[main]: Updating 'uclibc-ng' to version 1.0.39. (#1830)

2022-01-04 04:35:19 -08:00 · 2022-01-04 04:35:19 -08:00 · 2d00768c32
parent 0d51280759
commit 2d00768c32
4 changed files with 18 additions and 168 deletions
--- a/SPECS/uclibc-ng/CVE-2021-43523.patch
+++ b/SPECS/uclibc-ng/CVE-2021-43523.patch
@ -1,152 +0,0 @@
-From 0f822af0445e5348ce7b7bd8ce1204244f31d174 Mon Sep 17 00:00:00 2001
-From: mirabilos <m@mirbsd.org>
-Date: Mon, 9 Aug 2021 03:37:31 +0200
-Subject: [PATCH] =?UTF-8?q?libc/inet/resolv.c:=20add=20=5F=5Fhnbad=20to=20?=
- =?UTF-8?q?check=20DNS=20entries=20for=20validity=E2=80=A6?=
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-… using the same rules glibc does
-
-also call __hnbad in some places to check answers
---
- libc/inet/resolv.c | 64 ++++++++++++++++++++++++++++++++++++++++++++--
- 1 file changed, 62 insertions(+), 2 deletions(-)
-
-diff --git a/libc/inet/resolv.c b/libc/inet/resolv.c
-index ed2e0d2..b9e7f1a 100644
--- a/libc/inet/resolv.c
-+++ b/libc/inet/resolv.c
-@@ -416,6 +416,7 @@ extern int __encode_answer(struct resolv_answer *a,
- 		int maxlen) attribute_hidden;
- extern void __open_nameservers(void) attribute_hidden;
- extern void __close_nameservers(void) attribute_hidden;
-+extern int __hnbad(const char *dotted) attribute_hidden;
- 
- /*
-  * Theory of operation.
-@@ -1204,6 +1205,7 @@ int __dns_lookup(const char *name,
- 	bool ends_with_dot;
- 	bool contains_dot;
- 	sockaddr46_t sa;
-+	int num_answers;
- 
- 	fd = -1;
- 	lookup = NULL;
-@@ -1446,6 +1448,7 @@ int __dns_lookup(const char *name,
- 			goto fail1;
- 		}
- 		pos = HFIXEDSZ;
-+		/*XXX TODO: check that question matches query (and qdcount==1?) */
- 		for (j = 0; j < h.qdcount; j++) {
- 			DPRINTF("Skipping question %d at %d\n", j, pos);
- 			i = __length_question(packet + pos, packet_len - pos);
-@@ -1460,6 +1463,7 @@ int __dns_lookup(const char *name,
- 		DPRINTF("Decoding answer at pos %d\n", pos);
- 
- 		first_answer = 1;
-+		num_answers = 0;
- 		a->dotted = NULL;
- 		for (j = 0; j < h.ancount; j++) {
- 			i = __decode_answer(packet, pos, packet_len, &ma);
-@@ -1467,12 +1471,15 @@ int __dns_lookup(const char *name,
- 				DPRINTF("failed decode %d\n", i);
- 				/* If the message was truncated but we have
- 				 * decoded some answers, pretend it's OK */
-				if (j && h.tc)
-+				if (num_answers && h.tc)
- 					break;
- 				goto try_next_server;
- 			}
- 			pos += i;
- 
-+			if (__hnbad(ma.dotted))
-+				break;
-+			++num_answers;
- 			if (first_answer) {
- 				ma.buf = a->buf;
- 				ma.buflen = a->buflen;
-@@ -1502,6 +1509,10 @@ int __dns_lookup(const char *name,
- 				++a->add_count;
- 			}
- 		}
-+		if (!num_answers) {
-+			h_errno = NO_RECOVERY;
-+			goto fail1;
-+		}
- 
- 		/* Success! */
- 		DPRINTF("Answer name = |%s|\n", a->dotted);
-@@ -2468,7 +2479,7 @@ int gethostbyaddr_r(const void *addr, socklen_t addrlen,
- 		/* Decode CNAME into buf, feed it to __dns_lookup() again */
- 		i = __decode_dotted(packet, a.rdoffset, packet_len, buf, buflen);
- 		free(packet);
-		if (i < 0) {
-+		if (i < 0 || __hnbad(buf)) {
- 			*h_errnop = NO_RECOVERY;
- 			return -1;
- 		}
-@@ -2477,6 +2488,10 @@ int gethostbyaddr_r(const void *addr, socklen_t addrlen,
- 	if (a.atype == T_PTR) {	/* ADDRESS */
- 		i = __decode_dotted(packet, a.rdoffset, packet_len, buf, buflen);
- 		free(packet);
-+		if (__hnbad(buf)) {
-+			*h_errnop = NO_RECOVERY;
-+			return -1;
-+		}
- 		result_buf->h_name = buf;
- 		result_buf->h_addrtype = type;
- 		result_buf->h_length = addrlen;
-@@ -3041,6 +3056,51 @@ int ns_name_pton(const char *src, u_char *dst, size_t dstsiz)
- }
- libc_hidden_def(ns_name_pton)
- 
-+/*
-+ * __hnbad(dotted)
-+ *	Check whether a name is valid enough for DNS. The rules, as
-+ *	laid down by glibc, are:
-+ *	- printable input string
-+ *	- converts to label notation
-+ *	- each label only contains [0-9a-zA-Z_-], up to 63 octets
-+ *	- first label doesn’t begin with ‘-’
-+ *	This both is weaker than Unix hostnames (e.g. it allows
-+ *	underscores and leading/trailing hyphen-minus) and stronger
-+ *	than general (e.g. a leading “*.” is valid sometimes), take care.
-+ * return:
-+ *	0 if the name is ok
-+ */
-+int __hnbad(const char *dotted)
-+{
-+	unsigned char c, n, *cp;
-+	unsigned char buf[NS_MAXCDNAME];
-+
-+	cp = (unsigned char *)dotted;
-+	while ((c = *cp++))
-+		if (c < 0x21 || c > 0x7E)
-+			return (1);
-+	if (ns_name_pton(dotted, buf, sizeof(buf)) < 0)
-+		return (2);
-+	if (buf[0] > 0 && buf[1] == '-')
-+		return (3);
-+	cp = buf;
-+	while ((n = *cp++)) {
-+		if (n > 63)
-+			return (4);
-+		while (n--) {
-+			c = *cp++;
-+			if (c < '-' ||
-+			    (c > '-' && c < '0') ||
-+			    (c > '9' && c < 'A') ||
-+			    (c > 'Z' && c < '_') ||
-+			    (c > '_' && c < 'a') ||
-+			    c > 'z')
-+				return (5);
-+		}
-+	}
-+	return (0);
-+}
-+
- /*
-  * ns_name_unpack(msg, eom, src, dst, dstsiz)
-  *      Unpack a domain name from a message, source may be compressed.
--- a/SPECS/uclibc-ng/uclibc-ng.signatures.json
+++ b/SPECS/uclibc-ng/uclibc-ng.signatures.json
@ -1,6 +1,6 @@
 {
 "Signatures": {
-  "uClibc-ng-1.0.37.tar.xz": "b2b815d20645cf604b99728202bf3ecb62507ce39dfa647884b4453caf86212c",
+  "uClibc-ng-1.0.39.tar.xz": "cb089dfe14867a38f222d6428e85d0e1191dcbb66dd9b1a671484f6bc7c81920",
  "uClibc.config": "5cd0bebdcc29597e6abdcfcbb0d7309633dd843b273b0baca718e6d5f2fb0f1f"
 }
 }
--- a/SPECS/uclibc-ng/uclibc-ng.spec
+++ b/SPECS/uclibc-ng/uclibc-ng.spec
@ -3,15 +3,14 @@
 %global debug_package %{nil}
 Summary:        C library for embedded Linux
 Name:           uclibc-ng
-Version:        1.0.37
-Release:        2%{?dist}
+Version:        1.0.39
+Release:        1%{?dist}
 License:        LGPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 URL:            https://www.uclibc.org/
 Source0:        https://downloads.uclibc-ng.org/releases/%{version}/%{uclibc_name}-%{version}.tar.xz
 Source1:        uClibc.config
-Patch0:         CVE-2021-43523.patch

 BuildRequires:  gcc

@ -83,6 +82,9 @@ rm -rf  %{buildroot}/include/
 %{_libdir}/uClibc

 %changelog
+* Mon Jan 03 2022 Pawel Winogrodzki <pawelwi@microsoft.com> - 1.0.39-1
+- Updating to version 1.0.39.
+
 * Thu Nov 18 2021 Pawel Winogrodzki <pawelwi@microsoft.com> - 1.0.37-2
 - Adding patch for CVE-2021-43523.

--- a/cgmanifest.json
+++ b/cgmanifest.json
@ -24009,16 +24009,6 @@
        }
      }
    },
-    {
-      "component": {
-        "type": "other",
-        "other": {
-          "name": "python-requests_ntlm",
-          "version": "1.1.0",
-          "downloadUrl": "https://github.com/requests/requests-ntlm/archive/v1.1.0/requests_ntlm-1.1.0.tar.gz"
-        }
-      }
-    },
    {
      "component": {
        "type": "other",
@ -24039,6 +24029,16 @@
        }
      }
    },
+    {
+      "component": {
+        "type": "other",
+        "other": {
+          "name": "python-requests_ntlm",
+          "version": "1.1.0",
+          "downloadUrl": "https://github.com/requests/requests-ntlm/archive/v1.1.0/requests_ntlm-1.1.0.tar.gz"
+        }
+      }
+    },
    {
      "component": {
        "type": "other",
@ -28337,8 +28337,8 @@
        "type": "other",
        "other": {
          "name": "uclibc-ng",
-          "version": "1.0.37",
-          "downloadUrl": "https://downloads.uclibc-ng.org/releases/1.0.37/uClibc-ng-1.0.37.tar.xz"
+          "version": "1.0.39",
+          "downloadUrl": "https://downloads.uclibc-ng.org/releases/1.0.39/uClibc-ng-1.0.39.tar.xz"
        }
      }
    },