From 8a7a392ef37b3d5bd8ef81ab17d976696ad64dfe Mon Sep 17 00:00:00 2001 From: Armin Kuster Date: Wed, 27 Apr 2016 17:47:22 -0700 Subject: busybox: Security fix CVE-2016-2147 busybox <= 1.24.2 Signed-off-by: Armin Kuster Signed-off-by: Richard Purdie --- .../busybox/busybox/CVE-2016-2147.patch | 57 ++++++++++++++++++++++ .../busybox/busybox/CVE-2016-2147_2.patch | 32 ++++++++++++ meta/recipes-core/busybox/busybox_1.24.1.bb | 2 + 3 files changed, 91 insertions(+) create mode 100644 meta/recipes-core/busybox/busybox/CVE-2016-2147.patch create mode 100644 meta/recipes-core/busybox/busybox/CVE-2016-2147_2.patch (limited to 'meta/recipes-core') diff --git a/meta/recipes-core/busybox/busybox/CVE-2016-2147.patch b/meta/recipes-core/busybox/busybox/CVE-2016-2147.patch new file mode 100644 index 0000000000..84cae6aa2c --- /dev/null +++ b/meta/recipes-core/busybox/busybox/CVE-2016-2147.patch @@ -0,0 +1,57 @@ +From d474ffc68290e0a83651c4432eeabfa62cd51e87 Mon Sep 17 00:00:00 2001 +From: Denys Vlasenko +Date: Thu, 10 Mar 2016 11:47:58 +0100 +Subject: [PATCH] udhcp: fix a SEGV on malformed RFC1035-encoded domain name + +Signed-off-by: Denys Vlasenko + +Upstream-Status: Backport +CVE: CVE-2016-2147 + +https://git.busybox.net/busybox/commit/?id=d474ffc +Signed-off-by: Armin Kuster + +--- + networking/udhcp/domain_codec.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +Index: busybox-1.23.2/networking/udhcp/domain_codec.c +=================================================================== +--- busybox-1.23.2.orig/networking/udhcp/domain_codec.c ++++ busybox-1.23.2/networking/udhcp/domain_codec.c +@@ -63,11 +63,10 @@ char* FAST_FUNC dname_dec(const uint8_t + if (crtpos + *c + 1 > clen) /* label too long? abort */ + return NULL; + if (dst) +- memcpy(dst + len, c + 1, *c); ++ /* \3com ---> "com." */ ++ ((char*)mempcpy(dst + len, c + 1, *c))[0] = '.'; + len += *c + 1; + crtpos += *c + 1; +- if (dst) +- dst[len - 1] = '.'; + } else { + /* NUL: end of current domain name */ + if (retpos == 0) { +@@ -78,7 +77,10 @@ char* FAST_FUNC dname_dec(const uint8_t + crtpos = retpos; + retpos = depth = 0; + } +- if (dst) ++ if (dst && len != 0) ++ /* \4host\3com\0\4host and we are at \0: ++ * \3com was converted to "com.", change dot to space. ++ */ + dst[len - 1] = ' '; + } + +@@ -228,6 +230,9 @@ int main(int argc, char **argv) + int len; + uint8_t *encoded; + ++ uint8_t str[6] = { 0x00, 0x00, 0x02, 0x65, 0x65, 0x00 }; ++ printf("NUL:'%s'\n", dname_dec(str, 6, "")); ++ + #define DNAME_DEC(encoded,pre) dname_dec((uint8_t*)(encoded), sizeof(encoded), (pre)) + printf("'%s'\n", DNAME_DEC("\4host\3com\0", "test1:")); + printf("test2:'%s'\n", DNAME_DEC("\4host\3com\0\4host\3com\0", "")); diff --git a/meta/recipes-core/busybox/busybox/CVE-2016-2147_2.patch b/meta/recipes-core/busybox/busybox/CVE-2016-2147_2.patch new file mode 100644 index 0000000000..1473d46035 --- /dev/null +++ b/meta/recipes-core/busybox/busybox/CVE-2016-2147_2.patch @@ -0,0 +1,32 @@ +From 1b7c17391de66502dd7a97c866e0a33681edbb1f Mon Sep 17 00:00:00 2001 +From: Denys Vlasenko +Date: Fri, 11 Mar 2016 00:26:58 +0100 +Subject: [PATCH] udhcpc: fix a warning in debug code + +Signed-off-by: Denys Vlasenko +Upsteam-Status: Backport +CVE: CVE-2016-2147 regression fix + +https://git.busybox.net/busybox/commit/?id=1b7c17 + +Signed-off-by: Armin Kuster + +--- + networking/udhcp/domain_codec.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/networking/udhcp/domain_codec.c b/networking/udhcp/domain_codec.c +index cee31f1..5a923cc 100644 +--- a/networking/udhcp/domain_codec.c ++++ b/networking/udhcp/domain_codec.c +@@ -7,6 +7,7 @@ + * Licensed under GPLv2 or later, see file LICENSE in this source tree. + */ + #ifdef DNS_COMPR_TESTING ++# define _GNU_SOURCE + # define FAST_FUNC /* nothing */ + # define xmalloc malloc + # include +-- +2.3.5 + diff --git a/meta/recipes-core/busybox/busybox_1.24.1.bb b/meta/recipes-core/busybox/busybox_1.24.1.bb index 61fc878697..82fc64f326 100644 --- a/meta/recipes-core/busybox/busybox_1.24.1.bb +++ b/meta/recipes-core/busybox/busybox_1.24.1.bb @@ -45,6 +45,8 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \ file://rcK \ file://runlevel \ file://CVE-2016-2148.patch \ + file://CVE-2016-2147.patch \ + file://CVE-2016-2147_2.patch \ " SRC_URI_append_libc-musl = " file://musl.cfg " -- cgit v1.2.3