Hi everyone,

I've prepared a candidate for busybox (currently ready for bullseye, next would be buster, but as it has a lot of synergy it makes sense to call for testing already now).

As busybox is, well, a very important package, I'd appreciate having some extra quality control on that one, so please lend me some extra pairs of eyes and maybe throw everything that looks like an awk script at it... I've put prebuilt packages here: https://people.debian.org/~tobi/bb/, but of course they can be built using the LTS repo too: https://salsa.debian.org/lts-team/packages/busybox

Thanks in advance!

Cheers,
tobi

For full transparency, and in the hope it helps the assessment, here are my notes for the journey:

Here's a list of CVEs and their status:

CVE-2023-42366 unpatched, unanswered upstream patch, see below
CVE-2023-42365 patch ready, see below
CVE-2023-42364 patch ready, see below
CVE-2023-42363 ignore/postpone, see below
CVE-2023-39810 unpatched, unanswered upstream feature patch [A]
CVE-2022-48174 patch from upstream
CVE-2021-42386 patch from Ubuntu
CVE-2021-42385 patch from Ubuntu
CVE-2021-42384 patch from Ubuntu
CVE-2021-42383 unpatched, no patch available.
CVE-2021-42382 patch from Ubuntu
CVE-2021-42381 patch from Ubuntu
CVE-2021-42380 patch from Ubuntu
CVE-2021-42379 patch from Ubuntu
CVE-2021-42378 patch from Ubuntu
CVE-2021-42374 patch from Ubuntu (marked unimportant in the security tracker)
CVE-2021-28831 patch from Ubuntu

"unanswered" means no reply from upstream.

"patch from Ubuntu" means: those patches are taken from Ubuntu, package version 1:1.30.1-4ubuntu6.4.

CVE-2022-48174 was also originally taken from Ubuntu (d/changelog still credits it), but sec-tracker now also knows, since XMas, the (identical) upstream commit as well.

CVE-2021-42374 is marked unimportant in the security tracker, but as the patch was readily available from the Ubuntu package and the patch is very small, I've decided to include this fix too.

[A] https://lists.busybox.net/pipermail/busybox/2024-August/090865.html

CVE-2023-42363 - Use after free in awk:
=======================================

This CVE is marked "not affected" by Ubuntu [1] for the Ubuntu releases that have 1.30.x (that's also what we have in bullseye and buster).

There is a poc on the upstream bug [2]; I can get the poc to trigger with the version in bookworm, but not in bullseye and buster. In bullseye and buster ASAN only reports the usual memory leaks, but not a use-after-free. Therefore I have reasons to believe that the bug was introduced later.

A git bisect finds [3] as the first commit that makes the poc trigger. The commit is touching the same code as the patch does [4], so I think I've found the correct commit, but it might also be that this "just" exposed a bug enough to make the poc trigger.

Even if the code is quite similar, backporting seems risky, and due to not being able to trigger the poc for 1.30, I'd suggest to "ignore" this issue for bullseye and buster.

[1] https://ubuntu.com/security/CVE-2023-42363
[2] https://bugs.busybox.net/show_bug.cgi?id=15865
[3] https://github.com/mirror/busybox/commit/371fe9f71
[4] https://github.com/mirror/busybox/commit/fb08d43d4

CVE-2023-42364 - (Another) Use after free in awk:
=================================================

Note: CVE-2023-42365 is fixed with the same patch, they have the same roots.

This CVE is marked "not affected" by Ubuntu [5] for the Ubuntu releases that have 1.30.x.

Also here we've got a poc that can be used for bisecting. Bisecting leads to [6]; however, this seems more to be the commit that starts exposing the behaviour, as the commit changes the custom memory allocator, which previously over-allocated chunks and now stops doing so, so increasing the likelihood of writing outside of the buffer.

So I believe 1.30.x is affected and backported the upstream patch to 1.30.1; the patch is at salsa [7].

[5] https://ubuntu.com/security/CVE-2023-42364
[6] https://github.com/mirror/busybox/commit/6cf6f1eaee1f6be2b936c2ff0e5852c00740edb4
[7] https://salsa.debian.org/lts-team/packages/busybox/-/blob/debian/bullseye/debian/patches/CVE-2023-42364-part1.patch
    https://salsa.debian.org/lts-team/packages/busybox/-/blob/debian/bullseye/debian/patches/CVE-2023-42364-part2.patch

CVE-2023-42366 - Heap buffer overflow
=====================================

Ubuntu says "vulnerable" for basically every version [8].

There is a poc that only works for busybox >= 1.34.0; older versions detect the syntax error in the poc and terminate without being killed by ASAN. (This does of course not mean older versions are immune.)

There is no upstream patch, only a proposed patch in the ticket [9,10], but the patch did not receive any reply from upstream. The patch indeed seems to make the ASAN killer go away, tested on upstream 1.34.0 with just that patch applied.

Bisecting seems to yield another red herring, [11]; the logic changes the memory allocation strategy and, like above, the new allocation strategy does less over-allocation and possibly just makes it much more unlikely to happen.

I'd ignore this issue for the moment, like 2023-42363.

[8] https://ubuntu.com/security/CVE-2023-42366
[9] https://bugs.busybox.net/show_bug.cgi?id=15874
[10] https://bugs.busybox.net/attachment.cgi?id=9697
[11] https://github.com/mirror/busybox/commit/8c5da0323bf2da02c40c587c5694b22e3ec623fb

pocs
====

On p.d.o there is also a pocs.xz that has the pocs for some CVEs obtained from the upstream bug tracker.

One-liner to compile and run one of the pocs (needs clang and asan):

    patch -p1 < ../pocs/poc-make-patch && \
    export ASAN_OPTIONS=detect_leaks=0 && \
    make defconfig && make -j12 && \
    export ASAN_OPTIONS="abort_on_error=1 symbolize=0" && \
    ./busybox_unstripped awk -f ../pocs/CVE-2023-42366/poc ../pocs/CVE-2023-42366/awk_t1_input

Note: for 1.30.1, you'll need to make sure to have https://salsa.debian.org/lts-team/packages/busybox/-/blob/debian/bullseye/debian/patches/cherry-pick.1_31_0-92-gd3539be8f0.remove-stime-function-calls.patch?ref_type=heads applied, or it will FTBFS.

-- 
tobi
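As an added example (not from tobi's mail or the busybox project), the build-and-run one-liner above wrapped as a `git bisect run` script, so the bisection described for the three awk CVEs can be repeated from a busybox checkout. It assumes clang with ASAN is installed, that busybox honours `CC`, `EXTRA_CFLAGS` and `EXTRA_LDFLAGS` on the make command line, and the `../pocs/` layout from the mail; `POC_DIR` and the function names are my own.

```shell
#!/bin/sh
# Added helper, not part of the mail: drives `git bisect run` from a busybox
# checkout, building each commit with clang+ASAN and running one awk PoC.
# Assumed: busybox honours CC/EXTRA_CFLAGS/EXTRA_LDFLAGS; pocs/ is laid out
# as in the mail.  Usage:  git bisect run sh ./bisect-poc.sh step

POC_DIR=${POC_DIR:-../pocs/CVE-2023-42366}   # holds poc and awk_t1_input

# Map the PoC run's exit status to what git bisect expects from a run script:
#   0..124 -> good (awk finished, or rejected the script; no ASAN abort)
#   125    -> skip (this commit does not build, e.g. the stime() FTBFS)
#   >=128  -> bad  (killed by a signal; abort_on_error=1 makes ASAN SIGABRT)
bisect_verdict() {
    if [ "$1" -eq 125 ]; then
        echo skip; return 125
    elif [ "$1" -ge 128 ]; then
        echo bad; return 1
    else
        echo good; return 0
    fi
}

# Build the checked-out tree with ASAN. Leak detection is off during the
# build, as in the mail's first ASAN_OPTIONS, so instrumented helpers that
# run at build time do not fail the build.
build_asan() {
    make defconfig >/dev/null 2>&1 &&
    ASAN_OPTIONS=detect_leaks=0 make -j"$(nproc 2>/dev/null || echo 4)" \
        CC=clang EXTRA_CFLAGS="-fsanitize=address -g" \
        EXTRA_LDFLAGS="-fsanitize=address" >/dev/null 2>&1
}

# Run the PoC exactly as in the mail's one-liner; returns awk's exit status.
run_poc() {
    ASAN_OPTIONS="abort_on_error=1 symbolize=0" \
    ./busybox_unstripped awk -f "$POC_DIR/poc" "$POC_DIR/awk_t1_input" \
        >/dev/null 2>&1
}

# One bisect step: build, run, and turn the result into good/bad/skip.
bisect_step() {
    if ! build_asan; then
        bisect_verdict 125
        return $?
    fi
    run_poc
    bisect_verdict $?
}

case "${1:-}" in
    step) bisect_step; exit $? ;;
esac
```

Mark the bookworm-era commit as bad and the 1.30.1 tag as good before `git bisect run`; a commit that needs the stime() cherry-pick will be skipped rather than misjudged.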