[OE-core] [poky][sumo][PATCH] busybox: Add fix for CVE-2018-1000517

Rahul Taya Wed, 06 Jan 2021 03:23:50 -0800

Applied patch that Ubuntu applied to busybox 1.27.2

The patch is available from file:
http://archive.ubuntu.com/ubuntu/pool/main/b/busybox/busybox_1.27.2-2ubuntu3.2.debian.tar.xz
in path debian/patches/.


The below patch is added:

CVE-2018-1000517.patch

Signed-off-by: Rahul.Taya <rahul.t...@kpit.com>
---
 .../busybox/busybox/CVE-2018-1000517.patch    | 56 +++++++++++++++++++
 meta/recipes-core/busybox/busybox_1.27.2.bb   |  1 +
 2 files changed, 57 insertions(+)
 create mode 100644 meta/recipes-core/busybox/busybox/CVE-2018-1000517.patch

diff --git a/meta/recipes-core/busybox/busybox/CVE-2018-1000517.patch 
b/meta/recipes-core/busybox/busybox/CVE-2018-1000517.patch
new file mode 100644
index 0000000000..8b1eb3d45c
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2018-1000517.patch
@@ -0,0 +1,56 @@
+Backport of:
+
+From 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.li...@googlemail.com>
+Date: Sun, 8 Apr 2018 18:06:24 +0200
+Subject: wget: check chunk length for overflowing off_t
+
+function                                             old     new   delta
+retrieve_file_data                                   428     465     +37
+wget_main                                           2386    2389      +3
+------------------------------------------------------------------------------
+(add/remove: 0/0 grow/shrink: 2/0 up/down: 40/0)               Total: 40 bytes
+
+Signed-off-by: Denys Vlasenko <vda.li...@googlemail.com>
+CVE-2018-1000517
+[http://archive.ubuntu.com/ubuntu/pool/main/b/busybox/busybox_1.27.2-2ubuntu3.2.debian.tar.xz]
+Upstream-Status: Backport
+---
+ networking/wget.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+Index: busybox-1.27.2/networking/wget.c
+===================================================================
+--- busybox-1.27.2.orig/networking/wget.c      2019-03-06 15:03:11.447280336 
-0500
++++ busybox-1.27.2/networking/wget.c   2019-03-06 15:09:58.757358868 -0500
+@@ -642,7 +642,7 @@ static FILE* prepare_ftp_session(FILE **
+       if (ftpcmd("SIZE ", target->path, sfp) == 213) {
+               G.content_len = BB_STRTOOFF(G.wget_buf + 4, NULL, 10);
+               if (G.content_len < 0 || errno) {
+-                      bb_error_msg_and_die("SIZE value is garbage");
++                      bb_error_msg_and_die("bad SIZE value '%s'", G.wget_buf 
+ 4);
+               }
+               G.got_clen = 1;
+       }
+@@ -925,11 +925,19 @@ static void NOINLINE retrieve_file_data(
+               if (!G.chunked)
+                       break;
+
+-              fgets_and_trim(dfp, NULL); /* Eat empty line */
++              /* Each chunk ends with "\r\n" - eat it */
++              fgets_and_trim(dfp, NULL);
+  get_clen:
++              /* chunk size format is "HEXNUM[;name[=val]]\r\n" */
+               fgets_and_trim(dfp, NULL);
++              errno = 0;
+               G.content_len = STRTOOFF(G.wget_buf, NULL, 16);
+-              /* FIXME: error check? */
++              /*
++               * Had a bug with inputs like "ffffffff0001f400"
++               * smashing the heap later. Ensure >= 0.
++               */
++              if (G.content_len < 0 || errno)
++                      bb_error_msg_and_die("bad chunk length '%s'", 
G.wget_buf);
+               if (G.content_len == 0)
+                       break; /* all done! */
+               G.got_clen = 1;
diff --git a/meta/recipes-core/busybox/busybox_1.27.2.bb 
b/meta/recipes-core/busybox/busybox_1.27.2.bb
index 716a0650fc..67ba7fe423 100644
--- a/meta/recipes-core/busybox/busybox_1.27.2.bb
+++ b/meta/recipes-core/busybox/busybox_1.27.2.bb
@@ -49,6 +49,7 @@ SRC_URI = 
"http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
            file://busybox-fix-lzma-segfaults.patch \
            file://umount-ignore-c.patch \
            file://CVE-2017-15874.patch \
+           file://CVE-2018-1000517.patch \
 "
 SRC_URI_append_libc-musl = " file://musl.cfg "

--
2.17.1

This message contains information that may be privileged or confidential and is 
the property of the KPIT Technologies Ltd. It is intended only for the person 
to whom it is addressed. If you are not the intended recipient, you are not 
authorized to read, print, retain copy, disseminate, distribute, or use this 
message or any part thereof. If you receive this message in error, please 
notify the sender immediately and delete all copies of this message. KPIT 
Technologies Ltd. does not accept any liability for virus infected mails.

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#146427): 
https://lists.openembedded.org/g/openembedded-core/message/146427
Mute This Topic: https://lists.openembedded.org/mt/79472636/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core] [poky][sumo][PATCH] busybox: Add fix for CVE-2018-1000517

Reply via email to