summaryrefslogtreecommitdiffstats
path: root/recipes-core/busybox
diff options
context:
space:
mode:
Diffstat (limited to 'recipes-core/busybox')
-rw-r--r--recipes-core/busybox/busybox/CVE-2018-1000517--wget-check-chunk-length-for-overflowing-off_t.patch59
-rw-r--r--recipes-core/busybox/busybox_1.24.1.bbappend (renamed from recipes-core/busybox/busybox_%.bbappend)7
2 files changed, 66 insertions, 0 deletions
diff --git a/recipes-core/busybox/busybox/CVE-2018-1000517--wget-check-chunk-length-for-overflowing-off_t.patch b/recipes-core/busybox/busybox/CVE-2018-1000517--wget-check-chunk-length-for-overflowing-off_t.patch
new file mode 100644
index 0000000..c05c75b
--- /dev/null
+++ b/recipes-core/busybox/busybox/CVE-2018-1000517--wget-check-chunk-length-for-overflowing-off_t.patch
@@ -0,0 +1,59 @@
1From 7935de14ce61f5a5c1c845925873379ae2e2f45a Mon Sep 17 00:00:00 2001
2From: Andreas Wellving <andreas.wellving@enea.com>
3Date: Mon, 22 Oct 2018 13:13:07 +0200
4Subject: [PATCH] wget: check chunk length for overflowing off_t
5
6function old new delta
7retrieve_file_data 428 465 +37
8wget_main 2386 2389 +3
9------------------------------------------------------------------------------
10(add/remove: 0/0 grow/shrink: 2/0 up/down: 40/0) Total: 40 bytes
11
12CVE: CVE-2018-1000517
13Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e]
14
15Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
16Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
17---
18 networking/wget.c | 16 ++++++++++++----
19 1 file changed, 12 insertions(+), 4 deletions(-)
20
21diff --git a/networking/wget.c b/networking/wget.c
22index d4a9c0c..b525d6a 100644
23--- a/networking/wget.c
24+++ b/networking/wget.c
25@@ -566,7 +566,7 @@ static FILE* prepare_ftp_session(FILE **dfpp, struct host_info *target, len_and_
26 if (ftpcmd("SIZE ", target->path, sfp) == 213) {
27 G.content_len = BB_STRTOOFF(G.wget_buf + 4, NULL, 10);
28 if (G.content_len < 0 || errno) {
29- bb_error_msg_and_die("SIZE value is garbage");
30+ bb_error_msg_and_die("bad SIZE value '%s'", G.wget_buf + 4);
31 }
32 G.got_clen = 1;
33 }
34@@ -821,12 +821,20 @@ static void NOINLINE retrieve_file_data(FILE *dfp)
35 #endif
36 if (!G.chunked)
37 break;
38-
39- fgets_and_trim(dfp); /* Eat empty line */
40+
41+ /* Each chunk ends with "\r\n" - eat it */
42+ fgets_and_trim(dfp);
43 get_clen:
44+ /* chunk size format is "HEXNUM[;name[=val]]\r\n" */
45 fgets_and_trim(dfp);
46+ errno = 0;
47 G.content_len = STRTOOFF(G.wget_buf, NULL, 16);
48- /* FIXME: error check? */
49+ /*
50+ * Had a bug with inputs like "ffffffff0001f400"
51+ * smashing the heap later. Ensure >= 0.
52+ */
53+ if (G.content_len < 0 || errno)
54+ bb_error_msg_and_die("bad chunk length '%s'", G.wget_buf);
55 if (G.content_len == 0)
56 break; /* all done! */
57 G.got_clen = 1;
58
59
diff --git a/recipes-core/busybox/busybox_%.bbappend b/recipes-core/busybox/busybox_1.24.1.bbappend
index 7b61cf9..6be3e59 100644
--- a/recipes-core/busybox/busybox_%.bbappend
+++ b/recipes-core/busybox/busybox_1.24.1.bbappend
@@ -1,3 +1,10 @@
1# look for files in the layer first
2FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
3
4SRC_URI += " \
5 file://CVE-2018-1000517--wget-check-chunk-length-for-overflowing-off_t.patch \
6 "
7
1do_prepare_config_append () { 8do_prepare_config_append () {
2 sed -i -e 's/# CONFIG_CHRT is not set/CONFIG_CHRT=y/' .config 9 sed -i -e 's/# CONFIG_CHRT is not set/CONFIG_CHRT=y/' .config
3 sed -i -e 's/# CONFIG_TASKSET is not set/CONFIG_TASKSET=y/' .config 10 sed -i -e 's/# CONFIG_TASKSET is not set/CONFIG_TASKSET=y/' .config