Bug#1034533: marked as done (unblock: connman/1.41-3)



Your message dated Mon, 17 Apr 2023 21:02:33 +0000
with message-id <E1poVzd-003KDz-5t@respighi.debian.org>
and subject line unblock connman
has caused the Debian Bug report #1034533,
regarding unblock: connman/1.41-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1034533: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034533
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Control: affects -1 + src:connman
X-Debbugs-Cc: connman@packages.debian.org
User: release.debian.org@packages.debian.org
Usertags: unblock
Severity: normal

Please unblock package connman.

[ Reason ]
Open CVE-2023-28488 in bookworm

[ Impact ]
Users are vulnerable to CVE-2023-28488.

[ Tests ]
Exploit at https://github.com/moehw/poc_exploits/tree/master/CVE-2023-28488

[ Risks ]
None.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock connman/1.41-3
diff -Nru connman-1.41/debian/changelog connman-1.41/debian/changelog
--- connman-1.41/debian/changelog	2022-08-19 07:20:06.000000000 +0200
+++ connman-1.41/debian/changelog	2023-04-14 11:45:14.000000000 +0200
@@ -1,3 +1,9 @@
+connman (1.41-3) unstable; urgency=medium
+
+  * gdhcp: Verify and sanitize packet length first (CVE-2023-28488)
+
+ -- Vignesh Raman <vignesh.raman@collabora.com>  Fri, 14 Apr 2023 15:15:14 +0530
+
 connman (1.41-2) unstable; urgency=medium
 
   * d/patches: (Closes: #1016976)
diff -Nru connman-1.41/debian/patches/gdhcp-Verify-and-sanitize-packet-length-first.patch connman-1.41/debian/patches/gdhcp-Verify-and-sanitize-packet-length-first.patch
--- connman-1.41/debian/patches/gdhcp-Verify-and-sanitize-packet-length-first.patch	1970-01-01 01:00:00.000000000 +0100
+++ connman-1.41/debian/patches/gdhcp-Verify-and-sanitize-packet-length-first.patch	2023-04-14 11:45:14.000000000 +0200
@@ -0,0 +1,58 @@
+From 99e2c16ea1cced34a5dc450d76287a1c3e762138 Mon Sep 17 00:00:00 2001
+From: Daniel Wagner <wagi@monom.org>
+Date: Tue, 11 Apr 2023 08:12:56 +0200
+Subject: [PATCH] gdhcp: Verify and sanitize packet length first
+
+Avoid overwriting the read packet length after the initial test. Thus
+move all the length checks which depends on the total length first
+and do not use the total lenght from the IP packet afterwards.
+
+Fixes CVE-2023-28488
+
+Reported by Polina Smirnova <moe.hwr@gmail.com>
+---
+ gdhcp/client.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/gdhcp/client.c b/gdhcp/client.c
+index 7efa7e45..82017692 100644
+--- a/gdhcp/client.c
++++ b/gdhcp/client.c
+@@ -1319,9 +1319,9 @@ static bool sanity_check(struct ip_udp_dhcp_packet *packet, int bytes)
+ static int dhcp_recv_l2_packet(struct dhcp_packet *dhcp_pkt, int fd,
+ 				struct sockaddr_in *dst_addr)
+ {
+-	int bytes;
+ 	struct ip_udp_dhcp_packet packet;
+ 	uint16_t check;
++	int bytes, tot_len;
+ 
+ 	memset(&packet, 0, sizeof(packet));
+ 
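Review bot: style nit in the declaration hunk of dhcp_recv_l2_packet: the existing `int bytes;` line is removed and re-added below `uint16_t check;` as `int bytes, tot_len;`, which turns a one-line addition into a two-line move. Keeping `int bytes, tot_len;` in the original position would make the diff smaller and the blame history cleaner; behaviour is unchanged either way.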
+@@ -1329,15 +1329,17 @@ static int dhcp_recv_l2_packet(struct dhcp_packet *dhcp_pkt, int fd,
+ 	if (bytes < 0)
+ 		return -1;
+ 
+-	if (bytes < (int) (sizeof(packet.ip) + sizeof(packet.udp)))
+-		return -1;
+-
+-	if (bytes < ntohs(packet.ip.tot_len))
++	tot_len = ntohs(packet.ip.tot_len);
++	if (bytes > tot_len) {
++		/* ignore any extra garbage bytes */
++		bytes = tot_len;
++	} else if (bytes < tot_len) {
+ 		/* packet is bigger than sizeof(packet), we did partial read */
+ 		return -1;
++	}
+ 
+-	/* ignore any extra garbage bytes */
+-	bytes = ntohs(packet.ip.tot_len);
++	if (bytes < (int) (sizeof(packet.ip) + sizeof(packet.udp)))
++		return -1;
+ 
+ 	if (!sanity_check(&packet, bytes))
+ 		return -1;
+-- 
+2.30.2
+
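Review bot: the reordered checks in the second hunk read `packet.ip.tot_len` before verifying that at least `sizeof(packet.ip) + sizeof(packet.udp)` bytes arrived; this is only safe because the earlier `memset(&packet, 0, sizeof(packet))` leaves `tot_len` as 0 on a short read, so `bytes` is clamped to 0 and then rejected by the minimum-size check. That dependency deserves a comment next to `tot_len = ntohs(packet.ip.tot_len);`, since anyone later removing or moving the memset would silently reintroduce a read of an unvalidated length. The ordering itself is correct: clamping `bytes` to the header-supplied `tot_len` before the minimum-size check is what stops a small `tot_len` from shrinking `bytes` below the IP+UDP header size after that check has already passed, which is the overwrite the commit message describes. Separately, the comment `/* packet is bigger than sizeof(packet), we did partial read */` now sits in the `else if (bytes < tot_len)` branch; consider rewording it to say that the IP header claims more bytes than were read, which is what that branch actually tests.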
diff -Nru connman-1.41/debian/patches/series connman-1.41/debian/patches/series
--- connman-1.41/debian/patches/series	2022-08-19 07:20:06.000000000 +0200
+++ connman-1.41/debian/patches/series	2023-04-14 11:45:14.000000000 +0200
@@ -3,3 +3,4 @@
 wispr-Add-reference-counter-to-portal-context.patch
 wispr-Update-portal-context-references.patch
 gweb-Fix-OOB-write-in-received_data.patch
+gdhcp-Verify-and-sanitize-packet-length-first.patch

--- End Message ---
--- Begin Message ---
Unblocked.

--- End Message ---