summaryrefslogtreecommitdiff
path: root/meta-openembedded/meta-oe/recipes-connectivity
diff options
context:
space:
mode:
Diffstat (limited to 'meta-openembedded/meta-oe/recipes-connectivity')
-rw-r--r--meta-openembedded/meta-oe/recipes-connectivity/krb5/krb5/CVE-2023-36054.patch68
-rw-r--r--meta-openembedded/meta-oe/recipes-connectivity/krb5/krb5_1.20.1.bb1
-rw-r--r--meta-openembedded/meta-oe/recipes-connectivity/rabbitmq-c/files/CVE-2023-35789.patch131
-rw-r--r--meta-openembedded/meta-oe/recipes-connectivity/rabbitmq-c/rabbitmq-c_0.13.0.bb4
4 files changed, 203 insertions, 1 deletions
diff --git a/meta-openembedded/meta-oe/recipes-connectivity/krb5/krb5/CVE-2023-36054.patch b/meta-openembedded/meta-oe/recipes-connectivity/krb5/krb5/CVE-2023-36054.patch
new file mode 100644
index 0000000000..160c090bce
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-connectivity/krb5/krb5/CVE-2023-36054.patch
@@ -0,0 +1,68 @@
+From ef08b09c9459551aabbe7924fb176f1583053cdd Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Mon, 21 Aug 2023 03:08:15 +0000
+Subject: [PATCH] Ensure array count consistency in kadm5 RPC
+
+In _xdr_kadm5_principal_ent_rec(), ensure that n_key_data matches the
+key_data array count when decoding. Otherwise when the structure is
+later freed, xdr_array() could iterate over the wrong number of
+elements, either leaking some memory or freeing uninitialized
+pointers. Reported by Robert Morris.
+
+CVE: CVE-2023-36054
+
+An authenticated attacker can cause a kadmind process to crash by
+freeing uninitialized pointers. Remote code execution is unlikely.
+An attacker with control of a kadmin server can cause a kadmin client
+to crash by freeing uninitialized pointers.
+
+ticket: 9099 (new)
+tags: pullup
+target_version: 1.21-next
+target_version: 1.20-next
+
+Upstream-Status: Backport [https://github.com/krb5/krb5/commit/ef08b09c9459551aabbe7924fb176f1583053cdd]
+
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ src/lib/kadm5/kadm_rpc_xdr.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c
+index 2892d41..94b1ce8 100644
+--- a/src/lib/kadm5/kadm_rpc_xdr.c
++++ b/src/lib/kadm5/kadm_rpc_xdr.c
+@@ -390,6 +390,7 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
+ int v)
+ {
+ unsigned int n;
++ bool_t r;
+
+ if (!xdr_krb5_principal(xdrs, &objp->principal)) {
+ return (FALSE);
+@@ -443,6 +444,9 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
+ if (!xdr_krb5_int16(xdrs, &objp->n_key_data)) {
+ return (FALSE);
+ }
++ if (xdrs->x_op == XDR_DECODE && objp->n_key_data < 0) {
++ return (FALSE);
++ }
+ if (!xdr_krb5_int16(xdrs, &objp->n_tl_data)) {
+ return (FALSE);
+ }
+@@ -451,9 +455,10 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
+ return FALSE;
+ }
+ n = objp->n_key_data;
+- if (!xdr_array(xdrs, (caddr_t *) &objp->key_data,
+- &n, ~0, sizeof(krb5_key_data),
+- xdr_krb5_key_data_nocontents)) {
++ r = xdr_array(xdrs, (caddr_t *) &objp->key_data, &n, objp->n_key_data,
++ sizeof(krb5_key_data), xdr_krb5_key_data_nocontents);
++ objp->n_key_data = n;
++ if (!r) {
+ return (FALSE);
+ }
+
+--
+2.40.0
diff --git a/meta-openembedded/meta-oe/recipes-connectivity/krb5/krb5_1.20.1.bb b/meta-openembedded/meta-oe/recipes-connectivity/krb5/krb5_1.20.1.bb
index 10fff11c25..e353b58aa1 100644
--- a/meta-openembedded/meta-oe/recipes-connectivity/krb5/krb5_1.20.1.bb
+++ b/meta-openembedded/meta-oe/recipes-connectivity/krb5/krb5_1.20.1.bb
@@ -29,6 +29,7 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}.tar.gz \
file://etc/default/krb5-admin-server \
file://krb5-kdc.service \
file://krb5-admin-server.service \
+ file://CVE-2023-36054.patch;striplevel=2 \
"
SRC_URI[md5sum] = "73f5780e7b587ccd8b8cfc10c965a686"
SRC_URI[sha256sum] = "704aed49b19eb5a7178b34b2873620ec299db08752d6a8574f95d41879ab8851"
diff --git a/meta-openembedded/meta-oe/recipes-connectivity/rabbitmq-c/files/CVE-2023-35789.patch b/meta-openembedded/meta-oe/recipes-connectivity/rabbitmq-c/files/CVE-2023-35789.patch
new file mode 100644
index 0000000000..dfd1f98759
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-connectivity/rabbitmq-c/files/CVE-2023-35789.patch
@@ -0,0 +1,131 @@
+CVE: CVE-2023-35789
+Upstream-Status: Backport [ https://github.com/alanxz/rabbitmq-c/commit/463054383fbeef889b409a7f843df5365288e2a0 ]
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+
+From 463054383fbeef889b409a7f843df5365288e2a0 Mon Sep 17 00:00:00 2001
+From: Christian Kastner <ckk@kvr.at>
+Date: Tue, 13 Jun 2023 14:21:52 +0200
+Subject: [PATCH] Add option to read username/password from file (#781)
+
+* Add option to read username/password from file
+---
+ tools/common.c | 66 ++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 66 insertions(+)
+
+diff --git a/tools/common.c b/tools/common.c
+index 73b47e25..7efe557b 100644
+--- a/tools/common.c
++++ b/tools/common.c
+@@ -18,6 +18,11 @@
+ #include "compat.h"
+ #endif
+
++/* For when reading auth data from a file */
++#define MAXAUTHTOKENLEN 128
++#define USERNAMEPREFIX "username:"
++#define PASSWORDPREFIX "password:"
++
+ void die(const char *fmt, ...) {
+ va_list ap;
+ va_start(ap, fmt);
+@@ -125,6 +130,7 @@ static char *amqp_vhost;
+ static char *amqp_username;
+ static char *amqp_password;
+ static int amqp_heartbeat = 0;
++static char *amqp_authfile;
+ #ifdef WITH_SSL
+ static int amqp_ssl = 0;
+ static char *amqp_cacert = "/etc/ssl/certs/cacert.pem";
+@@ -147,6 +153,8 @@ struct poptOption connect_options[] = {
+ "the password to login with", "password"},
+ {"heartbeat", 0, POPT_ARG_INT, &amqp_heartbeat, 0,
+ "heartbeat interval, set to 0 to disable", "heartbeat"},
++ {"authfile", 0, POPT_ARG_STRING, &amqp_authfile, 0,
++ "path to file containing username/password for authentication", "file"},
+ #ifdef WITH_SSL
+ {"ssl", 0, POPT_ARG_NONE, &amqp_ssl, 0, "connect over SSL/TLS", NULL},
+ {"cacert", 0, POPT_ARG_STRING, &amqp_cacert, 0,
+@@ -158,6 +166,50 @@ struct poptOption connect_options[] = {
+ #endif /* WITH_SSL */
+ {NULL, '\0', 0, NULL, 0, NULL, NULL}};
+
++void read_authfile(const char *path) {
++ size_t n;
++ FILE *fp = NULL;
++ char token[MAXAUTHTOKENLEN];
++
++ if ((amqp_username = malloc(MAXAUTHTOKENLEN)) == NULL ||
++ (amqp_password = malloc(MAXAUTHTOKENLEN)) == NULL) {
++ die("Out of memory");
++ } else if ((fp = fopen(path, "r")) == NULL) {
++ die("Could not read auth data file %s", path);
++ }
++
++ if (fgets(token, MAXAUTHTOKENLEN, fp) == NULL ||
++ strncmp(token, USERNAMEPREFIX, strlen(USERNAMEPREFIX))) {
++ die("Malformed auth file (missing username)");
++ }
++ strncpy(amqp_username, &token[strlen(USERNAMEPREFIX)], MAXAUTHTOKENLEN);
++ /* Missing newline means token was cut off */
++ n = strlen(amqp_username);
++ if (amqp_username[n - 1] != '\n') {
++ die("Username too long");
++ } else {
++ amqp_username[n - 1] = '\0';
++ }
++
++ if (fgets(token, MAXAUTHTOKENLEN, fp) == NULL ||
++ strncmp(token, PASSWORDPREFIX, strlen(PASSWORDPREFIX))) {
++ die("Malformed auth file (missing password)");
++ }
++ strncpy(amqp_password, &token[strlen(PASSWORDPREFIX)], MAXAUTHTOKENLEN);
++ /* Missing newline means token was cut off */
++ n = strlen(amqp_password);
++ if (amqp_password[n - 1] != '\n') {
++ die("Password too long");
++ } else {
++ amqp_password[n - 1] = '\0';
++ }
++
++ (void)fgetc(fp);
++ if (!feof(fp)) {
++ die("Malformed auth file (trailing data)");
++ }
++}
++
+ static void init_connection_info(struct amqp_connection_info *ci) {
+ ci->user = NULL;
+ ci->password = NULL;
+@@ -237,6 +289,8 @@ static void init_connection_info(struct amqp_connection_info *ci) {
+ if (amqp_username) {
+ if (amqp_url) {
+ die("--username and --url options cannot be used at the same time");
++ } else if (amqp_authfile) {
++ die("--username and --authfile options cannot be used at the same time");
+ }
+
+ ci->user = amqp_username;
+@@ -245,11 +299,23 @@ static void init_connection_info(struct amqp_connection_info *ci) {
+ if (amqp_password) {
+ if (amqp_url) {
+ die("--password and --url options cannot be used at the same time");
++ } else if (amqp_authfile) {
++ die("--password and --authfile options cannot be used at the same time");
+ }
+
+ ci->password = amqp_password;
+ }
+
++ if (amqp_authfile) {
++ if (amqp_url) {
++ die("--authfile and --url options cannot be used at the same time");
++ }
++
++ read_authfile(amqp_authfile);
++ ci->user = amqp_username;
++ ci->password = amqp_password;
++ }
++
+ if (amqp_vhost) {
+ if (amqp_url) {
+ die("--vhost and --url options cannot be used at the same time");
diff --git a/meta-openembedded/meta-oe/recipes-connectivity/rabbitmq-c/rabbitmq-c_0.13.0.bb b/meta-openembedded/meta-oe/recipes-connectivity/rabbitmq-c/rabbitmq-c_0.13.0.bb
index f9c2b2c8a9..ea80ec3344 100644
--- a/meta-openembedded/meta-oe/recipes-connectivity/rabbitmq-c/rabbitmq-c_0.13.0.bb
+++ b/meta-openembedded/meta-oe/recipes-connectivity/rabbitmq-c/rabbitmq-c_0.13.0.bb
@@ -3,7 +3,9 @@ HOMEPAGE = "https://github.com/alanxz/rabbitmq-c"
LIC_FILES_CHKSUM = "file://LICENSE;md5=7e12f6e40e662e039e2f02b4893011ec"
LICENSE = "MIT"
-SRC_URI = "git://github.com/alanxz/rabbitmq-c.git;branch=master;protocol=https"
+SRC_URI = "git://github.com/alanxz/rabbitmq-c.git;branch=master;protocol=https \
+ file://CVE-2023-35789.patch \
+"
# v0.13.0-master
SRCREV = "974d71adceae6d742ae20a4c880d99c131f1460a"
generated by cgit v1.2.3 (git 2.39.0) at 2024-06-02 17:38:41 +0300