[dunfell][PATCH] busybox: Security Fix For CVE-2018-1000500

[dunfell][PATCH] busybox: Security Fix For CVE-2018-1000500

[Rahul Kumar]

CVE: CVE-2018-1000500

Signed-off-by: Rahul Kumar <rahulk@mvista.com>
---
 .../busybox/busybox/busybox-CVE-2018-1000500.patch | 98 ++++++++++++++++++++++
 meta/recipes-core/busybox/busybox_1.31.1.bb        |  1 +
 2 files changed, 99 insertions(+)
 create mode 100644 meta/recipes-core/busybox/busybox/busybox-CVE-2018-1000500.patch

diff --git a/meta/recipes-core/busybox/busybox/busybox-CVE-2018-1000500.patch b/meta/recipes-core/busybox/busybox/busybox-CVE-2018-1000500.patch
new file mode 100644
index 0000000..cde3923
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/busybox-CVE-2018-1000500.patch
@@ -0,0 +1,98 @@
+From 71e7e2fb35c806d20f9739d832cd9ae3a86fdee2 Mon Sep 17 00:00:00 2001
+From: Dimitri John Ledkov <xnox@ubuntu.com>
+Date: Tue, 19 May 2020 18:20:39 +0100
+Subject: [PATCH] wget: implement TLS verification with
+ ENABLE_FEATURE_WGET_OPENSSL
+
+When ENABLE_FEATURE_WGET_OPENSSL is enabled, correctly implement TLS
+verification by default. And only ignore verification errors, if
+--no-check-certificate was passed.
+
+Also note, that previously OPENSSL implementation did not implement
+TLS verification, nor printed any warning messages that verification
+was not performed.
+
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1879533
+
+CVE-2018-1000500
+
+Upstream Status: Backport https://git.busybox.net/busybox/commit/?id=45fa3f18adf57ef9d743038743d9c90573aeeb91
+CVE: CVE-2018-1000500
+
+Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+Signed-off-by: Rahul Kumar <rahulk@mvista.com>
+---
+ networking/wget.c | 20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+diff --git a/networking/wget.c b/networking/wget.c
+index 9153264..a7e6deb 100644
+--- a/networking/wget.c
++++ b/networking/wget.c
+@@ -91,6 +91,9 @@
+ //config:	patches, but do want to waste bandwidth expaining how wrong
+ //config:	it is, you will be ignored.
+ //config:
++//config:	FEATURE_WGET_OPENSSL does implement TLS verification
++//config:	using the certificates available to OpenSSL.
++//config:
+ //config:config FEATURE_WGET_OPENSSL
+ //config:	bool "Try to connect to HTTPS using openssl"
+ //config:	default y
+@@ -115,6 +118,9 @@
+ //config:	If openssl can't be executed, internal TLS code will be used
+ //config:	(if you enabled it); if openssl can be executed but fails later,
+ //config:	wget can't detect this, and download will fail.
++//config:
++//config:	By default TLS verification is performed, unless
++//config:	--no-check-certificate option is passed.
+ 
+ //applet:IF_WGET(APPLET(wget, BB_DIR_USR_BIN, BB_SUID_DROP))
+ 
+@@ -124,8 +130,11 @@
+ //usage:	IF_FEATURE_WGET_LONG_OPTIONS(
+ //usage:       "[-c|--continue] [--spider] [-q|--quiet] [-O|--output-document FILE]\n"
+ //usage:       "	[-o|--output-file FILE] [--header 'header: value'] [-Y|--proxy on/off]\n"
++//usage:	IF_FEATURE_WGET_OPENSSL(
++//usage:       "	[--no-check-certificate]\n"
++//usage:	)
+ /* Since we ignore these opts, we don't show them in --help */
+-/* //usage:    "	[--no-check-certificate] [--no-cache] [--passive-ftp] [-t TRIES]" */
++/* //usage:    "	[--no-cache] [--passive-ftp] [-t TRIES]" */
+ /* //usage:    "	[-nv] [-nc] [-nH] [-np]" */
+ //usage:       "	[-P DIR] [-S|--server-response] [-U|--user-agent AGENT]" IF_FEATURE_WGET_TIMEOUT(" [-T SEC]") " URL..."
+ //usage:	)
+@@ -137,7 +146,9 @@
+ //usage:       "Retrieve files via HTTP or FTP\n"
+ //usage:	IF_FEATURE_WGET_LONG_OPTIONS(
+ //usage:     "\n	--spider	Only check URL existence: $? is 0 if exists"
+-///////:     "\n	--no-check-certificate	Don't validate the server's certificate"
++//usage:	IF_FEATURE_WGET_OPENSSL(
++//usage:     "\n	--no-check-certificate	Don't validate the server's certificate"
++//usage:	)
+ //usage:	)
+ //usage:     "\n	-c		Continue retrieval of aborted transfer"
+ //usage:     "\n	-q		Quiet"
+@@ -662,7 +673,7 @@ static int spawn_https_helper_openssl(const char *host, unsigned port)
+ 	pid = xvfork();
+ 	if (pid == 0) {
+ 		/* Child */
+-		char *argv[8];
++		char *argv[9];
+ 
+ 		close(sp[0]);
+ 		xmove_fd(sp[1], 0);
+@@ -689,6 +700,9 @@ static int spawn_https_helper_openssl(const char *host, unsigned port)
+ 			argv[5] = (char*)"-servername";
+ 			argv[6] = (char*)servername;
+ 		}
++		if (!(option_mask32 & WGET_OPT_NO_CHECK_CERT)) {
++			argv[7] = (char*)"-verify_return_error";
++		}
+ 
+ 		BB_EXECVP(argv[0], argv);
+ 		xmove_fd(3, 2);
+-- 
+2.7.4
+
diff --git a/meta/recipes-core/busybox/busybox_1.31.1.bb b/meta/recipes-core/busybox/busybox_1.31.1.bb
index 2bb1d59..a6b4702 100644
--- a/meta/recipes-core/busybox/busybox_1.31.1.bb
+++ b/meta/recipes-core/busybox/busybox_1.31.1.bb
@@ -48,6 +48,7 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
            file://0001-Remove-syscall-wrappers-around-clock_gettime-closes-.patch \
            file://0001-Remove-stime-function-calls.patch \
            file://0001-sysctl-ignore-EIO-of-stable_secret-below-proc-sys-ne.patch \
+           file://busybox-CVE-2018-1000500.patch \
 "
 SRC_URI_append_libc-musl = " file://musl.cfg "
 
-- 
2.7.4

✗ patchtest: failure for busybox: Security Fix For CVE-2018-1000500

[Patchwork]

== Series Details ==

Series: busybox: Security Fix For CVE-2018-1000500
Revision: 1
URL   : https://patchwork.openembedded.org/series/25105/
State : failure

== Summary ==


Thank you for submitting this patch series to OpenEmbedded Core. This is
an automated response. Several tests have been executed on the proposed
series by patchtest resulting in the following failures:



* Issue             Upstream-Status is in incorrect format [test_upstream_status_presence_format] 
  Suggested fix    Fix Upstream-Status format in busybox-CVE-2018-1000500.patch
  Current          Upstream Status: Backport https://git.busybox.net/busybox/commit/?id=45fa3f18adf57ef9d743038743d9c90573aeeb91
  Standard format  Upstream-Status: <Valid status>
  Valid status     Pending, Accepted, Backport, Denied, Inappropriate [reason], Submitted [where]



If you believe any of these test results are incorrect, please reply to the
mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
Otherwise we would appreciate you correcting the issues and submitting a new
version of the patchset if applicable. Please ensure you add/increment the
version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
[PATCH v3] -> ...).

---
Guidelines:     https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
Test suite:     http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe

Re: [OE-core] [dunfell][PATCH] busybox: Security Fix For CVE-2018-1000500

[akuster]

[-- Attachment #1: Type: text/plain, Size: 5579 bytes --]



On 7/11/20 6:21 PM, Rahul Kumar wrote:
> CVE: CVE-2018-1000500
>
> Signed-off-by: Rahul Kumar <rahulk@mvista.com>

Does this affect master?

-armin
> ---
>  .../busybox/busybox/busybox-CVE-2018-1000500.patch | 98 ++++++++++++++++++++++
>  meta/recipes-core/busybox/busybox_1.31.1.bb        |  1 +
>  2 files changed, 99 insertions(+)
>  create mode 100644 meta/recipes-core/busybox/busybox/busybox-CVE-2018-1000500.patch
>
> diff --git a/meta/recipes-core/busybox/busybox/busybox-CVE-2018-1000500.patch b/meta/recipes-core/busybox/busybox/busybox-CVE-2018-1000500.patch
> new file mode 100644
> index 0000000..cde3923
> --- /dev/null
> +++ b/meta/recipes-core/busybox/busybox/busybox-CVE-2018-1000500.patch
> @@ -0,0 +1,98 @@
> +From 71e7e2fb35c806d20f9739d832cd9ae3a86fdee2 Mon Sep 17 00:00:00 2001
> +From: Dimitri John Ledkov <xnox@ubuntu.com>
> +Date: Tue, 19 May 2020 18:20:39 +0100
> +Subject: [PATCH] wget: implement TLS verification with
> + ENABLE_FEATURE_WGET_OPENSSL
> +
> +When ENABLE_FEATURE_WGET_OPENSSL is enabled, correctly implement TLS
> +verification by default. And only ignore verification errors, if
> +--no-check-certificate was passed.
> +
> +Also note, that previously OPENSSL implementation did not implement
> +TLS verification, nor printed any warning messages that verification
> +was not performed.
> +
> +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1879533
> +
> +CVE-2018-1000500
> +
> +Upstream Status: Backport https://git.busybox.net/busybox/commit/?id=45fa3f18adf57ef9d743038743d9c90573aeeb91
> +CVE: CVE-2018-1000500
> +
> +Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
> +Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
> +Signed-off-by: Rahul Kumar <rahulk@mvista.com>
> +---
> + networking/wget.c | 20 +++++++++++++++++---
> + 1 file changed, 17 insertions(+), 3 deletions(-)
> +
> +diff --git a/networking/wget.c b/networking/wget.c
> +index 9153264..a7e6deb 100644
> +--- a/networking/wget.c
> ++++ b/networking/wget.c
> +@@ -91,6 +91,9 @@
> + //config:	patches, but do want to waste bandwidth expaining how wrong
> + //config:	it is, you will be ignored.
> + //config:
> ++//config:	FEATURE_WGET_OPENSSL does implement TLS verification
> ++//config:	using the certificates available to OpenSSL.
> ++//config:
> + //config:config FEATURE_WGET_OPENSSL
> + //config:	bool "Try to connect to HTTPS using openssl"
> + //config:	default y
> +@@ -115,6 +118,9 @@
> + //config:	If openssl can't be executed, internal TLS code will be used
> + //config:	(if you enabled it); if openssl can be executed but fails later,
> + //config:	wget can't detect this, and download will fail.
> ++//config:
> ++//config:	By default TLS verification is performed, unless
> ++//config:	--no-check-certificate option is passed.
> + 
> + //applet:IF_WGET(APPLET(wget, BB_DIR_USR_BIN, BB_SUID_DROP))
> + 
> +@@ -124,8 +130,11 @@
> + //usage:	IF_FEATURE_WGET_LONG_OPTIONS(
> + //usage:       "[-c|--continue] [--spider] [-q|--quiet] [-O|--output-document FILE]\n"
> + //usage:       "	[-o|--output-file FILE] [--header 'header: value'] [-Y|--proxy on/off]\n"
> ++//usage:	IF_FEATURE_WGET_OPENSSL(
> ++//usage:       "	[--no-check-certificate]\n"
> ++//usage:	)
> + /* Since we ignore these opts, we don't show them in --help */
> +-/* //usage:    "	[--no-check-certificate] [--no-cache] [--passive-ftp] [-t TRIES]" */
> ++/* //usage:    "	[--no-cache] [--passive-ftp] [-t TRIES]" */
> + /* //usage:    "	[-nv] [-nc] [-nH] [-np]" */
> + //usage:       "	[-P DIR] [-S|--server-response] [-U|--user-agent AGENT]" IF_FEATURE_WGET_TIMEOUT(" [-T SEC]") " URL..."
> + //usage:	)
> +@@ -137,7 +146,9 @@
> + //usage:       "Retrieve files via HTTP or FTP\n"
> + //usage:	IF_FEATURE_WGET_LONG_OPTIONS(
> + //usage:     "\n	--spider	Only check URL existence: $? is 0 if exists"
> +-///////:     "\n	--no-check-certificate	Don't validate the server's certificate"
> ++//usage:	IF_FEATURE_WGET_OPENSSL(
> ++//usage:     "\n	--no-check-certificate	Don't validate the server's certificate"
> ++//usage:	)
> + //usage:	)
> + //usage:     "\n	-c		Continue retrieval of aborted transfer"
> + //usage:     "\n	-q		Quiet"
> +@@ -662,7 +673,7 @@ static int spawn_https_helper_openssl(const char *host, unsigned port)
> + 	pid = xvfork();
> + 	if (pid == 0) {
> + 		/* Child */
> +-		char *argv[8];
> ++		char *argv[9];
> + 
> + 		close(sp[0]);
> + 		xmove_fd(sp[1], 0);
> +@@ -689,6 +700,9 @@ static int spawn_https_helper_openssl(const char *host, unsigned port)
> + 			argv[5] = (char*)"-servername";
> + 			argv[6] = (char*)servername;
> + 		}
> ++		if (!(option_mask32 & WGET_OPT_NO_CHECK_CERT)) {
> ++			argv[7] = (char*)"-verify_return_error";
> ++		}
> + 
> + 		BB_EXECVP(argv[0], argv);
> + 		xmove_fd(3, 2);
> +-- 
> +2.7.4
> +
> diff --git a/meta/recipes-core/busybox/busybox_1.31.1.bb b/meta/recipes-core/busybox/busybox_1.31.1.bb
> index 2bb1d59..a6b4702 100644
> --- a/meta/recipes-core/busybox/busybox_1.31.1.bb
> +++ b/meta/recipes-core/busybox/busybox_1.31.1.bb
> @@ -48,6 +48,7 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
>             file://0001-Remove-syscall-wrappers-around-clock_gettime-closes-.patch \
>             file://0001-Remove-stime-function-calls.patch \
>             file://0001-sysctl-ignore-EIO-of-stable_secret-below-proc-sys-ne.patch \
> +           file://busybox-CVE-2018-1000500.patch \
>  "
>  SRC_URI_append_libc-musl = " file://musl.cfg "
>  
>
> 


[-- Attachment #2: Type: text/html, Size: 7007 bytes --]

Re: [OE-core] [dunfell][PATCH] busybox: Security Fix For CVE-2018-1000500

[Rahul Kumar]

[-- Attachment #1: Type: text/plain, Size: 6770 bytes --]

Hi Armin,

As per my observation, master branch does not affect this CVE.

I could not get any reference where i find out exactly from which version
to which version, This CVE affect.

Since busybox upstarem released a patch for CVE-2018-1000500 with busybox
v1_32_0~25
and master branch is using busybox v1.32.0-r0 and I checked this patch code
is present in busybox  v1.32.0-r0 source code.
so master branch does not affect.

Feel free to point out if I am wrong at any place.

*Thanks & Regards,*
Rahul Kumar
Software Engineer,Linux Solutions Engineering
Group,Montavista Software LLC
Email Id: rahulk@mvista.com
<https://plus.google.com/+CodeTwoSoftware>


On Sun, Jul 12, 2020 at 8:33 AM akuster808 <akuster808@gmail.com> wrote:

>
>
> On 7/11/20 6:21 PM, Rahul Kumar wrote:
>
> CVE: CVE-2018-1000500
>
> Signed-off-by: Rahul Kumar <rahulk@mvista.com> <rahulk@mvista.com>
>
>
> Does this affect master?
>
> -armin
>
> ---
>  .../busybox/busybox/busybox-CVE-2018-1000500.patch | 98 ++++++++++++++++++++++
>  meta/recipes-core/busybox/busybox_1.31.1.bb        |  1 +
>  2 files changed, 99 insertions(+)
>  create mode 100644 meta/recipes-core/busybox/busybox/busybox-CVE-2018-1000500.patch
>
> diff --git a/meta/recipes-core/busybox/busybox/busybox-CVE-2018-1000500.patch b/meta/recipes-core/busybox/busybox/busybox-CVE-2018-1000500.patch
> new file mode 100644
> index 0000000..cde3923
> --- /dev/null
> +++ b/meta/recipes-core/busybox/busybox/busybox-CVE-2018-1000500.patch
> @@ -0,0 +1,98 @@
> +From 71e7e2fb35c806d20f9739d832cd9ae3a86fdee2 Mon Sep 17 00:00:00 2001
> +From: Dimitri John Ledkov <xnox@ubuntu.com> <xnox@ubuntu.com>
> +Date: Tue, 19 May 2020 18:20:39 +0100
> +Subject: [PATCH] wget: implement TLS verification with
> + ENABLE_FEATURE_WGET_OPENSSL
> +
> +When ENABLE_FEATURE_WGET_OPENSSL is enabled, correctly implement TLS
> +verification by default. And only ignore verification errors, if
> +--no-check-certificate was passed.
> +
> +Also note, that previously OPENSSL implementation did not implement
> +TLS verification, nor printed any warning messages that verification
> +was not performed.
> +
> +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1879533
> +
> +CVE-2018-1000500
> +
> +Upstream Status: Backport https://git.busybox.net/busybox/commit/?id=45fa3f18adf57ef9d743038743d9c90573aeeb91
> +CVE: CVE-2018-1000500
> +
> +Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com> <xnox@ubuntu.com>
> +Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com> <vda.linux@googlemail.com>
> +Signed-off-by: Rahul Kumar <rahulk@mvista.com> <rahulk@mvista.com>
> +---
> + networking/wget.c | 20 +++++++++++++++++---
> + 1 file changed, 17 insertions(+), 3 deletions(-)
> +
> +diff --git a/networking/wget.c b/networking/wget.c
> +index 9153264..a7e6deb 100644
> +--- a/networking/wget.c
> ++++ b/networking/wget.c
> +@@ -91,6 +91,9 @@
> + //config:	patches, but do want to waste bandwidth expaining how wrong
> + //config:	it is, you will be ignored.
> + //config:
> ++//config:	FEATURE_WGET_OPENSSL does implement TLS verification
> ++//config:	using the certificates available to OpenSSL.
> ++//config:
> + //config:config FEATURE_WGET_OPENSSL
> + //config:	bool "Try to connect to HTTPS using openssl"
> + //config:	default y
> +@@ -115,6 +118,9 @@
> + //config:	If openssl can't be executed, internal TLS code will be used
> + //config:	(if you enabled it); if openssl can be executed but fails later,
> + //config:	wget can't detect this, and download will fail.
> ++//config:
> ++//config:	By default TLS verification is performed, unless
> ++//config:	--no-check-certificate option is passed.
> +
> + //applet:IF_WGET(APPLET(wget, BB_DIR_USR_BIN, BB_SUID_DROP))
> +
> +@@ -124,8 +130,11 @@
> + //usage:	IF_FEATURE_WGET_LONG_OPTIONS(
> + //usage:       "[-c|--continue] [--spider] [-q|--quiet] [-O|--output-document FILE]\n"
> + //usage:       "	[-o|--output-file FILE] [--header 'header: value'] [-Y|--proxy on/off]\n"
> ++//usage:	IF_FEATURE_WGET_OPENSSL(
> ++//usage:       "	[--no-check-certificate]\n"
> ++//usage:	)
> + /* Since we ignore these opts, we don't show them in --help */
> +-/* //usage:    "	[--no-check-certificate] [--no-cache] [--passive-ftp] [-t TRIES]" */
> ++/* //usage:    "	[--no-cache] [--passive-ftp] [-t TRIES]" */
> + /* //usage:    "	[-nv] [-nc] [-nH] [-np]" */
> + //usage:       "	[-P DIR] [-S|--server-response] [-U|--user-agent AGENT]" IF_FEATURE_WGET_TIMEOUT(" [-T SEC]") " URL..."
> + //usage:	)
> +@@ -137,7 +146,9 @@
> + //usage:       "Retrieve files via HTTP or FTP\n"
> + //usage:	IF_FEATURE_WGET_LONG_OPTIONS(
> + //usage:     "\n	--spider	Only check URL existence: $? is 0 if exists"
> +-///////:     "\n	--no-check-certificate	Don't validate the server's certificate"
> ++//usage:	IF_FEATURE_WGET_OPENSSL(
> ++//usage:     "\n	--no-check-certificate	Don't validate the server's certificate"
> ++//usage:	)
> + //usage:	)
> + //usage:     "\n	-c		Continue retrieval of aborted transfer"
> + //usage:     "\n	-q		Quiet"
> +@@ -662,7 +673,7 @@ static int spawn_https_helper_openssl(const char *host, unsigned port)
> + 	pid = xvfork();
> + 	if (pid == 0) {
> + 		/* Child */
> +-		char *argv[8];
> ++		char *argv[9];
> +
> + 		close(sp[0]);
> + 		xmove_fd(sp[1], 0);
> +@@ -689,6 +700,9 @@ static int spawn_https_helper_openssl(const char *host, unsigned port)
> + 			argv[5] = (char*)"-servername";
> + 			argv[6] = (char*)servername;
> + 		}
> ++		if (!(option_mask32 & WGET_OPT_NO_CHECK_CERT)) {
> ++			argv[7] = (char*)"-verify_return_error";
> ++		}
> +
> + 		BB_EXECVP(argv[0], argv);
> + 		xmove_fd(3, 2);
> +--
> +2.7.4
> +
> diff --git a/meta/recipes-core/busybox/busybox_1.31.1.bb b/meta/recipes-core/busybox/busybox_1.31.1.bb
> index 2bb1d59..a6b4702 100644
> --- a/meta/recipes-core/busybox/busybox_1.31.1.bb
> +++ b/meta/recipes-core/busybox/busybox_1.31.1.bb
> @@ -48,6 +48,7 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
>             file://0001-Remove-syscall-wrappers-around-clock_gettime-closes-.patch \
>             file://0001-Remove-stime-function-calls.patch \
>             file://0001-sysctl-ignore-EIO-of-stable_secret-below-proc-sys-ne.patch \
> +           file://busybox-CVE-2018-1000500.patch \
>  " <https://busybox.net/downloads/busybox-$%7BPV%7D.tar.bz2;name=tarball%5Cfile://0001-Remove-syscall-wrappers-around-clock_gettime-closes-.patch%5Cfile://0001-Remove-stime-function-calls.patch%5Cfile://0001-sysctl-ignore-EIO-of-stable_secret-below-proc-sys-ne.patch%5C+file://busybox-CVE-2018-1000500.patch%5C>
>  SRC_URI_append_libc-musl = " file://musl.cfg "
>
>
> 
>
>
>

[-- Attachment #2: Type: text/html, Size: 9371 bytes --]