CVE-2021-33833: The issue affects the dnsproxy component in releases 1.32 to 1.39 of connman. Unpacking of NAME and RDATA/RDLENGTH fields with TYPE A/AAAA in the uncompress function uses a memcpy with insufficient bounds checking, which can overflow a stack buffer. Researcher has written a POC, works with stack overflow heuristics and PIE disabled, so stack overflow protection seems to mitigate it. I am apparently not authorized to access the homepage of Connman, so I can't tell if there's any fixed release upstream. There is a patch at URL, however.
I'll try to find out if the homepage has moved or just has a temporary problem, but in the meantime: https://git.kernel.org/pub/scm/network/connman/connman.git/
Guessing this is the relevant patch then: https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=eceb2e8d2341c041df55a5e2f047d9a8c491463c
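The bug class described in the report, shown as an added example that is not connman's code and not the upstream patch: a record unpacker in which every memcpy is checked against both the bytes left in the message and the space left in the output buffer. The function names, the constructed sample record, the A/AAAA RDLENGTH check and the choice to reject compression pointers outright are assumptions made to keep the example short.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample: NAME "a.b", TYPE A, CLASS IN, TTL 60, RDLENGTH 4, 192.0.2.1 */
static const uint8_t sample_rr[] = { 1, 'a', 1, 'b', 0,  0, 1,  0, 1,  0, 0, 0, 60,
                                     0, 4,  192, 0, 2, 1 };

/* Copy n bytes from msg[*off] to out[*used]; callers keep *off <= msg_len, *used <= cap. */
static int copy_checked(const uint8_t *msg, size_t msg_len, size_t *off,
                        uint8_t *out, size_t cap, size_t *used, size_t n)
{
    if (n > msg_len - *off || n > cap - *used)
        return -1;              /* would read past the message or write past out */
    memcpy(out + *used, msg + *off, n);
    *off += n;
    *used += n;
    return 0;
}

/* Unpack one record (NAME, 10-byte fixed part, RDATA) from msg[off] into out.
 * Returns bytes written, or -1 if the record is malformed or does not fit. */
long unpack_rr(const uint8_t *msg, size_t msg_len, size_t off, uint8_t *out, size_t cap)
{
    size_t used = 0;
    uint8_t len;
    do {                        /* NAME: length-prefixed labels ending in a 0 byte */
        if (off >= msg_len || (len = msg[off]) > 63)
            return -1;          /* truncated, or a pointer (assumed absent here) */
        if (copy_checked(msg, msg_len, &off, out, cap, &used, (size_t)len + 1))
            return -1;
    } while (len != 0);
    if (msg_len - off < 10)     /* TYPE(2) CLASS(2) TTL(4) RDLENGTH(2) */
        return -1;
    unsigned type  = (unsigned)msg[off] << 8 | msg[off + 1];
    size_t   rdlen = (size_t)msg[off + 8] << 8 | msg[off + 9];
    if (copy_checked(msg, msg_len, &off, out, cap, &used, 10))
        return -1;
    /* RDLENGTH is peer-controlled: A (1) must be 4 bytes, AAAA (28) must be 16 */
    if ((type == 1 && rdlen != 4) || (type == 28 && rdlen != 16) ||
        copy_checked(msg, msg_len, &off, out, cap, &used, rdlen))
        return -1;
    return (long)used;
}

int main(void)
{
    uint8_t out[32];
    return unpack_rr(sample_rr, sizeof sample_rr, 0, out, sizeof out) == 19 ? 0 : 1;
}
```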
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ac59da57086f45ad426889f31b78cfccc6de6848
commit ac59da57086f45ad426889f31b78cfccc6de6848
Author: Ben Kohler <bkohler@gentoo.org>
AuthorDate: 2021-06-10 11:34:05 +0000
Commit: Ben Kohler <bkohler@gentoo.org>
CommitDate: 2021-06-10 11:34:31 +0000
    net-misc/connman: bump to 1.40
    Bug: https://bugs.gentoo.org/795084
    Package-Manager: Portage-3.0.19, Repoman-3.0.3
    Signed-off-by: Ben Kohler <bkohler@gentoo.org>
 net-misc/connman/Manifest | 1 +
 net-misc/connman/connman-1.40.ebuild | 101 +++++++++++++++++++++++++++++++++++
 2 files changed, 102 insertions(+)
Thank you! Please stabilize when ready.
ppc stable
ppc64 stable
x86 stable
amd64 done
arm64 done
arm done
all arches done
Please cleanup
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=419fb3386c724da91004543a5b0494c16a375c2d
commit 419fb3386c724da91004543a5b0494c16a375c2d
Author: Ben Kohler <bkohler@gentoo.org>
AuthorDate: 2021-06-22 23:50:21 +0000
Commit: Ben Kohler <bkohler@gentoo.org>
CommitDate: 2021-06-22 23:50:41 +0000
    net-misc/connman: drop old
    Bug: https://bugs.gentoo.org/795084
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Ben Kohler <bkohler@gentoo.org>
 net-misc/connman/Manifest | 1 -
 net-misc/connman/connman-1.39-r1.ebuild | 101 --------------------------------
 2 files changed, 102 deletions(-)
GLSA request filed.
This issue was resolved and addressed in GLSA 202107-29 at https://security.gentoo.org/glsa/202107-29 by GLSA coordinator Sam James (sam_c).