* [Buildroot] [git commit] busybox: security bump to version 1.24.2
@ 2016-03-25 22:36 Peter Korsgaard
0 siblings, 0 replies; only message in thread
From: Peter Korsgaard @ 2016-03-25 22:36 UTC (permalink / raw)
To: buildroot
commit: https://git.buildroot.net/buildroot/commit/?id=157dc65fb744c00c972a065079e83458b6249344
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master
The version bump doesn't inherently fix the security issues, however the
added CVE patches do, which fix:
CVE-2016-2147 - out of bounds write (heap) due to integer underflow in
udhcpc.
CVE-2016-2148 - heap-based buffer overflow in OPTION_6RD parsing.
Drop patches that are upstream as well.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
...gs-strip-non-l-arguments-returned-by-pkg.patch} | 0
package/busybox/0002-unzip.patch | 111 -----------------
package/busybox/0003-ash-recursive-heredocs.patch | 84 +++++++++++++
.../busybox/0003-g-unzip-fix-recent-breakage.patch | 134 ---------------------
package/busybox/0004-fix-CVE-2016-2147.patch | 73 +++++++++++
package/busybox/0004-truncate-open-mode.patch | 74 ------------
package/busybox/0005-fix-CVE-2016-2148.patch | 56 +++++++++
package/busybox/busybox.hash | 6 +-
package/busybox/busybox.mk | 2 +-
9 files changed, 217 insertions(+), 323 deletions(-)
diff --git a/package/busybox/0008-Makefile.flags-strip-non-l-arguments-returned-by-pkg.patch b/package/busybox/0002-Makefile.flags-strip-non-l-arguments-returned-by-pkg.patch
similarity index 100%
rename from package/busybox/0008-Makefile.flags-strip-non-l-arguments-returned-by-pkg.patch
rename to package/busybox/0002-Makefile.flags-strip-non-l-arguments-returned-by-pkg.patch
diff --git a/package/busybox/0002-unzip.patch b/package/busybox/0002-unzip.patch
deleted file mode 100644
index 400e528..0000000
--- a/package/busybox/0002-unzip.patch
+++ /dev/null
@@ -1,111 +0,0 @@
-From 1de25a6e87e0e627aa34298105a3d17c60a1f44e Mon Sep 17 00:00:00 2001
-From: Denys Vlasenko <vda.linux@googlemail.com>
-Date: Mon, 26 Oct 2015 19:33:05 +0100
-Subject: [PATCH] unzip: test for bad archive SEGVing
-
-function old new delta
-huft_build 1296 1300 +4
-
-Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
-Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
----
- archival/libarchive/decompress_gunzip.c | 11 +++++++----
- testsuite/unzip.tests | 23 ++++++++++++++++++++++-
- 2 files changed, 29 insertions(+), 5 deletions(-)
-
-diff --git a/archival/libarchive/decompress_gunzip.c b/archival/libarchive/decompress_gunzip.c
-index 7b6f459..30bf451 100644
---- a/archival/libarchive/decompress_gunzip.c
-+++ b/archival/libarchive/decompress_gunzip.c
-@@ -305,11 +305,12 @@ static int huft_build(const unsigned *b, const unsigned n,
- unsigned i; /* counter, current code */
- unsigned j; /* counter */
- int k; /* number of bits in current code */
-- unsigned *p; /* pointer into c[], b[], or v[] */
-+ const unsigned *p; /* pointer into c[], b[], or v[] */
- huft_t *q; /* points to current table */
- huft_t r; /* table entry for structure assignment */
- huft_t *u[BMAX]; /* table stack */
- unsigned v[N_MAX]; /* values in order of bit length */
-+ unsigned v_end;
- int ws[BMAX + 1]; /* bits decoded stack */
- int w; /* bits decoded */
- unsigned x[BMAX + 1]; /* bit offsets, then code stack */
-@@ -324,7 +325,7 @@ static int huft_build(const unsigned *b, const unsigned n,
-
- /* Generate counts for each bit length */
- memset(c, 0, sizeof(c));
-- p = (unsigned *) b; /* cast allows us to reuse p for pointing to b */
-+ p = b;
- i = n;
- do {
- c[*p]++; /* assume all entries <= BMAX */
-@@ -365,12 +366,14 @@ static int huft_build(const unsigned *b, const unsigned n,
- }
-
- /* Make a table of values in order of bit lengths */
-- p = (unsigned *) b;
-+ p = b;
- i = 0;
-+ v_end = 0;
- do {
- j = *p++;
- if (j != 0) {
- v[x[j]++] = i;
-+ v_end = x[j];
- }
- } while (++i < n);
-
-@@ -432,7 +435,7 @@ static int huft_build(const unsigned *b, const unsigned n,
-
- /* set up table entry in r */
- r.b = (unsigned char) (k - w);
-- if (p >= v + n) {
-+ if (p >= v + v_end) { // Was "if (p >= v + n)" but v[] can be shorter!
- r.e = 99; /* out of values--invalid code */
- } else if (*p < s) {
- r.e = (unsigned char) (*p < 256 ? 16 : 15); /* 256 is EOB code */
-diff --git a/testsuite/unzip.tests b/testsuite/unzip.tests
-index 8677a03..ca0a458 100755
---- a/testsuite/unzip.tests
-+++ b/testsuite/unzip.tests
-@@ -7,7 +7,7 @@
-
- . ./testing.sh
-
--# testing "test name" "options" "expected result" "file input" "stdin"
-+# testing "test name" "commands" "expected result" "file input" "stdin"
- # file input will be file called "input"
- # test can create a file "actual" instead of writing to stdout
-
-@@ -30,6 +30,27 @@ testing "unzip (subdir only)" "unzip -q foo.zip foo/ && test -d foo && test ! -f
- rmdir foo
- rm foo.zip
-
-+# File containing some damaged encrypted stream
-+testing "unzip (bad archive)" "uudecode; unzip bad.zip 2>&1; echo \$?" \
-+"Archive: bad.zip
-+ inflating: ]3j??r??I^[\x12K-%Ix
-+unzip: inflate error
-+1
-+" \
-+"" "\
-+begin-base64 644 bad.zip
-+UEsDBBQAAgkIAAAAIQA5AAAANwAAADwAAAAQAAcAXTNqwr1ywqtJGxJLLSVJ
-+eCkBD0AdKBk8JzQsIj01JC0/ORJQSwMEFAECCAAAAAAhADoAAAAPAAAANgAA
-+AAwAAQASw73Ct1DCokohPXQiNjoUNTUiHRwgLT4WHlBLAQIQABQAAggIAAAA
-+oQA5AAAANwAAADwAAAAQQAcADAAAACwAMgCAAAAAAABdM2rCvXLCq0kbEkst
-+JUl4KQEPQB0oGSY4Cz4QNgEnJSYIPVBLAQIAABQAAggAAAAAIQAqAAAADwAA
-+BDYAAAAMAAEADQAAADIADQAAAEEAAAASw73Ct1DKokohPXQiNzA+FAI1HCcW
-+NzITNFBLBQUKAC4JAA04Cw0EOhZQSwUGAQAABAIAAgCZAAAAeQAAAAIALhM=
-+====
-+"
-+
-+rm *
-+
- # Clean up scratch directory.
-
- cd ..
---
-2.6.2
-
diff --git a/package/busybox/0003-ash-recursive-heredocs.patch b/package/busybox/0003-ash-recursive-heredocs.patch
new file mode 100644
index 0000000..f054a90
--- /dev/null
+++ b/package/busybox/0003-ash-recursive-heredocs.patch
@@ -0,0 +1,84 @@
+From 4194c2875310c13ee3ca2bb0e1aea6a2ae67c55a Mon Sep 17 00:00:00 2001
+From: Ron Yorston <rmy@pobox.com>
+Date: Thu, 29 Oct 2015 16:44:56 +0000
+Subject: [PATCH] ash: fix error during recursive processing of here document
+
+Save the value of the checkkwd flag to prevent it being clobbered
+during recursion.
+
+Based on commit ec2c84d from git://git.kernel.org/pub/scm/utils/dash/dash.git
+by Herbert Xu.
+
+function old new delta
+readtoken 190 203 +13
+------------------------------------------------------------------------------
+(add/remove: 0/0 grow/shrink: 1/0 up/down: 13/0) Total: 13 bytes
+
+Signed-off-by: Ron Yorston <rmy@pobox.com>
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+Signed-off-by: Mike Frysinger <vapier@gentoo.org>
+(cherry picked from commit 713f07d906d9171953be0c12e2369869855b6ca6)
+Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
+---
+ shell/ash.c | 5 +++--
+ shell/ash_test/ash-heredoc/heredoc3.right | 1 +
+ shell/ash_test/ash-heredoc/heredoc3.tests | 9 +++++++++
+ 3 files changed, 13 insertions(+), 2 deletions(-)
+ create mode 100644 shell/ash_test/ash-heredoc/heredoc3.right
+ create mode 100755 shell/ash_test/ash-heredoc/heredoc3.tests
+
+diff --git a/shell/ash.c b/shell/ash.c
+index 8a1628e..256e933 100644
+--- a/shell/ash.c
++++ b/shell/ash.c
+@@ -11893,6 +11893,7 @@ static int
+ readtoken(void)
+ {
+ int t;
++ int kwd = checkkwd;
+ #if DEBUG
+ smallint alreadyseen = tokpushback;
+ #endif
+@@ -11906,7 +11907,7 @@ readtoken(void)
+ /*
+ * eat newlines
+ */
+- if (checkkwd & CHKNL) {
++ if (kwd & CHKNL) {
+ while (t == TNL) {
+ parseheredoc();
+ t = xxreadtoken();
+@@ -11920,7 +11921,7 @@ readtoken(void)
+ /*
+ * check for keywords
+ */
+- if (checkkwd & CHKKWD) {
++ if (kwd & CHKKWD) {
+ const char *const *pp;
+
+ pp = findkwd(wordtext);
+diff --git a/shell/ash_test/ash-heredoc/heredoc3.right b/shell/ash_test/ash-heredoc/heredoc3.right
+new file mode 100644
+index 0000000..ce01362
+--- /dev/null
++++ b/shell/ash_test/ash-heredoc/heredoc3.right
+@@ -0,0 +1 @@
++hello
+diff --git a/shell/ash_test/ash-heredoc/heredoc3.tests b/shell/ash_test/ash-heredoc/heredoc3.tests
+new file mode 100755
+index 0000000..96c227c
+--- /dev/null
++++ b/shell/ash_test/ash-heredoc/heredoc3.tests
+@@ -0,0 +1,9 @@
++echo hello >greeting
++cat <<EOF &&
++$(cat greeting)
++EOF
++{
++ echo $?
++ cat greeting
++} >/dev/null
++rm greeting
+--
+2.7.4
+
diff --git a/package/busybox/0003-g-unzip-fix-recent-breakage.patch b/package/busybox/0003-g-unzip-fix-recent-breakage.patch
deleted file mode 100644
index 061e2c4..0000000
--- a/package/busybox/0003-g-unzip-fix-recent-breakage.patch
+++ /dev/null
@@ -1,134 +0,0 @@
-From 6bd3fff51aa74e2ee2d87887b12182a3b09792ef Mon Sep 17 00:00:00 2001
-From: Denys Vlasenko <vda.linux@googlemail.com>
-Date: Fri, 30 Oct 2015 23:41:53 +0100
-Subject: [PATCH] [g]unzip: fix recent breakage.
-
-Also, do emit error message we so painstakingly pass from gzip internals
-
-Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
-Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
----
- archival/libarchive/decompress_gunzip.c | 33 +++++++++++++++++++++------------
- testsuite/unzip.tests | 1 +
- 2 files changed, 22 insertions(+), 12 deletions(-)
-
-diff --git a/archival/libarchive/decompress_gunzip.c b/archival/libarchive/decompress_gunzip.c
-index 30bf451..20e4d9a 100644
---- a/archival/libarchive/decompress_gunzip.c
-+++ b/archival/libarchive/decompress_gunzip.c
-@@ -309,8 +309,7 @@ static int huft_build(const unsigned *b, const unsigned n,
- huft_t *q; /* points to current table */
- huft_t r; /* table entry for structure assignment */
- huft_t *u[BMAX]; /* table stack */
-- unsigned v[N_MAX]; /* values in order of bit length */
-- unsigned v_end;
-+ unsigned v[N_MAX + 1]; /* values in order of bit length. last v[] is never used */
- int ws[BMAX + 1]; /* bits decoded stack */
- int w; /* bits decoded */
- unsigned x[BMAX + 1]; /* bit offsets, then code stack */
-@@ -365,15 +364,17 @@ static int huft_build(const unsigned *b, const unsigned n,
- *xp++ = j;
- }
-
-- /* Make a table of values in order of bit lengths */
-+ /* Make a table of values in order of bit lengths.
-+ * To detect bad input, unused v[i]'s are set to invalid value UINT_MAX.
-+ * In particular, last v[i] is never filled and must not be accessed.
-+ */
-+ memset(v, 0xff, sizeof(v));
- p = b;
- i = 0;
-- v_end = 0;
- do {
- j = *p++;
- if (j != 0) {
- v[x[j]++] = i;
-- v_end = x[j];
- }
- } while (++i < n);
-
-@@ -435,7 +436,9 @@ static int huft_build(const unsigned *b, const unsigned n,
-
- /* set up table entry in r */
- r.b = (unsigned char) (k - w);
-- if (p >= v + v_end) { // Was "if (p >= v + n)" but v[] can be shorter!
-+ if (/*p >= v + n || -- redundant, caught by the second check: */
-+ *p == UINT_MAX /* do we access uninited v[i]? (see memset(v))*/
-+ ) {
- r.e = 99; /* out of values--invalid code */
- } else if (*p < s) {
- r.e = (unsigned char) (*p < 256 ? 16 : 15); /* 256 is EOB code */
-@@ -520,8 +523,9 @@ static NOINLINE int inflate_codes(STATE_PARAM_ONLY)
- e = t->e;
- if (e > 16)
- do {
-- if (e == 99)
-- abort_unzip(PASS_STATE_ONLY);;
-+ if (e == 99) {
-+ abort_unzip(PASS_STATE_ONLY);
-+ }
- bb >>= t->b;
- k -= t->b;
- e -= 16;
-@@ -557,8 +561,9 @@ static NOINLINE int inflate_codes(STATE_PARAM_ONLY)
- e = t->e;
- if (e > 16)
- do {
-- if (e == 99)
-+ if (e == 99) {
- abort_unzip(PASS_STATE_ONLY);
-+ }
- bb >>= t->b;
- k -= t->b;
- e -= 16;
-@@ -824,8 +829,9 @@ static int inflate_block(STATE_PARAM smallint *e)
-
- b_dynamic >>= 4;
- k_dynamic -= 4;
-- if (nl > 286 || nd > 30)
-+ if (nl > 286 || nd > 30) {
- abort_unzip(PASS_STATE_ONLY); /* bad lengths */
-+ }
-
- /* read in bit-length-code lengths */
- for (j = 0; j < nb; j++) {
-@@ -906,12 +912,14 @@ static int inflate_block(STATE_PARAM smallint *e)
- bl = lbits;
-
- i = huft_build(ll, nl, 257, cplens, cplext, &inflate_codes_tl, &bl);
-- if (i != 0)
-+ if (i != 0) {
- abort_unzip(PASS_STATE_ONLY);
-+ }
- bd = dbits;
- i = huft_build(ll + nl, nd, 0, cpdist, cpdext, &inflate_codes_td, &bd);
-- if (i != 0)
-+ if (i != 0) {
- abort_unzip(PASS_STATE_ONLY);
-+ }
-
- /* set up data for inflate_codes() */
- inflate_codes_setup(PASS_STATE bl, bd);
-@@ -999,6 +1007,7 @@ inflate_unzip_internal(STATE_PARAM transformer_state_t *xstate)
- error_msg = "corrupted data";
- if (setjmp(error_jmp)) {
- /* Error from deep inside zip machinery */
-+ bb_error_msg(error_msg);
- n = -1;
- goto ret;
- }
-diff --git a/testsuite/unzip.tests b/testsuite/unzip.tests
-index ca0a458..d8738a3 100755
---- a/testsuite/unzip.tests
-+++ b/testsuite/unzip.tests
-@@ -34,6 +34,7 @@ rm foo.zip
- testing "unzip (bad archive)" "uudecode; unzip bad.zip 2>&1; echo \$?" \
- "Archive: bad.zip
- inflating: ]3j??r??I^[\x12K-%Ix
-+unzip: corrupted data
- unzip: inflate error
- 1
- " \
---
-2.6.2
-
diff --git a/package/busybox/0004-fix-CVE-2016-2147.patch b/package/busybox/0004-fix-CVE-2016-2147.patch
new file mode 100644
index 0000000..bd1e47e
--- /dev/null
+++ b/package/busybox/0004-fix-CVE-2016-2147.patch
@@ -0,0 +1,73 @@
+From 3c4de6e36c4d387a648622e7b828a05f2b1b47e6 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Fri, 26 Feb 2016 15:54:56 +0100
+Subject: [PATCH] udhcpc: fix OPTION_6RD parsing (could overflow its malloced
+ buffer)
+
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+Signed-off-by: Mike Frysinger <vapier@gentoo.org>
+(cherry picked from commit 352f79acbd759c14399e39baef21fc4ffe180ac2)
+Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
+---
+ networking/udhcp/common.c | 15 +++++++++++++--
+ networking/udhcp/dhcpc.c | 4 ++--
+ 2 files changed, 15 insertions(+), 4 deletions(-)
+
+diff --git a/networking/udhcp/common.c b/networking/udhcp/common.c
+index bc41c8d..680852c 100644
+--- a/networking/udhcp/common.c
++++ b/networking/udhcp/common.c
+@@ -142,7 +142,7 @@ const char dhcp_option_strings[] ALIGN1 =
+ * udhcp_str2optset: to determine how many bytes to allocate.
+ * xmalloc_optname_optval: to estimate string length
+ * from binary option length: (option[LEN] / dhcp_option_lengths[opt_type])
+- * is the number of elements, multiply in by one element's string width
++ * is the number of elements, multiply it by one element's string width
+ * (len_of_option_as_string[opt_type]) and you know how wide string you need.
+ */
+ const uint8_t dhcp_option_lengths[] ALIGN1 = {
+@@ -162,7 +162,18 @@ const uint8_t dhcp_option_lengths[] ALIGN1 = {
+ [OPTION_S32] = 4,
+ /* Just like OPTION_STRING, we use minimum length here */
+ [OPTION_STATIC_ROUTES] = 5,
+- [OPTION_6RD] = 22, /* ignored by udhcp_str2optset */
++ [OPTION_6RD] = 12, /* ignored by udhcp_str2optset */
++ /* The above value was chosen as follows:
++ * len_of_option_as_string[] for this option is >60: it's a string of the form
++ * "32 128 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 255.255.255.255 ".
++ * Each additional ipv4 address takes 4 bytes in binary option and appends
++ * another "255.255.255.255 " 16-byte string. We can set [OPTION_6RD] = 4
++ * but this severely overestimates string length: instead of 16 bytes,
++ * it adds >60 for every 4 bytes in binary option.
++ * We cheat and declare here that option is in units of 12 bytes.
++ * This adds more than 60 bytes for every three ipv4 addresses - more than enough.
++ * (Even 16 instead of 12 should work, but let's be paranoid).
++ */
+ };
+
+
+diff --git a/networking/udhcp/dhcpc.c b/networking/udhcp/dhcpc.c
+index 915f659..2332b57 100644
+--- a/networking/udhcp/dhcpc.c
++++ b/networking/udhcp/dhcpc.c
+@@ -113,7 +113,7 @@ static const uint8_t len_of_option_as_string[] = {
+ [OPTION_IP ] = sizeof("255.255.255.255 "),
+ [OPTION_IP_PAIR ] = sizeof("255.255.255.255 ") * 2,
+ [OPTION_STATIC_ROUTES ] = sizeof("255.255.255.255/32 255.255.255.255 "),
+- [OPTION_6RD ] = sizeof("32 128 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 255.255.255.255 "),
++ [OPTION_6RD ] = sizeof("132 128 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 255.255.255.255 "),
+ [OPTION_STRING ] = 1,
+ [OPTION_STRING_HOST ] = 1,
+ #if ENABLE_FEATURE_UDHCP_RFC3397
+@@ -220,7 +220,7 @@ static NOINLINE char *xmalloc_optname_optval(uint8_t *option, const struct dhcp_
+ type = optflag->flags & OPTION_TYPE_MASK;
+ optlen = dhcp_option_lengths[type];
+ upper_length = len_of_option_as_string[type]
+- * ((unsigned)(len + optlen - 1) / (unsigned)optlen);
++ * ((unsigned)(len + optlen) / (unsigned)optlen);
+
+ dest = ret = xmalloc(upper_length + strlen(opt_name) + 2);
+ dest += sprintf(ret, "%s=", opt_name);
+--
+2.7.4
+
diff --git a/package/busybox/0004-truncate-open-mode.patch b/package/busybox/0004-truncate-open-mode.patch
deleted file mode 100644
index f0dc6d1..0000000
--- a/package/busybox/0004-truncate-open-mode.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-From be729c1d3b5c923f10871dd68ea94156d0f8c803 Mon Sep 17 00:00:00 2001
-From: Ari Sundholm <ari@tuxera.com>
-Date: Mon, 4 Jan 2016 15:40:37 +0200
-Subject: [PATCH] truncate: always set mode when opening file to avoid fortify
- errors
-
-Busybox crashes due to no mode being given when opening:
-$ ./busybox truncate -s 1M foo
-*** invalid open64 call: O_CREAT without mode ***: ./busybox terminated
-======= Backtrace: =========
-/lib/x86_64-linux-gnu/libc.so.6(+0x7338f)[0x7f66d921338f]
-/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7f66d92aac9c]
-/lib/x86_64-linux-gnu/libc.so.6(+0xeb6aa)[0x7f66d928b6aa]
-./busybox[0x4899f9]
-======= Memory map: ========
-00400000-004d0000 r-xp 00000000 00:1a 137559 /home/ari/busybox/busybox
-006cf000-006d0000 r--p 000cf000 00:1a 137559 /home/ari/busybox/busybox
-006d0000-006d1000 rw-p 000d0000 00:1a 137559 /home/ari/busybox/busybox
-006d1000-006d4000 rw-p 00000000 00:00 0
-014e7000-01508000 rw-p 00000000 00:00 0 [heap]
-7f66d8f8a000-7f66d8fa0000 r-xp 00000000 08:07 1579008 /lib/x86_64-linux-gnu/libgcc_s.so.1
-7f66d8fa0000-7f66d919f000 ---p 00016000 08:07 1579008 /lib/x86_64-linux-gnu/libgcc_s.so.1
-7f66d919f000-7f66d91a0000 rw-p 00015000 08:07 1579008 /lib/x86_64-linux-gnu/libgcc_s.so.1
-7f66d91a0000-7f66d935b000 r-xp 00000000 08:07 1578994 /lib/x86_64-linux-gnu/libc-2.19.so
-7f66d935b000-7f66d955a000 ---p 001bb000 08:07 1578994 /lib/x86_64-linux-gnu/libc-2.19.so
-7f66d955a000-7f66d955e000 r--p 001ba000 08:07 1578994 /lib/x86_64-linux-gnu/libc-2.19.so
-7f66d955e000-7f66d9560000 rw-p 001be000 08:07 1578994 /lib/x86_64-linux-gnu/libc-2.19.so
-7f66d9560000-7f66d9565000 rw-p 00000000 00:00 0
-7f66d9565000-7f66d966a000 r-xp 00000000 08:07 1579020 /lib/x86_64-linux-gnu/libm-2.19.so
-7f66d966a000-7f66d9869000 ---p 00105000 08:07 1579020 /lib/x86_64-linux-gnu/libm-2.19.so
-7f66d9869000-7f66d986a000 r--p 00104000 08:07 1579020 /lib/x86_64-linux-gnu/libm-2.19.so
-7f66d986a000-7f66d986b000 rw-p 00105000 08:07 1579020 /lib/x86_64-linux-gnu/libm-2.19.so
-7f66d986b000-7f66d988e000 r-xp 00000000 08:07 1578981 /lib/x86_64-linux-gnu/ld-2.19.so
-7f66d9a64000-7f66d9a67000 rw-p 00000000 00:00 0
-7f66d9a8a000-7f66d9a8d000 rw-p 00000000 00:00 0
-7f66d9a8d000-7f66d9a8e000 r--p 00022000 08:07 1578981 /lib/x86_64-linux-gnu/ld-2.19.so
-7f66d9a8e000-7f66d9a8f000 rw-p 00023000 08:07 1578981 /lib/x86_64-linux-gnu/ld-2.19.so
-7f66d9a8f000-7f66d9a90000 rw-p 00000000 00:00 0
-7ffc47761000-7ffc47782000 rw-p 00000000 00:00 0 [stack]
-7ffc477ab000-7ffc477ad000 r-xp 00000000 00:00 0 [vdso]
-ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
-Aborted (core dumped)
-$
-
-Fix this by simply always setting the mode, as it doesn't hurt even
-when O_CREAT is not specified.
-
-This bug is a regression introduced in fc3e40e, as xopen(), which
-was originally used, would automatically set the mode.
-
-Signed-off-by: Ari Sundholm <ari@tuxera.com>
-Signed-off-by: Mike Frysinger <vapier@gentoo.org>
-(cherry picked from commit e111a1640494fe87fc913f94fae3bb805de0fc99)
-Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
----
- coreutils/truncate.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/coreutils/truncate.c b/coreutils/truncate.c
-index e5fa656..4c997bf 100644
---- a/coreutils/truncate.c
-+++ b/coreutils/truncate.c
-@@ -64,7 +64,7 @@ int truncate_main(int argc UNUSED_PARAM, char **argv)
-
- argv += optind;
- while (*argv) {
-- int fd = open(*argv, flags);
-+ int fd = open(*argv, flags, 0666);
- if (fd < 0) {
- if (errno != ENOENT || !(opts & OPT_NOCREATE)) {
- bb_perror_msg("%s: open", *argv);
---
-2.6.2
-
diff --git a/package/busybox/0005-fix-CVE-2016-2148.patch b/package/busybox/0005-fix-CVE-2016-2148.patch
new file mode 100644
index 0000000..93eff48
--- /dev/null
+++ b/package/busybox/0005-fix-CVE-2016-2148.patch
@@ -0,0 +1,56 @@
+From 3a76bb5136d05f94ee62e377aa723e63444912c7 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Thu, 10 Mar 2016 11:47:58 +0100
+Subject: [PATCH] udhcp: fix a SEGV on malformed RFC1035-encoded domain name
+
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+Signed-off-by: Mike Frysinger <vapier@gentoo.org>
+(cherry picked from commit d474ffc68290e0a83651c4432eeabfa62cd51e87)
+Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
+---
+ networking/udhcp/domain_codec.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/networking/udhcp/domain_codec.c b/networking/udhcp/domain_codec.c
+index c1325d8..8429367 100644
+--- a/networking/udhcp/domain_codec.c
++++ b/networking/udhcp/domain_codec.c
+@@ -63,11 +63,10 @@ char* FAST_FUNC dname_dec(const uint8_t *cstr, int clen, const char *pre)
+ if (crtpos + *c + 1 > clen) /* label too long? abort */
+ return NULL;
+ if (dst)
+- memcpy(dst + len, c + 1, *c);
++ /* \3com ---> "com." */
++ ((char*)mempcpy(dst + len, c + 1, *c))[0] = '.';
+ len += *c + 1;
+ crtpos += *c + 1;
+- if (dst)
+- dst[len - 1] = '.';
+ } else {
+ /* NUL: end of current domain name */
+ if (retpos == 0) {
+@@ -78,7 +77,10 @@ char* FAST_FUNC dname_dec(const uint8_t *cstr, int clen, const char *pre)
+ crtpos = retpos;
+ retpos = depth = 0;
+ }
+- if (dst)
++ if (dst && len != 0)
++ /* \4host\3com\0\4host and we are at \0:
++ * \3com was converted to "com.", change dot to space.
++ */
+ dst[len - 1] = ' ';
+ }
+
+@@ -228,6 +230,9 @@ int main(int argc, char **argv)
+ int len;
+ uint8_t *encoded;
+
++ uint8_t str[6] = { 0x00, 0x00, 0x02, 0x65, 0x65, 0x00 };
++ printf("NUL:'%s'\n", dname_dec(str, 6, ""));
++
+ #define DNAME_DEC(encoded,pre) dname_dec((uint8_t*)(encoded), sizeof(encoded), (pre))
+ printf("'%s'\n", DNAME_DEC("\4host\3com\0", "test1:"));
+ printf("test2:'%s'\n", DNAME_DEC("\4host\3com\0\4host\3com\0", ""));
+--
+2.7.4
+
diff --git a/package/busybox/busybox.hash b/package/busybox/busybox.hash
index 99fb8e4..7486aeb 100644
--- a/package/busybox/busybox.hash
+++ b/package/busybox/busybox.hash
@@ -1,3 +1,3 @@
-# From http://busybox.net/downloads/busybox-1.24.1.tar.bz2.sign
-md5 be98a40cadf84ce2d6b05fa41a275c6a busybox-1.24.1.tar.bz2
-sha1 157d14d24748b4505b1a418535688706a2b81680 busybox-1.24.1.tar.bz2
+# From http://busybox.net/downloads/busybox-1.24.2.tar.bz2.sign
+md5 2eaae519cac1143bcf583636a745381f busybox-1.24.2.tar.bz2
+sha1 03e6cfc8ddb2f709f308719a9b9f4818bc0a28d0 busybox-1.24.2.tar.bz2
diff --git a/package/busybox/busybox.mk b/package/busybox/busybox.mk
index 7c904c8..c7fb8b4 100644
--- a/package/busybox/busybox.mk
+++ b/package/busybox/busybox.mk
@@ -4,7 +4,7 @@
#
################################################################################
-BUSYBOX_VERSION = 1.24.1
+BUSYBOX_VERSION = 1.24.2
BUSYBOX_SITE = http://www.busybox.net/downloads
BUSYBOX_SOURCE = busybox-$(BUSYBOX_VERSION).tar.bz2
BUSYBOX_LICENSE = GPLv2
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2016-03-25 22:36 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-03-25 22:36 [Buildroot] [git commit] busybox: security bump to version 1.24.2 Peter Korsgaard
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.