diff options
Diffstat (limited to 'meta-oe/recipes-support/c-ares')
11 files changed, 1260 insertions, 345 deletions
diff --git a/meta-oe/recipes-support/c-ares/c-ares/0001-fix-configure-error-mv-libcares.pc.cmakein-to-libcar.patch b/meta-oe/recipes-support/c-ares/c-ares/0001-fix-configure-error-mv-libcares.pc.cmakein-to-libcar.patch deleted file mode 100644 index 8f15f8424c..0000000000 --- a/meta-oe/recipes-support/c-ares/c-ares/0001-fix-configure-error-mv-libcares.pc.cmakein-to-libcar.patch +++ /dev/null @@ -1,27 +0,0 @@ -From f2f1e134bf5d9d0789942848e03006af8d926cf8 Mon Sep 17 00:00:00 2001 -From: Wang Mingyu <wangmy@cn.fujitsu.com> -Date: Tue, 17 Mar 2020 12:53:35 +0800 -Subject: [PATCH] fix configure error : mv libcares.pc.cmakein to - libcares.pc.cmake - -Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com> ---- - CMakeLists.txt | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/CMakeLists.txt b/CMakeLists.txt -index 3a5878d..c2e5740 100644 ---- a/CMakeLists.txt -+++ b/CMakeLists.txt -@@ -563,7 +563,7 @@ IF (CARES_STATIC) - ENDIF() - - # Write ares_config.h configuration file. This is used only for the build. --CONFIGURE_FILE (libcares.pc.cmakein ${PROJECT_BINARY_DIR}/libcares.pc @ONLY) -+CONFIGURE_FILE (libcares.pc.cmake ${PROJECT_BINARY_DIR}/libcares.pc @ONLY) - - - --- -2.17.1 - diff --git a/meta-oe/recipes-support/c-ares/c-ares/CVE-2022-4904.patch b/meta-oe/recipes-support/c-ares/c-ares/CVE-2022-4904.patch new file mode 100644 index 0000000000..fb0aee372f --- /dev/null +++ b/meta-oe/recipes-support/c-ares/c-ares/CVE-2022-4904.patch @@ -0,0 +1,67 @@ +From 9903253c347f9e0bffd285ae3829aef251cc852d Mon Sep 17 00:00:00 2001 +From: hopper-vul <118949689+hopper-vul@users.noreply.github.com> +Date: Wed, 18 Jan 2023 22:14:26 +0800 +Subject: [PATCH] Add str len check in config_sortlist to avoid stack overflow + (#497) + +In ares_set_sortlist, it calls config_sortlist(..., sortstr) to parse +the input str and initialize a sortlist configuration. + +However, ares_set_sortlist has not any checks about the validity of the input str. +It is very easy to create an arbitrary length stack overflow with the unchecked +`memcpy(ipbuf, str, q-str);` and `memcpy(ipbufpfx, str, q-str);` +statements in the config_sortlist call, which could potentially cause severe +security impact in practical programs. + +This commit add necessary check for `ipbuf` and `ipbufpfx` which avoid the +potential stack overflows. + +fixes #496 + +Fix By: @hopper-vul + +CVE: CVE-2022-4904 +Upstream-Status: Backport [https://github.com/c-ares/c-ares/commit/9903253c347f9e0bffd285ae3829aef251cc852d] + +Signed-off-by: Peter Marko <peter.marko@siemens.com> +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/lib/ares_init.c | 4 ++++ + test/ares-test-init.cc | 2 ++ + 2 files changed, 6 insertions(+) + +diff --git a/src/lib/ares_init.c b/src/lib/ares_init.c +index 51668a5c..3f9cec65 100644 +--- a/src/lib/ares_init.c ++++ b/src/lib/ares_init.c +@@ -1913,6 +1913,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort, + q = str; + while (*q && *q != '/' && *q != ';' && !ISSPACE(*q)) + q++; ++ if (q-str >= 16) ++ return ARES_EBADSTR; + memcpy(ipbuf, str, q-str); + ipbuf[q-str] = '\0'; + /* Find the prefix */ +@@ -1921,6 +1923,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort, + const char *str2 = q+1; + while (*q && *q != ';' && !ISSPACE(*q)) + q++; ++ if (q-str >= 32) ++ return ARES_EBADSTR; + memcpy(ipbufpfx, str, q-str); + ipbufpfx[q-str] = '\0'; + str = str2; +diff --git a/test/ares-test-init.cc b/test/ares-test-init.cc +index 63c6a228..ee845181 100644 +--- a/test/ares-test-init.cc ++++ b/test/ares-test-init.cc +@@ -275,6 +275,8 @@ TEST_F(DefaultChannelTest, SetAddresses) { + + TEST_F(DefaultChannelTest, SetSortlistFailures) { + EXPECT_EQ(ARES_ENODATA, ares_set_sortlist(nullptr, "1.2.3.4")); ++ EXPECT_EQ(ARES_EBADSTR, ares_set_sortlist(channel_, "111.111.111.111*/16")); ++ EXPECT_EQ(ARES_EBADSTR, ares_set_sortlist(channel_, "111.111.111.111/255.255.255.240*")); + EXPECT_EQ(ARES_SUCCESS, ares_set_sortlist(channel_, "xyzzy ; lwk")); + EXPECT_EQ(ARES_SUCCESS, ares_set_sortlist(channel_, "xyzzy ; 0x123")); + } diff --git a/meta-oe/recipes-support/c-ares/c-ares/CVE-2023-31130.patch b/meta-oe/recipes-support/c-ares/c-ares/CVE-2023-31130.patch new file mode 100644 index 0000000000..603d2687d5 --- /dev/null +++ b/meta-oe/recipes-support/c-ares/c-ares/CVE-2023-31130.patch @@ -0,0 +1,329 @@ +From f22cc01039b6473b736d3bf438f56a2654cdf2b2 Mon Sep 17 00:00:00 2001 +From: Brad House <brad@brad-house.com> +Date: Mon, 22 May 2023 06:51:34 -0400 +Subject: [PATCH] Merge pull request from GHSA-x6mf-cxr9-8q6v + +* Merged latest OpenBSD changes for inet_net_pton_ipv6() into c-ares. +* Always use our own IP conversion functions now, do not delegate to OS + so we can have consistency in testing and fuzzing. +* Removed bogus test cases that never should have passed. +* Add new test case for crash bug found. + +Fix By: Brad House (@bradh352) + +Upstream-Status: Backport [https://github.com/c-ares/c-ares/commit/f22cc01039b6473b736d3bf438f56a2654cdf2b2] +CVE: CVE-2023-31130 + +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + src/lib/inet_net_pton.c | 155 ++++++++++++++++++++----------------- + test/ares-test-internal.cc | 7 +- + 2 files changed, 86 insertions(+), 76 deletions(-) + +diff --git a/src/lib/inet_net_pton.c b/src/lib/inet_net_pton.c +index 840de506..fc50425b 100644 +--- a/src/lib/inet_net_pton.c ++++ b/src/lib/inet_net_pton.c +@@ -1,19 +1,20 @@ + + /* +- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC") ++ * Copyright (c) 2012 by Gilles Chehade <gilles@openbsd.org> + * Copyright (c) 1996,1999 by Internet Software Consortium. + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * +- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES +- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR +- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT +- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. ++ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS ++ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES ++ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE ++ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL ++ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR ++ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ++ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS ++ * SOFTWARE. + */ + + #include "ares_setup.h" +@@ -35,9 +36,6 @@ + + const struct ares_in6_addr ares_in6addr_any = { { { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 } } }; + +- +-#ifndef HAVE_INET_NET_PTON +- + /* + * static int + * inet_net_pton_ipv4(src, dst, size) +@@ -60,7 +58,7 @@ const struct ares_in6_addr ares_in6addr_any = { { { 0,0,0,0,0,0,0,0,0,0,0,0,0,0, + * Paul Vixie (ISC), June 1996 + */ + static int +-inet_net_pton_ipv4(const char *src, unsigned char *dst, size_t size) ++ares_inet_net_pton_ipv4(const char *src, unsigned char *dst, size_t size) + { + static const char xdigits[] = "0123456789abcdef"; + static const char digits[] = "0123456789"; +@@ -261,19 +259,14 @@ getv4(const char *src, unsigned char *dst, int *bitsp) + } + + static int +-inet_net_pton_ipv6(const char *src, unsigned char *dst, size_t size) ++ares_inet_pton6(const char *src, unsigned char *dst) + { + static const char xdigits_l[] = "0123456789abcdef", +- xdigits_u[] = "0123456789ABCDEF"; ++ xdigits_u[] = "0123456789ABCDEF"; + unsigned char tmp[NS_IN6ADDRSZ], *tp, *endp, *colonp; + const char *xdigits, *curtok; +- int ch, saw_xdigit; ++ int ch, saw_xdigit, count_xdigit; + unsigned int val; +- int digits; +- int bits; +- size_t bytes; +- int words; +- int ipv4; + + memset((tp = tmp), '\0', NS_IN6ADDRSZ); + endp = tp + NS_IN6ADDRSZ; +@@ -283,22 +276,22 @@ inet_net_pton_ipv6(const char *src, unsigned char *dst, size_t size) + if (*++src != ':') + goto enoent; + curtok = src; +- saw_xdigit = 0; ++ saw_xdigit = count_xdigit = 0; + val = 0; +- digits = 0; +- bits = -1; +- ipv4 = 0; + while ((ch = *src++) != '\0') { + const char *pch; + + if ((pch = strchr((xdigits = xdigits_l), ch)) == NULL) + pch = strchr((xdigits = xdigits_u), ch); + if (pch != NULL) { ++ if (count_xdigit >= 4) ++ goto enoent; + val <<= 4; +- val |= aresx_sztoui(pch - xdigits); +- if (++digits > 4) ++ val |= (pch - xdigits); ++ if (val > 0xffff) + goto enoent; + saw_xdigit = 1; ++ count_xdigit++; + continue; + } + if (ch == ':') { +@@ -308,78 +301,107 @@ inet_net_pton_ipv6(const char *src, unsigned char *dst, size_t size) + goto enoent; + colonp = tp; + continue; +- } else if (*src == '\0') ++ } else if (*src == '\0') { + goto enoent; ++ } + if (tp + NS_INT16SZ > endp) +- return (0); +- *tp++ = (unsigned char)((val >> 8) & 0xff); +- *tp++ = (unsigned char)(val & 0xff); ++ goto enoent; ++ *tp++ = (unsigned char) (val >> 8) & 0xff; ++ *tp++ = (unsigned char) val & 0xff; + saw_xdigit = 0; +- digits = 0; ++ count_xdigit = 0; + val = 0; + continue; + } + if (ch == '.' && ((tp + NS_INADDRSZ) <= endp) && +- getv4(curtok, tp, &bits) > 0) { +- tp += NS_INADDRSZ; ++ ares_inet_net_pton_ipv4(curtok, tp, INADDRSZ) > 0) { ++ tp += INADDRSZ; + saw_xdigit = 0; +- ipv4 = 1; ++ count_xdigit = 0; + break; /* '\0' was seen by inet_pton4(). */ + } +- if (ch == '/' && getbits(src, &bits) > 0) +- break; + goto enoent; + } + if (saw_xdigit) { + if (tp + NS_INT16SZ > endp) + goto enoent; +- *tp++ = (unsigned char)((val >> 8) & 0xff); +- *tp++ = (unsigned char)(val & 0xff); ++ *tp++ = (unsigned char) (val >> 8) & 0xff; ++ *tp++ = (unsigned char) val & 0xff; + } +- if (bits == -1) +- bits = 128; +- +- words = (bits + 15) / 16; +- if (words < 2) +- words = 2; +- if (ipv4) +- words = 8; +- endp = tmp + 2 * words; +- + if (colonp != NULL) { + /* + * Since some memmove()'s erroneously fail to handle + * overlapping regions, we'll do the shift by hand. + */ +- const ares_ssize_t n = tp - colonp; +- ares_ssize_t i; ++ const int n = tp - colonp; ++ int i; + + if (tp == endp) + goto enoent; + for (i = 1; i <= n; i++) { +- *(endp - i) = *(colonp + n - i); +- *(colonp + n - i) = 0; ++ endp[- i] = colonp[n - i]; ++ colonp[n - i] = 0; + } + tp = endp; + } + if (tp != endp) + goto enoent; + +- bytes = (bits + 7) / 8; +- if (bytes > size) +- goto emsgsize; +- memcpy(dst, tmp, bytes); +- return (bits); ++ memcpy(dst, tmp, NS_IN6ADDRSZ); ++ return (1); + +- enoent: ++enoent: + SET_ERRNO(ENOENT); + return (-1); + +- emsgsize: ++emsgsize: + SET_ERRNO(EMSGSIZE); + return (-1); + } + ++static int ++ares_inet_net_pton_ipv6(const char *src, unsigned char *dst, size_t size) ++{ ++ struct ares_in6_addr in6; ++ int ret; ++ int bits; ++ size_t bytes; ++ char buf[INET6_ADDRSTRLEN + sizeof("/128")]; ++ char *sep; ++ const char *errstr; ++ ++ if (strlen(src) >= sizeof buf) { ++ SET_ERRNO(EMSGSIZE); ++ return (-1); ++ } ++ strncpy(buf, src, sizeof buf); ++ ++ sep = strchr(buf, '/'); ++ if (sep != NULL) ++ *sep++ = '\0'; ++ ++ ret = ares_inet_pton6(buf, (unsigned char *)&in6); ++ if (ret != 1) ++ return (-1); ++ ++ if (sep == NULL) ++ bits = 128; ++ else { ++ if (!getbits(sep, &bits)) { ++ SET_ERRNO(ENOENT); ++ return (-1); ++ } ++ } ++ ++ bytes = (bits + 7) / 8; ++ if (bytes > size) { ++ SET_ERRNO(EMSGSIZE); ++ return (-1); ++ } ++ memcpy(dst, &in6, bytes); ++ return (bits); ++} ++ + /* + * int + * inet_net_pton(af, src, dst, size) +@@ -403,18 +425,15 @@ ares_inet_net_pton(int af, const char *src, void *dst, size_t size) + { + switch (af) { + case AF_INET: +- return (inet_net_pton_ipv4(src, dst, size)); ++ return (ares_inet_net_pton_ipv4(src, dst, size)); + case AF_INET6: +- return (inet_net_pton_ipv6(src, dst, size)); ++ return (ares_inet_net_pton_ipv6(src, dst, size)); + default: + SET_ERRNO(EAFNOSUPPORT); + return (-1); + } + } + +-#endif /* HAVE_INET_NET_PTON */ +- +-#ifndef HAVE_INET_PTON + int ares_inet_pton(int af, const char *src, void *dst) + { + int result; +@@ -434,11 +453,3 @@ int ares_inet_pton(int af, const char *src, void *dst) + return 0; + return (result > -1 ? 1 : -1); + } +-#else /* HAVE_INET_PTON */ +-int ares_inet_pton(int af, const char *src, void *dst) +-{ +- /* just relay this to the underlying function */ +- return inet_pton(af, src, dst); +-} +- +-#endif +diff --git a/test/ares-test-internal.cc b/test/ares-test-internal.cc +index 96d4edec..161f0a5c 100644 +--- a/test/ares-test-internal.cc ++++ b/test/ares-test-internal.cc +@@ -81,6 +81,7 @@ TEST_F(LibraryTest, InetPtoN) { + EXPECT_EQ(0, ares_inet_net_pton(AF_INET6, "12:34::ff/0", &a6, sizeof(a6))); + EXPECT_EQ(16 * 8, ares_inet_net_pton(AF_INET6, "12:34::ffff:0.2", &a6, sizeof(a6))); + EXPECT_EQ(16 * 8, ares_inet_net_pton(AF_INET6, "1234:1234:1234:1234:1234:1234:1234:1234", &a6, sizeof(a6))); ++ EXPECT_EQ(2, ares_inet_net_pton(AF_INET6, "0::00:00:00/2", &a6, sizeof(a6))); + + // Various malformed versions + EXPECT_EQ(-1, ares_inet_net_pton(AF_INET, "", &a4, sizeof(a4))); +@@ -118,11 +119,9 @@ TEST_F(LibraryTest, InetPtoN) { + EXPECT_EQ(-1, ares_inet_net_pton(AF_INET6, ":1234:1234:1234:1234:1234:1234:1234:1234", &a6, sizeof(a6))); + EXPECT_EQ(-1, ares_inet_net_pton(AF_INET6, ":1234:1234:1234:1234:1234:1234:1234:1234:", &a6, sizeof(a6))); + EXPECT_EQ(-1, ares_inet_net_pton(AF_INET6, "1234:1234:1234:1234:1234:1234:1234:1234:5678", &a6, sizeof(a6))); +- // TODO(drysdale): check whether the next two tests should give -1. +- EXPECT_EQ(0, ares_inet_net_pton(AF_INET6, "1234:1234:1234:1234:1234:1234:1234:1234:5678:5678", &a6, sizeof(a6))); +- EXPECT_EQ(0, ares_inet_net_pton(AF_INET6, "1234:1234:1234:1234:1234:1234:1234:1234:5678:5678:5678", &a6, sizeof(a6))); ++ EXPECT_EQ(-1, ares_inet_net_pton(AF_INET6, "1234:1234:1234:1234:1234:1234:1234:1234:5678:5678", &a6, sizeof(a6))); ++ EXPECT_EQ(-1, ares_inet_net_pton(AF_INET6, "1234:1234:1234:1234:1234:1234:1234:1234:5678:5678:5678", &a6, sizeof(a6))); + EXPECT_EQ(-1, ares_inet_net_pton(AF_INET6, "12:34::ffff:257.2.3.4", &a6, sizeof(a6))); +- EXPECT_EQ(-1, ares_inet_net_pton(AF_INET6, "12:34::ffff:002.2.3.4", &a6, sizeof(a6))); + EXPECT_EQ(-1, ares_inet_net_pton(AF_INET6, "12:34::ffff:1.2.3.4.5.6", &a6, sizeof(a6))); + EXPECT_EQ(-1, ares_inet_net_pton(AF_INET6, "12:34::ffff:1.2.3.4.5", &a6, sizeof(a6))); + EXPECT_EQ(-1, ares_inet_net_pton(AF_INET6, "12:34::ffff:1.2.3.z", &a6, sizeof(a6))); +-- +2.25.1 + diff --git a/meta-oe/recipes-support/c-ares/c-ares/CVE-2023-31147.patch b/meta-oe/recipes-support/c-ares/c-ares/CVE-2023-31147.patch new file mode 100644 index 0000000000..ba17721a58 --- /dev/null +++ b/meta-oe/recipes-support/c-ares/c-ares/CVE-2023-31147.patch @@ -0,0 +1,717 @@ +From 823df3b989e59465d17b0a2eb1239a5fc048b4e5 Mon Sep 17 00:00:00 2001 +From: Brad House <brad@brad-house.com> +Date: Mon, 22 May 2023 06:51:06 -0400 +Subject: [PATCH] Merge pull request from GHSA-8r8p-23f3-64c2 + +* segment random number generation into own file + +* abstract random code to make it more modular so we can have multiple backends + +* rand: add support for arc4random_buf() and also direct CARES_RANDOM_FILE reading + +* autotools: fix detection of arc4random_buf + +* rework initial rc4 seed for PRNG as last fallback + +* rc4: more proper implementation, simplified for clarity + +* clarifications + +Upstream-Status: Backport [https://github.com/c-ares/c-ares/commit/823df3b989e59465d17b0a2eb1239a5fc048b4e5] +CVE: CVE-2023-31147 + +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + CMakeLists.txt | 2 + + configure.ac | 1 + + m4/cares-functions.m4 | 85 +++++++++++ + src/lib/Makefile.inc | 1 + + src/lib/ares_config.h.cmake | 3 + + src/lib/ares_destroy.c | 3 + + src/lib/ares_init.c | 82 ++--------- + src/lib/ares_private.h | 19 ++- + src/lib/ares_query.c | 36 +---- + src/lib/ares_rand.c | 274 ++++++++++++++++++++++++++++++++++++ + 10 files changed, 387 insertions(+), 119 deletions(-) + create mode 100644 src/lib/ares_rand.c + +diff --git a/CMakeLists.txt b/CMakeLists.txt +index 194485a3..1fb9af55 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -386,6 +386,8 @@ CHECK_SYMBOL_EXISTS (strncasecmp "${CMAKE_EXTRA_INCLUDE_FILES}" HAVE_STRNCAS + CHECK_SYMBOL_EXISTS (strncmpi "${CMAKE_EXTRA_INCLUDE_FILES}" HAVE_STRNCMPI) + CHECK_SYMBOL_EXISTS (strnicmp "${CMAKE_EXTRA_INCLUDE_FILES}" HAVE_STRNICMP) + CHECK_SYMBOL_EXISTS (writev "${CMAKE_EXTRA_INCLUDE_FILES}" HAVE_WRITEV) ++CHECK_SYMBOL_EXISTS (arc4random_buf "${CMAKE_EXTRA_INCLUDE_FILES}" HAVE_ARC4RANDOM_BUF) ++ + + # On Android, the system headers may define __system_property_get(), but excluded + # from libc. We need to perform a link test instead of a header/symbol test. +diff --git a/configure.ac b/configure.ac +index 1d0fb5ce..9a763696 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -683,6 +683,7 @@ CARES_CHECK_FUNC_STRNCASECMP + CARES_CHECK_FUNC_STRNCMPI + CARES_CHECK_FUNC_STRNICMP + CARES_CHECK_FUNC_WRITEV ++CARES_CHECK_FUNC_ARC4RANDOM_BUF + + + dnl check for AF_INET6 +diff --git a/m4/cares-functions.m4 b/m4/cares-functions.m4 +index 0f3992c7..d4f4f994 100644 +--- a/m4/cares-functions.m4 ++++ b/m4/cares-functions.m4 +@@ -3753,3 +3753,88 @@ AC_DEFUN([CARES_CHECK_FUNC_WRITEV], [ + ac_cv_func_writev="no" + fi + ]) ++ ++dnl CARES_CHECK_FUNC_ARC4RANDOM_BUF ++dnl ------------------------------------------------- ++dnl Verify if arc4random_buf is available, prototyped, and ++dnl can be compiled. If all of these are true, and ++dnl usage has not been previously disallowed with ++dnl shell variable cares_disallow_arc4random_buf, then ++dnl HAVE_ARC4RANDOM_BUF will be defined. ++ ++AC_DEFUN([CARES_CHECK_FUNC_ARC4RANDOM_BUF], [ ++ AC_REQUIRE([CARES_INCLUDES_STDLIB])dnl ++ # ++ tst_links_arc4random_buf="unknown" ++ tst_proto_arc4random_buf="unknown" ++ tst_compi_arc4random_buf="unknown" ++ tst_allow_arc4random_buf="unknown" ++ # ++ AC_MSG_CHECKING([if arc4random_buf can be linked]) ++ AC_LINK_IFELSE([ ++ AC_LANG_FUNC_LINK_TRY([arc4random_buf]) ++ ],[ ++ AC_MSG_RESULT([yes]) ++ tst_links_arc4random_buf="yes" ++ ],[ ++ AC_MSG_RESULT([no]) ++ tst_links_arc4random_buf="no" ++ ]) ++ # ++ if test "$tst_links_arc4random_buf" = "yes"; then ++ AC_MSG_CHECKING([if arc4random_buf is prototyped]) ++ AC_EGREP_CPP([arc4random_buf],[ ++ $cares_includes_stdlib ++ ],[ ++ AC_MSG_RESULT([yes]) ++ tst_proto_arc4random_buf="yes" ++ ],[ ++ AC_MSG_RESULT([no]) ++ tst_proto_arc4random_buf="no" ++ ]) ++ fi ++ # ++ if test "$tst_proto_arc4random_buf" = "yes"; then ++ AC_MSG_CHECKING([if arc4random_buf is compilable]) ++ AC_COMPILE_IFELSE([ ++ AC_LANG_PROGRAM([[ ++ $cares_includes_stdlib ++ ]],[[ ++ arc4random_buf(NULL, 0); ++ return 1; ++ ]]) ++ ],[ ++ AC_MSG_RESULT([yes]) ++ tst_compi_arc4random_buf="yes" ++ ],[ ++ AC_MSG_RESULT([no]) ++ tst_compi_arc4random_buf="no" ++ ]) ++ fi ++ # ++ if test "$tst_compi_arc4random_buf" = "yes"; then ++ AC_MSG_CHECKING([if arc4random_buf usage allowed]) ++ if test "x$cares_disallow_arc4random_buf" != "xyes"; then ++ AC_MSG_RESULT([yes]) ++ tst_allow_arc4random_buf="yes" ++ else ++ AC_MSG_RESULT([no]) ++ tst_allow_arc4random_buf="no" ++ fi ++ fi ++ # ++ AC_MSG_CHECKING([if arc4random_buf might be used]) ++ if test "$tst_links_arc4random_buf" = "yes" && ++ test "$tst_proto_arc4random_buf" = "yes" && ++ test "$tst_compi_arc4random_buf" = "yes" && ++ test "$tst_allow_arc4random_buf" = "yes"; then ++ AC_MSG_RESULT([yes]) ++ AC_DEFINE_UNQUOTED(HAVE_ARC4RANDOM_BUF, 1, ++ [Define to 1 if you have the arc4random_buf function.]) ++ ac_cv_func_arc4random_buf="yes" ++ else ++ AC_MSG_RESULT([no]) ++ ac_cv_func_arc4random_buf="no" ++ fi ++]) ++ +diff --git a/src/lib/Makefile.inc b/src/lib/Makefile.inc +index a3b060c2..72a7673c 100644 +--- a/src/lib/Makefile.inc ++++ b/src/lib/Makefile.inc +@@ -45,6 +45,7 @@ CSOURCES = ares__addrinfo2hostent.c \ + ares_platform.c \ + ares_process.c \ + ares_query.c \ ++ ares_rand.c \ + ares_search.c \ + ares_send.c \ + ares_strcasecmp.c \ +diff --git a/src/lib/ares_config.h.cmake b/src/lib/ares_config.h.cmake +index fddb7853..798820a3 100644 +--- a/src/lib/ares_config.h.cmake ++++ b/src/lib/ares_config.h.cmake +@@ -346,6 +346,9 @@ + /* Define to 1 if you need the memory.h header file even with stdlib.h */ + #cmakedefine NEED_MEMORY_H + ++/* Define if have arc4random_buf() */ ++#cmakedefine HAVE_ARC4RANDOM_BUF ++ + /* a suitable file/device to read random data from */ + #cmakedefine CARES_RANDOM_FILE "@CARES_RANDOM_FILE@" + +diff --git a/src/lib/ares_destroy.c b/src/lib/ares_destroy.c +index fed2009a..0447af4c 100644 +--- a/src/lib/ares_destroy.c ++++ b/src/lib/ares_destroy.c +@@ -90,6 +90,9 @@ void ares_destroy(ares_channel channel) + if (channel->resolvconf_path) + ares_free(channel->resolvconf_path); + ++ if (channel->rand_state) ++ ares__destroy_rand_state(channel->rand_state); ++ + ares_free(channel); + } + +diff --git a/src/lib/ares_init.c b/src/lib/ares_init.c +index de5d86c9..2607ed6f 100644 +--- a/src/lib/ares_init.c ++++ b/src/lib/ares_init.c +@@ -72,7 +72,6 @@ static int config_nameserver(struct server_state **servers, int *nservers, + static int set_search(ares_channel channel, const char *str); + static int set_options(ares_channel channel, const char *str); + static const char *try_option(const char *p, const char *q, const char *opt); +-static int init_id_key(rc4_key* key,int key_data_len); + + static int config_sortlist(struct apattern **sortlist, int *nsort, + const char *str); +@@ -149,6 +148,7 @@ int ares_init_options(ares_channel *channelptr, struct ares_options *options, + channel->sock_funcs = NULL; + channel->sock_func_cb_data = NULL; + channel->resolvconf_path = NULL; ++ channel->rand_state = NULL; + + channel->last_server = 0; + channel->last_timeout_processed = (time_t)now.tv_sec; +@@ -202,9 +202,13 @@ int ares_init_options(ares_channel *channelptr, struct ares_options *options, + /* Generate random key */ + + if (status == ARES_SUCCESS) { +- status = init_id_key(&channel->id_key, ARES_ID_KEY_LEN); ++ channel->rand_state = ares__init_rand_state(); ++ if (channel->rand_state == NULL) { ++ status = ARES_ENOMEM; ++ } ++ + if (status == ARES_SUCCESS) +- channel->next_id = ares__generate_new_id(&channel->id_key); ++ channel->next_id = ares__generate_new_id(channel->rand_state); + else + DEBUGF(fprintf(stderr, "Error: init_id_key failed: %s\n", + ares_strerror(status))); +@@ -224,6 +228,8 @@ done: + ares_free(channel->lookups); + if(channel->resolvconf_path) + ares_free(channel->resolvconf_path); ++ if (channel->rand_state) ++ ares__destroy_rand_state(channel->rand_state); + ares_free(channel); + return status; + } +@@ -2495,76 +2501,6 @@ static int sortlist_alloc(struct apattern **sortlist, int *nsort, + return 1; + } + +-/* initialize an rc4 key. If possible a cryptographically secure random key +- is generated using a suitable function (for example win32's RtlGenRandom as +- described in +- http://blogs.msdn.com/michael_howard/archive/2005/01/14/353379.aspx +- otherwise the code defaults to cross-platform albeit less secure mechanism +- using rand +-*/ +-static void randomize_key(unsigned char* key,int key_data_len) +-{ +- int randomized = 0; +- int counter=0; +-#ifdef WIN32 +- BOOLEAN res; +- if (ares_fpSystemFunction036) +- { +- res = (*ares_fpSystemFunction036) (key, key_data_len); +- if (res) +- randomized = 1; +- } +-#else /* !WIN32 */ +-#ifdef CARES_RANDOM_FILE +- FILE *f = fopen(CARES_RANDOM_FILE, "rb"); +- if(f) { +- setvbuf(f, NULL, _IONBF, 0); +- counter = aresx_uztosi(fread(key, 1, key_data_len, f)); +- fclose(f); +- } +-#endif +-#endif /* WIN32 */ +- +- if (!randomized) { +- for (;counter<key_data_len;counter++) +- key[counter]=(unsigned char)(rand() % 256); /* LCOV_EXCL_LINE */ +- } +-} +- +-static int init_id_key(rc4_key* key,int key_data_len) +-{ +- unsigned char index1; +- unsigned char index2; +- unsigned char* state; +- short counter; +- unsigned char *key_data_ptr = 0; +- +- key_data_ptr = ares_malloc(key_data_len); +- if (!key_data_ptr) +- return ARES_ENOMEM; +- memset(key_data_ptr, 0, key_data_len); +- +- state = &key->state[0]; +- for(counter = 0; counter < 256; counter++) +- /* unnecessary AND but it keeps some compilers happier */ +- state[counter] = (unsigned char)(counter & 0xff); +- randomize_key(key->state,key_data_len); +- key->x = 0; +- key->y = 0; +- index1 = 0; +- index2 = 0; +- for(counter = 0; counter < 256; counter++) +- { +- index2 = (unsigned char)((key_data_ptr[index1] + state[counter] + +- index2) % 256); +- ARES_SWAP_BYTE(&state[counter], &state[index2]); +- +- index1 = (unsigned char)((index1 + 1) % key_data_len); +- } +- ares_free(key_data_ptr); +- return ARES_SUCCESS; +-} +- + void ares_set_local_ip4(ares_channel channel, unsigned int local_ip) + { + channel->local_ip4 = local_ip; +diff --git a/src/lib/ares_private.h b/src/lib/ares_private.h +index 60d69e08..518b5c33 100644 +--- a/src/lib/ares_private.h ++++ b/src/lib/ares_private.h +@@ -101,8 +101,6 @@ W32_FUNC const char *_w32_GetHostsFile (void); + + #endif + +-#define ARES_ID_KEY_LEN 31 +- + #include "ares_ipv6.h" + #include "ares_llist.h" + +@@ -262,12 +260,8 @@ struct apattern { + unsigned short type; + }; + +-typedef struct rc4_key +-{ +- unsigned char state[256]; +- unsigned char x; +- unsigned char y; +-} rc4_key; ++struct ares_rand_state; ++typedef struct ares_rand_state ares_rand_state; + + struct ares_channeldata { + /* Configuration data */ +@@ -302,8 +296,8 @@ struct ares_channeldata { + + /* ID to use for next query */ + unsigned short next_id; +- /* key to use when generating new ids */ +- rc4_key id_key; ++ /* random state to use when generating new ids */ ++ ares_rand_state *rand_state; + + /* Generation number to use for the next TCP socket open/close */ + int tcp_connection_generation; +@@ -359,7 +353,10 @@ void ares__close_sockets(ares_channel channel, struct server_state *server); + int ares__get_hostent(FILE *fp, int family, struct hostent **host); + int ares__read_line(FILE *fp, char **buf, size_t *bufsize); + void ares__free_query(struct query *query); +-unsigned short ares__generate_new_id(rc4_key* key); ++ ++ares_rand_state *ares__init_rand_state(void); ++void ares__destroy_rand_state(ares_rand_state *state); ++unsigned short ares__generate_new_id(ares_rand_state *state); + struct timeval ares__tvnow(void); + int ares__expand_name_validated(const unsigned char *encoded, + const unsigned char *abuf, +diff --git a/src/lib/ares_query.c b/src/lib/ares_query.c +index 508274db..42323bec 100644 +--- a/src/lib/ares_query.c ++++ b/src/lib/ares_query.c +@@ -33,32 +33,6 @@ struct qquery { + + static void qcallback(void *arg, int status, int timeouts, unsigned char *abuf, int alen); + +-static void rc4(rc4_key* key, unsigned char *buffer_ptr, int buffer_len) +-{ +- unsigned char x; +- unsigned char y; +- unsigned char* state; +- unsigned char xorIndex; +- int counter; +- +- x = key->x; +- y = key->y; +- +- state = &key->state[0]; +- for(counter = 0; counter < buffer_len; counter ++) +- { +- x = (unsigned char)((x + 1) % 256); +- y = (unsigned char)((state[x] + y) % 256); +- ARES_SWAP_BYTE(&state[x], &state[y]); +- +- xorIndex = (unsigned char)((state[x] + state[y]) % 256); +- +- buffer_ptr[counter] = (unsigned char)(buffer_ptr[counter]^state[xorIndex]); +- } +- key->x = x; +- key->y = y; +-} +- + static struct query* find_query_by_id(ares_channel channel, unsigned short id) + { + unsigned short qid; +@@ -78,7 +52,6 @@ static struct query* find_query_by_id(ares_channel channel, unsigned short id) + return NULL; + } + +- + /* a unique query id is generated using an rc4 key. Since the id may already + be used by a running query (as infrequent as it may be), a lookup is + performed per id generation. In practice this search should happen only +@@ -89,19 +62,12 @@ static unsigned short generate_unique_id(ares_channel channel) + unsigned short id; + + do { +- id = ares__generate_new_id(&channel->id_key); ++ id = ares__generate_new_id(channel->rand_state); + } while (find_query_by_id(channel, id)); + + return (unsigned short)id; + } + +-unsigned short ares__generate_new_id(rc4_key* key) +-{ +- unsigned short r=0; +- rc4(key, (unsigned char *)&r, sizeof(r)); +- return r; +-} +- + void ares_query(ares_channel channel, const char *name, int dnsclass, + int type, ares_callback callback, void *arg) + { +diff --git a/src/lib/ares_rand.c b/src/lib/ares_rand.c +new file mode 100644 +index 00000000..a564bc23 +--- /dev/null ++++ b/src/lib/ares_rand.c +@@ -0,0 +1,274 @@ ++/* Copyright 1998 by the Massachusetts Institute of Technology. ++ * Copyright (C) 2007-2013 by Daniel Stenberg ++ * ++ * Permission to use, copy, modify, and distribute this ++ * software and its documentation for any purpose and without ++ * fee is hereby granted, provided that the above copyright ++ * notice appear in all copies and that both that copyright ++ * notice and this permission notice appear in supporting ++ * documentation, and that the name of M.I.T. not be used in ++ * advertising or publicity pertaining to distribution of the ++ * software without specific, written prior permission. ++ * M.I.T. makes no representations about the suitability of ++ * this software for any purpose. It is provided "as is" ++ * without express or implied warranty. ++ */ ++ ++#include "ares_setup.h" ++#include "ares.h" ++#include "ares_private.h" ++#include "ares_nowarn.h" ++#include <stdlib.h> ++ ++typedef enum { ++ ARES_RAND_OS = 1, /* OS-provided such as RtlGenRandom or arc4random */ ++ ARES_RAND_FILE = 2, /* OS file-backed random number generator */ ++ ARES_RAND_RC4 = 3 /* Internal RC4 based PRNG */ ++} ares_rand_backend; ++ ++typedef struct ares_rand_rc4 ++{ ++ unsigned char S[256]; ++ size_t i; ++ size_t j; ++} ares_rand_rc4; ++ ++struct ares_rand_state ++{ ++ ares_rand_backend type; ++ union { ++ FILE *rand_file; ++ ares_rand_rc4 rc4; ++ } state; ++}; ++ ++ ++/* Define RtlGenRandom = SystemFunction036. This is in advapi32.dll. There is ++ * no need to dynamically load this, other software used widely does not. ++ * http://blogs.msdn.com/michael_howard/archive/2005/01/14/353379.aspx ++ * https://docs.microsoft.com/en-us/windows/win32/api/ntsecapi/nf-ntsecapi-rtlgenrandom ++ */ ++#ifdef _WIN32 ++BOOLEAN WINAPI SystemFunction036(PVOID RandomBuffer, ULONG RandomBufferLength); ++# ifndef RtlGenRandom ++# define RtlGenRandom(a,b) SystemFunction036(a,b) ++# endif ++#endif ++ ++ ++#define ARES_RC4_KEY_LEN 32 /* 256 bits */ ++ ++static unsigned int ares_u32_from_ptr(void *addr) ++{ ++ if (sizeof(void *) == 8) { ++ return (unsigned int)((((size_t)addr >> 32) & 0xFFFFFFFF) | ((size_t)addr & 0xFFFFFFFF)); ++ } ++ return (unsigned int)((size_t)addr & 0xFFFFFFFF); ++} ++ ++ ++/* initialize an rc4 key as the last possible fallback. */ ++static void ares_rc4_generate_key(ares_rand_rc4 *rc4_state, unsigned char *key, size_t key_len) ++{ ++ size_t i; ++ size_t len = 0; ++ unsigned int data; ++ struct timeval tv; ++ ++ if (key_len != ARES_RC4_KEY_LEN) ++ return; ++ ++ /* Randomness is hard to come by. Maybe the system randomizes heap and stack addresses. ++ * Maybe the current timestamp give us some randomness. ++ * Use rc4_state (heap), &i (stack), and ares__tvnow() ++ */ ++ data = ares_u32_from_ptr(rc4_state); ++ memcpy(key + len, &data, sizeof(data)); ++ len += sizeof(data); ++ ++ data = ares_u32_from_ptr(&i); ++ memcpy(key + len, &data, sizeof(data)); ++ len += sizeof(data); ++ ++ tv = ares__tvnow(); ++ data = (unsigned int)((tv.tv_sec | tv.tv_usec) & 0xFFFFFFFF); ++ memcpy(key + len, &data, sizeof(data)); ++ len += sizeof(data); ++ ++ srand(ares_u32_from_ptr(rc4_state) | ares_u32_from_ptr(&i) | (unsigned int)((tv.tv_sec | tv.tv_usec) & 0xFFFFFFFF)); ++ ++ for (i=len; i<key_len; i++) { ++ key[i]=(unsigned char)(rand() % 256); /* LCOV_EXCL_LINE */ ++ } ++} ++ ++ ++static void ares_rc4_init(ares_rand_rc4 *rc4_state) ++{ ++ unsigned char key[ARES_RC4_KEY_LEN]; ++ size_t i; ++ size_t j; ++ ++ ares_rc4_generate_key(rc4_state, key, sizeof(key)); ++ ++ for (i = 0; i < sizeof(rc4_state->S); i++) { ++ rc4_state->S[i] = i & 0xFF; ++ } ++ ++ for(i = 0, j = 0; i < 256; i++) { ++ j = (j + rc4_state->S[i] + key[i % sizeof(key)]) % 256; ++ ARES_SWAP_BYTE(&rc4_state->S[i], &rc4_state->S[j]); ++ } ++ ++ rc4_state->i = 0; ++ rc4_state->j = 0; ++} ++ ++/* Just outputs the key schedule, no need to XOR with any data since we have none */ ++static void ares_rc4_prng(ares_rand_rc4 *rc4_state, unsigned char *buf, int len) ++{ ++ unsigned char *S = rc4_state->S; ++ size_t i = rc4_state->i; ++ size_t j = rc4_state->j; ++ size_t cnt; ++ ++ for (cnt=0; cnt<len; cnt++) { ++ i = (i + 1) % 256; ++ j = (j + S[i]) % 256; ++ ++ ARES_SWAP_BYTE(&S[i], &S[j]); ++ buf[cnt] = S[(S[i] + S[j]) % 256]; ++ } ++ ++ rc4_state->i = i; ++ rc4_state->j = j; ++} ++ ++ ++static int ares__init_rand_engine(ares_rand_state *state) ++{ ++ memset(state, 0, sizeof(*state)); ++ ++#if defined(HAVE_ARC4RANDOM_BUF) || defined(_WIN32) ++ state->type = ARES_RAND_OS; ++ return 1; ++#elif defined(CARES_RANDOM_FILE) ++ state->type = ARES_RAND_FILE; ++ state->state.rand_file = fopen(CARES_RANDOM_FILE, "rb"); ++ if (state->state.rand_file) { ++ setvbuf(state->state.rand_file, NULL, _IONBF, 0); ++ return 1; ++ } ++ /* Fall-Thru on failure to RC4 */ ++#endif ++ ++ state->type = ARES_RAND_RC4; ++ ares_rc4_init(&state->state.rc4); ++ ++ /* Currently cannot fail */ ++ return 1; ++} ++ ++ ++ares_rand_state *ares__init_rand_state() ++{ ++ ares_rand_state *state = NULL; ++ ++ state = ares_malloc(sizeof(*state)); ++ if (!state) ++ return NULL; ++ ++ if (!ares__init_rand_engine(state)) { ++ ares_free(state); ++ return NULL; ++ } ++ ++ return state; ++} ++ ++ ++static void ares__clear_rand_state(ares_rand_state *state) ++{ ++ if (!state) ++ return; ++ ++ switch (state->type) { ++ case ARES_RAND_OS: ++ break; ++ case ARES_RAND_FILE: ++ fclose(state->state.rand_file); ++ break; ++ case ARES_RAND_RC4: ++ break; ++ } ++} ++ ++ ++static void ares__reinit_rand(ares_rand_state *state) ++{ ++ ares__clear_rand_state(state); ++ ares__init_rand_engine(state); ++} ++ ++ ++void ares__destroy_rand_state(ares_rand_state *state) ++{ ++ if (!state) ++ return; ++ ++ ares__clear_rand_state(state); ++ ares_free(state); ++} ++ ++ ++static void ares__rand_bytes(ares_rand_state *state, unsigned char *buf, size_t len) ++{ ++ ++ while (1) { ++ size_t rv; ++ size_t bytes_read = 0; ++ ++ switch (state->type) { ++ case ARES_RAND_OS: ++#ifdef _WIN32 ++ RtlGenRandom(buf, len); ++ return; ++#elif defined(HAVE_ARC4RANDOM_BUF) ++ arc4random_buf(buf, len); ++ return; ++#else ++ /* Shouldn't be possible to be here */ ++ break; ++#endif ++ ++ case ARES_RAND_FILE: ++ while (1) { ++ size_t rv = fread(buf + bytes_read, 1, len - bytes_read, state->state.rand_file); ++ if (rv == 0) ++ break; /* critical error, will reinit rand state */ ++ ++ bytes_read += rv; ++ if (bytes_read == len) ++ return; ++ } ++ break; ++ ++ case ARES_RAND_RC4: ++ ares_rc4_prng(&state->state.rc4, buf, len); ++ return; ++ } ++ ++ /* If we didn't return before we got here, that means we had a critical rand ++ * failure and need to reinitialized */ ++ ares__reinit_rand(state); ++ } ++} ++ ++unsigned short ares__generate_new_id(ares_rand_state *state) ++{ ++ unsigned short r=0; ++ ++ ares__rand_bytes(state, (unsigned char *)&r, sizeof(r)); ++ return r; ++} ++ +-- +2.25.1 + diff --git a/meta-oe/recipes-support/c-ares/c-ares/CVE-2023-32067.patch b/meta-oe/recipes-support/c-ares/c-ares/CVE-2023-32067.patch new file mode 100644 index 0000000000..63192d3c81 --- /dev/null +++ b/meta-oe/recipes-support/c-ares/c-ares/CVE-2023-32067.patch @@ -0,0 +1,84 @@ +From b9b8413cfdb70a3f99e1573333b23052d57ec1ae Mon Sep 17 00:00:00 2001 +From: Brad House <brad@brad-house.com> +Date: Mon, 22 May 2023 06:51:49 -0400 +Subject: [PATCH] Merge pull request from GHSA-9g78-jv2r-p7vc + +Link: https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1 + +Upstream-Status: Backport [https://github.com/c-ares/c-ares/commit/b9b8413cfdb70a3f99e1573333b23052d57ec1ae] +CVE: CVE-2023-32067 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/lib/ares_process.c | 41 +++++++++++++++++++++++++---------------- + 1 file changed, 25 insertions(+), 16 deletions(-) + +diff --git a/src/lib/ares_process.c b/src/lib/ares_process.c +index bf0cde464..6cac0a99f 100644 +--- a/src/lib/ares_process.c ++++ b/src/lib/ares_process.c +@@ -470,7 +470,7 @@ static void read_udp_packets(ares_channel channel, fd_set *read_fds, + { + struct server_state *server; + int i; +- ares_ssize_t count; ++ ares_ssize_t read_len; + unsigned char buf[MAXENDSSZ + 1]; + #ifdef HAVE_RECVFROM + ares_socklen_t fromlen; +@@ -513,32 +513,41 @@ static void read_udp_packets(ares_channel channel, fd_set *read_fds, + /* To reduce event loop overhead, read and process as many + * packets as we can. */ + do { +- if (server->udp_socket == ARES_SOCKET_BAD) +- count = 0; +- +- else { +- if (server->addr.family == AF_INET) ++ if (server->udp_socket == ARES_SOCKET_BAD) { ++ read_len = -1; ++ } else { ++ if (server->addr.family == AF_INET) { + fromlen = sizeof(from.sa4); +- else ++ } else { + fromlen = sizeof(from.sa6); +- count = socket_recvfrom(channel, server->udp_socket, (void *)buf, +- sizeof(buf), 0, &from.sa, &fromlen); ++ } ++ read_len = socket_recvfrom(channel, server->udp_socket, (void *)buf, ++ sizeof(buf), 0, &from.sa, &fromlen); + } + +- if (count == -1 && try_again(SOCKERRNO)) ++ if (read_len == 0) { ++ /* UDP is connectionless, so result code of 0 is a 0-length UDP ++ * packet, and not an indication the connection is closed like on ++ * tcp */ + continue; +- else if (count <= 0) ++ } else if (read_len < 0) { ++ if (try_again(SOCKERRNO)) ++ continue; ++ + handle_error(channel, i, now); ++ + #ifdef HAVE_RECVFROM +- else if (!same_address(&from.sa, &server->addr)) ++ } else if (!same_address(&from.sa, &server->addr)) { + /* The address the response comes from does not match the address we + * sent the request to. Someone may be attempting to perform a cache + * poisoning attack. */ +- break; ++ continue; + #endif +- else +- process_answer(channel, buf, (int)count, i, 0, now); +- } while (count > 0); ++ ++ } else { ++ process_answer(channel, buf, (int)read_len, i, 0, now); ++ } ++ } while (read_len >= 0); + } + } + diff --git a/meta-oe/recipes-support/c-ares/c-ares/CVE-2024-25629.patch b/meta-oe/recipes-support/c-ares/c-ares/CVE-2024-25629.patch new file mode 100644 index 0000000000..2887634289 --- /dev/null +++ b/meta-oe/recipes-support/c-ares/c-ares/CVE-2024-25629.patch @@ -0,0 +1,32 @@ +From: a804c04ddc8245fc8adf0e92368709639125e183 Mon Sep 17 00:00:00 2001 +From: Brad House <brad@brad-house.com> +Date: Mon, 11 Mar 2024 14:29:39 +0000 +Subject: [PATCH] Merge pull request from GHSA-mg26-v6qh-x48q + +CVE: CVE-2024-25629 +Upstream-Status: Backport [https://github.com/c-ares/c-ares/commit/a804c04ddc8245fc8adf0e92368709639125e183] +Signed-off-by: Ashish Sharma <asharma@mvista.com> +--- + src/lib/ares__read_line.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/src/lib/ares__read_line.c b/src/lib/ares__read_line.c +index c62ad2a..d6625a3 100644 +--- a/src/lib/ares__read_line.c ++++ b/src/lib/ares__read_line.c +@@ -49,6 +49,14 @@ int ares__read_line(FILE *fp, char **buf, size_t *bufsize) + if (!fgets(*buf + offset, bytestoread, fp)) + return (offset != 0) ? 0 : (ferror(fp)) ? ARES_EFILE : ARES_EOF; + len = offset + strlen(*buf + offset); ++ ++ /* Probably means there was an embedded NULL as the first character in ++ * the line, throw away line */ ++ if (len == 0) { ++ offset = 0; ++ continue; ++ } ++ + if ((*buf)[len - 1] == '\n') + { + (*buf)[len - 1] = 0; +-- diff --git a/meta-oe/recipes-support/c-ares/c-ares/ares_expand_name-fix-formatting-and-handling-of-root.patch b/meta-oe/recipes-support/c-ares/c-ares/ares_expand_name-fix-formatting-and-handling-of-root.patch deleted file mode 100644 index d1cb54aefb..0000000000 --- a/meta-oe/recipes-support/c-ares/c-ares/ares_expand_name-fix-formatting-and-handling-of-root.patch +++ /dev/null @@ -1,115 +0,0 @@ -From: bradh352 <brad@brad-house.com> -Date: Fri, 11 Jun 2021 12:39:24 -0400 -Subject: [2/2] ares_expand_name(): fix formatting and handling of root name - response -Origin: https://github.com/c-ares/c-ares/commit/44c009b8e62ea1929de68e3f438181bea469ec14 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-3672 - -Fixes issue introduced in prior commit with formatting and handling -of parsing a root name response which should not be escaped. - -Fix By: Brad House -CVE: CVE-2021-3672 -Upstream-Status: Backport [http://snapshot.debian.org/archive/debian-security/20210810T064453Z/pool/updates/main/c/c-ares/c-ares_1.17.1-1%2Bdeb11u1.debian.tar.xz] -Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com> ---- - ares_expand_name.c | 62 ++++++++++++++++++++++++-------------- - 1 file changed, 40 insertions(+), 22 deletions(-) - -diff --git a/ares_expand_name.c b/ares_expand_name.c -index f1c874a97cfc..eb9268c1ff0a 100644 ---- a/ares_expand_name.c -+++ b/ares_expand_name.c -@@ -127,27 +127,37 @@ int ares_expand_name(const unsigned char *encoded, const unsigned char *abuf, - } - else - { -- len = *p; -+ int name_len = *p; -+ len = name_len; - p++; -+ - while (len--) - { -- if (!isprint(*p)) { -- /* Output as \DDD for consistency with RFC1035 5.1 */ -- *q++ = '\\'; -- *q++ = '0' + *p / 100; -- *q++ = '0' + (*p % 100) / 10; -- *q++ = '0' + (*p % 10); -- } else if (is_reservedch(*p)) { -- *q++ = '\\'; -- *q++ = *p; -- } else { -- *q++ = *p; -- } -+ /* Output as \DDD for consistency with RFC1035 5.1, except -+ * for the special case of a root name response */ -+ if (!isprint(*p) && !(name_len == 1 && *p == 0)) -+ { -+ -+ *q++ = '\\'; -+ *q++ = '0' + *p / 100; -+ *q++ = '0' + (*p % 100) / 10; -+ *q++ = '0' + (*p % 10); -+ } -+ else if (is_reservedch(*p)) -+ { -+ *q++ = '\\'; -+ *q++ = *p; -+ } -+ else -+ { -+ *q++ = *p; -+ } - p++; - } - *q++ = '.'; - } -- } -+ } -+ - if (!indir) - *enclen = aresx_uztosl(p + 1U - encoded); - -@@ -194,21 +204,29 @@ static int name_length(const unsigned char *encoded, const unsigned char *abuf, - } - else if (top == 0x00) - { -- offset = *encoded; -+ int name_len = *encoded; -+ offset = name_len; - if (encoded + offset + 1 >= abuf + alen) - return -1; - encoded++; -+ - while (offset--) - { -- if (!isprint(*encoded)) { -- n += 4; -- } else if (is_reservedch(*encoded)) { -- n += 2; -- } else { -- n += 1; -- } -+ if (!isprint(*encoded) && !(name_len == 1 && *encoded == 0)) -+ { -+ n += 4; -+ } -+ else if (is_reservedch(*encoded)) -+ { -+ n += 2; -+ } -+ else -+ { -+ n += 1; -+ } - encoded++; - } -+ - n++; - } - else --- -2.32.0 - diff --git a/meta-oe/recipes-support/c-ares/c-ares/ares_expand_name-should-escape-more-characters.patch b/meta-oe/recipes-support/c-ares/c-ares/ares_expand_name-should-escape-more-characters.patch deleted file mode 100644 index 3603ef1278..0000000000 --- a/meta-oe/recipes-support/c-ares/c-ares/ares_expand_name-should-escape-more-characters.patch +++ /dev/null @@ -1,90 +0,0 @@ -From: bradh352 <brad@brad-house.com> -Date: Fri, 11 Jun 2021 11:27:45 -0400 -Subject: [1/2] ares_expand_name() should escape more characters -Origin: https://github.com/c-ares/c-ares/commit/362f91d807d293791008cdb7616d40f7784ece83 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-3672 - -RFC1035 5.1 specifies some reserved characters and escaping sequences -that are allowed to be specified. Expand the list of reserved characters -and also escape non-printable characters using the \DDD format as -specified in the RFC. - -Bug Reported By: philipp.jeitner@sit.fraunhofer.de -Fix By: Brad House (@bradh352) -CVE: CVE-2021-3672 -Upstream-Status: Backport [http://snapshot.debian.org/archive/debian-security/20210810T064453Z/pool/updates/main/c/c-ares/c-ares_1.17.1-1%2Bdeb11u1.debian.tar.xz] -Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com> ---- - ares_expand_name.c | 41 +++++++++++++++++++++++++++++++++++--- - 1 file changed, 38 insertions(+), 3 deletions(-) - -diff --git a/ares_expand_name.c b/ares_expand_name.c -index 407200ef5b4b..f1c874a97cfc 100644 ---- a/ares_expand_name.c -+++ b/ares_expand_name.c -@@ -32,6 +32,26 @@ - static int name_length(const unsigned char *encoded, const unsigned char *abuf, - int alen); - -+/* Reserved characters for names that need to be escaped */ -+static int is_reservedch(int ch) -+{ -+ switch (ch) { -+ case '"': -+ case '.': -+ case ';': -+ case '\\': -+ case '(': -+ case ')': -+ case '@': -+ case '$': -+ return 1; -+ default: -+ break; -+ } -+ -+ return 0; -+} -+ - /* Expand an RFC1035-encoded domain name given by encoded. The - * containing message is given by abuf and alen. The result given by - * *s, which is set to a NUL-terminated allocated buffer. *enclen is -@@ -111,9 +131,18 @@ int ares_expand_name(const unsigned char *encoded, const unsigned char *abuf, - p++; - while (len--) - { -- if (*p == '.' || *p == '\\') -+ if (!isprint(*p)) { -+ /* Output as \DDD for consistency with RFC1035 5.1 */ -+ *q++ = '\\'; -+ *q++ = '0' + *p / 100; -+ *q++ = '0' + (*p % 100) / 10; -+ *q++ = '0' + (*p % 10); -+ } else if (is_reservedch(*p)) { - *q++ = '\\'; -- *q++ = *p; -+ *q++ = *p; -+ } else { -+ *q++ = *p; -+ } - p++; - } - *q++ = '.'; -@@ -171,7 +200,13 @@ static int name_length(const unsigned char *encoded, const unsigned char *abuf, - encoded++; - while (offset--) - { -- n += (*encoded == '.' || *encoded == '\\') ? 2 : 1; -+ if (!isprint(*encoded)) { -+ n += 4; -+ } else if (is_reservedch(*encoded)) { -+ n += 2; -+ } else { -+ n += 1; -+ } - encoded++; - } - n++; --- -2.32.0 - diff --git a/meta-oe/recipes-support/c-ares/c-ares/cmake-install-libcares.pc.patch b/meta-oe/recipes-support/c-ares/c-ares/cmake-install-libcares.pc.patch deleted file mode 100644 index 0eb7e4bbb3..0000000000 --- a/meta-oe/recipes-support/c-ares/c-ares/cmake-install-libcares.pc.patch +++ /dev/null @@ -1,84 +0,0 @@ -From 12414304245cce6ef0e8b9547949be5109845353 Mon Sep 17 00:00:00 2001 -From: Changqing Li <changqing.li@windriver.com> -Date: Tue, 24 Jul 2018 13:33:33 +0800 -Subject: [PATCH] cmake: Install libcares.pc - -Prepare and install libcares.pc file during cmake build, so libraries -using pkg-config to find libcares will not fail. - -Signed-off-by: Alexey Firago <alexey_firago@mentor.com> - -update to 1.14.0, fix patch warning - -Signed-off-by: Changqing Li <changqing.li@windriver.com> ---- - CMakeLists.txt | 28 +++++++++++++++++++++++----- - 1 file changed, 23 insertions(+), 5 deletions(-) - -diff --git a/CMakeLists.txt b/CMakeLists.txt -index fd123e1..3a5878d 100644 ---- a/CMakeLists.txt -+++ b/CMakeLists.txt -@@ -214,22 +214,25 @@ ADD_DEFINITIONS(${SYSFLAGS}) - - - # Tell C-Ares about libraries to depend on -+# Also pass these libraries to pkg-config file -+SET(CARES_PRIVATE_LIBS_LIST) - IF (HAVE_LIBRESOLV) -- LIST (APPEND CARES_DEPENDENT_LIBS resolv) -+ LIST (APPEND CARES_PRIVATE_LIBS_LIST "-lresolv") - ENDIF () - IF (HAVE_LIBNSL) -- LIST (APPEND CARES_DEPENDENT_LIBS nsl) -+ LIST (APPEND CARES_PRIVATE_LIBS_LIST "-lnsl") - ENDIF () - IF (HAVE_LIBSOCKET) -- LIST (APPEND CARES_DEPENDENT_LIBS socket) -+ LIST (APPEND CARES_PRIVATE_LIBS_LIST "-lsocket") - ENDIF () - IF (HAVE_LIBRT) -- LIST (APPEND CARES_DEPENDENT_LIBS rt) -+ LIST (APPEND CARES_PRIVATE_LIBS_LIST "-lrt") - ENDIF () - IF (WIN32) -- LIST (APPEND CARES_DEPENDENT_LIBS ws2_32 Advapi32) -+ LIST (APPEND CARES_PRIVATE_LIBS_LIST "-lws2_32") - ENDIF () - -+string (REPLACE ";" " " CARES_PRIVATE_LIBS "${CARES_PRIVATE_LIBS_LIST}") - - # When checking for symbols, we need to make sure we set the proper - # headers, libraries, and definitions for the detection to work properly -@@ -554,6 +557,15 @@ CONFIGURE_FILE (ares_build.h.cmake ${PROJECT_BINARY_DIR}/ares_build.h) - # Write ares_config.h configuration file. This is used only for the build. - CONFIGURE_FILE (ares_config.h.cmake ${PROJECT_BINARY_DIR}/ares_config.h) - -+# Pass required CFLAGS to pkg-config in case of static library -+IF (CARES_STATIC) -+ SET (CPPFLAG_CARES_STATICLIB "-DCARES_STATICLIB") -+ENDIF() -+ -+# Write ares_config.h configuration file. This is used only for the build. -+CONFIGURE_FILE (libcares.pc.cmakein ${PROJECT_BINARY_DIR}/libcares.pc @ONLY) -+ -+ - - # TRANSFORM_MAKEFILE_INC - # -@@ -728,6 +740,12 @@ IF (CARES_INSTALL) - INSTALL (FILES "${CMAKE_CURRENT_BINARY_DIR}/libcares.pc" COMPONENT Devel DESTINATION "${CMAKE_INSTALL_LIBDIR}/pkgconfig") - ENDIF () - -+# pkg-config file -+IF (CARES_INSTALL) -+ SET (PKGCONFIG_INSTALL_DIR "${CMAKE_INSTALL_LIBDIR}/pkgconfig") -+ INSTALL (FILES "${CMAKE_CURRENT_BINARY_DIR}/libcares.pc" DESTINATION ${PKGCONFIG_INSTALL_DIR}) -+ENDIF () -+ - # Legacy chain-building variables (provided for compatibility with old code). - # Don't use these, external code should be updated to refer to the aliases directly (e.g., Cares::cares). - SET (CARES_FOUND 1 CACHE INTERNAL "CARES LIBRARY FOUND") --- -2.17.1 - diff --git a/meta-oe/recipes-support/c-ares/c-ares_1.16.1.bb b/meta-oe/recipes-support/c-ares/c-ares_1.16.1.bb deleted file mode 100644 index b77604797d..0000000000 --- a/meta-oe/recipes-support/c-ares/c-ares_1.16.1.bb +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright (c) 2012-2014 LG Electronics, Inc. -SUMMARY = "c-ares is a C library that resolves names asynchronously." -HOMEPAGE = "http://daniel.haxx.se/projects/c-ares/" -SECTION = "libs" -LICENSE = "MIT" -LIC_FILES_CHKSUM = "file://LICENSE.md;md5=fb997454c8d62aa6a47f07a8cd48b006" - -PV = "1.16.0+gitr${SRCPV}" - -SRC_URI = "\ - git://github.com/c-ares/c-ares.git;branch=main;protocol=https \ - file://cmake-install-libcares.pc.patch \ - file://0001-fix-configure-error-mv-libcares.pc.cmakein-to-libcar.patch \ - file://ares_expand_name-should-escape-more-characters.patch \ - file://ares_expand_name-fix-formatting-and-handling-of-root.patch \ -" -SRCREV = "74a1426ba60e2cd7977e53a22ef839c87415066e" - -UPSTREAM_CHECK_GITTAGREGEX = "cares-(?P<pver>\d+_(\d_?)+)" - -S = "${WORKDIR}/git" - -inherit cmake pkgconfig - -PACKAGES =+ "${PN}-utils" - -FILES_${PN}-utils = "${bindir}" - -BBCLASSEXTEND = "native nativesdk" diff --git a/meta-oe/recipes-support/c-ares/c-ares_1.18.1.bb b/meta-oe/recipes-support/c-ares/c-ares_1.18.1.bb new file mode 100644 index 0000000000..b5936e1ad0 --- /dev/null +++ b/meta-oe/recipes-support/c-ares/c-ares_1.18.1.bb @@ -0,0 +1,31 @@ +# Copyright (c) 2012-2014 LG Electronics, Inc. +SUMMARY = "c-ares is a C library that resolves names asynchronously." +HOMEPAGE = "http://daniel.haxx.se/projects/c-ares/" +SECTION = "libs" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://LICENSE.md;md5=fb997454c8d62aa6a47f07a8cd48b006" + +SRC_URI = "git://github.com/c-ares/c-ares.git;branch=main;protocol=https \ + file://CVE-2022-4904.patch \ + file://CVE-2023-31130.patch \ + file://CVE-2023-31147.patch \ + file://CVE-2023-32067.patch \ + file://CVE-2024-25629.patch \ + " +SRCREV = "2aa086f822aad5017a6f2061ef656f237a62d0ed" + +UPSTREAM_CHECK_GITTAGREGEX = "cares-(?P<pver>\d+_(\d_?)+)" + +S = "${WORKDIR}/git" + +inherit cmake pkgconfig + +PACKAGES =+ "${PN}-utils" + +FILES_${PN}-utils = "${bindir}" + +BBCLASSEXTEND = "native nativesdk" + +# this vulneribility applies only when cross-compiling using autotools +# yocto cross-compiles via cmake which is also listed as official workaround +CVE_CHECK_WHITELIST += "CVE-2023-31124" |