From: Leon Anavi Date: Thu, 21 Aug 2025 20:43:50 +0000 (+0300) Subject: connman: Upgrade 1.44 -> 1.45 X-Git-Tag: uninative-5.0~482 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c5fd636aa6f310e868ea29a72913ea96edcf57c5;p=thirdparty%2Fopenembedded%2Fopenembedded-core.git connman: Upgrade 1.44 -> 1.45 Upgrade to release 1.45: - Add missing newlines on error messages - timezone: Replace Localtime file copy with symbolic link - Fix CVE-2025-32366 vulnerability - Fix CVE-2025-32743 vulnerability - vpn: Fix extracting of PrefixLength D-Bus value - vpn: Fix mem leak of gid_list in task setup - dchpv6: Set err to 0 when client creation succeeds Signed-off-by: Leon Anavi Signed-off-by: Mathieu Dubois-Briand --- diff --git a/meta/recipes-connectivity/connman/connman/CVE-2025-32366.patch b/meta/recipes-connectivity/connman/connman/CVE-2025-32366.patch deleted file mode 100644 index 62f07e707a9..00000000000 --- a/meta/recipes-connectivity/connman/connman/CVE-2025-32366.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 8d3be0285f1d4667bfe85dba555c663eb3d704b4 Mon Sep 17 00:00:00 2001 -From: Yoonje Shin -Date: Mon, 12 May 2025 10:48:18 +0200 -Subject: [PATCH] dnsproxy: Address CVE-2025-32366 vulnerability - -In Connman parse_rr in dnsproxy.c has a memcpy length -that depends on an RR RDLENGTH value (i.e., *rdlen=ntohs(rr->rdlen) -and memcpy(response+offset,*end,*rdlen)). Here, rdlen may be larger -than the amount of remaining packet data in the current state of -parsing. As a result, values of stack memory locations may be sent -over the network in a response. - -This patch adds a check to ensure that (*end + *rdlen) does not exceed -the valid range. If the condition is violated, the function returns --EINVAL. - -CVE: CVE-2025-32366 - -Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=8d3be0285f1d4667bfe85dba555c663eb3d704b4] - -Signed-off-by: Praveen Kumar ---- - src/dnsproxy.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/src/dnsproxy.c b/src/dnsproxy.c -index 7ee26d9..1dd2f7f 100644 ---- a/src/dnsproxy.c -+++ b/src/dnsproxy.c -@@ -998,6 +998,9 @@ static int parse_rr(const unsigned char *buf, const unsigned char *start, - if ((offset + *rdlen) > *response_size) - return -ENOBUFS; - -+ if ((*end + *rdlen) > max) -+ return -EINVAL; -+ - memcpy(response + offset, *end, *rdlen); - - *end += *rdlen; --- -2.40.0 diff --git a/meta/recipes-connectivity/connman/connman/CVE-2025-32743.patch b/meta/recipes-connectivity/connman/connman/CVE-2025-32743.patch deleted file mode 100644 index c114589679c..00000000000 --- a/meta/recipes-connectivity/connman/connman/CVE-2025-32743.patch +++ /dev/null @@ -1,48 +0,0 @@ -From d90b911f6760959bdf1393c39fe8d1118315490f Mon Sep 17 00:00:00 2001 -From: Praveen Kumar -Date: Thu, 24 Apr 2025 11:39:29 +0000 -Subject: [PATCH] dnsproxy: Fix NULL/empty lookup causing potential crash - -In ConnMan through 1.44, the lookup string in ns_resolv in dnsproxy.c -can be NULL or an empty string when the TC (Truncated) bit is set in -a DNS response. This allows attackers to cause a denial of service -(application crash) or possibly execute arbitrary code, because those -lookup values lead to incorrect length calculations and incorrect -memcpy operations. - -This patch includes a check to make sure loookup value is valid before -using it. This helps avoid unexpected value when the input is empty or -incorrect. - -Fixes: CVE-2025-32743 - -CVE: CVE-2025-32743 - -Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d90b911f6760959bdf1393c39fe8d1118315490f] - -Signed-off-by: Praveen Kumar ---- - src/dnsproxy.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/src/dnsproxy.c b/src/dnsproxy.c -index f28a5d7..7ee26d9 100644 ---- a/src/dnsproxy.c -+++ b/src/dnsproxy.c -@@ -1685,8 +1685,13 @@ static int ns_resolv(struct server_data *server, struct request_data *req, - gpointer request, gpointer name) - { - int sk = -1; -+ int err; - const char *lookup = (const char *)name; -- int err = ns_try_resolv_from_cache(req, request, lookup); -+ -+ if (!lookup || strlen(lookup) == 0) -+ return -EINVAL; -+ -+ err = ns_try_resolv_from_cache(req, request, lookup); - - if (err > 0) - /* cache hit */ --- -2.40.0 diff --git a/meta/recipes-connectivity/connman/connman_1.44.bb b/meta/recipes-connectivity/connman/connman_1.45.bb similarity index 98% rename from meta/recipes-connectivity/connman/connman_1.44.bb rename to meta/recipes-connectivity/connman/connman_1.45.bb index 1b0fbe438c7..cfc6114712d 100644 --- a/meta/recipes-connectivity/connman/connman_1.44.bb +++ b/meta/recipes-connectivity/connman/connman_1.45.bb @@ -21,11 +21,9 @@ DEPENDS = "dbus glib-2.0" SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \ file://connman \ file://0002-resolve-musl-does-not-implement-res_ninit.patch \ - file://CVE-2025-32743.patch \ - file://CVE-2025-32366.patch \ " -SRC_URI[sha256sum] = "2be2b00321632b775f9eff713acd04ef21e31fbf388f6ebf45512ff4289574ff" +SRC_URI[sha256sum] = "77128cce80865455c4f106b5901a575e2dfdb35a7d2e2e2996f16e85cba10913" RRECOMMENDS:${PN} = "connman-conf" RCONFLICTS:${PN} = "networkmanager"