oe/recipes-support/c-ares/c-ares_1.16.1.bb b/meta-oe/recipes-support/c-ares/c-ares_1.16.1.bb
index 67dd70180..afcc1cc4b 100644
--- a/meta-oe/recipes-support/c-ares/c-ares_1.16.1.bb
+++ b/meta-oe/recipes-support/c-ares/c-ares_1.16.1.bb
@@ -11,6 +11,8 @@ SRC_URI = "\
git://github.com/c-ares/c-ares.git \
file://cmake-install-libcares.pc.patch \
file://0001-fix-configure-error-mv-libcares.pc.cmakein-to-libcar.patch \
+ file://0001-CVE-2021-3672.patch \
+ file://0002-CVE-2021-3672.patch \
"
SRCREV = "74a1426ba60e2cd7977e53a22ef839c87415066e"
--
2.17.1
reply other threads:[~2021-09-14 8:21 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210914081721.39342-1-changqing.li@windriver.com \
--to=changqing.li@windriver.com \
--cc=openembedded-devel@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.