* [poky][sumo][PATCH] busybox: Add fix for CVE-2018-1000517
From: Rahul Taya @ 2021-01-06 11:23 UTC
  To: Openembedded-core, raj.khem; +Cc: nisha.parrakat, Aditya.Tayade

Applied patch that Ubuntu applied to busybox 1.27.2

The patch is available from file:
http://archive.ubuntu.com/ubuntu/pool/main/b/busybox/busybox_1.27.2-2ubuntu3.2.debian.tar.xz
in path debian/patches/.

The below patch is added:

CVE-2018-1000517.patch

Signed-off-by: Rahul.Taya <Rahul.Taya@kpit.com>
---
 .../busybox/busybox/CVE-2018-1000517.patch    | 56 +++++++++++++++++++
 meta/recipes-core/busybox/busybox_1.27.2.bb   |  1 +
 2 files changed, 57 insertions(+)
 create mode 100644 meta/recipes-core/busybox/busybox/CVE-2018-1000517.patch

diff --git a/meta/recipes-core/busybox/busybox/CVE-2018-1000517.patch b/meta/recipes-core/busybox/busybox/CVE-2018-1000517.patch
new file mode 100644
index 0000000000..8b1eb3d45c
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2018-1000517.patch
@@ -0,0 +1,56 @@
+Backport of:
+
+From 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Sun, 8 Apr 2018 18:06:24 +0200
+Subject: wget: check chunk length for overflowing off_t
+
+function                                             old     new   delta
+retrieve_file_data                                   428     465     +37
+wget_main                                           2386    2389      +3
+------------------------------------------------------------------------------
+(add/remove: 0/0 grow/shrink: 2/0 up/down: 40/0)               Total: 40 bytes
+
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+CVE-2018-1000517
+[http://archive.ubuntu.com/ubuntu/pool/main/b/busybox/busybox_1.27.2-2ubuntu3.2.debian.tar.xz]
+Upstream-Status: Backport
+---
+ networking/wget.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+Index: busybox-1.27.2/networking/wget.c
+===================================================================
+--- busybox-1.27.2.orig/networking/wget.c      2019-03-06 15:03:11.447280336 -0500
++++ busybox-1.27.2/networking/wget.c   2019-03-06 15:09:58.757358868 -0500
+@@ -642,7 +642,7 @@ static FILE* prepare_ftp_session(FILE **
+       if (ftpcmd("SIZE ", target->path, sfp) == 213) {
+               G.content_len = BB_STRTOOFF(G.wget_buf + 4, NULL, 10);
+               if (G.content_len < 0 || errno) {
+-                      bb_error_msg_and_die("SIZE value is garbage");
++                      bb_error_msg_and_die("bad SIZE value '%s'", G.wget_buf + 4);
+               }
+               G.got_clen = 1;
+       }
+@@ -925,11 +925,19 @@ static void NOINLINE retrieve_file_data(
+               if (!G.chunked)
+                       break;
+
+-              fgets_and_trim(dfp, NULL); /* Eat empty line */
++              /* Each chunk ends with "\r\n" - eat it */
++              fgets_and_trim(dfp, NULL);
+  get_clen:
++              /* chunk size format is "HEXNUM[;name[=val]]\r\n" */
+               fgets_and_trim(dfp, NULL);
++              errno = 0;
+               G.content_len = STRTOOFF(G.wget_buf, NULL, 16);
+-              /* FIXME: error check? */
++              /*
++               * Had a bug with inputs like "ffffffff0001f400"
++               * smashing the heap later. Ensure >= 0.
++               */
++              if (G.content_len < 0 || errno)
++                      bb_error_msg_and_die("bad chunk length '%s'", G.wget_buf);
+               if (G.content_len == 0)
+                       break; /* all done! */
+               G.got_clen = 1;
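Review bot: In the header of the added CVE-2018-1000517.patch, the bare `CVE-2018-1000517` line and the unqualified `Upstream-Status: Backport` do not follow the tag format OE-core expects for recipe patches. Use `CVE: CVE-2018-1000517`, name the backport source on the status line, for example `Upstream-Status: Backport [busybox commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e]`, and add your own Signed-off-by below Denys Vlasenko's, since the header currently carries only the upstream author's. The bracketed Ubuntu tarball URL records where the file was copied from but not which upstream change it corresponds to. In the wget.c change itself, the new `G.content_len < 0 || errno` test in retrieve_file_data relies on the `errno = 0;` added just before STRTOOFF, so keep those lines together if the patch context is ever refreshed against another busybox version.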
diff --git a/meta/recipes-core/busybox/busybox_1.27.2.bb b/meta/recipes-core/busybox/busybox_1.27.2.bb
index 716a0650fc..67ba7fe423 100644
--- a/meta/recipes-core/busybox/busybox_1.27.2.bb
+++ b/meta/recipes-core/busybox/busybox_1.27.2.bb
@@ -49,6 +49,7 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
            file://busybox-fix-lzma-segfaults.patch \
            file://umount-ignore-c.patch \
            file://CVE-2017-15874.patch \
+           file://CVE-2018-1000517.patch \
 "
 SRC_URI_append_libc-musl = " file://musl.cfg "

--
2.17.1
