* [dunfell 00/12] Patch review May 30th
@ 2021-05-30 18:34 Armin Kuster
2021-05-30 18:34 ` [dunfell 01/12] exiv2: Fix CVE-2021-29457 Armin Kuster
` (11 more replies)
0 siblings, 12 replies; 13+ messages in thread
From: Armin Kuster @ 2021-05-30 18:34 UTC (permalink / raw)
To: openembedded-devel
Please have comments back by Monday. Some have already been posted on the ML.
The following changes since commit 11eae114522a6befa06c7f4021a83bc016133543:
linuxptp: Fix cross build (2021-05-14 10:03:51 -0700)
are available in the Git repository at:
git://git.openembedded.org/meta-openembedded-contrib stable/dunfell-nut
http://cgit.openembedded.org/meta-openembedded-contrib/log/?h=stable/dunfell-nut
Alexander Vickberg (1):
hostapd: fix building with CONFIG_TLS=internal
Mikko Rapeli (1):
ebtables: use bitbake optimization levels
Sana Kazi (1):
dnsmasq: Add fixes for CVEs reported for dnsmasq
akash.hadke (1):
opencv: Add fix for CVE-2019-5063 and CVE-2019-5064
wangmy (8):
exiv2: Fix CVE-2021-29457
exiv2: Fix CVE-2021-29458
exiv2: Fix CVE-2021-29463
exiv2: Fix CVE-2021-3482
exiv2: Fix CVE-2021-29464
exiv2: Fix CVE-2021-29470
exiv2: Fix CVE-2021-29473
libsdl: Fix CVE-2019-13616
.../ebtables_optimizations.patch | 19 +
.../ebtables/ebtables_2.0.10-4.bb | 1 +
.../recipes-support/dnsmasq/dnsmasq_2.81.bb | 7 +-
.../dnsmasq/files/CVE-2020-25681.patch | 370 +++++++++++
.../dnsmasq/files/CVE-2020-25684.patch | 98 +++
.../dnsmasq/files/CVE-2020-25685-1.patch | 587 ++++++++++++++++++
.../dnsmasq/files/CVE-2020-25685-2.patch | 175 ++++++
.../dnsmasq/files/CVE-2020-25686-1.patch | 332 ++++++++++
.../dnsmasq/files/CVE-2020-25686-2.patch | 63 ++
...001-Prepare-for-CVE-2021-30004.patch.patch | 45 ++
.../hostapd/hostapd_2.9.bb | 1 +
.../libsdl/libsdl-1.2.15/CVE-2019-13616.patch | 27 +
.../recipes-graphics/libsdl/libsdl_1.2.15.bb | 1 +
.../exiv2/exiv2/CVE-2021-29457.patch | 26 +
.../exiv2/exiv2/CVE-2021-29458.patch | 37 ++
.../exiv2/exiv2/CVE-2021-29463.patch | 120 ++++
.../exiv2/exiv2/CVE-2021-29464.patch | 72 +++
.../exiv2/exiv2/CVE-2021-29470.patch | 32 +
.../exiv2/exiv2/CVE-2021-29473.patch | 21 +
.../exiv2/exiv2/CVE-2021-3482.patch | 54 ++
meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb | 9 +-
.../opencv/CVE-2019-5063_and_2019-5064.patch | 78 +++
.../recipes-support/opencv/opencv_4.1.0.bb | 1 +
23 files changed, 2174 insertions(+), 2 deletions(-)
create mode 100644 meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/ebtables_optimizations.patch
create mode 100644 meta-networking/recipes-support/dnsmasq/files/CVE-2020-25681.patch
create mode 100644 meta-networking/recipes-support/dnsmasq/files/CVE-2020-25684.patch
create mode 100644 meta-networking/recipes-support/dnsmasq/files/CVE-2020-25685-1.patch
create mode 100644 meta-networking/recipes-support/dnsmasq/files/CVE-2020-25685-2.patch
create mode 100644 meta-networking/recipes-support/dnsmasq/files/CVE-2020-25686-1.patch
create mode 100644 meta-networking/recipes-support/dnsmasq/files/CVE-2020-25686-2.patch
create mode 100644 meta-oe/recipes-connectivity/hostapd/hostapd/0001-Prepare-for-CVE-2021-30004.patch.patch
create mode 100644 meta-oe/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-13616.patch
create mode 100644 meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29457.patch
create mode 100644 meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29458.patch
create mode 100644 meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29463.patch
create mode 100644 meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29464.patch
create mode 100644 meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29470.patch
create mode 100644 meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29473.patch
create mode 100644 meta-oe/recipes-support/exiv2/exiv2/CVE-2021-3482.patch
create mode 100644 meta-oe/recipes-support/opencv/opencv/CVE-2019-5063_and_2019-5064.patch
--
2.17.1
^ permalink raw reply [flat|nested] 13+ messages in thread
* [dunfell 01/12] exiv2: Fix CVE-2021-29457
2021-05-30 18:34 [dunfell 00/12] Patch review May 30th Armin Kuster
@ 2021-05-30 18:34 ` Armin Kuster
2021-05-30 18:34 ` [dunfell 02/12] exiv2: Fix CVE-2021-29458 Armin Kuster
` (10 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: Armin Kuster @ 2021-05-30 18:34 UTC (permalink / raw)
To: openembedded-devel
From: wangmy <wangmy@fujitsu.com>
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29457
The heap overflow is triggered when Exiv2 is used to write metadata into a crafted image file.
An attacker could potentially exploit the vulnerability to gain code execution, if they can
trick the victim into running Exiv2 on a crafted image file.
Upstream-Status: Accepted [https://github.com/Exiv2/exiv2/commit/0230620e6ea5e2da0911318e07ce6e66d1ebdf22]
CVE: CVE-2021-29457
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 5be72693096cef671bf54bf1dd6ee8125614d064)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../exiv2/exiv2/CVE-2021-29457.patch | 26 +++++++++++++++++++
meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb | 3 ++-
2 files changed, 28 insertions(+), 1 deletion(-)
create mode 100644 meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29457.patch
diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29457.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29457.patch
new file mode 100644
index 0000000000..e5d069487c
--- /dev/null
+++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29457.patch
@@ -0,0 +1,26 @@
+From 13e5a3e02339b746abcaee6408893ca2fd8e289d Mon Sep 17 00:00:00 2001
+From: Pydera <pydera@mailbox.org>
+Date: Thu, 8 Apr 2021 17:36:16 +0200
+Subject: [PATCH] Fix out of buffer access in #1529
+
+---
+ src/jp2image.cpp | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index 88ab9b2d6..12025f966 100644
+--- a/src/jp2image.cpp
++++ b/src/jp2image.cpp
+@@ -776,9 +776,10 @@ static void boxes_check(size_t b,size_t m)
+ #endif
+ box.length = (uint32_t) (io_->size() - io_->tell() + 8);
+ }
+- if (box.length == 1)
++ if (box.length < 8)
+ {
+- // FIXME. Special case. the real box size is given in another place.
++ // box is broken, so there is nothing we can do here
++ throw Error(kerCorruptedMetadata);
+ }
+
+ // Read whole box : Box header + Box data (not fixed size - can be null).
diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
index ed1e8de5c2..a13db42edd 100644
--- a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
+++ b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
@@ -9,7 +9,8 @@ SRC_URI[sha256sum] = "a79f5613812aa21755d578a297874fb59a85101e793edc64ec2c6bd994
# Once patch is obsolete (project should be aware due to PRs), dos2unix can be removed either
inherit dos2unix
-SRC_URI += "file://0001-Use-compiler-fcf-protection-only-if-compiler-arch-su.patch"
+SRC_URI += "file://0001-Use-compiler-fcf-protection-only-if-compiler-arch-su.patch \
+ file://CVE-2021-29457.patch"
S = "${WORKDIR}/${BPN}-${PV}-Source"
--
2.17.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [dunfell 02/12] exiv2: Fix CVE-2021-29458
2021-05-30 18:34 [dunfell 00/12] Patch review May 30th Armin Kuster
2021-05-30 18:34 ` [dunfell 01/12] exiv2: Fix CVE-2021-29457 Armin Kuster
@ 2021-05-30 18:34 ` Armin Kuster
2021-05-30 18:34 ` [dunfell 03/12] exiv2: Fix CVE-2021-29463 Armin Kuster
` (9 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: Armin Kuster @ 2021-05-30 18:34 UTC (permalink / raw)
To: openembedded-devel
From: wangmy <wangmy@fujitsu.com>
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29458
The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file.
An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2,
if they can trick the victim into running Exiv2 on a crafted image file.
Upstream-Status: Accepted [https://github.com/Exiv2/exiv2/pull/1536/commits/06d2db6e5fd2fcca9c060e95fc97f8a5b5d4c22d]
CVE: CVE-2021-29458
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit f0d83c14d9064ce1ee19b92d95c8daf790fe7488)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../exiv2/exiv2/CVE-2021-29458.patch | 37 +++++++++++++++++++
meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb | 3 +-
2 files changed, 39 insertions(+), 1 deletion(-)
create mode 100644 meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29458.patch
diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29458.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29458.patch
new file mode 100644
index 0000000000..285f6fe4ce
--- /dev/null
+++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29458.patch
@@ -0,0 +1,37 @@
+From 9b7a19f957af53304655ed1efe32253a1b11a8d0 Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <kevinbackhouse@github.com>
+Date: Fri, 9 Apr 2021 13:37:48 +0100
+Subject: [PATCH] Fix integer overflow.
+---
+ src/crwimage_int.cpp | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/crwimage_int.cpp b/src/crwimage_int.cpp
+index aefaf22..2e3e507 100644
+--- a/src/crwimage_int.cpp
++++ b/src/crwimage_int.cpp
+@@ -559,7 +559,7 @@ namespace Exiv2 {
+ void CiffComponent::setValue(DataBuf buf)
+ {
+ if (isAllocated_) {
+- delete pData_;
++ delete[] pData_;
+ pData_ = 0;
+ size_ = 0;
+ }
+@@ -1167,7 +1167,11 @@ namespace Exiv2 {
+ pCrwMapping->crwDir_);
+ if (edX != edEnd || edY != edEnd || edO != edEnd) {
+ uint32_t size = 28;
+- if (cc && cc->size() > size) size = cc->size();
++ if (cc) {
++ if (cc->size() < size)
++ throw Error(kerCorruptedMetadata);
++ size = cc->size();
++ }
+ DataBuf buf(size);
+ std::memset(buf.pData_, 0x0, buf.size_);
+ if (cc) std::memcpy(buf.pData_ + 8, cc->pData() + 8, cc->size() - 8);
+--
+2.25.1
+
diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
index a13db42edd..1dc909eeb0 100644
--- a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
+++ b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
@@ -10,7 +10,8 @@ SRC_URI[sha256sum] = "a79f5613812aa21755d578a297874fb59a85101e793edc64ec2c6bd994
# Once patch is obsolete (project should be aware due to PRs), dos2unix can be removed either
inherit dos2unix
SRC_URI += "file://0001-Use-compiler-fcf-protection-only-if-compiler-arch-su.patch \
- file://CVE-2021-29457.patch"
+ file://CVE-2021-29457.patch \
+ file://CVE-2021-29458.patch"
S = "${WORKDIR}/${BPN}-${PV}-Source"
--
2.17.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [dunfell 03/12] exiv2: Fix CVE-2021-29463
2021-05-30 18:34 [dunfell 00/12] Patch review May 30th Armin Kuster
2021-05-30 18:34 ` [dunfell 01/12] exiv2: Fix CVE-2021-29457 Armin Kuster
2021-05-30 18:34 ` [dunfell 02/12] exiv2: Fix CVE-2021-29458 Armin Kuster
@ 2021-05-30 18:34 ` Armin Kuster
2021-05-30 18:34 ` [dunfell 04/12] exiv2: Fix CVE-2021-3482 Armin Kuster
` (8 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: Armin Kuster @ 2021-05-30 18:34 UTC (permalink / raw)
To: openembedded-devel
From: wangmy <wangmy@fujitsu.com>
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29463
The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file.
An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2,
if they can trick the victim into running Exiv2 on a crafted image file.
Upstream-Status: Accepted [https://github.com/Exiv2/exiv2/commit/783b3a6ff15ed6f82a8f8e6c8a6f3b84a9b04d4b]
CVE: CVE-2021-29463
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 8e63ac6c86852a12408c2415be073c71420758ff)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../exiv2/exiv2/CVE-2021-29463.patch | 120 ++++++++++++++++++
meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb | 3 +-
2 files changed, 122 insertions(+), 1 deletion(-)
create mode 100644 meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29463.patch
diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29463.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29463.patch
new file mode 100644
index 0000000000..5ab64a7d3e
--- /dev/null
+++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29463.patch
@@ -0,0 +1,120 @@
+From 783b3a6ff15ed6f82a8f8e6c8a6f3b84a9b04d4b Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <kevinbackhouse@github.com>
+Date: Mon, 19 Apr 2021 18:06:00 +0100
+Subject: [PATCH] Improve bound checking in WebPImage::doWriteMetadata()
+
+---
+ src/webpimage.cpp | 41 ++++++++++++++++++++++++++++++-----------
+ 1 file changed, 30 insertions(+), 11 deletions(-)
+
+diff --git a/src/webpimage.cpp b/src/webpimage.cpp
+index 4ddec544c..fee110bca 100644
+--- a/src/webpimage.cpp
++++ b/src/webpimage.cpp
+@@ -145,7 +145,7 @@ namespace Exiv2 {
+ DataBuf chunkId(WEBP_TAG_SIZE+1);
+ chunkId.pData_ [WEBP_TAG_SIZE] = '\0';
+
+- io_->read(data, WEBP_TAG_SIZE * 3);
++ readOrThrow(*io_, data, WEBP_TAG_SIZE * 3, Exiv2::kerCorruptedMetadata);
+ uint64_t filesize = Exiv2::getULong(data + WEBP_TAG_SIZE, littleEndian);
+
+ /* Set up header */
+@@ -185,13 +185,20 @@ namespace Exiv2 {
+ case we have any exif or xmp data, also check
+ for any chunks with alpha frame/layer set */
+ while ( !io_->eof() && (uint64_t) io_->tell() < filesize) {
+- io_->read(chunkId.pData_, WEBP_TAG_SIZE);
+- io_->read(size_buff, WEBP_TAG_SIZE);
+- long size = Exiv2::getULong(size_buff, littleEndian);
++ readOrThrow(*io_, chunkId.pData_, WEBP_TAG_SIZE, Exiv2::kerCorruptedMetadata);
++ readOrThrow(*io_, size_buff, WEBP_TAG_SIZE, Exiv2::kerCorruptedMetadata);
++ const uint32_t size_u32 = Exiv2::getULong(size_buff, littleEndian);
++
++ // Check that `size_u32` is safe to cast to `long`.
++ enforce(size_u32 <= static_cast<size_t>(std::numeric_limits<unsigned int>::max()),
++ Exiv2::kerCorruptedMetadata);
++ const long size = static_cast<long>(size_u32);
+ DataBuf payload(size);
+- io_->read(payload.pData_, payload.size_);
+- byte c;
+- if ( payload.size_ % 2 ) io_->read(&c,1);
++ readOrThrow(*io_, payload.pData_, payload.size_, Exiv2::kerCorruptedMetadata);
++ if ( payload.size_ % 2 ) {
++ byte c;
++ readOrThrow(*io_, &c, 1, Exiv2::kerCorruptedMetadata);
++ }
+
+ /* Chunk with information about features
+ used in the file. */
+@@ -199,6 +206,7 @@ namespace Exiv2 {
+ has_vp8x = true;
+ }
+ if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_VP8X) && !has_size) {
++ enforce(size >= 10, Exiv2::kerCorruptedMetadata);
+ has_size = true;
+ byte size_buf[WEBP_TAG_SIZE];
+
+@@ -227,6 +235,7 @@ namespace Exiv2 {
+ }
+ #endif
+ if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_VP8) && !has_size) {
++ enforce(size >= 10, Exiv2::kerCorruptedMetadata);
+ has_size = true;
+ byte size_buf[2];
+
+@@ -244,11 +253,13 @@ namespace Exiv2 {
+
+ /* Chunk with with lossless image data. */
+ if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_VP8L) && !has_alpha) {
++ enforce(size >= 5, Exiv2::kerCorruptedMetadata);
+ if ((payload.pData_[4] & WEBP_VP8X_ALPHA_BIT) == WEBP_VP8X_ALPHA_BIT) {
+ has_alpha = true;
+ }
+ }
+ if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_VP8L) && !has_size) {
++ enforce(size >= 5, Exiv2::kerCorruptedMetadata);
+ has_size = true;
+ byte size_buf_w[2];
+ byte size_buf_h[3];
+@@ -276,11 +287,13 @@ namespace Exiv2 {
+
+ /* Chunk with animation frame. */
+ if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_ANMF) && !has_alpha) {
++ enforce(size >= 6, Exiv2::kerCorruptedMetadata);
+ if ((payload.pData_[5] & 0x2) == 0x2) {
+ has_alpha = true;
+ }
+ }
+ if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_ANMF) && !has_size) {
++ enforce(size >= 12, Exiv2::kerCorruptedMetadata);
+ has_size = true;
+ byte size_buf[WEBP_TAG_SIZE];
+
+@@ -309,16 +322,22 @@ namespace Exiv2 {
+
+ io_->seek(12, BasicIo::beg);
+ while ( !io_->eof() && (uint64_t) io_->tell() < filesize) {
+- io_->read(chunkId.pData_, 4);
+- io_->read(size_buff, 4);
++ readOrThrow(*io_, chunkId.pData_, 4, Exiv2::kerCorruptedMetadata);
++ readOrThrow(*io_, size_buff, 4, Exiv2::kerCorruptedMetadata);
++
++ const uint32_t size_u32 = Exiv2::getULong(size_buff, littleEndian);
+
+- long size = Exiv2::getULong(size_buff, littleEndian);
++ // Check that `size_u32` is safe to cast to `long`.
++ enforce(size_u32 <= static_cast<size_t>(std::numeric_limits<unsigned int>::max()),
++ Exiv2::kerCorruptedMetadata);
++ const long size = static_cast<long>(size_u32);
+
+ DataBuf payload(size);
+- io_->read(payload.pData_, size);
++ readOrThrow(*io_, payload.pData_, size, Exiv2::kerCorruptedMetadata);
+ if ( io_->tell() % 2 ) io_->seek(+1,BasicIo::cur); // skip pad
+
+ if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_VP8X)) {
++ enforce(size >= 1, Exiv2::kerCorruptedMetadata);
+ if (has_icc){
+ payload.pData_[0] |= WEBP_VP8X_ICC_BIT;
+ } else {
diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
index 1dc909eeb0..fb8d126198 100644
--- a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
+++ b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
@@ -11,7 +11,8 @@ SRC_URI[sha256sum] = "a79f5613812aa21755d578a297874fb59a85101e793edc64ec2c6bd994
inherit dos2unix
SRC_URI += "file://0001-Use-compiler-fcf-protection-only-if-compiler-arch-su.patch \
file://CVE-2021-29457.patch \
- file://CVE-2021-29458.patch"
+ file://CVE-2021-29458.patch \
+ file://CVE-2021-29463.patch"
S = "${WORKDIR}/${BPN}-${PV}-Source"
--
2.17.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [dunfell 04/12] exiv2: Fix CVE-2021-3482
2021-05-30 18:34 [dunfell 00/12] Patch review May 30th Armin Kuster
` (2 preceding siblings ...)
2021-05-30 18:34 ` [dunfell 03/12] exiv2: Fix CVE-2021-29463 Armin Kuster
@ 2021-05-30 18:34 ` Armin Kuster
2021-05-30 18:34 ` [dunfell 05/12] exiv2: Fix CVE-2021-29464 Armin Kuster
` (7 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: Armin Kuster @ 2021-05-30 18:34 UTC (permalink / raw)
To: openembedded-devel
From: wangmy <wangmy@fujitsu.com>
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3482
Improper input validation of the rawData.size property in Jp2Image::readMetadata() in jp2image.cpp
can lead to a heap-based buffer overflow via a crafted JPG image containing malicious EXIF data.
Upstream-Status: Accepted [https://github.com/Exiv2/exiv2/pull/1523/commits/22ea582c6b74ada30bec3a6b15de3c3e52f2b4da]
CVE: CVE-2021-3482
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 9e7c2c9713dc2824af2a33b0a3feb4f29e7f0269)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../exiv2/exiv2/CVE-2021-3482.patch | 54 +++++++++++++++++++
meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb | 3 +-
2 files changed, 56 insertions(+), 1 deletion(-)
create mode 100644 meta-oe/recipes-support/exiv2/exiv2/CVE-2021-3482.patch
diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-3482.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-3482.patch
new file mode 100644
index 0000000000..e7c5e1b656
--- /dev/null
+++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-3482.patch
@@ -0,0 +1,54 @@
+From 22ea582c6b74ada30bec3a6b15de3c3e52f2b4da Mon Sep 17 00:00:00 2001
+From: Robin Mills <robin@clanmills.com>
+Date: Mon, 5 Apr 2021 20:33:25 +0100
+Subject: [PATCH] fix_1522_jp2image_exif_asan
+
+---
+ src/jp2image.cpp | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index eb31cea4a..88ab9b2d6 100644
+--- a/src/jp2image.cpp
++++ b/src/jp2image.cpp
+@@ -28,6 +28,7 @@
+ #include "image.hpp"
+ #include "image_int.hpp"
+ #include "basicio.hpp"
++#include "enforce.hpp"
+ #include "error.hpp"
+ #include "futils.hpp"
+ #include "types.hpp"
+@@ -353,7 +354,7 @@ static void boxes_check(size_t b,size_t m)
+ if (io_->error()) throw Error(kerFailedToReadImageData);
+ if (bufRead != rawData.size_) throw Error(kerInputDataReadFailed);
+
+- if (rawData.size_ > 0)
++ if (rawData.size_ > 8) // "II*\0long"
+ {
+ // Find the position of Exif header in bytes array.
+ long pos = ( (rawData.pData_[0] == rawData.pData_[1])
+@@ -497,6 +498,7 @@ static void boxes_check(size_t b,size_t m)
+ position = io_->tell();
+ box.length = getLong((byte*)&box.length, bigEndian);
+ box.type = getLong((byte*)&box.type, bigEndian);
++ enforce(box.length <= io_->size()-io_->tell() , Exiv2::kerCorruptedMetadata);
+
+ if (bPrint) {
+ out << Internal::stringFormat("%8ld | %8ld | ", (size_t)(position - sizeof(box)),
+@@ -581,12 +583,13 @@ static void boxes_check(size_t b,size_t m)
+ throw Error(kerInputDataReadFailed);
+
+ if (bPrint) {
+- out << Internal::binaryToString(makeSlice(rawData, 0, 40));
++ out << Internal::binaryToString(
++ makeSlice(rawData, 0, rawData.size_>40?40:rawData.size_));
+ out.flush();
+ }
+ lf(out, bLF);
+
+- if (bIsExif && bRecursive && rawData.size_ > 0) {
++ if (bIsExif && bRecursive && rawData.size_ > 8) { // "II*\0long"
+ if ((rawData.pData_[0] == rawData.pData_[1]) &&
+ (rawData.pData_[0] == 'I' || rawData.pData_[0] == 'M')) {
+ BasicIo::AutoPtr p = BasicIo::AutoPtr(new MemIo(rawData.pData_, rawData.size_));
diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
index fb8d126198..8c4c81799b 100644
--- a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
+++ b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
@@ -12,7 +12,8 @@ inherit dos2unix
SRC_URI += "file://0001-Use-compiler-fcf-protection-only-if-compiler-arch-su.patch \
file://CVE-2021-29457.patch \
file://CVE-2021-29458.patch \
- file://CVE-2021-29463.patch"
+ file://CVE-2021-29463.patch \
+ file://CVE-2021-3482.patch"
S = "${WORKDIR}/${BPN}-${PV}-Source"
--
2.17.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [dunfell 05/12] exiv2: Fix CVE-2021-29464
2021-05-30 18:34 [dunfell 00/12] Patch review May 30th Armin Kuster
` (3 preceding siblings ...)
2021-05-30 18:34 ` [dunfell 04/12] exiv2: Fix CVE-2021-3482 Armin Kuster
@ 2021-05-30 18:34 ` Armin Kuster
2021-05-30 18:34 ` [dunfell 06/12] exiv2: Fix CVE-2021-29470 Armin Kuster
` (6 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: Armin Kuster @ 2021-05-30 18:34 UTC (permalink / raw)
To: openembedded-devel
From: wangmy <wangmy@fujitsu.com>
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29464
The heap overflow is triggered when Exiv2 is used to write metadata into a crafted image file.
An attacker could potentially exploit the vulnerability to gain code execution, if they can
trick the victim into running Exiv2 on a crafted image file.
Upstream-Status: Accepted [https://github.com/Exiv2/exiv2/commit/f9308839198aca5e68a65194f151a1de92398f54]
CVE: CVE-2021-29464
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 8c9470bdfaa1d33347ffaf25b3e18d2163667e18)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../exiv2/exiv2/CVE-2021-29464.patch | 72 +++++++++++++++++++
meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb | 1 +
2 files changed, 73 insertions(+)
create mode 100644 meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29464.patch
diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29464.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29464.patch
new file mode 100644
index 0000000000..f0c482450c
--- /dev/null
+++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29464.patch
@@ -0,0 +1,72 @@
+From 61734d8842cb9cc59437463e3bac54d6231d9487 Mon Sep 17 00:00:00 2001
+From: Wang Mingyu <wangmy@fujitsu.com>
+Date: Tue, 18 May 2021 10:52:54 +0900
+Subject: [PATCH] modify
+
+Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
+---
+ src/jp2image.cpp | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index 52723a4..0ac4f50 100644
+--- a/src/jp2image.cpp
++++ b/src/jp2image.cpp
+@@ -643,11 +643,11 @@ static void boxes_check(size_t b,size_t m)
+ void Jp2Image::encodeJp2Header(const DataBuf& boxBuf,DataBuf& outBuf)
+ {
+ DataBuf output(boxBuf.size_ + iccProfile_.size_ + 100); // allocate sufficient space
+- int outlen = sizeof(Jp2BoxHeader) ; // now many bytes have we written to output?
+- int inlen = sizeof(Jp2BoxHeader) ; // how many bytes have we read from boxBuf?
++ long outlen = sizeof(Jp2BoxHeader) ; // now many bytes have we written to output?
++ long inlen = sizeof(Jp2BoxHeader) ; // how many bytes have we read from boxBuf?
+ Jp2BoxHeader* pBox = (Jp2BoxHeader*) boxBuf.pData_;
+- int32_t length = getLong((byte*)&pBox->length, bigEndian);
+- int32_t count = sizeof (Jp2BoxHeader);
++ uint32_t length = getLong((byte*)&pBox->length, bigEndian);
++ uint32_t count = sizeof (Jp2BoxHeader);
+ char* p = (char*) boxBuf.pData_;
+ bool bWroteColor = false ;
+
+@@ -664,6 +664,7 @@ static void boxes_check(size_t b,size_t m)
+ #ifdef EXIV2_DEBUG_MESSAGES
+ std::cout << "Jp2Image::encodeJp2Header subbox: "<< toAscii(subBox.type) << " length = " << subBox.length << std::endl;
+ #endif
++ enforce(subBox.length <= length - count, Exiv2::kerCorruptedMetadata);
+ count += subBox.length;
+ newBox.type = subBox.type;
+ } else {
+@@ -672,12 +673,13 @@ static void boxes_check(size_t b,size_t m)
+ count = length;
+ }
+
+- int32_t newlen = subBox.length;
++ uint32_t newlen = subBox.length;
+ if ( newBox.type == kJp2BoxTypeColorHeader ) {
+ bWroteColor = true ;
+ if ( ! iccProfileDefined() ) {
+ const char* pad = "\x01\x00\x00\x00\x00\x00\x10\x00\x00\x05\x1cuuid";
+ uint32_t psize = 15;
++ enforce(newlen <= output.size_ - outlen, Exiv2::kerCorruptedMetadata);
+ ul2Data((byte*)&newBox.length,psize ,bigEndian);
+ ul2Data((byte*)&newBox.type ,newBox.type,bigEndian);
+ ::memcpy(output.pData_+outlen ,&newBox ,sizeof(newBox));
+@@ -686,6 +688,7 @@ static void boxes_check(size_t b,size_t m)
+ } else {
+ const char* pad = "\0x02\x00\x00";
+ uint32_t psize = 3;
++ enforce(newlen <= output.size_ - outlen, Exiv2::kerCorruptedMetadata);
+ ul2Data((byte*)&newBox.length,psize+iccProfile_.size_,bigEndian);
+ ul2Data((byte*)&newBox.type,newBox.type,bigEndian);
+ ::memcpy(output.pData_+outlen ,&newBox ,sizeof(newBox) );
+@@ -694,6 +697,7 @@ static void boxes_check(size_t b,size_t m)
+ newlen = psize + iccProfile_.size_;
+ }
+ } else {
++ enforce(newlen <= output.size_ - outlen, Exiv2::kerCorruptedMetadata);
+ ::memcpy(output.pData_+outlen,boxBuf.pData_+inlen,subBox.length);
+ }
+
+--
+2.25.1
+
diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
index 8c4c81799b..024f4c794a 100644
--- a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
+++ b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
@@ -13,6 +13,7 @@ SRC_URI += "file://0001-Use-compiler-fcf-protection-only-if-compiler-arch-su.pat
file://CVE-2021-29457.patch \
file://CVE-2021-29458.patch \
file://CVE-2021-29463.patch \
+ file://CVE-2021-29464.patch \
file://CVE-2021-3482.patch"
S = "${WORKDIR}/${BPN}-${PV}-Source"
--
2.17.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [dunfell 06/12] exiv2: Fix CVE-2021-29470
2021-05-30 18:34 [dunfell 00/12] Patch review May 30th Armin Kuster
` (4 preceding siblings ...)
2021-05-30 18:34 ` [dunfell 05/12] exiv2: Fix CVE-2021-29464 Armin Kuster
@ 2021-05-30 18:34 ` Armin Kuster
2021-05-30 18:34 ` [dunfell 07/12] exiv2: Fix CVE-2021-29473 Armin Kuster
` (5 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: Armin Kuster @ 2021-05-30 18:34 UTC (permalink / raw)
To: openembedded-devel
From: wangmy <wangmy@fujitsu.com>
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29470
The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file.
An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2,
if they can trick the victim into running Exiv2 on a crafted image file.
Upstream-Status: Accepted [https://github.com/Exiv2/exiv2/pull/1581/commits/6628a69c036df2aa036290e6cd71767c159c79ed]
CVE: CVE-2021-29470
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit bb1400efda77a7289ca20782172bfbe1f457f161)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../exiv2/exiv2/CVE-2021-29470.patch | 32 +++++++++++++++++++
meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb | 1 +
2 files changed, 33 insertions(+)
create mode 100644 meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29470.patch
diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29470.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29470.patch
new file mode 100644
index 0000000000..eedf9d79aa
--- /dev/null
+++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29470.patch
@@ -0,0 +1,32 @@
+From 6628a69c036df2aa036290e6cd71767c159c79ed Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <kevinbackhouse@github.com>
+Date: Wed, 21 Apr 2021 12:06:04 +0100
+Subject: [PATCH] Add more bounds checks in Jp2Image::encodeJp2Header
+---
+ src/jp2image.cpp | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index b424225..349a9f0 100644
+--- a/src/jp2image.cpp
++++ b/src/jp2image.cpp
+@@ -645,13 +645,16 @@ static void boxes_check(size_t b,size_t m)
+ DataBuf output(boxBuf.size_ + iccProfile_.size_ + 100); // allocate sufficient space
+ long outlen = sizeof(Jp2BoxHeader) ; // now many bytes have we written to output?
+ long inlen = sizeof(Jp2BoxHeader) ; // how many bytes have we read from boxBuf?
++ enforce(sizeof(Jp2BoxHeader) <= static_cast<size_t>(output.size_), Exiv2::kerCorruptedMetadata);
+ Jp2BoxHeader* pBox = (Jp2BoxHeader*) boxBuf.pData_;
+ uint32_t length = getLong((byte*)&pBox->length, bigEndian);
++ enforce(length <= static_cast<size_t>(output.size_), Exiv2::kerCorruptedMetadata);
+ uint32_t count = sizeof (Jp2BoxHeader);
+ char* p = (char*) boxBuf.pData_;
+ bool bWroteColor = false ;
+
+ while ( count < length || !bWroteColor ) {
++ enforce(sizeof(Jp2BoxHeader) <= length - count, Exiv2::kerCorruptedMetadata);
+ Jp2BoxHeader* pSubBox = (Jp2BoxHeader*) (p+count) ;
+
+ // copy data. pointer could be into a memory mapped file which we will decode!
+--
+2.25.1
+
diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
index 024f4c794a..2419bab352 100644
--- a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
+++ b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
@@ -14,6 +14,7 @@ SRC_URI += "file://0001-Use-compiler-fcf-protection-only-if-compiler-arch-su.pat
file://CVE-2021-29458.patch \
file://CVE-2021-29463.patch \
file://CVE-2021-29464.patch \
+ file://CVE-2021-29470.patch \
file://CVE-2021-3482.patch"
S = "${WORKDIR}/${BPN}-${PV}-Source"
--
2.17.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [dunfell 07/12] exiv2: Fix CVE-2021-29473
2021-05-30 18:34 [dunfell 00/12] Patch review May 30th Armin Kuster
` (5 preceding siblings ...)
2021-05-30 18:34 ` [dunfell 06/12] exiv2: Fix CVE-2021-29470 Armin Kuster
@ 2021-05-30 18:34 ` Armin Kuster
2021-05-30 18:34 ` [dunfell 08/12] libsdl: Fix CVE-2019-13616 Armin Kuster
` (4 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: Armin Kuster @ 2021-05-30 18:34 UTC (permalink / raw)
To: openembedded-devel
From: wangmy <wangmy@fujitsu.com>
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29473
The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file.
An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2,
if they can trick the victim into running Exiv2 on a crafted image file.
Upstream-Status: Accepted [https://github.com/Exiv2/exiv2/pull/1587/commits/e6a0982f7cd9282052b6e3485a458d60629ffa0b]
CVE: CVE-2021-29473
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit a9aecd2c32fc8f238f62ef70813e032b6b52c2f2)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../exiv2/exiv2/CVE-2021-29473.patch | 21 +++++++++++++++++++
meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb | 1 +
2 files changed, 22 insertions(+)
create mode 100644 meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29473.patch
diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29473.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29473.patch
new file mode 100644
index 0000000000..4afedf8e59
--- /dev/null
+++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29473.patch
@@ -0,0 +1,21 @@
+From e6a0982f7cd9282052b6e3485a458d60629ffa0b Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <kevinbackhouse@github.com>
+Date: Fri, 23 Apr 2021 11:44:44 +0100
+Subject: [PATCH] Add bounds check in Jp2Image::doWriteMetadata().
+
+---
+ src/jp2image.cpp | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index 1694fed27..ca8c9ddbb 100644
+--- a/src/jp2image.cpp
++++ b/src/jp2image.cpp
+@@ -908,6 +908,7 @@ static void boxes_check(size_t b,size_t m)
+
+ case kJp2BoxTypeUuid:
+ {
++ enforce(boxBuf.size_ >= 24, Exiv2::kerCorruptedMetadata);
+ if(memcmp(boxBuf.pData_ + 8, kJp2UuidExif, 16) == 0)
+ {
+ #ifdef EXIV2_DEBUG_MESSAGES
diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
index 2419bab352..d5d9e62ff2 100644
--- a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
+++ b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
@@ -15,6 +15,7 @@ SRC_URI += "file://0001-Use-compiler-fcf-protection-only-if-compiler-arch-su.pat
file://CVE-2021-29463.patch \
file://CVE-2021-29464.patch \
file://CVE-2021-29470.patch \
+ file://CVE-2021-29473.patch \
file://CVE-2021-3482.patch"
S = "${WORKDIR}/${BPN}-${PV}-Source"
--
2.17.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [dunfell 08/12] libsdl: Fix CVE-2019-13616
2021-05-30 18:34 [dunfell 00/12] Patch review May 30th Armin Kuster
` (6 preceding siblings ...)
2021-05-30 18:34 ` [dunfell 07/12] exiv2: Fix CVE-2021-29473 Armin Kuster
@ 2021-05-30 18:34 ` Armin Kuster
2021-05-30 18:34 ` [dunfell 09/12] hostapd: fix building with CONFIG_TLS=internal Armin Kuster
` (3 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: Armin Kuster @ 2021-05-30 18:34 UTC (permalink / raw)
To: openembedded-devel
From: wangmy <wangmy@fujitsu.com>
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13616
SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read
in BlitNtoN in video/SDL_blit_N.c when called from SDL_SoftBlit in video/SDL_blit.c.
Upstream-Status: Backport [https://github.com/libsdl-org/SDL/commit/97fefd050976bbbfca9608499f6a7d9fb86e70db]
CVE: CVE-2019-13616
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../libsdl/libsdl-1.2.15/CVE-2019-13616.patch | 27 +++++++++++++++++++
.../recipes-graphics/libsdl/libsdl_1.2.15.bb | 1 +
2 files changed, 28 insertions(+)
create mode 100644 meta-oe/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-13616.patch
diff --git a/meta-oe/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-13616.patch b/meta-oe/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-13616.patch
new file mode 100644
index 0000000000..2db67966cf
--- /dev/null
+++ b/meta-oe/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-13616.patch
@@ -0,0 +1,27 @@
+From 97fefd050976bbbfca9608499f6a7d9fb86e70db Mon Sep 17 00:00:00 2001
+From: Sam Lantinga <slouken@libsdl.org>
+Date: Tue, 30 Jul 2019 11:00:00 -0700
+Subject: [PATCH] Fixed bug 4538 - validate image size when loading BMP files
+---
+ src/video/SDL_bmp.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c
+index 8eadc5f..5b5e12c 100644
+--- a/src/video/SDL_bmp.c
++++ b/src/video/SDL_bmp.c
+@@ -143,6 +143,11 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc)
+ (void) biYPelsPerMeter;
+ (void) biClrImportant;
+
++ if (biWidth <= 0 || biHeight == 0) {
++ SDL_SetError("BMP file with bad dimensions (%dx%d)", biWidth, biHeight);
++ was_error = SDL_TRUE;
++ goto done;
++ }
+ if (biHeight < 0) {
+ topDown = SDL_TRUE;
+ biHeight = -biHeight;
+--
+2.25.1
+
diff --git a/meta-oe/recipes-graphics/libsdl/libsdl_1.2.15.bb b/meta-oe/recipes-graphics/libsdl/libsdl_1.2.15.bb
index 7a01908322..d91a1856b4 100644
--- a/meta-oe/recipes-graphics/libsdl/libsdl_1.2.15.bb
+++ b/meta-oe/recipes-graphics/libsdl/libsdl_1.2.15.bb
@@ -27,6 +27,7 @@ SRC_URI = "http://www.libsdl.org/release/SDL-${PV}.tar.gz \
file://CVE-2019-7637.patch \
file://CVE-2019-7638.patch \
file://CVE-2019-7576.patch \
+ file://CVE-2019-13616.patch \
"
UPSTREAM_CHECK_REGEX = "SDL-(?P<pver>\d+(\.\d+)+)\.tar"
--
2.17.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [dunfell 09/12] hostapd: fix building with CONFIG_TLS=internal
2021-05-30 18:34 [dunfell 00/12] Patch review May 30th Armin Kuster
` (7 preceding siblings ...)
2021-05-30 18:34 ` [dunfell 08/12] libsdl: Fix CVE-2019-13616 Armin Kuster
@ 2021-05-30 18:34 ` Armin Kuster
2021-05-30 18:34 ` [dunfell 10/12] opencv: Add fix for CVE-2019-5063 and CVE-2019-5064 Armin Kuster
` (2 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: Armin Kuster @ 2021-05-30 18:34 UTC (permalink / raw)
To: openembedded-devel
From: Alexander Vickberg <wickbergster@gmail.com>
The patch recently added for CVE-2021-30004 broke compilation with
CONFIG_TLS=internal. This adds the necessary function to let it
compile again.
Signed-off-by: Alexander Vickberg <wickbergster@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit d6ef4170747d6668fa940328334055eef3e1e1d6)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
...001-Prepare-for-CVE-2021-30004.patch.patch | 45 +++++++++++++++++++
.../hostapd/hostapd_2.9.bb | 1 +
2 files changed, 46 insertions(+)
create mode 100644 meta-oe/recipes-connectivity/hostapd/hostapd/0001-Prepare-for-CVE-2021-30004.patch.patch
diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/0001-Prepare-for-CVE-2021-30004.patch.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/0001-Prepare-for-CVE-2021-30004.patch.patch
new file mode 100644
index 0000000000..1bedb4f753
--- /dev/null
+++ b/meta-oe/recipes-connectivity/hostapd/hostapd/0001-Prepare-for-CVE-2021-30004.patch.patch
@@ -0,0 +1,45 @@
+From 14fab0772db19297c82dd1b8612c9335369dce41 Mon Sep 17 00:00:00 2001
+From: Alexander Vickberg <wickbergster@gmail.com>
+Date: Mon, 17 May 2021 17:54:13 +0200
+Subject: [PATCH] Prepare for CVE-2021-30004.patch
+
+Without this building fails for CONFIG_TLS=internal
+
+Signed-off-by: Alexander Vickberg <wickbergster@gmail.com>
+---
+ src/tls/asn1.h | 6 ++++++
+ src/utils/includes.h | 1 +
+ 2 files changed, 7 insertions(+)
+
+diff --git a/src/tls/asn1.h b/src/tls/asn1.h
+index 6bd7df5..77b94ef 100644
+--- a/src/tls/asn1.h
++++ b/src/tls/asn1.h
+@@ -66,6 +66,12 @@ void asn1_oid_to_str(const struct asn1_oid *oid, char *buf, size_t len);
+ unsigned long asn1_bit_string_to_long(const u8 *buf, size_t len);
+ int asn1_oid_equal(const struct asn1_oid *a, const struct asn1_oid *b);
+
++static inline bool asn1_is_null(const struct asn1_hdr *hdr)
++{
++ return hdr->class == ASN1_CLASS_UNIVERSAL &&
++ hdr->tag == ASN1_TAG_NULL;
++}
++
+ extern struct asn1_oid asn1_sha1_oid;
+ extern struct asn1_oid asn1_sha256_oid;
+
+diff --git a/src/utils/includes.h b/src/utils/includes.h
+index 75513fc..741fc9c 100644
+--- a/src/utils/includes.h
++++ b/src/utils/includes.h
+@@ -18,6 +18,7 @@
+
+ #include <stdlib.h>
+ #include <stddef.h>
++#include <stdbool.h>
+ #include <stdio.h>
+ #include <stdarg.h>
+ #include <string.h>
+--
+2.25.1
+
diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb b/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb
index e586018685..a9780bc6db 100644
--- a/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb
+++ b/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb
@@ -11,6 +11,7 @@ SRC_URI = " \
file://defconfig \
file://init \
file://hostapd.service \
+ file://0001-Prepare-for-CVE-2021-30004.patch.patch \
file://CVE-2019-16275.patch \
file://CVE-2019-5061.patch \
file://CVE-2021-0326.patch \
--
2.17.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [dunfell 10/12] opencv: Add fix for CVE-2019-5063 and CVE-2019-5064
2021-05-30 18:34 [dunfell 00/12] Patch review May 30th Armin Kuster
` (8 preceding siblings ...)
2021-05-30 18:34 ` [dunfell 09/12] hostapd: fix building with CONFIG_TLS=internal Armin Kuster
@ 2021-05-30 18:34 ` Armin Kuster
2021-05-30 18:34 ` [dunfell 11/12] ebtables: use bitbake optimization levels Armin Kuster
2021-05-30 18:34 ` [dunfell 12/12] dnsmasq: Add fixes for CVEs reported for dnsmasq Armin Kuster
11 siblings, 0 replies; 13+ messages in thread
From: Armin Kuster @ 2021-05-30 18:34 UTC (permalink / raw)
To: openembedded-devel
From: "akash.hadke" <akash.hadke@kpit.com>
Added fix for below CVE's
CVE-2019-5063
CVE-2019-5064
Link: https://github.com/opencv/opencv/commit/f42d5399aac80d371b17d689851406669c9b9111.patch
Signed-off-by: akash hadke <akash.hadke@kpit.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../opencv/CVE-2019-5063_and_2019-5064.patch | 78 +++++++++++++++++++
.../recipes-support/opencv/opencv_4.1.0.bb | 1 +
2 files changed, 79 insertions(+)
create mode 100644 meta-oe/recipes-support/opencv/opencv/CVE-2019-5063_and_2019-5064.patch
diff --git a/meta-oe/recipes-support/opencv/opencv/CVE-2019-5063_and_2019-5064.patch b/meta-oe/recipes-support/opencv/opencv/CVE-2019-5063_and_2019-5064.patch
new file mode 100644
index 0000000000..b4d5e6dc44
--- /dev/null
+++ b/meta-oe/recipes-support/opencv/opencv/CVE-2019-5063_and_2019-5064.patch
@@ -0,0 +1,78 @@
+From f42d5399aac80d371b17d689851406669c9b9111 Mon Sep 17 00:00:00 2001
+From: Alexander Alekhin <alexander.alekhin@intel.com>
+Date: Thu, 7 Nov 2019 14:01:51 +0300
+Subject: [PATCH] core(persistence): add more checks for implementation
+ limitations
+
+Signed-off-by: akash hadke <akash.hadke@kpit.com>
+---
+ modules/core/src/persistence_json.cpp | 8 ++++++++
+ modules/core/src/persistence_xml.cpp | 6 ++++--
+ 2 files changed, 12 insertions(+), 2 deletions(-)
+---
+CVE: CVE-2019-5063
+CVE: CVE-2019-5064
+Upstream-Status: Backport [https://github.com/opencv/opencv/commit/f42d5399aac80d371b17d689851406669c9b9111.patch]
+---
+diff --git a/modules/core/src/persistence_json.cpp b/modules/core/src/persistence_json.cpp
+index 89914e6534f..2efdf17d3f5 100644
+--- a/modules/core/src/persistence_json.cpp
++++ b/modules/core/src/persistence_json.cpp
+@@ -578,10 +578,14 @@ class JSONParser : public FileStorageParser
+ sz = (int)(ptr - beg);
+ if( sz > 0 )
+ {
++ if (i + sz >= CV_FS_MAX_LEN)
++ CV_PARSE_ERROR_CPP("string is too long");
+ memcpy(buf + i, beg, sz);
+ i += sz;
+ }
+ ptr++;
++ if (i + 1 >= CV_FS_MAX_LEN)
++ CV_PARSE_ERROR_CPP("string is too long");
+ switch ( *ptr )
+ {
+ case '\\':
+@@ -605,6 +609,8 @@ class JSONParser : public FileStorageParser
+ sz = (int)(ptr - beg);
+ if( sz > 0 )
+ {
++ if (i + sz >= CV_FS_MAX_LEN)
++ CV_PARSE_ERROR_CPP("string is too long");
+ memcpy(buf + i, beg, sz);
+ i += sz;
+ }
+@@ -620,6 +626,8 @@ class JSONParser : public FileStorageParser
+ sz = (int)(ptr - beg);
+ if( sz > 0 )
+ {
++ if (i + sz >= CV_FS_MAX_LEN)
++ CV_PARSE_ERROR_CPP("string is too long");
+ memcpy(buf + i, beg, sz);
+ i += sz;
+ }
+diff --git a/modules/core/src/persistence_xml.cpp b/modules/core/src/persistence_xml.cpp
+index 89876dd3da8..52b53744254 100644
+--- a/modules/core/src/persistence_xml.cpp
++++ b/modules/core/src/persistence_xml.cpp
+@@ -627,6 +627,8 @@ class XMLParser : public FileStorageParser
+ c = '\"';
+ else
+ {
++ if (len + 2 + i >= CV_FS_MAX_LEN)
++ CV_PARSE_ERROR_CPP("string is too long");
+ memcpy( strbuf + i, ptr-1, len + 2 );
+ i += len + 2;
+ }
+@@ -635,9 +637,9 @@ class XMLParser : public FileStorageParser
+ CV_PERSISTENCE_CHECK_END_OF_BUFFER_BUG_CPP();
+ }
+ }
++ if (i + 1 >= CV_FS_MAX_LEN)
++ CV_PARSE_ERROR_CPP("Too long string literal");
+ strbuf[i++] = c;
+- if( i >= CV_FS_MAX_LEN )
+- CV_PARSE_ERROR_CPP( "Too long string literal" );
+ }
+ elem->setValue(FileNode::STRING, strbuf, i);
+ }
diff --git a/meta-oe/recipes-support/opencv/opencv_4.1.0.bb b/meta-oe/recipes-support/opencv/opencv_4.1.0.bb
index de708fd06d..19d5d0c891 100644
--- a/meta-oe/recipes-support/opencv/opencv_4.1.0.bb
+++ b/meta-oe/recipes-support/opencv/opencv_4.1.0.bb
@@ -54,6 +54,7 @@ SRC_URI = "git://github.com/opencv/opencv.git;name=opencv \
file://CVE-2019-14493.patch \
file://CVE-2019-15939.patch \
file://CVE-2019-19624.patch \
+ file://CVE-2019-5063_and_2019-5064.patch \
"
PV = "4.1.0"
--
2.17.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [dunfell 11/12] ebtables: use bitbake optimization levels
2021-05-30 18:34 [dunfell 00/12] Patch review May 30th Armin Kuster
` (9 preceding siblings ...)
2021-05-30 18:34 ` [dunfell 10/12] opencv: Add fix for CVE-2019-5063 and CVE-2019-5064 Armin Kuster
@ 2021-05-30 18:34 ` Armin Kuster
2021-05-30 18:34 ` [dunfell 12/12] dnsmasq: Add fixes for CVEs reported for dnsmasq Armin Kuster
11 siblings, 0 replies; 13+ messages in thread
From: Armin Kuster @ 2021-05-30 18:34 UTC (permalink / raw)
To: openembedded-devel
From: Mikko Rapeli <mikko.rapeli@bmw.de>
Don't overwrite with O3 optimization. Reduces ebtables
binary package size from 416241 to 412145 bytes, and
enables further optimizations with e.g. -Os flags
via bitbake distro wide settings.
Only ebtables versions up to 2.0.10-4 and dunfell are affected.
The version 2.0.11 from hardknott and master branch use system
wide flags already.
Signed-off-by: Mikko Rapeli <mikko.rapeli@bmw.de>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../ebtables_optimizations.patch | 19 +++++++++++++++++++
.../ebtables/ebtables_2.0.10-4.bb | 1 +
2 files changed, 20 insertions(+)
create mode 100644 meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/ebtables_optimizations.patch
diff --git a/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/ebtables_optimizations.patch b/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/ebtables_optimizations.patch
new file mode 100644
index 0000000000..21d4cfd822
--- /dev/null
+++ b/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/ebtables_optimizations.patch
@@ -0,0 +1,19 @@
+ebtables: use optimizations from bitbake
+
+Enables building with O2 or Os to create smaller binaries.
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Mikko Rapeli <mikko.rapeli@bmw.de>
+
+--- a/Makefile 2021-04-16 12:43:40.475431286 +0000
++++ b/Makefile 2021-04-16 12:45:23.654597711 +0000
+@@ -18,7 +18,7 @@ SYSCONFIGDIR:=/etc/sysconfig
+ DESTDIR:=
+
+ CFLAGS:=-Wall -Wunused -Werror
+-CFLAGS_SH_LIB:=-fPIC -O3
++CFLAGS_SH_LIB:=-fPIC
+ CC:=gcc
+
+ ifeq ($(shell uname -m),sparc64)
diff --git a/meta-networking/recipes-filter/ebtables/ebtables_2.0.10-4.bb b/meta-networking/recipes-filter/ebtables/ebtables_2.0.10-4.bb
index 276784009f..8b6dcea439 100644
--- a/meta-networking/recipes-filter/ebtables/ebtables_2.0.10-4.bb
+++ b/meta-networking/recipes-filter/ebtables/ebtables_2.0.10-4.bb
@@ -31,6 +31,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/ebtables/ebtables-v${PV}.tar.gz \
file://0007-extensions-Use-stdint-types.patch \
file://0008-ethernetdb.h-Remove-C-specific-compiler-hint-macro-_.patch \
file://0009-ebtables-Allow-RETURN-target-rules-in-user-defined-c.patch \
+ file://ebtables_optimizations.patch \
"
SRC_URI_append_libc-musl = " file://0010-Adjust-header-include-sequence.patch"
--
2.17.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [dunfell 12/12] dnsmasq: Add fixes for CVEs reported for dnsmasq
2021-05-30 18:34 [dunfell 00/12] Patch review May 30th Armin Kuster
` (10 preceding siblings ...)
2021-05-30 18:34 ` [dunfell 11/12] ebtables: use bitbake optimization levels Armin Kuster
@ 2021-05-30 18:34 ` Armin Kuster
11 siblings, 0 replies; 13+ messages in thread
From: Armin Kuster @ 2021-05-30 18:34 UTC (permalink / raw)
To: openembedded-devel
From: Sana Kazi <Sana.Kazi@kpit.com>
Applied single patch for below listed CVEs:
CVE-2020-25681
CVE-2020-25682
CVE-2020-25683
CVE-2020-25687
as they are fixed by single commit
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=4e96a4be685c9e4445f6ee79ad0b36b9119b502a
Link: https://www.openwall.com/lists/oss-security/2021/01/19/1
Also, applied patch for below listed CVEs:
CVE-2020-25684
CVE-2020-25685
CVE-2020-25686
all CVEs applicable to v2.81
Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
Signed-off-by: Nisha Parrakat <nishaparrakat@gmail.com>
[Refreshed patches]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../recipes-support/dnsmasq/dnsmasq_2.81.bb | 7 +-
.../dnsmasq/files/CVE-2020-25681.patch | 370 +++++++++++
.../dnsmasq/files/CVE-2020-25684.patch | 98 +++
.../dnsmasq/files/CVE-2020-25685-1.patch | 587 ++++++++++++++++++
.../dnsmasq/files/CVE-2020-25685-2.patch | 175 ++++++
.../dnsmasq/files/CVE-2020-25686-1.patch | 332 ++++++++++
.../dnsmasq/files/CVE-2020-25686-2.patch | 63 ++
7 files changed, 1631 insertions(+), 1 deletion(-)
create mode 100644 meta-networking/recipes-support/dnsmasq/files/CVE-2020-25681.patch
create mode 100644 meta-networking/recipes-support/dnsmasq/files/CVE-2020-25684.patch
create mode 100644 meta-networking/recipes-support/dnsmasq/files/CVE-2020-25685-1.patch
create mode 100644 meta-networking/recipes-support/dnsmasq/files/CVE-2020-25685-2.patch
create mode 100644 meta-networking/recipes-support/dnsmasq/files/CVE-2020-25686-1.patch
create mode 100644 meta-networking/recipes-support/dnsmasq/files/CVE-2020-25686-2.patch
diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb
index 92415386c2..a1dc0f3a0a 100644
--- a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb
+++ b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb
@@ -4,5 +4,10 @@ SRC_URI[dnsmasq-2.81.md5sum] = "e43808177a773014b5892ccba238f7a8"
SRC_URI[dnsmasq-2.81.sha256sum] = "3c28c68c6c2967c3a96e9b432c0c046a5df17a426d3a43cffe9e693cf05804d0"
SRC_URI += "\
file://lua.patch \
+ file://CVE-2020-25681.patch \
+ file://CVE-2020-25684.patch \
+ file://CVE-2020-25685-1.patch \
+ file://CVE-2020-25685-2.patch \
+ file://CVE-2020-25686-1.patch \
+ file://CVE-2020-25686-2.patch \
"
-
diff --git a/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25681.patch b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25681.patch
new file mode 100644
index 0000000000..6756157700
--- /dev/null
+++ b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25681.patch
@@ -0,0 +1,370 @@
+From 4e96a4be685c9e4445f6ee79ad0b36b9119b502a Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Wed, 11 Nov 2020 23:25:04 +0000
+Subject: [PATCH] Fix remote buffer overflow CERT VU#434904
+
+The problem is in the sort_rrset() function and allows a remote
+attacker to overwrite memory. Any dnsmasq instance with DNSSEC
+enabled is vulnerable.
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+---
+ CHANGELOG | 7 +-
+ src/dnssec.c | 273 ++++++++++++++++++++++++++++-----------------------
+ 2 files changed, 158 insertions(+), 122 deletions(-)
+
+CVE: CVE-2020-25681
+CVE: CVE-2020-25682
+CVE: CVE-2020-25683
+CVE: CVE-2020-25687
+Upstream-Status: Backport [https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=patch;h=4e96a4be685c9e4445f6ee79ad0b36b9119b502a]
+Comment: Refreshed first two hunks
+
+Index: dnsmasq-2.81/src/dnssec.c
+===================================================================
+--- dnsmasq-2.81.orig/src/dnssec.c
++++ dnsmasq-2.81/src/dnssec.c
+@@ -223,138 +223,144 @@ static int check_date_range(unsigned lon
+ && serial_compare_32(curtime, date_end) == SERIAL_LT;
+ }
+
+-/* Return bytes of canonicalised rdata, when the return value is zero, the remaining
+- data, pointed to by *p, should be used raw. */
+-static int get_rdata(struct dns_header *header, size_t plen, unsigned char *end, char *buff, int bufflen,
+- unsigned char **p, u16 **desc)
++/* Return bytes of canonicalised rrdata one by one.
++ Init state->ip with the RR, and state->end with the end of same.
++ Init state->op to NULL.
++ Init state->desc to RR descriptor.
++ Init state->buff with a MAXDNAME * 2 buffer.
++
++ After each call which returns 1, state->op points to the next byte of data.
++ On returning 0, the end has been reached.
++*/
++struct rdata_state {
++ u16 *desc;
++ size_t c;
++ unsigned char *end, *ip, *op;
++ char *buff;
++};
++
++static int get_rdata(struct dns_header *header, size_t plen, struct rdata_state *state)
+ {
+- int d = **desc;
++ int d;
+
+- /* No more data needs mangling */
+- if (d == (u16)-1)
++ if (state->op && state->c != 1)
+ {
+- /* If there's more data than we have space for, just return what fits,
+- we'll get called again for more chunks */
+- if (end - *p > bufflen)
+- {
+- memcpy(buff, *p, bufflen);
+- *p += bufflen;
+- return bufflen;
+- }
+-
+- return 0;
++ state->op++;
++ state->c--;
++ return 1;
+ }
+-
+- (*desc)++;
+-
+- if (d == 0 && extract_name(header, plen, p, buff, 1, 0))
+- /* domain-name, canonicalise */
+- return to_wire(buff);
+- else
+- {
+- /* plain data preceding a domain-name, don't run off the end of the data */
+- if ((end - *p) < d)
+- d = end - *p;
+-
+- if (d != 0)
++
++ while (1)
++ {
++ d = *(state->desc);
++ if (d == (u16)-1)
+ {
+- memcpy(buff, *p, d);
+- *p += d;
++ /* all the bytes to the end. */
++ if ((state->c = state->end - state->ip) != 0)
++ {
++ state->op = state->ip;
++ state->ip = state->end;;
++ }
++ else
++ return 0;
++ }
++ else
++ {
++ state->desc++;
++
++ if (d == (u16)0)
++ {
++ /* domain-name, canonicalise */
++ int len;
++
++ if (!extract_name(header, plen, &state->ip, state->buff, 1, 0) ||
++ (len = to_wire(state->buff)) == 0)
++ continue;
++
++ state->c = len;
++ state->op = (unsigned char *)state->buff;
++ }
++ else
++ {
++ /* plain data preceding a domain-name, don't run off the end of the data */
++ if ((state->end - state->ip) < d)
++ d = state->end - state->ip;
++
++ if (d == 0)
++ continue;
++
++ state->op = state->ip;
++ state->c = d;
++ state->ip += d;
++ }
+ }
+
+- return d;
++ return 1;
+ }
+ }
+
+-/* Bubble sort the RRset into the canonical order.
+- Note that the byte-streams from two RRs may get unsynced: consider
+- RRs which have two domain-names at the start and then other data.
+- The domain-names may have different lengths in each RR, but sort equal
+-
+- ------------
+- |abcde|fghi|
+- ------------
+- |abcd|efghi|
+- ------------
+-
+- leaving the following bytes as deciding the order. Hence the nasty left1 and left2 variables.
+-*/
++/* Bubble sort the RRset into the canonical order. */
+
+ static int sort_rrset(struct dns_header *header, size_t plen, u16 *rr_desc, int rrsetidx,
+ unsigned char **rrset, char *buff1, char *buff2)
+ {
+- int swap, quit, i, j;
++ int swap, i, j;
+
+ do
+ {
+ for (swap = 0, i = 0; i < rrsetidx-1; i++)
+ {
+- int rdlen1, rdlen2, left1, left2, len1, len2, len, rc;
+- u16 *dp1, *dp2;
+- unsigned char *end1, *end2;
++ int rdlen1, rdlen2;
++ struct rdata_state state1, state2;
++
+ /* Note that these have been determined to be OK previously,
+ so we don't need to check for NULL return here. */
+- unsigned char *p1 = skip_name(rrset[i], header, plen, 10);
+- unsigned char *p2 = skip_name(rrset[i+1], header, plen, 10);
+-
+- p1 += 8; /* skip class, type, ttl */
+- GETSHORT(rdlen1, p1);
+- end1 = p1 + rdlen1;
+-
+- p2 += 8; /* skip class, type, ttl */
+- GETSHORT(rdlen2, p2);
+- end2 = p2 + rdlen2;
+-
+- dp1 = dp2 = rr_desc;
+-
+- for (quit = 0, left1 = 0, left2 = 0, len1 = 0, len2 = 0; !quit;)
++ state1.ip = skip_name(rrset[i], header, plen, 10);
++ state2.ip = skip_name(rrset[i+1], header, plen, 10);
++ state1.op = state2.op = NULL;
++ state1.buff = buff1;
++ state2.buff = buff2;
++ state1.desc = state2.desc = rr_desc;
++
++ state1.ip += 8; /* skip class, type, ttl */
++ GETSHORT(rdlen1, state1.ip);
++ if (!CHECK_LEN(header, state1.ip, plen, rdlen1))
++ return rrsetidx; /* short packet */
++ state1.end = state1.ip + rdlen1;
++ state2.ip += 8; /* skip class, type, ttl */
++ GETSHORT(rdlen2, state2.ip);
++ if (!CHECK_LEN(header, state2.ip, plen, rdlen2))
++ return rrsetidx; /* short packet */
++ state2.end = state2.ip + rdlen2;
++
++ while (1)
+ {
+- if (left1 != 0)
+- memmove(buff1, buff1 + len1 - left1, left1);
+-
+- if ((len1 = get_rdata(header, plen, end1, buff1 + left1, (MAXDNAME * 2) - left1, &p1, &dp1)) == 0)
+- {
+- quit = 1;
+- len1 = end1 - p1;
+- memcpy(buff1 + left1, p1, len1);
++ int ok1, ok2;
++ ok1 = get_rdata(header, plen, &state1);
++ ok2 = get_rdata(header, plen, &state2);
++
++ if (!ok1 && !ok2)
++ {
++ /* Two RRs are equal, remove one copy. RFC 4034, para 6.3 */
++ for (j = i+1; j < rrsetidx-1; j++)
++ rrset[j] = rrset[j+1];
++ rrsetidx--;
++ i--;
++ break;
+ }
+- len1 += left1;
+-
+- if (left2 != 0)
+- memmove(buff2, buff2 + len2 - left2, left2);
+-
+- if ((len2 = get_rdata(header, plen, end2, buff2 + left2, (MAXDNAME *2) - left2, &p2, &dp2)) == 0)
+- {
+- quit = 1;
+- len2 = end2 - p2;
+- memcpy(buff2 + left2, p2, len2);
+- }
+- len2 += left2;
+-
+- if (len1 > len2)
+- left1 = len1 - len2, left2 = 0, len = len2;
+- else
+- left2 = len2 - len1, left1 = 0, len = len1;
+-
+- rc = (len == 0) ? 0 : memcmp(buff1, buff2, len);
+-
+- if (rc > 0 || (rc == 0 && quit && len1 > len2))
++ else if (ok1 && (!ok2 || *state1.op > *state2.op))
+ {
+ unsigned char *tmp = rrset[i+1];
+ rrset[i+1] = rrset[i];
+ rrset[i] = tmp;
+- swap = quit = 1;
+- }
+- else if (rc == 0 && quit && len1 == len2)
+- {
+- /* Two RRs are equal, remove one copy. RFC 4034, para 6.3 */
+- for (j = i+1; j < rrsetidx-1; j++)
+- rrset[j] = rrset[j+1];
+- rrsetidx--;
+- i--;
++ swap = 1;
++ break;
+ }
+- else if (rc < 0)
+- quit = 1;
++ else if (ok2 && (!ok1 || *state2.op > *state1.op))
++ break;
++
++ /* arrive here when bytes are equal, go round the loop again
++ and compare the next ones. */
+ }
+ }
+ } while (swap);
+@@ -569,12 +575,15 @@ static int validate_rrset(time_t now, st
+ wire_len = to_wire(keyname);
+ hash->update(ctx, (unsigned int)wire_len, (unsigned char*)keyname);
+ from_wire(keyname);
++
++#define RRBUFLEN 300 /* Most RRs are smaller than this. */
+
+ for (i = 0; i < rrsetidx; ++i)
+ {
+- int seg;
+- unsigned char *end, *cp;
+- u16 len, *dp;
++ int j;
++ struct rdata_state state;
++ u16 len;
++ unsigned char rrbuf[RRBUFLEN];
+
+ p = rrset[i];
+
+@@ -586,12 +595,11 @@ static int validate_rrset(time_t now, st
+ /* if more labels than in RRsig name, hash *.<no labels in rrsig labels field> 4035 5.3.2 */
+ if (labels < name_labels)
+ {
+- int k;
+- for (k = name_labels - labels; k != 0; k--)
++ for (j = name_labels - labels; j != 0; j--)
+ {
+ while (*name_start != '.' && *name_start != 0)
+ name_start++;
+- if (k != 1 && *name_start == '.')
++ if (j != 1 && *name_start == '.')
+ name_start++;
+ }
+
+@@ -612,24 +620,44 @@ static int validate_rrset(time_t now, st
+ if (!CHECK_LEN(header, p, plen, rdlen))
+ return STAT_BOGUS;
+
+- end = p + rdlen;
+-
+- /* canonicalise rdata and calculate length of same, use name buffer as workspace.
+- Note that name buffer is twice MAXDNAME long in DNSSEC mode. */
+- cp = p;
+- dp = rr_desc;
+- for (len = 0; (seg = get_rdata(header, plen, end, name, MAXDNAME * 2, &cp, &dp)) != 0; len += seg);
+- len += end - cp;
+- len = htons(len);
++ /* canonicalise rdata and calculate length of same, use
++ name buffer as workspace for get_rdata. */
++ state.ip = p;
++ state.op = NULL;
++ state.desc = rr_desc;
++ state.buff = name;
++ state.end = p + rdlen;
++
++ for (j = 0; get_rdata(header, plen, &state); j++)
++ if (j < RRBUFLEN)
++ rrbuf[j] = *state.op;
++
++ len = htons((u16)j);
+ hash->update(ctx, 2, (unsigned char *)&len);
++
++ /* If the RR is shorter than RRBUFLEN (most of them, in practice)
++ then we can just digest it now. If it exceeds RRBUFLEN we have to
++ go back to the start and do it in chunks. */
++ if (j >= RRBUFLEN)
++ {
++ state.ip = p;
++ state.op = NULL;
++ state.desc = rr_desc;
++
++ for (j = 0; get_rdata(header, plen, &state); j++)
++ {
++ rrbuf[j] = *state.op;
++
++ if (j == RRBUFLEN - 1)
++ {
++ hash->update(ctx, RRBUFLEN, rrbuf);
++ j = -1;
++ }
++ }
++ }
+
+- /* Now canonicalise again and digest. */
+- cp = p;
+- dp = rr_desc;
+- while ((seg = get_rdata(header, plen, end, name, MAXDNAME * 2, &cp, &dp)))
+- hash->update(ctx, seg, (unsigned char *)name);
+- if (cp != end)
+- hash->update(ctx, end - cp, cp);
++ if (j != 0)
++ hash->update(ctx, j, rrbuf);
+ }
+
+ hash->digest(ctx, hash->digest_size, digest);
diff --git a/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25684.patch b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25684.patch
new file mode 100644
index 0000000000..f7ff4b27cc
--- /dev/null
+++ b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25684.patch
@@ -0,0 +1,98 @@
+From 257ac0c5f7732cbc6aa96fdd3b06602234593aca Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Thu, 12 Nov 2020 18:49:23 +0000
+Subject: [PATCH] Check destination of DNS UDP query replies.
+
+At any time, dnsmasq will have a set of sockets open, bound to
+random ports, on which it sends queries to upstream nameservers.
+This patch fixes the existing problem that a reply for ANY in-flight
+query would be accepted via ANY open port, which increases the
+chances of an attacker flooding answers "in the blind" in an
+attempt to poison the DNS cache. CERT VU#434904 refers.
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+---
+ CHANGELOG | 6 +++++-
+ src/forward.c | 37 ++++++++++++++++++++++++++++---------
+ 2 files changed, 33 insertions(+), 10 deletions(-)
+
+CVE: CVE-2020-25684
+Upstream-Status: Backport [https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=patch;h=257ac0c5f7732cbc6aa96fdd3b06602234593aca]
+Comment: No change in any hunk
+
+Index: dnsmasq-2.81/src/forward.c
+===================================================================
+--- dnsmasq-2.81.orig/src/forward.c
++++ dnsmasq-2.81/src/forward.c
+@@ -16,7 +16,7 @@
+
+ #include "dnsmasq.h"
+
+-static struct frec *lookup_frec(unsigned short id, void *hash);
++static struct frec *lookup_frec(unsigned short id, int fd, int family, void *hash);
+ static struct frec *lookup_frec_by_sender(unsigned short id,
+ union mysockaddr *addr,
+ void *hash);
+@@ -805,7 +805,7 @@ void reply_query(int fd, int family, tim
+ crc = questions_crc(header, n, daemon->namebuff);
+ #endif
+
+- if (!(forward = lookup_frec(ntohs(header->id), hash)))
++ if (!(forward = lookup_frec(ntohs(header->id), fd, family, hash)))
+ return;
+
+ #ifdef HAVE_DUMPFILE
+@@ -2338,14 +2338,25 @@ struct frec *get_new_frec(time_t now, in
+ }
+
+ /* crc is all-ones if not known. */
+-static struct frec *lookup_frec(unsigned short id, void *hash)
++static struct frec *lookup_frec(unsigned short id, int fd, int family, void *hash)
+ {
+ struct frec *f;
+
+ for(f = daemon->frec_list; f; f = f->next)
+ if (f->sentto && f->new_id == id &&
+ (!hash || memcmp(hash, f->hash, HASH_SIZE) == 0))
+- return f;
++ {
++ /* sent from random port */
++ if (family == AF_INET && f->rfd4 && f->rfd4->fd == fd)
++ return f;
++
++ if (family == AF_INET6 && f->rfd6 && f->rfd6->fd == fd)
++ return f;
++
++ /* sent to upstream from bound socket. */
++ if (f->sentto->sfd && f->sentto->sfd->fd == fd)
++ return f;
++ }
+
+ return NULL;
+ }
+@@ -2406,12 +2417,20 @@ void server_gone(struct server *server)
+ static unsigned short get_id(void)
+ {
+ unsigned short ret = 0;
++ struct frec *f;
+
+- do
+- ret = rand16();
+- while (lookup_frec(ret, NULL));
+-
+- return ret;
++ while (1)
++ {
++ ret = rand16();
++
++ /* ensure id is unique. */
++ for (f = daemon->frec_list; f; f = f->next)
++ if (f->sentto && f->new_id == ret)
++ break;
++
++ if (!f)
++ return ret;
++ }
+ }
+
+
diff --git a/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25685-1.patch b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25685-1.patch
new file mode 100644
index 0000000000..5eb582c671
--- /dev/null
+++ b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25685-1.patch
@@ -0,0 +1,587 @@
+From 2d765867c597db18be9d876c9c17e2c0fe1953cd Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Thu, 12 Nov 2020 22:06:07 +0000
+Subject: [PATCH] Use SHA-256 to provide security against DNS cache poisoning.
+
+Use the SHA-256 hash function to verify that DNS answers
+received are for the questions originally asked. This replaces
+the slightly insecure SHA-1 (when compiled with DNSSEC) or
+the very insecure CRC32 (otherwise). Refer: CERT VU#434904.
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+---
+ CHANGELOG | 5 +
+ Makefile | 3 +-
+ bld/Android.mk | 2 +-
+ src/dnsmasq.h | 11 +-
+ src/dnssec.c | 31 -----
+ src/forward.c | 43 ++-----
+ src/hash_questions.c | 281 +++++++++++++++++++++++++++++++++++++++++++
+ src/rfc1035.c | 49 --------
+ 8 files changed, 301 insertions(+), 124 deletions(-)
+ create mode 100644 src/hash_questions.c
+
+CVE: CVE-2020-25685
+Upstream-Status: Backport [https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=patch;h=2024f9729713fd657d65e64c2e4e471baa0a3e5b]
+Comment: No change in any hunk
+
+Index: dnsmasq-2.81/Makefile
+===================================================================
+--- dnsmasq-2.81.orig/Makefile
++++ dnsmasq-2.81/Makefile
+@@ -77,7 +77,8 @@ objs = cache.o rfc1035.o util.o option.o
+ helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o \
+ dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o \
+ domain.o dnssec.o blockdata.o tables.o loop.o inotify.o \
+- poll.o rrfilter.o edns0.o arp.o crypto.o dump.o ubus.o metrics.o
++ poll.o rrfilter.o edns0.o arp.o crypto.o dump.o ubus.o \
++ metrics.o hash_questions.o
+
+ hdrs = dnsmasq.h config.h dhcp-protocol.h dhcp6-protocol.h \
+ dns-protocol.h radv-protocol.h ip6addr.h metrics.h
+Index: dnsmasq-2.81/bld/Android.mk
+===================================================================
+--- dnsmasq-2.81.orig/bld/Android.mk
++++ dnsmasq-2.81/bld/Android.mk
+@@ -11,7 +11,7 @@ LOCAL_SRC_FILES := bpf.c cache.c dbus.c
+ radv.c slaac.c auth.c ipset.c domain.c \
+ dnssec.c dnssec-openssl.c blockdata.c tables.c \
+ loop.c inotify.c poll.c rrfilter.c edns0.c arp.c \
+- crypto.c dump.c ubus.c
++ crypto.c dump.c ubus.c metrics.c hash_questions.c
+
+ LOCAL_MODULE := dnsmasq
+
+Index: dnsmasq-2.81/src/dnsmasq.h
+===================================================================
+--- dnsmasq-2.81.orig/src/dnsmasq.h
++++ dnsmasq-2.81/src/dnsmasq.h
+@@ -654,11 +654,7 @@ struct hostsfile {
+ #define FREC_TEST_PKTSZ 256
+ #define FREC_HAS_EXTRADATA 512
+
+-#ifdef HAVE_DNSSEC
+-#define HASH_SIZE 20 /* SHA-1 digest size */
+-#else
+-#define HASH_SIZE sizeof(int)
+-#endif
++#define HASH_SIZE 32 /* SHA-256 digest size */
+
+ struct frec {
+ union mysockaddr source;
+@@ -1218,7 +1214,6 @@ int check_for_bogus_wildcard(struct dns_
+ struct bogus_addr *baddr, time_t now);
+ int check_for_ignored_address(struct dns_header *header, size_t qlen, struct bogus_addr *baddr);
+ int check_for_local_domain(char *name, time_t now);
+-unsigned int questions_crc(struct dns_header *header, size_t plen, char *name);
+ size_t resize_packet(struct dns_header *header, size_t plen,
+ unsigned char *pheader, size_t hlen);
+ int add_resource_record(struct dns_header *header, char *limit, int *truncp,
+@@ -1243,9 +1238,11 @@ int dnssec_validate_reply(time_t now, st
+ int check_unsigned, int *neganswer, int *nons, int *nsec_ttl);
+ int dnskey_keytag(int alg, int flags, unsigned char *key, int keylen);
+ size_t filter_rrsigs(struct dns_header *header, size_t plen);
+-unsigned char* hash_questions(struct dns_header *header, size_t plen, char *name);
+ int setup_timestamp(void);
+
++/* hash_questions.c */
++unsigned char *hash_questions(struct dns_header *header, size_t plen, char *name);
++
+ /* crypto.c */
+ const struct nettle_hash *hash_find(char *name);
+ int hash_init(const struct nettle_hash *hash, void **ctxp, unsigned char **digestp);
+Index: dnsmasq-2.81/src/dnssec.c
+===================================================================
+--- dnsmasq-2.81.orig/src/dnssec.c
++++ dnsmasq-2.81/src/dnssec.c
+@@ -2084,35 +2084,4 @@ size_t dnssec_generate_query(struct dns_
+ return ret;
+ }
+
+-unsigned char* hash_questions(struct dns_header *header, size_t plen, char *name)
+-{
+- int q;
+- unsigned int len;
+- unsigned char *p = (unsigned char *)(header+1);
+- const struct nettle_hash *hash;
+- void *ctx;
+- unsigned char *digest;
+-
+- if (!(hash = hash_find("sha1")) || !hash_init(hash, &ctx, &digest))
+- return NULL;
+-
+- for (q = ntohs(header->qdcount); q != 0; q--)
+- {
+- if (!extract_name(header, plen, &p, name, 1, 4))
+- break; /* bad packet */
+-
+- len = to_wire(name);
+- hash->update(ctx, len, (unsigned char *)name);
+- /* CRC the class and type as well */
+- hash->update(ctx, 4, p);
+-
+- p += 4;
+- if (!CHECK_LEN(header, p, plen, 0))
+- break; /* bad packet */
+- }
+-
+- hash->digest(ctx, hash->digest_size, digest);
+- return digest;
+-}
+-
+ #endif /* HAVE_DNSSEC */
+Index: dnsmasq-2.81/src/forward.c
+===================================================================
+--- dnsmasq-2.81.orig/src/forward.c
++++ dnsmasq-2.81/src/forward.c
+@@ -256,19 +256,16 @@ static int forward_query(int udpfd, unio
+ union all_addr *addrp = NULL;
+ unsigned int flags = 0;
+ struct server *start = NULL;
+-#ifdef HAVE_DNSSEC
+ void *hash = hash_questions(header, plen, daemon->namebuff);
++#ifdef HAVE_DNSSEC
+ int do_dnssec = 0;
+-#else
+- unsigned int crc = questions_crc(header, plen, daemon->namebuff);
+- void *hash = &crc;
+ #endif
+ unsigned int gotname = extract_request(header, plen, daemon->namebuff, NULL);
+ unsigned char *oph = find_pseudoheader(header, plen, NULL, NULL, NULL, NULL);
+ (void)do_bit;
+
+ /* may be no servers available. */
+- if (forward || (hash && (forward = lookup_frec_by_sender(ntohs(header->id), udpaddr, hash))))
++ if (forward || (forward = lookup_frec_by_sender(ntohs(header->id), udpaddr, hash)))
+ {
+ /* If we didn't get an answer advertising a maximal packet in EDNS,
+ fall back to 1280, which should work everywhere on IPv6.
+@@ -769,9 +766,6 @@ void reply_query(int fd, int family, tim
+ size_t nn;
+ struct server *server;
+ void *hash;
+-#ifndef HAVE_DNSSEC
+- unsigned int crc;
+-#endif
+
+ /* packet buffer overwritten */
+ daemon->srv_save = NULL;
+@@ -798,12 +792,7 @@ void reply_query(int fd, int family, tim
+ if (difftime(now, server->pktsz_reduced) > UDP_TEST_TIME)
+ server->edns_pktsz = daemon->edns_pktsz;
+
+-#ifdef HAVE_DNSSEC
+ hash = hash_questions(header, n, daemon->namebuff);
+-#else
+- hash = &crc;
+- crc = questions_crc(header, n, daemon->namebuff);
+-#endif
+
+ if (!(forward = lookup_frec(ntohs(header->id), fd, family, hash)))
+ return;
+@@ -1115,8 +1104,7 @@ void reply_query(int fd, int family, tim
+ log_query(F_NOEXTRA | F_DNSSEC | F_IPV6, daemon->keyname, (union all_addr *)&(server->addr.in6.sin6_addr),
+ querystr("dnssec-query", querytype));
+
+- if ((hash = hash_questions(header, nn, daemon->namebuff)))
+- memcpy(new->hash, hash, HASH_SIZE);
++ memcpy(new->hash, hash_questions(header, nn, daemon->namebuff), HASH_SIZE);
+ new->new_id = get_id();
+ header->id = htons(new->new_id);
+ /* Save query for retransmission */
+@@ -1969,15 +1957,9 @@ unsigned char *tcp_request(int confd, ti
+ if (!flags && last_server)
+ {
+ struct server *firstsendto = NULL;
+-#ifdef HAVE_DNSSEC
+- unsigned char *newhash, hash[HASH_SIZE];
+- if ((newhash = hash_questions(header, (unsigned int)size, daemon->namebuff)))
+- memcpy(hash, newhash, HASH_SIZE);
+- else
+- memset(hash, 0, HASH_SIZE);
+-#else
+- unsigned int crc = questions_crc(header, (unsigned int)size, daemon->namebuff);
+-#endif
++ unsigned char hash[HASH_SIZE];
++ memcpy(hash, hash_questions(header, (unsigned int)size, daemon->namebuff), HASH_SIZE);
++
+ /* Loop round available servers until we succeed in connecting to one.
+ Note that this code subtly ensures that consecutive queries on this connection
+ which can go to the same server, do so. */
+@@ -2116,20 +2098,11 @@ unsigned char *tcp_request(int confd, ti
+ /* If the crc of the question section doesn't match the crc we sent, then
+ someone might be attempting to insert bogus values into the cache by
+ sending replies containing questions and bogus answers. */
+-#ifdef HAVE_DNSSEC
+- newhash = hash_questions(header, (unsigned int)m, daemon->namebuff);
+- if (!newhash || memcmp(hash, newhash, HASH_SIZE) != 0)
++ if (memcmp(hash, hash_questions(header, (unsigned int)m, daemon->namebuff), HASH_SIZE) != 0)
+ {
+ m = 0;
+ break;
+ }
+-#else
+- if (crc != questions_crc(header, (unsigned int)m, daemon->namebuff))
+- {
+- m = 0;
+- break;
+- }
+-#endif
+
+ m = process_reply(header, now, last_server, (unsigned int)m,
+ option_bool(OPT_NO_REBIND) && !norebind, no_cache_dnssec, cache_secure, bogusanswer,
+@@ -2344,7 +2317,7 @@ static struct frec *lookup_frec(unsigned
+
+ for(f = daemon->frec_list; f; f = f->next)
+ if (f->sentto && f->new_id == id &&
+- (!hash || memcmp(hash, f->hash, HASH_SIZE) == 0))
++ (memcmp(hash, f->hash, HASH_SIZE) == 0))
+ {
+ /* sent from random port */
+ if (family == AF_INET && f->rfd4 && f->rfd4->fd == fd)
+Index: dnsmasq-2.81/src/hash_questions.c
+===================================================================
+--- /dev/null
++++ dnsmasq-2.81/src/hash_questions.c
+@@ -0,0 +1,281 @@
++/* Copyright (c) 2012-2020 Simon Kelley
++
++ This program is free software; you can redistribute it and/or modify
++ it under the terms of the GNU General Public License as published by
++ the Free Software Foundation; version 2 dated June, 1991, or
++ (at your option) version 3 dated 29 June, 2007.
++
++ This program is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ GNU General Public License for more details.
++
++ You should have received a copy of the GNU General Public License
++ along with this program. If not, see <http://www.gnu.org/licenses/>.
++*/
++
++
++/* Hash the question section. This is used to safely detect query
++ retransmission and to detect answers to questions we didn't ask, which
++ might be poisoning attacks. Note that we decode the name rather
++ than CRC the raw bytes, since replies might be compressed differently.
++ We ignore case in the names for the same reason.
++
++ The hash used is SHA-256. If we're building with DNSSEC support,
++ we use the Nettle cypto library. If not, we prefer not to
++ add a dependency on Nettle, and use a stand-alone implementaion.
++*/
++
++#include "dnsmasq.h"
++
++#ifdef HAVE_DNSSEC
++unsigned char *hash_questions(struct dns_header *header, size_t plen, char *name)
++{
++ int q;
++ unsigned char *p = (unsigned char *)(header+1);
++ const struct nettle_hash *hash;
++ void *ctx;
++ unsigned char *digest;
++
++ if (!(hash = hash_find("sha256")) || !hash_init(hash, &ctx, &digest))
++ {
++ /* don't think this can ever happen. */
++ static unsigned char dummy[HASH_SIZE];
++ static int warned = 0;
++
++ if (warned)
++ my_syslog(LOG_ERR, _("Failed to create SHA-256 hash object"));
++ warned = 1;
++
++ return dummy;
++ }
++
++ for (q = ntohs(header->qdcount); q != 0; q--)
++ {
++ char *cp, c;
++
++ if (!extract_name(header, plen, &p, name, 1, 4))
++ break; /* bad packet */
++
++ for (cp = name; (c = *cp); cp++)
++ if (c >= 'A' && c <= 'Z')
++ *cp += 'a' - 'A';
++
++ hash->update(ctx, cp - name, (unsigned char *)name);
++ /* CRC the class and type as well */
++ hash->update(ctx, 4, p);
++
++ p += 4;
++ if (!CHECK_LEN(header, p, plen, 0))
++ break; /* bad packet */
++ }
++
++ hash->digest(ctx, hash->digest_size, digest);
++ return digest;
++}
++
++#else /* HAVE_DNSSEC */
++
++#define SHA256_BLOCK_SIZE 32 // SHA256 outputs a 32 byte digest
++typedef unsigned char BYTE; // 8-bit byte
++typedef unsigned int WORD; // 32-bit word, change to "long" for 16-bit machines
++
++typedef struct {
++ BYTE data[64];
++ WORD datalen;
++ unsigned long long bitlen;
++ WORD state[8];
++} SHA256_CTX;
++
++static void sha256_init(SHA256_CTX *ctx);
++static void sha256_update(SHA256_CTX *ctx, const BYTE data[], size_t len);
++static void sha256_final(SHA256_CTX *ctx, BYTE hash[]);
++
++
++unsigned char *hash_questions(struct dns_header *header, size_t plen, char *name)
++{
++ int q;
++ unsigned char *p = (unsigned char *)(header+1);
++ SHA256_CTX ctx;
++ static BYTE digest[SHA256_BLOCK_SIZE];
++
++ sha256_init(&ctx);
++
++ for (q = ntohs(header->qdcount); q != 0; q--)
++ {
++ char *cp, c;
++
++ if (!extract_name(header, plen, &p, name, 1, 4))
++ break; /* bad packet */
++
++ for (cp = name; (c = *cp); cp++)
++ if (c >= 'A' && c <= 'Z')
++ *cp += 'a' - 'A';
++
++ sha256_update(&ctx, (BYTE *)name, cp - name);
++ /* CRC the class and type as well */
++ sha256_update(&ctx, (BYTE *)p, 4);
++
++ p += 4;
++ if (!CHECK_LEN(header, p, plen, 0))
++ break; /* bad packet */
++ }
++
++ sha256_final(&ctx, digest);
++ return (unsigned char *)digest;
++}
++
++/* Code from here onwards comes from https://github.com/B-Con/crypto-algorithms
++ and was written by Brad Conte (brad@bradconte.com), to whom all credit is given.
++
++ This code is in the public domain, and the copyright notice at the head of this
++ file does not apply to it.
++*/
++
++
++/****************************** MACROS ******************************/
++#define ROTLEFT(a,b) (((a) << (b)) | ((a) >> (32-(b))))
++#define ROTRIGHT(a,b) (((a) >> (b)) | ((a) << (32-(b))))
++
++#define CH(x,y,z) (((x) & (y)) ^ (~(x) & (z)))
++#define MAJ(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
++#define EP0(x) (ROTRIGHT(x,2) ^ ROTRIGHT(x,13) ^ ROTRIGHT(x,22))
++#define EP1(x) (ROTRIGHT(x,6) ^ ROTRIGHT(x,11) ^ ROTRIGHT(x,25))
++#define SIG0(x) (ROTRIGHT(x,7) ^ ROTRIGHT(x,18) ^ ((x) >> 3))
++#define SIG1(x) (ROTRIGHT(x,17) ^ ROTRIGHT(x,19) ^ ((x) >> 10))
++
++/**************************** VARIABLES *****************************/
++static const WORD k[64] = {
++ 0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5,0x3956c25b,0x59f111f1,0x923f82a4,0xab1c5ed5,
++ 0xd807aa98,0x12835b01,0x243185be,0x550c7dc3,0x72be5d74,0x80deb1fe,0x9bdc06a7,0xc19bf174,
++ 0xe49b69c1,0xefbe4786,0x0fc19dc6,0x240ca1cc,0x2de92c6f,0x4a7484aa,0x5cb0a9dc,0x76f988da,
++ 0x983e5152,0xa831c66d,0xb00327c8,0xbf597fc7,0xc6e00bf3,0xd5a79147,0x06ca6351,0x14292967,
++ 0x27b70a85,0x2e1b2138,0x4d2c6dfc,0x53380d13,0x650a7354,0x766a0abb,0x81c2c92e,0x92722c85,
++ 0xa2bfe8a1,0xa81a664b,0xc24b8b70,0xc76c51a3,0xd192e819,0xd6990624,0xf40e3585,0x106aa070,
++ 0x19a4c116,0x1e376c08,0x2748774c,0x34b0bcb5,0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3,
++ 0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208,0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2
++};
++
++/*********************** FUNCTION DEFINITIONS ***********************/
++static void sha256_transform(SHA256_CTX *ctx, const BYTE data[])
++{
++ WORD a, b, c, d, e, f, g, h, i, j, t1, t2, m[64];
++
++ for (i = 0, j = 0; i < 16; ++i, j += 4)
++ m[i] = (data[j] << 24) | (data[j + 1] << 16) | (data[j + 2] << 8) | (data[j + 3]);
++ for ( ; i < 64; ++i)
++ m[i] = SIG1(m[i - 2]) + m[i - 7] + SIG0(m[i - 15]) + m[i - 16];
++
++ a = ctx->state[0];
++ b = ctx->state[1];
++ c = ctx->state[2];
++ d = ctx->state[3];
++ e = ctx->state[4];
++ f = ctx->state[5];
++ g = ctx->state[6];
++ h = ctx->state[7];
++
++ for (i = 0; i < 64; ++i)
++ {
++ t1 = h + EP1(e) + CH(e,f,g) + k[i] + m[i];
++ t2 = EP0(a) + MAJ(a,b,c);
++ h = g;
++ g = f;
++ f = e;
++ e = d + t1;
++ d = c;
++ c = b;
++ b = a;
++ a = t1 + t2;
++ }
++
++ ctx->state[0] += a;
++ ctx->state[1] += b;
++ ctx->state[2] += c;
++ ctx->state[3] += d;
++ ctx->state[4] += e;
++ ctx->state[5] += f;
++ ctx->state[6] += g;
++ ctx->state[7] += h;
++}
++
++static void sha256_init(SHA256_CTX *ctx)
++{
++ ctx->datalen = 0;
++ ctx->bitlen = 0;
++ ctx->state[0] = 0x6a09e667;
++ ctx->state[1] = 0xbb67ae85;
++ ctx->state[2] = 0x3c6ef372;
++ ctx->state[3] = 0xa54ff53a;
++ ctx->state[4] = 0x510e527f;
++ ctx->state[5] = 0x9b05688c;
++ ctx->state[6] = 0x1f83d9ab;
++ ctx->state[7] = 0x5be0cd19;
++}
++
++static void sha256_update(SHA256_CTX *ctx, const BYTE data[], size_t len)
++{
++ WORD i;
++
++ for (i = 0; i < len; ++i)
++ {
++ ctx->data[ctx->datalen] = data[i];
++ ctx->datalen++;
++ if (ctx->datalen == 64) {
++ sha256_transform(ctx, ctx->data);
++ ctx->bitlen += 512;
++ ctx->datalen = 0;
++ }
++ }
++}
++
++static void sha256_final(SHA256_CTX *ctx, BYTE hash[])
++{
++ WORD i;
++
++ i = ctx->datalen;
++
++ // Pad whatever data is left in the buffer.
++ if (ctx->datalen < 56)
++ {
++ ctx->data[i++] = 0x80;
++ while (i < 56)
++ ctx->data[i++] = 0x00;
++ }
++ else
++ {
++ ctx->data[i++] = 0x80;
++ while (i < 64)
++ ctx->data[i++] = 0x00;
++ sha256_transform(ctx, ctx->data);
++ memset(ctx->data, 0, 56);
++ }
++
++ // Append to the padding the total message's length in bits and transform.
++ ctx->bitlen += ctx->datalen * 8;
++ ctx->data[63] = ctx->bitlen;
++ ctx->data[62] = ctx->bitlen >> 8;
++ ctx->data[61] = ctx->bitlen >> 16;
++ ctx->data[60] = ctx->bitlen >> 24;
++ ctx->data[59] = ctx->bitlen >> 32;
++ ctx->data[58] = ctx->bitlen >> 40;
++ ctx->data[57] = ctx->bitlen >> 48;
++ ctx->data[56] = ctx->bitlen >> 56;
++ sha256_transform(ctx, ctx->data);
++
++ // Since this implementation uses little endian byte ordering and SHA uses big endian,
++ // reverse all the bytes when copying the final state to the output hash.
++ for (i = 0; i < 4; ++i)
++ {
++ hash[i] = (ctx->state[0] >> (24 - i * 8)) & 0x000000ff;
++ hash[i + 4] = (ctx->state[1] >> (24 - i * 8)) & 0x000000ff;
++ hash[i + 8] = (ctx->state[2] >> (24 - i * 8)) & 0x000000ff;
++ hash[i + 12] = (ctx->state[3] >> (24 - i * 8)) & 0x000000ff;
++ hash[i + 16] = (ctx->state[4] >> (24 - i * 8)) & 0x000000ff;
++ hash[i + 20] = (ctx->state[5] >> (24 - i * 8)) & 0x000000ff;
++ hash[i + 24] = (ctx->state[6] >> (24 - i * 8)) & 0x000000ff;
++ hash[i + 28] = (ctx->state[7] >> (24 - i * 8)) & 0x000000ff;
++ }
++}
++
++#endif
+Index: dnsmasq-2.81/src/rfc1035.c
+===================================================================
+--- dnsmasq-2.81.orig/src/rfc1035.c
++++ dnsmasq-2.81/src/rfc1035.c
+@@ -333,55 +333,6 @@ unsigned char *skip_section(unsigned cha
+ return ansp;
+ }
+
+-/* CRC the question section. This is used to safely detect query
+- retransmission and to detect answers to questions we didn't ask, which
+- might be poisoning attacks. Note that we decode the name rather
+- than CRC the raw bytes, since replies might be compressed differently.
+- We ignore case in the names for the same reason. Return all-ones
+- if there is not question section. */
+-#ifndef HAVE_DNSSEC
+-unsigned int questions_crc(struct dns_header *header, size_t plen, char *name)
+-{
+- int q;
+- unsigned int crc = 0xffffffff;
+- unsigned char *p1, *p = (unsigned char *)(header+1);
+-
+- for (q = ntohs(header->qdcount); q != 0; q--)
+- {
+- if (!extract_name(header, plen, &p, name, 1, 4))
+- return crc; /* bad packet */
+-
+- for (p1 = (unsigned char *)name; *p1; p1++)
+- {
+- int i = 8;
+- char c = *p1;
+-
+- if (c >= 'A' && c <= 'Z')
+- c += 'a' - 'A';
+-
+- crc ^= c << 24;
+- while (i--)
+- crc = crc & 0x80000000 ? (crc << 1) ^ 0x04c11db7 : crc << 1;
+- }
+-
+- /* CRC the class and type as well */
+- for (p1 = p; p1 < p+4; p1++)
+- {
+- int i = 8;
+- crc ^= *p1 << 24;
+- while (i--)
+- crc = crc & 0x80000000 ? (crc << 1) ^ 0x04c11db7 : crc << 1;
+- }
+-
+- p += 4;
+- if (!CHECK_LEN(header, p, plen, 0))
+- return crc; /* bad packet */
+- }
+-
+- return crc;
+-}
+-#endif
+-
+ size_t resize_packet(struct dns_header *header, size_t plen, unsigned char *pheader, size_t hlen)
+ {
+ unsigned char *ansp = skip_questions(header, plen);
diff --git a/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25685-2.patch b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25685-2.patch
new file mode 100644
index 0000000000..302c42ccca
--- /dev/null
+++ b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25685-2.patch
@@ -0,0 +1,175 @@
+From 2024f9729713fd657d65e64c2e4e471baa0a3e5b Mon Sep 17 00:00:00 2001
+From: =?utf8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Wed, 25 Nov 2020 17:18:55 +0100
+Subject: [PATCH] Support hash function from nettle (only)
+
+Unlike COPTS=-DHAVE_DNSSEC, allow usage of just sha256 function from
+nettle, but keep DNSSEC disabled at build time. Skips use of internal
+hash implementation without support for validation built-in.
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+---
+ Makefile | 8 +++++---
+ bld/pkg-wrapper | 41 ++++++++++++++++++++++-------------------
+ src/config.h | 8 ++++++++
+ src/crypto.c | 7 +++++++
+ src/dnsmasq.h | 2 +-
+ src/hash_questions.c | 2 +-
+ 6 files changed, 44 insertions(+), 24 deletions(-)
+
+CVE: CVE-2020-25685
+Upstream-Status: Backport [https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=patch;h=2024f9729713fd657d65e64c2e4e471baa0a3e5b]
+Comment: Refreshed a hunk from pkg-wrapper and second hunk from Makefile
+
+Index: dnsmasq-2.81/Makefile
+===================================================================
+--- dnsmasq-2.81.orig/Makefile
++++ dnsmasq-2.81/Makefile
+@@ -53,7 +53,7 @@ top?=$(CURDIR)
+
+ dbus_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DBUS $(PKG_CONFIG) --cflags dbus-1`
+ dbus_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DBUS $(PKG_CONFIG) --libs dbus-1`
+-ubus_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_UBUS "" --copy -lubox -lubus`
++ubus_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_UBUS "" --copy '-lubox -lubus'`
+ idn_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_IDN $(PKG_CONFIG) --cflags libidn`
+ idn_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_IDN $(PKG_CONFIG) --libs libidn`
+ idn2_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LIBIDN2 $(PKG_CONFIG) --cflags libidn2`
+@@ -62,8 +62,10 @@ ct_cflags = `echo $(COPTS) | $(top)/
+ ct_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_CONNTRACK $(PKG_CONFIG) --libs libnetfilter_conntrack`
+ lua_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --cflags lua`
+ lua_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --libs lua`
+-nettle_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --cflags nettle hogweed`
+-nettle_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --libs nettle hogweed`
++nettle_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --cflags 'nettle hogweed' \
++ HAVE_NETTLEHASH $(PKG_CONFIG) --cflags nettle`
++nettle_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --libs 'nettle hogweed' \
++ HAVE_NETTLEHASH $(PKG_CONFIG) --libs nettle`
+ gmp_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC NO_GMP --copy -lgmp`
+ sunos_libs = `if uname | grep SunOS >/dev/null 2>&1; then echo -lsocket -lnsl -lposix4; fi`
+ version = -DVERSION='\"`$(top)/bld/get-version $(top)`\"'
+Index: dnsmasq-2.81/bld/pkg-wrapper
+===================================================================
+--- dnsmasq-2.81.orig/bld/pkg-wrapper
++++ dnsmasq-2.81/bld/pkg-wrapper
+@@ -1,35 +1,37 @@
+ #!/bin/sh
+
+-search=$1
+-shift
+-pkg=$1
+-shift
+-op=$1
+-shift
+-
+ in=`cat`
+
+-if grep "^\#[[:space:]]*define[[:space:]]*$search" config.h >/dev/null 2>&1 || \
+- echo $in | grep $search >/dev/null 2>&1; then
++search()
++{
++ grep "^\#[[:space:]]*define[[:space:]]*$1" config.h >/dev/null 2>&1 || \
++ echo $in | grep $1 >/dev/null 2>&1
++}
++
++while [ "$#" -gt 0 ]; do
++ search=$1
++ pkg=$2
++ op=$3
++ lib=$4
++ shift 4
++if search "$search"; then
++
+ # Nasty, nasty, in --copy, arg 2 (if non-empty) is another config to search for, used with NO_GMP
+ if [ $op = "--copy" ]; then
+ if [ -z "$pkg" ]; then
+- pkg="$*"
+- elif grep "^\#[[:space:]]*define[[:space:]]*$pkg" config.h >/dev/null 2>&1 || \
+- echo $in | grep $pkg >/dev/null 2>&1; then
++ pkg="$lib"
++ elif search "$pkg"; then
+ pkg=""
+ else
+- pkg="$*"
++ pkg="$lib"
+ fi
+- elif grep "^\#[[:space:]]*define[[:space:]]*${search}_STATIC" config.h >/dev/null 2>&1 || \
+- echo $in | grep ${search}_STATIC >/dev/null 2>&1; then
+- pkg=`$pkg --static $op $*`
++ elif search "${search}_STATIC"; then
++ pkg=`$pkg --static $op $lib`
+ else
+- pkg=`$pkg $op $*`
++ pkg=`$pkg $op $lib`
+ fi
+
+- if grep "^\#[[:space:]]*define[[:space:]]*${search}_STATIC" config.h >/dev/null 2>&1 || \
+- echo $in | grep ${search}_STATIC >/dev/null 2>&1; then
++ if search "${search}_STATIC"; then
+ if [ $op = "--libs" ] || [ $op = "--copy" ]; then
+ echo "-Wl,-Bstatic $pkg -Wl,-Bdynamic"
+ else
+@@ -40,3 +42,4 @@ if grep "^\#[[:space:]]*define[[:space:]
+ fi
+ fi
+
++done
+Index: dnsmasq-2.81/src/config.h
+===================================================================
+--- dnsmasq-2.81.orig/src/config.h
++++ dnsmasq-2.81/src/config.h
+@@ -118,6 +118,9 @@ HAVE_AUTH
+ define this to include the facility to act as an authoritative DNS
+ server for one or more zones.
+
++HAVE_NETTLEHASH
++ include just hash function from nettle, but no DNSSEC.
++
+ HAVE_DNSSEC
+ include DNSSEC validator.
+
+@@ -185,6 +188,7 @@ RESOLVFILE
+ /* #define HAVE_IDN */
+ /* #define HAVE_LIBIDN2 */
+ /* #define HAVE_CONNTRACK */
++/* #define HAVE_NETTLEHASH */
+ /* #define HAVE_DNSSEC */
+
+
+@@ -418,6 +422,10 @@ static char *compile_opts =
+ "no-"
+ #endif
+ "auth "
++#if !defined(HAVE_NETTLEHASH) && !defined(HAVE_DNSSEC)
++"no-"
++#endif
++"nettlehash "
+ #ifndef HAVE_DNSSEC
+ "no-"
+ #endif
+Index: dnsmasq-2.81/src/dnsmasq.h
+===================================================================
+--- dnsmasq-2.81.orig/src/dnsmasq.h
++++ dnsmasq-2.81/src/dnsmasq.h
+@@ -161,6 +161,9 @@ extern int capget(cap_user_header_t head
+ # include <nettle/nettle-meta.h>
+ #endif
+
++#if defined(HAVE_DNSSEC) || defined(HAVE_NETTLEHASH)
++# include <nettle/nettle-meta.h>
++#endif
+ /* daemon is function in the C library.... */
+ #define daemon dnsmasq_daemon
+
+Index: dnsmasq-2.81/src/hash_questions.c
+===================================================================
+--- dnsmasq-2.81.orig/src/hash_questions.c
++++ dnsmasq-2.81/src/hash_questions.c
+@@ -28,7 +28,7 @@
+
+ #include "dnsmasq.h"
+
+-#ifdef HAVE_DNSSEC
++#if defined(HAVE_DNSSEC) || defined(HAVE_NETTLEHASH)
+ unsigned char *hash_questions(struct dns_header *header, size_t plen, char *name)
+ {
+ int q;
diff --git a/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25686-1.patch b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25686-1.patch
new file mode 100644
index 0000000000..fd9d0a9b16
--- /dev/null
+++ b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25686-1.patch
@@ -0,0 +1,332 @@
+From 15b60ddf935a531269bb8c68198de012a4967156 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Wed, 18 Nov 2020 18:34:55 +0000
+Subject: [PATCH] Handle multiple identical near simultaneous DNS queries
+ better.
+
+Previously, such queries would all be forwarded
+independently. This is, in theory, inefficent but in practise
+not a problem, _except_ that is means that an answer for any
+of the forwarded queries will be accepted and cached.
+An attacker can send a query multiple times, and for each repeat,
+another {port, ID} becomes capable of accepting the answer he is
+sending in the blind, to random IDs and ports. The chance of a
+succesful attack is therefore multiplied by the number of repeats
+of the query. The new behaviour detects repeated queries and
+merely stores the clients sending repeats so that when the
+first query completes, the answer can be sent to all the
+clients who asked. Refer: CERT VU#434904.
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+---
+ CHANGELOG | 16 +++++-
+ src/dnsmasq.h | 19 ++++---
+ src/forward.c | 142 ++++++++++++++++++++++++++++++++++++++++++--------
+ 3 files changed, 147 insertions(+), 30 deletions(-)
+
+CVE: CVE-2020-25686
+Upstream-Status: Backport [http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=15b60ddf935a531269bb8c68198de012a4967156]
+Comment: No change in any hunk
+
+Index: dnsmasq-2.81/src/dnsmasq.h
+===================================================================
+--- dnsmasq-2.81.orig/src/dnsmasq.h
++++ dnsmasq-2.81/src/dnsmasq.h
+@@ -655,19 +655,24 @@ struct hostsfile {
+ #define FREC_DO_QUESTION 64
+ #define FREC_ADDED_PHEADER 128
+ #define FREC_TEST_PKTSZ 256
+-#define FREC_HAS_EXTRADATA 512
++#define FREC_HAS_EXTRADATA 512
++#define FREC_HAS_PHEADER 1024
+
+ #define HASH_SIZE 32 /* SHA-256 digest size */
+
+ struct frec {
+- union mysockaddr source;
+- union all_addr dest;
++ struct frec_src {
++ union mysockaddr source;
++ union all_addr dest;
++ unsigned int iface, log_id;
++ unsigned short orig_id;
++ struct frec_src *next;
++ } frec_src;
+ struct server *sentto; /* NULL means free */
+ struct randfd *rfd4;
+ struct randfd *rfd6;
+- unsigned int iface;
+- unsigned short orig_id, new_id;
+- int log_id, fd, forwardall, flags;
++ unsigned short new_id;
++ int fd, forwardall, flags;
+ time_t time;
+ unsigned char *hash[HASH_SIZE];
+ #ifdef HAVE_DNSSEC
+@@ -1085,6 +1090,8 @@ extern struct daemon {
+ int back_to_the_future;
+ #endif
+ struct frec *frec_list;
++ struct frec_src *free_frec_src;
++ int frec_src_count;
+ struct serverfd *sfds;
+ struct irec *interfaces;
+ struct listener *listeners;
+Index: dnsmasq-2.81/src/forward.c
+===================================================================
+--- dnsmasq-2.81.orig/src/forward.c
++++ dnsmasq-2.81/src/forward.c
+@@ -20,6 +20,8 @@ static struct frec *lookup_frec(unsigned
+ static struct frec *lookup_frec_by_sender(unsigned short id,
+ union mysockaddr *addr,
+ void *hash);
++static struct frec *lookup_frec_by_query(void *hash, unsigned int flags);
++
+ static unsigned short get_id(void);
+ static void free_frec(struct frec *f);
+
+@@ -255,6 +257,7 @@ static int forward_query(int udpfd, unio
+ int type = SERV_DO_DNSSEC, norebind = 0;
+ union all_addr *addrp = NULL;
+ unsigned int flags = 0;
++ unsigned int fwd_flags = 0;
+ struct server *start = NULL;
+ void *hash = hash_questions(header, plen, daemon->namebuff);
+ #ifdef HAVE_DNSSEC
+@@ -263,7 +266,18 @@ static int forward_query(int udpfd, unio
+ unsigned int gotname = extract_request(header, plen, daemon->namebuff, NULL);
+ unsigned char *oph = find_pseudoheader(header, plen, NULL, NULL, NULL, NULL);
+ (void)do_bit;
+-
++
++ if (header->hb4 & HB4_CD)
++ fwd_flags |= FREC_CHECKING_DISABLED;
++ if (ad_reqd)
++ fwd_flags |= FREC_AD_QUESTION;
++ if (oph)
++ fwd_flags |= FREC_HAS_PHEADER;
++#ifdef HAVE_DNSSEC
++ if (do_bit)
++ fwd_flags |= FREC_DO_QUESTION;
++#endif
++
+ /* may be no servers available. */
+ if (forward || (forward = lookup_frec_by_sender(ntohs(header->id), udpaddr, hash)))
+ {
+@@ -336,6 +350,39 @@ static int forward_query(int udpfd, unio
+ }
+ else
+ {
++ /* Query from new source, but the same query may be in progress
++ from another source. If so, just add this client to the
++ list that will get the reply.
++
++ Note that is the EDNS client subnet option is in use, we can't do this,
++ as the clients (and therefore query EDNS options) will be different
++ for each query. The EDNS subnet code has checks to avoid
++ attacks in this case. */
++ if (!option_bool(OPT_CLIENT_SUBNET) && (forward = lookup_frec_by_query(hash, fwd_flags)))
++ {
++ /* Note whine_malloc() zeros memory. */
++ if (!daemon->free_frec_src &&
++ daemon->frec_src_count < daemon->ftabsize &&
++ (daemon->free_frec_src = whine_malloc(sizeof(struct frec_src))))
++ daemon->frec_src_count++;
++
++ /* If we've been spammed with many duplicates, just drop the query. */
++ if (daemon->free_frec_src)
++ {
++ struct frec_src *new = daemon->free_frec_src;
++ daemon->free_frec_src = new->next;
++ new->next = forward->frec_src.next;
++ forward->frec_src.next = new;
++ new->orig_id = ntohs(header->id);
++ new->source = *udpaddr;
++ new->dest = *dst_addr;
++ new->log_id = daemon->log_id;
++ new->iface = dst_iface;
++ }
++
++ return 1;
++ }
++
+ if (gotname)
+ flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind);
+
+@@ -343,22 +390,22 @@ static int forward_query(int udpfd, unio
+ do_dnssec = type & SERV_DO_DNSSEC;
+ #endif
+ type &= ~SERV_DO_DNSSEC;
+-
++
+ if (daemon->servers && !flags)
+ forward = get_new_frec(now, NULL, NULL);
+ /* table full - flags == 0, return REFUSED */
+
+ if (forward)
+ {
+- forward->source = *udpaddr;
+- forward->dest = *dst_addr;
+- forward->iface = dst_iface;
+- forward->orig_id = ntohs(header->id);
++ forward->frec_src.source = *udpaddr;
++ forward->frec_src.orig_id = ntohs(header->id);
++ forward->frec_src.dest = *dst_addr;
++ forward->frec_src.iface = dst_iface;
+ forward->new_id = get_id();
+ forward->fd = udpfd;
+ memcpy(forward->hash, hash, HASH_SIZE);
+ forward->forwardall = 0;
+- forward->flags = 0;
++ forward->flags = fwd_flags;
+ if (norebind)
+ forward->flags |= FREC_NOREBIND;
+ if (header->hb4 & HB4_CD)
+@@ -413,9 +460,9 @@ static int forward_query(int udpfd, unio
+ unsigned char *pheader;
+
+ /* If a query is retried, use the log_id for the retry when logging the answer. */
+- forward->log_id = daemon->log_id;
++ forward->frec_src.log_id = daemon->log_id;
+
+- plen = add_edns0_config(header, plen, ((unsigned char *)header) + PACKETSZ, &forward->source, now, &subnet);
++ plen = add_edns0_config(header, plen, ((unsigned char *)header) + PACKETSZ, &forward->frec_src.source, now, &subnet);
+
+ if (subnet)
+ forward->flags |= FREC_HAS_SUBNET;
+@@ -552,7 +599,7 @@ static int forward_query(int udpfd, unio
+ return 1;
+
+ /* could not send on, prepare to return */
+- header->id = htons(forward->orig_id);
++ header->id = htons(forward->frec_src.orig_id);
+ free_frec(forward); /* cancel */
+ }
+
+@@ -804,8 +851,8 @@ void reply_query(int fd, int family, tim
+
+ /* log_query gets called indirectly all over the place, so
+ pass these in global variables - sorry. */
+- daemon->log_display_id = forward->log_id;
+- daemon->log_source_addr = &forward->source;
++ daemon->log_display_id = forward->frec_src.log_id;
++ daemon->log_source_addr = &forward->frec_src.source;
+
+ if (daemon->ignore_addr && RCODE(header) == NOERROR &&
+ check_for_ignored_address(header, n, daemon->ignore_addr))
+@@ -1077,6 +1124,7 @@ void reply_query(int fd, int family, tim
+ new->sentto = server;
+ new->rfd4 = NULL;
+ new->rfd6 = NULL;
++ new->frec_src.next = NULL;
+ new->flags &= ~(FREC_DNSKEY_QUERY | FREC_DS_QUERY | FREC_HAS_EXTRADATA);
+ new->forwardall = 0;
+
+@@ -1212,9 +1260,11 @@ void reply_query(int fd, int family, tim
+
+ if ((nn = process_reply(header, now, forward->sentto, (size_t)n, check_rebind, no_cache_dnssec, cache_secure, bogusanswer,
+ forward->flags & FREC_AD_QUESTION, forward->flags & FREC_DO_QUESTION,
+- forward->flags & FREC_ADDED_PHEADER, forward->flags & FREC_HAS_SUBNET, &forward->source)))
++ forward->flags & FREC_ADDED_PHEADER, forward->flags & FREC_HAS_SUBNET, &forward->frec_src.source)))
+ {
+- header->id = htons(forward->orig_id);
++ struct frec_src *src;
++
++ header->id = htons(forward->frec_src.orig_id);
+ header->hb4 |= HB4_RA; /* recursion if available */
+ #ifdef HAVE_DNSSEC
+ /* We added an EDNSO header for the purpose of getting DNSSEC RRs, and set the value of the UDP payload size
+@@ -1230,13 +1280,26 @@ void reply_query(int fd, int family, tim
+ }
+ #endif
+
++ for (src = &forward->frec_src; src; src = src->next)
++ {
++ header->id = htons(src->orig_id);
++
+ #ifdef HAVE_DUMPFILE
+- dump_packet(DUMP_REPLY, daemon->packet, (size_t)nn, NULL, &forward->source);
++ dump_packet(DUMP_REPLY, daemon->packet, (size_t)nn, NULL, &src->source);
+ #endif
+-
+- send_from(forward->fd, option_bool(OPT_NOWILD) || option_bool (OPT_CLEVERBIND), daemon->packet, nn,
+- &forward->source, &forward->dest, forward->iface);
++
++ send_from(forward->fd, option_bool(OPT_NOWILD) || option_bool (OPT_CLEVERBIND), daemon->packet, nn,
++ &src->source, &src->dest, src->iface);
++
++ if (option_bool(OPT_EXTRALOG) && src != &forward->frec_src)
++ {
++ daemon->log_display_id = src->log_id;
++ daemon->log_source_addr = &src->source;
++ log_query(F_UPSTREAM, "query", NULL, "duplicate");
++ }
++ }
+ }
++
+ free_frec(forward); /* cancel */
+ }
+ }
+@@ -2198,6 +2261,17 @@ void free_rfd(struct randfd *rfd)
+
+ static void free_frec(struct frec *f)
+ {
++ struct frec_src *src, *tmp;
++
++ /* add back to freelist of not the record builtin to every frec. */
++ for (src = f->frec_src.next; src; src = tmp)
++ {
++ tmp = src->next;
++ src->next = daemon->free_frec_src;
++ daemon->free_frec_src = src;
++ }
++
++ f->frec_src.next = NULL;
+ free_rfd(f->rfd4);
+ f->rfd4 = NULL;
+ f->sentto = NULL;
+@@ -2339,17 +2413,39 @@ static struct frec *lookup_frec_by_sende
+ void *hash)
+ {
+ struct frec *f;
++ struct frec_src *src;
++
++ for (f = daemon->frec_list; f; f = f->next)
++ if (f->sentto &&
++ !(f->flags & (FREC_DNSKEY_QUERY | FREC_DS_QUERY)) &&
++ memcmp(hash, f->hash, HASH_SIZE) == 0)
++ for (src = &f->frec_src; src; src = src->next)
++ if (src->orig_id == id &&
++ sockaddr_isequal(&src->source, addr))
++ return f;
++
++ return NULL;
++}
++
++static struct frec *lookup_frec_by_query(void *hash, unsigned int flags)
++{
++ struct frec *f;
++
++ /* FREC_DNSKEY and FREC_DS_QUERY are never set in flags, so the test below
++ ensures that no frec created for internal DNSSEC query can be returned here. */
++
++#define FLAGMASK (FREC_CHECKING_DISABLED | FREC_AD_QUESTION | FREC_DO_QUESTION \
++ | FREC_HAS_PHEADER | FREC_DNSKEY_QUERY | FREC_DS_QUERY)
+
+ for(f = daemon->frec_list; f; f = f->next)
+ if (f->sentto &&
+- f->orig_id == id &&
+- memcmp(hash, f->hash, HASH_SIZE) == 0 &&
+- sockaddr_isequal(&f->source, addr))
++ (f->flags & FLAGMASK) == flags &&
++ memcmp(hash, f->hash, HASH_SIZE) == 0)
+ return f;
+-
++
+ return NULL;
+ }
+-
++
+ /* Send query packet again, if we can. */
+ void resend_query()
+ {
diff --git a/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25686-2.patch b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25686-2.patch
new file mode 100644
index 0000000000..a6ffd37260
--- /dev/null
+++ b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25686-2.patch
@@ -0,0 +1,63 @@
+From 6a6e06fbb0d4690507ceaf2bb6f0d8910f3d4914 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Fri, 4 Dec 2020 18:35:11 +0000
+Subject: [PATCH] Small cleanups in frec_src datastucture handling.
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+---
+ src/forward.c | 22 +++++++++++++---------
+ 1 file changed, 13 insertions(+), 9 deletions(-)
+
+CVE: CVE-2020-25686
+Upstream-Status: Backport [http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=6a6e06fbb0d4690507ceaf2bb6f0d8910f3d4914]
+Comment: No change in any hunk
+
+Index: dnsmasq-2.81/src/forward.c
+===================================================================
+--- dnsmasq-2.81.orig/src/forward.c
++++ dnsmasq-2.81/src/forward.c
+@@ -364,7 +364,10 @@ static int forward_query(int udpfd, unio
+ if (!daemon->free_frec_src &&
+ daemon->frec_src_count < daemon->ftabsize &&
+ (daemon->free_frec_src = whine_malloc(sizeof(struct frec_src))))
+- daemon->frec_src_count++;
++ {
++ daemon->frec_src_count++;
++ daemon->free_frec_src->next = NULL;
++ }
+
+ /* If we've been spammed with many duplicates, just drop the query. */
+ if (daemon->free_frec_src)
+@@ -401,6 +404,7 @@ static int forward_query(int udpfd, unio
+ forward->frec_src.orig_id = ntohs(header->id);
+ forward->frec_src.dest = *dst_addr;
+ forward->frec_src.iface = dst_iface;
++ forward->frec_src.next = NULL;
+ forward->new_id = get_id();
+ forward->fd = udpfd;
+ memcpy(forward->hash, hash, HASH_SIZE);
+@@ -2261,16 +2265,16 @@ void free_rfd(struct randfd *rfd)
+
+ static void free_frec(struct frec *f)
+ {
+- struct frec_src *src, *tmp;
+-
+- /* add back to freelist of not the record builtin to every frec. */
+- for (src = f->frec_src.next; src; src = tmp)
++ struct frec_src *last;
++
++ /* add back to freelist if not the record builtin to every frec. */
++ for (last = f->frec_src.next; last && last->next; last = last->next) ;
++ if (last)
+ {
+- tmp = src->next;
+- src->next = daemon->free_frec_src;
+- daemon->free_frec_src = src;
++ last->next = daemon->free_frec_src;
++ daemon->free_frec_src = f->frec_src.next;
+ }
+-
++
+ f->frec_src.next = NULL;
+ free_rfd(f->rfd4);
+ f->rfd4 = NULL;
--
2.17.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
end of thread, other threads:[~2021-05-30 18:34 UTC | newest]
Thread overview: 13+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-05-30 18:34 [dunfell 00/12] Patch review May 30th Armin Kuster
2021-05-30 18:34 ` [dunfell 01/12] exiv2: Fix CVE-2021-29457 Armin Kuster
2021-05-30 18:34 ` [dunfell 02/12] exiv2: Fix CVE-2021-29458 Armin Kuster
2021-05-30 18:34 ` [dunfell 03/12] exiv2: Fix CVE-2021-29463 Armin Kuster
2021-05-30 18:34 ` [dunfell 04/12] exiv2: Fix CVE-2021-3482 Armin Kuster
2021-05-30 18:34 ` [dunfell 05/12] exiv2: Fix CVE-2021-29464 Armin Kuster
2021-05-30 18:34 ` [dunfell 06/12] exiv2: Fix CVE-2021-29470 Armin Kuster
2021-05-30 18:34 ` [dunfell 07/12] exiv2: Fix CVE-2021-29473 Armin Kuster
2021-05-30 18:34 ` [dunfell 08/12] libsdl: Fix CVE-2019-13616 Armin Kuster
2021-05-30 18:34 ` [dunfell 09/12] hostapd: fix building with CONFIG_TLS=internal Armin Kuster
2021-05-30 18:34 ` [dunfell 10/12] opencv: Add fix for CVE-2019-5063 and CVE-2019-5064 Armin Kuster
2021-05-30 18:34 ` [dunfell 11/12] ebtables: use bitbake optimization levels Armin Kuster
2021-05-30 18:34 ` [dunfell 12/12] dnsmasq: Add fixes for CVEs reported for dnsmasq Armin Kuster
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.