* [Buildroot] [PATCH 1/2] package/libcoap: fix CVE-2023-30362
@ 2023-09-06 19:44 Daniel Lang
  2023-09-06 19:44 ` [Buildroot] [PATCH 2/2] package/libcoap: ignore CVE-2023-35862 Daniel Lang
                   ` (2 more replies)
  0 siblings, 3 replies; 7+ messages in thread
From: Daniel Lang @ 2023-09-06 19:44 UTC (permalink / raw)
  To: buildroot; +Cc: Joris Lijssens

Signed-off-by: Daniel Lang <dalang@gmx.at>
---
 ...0001-Backport-fix-for-CVE-2023-30362.patch | 59 +++++++++++++++++++
 package/libcoap/libcoap.mk                    |  2 +
 2 files changed, 61 insertions(+)
 create mode 100644 package/libcoap/0001-Backport-fix-for-CVE-2023-30362.patch

diff --git a/package/libcoap/0001-Backport-fix-for-CVE-2023-30362.patch b/package/libcoap/0001-Backport-fix-for-CVE-2023-30362.patch
new file mode 100644
index 0000000000..c4e53d19a7
--- /dev/null
+++ b/package/libcoap/0001-Backport-fix-for-CVE-2023-30362.patch
@@ -0,0 +1,59 @@
+From c63ecbdc6b38cc7e571a72964fe9ca63834dcc89 Mon Sep 17 00:00:00 2001
+From: Daniel Lang <ldaniell14260@gmail.com>
+Date: Wed, 6 Sep 2023 21:38:13 +0200
+Subject: [PATCH] Backport fix for CVE-2023-30362
+
+Upstream: https://github.com/obgm/libcoap/issues/1063#issuecomment-1626962307
+Signed-off-by: Daniel Lang <dalang@gmx.at>
+---
+ src/net.c | 34 +++++++++++++++++++++-------------
+ 1 file changed, 21 insertions(+), 13 deletions(-)
+
+diff --git a/src/net.c b/src/net.c
+index 98859443..e259ab00 100644
+--- a/src/net.c
++++ b/src/net.c
+@@ -1305,19 +1305,27 @@ coap_send_internal(coap_session_t *session, coap_pdu_t *pdu) {
+ 
+       /* Need to check that we are not seeing this proxy in the return loop */
+       if (pdu->data && opt == NULL) {
+-        if (pdu->used_size + 1 <= pdu->max_size) {
+-          char *a_match;
+-          size_t data_len = pdu->used_size - (pdu->data - pdu->token);
+-          pdu->data[data_len] = '\000';
+-          a_match = strstr((char*)pdu->data, cp);
+-          if (a_match && (a_match == (char*)pdu->data || a_match[-1] == ' ') &&
+-              ((size_t)(a_match - (char*)pdu->data + len) == data_len ||
+-               a_match[len] == ' ')) {
+-            coap_log(LOG_WARNING, "Proxy loop detected '%s'\n",
+-                     (char*)pdu->data);
+-            coap_delete_pdu(pdu);
+-            return (coap_mid_t)COAP_DROPPED_RESPONSE;
+-          }
++        char *a_match;
++        size_t data_len;
++
++        if (pdu->used_size + 1 > pdu->max_size) {
++          /* No space */
++          return (coap_mid_t)COAP_DROPPED_RESPONSE;
++        }
++        if (!coap_pdu_resize(pdu, pdu->used_size + 1)) {
++          /* Internal error */
++          return (coap_mid_t)COAP_DROPPED_RESPONSE;
++        }
++        data_len = pdu->used_size - (pdu->data - pdu->token);
++        pdu->data[data_len] = '\000';
++        a_match = strstr((char*)pdu->data, cp);
++        if (a_match && (a_match == (char*)pdu->data || a_match[-1] == ' ') &&
++            ((size_t)(a_match - (char*)pdu->data + len) == data_len ||
++             a_match[len] == ' ')) {
++          coap_log(LOG_WARNING, "Proxy loop detected '%s'\n",
++                   (char*)pdu->data);
++          coap_delete_pdu(pdu);
++          return (coap_mid_t)COAP_DROPPED_RESPONSE;
+         }
+       }
+       if (pdu->used_size + len + 1 <= pdu->max_size) {
+-- 
+2.42.0
+
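Review bot: the two early returns added in the embedded src/net.c hunk (the `/* No space */` and `/* Internal error */` branches) return COAP_DROPPED_RESPONSE without calling coap_delete_pdu(pdu), while the proxy-loop branch a few lines further down frees the PDU before returning the same value. If callers take COAP_DROPPED_RESPONSE to mean the PDU has been consumed, these two paths leak it; please confirm against upstream or add coap_delete_pdu(pdu) before each return. The Upstream: tag also points at an issue comment rather than a commit, so a commit reference would make the backport easier to audit once one exists.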
diff --git a/package/libcoap/libcoap.mk b/package/libcoap/libcoap.mk
index 4b536d8117..3773ad293c 100644
--- a/package/libcoap/libcoap.mk
+++ b/package/libcoap/libcoap.mk
@@ -14,6 +14,8 @@ LIBCOAP_DEPENDENCIES = host-pkgconf
 LIBCOAP_CONF_OPTS = \
 	--disable-examples --disable-examples-source --without-tinydtls
 LIBCOAP_AUTORECONF = YES
+# 0001-Backport-fix-for-CVE-2023-30362.patch
+LIBCOAP_IGNORE_CVES += CVE-2023-30362
 
 ifeq ($(BR2_PACKAGE_GNUTLS),y)
 LIBCOAP_DEPENDENCIES += gnutls
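Review bot: the added `LIBCOAP_IGNORE_CVES += CVE-2023-30362` line suppresses the CVE in reports purely on the strength of the local patch, yet the commit message has no body. A sentence naming the source of the backport (the Upstream: link carried in the patch file) would let a reviewer check the exclusion without opening the patch, and would make it clear that this line and 0001-Backport-fix-for-CVE-2023-30362.patch have to be removed together at the version bump that contains the fix.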
-- 
2.42.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot


* [Buildroot] [PATCH 2/2] package/libcoap: ignore CVE-2023-35862
  2023-09-06 19:44 [Buildroot] [PATCH 1/2] package/libcoap: fix CVE-2023-30362 Daniel Lang
@ 2023-09-06 19:44 ` Daniel Lang
  2023-09-07 13:25   ` Thomas Petazzoni via buildroot
  2023-09-26  6:10   ` Peter Korsgaard
  2023-09-22 19:07 ` [Buildroot] [PATCH 1/2] package/libcoap: fix CVE-2023-30362 Arnout Vandecappelle via buildroot
  2023-09-26  6:10 ` Peter Korsgaard
  2 siblings, 2 replies; 7+ messages in thread
From: Daniel Lang @ 2023-09-06 19:44 UTC (permalink / raw)
  To: buildroot; +Cc: Joris Lijssens

According to a collaborator [0] the affected code isn't in 4.3.1

[0]: https://github.com/obgm/libcoap/issues/1117

Signed-off-by: Daniel Lang <dalang@gmx.at>
---
 package/libcoap/libcoap.mk | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/package/libcoap/libcoap.mk b/package/libcoap/libcoap.mk
index 3773ad293c..94bfc59702 100644
--- a/package/libcoap/libcoap.mk
+++ b/package/libcoap/libcoap.mk
@@ -16,6 +16,8 @@ LIBCOAP_CONF_OPTS = \
 LIBCOAP_AUTORECONF = YES
 # 0001-Backport-fix-for-CVE-2023-30362.patch
 LIBCOAP_IGNORE_CVES += CVE-2023-30362
+# Doesn't affect 4.3.1, see https://github.com/obgm/libcoap/issues/1117
+LIBCOAP_IGNORE_CVES += CVE-2023-35862
 
 ifeq ($(BR2_PACKAGE_GNUTLS),y)
 LIBCOAP_DEPENDENCIES += gnutls
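Review bot: the comment on the added `LIBCOAP_IGNORE_CVES += CVE-2023-35862` line gives the reason and a link but not the condition under which the exclusion stays valid. It holds only while the packaged version is 4.3.1, so the comment should say that the entry has to be re-checked when the package version is bumped; otherwise the exclusion can silently outlive the analysis it is based on.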
-- 
2.42.0


* Re: [Buildroot] [PATCH 2/2] package/libcoap: ignore CVE-2023-35862
  2023-09-06 19:44 ` [Buildroot] [PATCH 2/2] package/libcoap: ignore CVE-2023-35862 Daniel Lang
@ 2023-09-07 13:25   ` Thomas Petazzoni via buildroot
  2023-09-22 19:12     ` Arnout Vandecappelle via buildroot
  2023-09-26  6:10   ` Peter Korsgaard
  1 sibling, 1 reply; 7+ messages in thread
From: Thomas Petazzoni via buildroot @ 2023-09-07 13:25 UTC (permalink / raw)
  To: Daniel Lang; +Cc: Joris Lijssens, buildroot

On Wed,  6 Sep 2023 21:44:19 +0200
Daniel Lang <dalang@gmx.at> wrote:

> According to a collaborator [0] the affected code isn't in 4.3.1
> 
> [0]: https://github.com/obgm/libcoap/issues/1117
> 
> Signed-off-by: Daniel Lang <dalang@gmx.at>
> ---
>  package/libcoap/libcoap.mk | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/package/libcoap/libcoap.mk b/package/libcoap/libcoap.mk
> index 3773ad293c..94bfc59702 100644
> --- a/package/libcoap/libcoap.mk
> +++ b/package/libcoap/libcoap.mk
> @@ -16,6 +16,8 @@ LIBCOAP_CONF_OPTS = \
>  LIBCOAP_AUTORECONF = YES
>  # 0001-Backport-fix-for-CVE-2023-30362.patch
>  LIBCOAP_IGNORE_CVES += CVE-2023-30362
> +# Doesn't affect 4.3.1, see https://github.com/obgm/libcoap/issues/1117
> +LIBCOAP_IGNORE_CVES += CVE-2023-35862

Then instead the NVD maintainers need to be reported this issue, so
that the NVD database gets fixed. At least for now that's how we've
tried to resolve such issues.

However, admittedly, the last bug reports I did to NVD people were
ignored, while in the past, they used to be taken into account quite
efficiently.

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com

* Re: [Buildroot] [PATCH 1/2] package/libcoap: fix CVE-2023-30362
  2023-09-06 19:44 [Buildroot] [PATCH 1/2] package/libcoap: fix CVE-2023-30362 Daniel Lang
  2023-09-06 19:44 ` [Buildroot] [PATCH 2/2] package/libcoap: ignore CVE-2023-35862 Daniel Lang
@ 2023-09-22 19:07 ` Arnout Vandecappelle via buildroot
  2023-09-26  6:10 ` Peter Korsgaard
  2 siblings, 0 replies; 7+ messages in thread
From: Arnout Vandecappelle via buildroot @ 2023-09-22 19:07 UTC (permalink / raw)
  To: Daniel Lang, buildroot; +Cc: Joris Lijssens



On 06/09/2023 21:44, Daniel Lang wrote:
> Signed-off-by: Daniel Lang <dalang@gmx.at>
> ---
>   ...0001-Backport-fix-for-CVE-2023-30362.patch | 59 +++++++++++++++++++
>   package/libcoap/libcoap.mk                    |  2 +
>   2 files changed, 61 insertions(+)
>   create mode 100644 package/libcoap/0001-Backport-fix-for-CVE-2023-30362.patch
> 
> diff --git a/package/libcoap/0001-Backport-fix-for-CVE-2023-30362.patch b/package/libcoap/0001-Backport-fix-for-CVE-2023-30362.patch
> new file mode 100644
> index 0000000000..c4e53d19a7
> --- /dev/null
> +++ b/package/libcoap/0001-Backport-fix-for-CVE-2023-30362.patch
> @@ -0,0 +1,59 @@
> +From c63ecbdc6b38cc7e571a72964fe9ca63834dcc89 Mon Sep 17 00:00:00 2001
> +From: Daniel Lang <ldaniell14260@gmail.com>

  I've set this to the actual author, Jon Shallow. BSD-2c doesn't require much, 
but it _does_ require to mention the author.

  With that, applied to master, thanks.

  Regards,
  Arnout

> +Date: Wed, 6 Sep 2023 21:38:13 +0200
> +Subject: [PATCH] Backport fix for CVE-2023-30362
> +
> +Upstream: https://github.com/obgm/libcoap/issues/1063#issuecomment-1626962307
> +Signed-off-by: Daniel Lang <dalang@gmx.at>
> +---
> + src/net.c | 34 +++++++++++++++++++++-------------
> + 1 file changed, 21 insertions(+), 13 deletions(-)
> +
> +diff --git a/src/net.c b/src/net.c
> +index 98859443..e259ab00 100644
> +--- a/src/net.c
> ++++ b/src/net.c
> +@@ -1305,19 +1305,27 @@ coap_send_internal(coap_session_t *session, coap_pdu_t *pdu) {
> +
> +       /* Need to check that we are not seeing this proxy in the return loop */
> +       if (pdu->data && opt == NULL) {
> +-        if (pdu->used_size + 1 <= pdu->max_size) {
> +-          char *a_match;
> +-          size_t data_len = pdu->used_size - (pdu->data - pdu->token);
> +-          pdu->data[data_len] = '\000';
> +-          a_match = strstr((char*)pdu->data, cp);
> +-          if (a_match && (a_match == (char*)pdu->data || a_match[-1] == ' ') &&
> +-              ((size_t)(a_match - (char*)pdu->data + len) == data_len ||
> +-               a_match[len] == ' ')) {
> +-            coap_log(LOG_WARNING, "Proxy loop detected '%s'\n",
> +-                     (char*)pdu->data);
> +-            coap_delete_pdu(pdu);
> +-            return (coap_mid_t)COAP_DROPPED_RESPONSE;
> +-          }
> ++        char *a_match;
> ++        size_t data_len;
> ++
> ++        if (pdu->used_size + 1 > pdu->max_size) {
> ++          /* No space */
> ++          return (coap_mid_t)COAP_DROPPED_RESPONSE;
> ++        }
> ++        if (!coap_pdu_resize(pdu, pdu->used_size + 1)) {
> ++          /* Internal error */
> ++          return (coap_mid_t)COAP_DROPPED_RESPONSE;
> ++        }
> ++        data_len = pdu->used_size - (pdu->data - pdu->token);
> ++        pdu->data[data_len] = '\000';
> ++        a_match = strstr((char*)pdu->data, cp);
> ++        if (a_match && (a_match == (char*)pdu->data || a_match[-1] == ' ') &&
> ++            ((size_t)(a_match - (char*)pdu->data + len) == data_len ||
> ++             a_match[len] == ' ')) {
> ++          coap_log(LOG_WARNING, "Proxy loop detected '%s'\n",
> ++                   (char*)pdu->data);
> ++          coap_delete_pdu(pdu);
> ++          return (coap_mid_t)COAP_DROPPED_RESPONSE;
> +         }
> +       }
> +       if (pdu->used_size + len + 1 <= pdu->max_size) {
> +--
> +2.42.0
> +
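Review bot: the `/* No space */` branch changes behaviour beyond the memory-safety fix. The removed code skipped the proxy-loop check when `pdu->used_size + 1` exceeded `pdu->max_size` and fell through to the following `if (pdu->used_size + len + 1 <= pdu->max_size)` test; the added code drops the response instead. That looks like the safer choice, since a full PDU no longer skips the loop check, but it deserves a sentence in the patch description so the new drop is not mistaken for a regression.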
> diff --git a/package/libcoap/libcoap.mk b/package/libcoap/libcoap.mk
> index 4b536d8117..3773ad293c 100644
> --- a/package/libcoap/libcoap.mk
> +++ b/package/libcoap/libcoap.mk
> @@ -14,6 +14,8 @@ LIBCOAP_DEPENDENCIES = host-pkgconf
>   LIBCOAP_CONF_OPTS = \
>   	--disable-examples --disable-examples-source --without-tinydtls
>   LIBCOAP_AUTORECONF = YES
> +# 0001-Backport-fix-for-CVE-2023-30362.patch
> +LIBCOAP_IGNORE_CVES += CVE-2023-30362
>   
>   ifeq ($(BR2_PACKAGE_GNUTLS),y)
>   LIBCOAP_DEPENDENCIES += gnutls

* Re: [Buildroot] [PATCH 2/2] package/libcoap: ignore CVE-2023-35862
  2023-09-07 13:25   ` Thomas Petazzoni via buildroot
@ 2023-09-22 19:12     ` Arnout Vandecappelle via buildroot
  0 siblings, 0 replies; 7+ messages in thread
From: Arnout Vandecappelle via buildroot @ 2023-09-22 19:12 UTC (permalink / raw)
  To: Thomas Petazzoni, Daniel Lang; +Cc: buildroot, Joris Lijssens



On 07/09/2023 15:25, Thomas Petazzoni via buildroot wrote:
> On Wed,  6 Sep 2023 21:44:19 +0200
> Daniel Lang <dalang@gmx.at> wrote:
> 
>> According to a collaborator [0] the affected code isn't in 4.3.1
>>
>> [0]: https://github.com/obgm/libcoap/issues/1117
>>
>> Signed-off-by: Daniel Lang <dalang@gmx.at>
>> ---
>>   package/libcoap/libcoap.mk | 2 ++
>>   1 file changed, 2 insertions(+)
>>
>> diff --git a/package/libcoap/libcoap.mk b/package/libcoap/libcoap.mk
>> index 3773ad293c..94bfc59702 100644
>> --- a/package/libcoap/libcoap.mk
>> +++ b/package/libcoap/libcoap.mk
>> @@ -16,6 +16,8 @@ LIBCOAP_CONF_OPTS = \
>>   LIBCOAP_AUTORECONF = YES
>>   # 0001-Backport-fix-for-CVE-2023-30362.patch
>>   LIBCOAP_IGNORE_CVES += CVE-2023-30362
>> +# Doesn't affect 4.3.1, see https://github.com/obgm/libcoap/issues/1117
>> +LIBCOAP_IGNORE_CVES += CVE-2023-35862
> 
> Then instead the NVD maintainers need to be reported this issue, so
> that the NVD database gets fixed. At least for now that's how we've
> tried to resolve such issues.

  The issue was never in any released version. So if the CPE entry is fixed in 
NVD, it will be changed from
   cpe:2.3:a:libcoap:libcoap:4.3.1:*:*:*:*:*:*:*
to
   cpe:2.3:a:libcoap:libcoap:-:*:*:*:*:*:*:*

  As I just wrote: we _have_ to treat the - conservatively and assume it's 
matching. So even if NVD is corrected, we'll need the exclusion.

  Of course, it would be much nicer _not_ to correct the NVD, because then we 
can simply remove the exclusion after bumping to 4.3.3 :-)

  In any case: applied to master, thanks.

  Regards,
  Arnout

> 
> However, admittedly, the last bug reports I did to NVD people were
> ignored, while in the past, they used to be taken into account quite
> efficiently.
> 
> Thomas
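
The matching argument in the message above, as an added example (not Buildroot's own CVE-checking code): a simplified matcher that treats a `-` or `*` version as matching, run against the two CPE strings quoted in the message. Function names are hypothetical, and only exact-version CPE entries are modelled (no version ranges, no escaped colons).

```python
# Added illustration; names are hypothetical and this is not Buildroot's code.
def parse_cpe23(cpe):
    """Split a CPE 2.3 formatted string into vendor, product and version."""
    parts = cpe.split(":")
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError("not a CPE 2.3 formatted string: %r" % cpe)
    return {"vendor": parts[3], "product": parts[4], "version": parts[5]}


def version_may_match(cpe_version, pkg_version):
    """Conservative comparison: '*' (ANY) and '-' (NA) never clear a package."""
    if cpe_version in ("*", "-"):
        return True
    return cpe_version == pkg_version


def report(pkg, cves, ignored):
    """Return the sorted CVE ids a scanner would still flag for pkg."""
    flagged = set()
    for cve_id, cpes in cves.items():
        if cve_id in ignored:
            continue  # per-package exclusion, as LIBCOAP_IGNORE_CVES does
        for cpe in cpes:
            c = parse_cpe23(cpe)
            if (c["vendor"], c["product"]) != (pkg["vendor"], pkg["product"]):
                continue
            if version_may_match(c["version"], pkg["version"]):
                flagged.add(cve_id)
    return sorted(flagged)


def pkg(version):
    """Package record for libcoap at the given version."""
    return {"vendor": "libcoap", "product": "libcoap", "version": version}


# The two CPE strings quoted in the message above.
NVD_NOW = {"CVE-2023-35862": ["cpe:2.3:a:libcoap:libcoap:4.3.1:*:*:*:*:*:*:*"]}
NVD_FIXED = {"CVE-2023-35862": ["cpe:2.3:a:libcoap:libcoap:-:*:*:*:*:*:*:*"]}
IGNORE = {"CVE-2023-35862"}  # the entry added by patch 2/2

if __name__ == "__main__":
    for label, db in (("current NVD entry", NVD_NOW), ("corrected NVD entry", NVD_FIXED)):
        for version in ("4.3.1", "4.3.3"):
            print(label, version, report(pkg(version), db, set()))
```

With the current entry a bump to 4.3.3 clears the report on its own; with the corrected `-` entry the CVE stays flagged for every version until the exclusion is applied.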

* Re: [Buildroot] [PATCH 1/2] package/libcoap: fix CVE-2023-30362
  2023-09-06 19:44 [Buildroot] [PATCH 1/2] package/libcoap: fix CVE-2023-30362 Daniel Lang
  2023-09-06 19:44 ` [Buildroot] [PATCH 2/2] package/libcoap: ignore CVE-2023-35862 Daniel Lang
  2023-09-22 19:07 ` [Buildroot] [PATCH 1/2] package/libcoap: fix CVE-2023-30362 Arnout Vandecappelle via buildroot
@ 2023-09-26  6:10 ` Peter Korsgaard
  2 siblings, 0 replies; 7+ messages in thread
From: Peter Korsgaard @ 2023-09-26  6:10 UTC (permalink / raw)
  To: Daniel Lang; +Cc: Joris Lijssens, buildroot

>>>>> "Daniel" == Daniel Lang <dalang@gmx.at> writes:

 > Signed-off-by: Daniel Lang <dalang@gmx.at>

Committed to 2023.02.x, 2023.05.x and 2023.08.x, thanks.

-- 
Bye, Peter Korsgaard

* Re: [Buildroot] [PATCH 2/2] package/libcoap: ignore CVE-2023-35862
  2023-09-06 19:44 ` [Buildroot] [PATCH 2/2] package/libcoap: ignore CVE-2023-35862 Daniel Lang
  2023-09-07 13:25   ` Thomas Petazzoni via buildroot
@ 2023-09-26  6:10   ` Peter Korsgaard
  1 sibling, 0 replies; 7+ messages in thread
From: Peter Korsgaard @ 2023-09-26  6:10 UTC (permalink / raw)
  To: Daniel Lang; +Cc: Joris Lijssens, buildroot

>>>>> "Daniel" == Daniel Lang <dalang@gmx.at> writes:

 > According to a collaborator [0] the affected code isn't in 4.3.1
 > [0]: https://github.com/obgm/libcoap/issues/1117

 > Signed-off-by: Daniel Lang <dalang@gmx.at>

Committed to 2023.02.x, 2023.05.x and 2023.08.x, thanks.

-- 
Bye, Peter Korsgaard