From: "Rahul Taya" <Rahul.Taya@kpit.com>
To: Openembedded-core@lists.openembedded.org, raj.khem@gmail.com
Cc: nisha.parrakat@kpit.com, Aditya.Tayade@kpit.com
Subject: [poky][sumo][PATCH] busybox: Add fix for CVE-2018-1000517
Date: Wed,  6 Jan 2021 16:53:14 +0530
Message-ID: <20210106112314.30270-1-Rahul.Taya@kpit.com>

Applied patch that Ubuntu applied to busybox 1.27.2

The patch is available from file:
http://archive.ubuntu.com/ubuntu/pool/main/b/busybox/busybox_1.27.2-2ubuntu3.2.debian.tar.xz
in path debian/patches/.

The below patch is added:

CVE-2018-1000517.patch

Signed-off-by: Rahul.Taya <Rahul.Taya@kpit.com>
---
 .../busybox/busybox/CVE-2018-1000517.patch    | 56 +++++++++++++++++++
 meta/recipes-core/busybox/busybox_1.27.2.bb   |  1 +
 2 files changed, 57 insertions(+)
 create mode 100644 meta/recipes-core/busybox/busybox/CVE-2018-1000517.patch

diff --git a/meta/recipes-core/busybox/busybox/CVE-2018-1000517.patch b/meta/recipes-core/busybox/busybox/CVE-2018-1000517.patch
new file mode 100644
index 0000000000..8b1eb3d45c
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2018-1000517.patch
@@ -0,0 +1,56 @@
+Backport of:
+
+From 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Sun, 8 Apr 2018 18:06:24 +0200
+Subject: wget: check chunk length for overflowing off_t
+
+function                                             old     new   delta
+retrieve_file_data                                   428     465     +37
+wget_main                                           2386    2389      +3
+------------------------------------------------------------------------------
+(add/remove: 0/0 grow/shrink: 2/0 up/down: 40/0)               Total: 40 bytes
+
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+CVE-2018-1000517
+[http://archive.ubuntu.com/ubuntu/pool/main/b/busybox/busybox_1.27.2-2ubuntu3.2.debian.tar.xz]
+Upstream-Status: Backport
+---
+ networking/wget.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+Index: busybox-1.27.2/networking/wget.c
+===================================================================
+--- busybox-1.27.2.orig/networking/wget.c      2019-03-06 15:03:11.447280336 -0500
++++ busybox-1.27.2/networking/wget.c   2019-03-06 15:09:58.757358868 -0500
+@@ -642,7 +642,7 @@ static FILE* prepare_ftp_session(FILE **
+       if (ftpcmd("SIZE ", target->path, sfp) == 213) {
+               G.content_len = BB_STRTOOFF(G.wget_buf + 4, NULL, 10);
+               if (G.content_len < 0 || errno) {
+-                      bb_error_msg_and_die("SIZE value is garbage");
++                      bb_error_msg_and_die("bad SIZE value '%s'", G.wget_buf + 4);
+               }
+               G.got_clen = 1;
+       }
+@@ -925,11 +925,19 @@ static void NOINLINE retrieve_file_data(
+               if (!G.chunked)
+                       break;
+
+-              fgets_and_trim(dfp, NULL); /* Eat empty line */
++              /* Each chunk ends with "\r\n" - eat it */
++              fgets_and_trim(dfp, NULL);
+  get_clen:
++              /* chunk size format is "HEXNUM[;name[=val]]\r\n" */
+               fgets_and_trim(dfp, NULL);
++              errno = 0;
+               G.content_len = STRTOOFF(G.wget_buf, NULL, 16);
+-              /* FIXME: error check? */
++              /*
++               * Had a bug with inputs like "ffffffff0001f400"
++               * smashing the heap later. Ensure >= 0.
++               */
++              if (G.content_len < 0 || errno)
++                      bb_error_msg_and_die("bad chunk length '%s'", G.wget_buf);
+               if (G.content_len == 0)
+                       break; /* all done! */
+               G.got_clen = 1;
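
Review bot: In the header of the added CVE-2018-1000517.patch, the CVE reference is a bare `CVE-2018-1000517` line and the only Signed-off-by is the upstream author's. OE-core's patch header convention is a `CVE: CVE-2018-1000517` tag plus the backporter's own Signed-off-by inside the patch file, and `Upstream-Status: Backport` is easier to audit when it names the upstream commit (8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e, already quoted in the From line) rather than only the Ubuntu tarball. On the code, in the retrieve_file_data hunk STRTOOFF is still called with a NULL end pointer, so a chunk-size line with no hex digits can parse as 0 without an error and take the `G.content_len == 0` "all done" path instead of the new "bad chunk length" error. That behaviour comes with the backported change, so it is a follow-up point rather than a blocker here.
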
diff --git a/meta/recipes-core/busybox/busybox_1.27.2.bb b/meta/recipes-core/busybox/busybox_1.27.2.bb
index 716a0650fc..67ba7fe423 100644
--- a/meta/recipes-core/busybox/busybox_1.27.2.bb
+++ b/meta/recipes-core/busybox/busybox_1.27.2.bb
@@ -49,6 +49,7 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
            file://busybox-fix-lzma-segfaults.patch \
            file://umount-ignore-c.patch \
            file://CVE-2017-15874.patch \
+           file://CVE-2018-1000517.patch \
 "
 SRC_URI_append_libc-musl = " file://musl.cfg "

--
2.17.1

