Package: busybox Version: 1:1.35.0-1 Tags: patch Followup-For: Bug #1010264
Dear Maintainer, I created a patch which corect this issue. The correction contained in this patch was taken from the following posts. http://lists.busybox.net/pipermail/busybox/2022-June/089751.html Could you check this? Best regards, Nobuhiro -- System Information: Debian Release: bookworm/sid APT prefers unstable-debug APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: armhf, arm64, i386 Kernel: Linux 5.17.0-1-amd64 (SMP w/16 CPU threads; PREEMPT) Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=ja_JP.UTF-8, LC_CTYPE=ja_JP.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages busybox depends on: ii libc6 2.33-7 busybox recommends no packages. busybox suggests no packages. -- no debconf information
>From 8e24308e8a8ebedc07e08255d3efbb00f2b13003 Mon Sep 17 00:00:00 2001 From: Nobuhiro Iwamatsu <iwama...@debian.org> Date: Wed, 6 Jul 2022 15:46:06 +0900 Subject: [PATCH] d/aptches: Fix CVE-2022-28391 These patches fix CVE-2022-28391. These have not been incorporated into the upstream tree yet, but has been posted on the ML[0]. [0]: http://lists.busybox.net/pipermail/busybox/2022-June/089751.html Signed-off-by: Nobuhiro Iwamatsu <iwama...@debian.org> --- ...tr-ensure-only-printable-characters-.patch | 40 +++++++++++ ...e-all-printed-strings-with-printable.patch | 68 +++++++++++++++++++ debian/patches/series | 3 + 3 files changed, 111 insertions(+) create mode 100644 debian/patches/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch create mode 100644 debian/patches/0002-nslookup-sanitize-all-printed-strings-with-printable.patch diff --git a/debian/patches/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch b/debian/patches/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch new file mode 100644 index 000000000..1d1716e3b --- /dev/null +++ b/debian/patches/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch @@ -0,0 +1,40 @@ +From 0c8da1bead8ffaf270b4b723ead2c517371405d7 Mon Sep 17 00:00:00 2001 +From: Ariadne Conill <aria...@dereferenced.org> +Date: Sun, 3 Apr 2022 12:14:33 +0000 +Subject: [PATCH 1/2] libbb: sockaddr2str: ensure only printable characters are + returned for the hostname part + +CVE: Pending +Upstream-Status: Pending +Signed-off-by: Ariadne Conill <aria...@dereferenced.org> +--- + libbb/xconnect.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/libbb/xconnect.c b/libbb/xconnect.c +index 0e0b247b8..02c061e67 100644 +--- a/libbb/xconnect.c ++++ b/libbb/xconnect.c +@@ -497,8 +497,9 @@ static char* FAST_FUNC sockaddr2str(const struct sockaddr *sa, int flags) + ); + if (rc) + return NULL; ++ /* ensure host contains only printable characters */ + if (flags & IGNORE_PORT) +- return xstrdup(host); ++ return xstrdup(printable_string(host)); + #if ENABLE_FEATURE_IPV6 + if (sa->sa_family == AF_INET6) { + if (strchr(host, ':')) /* heh, it's not a resolved hostname */ +@@ -509,7 +510,7 @@ static char* FAST_FUNC sockaddr2str(const struct sockaddr *sa, int flags) + #endif + /* For now we don't support anything else, so it has to be INET */ + /*if (sa->sa_family == AF_INET)*/ +- return xasprintf("%s:%s", host, serv); ++ return xasprintf("%s:%s", printable_string(host), serv); + /*return xstrdup(host);*/ + } + +-- +2.35.1 + diff --git a/debian/patches/0002-nslookup-sanitize-all-printed-strings-with-printable.patch b/debian/patches/0002-nslookup-sanitize-all-printed-strings-with-printable.patch new file mode 100644 index 000000000..01c45c9ba --- /dev/null +++ b/debian/patches/0002-nslookup-sanitize-all-printed-strings-with-printable.patch @@ -0,0 +1,68 @@ +From 812b407e545b70b16cf32aade135b5c32eaf674f Mon Sep 17 00:00:00 2001 +From: Ariadne Conill <aria...@dereferenced.org> +Date: Sun, 3 Apr 2022 12:16:45 +0000 +Subject: [PATCH 2/2] nslookup: sanitize all printed strings with + printable_string + +Otherwise, terminal sequences can be injected, which enables various terminal injection +attacks from DNS results. + +CVE: Pending +Upstream-Status: Pending +Signed-off-by: Ariadne Conill <aria...@dereferenced.org> +--- + networking/nslookup.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/networking/nslookup.c b/networking/nslookup.c +index 6da97baf4..4bdcde1b8 100644 +--- a/networking/nslookup.c ++++ b/networking/nslookup.c +@@ -407,7 +407,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len) + //printf("Unable to uncompress domain: %s\n", strerror(errno)); + return -1; + } +- printf(format, ns_rr_name(rr), dname); ++ printf(format, ns_rr_name(rr), printable_string(dname)); + break; + + case ns_t_mx: +@@ -422,7 +422,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len) + //printf("Cannot uncompress MX domain: %s\n", strerror(errno)); + return -1; + } +- printf("%s\tmail exchanger = %d %s\n", ns_rr_name(rr), n, dname); ++ printf("%s\tmail exchanger = %d %s\n", ns_rr_name(rr), n, printable_string(dname)); + break; + + case ns_t_txt: +@@ -434,7 +434,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len) + if (n > 0) { + memset(dname, 0, sizeof(dname)); + memcpy(dname, ns_rr_rdata(rr) + 1, n); +- printf("%s\ttext = \"%s\"\n", ns_rr_name(rr), dname); ++ printf("%s\ttext = \"%s\"\n", ns_rr_name(rr), printable_string(dname)); + } + break; + +@@ -454,7 +454,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len) + } + + printf("%s\tservice = %u %u %u %s\n", ns_rr_name(rr), +- ns_get16(cp), ns_get16(cp + 2), ns_get16(cp + 4), dname); ++ ns_get16(cp), ns_get16(cp + 2), ns_get16(cp + 4), printable_string(dname)); + break; + + case ns_t_soa: +@@ -483,7 +483,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len) + return -1; + } + +- printf("\tmail addr = %s\n", dname); ++ printf("\tmail addr = %s\n", printable_string(dname)); + cp += n; + + printf("\tserial = %lu\n", ns_get32(cp)); +-- +2.35.1 + diff --git a/debian/patches/series b/debian/patches/series index 88296acca..4c26a198c 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -11,3 +11,6 @@ revert-9c143ce52da11ec3d21a3491c3749841d3dc10f0.patch temp-deb-installer-hack.patch install-readlink-in-bin.patch spelling.diff +# patches for CVE-2022-28391 +0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch +0002-nslookup-sanitize-all-printed-strings-with-printable.patch -- 2.36.0
