* [OE-core][master][kirkstone] busybox: fix CVE-2022-28391
       [not found] <cover.1650303227.git.steve@sakoman.com>
@ 2022-04-18 19:04 ` Steve Sakoman
  2022-04-18 19:04 ` [OE-core][master][kirkstone] lua: fix CVE-2022-28805 Steve Sakoman
  1 sibling, 0 replies; 7+ messages in thread
From: Steve Sakoman @ 2022-04-18 19:04 UTC (permalink / raw)
  To: openembedded-core

BusyBox through 1.35.0 allows remote attackers to execute arbitrary code
if netstat is used to print a DNS PTR record's value to a VT compatible
terminal. Alternatively, the attacker could choose to change the terminal's colors.

https://nvd.nist.gov/vuln/detail/CVE-2022-28391

Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 ...tr-ensure-only-printable-characters-.patch | 41 +++++++++++
 ...e-all-printed-strings-with-printable.patch | 69 +++++++++++++++++++
 meta/recipes-core/busybox/busybox_1.35.0.bb   |  2 +
 3 files changed, 112 insertions(+)
 create mode 100644 meta/recipes-core/busybox/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
 create mode 100644 meta/recipes-core/busybox/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch

diff --git a/meta/recipes-core/busybox/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch b/meta/recipes-core/busybox/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
new file mode 100644
index 0000000000..4635250170
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
@@ -0,0 +1,41 @@
+From 0c8da1bead8ffaf270b4b723ead2c517371405d7 Mon Sep 17 00:00:00 2001
+From: Ariadne Conill <ariadne@dereferenced.org>
+Date: Sun, 3 Apr 2022 12:14:33 +0000
+Subject: [PATCH 1/2] libbb: sockaddr2str: ensure only printable characters are
+ returned for the hostname part
+
+CVE: CVE-2022-28391
+Upstream-Status: Pending
+Signed-off-by: Ariadne Conill <ariadne@dereferenced.org>
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+---
+ libbb/xconnect.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/libbb/xconnect.c b/libbb/xconnect.c
+index 0e0b247b8..02c061e67 100644
+--- a/libbb/xconnect.c
++++ b/libbb/xconnect.c
+@@ -497,8 +497,9 @@ static char* FAST_FUNC sockaddr2str(const struct sockaddr *sa, int flags)
+ 	);
+ 	if (rc)
+ 		return NULL;
++	/* ensure host contains only printable characters */
+ 	if (flags & IGNORE_PORT)
+-		return xstrdup(host);
++		return xstrdup(printable_string(host));
+ #if ENABLE_FEATURE_IPV6
+ 	if (sa->sa_family == AF_INET6) {
+ 		if (strchr(host, ':')) /* heh, it's not a resolved hostname */
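Review bot: the new comment `/* ensure host contains only printable characters */` is placed in front of the `IGNORE_PORT` early return only, yet the same `printable_string(host)` wrapping is applied again at the function's final return in the next hunk; as written it reads as though only the first return is covered, so either word it to cover both returns or repeat it at the second call. Also worth stating: the `AF_INET6` branch below keeps inspecting the raw `host` and, per its own comment, only takes its own return path when `host` contains ':' and "is not a resolved hostname"; the fix relies on that assumption, so a one-line note there would make it explicit for the next reader.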
+@@ -509,7 +510,7 @@ static char* FAST_FUNC sockaddr2str(const struct sockaddr *sa, int flags)
+ #endif
+ 	/* For now we don't support anything else, so it has to be INET */
+ 	/*if (sa->sa_family == AF_INET)*/
+-		return xasprintf("%s:%s", host, serv);
++		return xasprintf("%s:%s", printable_string(host), serv);
+ 	/*return xstrdup(host);*/
+ }
+ 
+-- 
+2.35.1
+
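Review bot: in the `"%s:%s"` return, `serv` is still passed to `xasprintf` unsanitized while `host` goes through `printable_string()`; whether `serv` can come back as a resolved service name rather than a numeric port depends on the resolver flags outside this hunk, so either give it the same wrapping, `return xasprintf("%s:%s", printable_string(host), printable_string(serv));`, or add a comment stating that it is always numeric so the asymmetry is clearly deliberate.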
diff --git a/meta/recipes-core/busybox/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch b/meta/recipes-core/busybox/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch
new file mode 100644
index 0000000000..0d7409ddc3
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch
@@ -0,0 +1,69 @@
+From 812b407e545b70b16cf32aade135b5c32eaf674f Mon Sep 17 00:00:00 2001
+From: Ariadne Conill <ariadne@dereferenced.org>
+Date: Sun, 3 Apr 2022 12:16:45 +0000
+Subject: [PATCH 2/2] nslookup: sanitize all printed strings with
+ printable_string
+
+Otherwise, terminal sequences can be injected, which enables various terminal injection
+attacks from DNS results.
+
+CVE: CVE-2022-28391
+Upstream-Status: Pending
+Signed-off-by: Ariadne Conill <ariadne@dereferenced.org>
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+---
+ networking/nslookup.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/networking/nslookup.c b/networking/nslookup.c
+index 6da97baf4..4bdcde1b8 100644
+--- a/networking/nslookup.c
++++ b/networking/nslookup.c
+@@ -407,7 +407,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
+ 				//printf("Unable to uncompress domain: %s\n", strerror(errno));
+ 				return -1;
+ 			}
+-			printf(format, ns_rr_name(rr), dname);
++			printf(format, ns_rr_name(rr), printable_string(dname));
+ 			break;
+ 
+ 		case ns_t_mx:
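Review bot: this hunk (and each of the four that follow) wraps `dname` but still prints `ns_rr_name(rr)` raw through `%s`; the record owner name comes from the same untrusted reply as the rdata, so it needs the same treatment, e.g. `printf(format, printable_string(ns_rr_name(rr)), printable_string(dname));`. Before doubling up two calls in one argument list, confirm `printable_string()`'s return-value contract: if it ever hands back a single shared buffer for converted input, the two results would clash and one of them would have to be copied first.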
+@@ -422,7 +422,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
+ 				//printf("Cannot uncompress MX domain: %s\n", strerror(errno));
+ 				return -1;
+ 			}
+-			printf("%s\tmail exchanger = %d %s\n", ns_rr_name(rr), n, dname);
++			printf("%s\tmail exchanger = %d %s\n", ns_rr_name(rr), n, printable_string(dname));
+ 			break;
+ 
+ 		case ns_t_txt:
+@@ -434,7 +434,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
+ 			if (n > 0) {
+ 				memset(dname, 0, sizeof(dname));
+ 				memcpy(dname, ns_rr_rdata(rr) + 1, n);
+-				printf("%s\ttext = \"%s\"\n", ns_rr_name(rr), dname);
++				printf("%s\ttext = \"%s\"\n", ns_rr_name(rr), printable_string(dname));
+ 			}
+ 			break;
+ 
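Review bot: the TXT data is printed between literal double quotes and nothing in this hunk escapes a `"` or `\` inside `dname`, so a record containing a quote still breaks the line's quoting even after `printable_string()`; if the output is meant to be machine-parseable, escape those two characters as well, otherwise a comment saying the quotes are cosmetic would settle it. Separately, the only guard visible here is `if (n > 0)` ahead of `memcpy(dname, ns_rr_rdata(rr) + 1, n);`, so the upper bound of `n` against `sizeof(dname)` must come from the lines just above the hunk; worth re-checking while this code is being touched.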
+@@ -454,7 +454,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
+ 			}
+ 
+ 			printf("%s\tservice = %u %u %u %s\n", ns_rr_name(rr),
+-				ns_get16(cp), ns_get16(cp + 2), ns_get16(cp + 4), dname);
++				ns_get16(cp), ns_get16(cp + 2), ns_get16(cp + 4), printable_string(dname));
+ 			break;
+ 
+ 		case ns_t_soa:
+@@ -483,7 +483,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
+ 				return -1;
+ 			}
+ 
+-			printf("\tmail addr = %s\n", dname);
++			printf("\tmail addr = %s\n", printable_string(dname));
+ 			cp += n;
+ 
+ 			printf("\tserial = %lu\n", ns_get32(cp));
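Review bot: within the `ns_t_soa` case only the `mail addr` line receives `printable_string()`; the SOA primary-server name is printed by the lines between the `case ns_t_soa:` label and this hunk, which the patch does not show, so confirm it is either already sanitized or covered by a further hunk, and give it the same wrapper if not.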
+-- 
+2.35.1
+
diff --git a/meta/recipes-core/busybox/busybox_1.35.0.bb b/meta/recipes-core/busybox/busybox_1.35.0.bb
index ab11f3d89a..f2f1b35902 100644
--- a/meta/recipes-core/busybox/busybox_1.35.0.bb
+++ b/meta/recipes-core/busybox/busybox_1.35.0.bb
@@ -47,6 +47,8 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
            file://0001-testsuite-use-www.example.org-for-wget-test-cases.patch \
            file://0001-du-l-works-fix-to-use-145-instead-of-144.patch \
            file://0001-sysctl-ignore-EIO-of-stable_secret-below-proc-sys-ne.patch \
+           file://0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch \
+           file://0002-nslookup-sanitize-all-printed-strings-with-printable.patch \
            "
 SRC_URI:append:libc-musl = " file://musl.cfg "
 
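Review bot: both patch files being added here carry `Upstream-Status: Pending` even though each has a commit id in its `From` line (0c8da1bead8f... and 812b407e545b...); if these commits have been posted to the busybox list, mark them `Upstream-Status: Submitted [url]`, and if they are taken from an upstream branch use the `Backport [url]` form, so that the status can be tracked when the recipe is next upgraded.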
-- 
2.25.1
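Both patches above route DNS-derived strings through BusyBox's `printable_string()` before they reach `printf`. As an added illustration of that technique, the following C block is example code written for this page, not BusyBox's `printable_string()` and not code from the thread: it implements an equivalent ASCII-only filter, applies it to a constructed PTR-style name carrying an ANSI colour escape, and builds a sanitized nslookup-style TXT line in which both the owner name and the record data are filtered. The sample strings are constructed for the example; the 0x20..0x7e rule is the example's own choice and is stricter than a locale-aware converter would be, since it also rewrites legitimate UTF-8 bytes.

```c
/* Added example (not BusyBox code): a printable_string()-style filter of the
 * kind the busybox patches above apply before printing DNS answers. Bytes
 * outside printable 7-bit ASCII (0x20..0x7e) are replaced with '?', so an
 * ESC (0x1b) carried in a PTR/TXT/MX answer can never start a terminal
 * control sequence on the user's screen. */
#include <stdio.h>
#include <string.h>

/* Constructed sample inputs (not captured DNS data). */
static const char SAMPLE_PTR_WITH_ESC[] = "\x1b[31mevil\x1b[0m.example.net";
static const char SAMPLE_UTF8_NAME[]    = "caf\xc3\xa9.example.net";

/* 1 if every byte of s is printable 7-bit ASCII, 0 otherwise. */
static int is_printable_ascii(const char *s)
{
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (c < 0x20 || c >= 0x7f)
            return 0;
    }
    return 1;
}

/* Copy src into dst (capacity dstsz), replacing each non-printable byte
 * with '?'. Output is always NUL-terminated when dstsz > 0 and silently
 * truncated when src is too long. Returns the number of bytes replaced. */
static size_t sanitize_for_terminal(char *dst, size_t dstsz, const char *src)
{
    size_t i, replaced = 0;

    if (dstsz == 0)
        return 0;
    for (i = 0; i + 1 < dstsz && src[i] != '\0'; i++) {
        unsigned char c = (unsigned char)src[i];
        if (c < 0x20 || c >= 0x7f) {
            dst[i] = '?';
            replaced++;
        } else {
            dst[i] = (char)c;
        }
    }
    dst[i] = '\0';
    return replaced;
}

/* Build an nslookup-style line  owner<TAB>text = "data"  with BOTH the
 * owner name and the record data filtered, since both come from the same
 * untrusted reply. Returns the total number of bytes replaced. */
static size_t format_txt_line(char *out, size_t outsz,
                              const char *owner, const char *data)
{
    char o[256], d[256];
    size_t replaced = sanitize_for_terminal(o, sizeof o, owner)
                    + sanitize_for_terminal(d, sizeof d, data);

    snprintf(out, outsz, "%s\ttext = \"%s\"", o, d);
    return replaced;
}

int main(void)
{
    char line[512];
    size_t n;

    n = sanitize_for_terminal(line, sizeof line, SAMPLE_PTR_WITH_ESC);
    printf("PTR  raw bytes=%zu  replaced=%zu  shown as: %s\n",
           strlen(SAMPLE_PTR_WITH_ESC), n, line);

    n = sanitize_for_terminal(line, sizeof line, SAMPLE_UTF8_NAME);
    printf("UTF-8 name  replaced=%zu  shown as: %s\n", n, line);

    n = format_txt_line(line, sizeof line, "example.net", "v=spf1 \x07 -all");
    printf("TXT  replaced=%zu  line: %s\n", n, line);
    return 0;
}
```

The point of `format_txt_line()` is the one the nslookup hunks leave open: the owner name and the rdata arrive in the same reply, so the filter has to be applied to both before they are combined into one output line, and the filtered copies must live in separate buffers so that two results can be used in a single `printf`.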

* [OE-core][master][kirkstone] lua: fix CVE-2022-28805
       [not found] <cover.1650303227.git.steve@sakoman.com>
  2022-04-18 19:04 ` [OE-core][master][kirkstone] busybox: fix CVE-2022-28391 Steve Sakoman
@ 2022-04-18 19:04 ` Steve Sakoman
  2022-04-19 13:17   ` Richard Purdie
  1 sibling, 1 reply; 7+ messages in thread
From: Steve Sakoman @ 2022-04-18 19:04 UTC (permalink / raw)
  To: openembedded-core

singlevar in lparser.c in Lua through 5.4.4 lacks a certain luaK_exp2anyregup
call, leading to a heap-based buffer over-read that might affect a system that
compiles untrusted Lua code.

https://nvd.nist.gov/vuln/detail/CVE-2022-28805

Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../lua/lua/CVE-2022-28805.patch              | 26 +++++++++++++++++++
 meta/recipes-devtools/lua/lua_5.4.4.bb        |  1 +
 2 files changed, 27 insertions(+)
 create mode 100644 meta/recipes-devtools/lua/lua/CVE-2022-28805.patch

diff --git a/meta/recipes-devtools/lua/lua/CVE-2022-28805.patch b/meta/recipes-devtools/lua/lua/CVE-2022-28805.patch
new file mode 100644
index 0000000000..8a1a69d60e
--- /dev/null
+++ b/meta/recipes-devtools/lua/lua/CVE-2022-28805.patch
@@ -0,0 +1,26 @@
+From 1f3c6f4534c6411313361697d98d1145a1f030fa Mon Sep 17 00:00:00 2001
+From: Roberto Ierusalimschy <roberto@inf.puc-rio.br>
+Date: Tue, 15 Feb 2022 12:28:46 -0300
+Subject: [PATCH] Bug: Lua can generate wrong code when _ENV is <const>
+
+CVE: CVE-2022-28805
+
+Upstream-Status: Backport from upstream: https://github.com/lua/lua/commit/1f3c6f4534c6411313361697d98d1145a1f030fa
+
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+---
+ src/lparser.c         |  1 +
+ 1 files changed, 1 insertions(+)
+
+diff --git a/src/lparser.c b/src/lparser.c
+index 3abe3d751..a5cd55257 100644
+--- a/src/lparser.c
++++ b/src/lparser.c
+@@ -468,6 +468,7 @@ static void singlevar (LexState *ls, expdesc *var) {
+     expdesc key;
+     singlevaraux(fs, ls->envn, var, 1);  /* get environment variable */
+     lua_assert(var->k != VVOID);  /* this one must exist */
++    luaK_exp2anyregup(fs, var);  /* but could be a constant */
+     codestring(&key, varname);  /* key is variable name */
+     luaK_indexed(fs, var, &key);  /* env[varname] */
+   }
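Review bot: the diffstat reads `1 files changed, 1 insertions(+)`, which git itself would print as `1 file changed, 1 insertion(+)`, so this header was edited by hand, presumably when the path was rewritten to `src/lparser.c` (the upstream repository keeps the file at the top level); that adaptation is fine for a backport, but say so in a line under the `Upstream-Status` entry so the next rebase knows the path differs from the referenced upstream commit.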
diff --git a/meta/recipes-devtools/lua/lua_5.4.4.bb b/meta/recipes-devtools/lua/lua_5.4.4.bb
index f50328ecfd..d704841378 100644
--- a/meta/recipes-devtools/lua/lua_5.4.4.bb
+++ b/meta/recipes-devtools/lua/lua_5.4.4.bb
@@ -6,6 +6,7 @@ HOMEPAGE = "http://www.lua.org/"
 
 SRC_URI = "http://www.lua.org/ftp/lua-${PV}.tar.gz;name=tarballsrc \
            file://lua.pc.in \
+           file://CVE-2022-28805.patch \
            ${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'http://www.lua.org/tests/lua-${PV_testsuites}-tests.tar.gz;name=tarballtest file://run-ptest ', '', d)} \
            "
 
-- 
2.25.1

* Re: [OE-core][master][kirkstone] lua: fix CVE-2022-28805
  2022-04-18 19:04 ` [OE-core][master][kirkstone] lua: fix CVE-2022-28805 Steve Sakoman
@ 2022-04-19 13:17   ` Richard Purdie
  2022-04-25  6:15     ` [master][kirkstone] " Ranjitsinh Rathod
  0 siblings, 1 reply; 7+ messages in thread
From: Richard Purdie @ 2022-04-19 13:17 UTC (permalink / raw)
  To: Steve Sakoman, openembedded-core

On Mon, 2022-04-18 at 09:04 -1000, Steve Sakoman wrote:
> singlevar in lparser.c in Lua through 5.4.4 lacks a certain luaK_exp2anyregup
> call, leading to a heap-based buffer over-read that might affect a system that
> compiles untrusted Lua code.
> 
> https://nvd.nist.gov/vuln/detail/CVE-2022-28805
> 
> Signed-off-by: Steve Sakoman <steve@sakoman.com>
> ---
>  .../lua/lua/CVE-2022-28805.patch              | 26 +++++++++++++++++++
>  meta/recipes-devtools/lua/lua_5.4.4.bb        |  1 +
>  2 files changed, 27 insertions(+)
>  create mode 100644 meta/recipes-devtools/lua/lua/CVE-2022-28805.patch
> 
> diff --git a/meta/recipes-devtools/lua/lua/CVE-2022-28805.patch b/meta/recipes-devtools/lua/lua/CVE-2022-28805.patch
> new file mode 100644
> index 0000000000..8a1a69d60e
> --- /dev/null
> +++ b/meta/recipes-devtools/lua/lua/CVE-2022-28805.patch
> @@ -0,0 +1,26 @@
> +From 1f3c6f4534c6411313361697d98d1145a1f030fa Mon Sep 17 00:00:00 2001
> +From: Roberto Ierusalimschy <roberto@inf.puc-rio.br>
> +Date: Tue, 15 Feb 2022 12:28:46 -0300
> +Subject: [PATCH] Bug: Lua can generate wrong code when _ENV is <const>
> +
> +CVE: CVE-2022-28805
> +
> +Upstream-Status: Backport from upstream: https://github.com/lua/lua/commit/1f3c6f4534c6411313361697d98d1145a1f030fa

For consistency this should be:

Upstream-Status: Backport
[https://github.com/lua/lua/commit/1f3c6f4534c6411313361697d98d1145a1f030fa]

:)

I tweaked the patch.

Cheers,

Richard

* Re: [master][kirkstone] lua: fix CVE-2022-28805
  2022-04-19 13:17   ` Richard Purdie
@ 2022-04-25  6:15     ` Ranjitsinh Rathod
  2022-04-25 13:57       ` [OE-core] " Steve Sakoman
       [not found]       ` <16E92852A324797A.4937@lists.openembedded.org>
  0 siblings, 2 replies; 7+ messages in thread
From: Ranjitsinh Rathod @ 2022-04-25  6:15 UTC (permalink / raw)
  To: openembedded-core

Hi Steve,

Can you please cherry-pick this on the dunfell branch as well for this Lua CVE? Or should I send a patch for this?

Ranjitsinh Rathod

* Re: [OE-core] [master][kirkstone] lua: fix CVE-2022-28805
  2022-04-25  6:15     ` [master][kirkstone] " Ranjitsinh Rathod
@ 2022-04-25 13:57       ` Steve Sakoman
       [not found]       ` <16E92852A324797A.4937@lists.openembedded.org>
  1 sibling, 0 replies; 7+ messages in thread
From: Steve Sakoman @ 2022-04-25 13:57 UTC (permalink / raw)
  To: Ranjitsinh Rathod; +Cc: openembedded-core

On Sun, Apr 24, 2022 at 8:15 PM Ranjitsinh Rathod
<ranjitsinhrathod1991@gmail.com> wrote:
>
> Hi Steve,
>
> Can you please cherry-pick this on the dunfell branch as well for this Lua CVE? Or should I send a patch for this?

Yes, of course!  Thanks for the reminder.

Steve

* Re: [OE-core] [master][kirkstone] lua: fix CVE-2022-28805
       [not found]       ` <16E92852A324797A.4937@lists.openembedded.org>
@ 2022-04-25 15:08         ` Steve Sakoman
  2022-04-25 15:29           ` Ranjitsinh Rathod
  0 siblings, 1 reply; 7+ messages in thread
From: Steve Sakoman @ 2022-04-25 15:08 UTC (permalink / raw)
  To: steve; +Cc: Ranjitsinh Rathod, openembedded-core

On Mon, Apr 25, 2022 at 3:57 AM Steve Sakoman via
lists.openembedded.org <steve=sakoman.com@lists.openembedded.org>
wrote:
>
> On Sun, Apr 24, 2022 at 8:15 PM Ranjitsinh Rathod
> <ranjitsinhrathod1991@gmail.com> wrote:
> >
> > Hi Steve,
> >
> > Can you please cherry-pick this on the dunfell branch as well for this Lua CVE? Or should I send a patch for this?
>
> Yes, of course!  Thanks for the reminder.

Heh, now I know why I "forgot" to take this patch in dunfell -- there
is no lua recipe in dunfell :-)

It was moved from meta-oe to oe-core post dunfell release. So, you
should probably submit this patch for the meta-openembedded dunfell
branch using the meta-openembedded mailing list!

Steve

Steve

* Re: [OE-core] [master][kirkstone] lua: fix CVE-2022-28805
  2022-04-25 15:08         ` Steve Sakoman
@ 2022-04-25 15:29           ` Ranjitsinh Rathod
  0 siblings, 0 replies; 7+ messages in thread
From: Ranjitsinh Rathod @ 2022-04-25 15:29 UTC (permalink / raw)
  To: steve; +Cc: Ranjitsinh Rathod, openembedded-core


Hi Steve,

Sure, will send it for meta-openembedded.


Thanks,

Best Regards,

Ranjitsinh Rathod
Technical Leader | KPIT Technologies Ltd.
Cellphone: +91-84606 92403

