On Sunday, 12 January 2025, 16:50:05 UTC, Tobias Frost wrote:

Hi

I have reviewed the patches only against upstream for now.

CVE-2023-42364-part2.patch: I think you could remove the "why" comment:

+	if (t_info == TI_TERNARY) /* "?" operator */ //TODO: why?

Other patches seem ok. I share your analysis.

> Hi everyone,
>
> I've prepared a candidate for busybox (currently ready for bullseye,
> next would be buster, but as it has a lot of synergy it makes sense to
> call for testing already now).
>
> As busybox is, well, a very important package, I'd appreciate having
> some extra quality control on that one, so please lend me some extra
> pairs of eyes and maybe throw everything that looks like an awk script
> at it...
>
> I've put prebuilt packages here: https://people.debian.org/~tobi/bb/,
> but of course they can be built using the LTS repo too:
> https://salsa.debian.org/lts-team/packages/busybox
>
> Thanks in advance!
>
> Cheers,
> tobi
>
>
> For full transparency, and in the hope it helps the assessment, here are
> my notes for the journey:
>
>
> Here's a list of CVEs and their status:
>
> CVE-2023-42366 unpatched, unanswered upstream patch, see below
> CVE-2023-42365 patch ready, see below
> CVE-2023-42364 patch ready, see below
> CVE-2023-42363 ignore/postpone, see below
> CVE-2023-39810 unpatched, unanswered upstream feature patch [A]
> CVE-2022-48174 patch from upstream
> CVE-2021-42386 patch from Ubuntu
> CVE-2021-42385 patch from Ubuntu
> CVE-2021-42384 patch from Ubuntu
> CVE-2021-42383 unpatched, no patch available.
> CVE-2021-42382 patch from Ubuntu
> CVE-2021-42381 patch from Ubuntu
> CVE-2021-42380 patch from Ubuntu
> CVE-2021-42379 patch from Ubuntu
> CVE-2021-42378 patch from Ubuntu
> CVE-2021-42374 patch from Ubuntu (marked unimportant in the security
> tracker)
> CVE-2021-28831 patch from Ubuntu
>
> "unanswered" means no reply from upstream.
>
> "patch from Ubuntu" means: those patches are taken from Ubuntu, package
> version 1:1.30.1-4ubuntu6.4.
>
> CVE-2022-48174 was also originally taken from Ubuntu (d/changelog still
> credits it), but the sec-tracker now also knows, since Xmas, the (identical)
> upstream commit as well.
>
> CVE-2021-42374 is marked unimportant in the security tracker, but as the
> patch was readily available from the Ubuntu package and the patch very
> small, I've decided to include this fix too.
>
> [A] https://lists.busybox.net/pipermail/busybox/2024-August/090865.html
>
>
> CVE-2023-42363 - Use after free in awk:
> =======================================
>
> This CVE is marked "not affected" by Ubuntu [1] for the Ubuntu releases
> that have 1.30.x (that's also what we have in bullseye, buster).
>
> There is a poc on the upstream bug [2]; I can get the poc to trigger
> with the version in bookworm, but not in bullseye and buster. In
> bullseye and buster ASAN only reports the usual memory leaks, but not a
> use-after-free. Therefore I have reason to believe that the bug was
> introduced later.
>
> A git bisect finds [3] as the first commit that makes the poc trigger.
>
> The commit is touching the same code as the patch does [4], so I think
> I've found the correct commit, but it might also be that this "just"
> exposed a bug enough to make the poc trigger.
>
> Even if the code is quite similar, backporting seems risky, and due to
> not being able to trigger the poc for 1.30, I'd suggest to "ignore" this
> issue for bullseye and buster.
>
> [1] https://ubuntu.com/security/CVE-2023-42363
> [2] https://bugs.busybox.net/show_bug.cgi?id=15865
> [3] https://github.com/mirror/busybox/commit/371fe9f71
> [4] https://github.com/mirror/busybox/commit/fb08d43d4

ok

>
> CVE-2023-42364 - (Another) Use after free in awk:
> =================================================
>
> Note: CVE-2023-42365 is fixed with the same patch; they have the same
> roots.
>
> This CVE is marked "not affected" by Ubuntu [5] for the Ubuntu releases
> that have 1.30.x.
>
> Also here we've got a poc that can be used for bisecting.
>
> Bisecting leads to [6]; however, this seems more to be the commit that
> starts exposing the behaviour, as the commit changes the custom memory
> allocator, which previously over-allocated chunks and now stops doing so,
> so it increased the likelihood of writing outside of the buffer.
>
> So I believe 1.30.x is affected and backported the upstream patch to
> 1.30.1; the patch is at salsa [7].
>
>
> [5] https://ubuntu.com/security/CVE-2023-42364
> [6] https://github.com/mirror/busybox/commit/6cf6f1eaee1f6be2b936c2ff0e5852c00740edb4
> [7] https://salsa.debian.org/lts-team/packages/busybox/-/blob/debian/bullseye/debian/patches/CVE-2023-42364-part1.patch
>     https://salsa.debian.org/lts-team/packages/busybox/-/blob/debian/bullseye/debian/patches/CVE-2023-42364-part2.patch
>
>
> CVE-2023-42366 - Heap buffer overflow
> =====================================
>
> Ubuntu says "vulnerable" for basically every version [8].
>
> There is a poc that only works for busybox >= 1.34.0; older versions
> detect the syntax error in the poc and terminate without being killed
> by ASAN. (This does of course not mean older versions are immune.)
>
> There is no upstream patch, only a proposed patch in the ticket [9,10],
> but the patch did not receive any reply from upstream. The patch indeed
> seems to make the ASAN killer go away, tested on upstream 1.34.0 with
> just that patch applied.
>
> Bisecting seems to yield another red herring, [11]; the logic changes the
> memory allocation strategy and, like above, the new allocation strategy
> does less over-allocation and possibly just makes it much more unlikely
> to happen.
>
> I'd ignore this issue for the moment, like CVE-2023-42363.
>
> [8] https://ubuntu.com/security/CVE-2023-42366
> [9] https://bugs.busybox.net/show_bug.cgi?id=15874
> [10] https://bugs.busybox.net/attachment.cgi?id=9697
> [11] https://github.com/mirror/busybox/commit/8c5da0323bf2da02c40c587c5694b22e3ec623fb
>
>
> pocs
> =====
>
> On p.d.o there is also a pocs.xz that has the pocs for some CVEs,
> obtained from the upstream bug tracker.
>
> One-liner to compile and run one of the pocs (needs clang and ASAN):
>
> cat ../pocs/poc-make-patch | patch -p1 && \
> export ASAN_OPTIONS=detect_leaks=0 && \
> make defconfig && make -j12 && \
> export ASAN_OPTIONS="abort_on_error=1 symbolize=0" && \
> ./busybox_unstripped awk -f ../pocs/CVE-2023-42366/poc ../pocs/CVE-2023-42366/awk_t1_input
>
> Note: for 1.30.1, you'll need to make sure to have
> https://salsa.debian.org/lts-team/packages/busybox/-/blob/debian/bullseye/debian/patches/cherry-pick.1_31_0-92-gd3539be8f0.remove-stime-function-calls.patch?ref_type=heads
> applied, or it will FTBFS.
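The bisect-plus-ASAN triage that Tobias's notes describe (build with clang and ASAN, run the awk PoC, decide from the sanitizer report whether the commit is "bad"), written out as an added example. This is not a script from the thread, from Tobias or from busybox; it replaces the thread's poc-make-patch, whose contents are not shown, with an assumed mechanism (setting CONFIG_EXTRA_CFLAGS / CONFIG_EXTRA_LDFLAGS in .config), and assumes the PoC layout ../pocs/<CVE>/poc plus ../pocs/<CVE>/awk_t1_input from the one-liner. The sample sanitizer reports at the bottom are constructed, not real PoC output.

```shell
#!/bin/sh
# Added example, not from the thread: a `git bisect run` helper for the
# ASAN-based PoC triage described above. Each bisect step builds the
# checked-out busybox with clang+ASAN, runs one awk PoC and turns the
# AddressSanitizer report into the exit status git bisect understands.
#
# Assumptions not stated in the thread:
#  - extra compiler flags are injected via CONFIG_EXTRA_CFLAGS and
#    CONFIG_EXTRA_LDFLAGS in .config (stands in for the poc-make-patch
#    whose contents are not shown);
#  - the PoC and its input live at ../pocs/<CVE>/poc and
#    ../pocs/<CVE>/awk_t1_input, as in the one-liner above.

# Map the stderr of a PoC run (read from stdin) to a one-word verdict.
# A leak-only report is what the thread sees on 1.30.x and is not a
# memory-safety error; a plain awk syntax error is "clean" here because
# ASAN did not fire (the CVE-2023-42366 case on versions < 1.34.0).
classify_asan_report() {
    report=$(cat)
    case "$report" in
        *"ERROR: AddressSanitizer: heap-use-after-free"*)  echo use-after-free ;;
        *"ERROR: AddressSanitizer: heap-buffer-overflow"*) echo heap-overflow ;;
        *"ERROR: AddressSanitizer:"*)                      echo other-asan-error ;;
        *"ERROR: LeakSanitizer:"*)                         echo leak-only ;;
        *)                                                 echo clean ;;
    esac
}

# Exit status for git bisect run: 0 = good, 1 = bad, 125 = cannot test.
bisect_status_for() {
    case "$1" in
        use-after-free|heap-overflow|other-asan-error) return 1 ;;
        leak-only|clean)                               return 0 ;;
        *)                                             return 125 ;;
    esac
}

# Build the tree with clang and ASAN; a non-zero return means FTBFS (for
# example 1.30.1 without the stime() cherry-pick mentioned above), which
# the entry point maps to "skip this commit".
build_with_asan() {
    make distclean >/dev/null 2>&1 || true
    make defconfig >/dev/null 2>&1 || return 1
    # Assumption: busybox honours these .config strings for extra flags.
    sed -i \
        -e 's|^CONFIG_EXTRA_CFLAGS=.*|CONFIG_EXTRA_CFLAGS="-fsanitize=address -g -O1"|' \
        -e 's|^CONFIG_EXTRA_LDFLAGS=.*|CONFIG_EXTRA_LDFLAGS="-fsanitize=address"|' \
        .config || return 1
    # detect_leaks=0 during the build, as in the one-liner: instrumented
    # host helpers would otherwise abort the build with leak reports.
    ASAN_OPTIONS=detect_leaks=0 \
        make -j"$(nproc 2>/dev/null || echo 4)" CC=clang HOSTCC=clang >/dev/null 2>&1
}

# Run one PoC against the freshly built binary and print the verdict.
# stderr (where ASAN writes) goes to the classifier, stdout is discarded.
run_poc() {  # $1 = CVE directory name, e.g. CVE-2023-42366
    poc_dir="../pocs/$1"
    ASAN_OPTIONS="abort_on_error=1 symbolize=0" \
        ./busybox_unstripped awk -f "$poc_dir/poc" "$poc_dir/awk_t1_input" \
        2>&1 >/dev/null | classify_asan_report
}

# Constructed sample reports (not real output from the thread's PoCs) so
# the classifier can be exercised without building busybox.
SAMPLE_UAF='==4242==ERROR: AddressSanitizer: heap-use-after-free on address 0x6020000000d0 at pc 0x0000004f1d3a
READ of size 1 at 0x6020000000d0 thread T0'
SAMPLE_LEAK='==4242==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 48 byte(s) in 1 object(s) allocated from:'
SAMPLE_SYNTAX='awk: cmd. line:1: Unexpected token'

# Returns 0 when the classifier gives the expected verdict for each sample.
self_check() {
    [ "$(printf '%s\n' "$SAMPLE_UAF"    | classify_asan_report)" = use-after-free ] &&
    [ "$(printf '%s\n' "$SAMPLE_LEAK"   | classify_asan_report)" = leak-only ] &&
    [ "$(printf '%s\n' "$SAMPLE_SYNTAX" | classify_asan_report)" = clean ]
}

# Entry point for bisecting, e.g.:
#   git bisect start <bad-rev> <good-rev>
#   git bisect run sh bisect-awk-poc.sh CVE-2023-42363
if [ "$#" -eq 1 ]; then
    build_with_asan || exit 125
    verdict=$(run_poc "$1")
    echo "$1: $verdict" >&2
    bisect_status_for "$verdict"
    exit $?
fi
```

Two design points follow from the notes above. A PoC that merely makes awk exit with a syntax error is classified "clean", which keeps the CVE-2023-42366 bisect from marking every pre-1.34.0 commit bad for the wrong reason; and a leak-only report is also "good", so that the 1.30.x behaviour reported for CVE-2023-42363 does not count as a hit. Because the script edits only the untracked .config instead of patching the tree, `git bisect run` can check out the next commit without a dirty working copy.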