Applied patch that Ubuntu applied to busybox 1.27.2 The patch is available from file: http://archive.ubuntu.com/ubuntu/pool/main/b/busybox/busybox_1.27.2-2ubuntu3.2.debian.tar.xz in path debian/patches/.
The below patch is added: CVE-2018-20679.patch Signed-off-by: Rahul.Taya <rahul.t...@kpit.com> --- .../busybox/busybox/CVE-2018-20679.patch | 136 ++++++++++++++++++ meta/recipes-core/busybox/busybox_1.27.2.bb | 1 + 2 files changed, 137 insertions(+) create mode 100644 meta/recipes-core/busybox/busybox/CVE-2018-20679.patch diff --git a/meta/recipes-core/busybox/busybox/CVE-2018-20679.patch b/meta/recipes-core/busybox/busybox/CVE-2018-20679.patch new file mode 100644 index 0000000000..963b360e13 --- /dev/null +++ b/meta/recipes-core/busybox/busybox/CVE-2018-20679.patch @@ -0,0 +1,136 @@ +From 6d3b4bb24da9a07c263f3c1acf8df85382ff562c Mon Sep 17 00:00:00 2001 +From: Denys Vlasenko <vda.li...@googlemail.com> +Date: Mon, 17 Dec 2018 18:07:18 +0100 +Subject: udhcpc: check that 4-byte options are indeed 4-byte, closes 11506 + +function old new delta +udhcp_get_option32 - 27 +27 +udhcp_get_option 231 248 +17 +------------------------------------------------------------------------------ +(add/remove: 1/0 grow/shrink: 1/0 up/down: 44/0) Total: 44 bytes + +Signed-off-by: Denys Vlasenko <vda.li...@googlemail.com> +CVE-2018-20679 +[http://archive.ubuntu.com/ubuntu/pool/main/b/busybox/busybox_1.27.2-2ubuntu3.2.debian.tar.xz] +Upstream-Status: Backport +--- + networking/udhcp/common.c | 19 +++++++++++++++++++ + networking/udhcp/common.h | 4 ++++ + networking/udhcp/dhcpc.c | 6 +++--- + networking/udhcp/dhcpd.c | 6 +++--- + 4 files changed, 29 insertions(+), 6 deletions(-) + +Index: busybox-1.27.2/networking/udhcp/common.c +=================================================================== +--- busybox-1.27.2.orig/networking/udhcp/common.c 2019-03-06 15:10:40.241569417 -0500 ++++ busybox-1.27.2/networking/udhcp/common.c 2019-03-06 15:10:40.237569397 -0500 +@@ -270,6 +270,15 @@ uint8_t* FAST_FUNC udhcp_get_option(stru + goto complain; /* complain and return NULL */ + + if (optionptr[OPT_CODE] == code) { ++ if (optionptr[OPT_LEN] == 0) { ++ /* So far no valid option with length 0 known. ++ * Having this check means that searching ++ * for DHCP_MESSAGE_TYPE need not worry ++ * that returned pointer might be unsafe ++ * to dereference. ++ */ ++ goto complain; /* complain and return NULL */ ++ } + log_option("option found", optionptr); + return optionptr + OPT_DATA; + } +@@ -287,6 +296,16 @@ uint8_t* FAST_FUNC udhcp_get_option(stru + return NULL; + } + ++uint8_t* FAST_FUNC udhcp_get_option32(struct dhcp_packet *packet, int code) ++{ ++ uint8_t *r = udhcp_get_option(packet, code); ++ if (r) { ++ if (r[-1] != 4) ++ r = NULL; ++ } ++ return r; ++} ++ + /* Return the position of the 'end' option (no bounds checking) */ + int FAST_FUNC udhcp_end_option(uint8_t *optionptr) + { +Index: busybox-1.27.2/networking/udhcp/common.h +=================================================================== +--- busybox-1.27.2.orig/networking/udhcp/common.h 2019-03-06 15:10:40.241569417 -0500 ++++ busybox-1.27.2/networking/udhcp/common.h 2019-03-06 15:10:40.237569397 -0500 +@@ -200,6 +200,10 @@ extern const uint8_t dhcp_option_lengths + unsigned FAST_FUNC udhcp_option_idx(const char *name, const char *option_strings); + + uint8_t *udhcp_get_option(struct dhcp_packet *packet, int code) FAST_FUNC; ++/* Same as above + ensures that option length is 4 bytes ++ * (returns NULL if size is different) ++ */ ++uint8_t *udhcp_get_option32(struct dhcp_packet *packet, int code) FAST_FUNC; + int udhcp_end_option(uint8_t *optionptr) FAST_FUNC; + void udhcp_add_binary_option(struct dhcp_packet *packet, uint8_t *addopt) FAST_FUNC; + #if ENABLE_UDHCPC || ENABLE_UDHCPD +Index: busybox-1.27.2/networking/udhcp/dhcpc.c +=================================================================== +--- busybox-1.27.2.orig/networking/udhcp/dhcpc.c 2019-03-06 15:10:40.241569417 -0500 ++++ busybox-1.27.2/networking/udhcp/dhcpc.c 2019-03-06 15:10:40.237569397 -0500 +@@ -1706,7 +1706,7 @@ int udhcpc_main(int argc UNUSED_PARAM, c + * They say ISC DHCP client supports this case. + */ + server_addr = 0; +- temp = udhcp_get_option(&packet, DHCP_SERVER_ID); ++ temp = udhcp_get_option32(&packet, DHCP_SERVER_ID); + if (!temp) { + bb_error_msg("no server ID, using 0.0.0.0"); + } else { +@@ -1733,7 +1733,7 @@ int udhcpc_main(int argc UNUSED_PARAM, c + struct in_addr temp_addr; + uint8_t *temp; + +- temp = udhcp_get_option(&packet, DHCP_LEASE_TIME); ++ temp = udhcp_get_option32(&packet, DHCP_LEASE_TIME); + if (!temp) { + bb_error_msg("no lease time with ACK, using 1 hour lease"); + lease_seconds = 60 * 60; +@@ -1825,7 +1825,7 @@ int udhcpc_main(int argc UNUSED_PARAM, c + uint32_t svid; + uint8_t *temp; + +- temp = udhcp_get_option(&packet, DHCP_SERVER_ID); ++ temp = udhcp_get_option32(&packet, DHCP_SERVER_ID); + if (!temp) { + non_matching_svid: + log1("received DHCP NAK with wrong" +Index: busybox-1.27.2/networking/udhcp/dhcpd.c +=================================================================== +--- busybox-1.27.2.orig/networking/udhcp/dhcpd.c 2019-03-06 15:10:40.241569417 -0500 ++++ busybox-1.27.2/networking/udhcp/dhcpd.c 2019-03-06 15:10:40.237569397 -0500 +@@ -637,7 +637,7 @@ static void add_server_options(struct dh + static uint32_t select_lease_time(struct dhcp_packet *packet) + { + uint32_t lease_time_sec = server_config.max_lease_sec; +- uint8_t *lease_time_opt = udhcp_get_option(packet, DHCP_LEASE_TIME); ++ uint8_t *lease_time_opt = udhcp_get_option32(packet, DHCP_LEASE_TIME); + if (lease_time_opt) { + move_from_unaligned32(lease_time_sec, lease_time_opt); + lease_time_sec = ntohl(lease_time_sec); +@@ -966,7 +966,7 @@ int udhcpd_main(int argc UNUSED_PARAM, c + } + + /* Get SERVER_ID if present */ +- server_id_opt = udhcp_get_option(&packet, DHCP_SERVER_ID); ++ server_id_opt = udhcp_get_option32(&packet, DHCP_SERVER_ID); + if (server_id_opt) { + uint32_t server_id_network_order; + move_from_unaligned32(server_id_network_order, server_id_opt); +@@ -990,7 +990,7 @@ int udhcpd_main(int argc UNUSED_PARAM, c + } + + /* Get REQUESTED_IP if present */ +- requested_ip_opt = udhcp_get_option(&packet, DHCP_REQUESTED_IP); ++ requested_ip_opt = udhcp_get_option32(&packet, DHCP_REQUESTED_IP); + if (requested_ip_opt) { + move_from_unaligned32(requested_nip, requested_ip_opt); + } diff --git a/meta/recipes-core/busybox/busybox_1.27.2.bb b/meta/recipes-core/busybox/busybox_1.27.2.bb index 716a0650fc..8b08c577ab 100644 --- a/meta/recipes-core/busybox/busybox_1.27.2.bb +++ b/meta/recipes-core/busybox/busybox_1.27.2.bb @@ -49,6 +49,7 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \ file://busybox-fix-lzma-segfaults.patch \ file://umount-ignore-c.patch \ file://CVE-2017-15874.patch \ + file://CVE-2018-20679.patch \ " SRC_URI_append_libc-musl = " file://musl.cfg " -- 2.17.1 This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#146428): https://lists.openembedded.org/g/openembedded-core/message/146428 Mute This Topic: https://lists.openembedded.org/mt/79472647/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
