Fix CVE-2023-49441

(cherry picked from commit eb7f313c79a6e5f789fa3fe271f49e2148f09b92)
2024-06-11 02:15:31 +00:00 · 2024-06-11 02:15:31 +00:00 · 209753bf6c
commit 209753bf6c
parent c3cc74f2e5
2 changed files with 57 additions and 1 deletions
--- a/backport-CVE-2023-49441-Fix-standalone-SHA256-implementation.patch
+++ b/backport-CVE-2023-49441-Fix-standalone-SHA256-implementation.patch
@ -0,0 +1,49 @@
+From 65c2d6afd67a032f45f40d7e4d620f5d73e5f07d Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Wed, 22 Nov 2023 22:02:05 +0000
+Subject: [PATCH] Fix standalone SHA256 implementation.
+
+Bug report here:
+https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2023q4/017332.html
+
+This error probably has no practical effect since even if the hash
+is wrong, it's only compared internally to other hashes computed using
+the same code.
+
+Understanding the error:
+
+hash-questions.c:168:21: runtime error: left shift of 128 by 24 places
+cannot be represented in type 'int'
+
+requires a certain amount of c-lawyerliness. I think the problem is that
+
+m[i] = data[j] << 24
+
+promotes the unsigned char data array value to int before doing the shift and
+then promotes the result to unsigned char to match the type of m[i].
+What needs to happen is to cast the unsigned char to unsigned int
+BEFORE the shift.
+
+This patch does that with explicit casts.
+
+Reference:https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=65c2d6afd67a032f45f40d7e4d620f5d73e5f07d
+---
+ src/hash-questions.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/hash-questions.c b/src/hash-questions.c
+index c1ee135..e6304ac 100644
+--- a/src/hash-questions.c
+++ b/src/hash-questions.c
+@@ -165,7 +165,7 @@ static void sha256_transform(SHA256_CTX *ctx, const BYTE data[])
+   WORD a, b, c, d, e, f, g, h, i, j, t1, t2, m[64];
+   
+   for (i = 0, j = 0; i < 16; ++i, j += 4)
+-    m[i] = (data[j] << 24) | (data[j + 1] << 16) | (data[j + 2] << 8) | (data[j + 3]);
+    m[i] = (((WORD)data[j]) << 24) | (((WORD)data[j + 1]) << 16) | (((WORD)data[j + 2]) << 8) | (((WORD)data[j + 3]));
+   for ( ; i < 64; ++i)
+     m[i] = SIG1(m[i - 2]) + m[i - 7] + SIG0(m[i - 15]) + m[i - 16];
+ 
+-- 
+2.33.0
+
--- a/dnsmasq.spec
+++ b/dnsmasq.spec
@ -1,6 +1,6 @@
 Name:           dnsmasq
 Version:        2.86
-Release:        7
+Release:        8
 Summary:        Dnsmasq provides network infrastructure for small networks
 License:        GPLv2 or GPLv3
 URL:            http://www.thekelleys.org.uk/dnsmasq/
@ -47,6 +47,7 @@ Patch36:        backport-Optimize-inserting-records-into-server-list.patch
 Patch37:        backport-Fix-massive-confusion-on-server-reload.patch
 Patch38:        backport-Fix-use-after-free-in-mark_servers.patch
 Patch39:        backport-Fix-memory-leak-when-using-dhcp-optsfile-with-DHCPv6.patch
+Patch40:        backport-CVE-2023-49441-Fix-standalone-SHA256-implementation.patch

 BuildRequires:  gcc
 BuildRequires:  dbus-devel pkgconfig libidn2-devel nettle-devel systemd
@ -136,6 +137,12 @@ install -Dpm644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysusersdir}/dnsmasq.conf
 %{_mandir}/man8/dnsmasq*

 %changelog
+* Tue Jun 11 2024 renmingshuai <renmingshuai@huawei.com> - 2.86-8
+- Type:CVE
+- Id:CVE-2023-49441
+- SUG:NA
+- DESC:Fix CVE-2023-49441
+
 * Wed Nov 22 2023 renmingshuai <renmingshuai@huawei.com> - 2.86-7
 - Type:bugfix
 - Id:NA