* [PATCH] busybox: Security Fix CVE-2016-6301
@ 2017-04-05 14:37 Andrej Valek
  2017-04-05 15:02 ` ✗ patchtest: failure for " Patchwork
  2017-04-06  7:07 ` [PATCH v2] busybox: Security fix CVE-2016-6301 Andrej Valek
  0 siblings, 2 replies; 3+ messages in thread
From: Andrej Valek @ 2017-04-05 14:37 UTC
  To: openembedded-core

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Pascal Bach <pascal.bach@siemens.com>
---
 .../busybox/busybox/CVE-2016-6301.patch            | 37 ++++++++++++++++++++++
 meta/recipes-core/busybox/busybox_1.24.1.bb        |  1 +
 2 files changed, 38 insertions(+)
 create mode 100644 meta/recipes-core/busybox/busybox/CVE-2016-6301.patch

diff --git a/meta/recipes-core/busybox/busybox/CVE-2016-6301.patch b/meta/recipes-core/busybox/busybox/CVE-2016-6301.patch
new file mode 100644
index 0000000..851bc20
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2016-6301.patch
@@ -0,0 +1,37 @@
+busybox1.24.1: Fix CVE-2016-6301
+
+[No upstream tracking] -- https://bugzilla.redhat.com/show_bug.cgi?id=1363710
+
+ntpd: NTP server denial of service flaw
+
+The busybox NTP implementation doesn't check the NTP mode of packets
+received on the server port and responds to any packet with the right
+size. This includes responses from another NTP server. An attacker can
+send a packet with a spoofed source address in order to create an
+infinite loop of responses between two busybox NTP servers. Adding
+more packets to the loop increases the traffic between the servers
+until one of them has a fully loaded CPU and/or network.
+
+Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=150dc7a2b483b8338a3e185c478b4b23ee884e71]
+CVE: CVE-2016-6301
+Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
+Signed-off-by: Pascal Bach <pascal.bach@siemens.com>
+
+diff --git a/networking/ntpd.c b/networking/ntpd.c
+index 9732c9b..0f6a55f 100644
+--- a/networking/ntpd.c
++++ b/networking/ntpd.c
+@@ -1985,6 +1985,13 @@ recv_and_process_client_pkt(void /*int fd*/)
+ 		goto bail;
+ 	}
+ 
++	/* Respond only to client and symmetric active packets */
++	if ((msg.m_status & MODE_MASK) != MODE_CLIENT
++	 && (msg.m_status & MODE_MASK) != MODE_SYM_ACT
++	) {
++		goto bail;
++	}
++
+ 	query_status = msg.m_status;
+ 	query_xmttime = msg.m_xmttime;
+ 
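Review bot: the header of the new patch file contradicts itself: it opens with "[No upstream tracking]" next to the Red Hat bugzilla link, yet the Upstream-Status line marks the change as a Backport of busybox commit 150dc7a2b483b8338a3e185c478b4b23ee884e71. Suggest dropping the "[No upstream tracking]" marker and keeping the bugzilla URL as a plain reference, so that Upstream-Status is the single statement of origin. The title line "busybox1.24.1:" is also missing a space before the version.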
diff --git a/meta/recipes-core/busybox/busybox_1.24.1.bb b/meta/recipes-core/busybox/busybox_1.24.1.bb
index 41fc641..6013ec9 100644
--- a/meta/recipes-core/busybox/busybox_1.24.1.bb
+++ b/meta/recipes-core/busybox/busybox_1.24.1.bb
@@ -47,6 +47,7 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
            file://CVE-2016-2148.patch \
            file://CVE-2016-2147.patch \
            file://CVE-2016-2147_2.patch \
+           file://CVE-2016-6301.patch \
            file://ip_fix_problem_on_mips64_n64_big_endian_musl_systems.patch \
            file://makefile-fix-backport.patch \
            file://0001-sed-fix-sed-n-flushes-pattern-space-terminates-early.patch \
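Review bot: the SRC_URI addition wires the fix into busybox_1.24.1.bb only. If the layer carries any other busybox recipe version, the ntpd mode check would be missing there; please confirm that 1.24.1 is the only recipe that needs it, or say so in the commit message. Placing the entry right after the CVE-2016-2147 patches is fine and keeps the CVE backports grouped.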
-- 
2.1.4




* ✗ patchtest: failure for busybox: Security Fix CVE-2016-6301
  2017-04-05 14:37 [PATCH] busybox: Security Fix CVE-2016-6301 Andrej Valek
@ 2017-04-05 15:02 ` Patchwork
  2017-04-06  7:07 ` [PATCH v2] busybox: Security fix CVE-2016-6301 Andrej Valek
  1 sibling, 0 replies; 3+ messages in thread
From: Patchwork @ 2017-04-05 15:02 UTC
  To: Andrej Valek; +Cc: openembedded-core

== Series Details ==

Series: busybox: Security Fix CVE-2016-6301
Revision: 1
URL   : https://patchwork.openembedded.org/series/6173/
State : failure

== Summary ==


Thank you for submitting this patch series to OpenEmbedded Core. This is
an automated response. Several tests have been executed on the proposed
series by patchtest resulting in the following failures:



* Patch            busybox: Security Fix CVE-2016-6301
 Issue             Missing or incorrectly formatted CVE tag in commit message [test_cve_presence_in_commit_message] 
  Suggested fix    Include a "CVE-xxxx-xxxx" tag in the commit message



If you believe any of these test results are incorrect, please reply to the
mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
Otherwise we would appreciate you correcting the issues and submitting a new
version of the patchset if applicable. Please ensure you add/increment the
version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
[PATCH v3] -> ...).

---
Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
Test suite:     http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe




* [PATCH v2] busybox: Security fix CVE-2016-6301
  2017-04-05 14:37 [PATCH] busybox: Security Fix CVE-2016-6301 Andrej Valek
  2017-04-05 15:02 ` ✗ patchtest: failure for " Patchwork
@ 2017-04-06  7:07 ` Andrej Valek
  1 sibling, 0 replies; 3+ messages in thread
From: Andrej Valek @ 2017-04-06  7:07 UTC
  To: openembedded-core

ntpd: NTP server denial of service flaw

CVE: CVE-2016-6301
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Pascal Bach <pascal.bach@siemens.com>
---
 .../busybox/busybox/CVE-2016-6301.patch            | 37 ++++++++++++++++++++++
 meta/recipes-core/busybox/busybox_1.24.1.bb        |  1 +
 2 files changed, 38 insertions(+)
 create mode 100644 meta/recipes-core/busybox/busybox/CVE-2016-6301.patch

diff --git a/meta/recipes-core/busybox/busybox/CVE-2016-6301.patch b/meta/recipes-core/busybox/busybox/CVE-2016-6301.patch
new file mode 100644
index 0000000..851bc20
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2016-6301.patch
@@ -0,0 +1,37 @@
+busybox1.24.1: Fix CVE-2016-6301
+
+[No upstream tracking] -- https://bugzilla.redhat.com/show_bug.cgi?id=1363710
+
+ntpd: NTP server denial of service flaw
+
+The busybox NTP implementation doesn't check the NTP mode of packets
+received on the server port and responds to any packet with the right
+size. This includes responses from another NTP server. An attacker can
+send a packet with a spoofed source address in order to create an
+infinite loop of responses between two busybox NTP servers. Adding
+more packets to the loop increases the traffic between the servers
+until one of them has a fully loaded CPU and/or network.
+
+Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=150dc7a2b483b8338a3e185c478b4b23ee884e71]
+CVE: CVE-2016-6301
+Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
+Signed-off-by: Pascal Bach <pascal.bach@siemens.com>
+
+diff --git a/networking/ntpd.c b/networking/ntpd.c
+index 9732c9b..0f6a55f 100644
+--- a/networking/ntpd.c
++++ b/networking/ntpd.c
+@@ -1985,6 +1985,13 @@ recv_and_process_client_pkt(void /*int fd*/)
+ 		goto bail;
+ 	}
+ 
++	/* Respond only to client and symmetric active packets */
++	if ((msg.m_status & MODE_MASK) != MODE_CLIENT
++	 && (msg.m_status & MODE_MASK) != MODE_SYM_ACT
++	) {
++		goto bail;
++	}
++
+ 	query_status = msg.m_status;
+ 	query_xmttime = msg.m_xmttime;
+ 
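Review bot: in the embedded ntpd.c hunk the new filter still lets MODE_SYM_ACT packets through to the reply path, and the hunk does not show which mode the reply carries. Since the described flaw is two servers answering each other's responses, it is worth confirming (and stating in the patch header) that a reply to a symmetric active query is sent in a mode this check rejects, so a peer running the same fix drops it. Minor: "(msg.m_status & MODE_MASK)" is evaluated twice; if that matches the upstream commit, leave it unchanged so the backport stays identical.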
diff --git a/meta/recipes-core/busybox/busybox_1.24.1.bb b/meta/recipes-core/busybox/busybox_1.24.1.bb
index 41fc641..6013ec9 100644
--- a/meta/recipes-core/busybox/busybox_1.24.1.bb
+++ b/meta/recipes-core/busybox/busybox_1.24.1.bb
@@ -47,6 +47,7 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
            file://CVE-2016-2148.patch \
            file://CVE-2016-2147.patch \
            file://CVE-2016-2147_2.patch \
+           file://CVE-2016-6301.patch \
            file://ip_fix_problem_on_mips64_n64_big_endian_musl_systems.patch \
            file://makefile-fix-backport.patch \
            file://0001-sed-fix-sed-n-flushes-pattern-space-terminates-early.patch \
-- 
2.1.4


