From: "Mittal, Anuj" <anuj.mittal@intel.com>
To: "Qi.Chen@windriver.com" <Qi.Chen@windriver.com>,
	"openembedded-core@lists.openembedded.org"
	<openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core][hardknott][PATCH 1/3] busybox: Fix for CVE-2021-42374
Date: Wed, 22 Dec 2021 02:36:31 +0000	[thread overview]
Message-ID: <50395e355ce40923537e2db7a157dd1448b60c7f.camel@intel.com> (raw)
In-Reply-To: <20211222021125.55893-1-Qi.Chen@windriver.com>

I think we can just upgrade to 1.33.2 that has all of these except the
awk changes.

https://git.busybox.net/busybox/log/?h=1_33_stable

I had sent a patch for the upgrade.

https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/hardknott-next

Can you please rebase on top of that?

Thanks,

Anuj

On Tue, 2021-12-21 at 18:11 -0800, Chen Qi wrote:
> From: Pavel Zhukov <pavel.zhukov@huawei.com>
> 
> An out-of-bounds heap read in unlzma leads to information leak and
> denial of service when crafted LZMA-compressed input is decompressed.
> This can be triggered by any applet/format that internally supports
> LZMA compression.
> 
> Reference:
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-42374
> 
> (From OE-Core rev: 297719989ebe8ce7d50e3991cba3e268938690ce)
> 
> Signed-off-by: Pavel Zhukov <pavel.zhukov@huawei.com>
> Signed-off-by: Steve Sakoman <steve@sakoman.com>
> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
> ---
>  .../busybox/busybox/CVE-2021-42374.patch      | 53 +++++++++++++++++++
>  meta/recipes-core/busybox/busybox_1.33.1.bb   |  1 +
>  2 files changed, 54 insertions(+)
>  create mode 100644 meta/recipes-core/busybox/busybox/CVE-2021-42374.patch
> 
> diff --git a/meta/recipes-core/busybox/busybox/CVE-2021-42374.patch
> b/meta/recipes-core/busybox/busybox/CVE-2021-42374.patch
> new file mode 100644
> index 0000000000..aef8a3db85
> --- /dev/null
> +++ b/meta/recipes-core/busybox/busybox/CVE-2021-42374.patch
> @@ -0,0 +1,53 @@
> +From 04f052c56ded5ab6a904e3a264a73dc0412b2e78 Mon Sep 17 00:00:00 2001
> +From: Denys Vlasenko <vda.linux@googlemail.com>
> +Date: Tue, 15 Jun 2021 15:07:57 +0200
> +Subject: [PATCH] unlzma: fix a case where we could read before beginning of buffer
> +Cc: pavel@zhukoff.net
> +
> +Testcase:
> +
> +  21 01 01 00 00 00 00 00 e7 01 01 01 ef 00 df b6
> +  00 17 02 10 11 0f ff 00 16 00 00
> +
> +Unfortunately, the bug is not reliably causing a segfault,
> +the behavior depends on what's in memory before the buffer.
> +
> +function                                             old     new   delta
> +unpack_lzma_stream                                  2762    2768      +6
> +
> +Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
> +
> +Signed-off-by: Pavel Zhukov <pavel.zhukov@huawei.com>
> +
> +CVE: CVE-2021-42374
> +Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?h=1_33_stable&id=d326be2850ea2bd78fe2c22d6c45c3b861d82937]
> +Comment: testdata dropped because of binary format
> +
> +---
> + archival/libarchive/decompress_unlzma.c |   5 ++++-
> + testsuite/unlzma.tests                  |  17 +++++++++++++----
> + testsuite/unlzma_issue_3.lzma           | Bin 0 -> 27 bytes
> + 3 files changed, 17 insertions(+), 5 deletions(-)
> + create mode 100644 testsuite/unlzma_issue_3.lzma
> +
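Review bot: the diffstat above still lists testsuite/unlzma.tests (17 lines) and testsuite/unlzma_issue_3.lzma, but the backport that follows carries only the decompress_unlzma.c hunk, and the "Comment:" line justifies dropping only the binary .lzma file. unlzma.tests is plain text, so either keep its hunk (the 27 testcase bytes quoted in the commit message can be regenerated inside the test with printf instead of shipping a binary) or trim the diffstat to the single file actually patched, so the header of the patch matches its content.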
> +diff --git a/archival/libarchive/decompress_unlzma.c b/archival/libarchive/decompress_unlzma.c
> +index 0744f231a1d64d92676b0cada2342f88f3b39b31..fb5aac8fe9ea0c53e0c2d7a7cbd05a753e39bc9d 100644
> +--- a/archival/libarchive/decompress_unlzma.c
> ++++ b/archival/libarchive/decompress_unlzma.c
> +@@ -290,8 +290,11 @@ unpack_lzma_stream(transformer_state_t *xstate)
> +                               uint32_t pos;
> + 
> +                               pos = buffer_pos - rep0;
> +-                              if ((int32_t)pos < 0)
> ++                              if ((int32_t)pos < 0) {
> +                                       pos += header.dict_size;
> ++                                      if ((int32_t)pos < 0)
> ++                                              goto bad;
> ++                              }
> +                               match_byte = buffer[pos];
> +                               do {
> +                                       int bit;
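Review bot: the added second `if ((int32_t)pos < 0) goto bad;` is the right shape, but it interprets pos as signed after one dict_size correction, so it only holds if header.dict_size is below 2^31 and a single fold-back is the only legitimate wrap; neither bound is visible in this hunk, so the header validation earlier in unpack_lzma_stream should be confirmed before relying on the cast. With that assumption the logic is sound: buffer_pos - rep0 underflows to a large uint32_t when rep0 exceeds buffer_pos, dict_size is added back once, and a result that is still negative (rep0 > buffer_pos + dict_size) is now rejected instead of reaching `match_byte = buffer[pos];`. The pre-fix code had no check after the addition, which is exactly the read before the buffer that the commit message describes.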
> +-- 
> +2.34.0
> +
> diff --git a/meta/recipes-core/busybox/busybox_1.33.1.bb b/meta/recipes-core/busybox/busybox_1.33.1.bb
> index 4002d6a5c6..5f574e7f49 100644
> --- a/meta/recipes-core/busybox/busybox_1.33.1.bb
> +++ b/meta/recipes-core/busybox/busybox_1.33.1.bb
> @@ -48,6 +48,7 @@ SRC_URI =
> "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
>            
> file://0001-sysctl-ignore-EIO-of-stable_secret-below-proc-sys-ne.patch
>  \
>            
> file://0001-gen_build_files-Use-C-locale-when-calling-sed-on-glo.patch
>  \
>             file://0001-mktemp-add-tmpdir-option.patch \
> +           file://CVE-2021-42374.patch \
>             "
>  SRC_URI_append_libc-musl = " file://musl.cfg "
>  
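Review bot: this hunk adds `file://CVE-2021-42374.patch` to busybox_1.33.1.bb, but the reply above says stable/hardknott-next already carries the upgrade to 1.33.2, whose 1_33_stable branch contains the upstream commit named in the patch's Upstream-Status line; after the requested rebase this hunk (and the backported patch file with it) should drop out entirely rather than be carried forward, since adding a SRC_URI entry for a recipe file that no longer exists will only conflict with the version bump.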
> 
> 
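The boundary condition in the quoted unlzma hunk, as an added example that is neither busybox nor OE-Core code: a stand-alone model of the match-byte index computation before and after the fix, driven with constructed (buffer_pos, rep0, dict_size) triples instead of a real LZMA stream. The function names lzma_match_index_before/after are mine; the real code decodes rep0 from the range coder and indexes a circular dictionary buffer, and its (int32_t) casts assume dict_size is below 2^31, which this model assumes as well.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not busybox code. Minimal model of the match-byte index
 * computation in unpack_lzma_stream(): buffer_pos is the write position in
 * the circular dictionary, rep0 the match distance decoded from the stream
 * (attacker-controlled), dict_size the window size from the LZMA header.
 * Both models assume dict_size < 2^31, which the (int32_t) casts in the
 * real code also rely on.
 */

/* Pre-fix behaviour: one wrap-around correction and no check afterwards.
 * A negative return is the index the old code would have used in buffer[pos]. */
static int32_t lzma_match_index_before(uint32_t buffer_pos, uint32_t rep0,
                                       uint32_t dict_size)
{
    uint32_t pos = buffer_pos - rep0;      /* wraps when rep0 > buffer_pos */
    if ((int32_t)pos < 0)
        pos += dict_size;                  /* fold back into the window once */
    return (int32_t)pos;
}

/* Post-fix behaviour: a second negative result is rejected (the 'goto bad'
 * in the hunk). Returns -1 for a rejected stream, else the in-window index. */
static int64_t lzma_match_index_after(uint32_t buffer_pos, uint32_t rep0,
                                      uint32_t dict_size)
{
    uint32_t pos = buffer_pos - rep0;
    if ((int32_t)pos < 0) {
        pos += dict_size;
        if ((int32_t)pos < 0)
            return -1;                     /* rep0 > buffer_pos + dict_size */
    }
    return pos;
}

int main(void)
{
    /* Constructed inputs, not derived from the testcase bytes in the commit. */
    struct { uint32_t bp, rep0, dict; const char *why; } cases[] = {
        { 10,   3, 64, "ordinary back-reference inside the window" },
        {  2,   5, 64, "wraps once: 2 - 5 + 64 = 61, still valid" },
        {  0, 100, 64, "distance exceeds everything written plus the window" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int32_t old = lzma_match_index_before(cases[i].bp, cases[i].rep0, cases[i].dict);
        int64_t fixed = lzma_match_index_after(cases[i].bp, cases[i].rep0, cases[i].dict);
        printf("bp=%u rep0=%u dict=%u: old index %d, fixed %s (%s)\n",
               cases[i].bp, cases[i].rep0, cases[i].dict, old,
               fixed < 0 ? "rejects" : "accepts", cases[i].why);
    }
    return 0;
}
```

The third case is the shape the fix's second check exists for: a decoded distance larger than everything written so far plus the whole window, which the old code turned into a negative index and used anyway, and which the patched code now reports as a bad stream.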


Thread overview: 5+ messages
2021-12-22  2:11 [OE-core][hardknott][PATCH 1/3] busybox: Fix for CVE-2021-42374 Chen Qi
2021-12-22  2:11 ` [OE-core][hardknott][PATCH 2/3] busybox: Fix for CVE-2021-42376 Chen Qi
2021-12-22  2:11 ` [OE-core][hardknott][PATCH 3/3] busybox: backport patches to fix CVEs Chen Qi
2021-12-22  2:36 ` Mittal, Anuj [this message]
2021-12-22  5:07   ` [OE-core][hardknott][PATCH 1/3] busybox: Fix for CVE-2021-42374 ChenQi
