fix CVE-2023-49441

2024-07-08 01:45:16 +00:00 · 2024-07-08 01:45:16 +00:00 · 819610ca2b
commit 819610ca2b
parent 612e9ec457
2 changed files with 57 additions and 1 deletions
--- a/backport-CVE-2023-49441-Fix-standalone-SHA256-implementation.patch
+++ b/backport-CVE-2023-49441-Fix-standalone-SHA256-implementation.patch
@ -0,0 +1,49 @@
+From 65c2d6afd67a032f45f40d7e4d620f5d73e5f07d Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Wed, 22 Nov 2023 22:02:05 +0000
+Subject: [PATCH] Fix standalone SHA256 implementation.
+
+Bug report here:
+https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2023q4/017332.html
+
+This error probably has no practical effect since even if the hash
+is wrong, it's only compared internally to other hashes computed using
+the same code.
+
+Understanding the error:
+
+hash-questions.c:168:21: runtime error: left shift of 128 by 24 places
+cannot be represented in type 'int'
+
+requires a certain amount of c-lawyerliness. I think the problem is that
+
+m[i] = data[j] << 24
+
+promotes the unsigned char data array value to int before doing the shift and
+then promotes the result to unsigned char to match the type of m[i].
+What needs to happen is to cast the unsigned char to unsigned int
+BEFORE the shift.
+
+This patch does that with explicit casts.
+
+Reference:https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=65c2d6afd67a032f45f40d7e4d620f5d73e5f07d
+---
+ src/hash_questions.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/hash_questions.c b/src/hash_questions.c
+index c1ee135..e6304ac 100644
+--- a/src/hash_questions.c
+++ b/src/hash_questions.c
+@@ -165,7 +165,7 @@ static void sha256_transform(SHA256_CTX *ctx, const BYTE data[])
+   WORD a, b, c, d, e, f, g, h, i, j, t1, t2, m[64];
+   
+   for (i = 0, j = 0; i < 16; ++i, j += 4)
+-    m[i] = (data[j] << 24) | (data[j + 1] << 16) | (data[j + 2] << 8) | (data[j + 3]);
+    m[i] = (((WORD)data[j]) << 24) | (((WORD)data[j + 1]) << 16) | (((WORD)data[j + 2]) << 8) | (((WORD)data[j + 3]));
+   for ( ; i < 64; ++i)
+     m[i] = SIG1(m[i - 2]) + m[i - 7] + SIG0(m[i - 15]) + m[i - 16];
+ 
+-- 
+2.33.0
+
--- a/dnsmasq.spec
+++ b/dnsmasq.spec
@ -1,6 +1,6 @@
 Name:           dnsmasq
 Version:        2.82
-Release:        14
+Release:        15
 Summary:        Dnsmasq provides network infrastructure for small networks
 License:        GPLv2 or GPLv3
 URL:            http://www.thekelleys.org.uk/dnsmasq/
@ -38,6 +38,7 @@ Patch27:     backport-CVE-2023-28450-Set-the-default-maximum-DNS-UDP-packet.patc
 Patch28:     backport-Fix-parsing-of-IPv6-addresses-with-peer-from-netlink.patch
 Patch29:     backport-Reduce-code-duplication-reuse-existing-functions.patch
 Patch30:     backport-Fix-memory-leak-when-using-dhcp-optsfile-with-DHCPv6.patch
+Patch31:     backport-CVE-2023-49441-Fix-standalone-SHA256-implementation.patch

 BuildRequires:  dbus-devel pkgconfig libidn2-devel nettle-devel systemd
 Requires:       nettle >= 3.4 %{name}-help
@ -130,6 +131,12 @@ install -Dpm644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysusersdir}/dnsmasq.conf
 %{_mandir}/man8/dnsmasq*

 %changelog
+* Mon Jul 8 2024 renmingshuai <renmingshuai@huawei.com> - 2.82-15
+- Type:CVE
+- Id:
+- SUG:NA
+- DESC:fix CVE-2023-49441
+
 * Wed Dec 6 2023 renmingshuai <renmingshuai@huawei.com> - 2.82-14
 - Type:bugfix
 - Id: