
Bug#1106043: marked as done (unblock: connman/1.44-3)



Your message dated Mon, 19 May 2025 14:45:32 +0000
with message-id <E1uH1kC-002i3K-0h@respighi.debian.org>
and subject line unblock connman
has caused the Debian Bug report #1106043,
regarding unblock: connman/1.44-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1106043: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106043
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: connman@packages.debian.org
Control: affects -1 + src:connman
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package connman

[ Reason ]

To fix two security issues CVE-2025-32366 (Closes: #1102193) and CVE-2025-32743 (Closes: #1103530). Patches are cherry-picked from upstream and are fairly trivial.


[ Impact ]
Fewer security issues in Trixie's release that would need to be fixed later by security or LTS teams.

[ Tests ]
The package builds fine and has been in unstable/Ubuntu for ~ a week without any complaint.

[ Risks ]
The risks are low since these patches come from upstream and are trivial.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing




unblock connman/1.44-3
diff -Nru connman-1.44/debian/changelog connman-1.44/debian/changelog
--- connman-1.44/debian/changelog	2025-04-12 17:40:21.000000000 +0200
+++ connman-1.44/debian/changelog	2025-05-13 09:06:57.000000000 +0200
@@ -1,3 +1,18 @@
+connman (1.44-3) unstable; urgency=medium
+
+  * Cherry-pick upstream patch fixing CVE-2025-32366 (Closes: #1102193)
+  * Set myself as Maintainer.
+  * Improve DEP3 headers of other patches.
+
+ -- Dylan Aïssi <daissi@debian.org>  Tue, 13 May 2025 09:06:57 +0200
+
+connman (1.44-2) unstable; urgency=medium
+
+  * Team upload.
+  * Cherry-pick upstream patch fixing CVE-2025-32743 (Closes: #1103530)
+
+ -- Dylan Aïssi <daissi@debian.org>  Tue, 06 May 2025 22:47:54 +0200
+
 connman (1.44-1) unstable; urgency=medium
 
   * Team upload.
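Review bot: the 1.44-3 entry says "Improve DEP3 headers of other patches", but the only existing patch this debdiff touches is 02-systemd-service-file-shutdown-problems.patch; name that patch in the entry (or include the other header changes) so the changelog matches what is actually uploaded.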
diff -Nru connman-1.44/debian/control connman-1.44/debian/control
--- connman-1.44/debian/control	2025-04-12 17:40:21.000000000 +0200
+++ connman-1.44/debian/control	2025-05-13 09:06:57.000000000 +0200
@@ -1,7 +1,8 @@
 Source: connman
-Maintainer: Vignesh Raman <vignesh.raman@collabora.com>
+Maintainer: Dylan Aïssi <daissi@debian.org>
 Uploaders: Alexander Sack <asac@debian.org>,
-           Alf Gaida <agaida@siduction.org>
+           Alf Gaida <agaida@siduction.org>,
+           Vignesh Raman <vignesh.raman@collabora.com>
 Section: net
 Priority: optional
 Build-Depends: debhelper-compat (= 13),
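Review bot: the Uploaders change, which adds the previous Maintainer Vignesh Raman, is not recorded in the 1.44-3 changelog entry; that entry only says "Set myself as Maintainer". Add a line for it so the "all changes are documented in the d/changelog" checklist item holds.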
diff -Nru connman-1.44/debian/patches/02-systemd-service-file-shutdown-problems.patch connman-1.44/debian/patches/02-systemd-service-file-shutdown-problems.patch
--- connman-1.44/debian/patches/02-systemd-service-file-shutdown-problems.patch	2025-04-12 17:40:21.000000000 +0200
+++ connman-1.44/debian/patches/02-systemd-service-file-shutdown-problems.patch	2025-05-13 09:06:57.000000000 +0200
@@ -3,6 +3,7 @@
  https://lintian.debian.org/tags/systemd-service-file-shutdown-problems.html
 Forwarded: not needed
 Last-Update: 2019-05-01
+Author: Alf Gaida <agaida@siduction.org>
 
 --- a/src/connman-wait-online.service.in
 +++ b/src/connman-wait-online.service.in
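Review bot: the DEP-3 header gains an Author field while Last-Update still reads 2019-05-01; Last-Update records when the patch meta-information was last changed, so bump it in the same edit.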
diff -Nru connman-1.44/debian/patches/CVE-2025-32366.patch connman-1.44/debian/patches/CVE-2025-32366.patch
--- connman-1.44/debian/patches/CVE-2025-32366.patch	1970-01-01 01:00:00.000000000 +0100
+++ connman-1.44/debian/patches/CVE-2025-32366.patch	2025-05-13 09:06:57.000000000 +0200
@@ -0,0 +1,41 @@
+From 8d3be0285f1d4667bfe85dba555c663eb3d704b4 Mon Sep 17 00:00:00 2001
+From: "신윤제(학부생-소프트웨어전공)" <ioerts@kookmin.ac.kr>
+Date: Mon, 12 May 2025 10:48:18 +0200
+Subject: dnsproxy: Address CVE-2025-32366 vulnerability
+
+In Connman parse_rr in dnsproxy.c has a memcpy length
+that depends on an RR RDLENGTH value (i.e., *rdlen=ntohs(rr->rdlen)
+and memcpy(response+offset,*end,*rdlen)). Here, rdlen may be larger
+than the amount of remaining packet data in the current state of
+parsing. As a result, values of stack memory locations may be sent
+over the network in a response.
+
+This patch adds a check to ensure that (*end + *rdlen) does not exceed
+the valid range. If the condition is violated, the function returns
+-EINVAL.
+
+Fixes: CVE-2025-32366
+Bug-Debian: https://bugs.debian.org/1102193
+Origin: upstream, https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=8d3be0285f1d4667bfe85dba555c663eb3d704b4
+Forwarded: not-needed
+---
+ src/dnsproxy.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/dnsproxy.c b/src/dnsproxy.c
+index 7ee26d9ff..1dd2f7f5d 100644
+--- a/src/dnsproxy.c
++++ b/src/dnsproxy.c
+@@ -998,6 +998,9 @@ static int parse_rr(const unsigned char *buf, const unsigned char *start,
+ 	if ((offset + *rdlen) > *response_size)
+ 		return -ENOBUFS;
+ 
++	if ((*end + *rdlen) > max)
++		return -EINVAL;
++
+ 	memcpy(response + offset, *end, *rdlen);
+ 
+ 	*end += *rdlen;
+-- 
+cgit 1.2.3-korg
+
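Review bot: the added check in parse_rr, "if ((*end + *rdlen) > max)", forms the pointer *end + *rdlen before comparing it, and C leaves that arithmetic undefined once the result lies more than one past the end of the buffer, which is exactly the case the check is meant to catch. Comparing lengths instead, "if (*rdlen > max - *end)", tests the same condition without forming an out-of-range pointer; this assumes max is the end-of-packet pointer and *end <= max at this point, neither of which is visible in the hunk.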
diff -Nru connman-1.44/debian/patches/CVE-2025-32743.patch connman-1.44/debian/patches/CVE-2025-32743.patch
--- connman-1.44/debian/patches/CVE-2025-32743.patch	1970-01-01 01:00:00.000000000 +0100
+++ connman-1.44/debian/patches/CVE-2025-32743.patch	2025-05-13 09:06:57.000000000 +0200
@@ -0,0 +1,46 @@
+From d90b911f6760959bdf1393c39fe8d1118315490f Mon Sep 17 00:00:00 2001
+From: Praveen Kumar <praveen.kumar@windriver.com>
+Date: Thu, 24 Apr 2025 11:39:29 +0000
+Subject: dnsproxy: Fix NULL/empty lookup causing potential crash
+
+In ConnMan through 1.44, the lookup string in ns_resolv in dnsproxy.c
+can be NULL or an empty string when the TC (Truncated) bit is set in
+a DNS response. This allows attackers to cause a denial of service
+(application crash) or possibly execute arbitrary code, because those
+lookup values lead to incorrect length calculations and incorrect
+memcpy operations.
+
+This patch includes a check to make sure loookup value is valid before
+using it. This helps avoid unexpected value when the input is empty or
+incorrect.
+
+Fixes: CVE-2025-32743
+Bug-Debian: https://bugs.debian.org/1103530
+Origin: upstream, https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d90b911f6760959bdf1393c39fe8d1118315490f
+Forwarded: not-needed
+---
+ src/dnsproxy.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/dnsproxy.c b/src/dnsproxy.c
+index f28a5d755..7ee26d9ff 100644
+--- a/src/dnsproxy.c
++++ b/src/dnsproxy.c
+@@ -1685,8 +1685,13 @@ static int ns_resolv(struct server_data *server, struct request_data *req,
+ 				gpointer request, gpointer name)
+ {
+ 	int sk = -1;
++	int err;
+ 	const char *lookup = (const char *)name;
+-	int err = ns_try_resolv_from_cache(req, request, lookup);
++
++	if (!lookup || strlen(lookup) == 0)
++		return -EINVAL;
++
++	err = ns_try_resolv_from_cache(req, request, lookup);
+ 
+ 	if (err > 0)
+ 		/* cache hit */
+-- 
+cgit 1.2.3-korg
+
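Review bot: the new guard at the top of ns_resolv returns -EINVAL before the cache lookup and before any socket is opened, so the fix depends on every caller treating a negative return as a failed request; those call sites are not in this hunk and are worth confirming. Two smaller points: "lookup[0] == '\0'" tests for the empty string without walking it with strlen, and the commit message spells the variable "loookup".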
diff -Nru connman-1.44/debian/patches/series connman-1.44/debian/patches/series
--- connman-1.44/debian/patches/series	2025-04-12 17:40:21.000000000 +0200
+++ connman-1.44/debian/patches/series	2025-05-13 09:06:57.000000000 +0200
@@ -1,2 +1,4 @@
 01-init-script-lsb-headers.patch
 02-systemd-service-file-shutdown-problems.patch
+CVE-2025-32743.patch
+CVE-2025-32366.patch

--- End Message ---
--- Begin Message ---
Unblocked.

--- End Message ---
