* [poky][sumo][PATCH] busybox: Add fix for CVE-2018-1000517
@ 2021-01-06 11:23 Rahul Taya
0 siblings, 0 replies; only message in thread
From: Rahul Taya @ 2021-01-06 11:23 UTC (permalink / raw)
To: Openembedded-core, raj.khem; +Cc: nisha.parrakat, Aditya.Tayade
Applied patch that Ubuntu applied to busybox 1.27.2
The patch is available from file:
http://archive.ubuntu.com/ubuntu/pool/main/b/busybox/busybox_1.27.2-2ubuntu3.2.debian.tar.xz
in path debian/patches/.
The below patch is added:
CVE-2018-1000517.patch
Signed-off-by: Rahul.Taya <Rahul.Taya@kpit.com>
---
.../busybox/busybox/CVE-2018-1000517.patch | 56 +++++++++++++++++++
meta/recipes-core/busybox/busybox_1.27.2.bb | 1 +
2 files changed, 57 insertions(+)
create mode 100644 meta/recipes-core/busybox/busybox/CVE-2018-1000517.patch
diff --git a/meta/recipes-core/busybox/busybox/CVE-2018-1000517.patch b/meta/recipes-core/busybox/busybox/CVE-2018-1000517.patch
new file mode 100644
index 0000000000..8b1eb3d45c
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2018-1000517.patch
@@ -0,0 +1,56 @@
+Backport of:
+
+From 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Sun, 8 Apr 2018 18:06:24 +0200
+Subject: wget: check chunk length for overflowing off_t
+
+function old new delta
+retrieve_file_data 428 465 +37
+wget_main 2386 2389 +3
+------------------------------------------------------------------------------
+(add/remove: 0/0 grow/shrink: 2/0 up/down: 40/0) Total: 40 bytes
+
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+CVE-2018-1000517
+[http://archive.ubuntu.com/ubuntu/pool/main/b/busybox/busybox_1.27.2-2ubuntu3.2.debian.tar.xz]
+Upstream-Status: Backport
+---
+ networking/wget.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+Index: busybox-1.27.2/networking/wget.c
+===================================================================
+--- busybox-1.27.2.orig/networking/wget.c 2019-03-06 15:03:11.447280336 -0500
++++ busybox-1.27.2/networking/wget.c 2019-03-06 15:09:58.757358868 -0500
+@@ -642,7 +642,7 @@ static FILE* prepare_ftp_session(FILE **
+ if (ftpcmd("SIZE ", target->path, sfp) == 213) {
+ G.content_len = BB_STRTOOFF(G.wget_buf + 4, NULL, 10);
+ if (G.content_len < 0 || errno) {
+- bb_error_msg_and_die("SIZE value is garbage");
++ bb_error_msg_and_die("bad SIZE value '%s'", G.wget_buf + 4);
+ }
+ G.got_clen = 1;
+ }
+@@ -925,11 +925,19 @@ static void NOINLINE retrieve_file_data(
+ if (!G.chunked)
+ break;
+
+- fgets_and_trim(dfp, NULL); /* Eat empty line */
++ /* Each chunk ends with "\r\n" - eat it */
++ fgets_and_trim(dfp, NULL);
+ get_clen:
++ /* chunk size format is "HEXNUM[;name[=val]]\r\n" */
+ fgets_and_trim(dfp, NULL);
++ errno = 0;
+ G.content_len = STRTOOFF(G.wget_buf, NULL, 16);
+- /* FIXME: error check? */
++ /*
++ * Had a bug with inputs like "ffffffff0001f400"
++ * smashing the heap later. Ensure >= 0.
++ */
++ if (G.content_len < 0 || errno)
++ bb_error_msg_and_die("bad chunk length '%s'", G.wget_buf);
+ if (G.content_len == 0)
+ break; /* all done! */
+ G.got_clen = 1;
diff --git a/meta/recipes-core/busybox/busybox_1.27.2.bb b/meta/recipes-core/busybox/busybox_1.27.2.bb
index 716a0650fc..67ba7fe423 100644
--- a/meta/recipes-core/busybox/busybox_1.27.2.bb
+++ b/meta/recipes-core/busybox/busybox_1.27.2.bb
@@ -49,6 +49,7 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
file://busybox-fix-lzma-segfaults.patch \
file://umount-ignore-c.patch \
file://CVE-2017-15874.patch \
+ file://CVE-2018-1000517.patch \
"
SRC_URI_append_libc-musl = " file://musl.cfg "
--
2.17.1
This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2021-01-06 11:23 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-01-06 11:23 [poky][sumo][PATCH] busybox: Add fix for CVE-2018-1000517 Rahul Taya
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.