2 files changed, 66 insertions, 0 deletions
diff --git a/recipes-core/busybox/busybox/CVE-2018-1000517--wget-check-chunk-length-for-overflowing-off_t.patch b/recipes-core/busybox/busybox/CVE-2018-1000517--wget-check-chunk-length-for-overflowing-off_t.patch
new file mode 100644
index 0000000..c05c75b
--- /dev/null
+++ b/recipes-core/busybox/busybox/CVE-2018-1000517--wget-check-chunk-length-for-overflowing-off_t.patch
@@ -0,0 +1,59 @@
+From 7935de14ce61f5a5c1c845925873379ae2e2f45a Mon Sep 17 00:00:00 2001
+From: Andreas Wellving <andreas.wellving@enea.com>
+Date: Mon, 22 Oct 2018 13:13:07 +0200
+Subject: [PATCH] wget: check chunk length for overflowing off_t
+function                                             old     new   delta
+retrieve_file_data                                   428     465     +37
+wget_main                                           2386    2389      +3
+------------------------------------------------------------------------------
+(add/remove: 0/0 grow/shrink: 2/0 up/down: 40/0)               Total: 40 bytes
+CVE: CVE-2018-1000517
+Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e]
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ networking/wget.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+diff --git a/networking/wget.c b/networking/wget.c
+index d4a9c0c..b525d6a 100644
+--- a/networking/wget.c
+++ b/networking/wget.c
+@@ -566,7 +566,7 @@ static FILE* prepare_ftp_session(FILE **dfpp, struct host_info *target, len_and_
+        if (ftpcmd("SIZE ", target->path, sfp) == 213) {
+                G.content_len = BB_STRTOOFF(G.wget_buf + 4, NULL, 10);
+                if (G.content_len < 0 || errno) {
+-                       bb_error_msg_and_die("SIZE value is garbage");
+                       bb_error_msg_and_die("bad SIZE value '%s'", G.wget_buf + 4);
+                }
+                G.got_clen = 1;
+        }
+@@ -821,12 +821,20 @@ static void NOINLINE retrieve_file_data(FILE *dfp)
+ #endif
+                if (!G.chunked)
+                        break;
+-
+-               fgets_and_trim(dfp); /* Eat empty line */
+               
+               /* Each chunk ends with "\r\n" - eat it */
+               fgets_and_trim(dfp);
+  get_clen:
+               /* chunk size format is "HEXNUM[;name[=val]]\r\n" */
+                fgets_and_trim(dfp);
+               errno = 0;
+                G.content_len = STRTOOFF(G.wget_buf, NULL, 16);
+-               /* FIXME: error check? */
+               /*
+                * Had a bug with inputs like "ffffffff0001f400"
+                * smashing the heap later. Ensure >= 0.
+                */
+               if (G.content_len < 0 || errno)
+                       bb_error_msg_and_die("bad chunk length '%s'", G.wget_buf);
+                if (G.content_len == 0)
+                        break; /* all done! */
+                G.got_clen = 1;
diff --git a/recipes-core/busybox/busybox_%.bbappend b/recipes-core/busybox/busybox_1.24.1.bbappend
index 7b61cf9..6be3e59 100644
--- a/recipes-core/busybox/busybox_%.bbappend
+++ b/recipes-core/busybox/busybox_1.24.1.bbappend
@@ -1,3 +1,10 @@
+# look for files in the layer first
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+SRC_URI += " \
+        file://CVE-2018-1000517--wget-check-chunk-length-for-overflowing-off_t.patch \
+        "
 do_prepare_config_append () {
      sed -i -e 's/# CONFIG_CHRT is not set/CONFIG_CHRT=y/' .config
      sed -i -e 's/# CONFIG_TASKSET is not set/CONFIG_TASKSET=y/' .config

diff --git a/recipes-core/busybox/busybox/CVE-2018-1000517--wget-check-chunk-length-for-overflowing-off_t.patch b/recipes-core/busybox/busybox/CVE-2018-1000517--wget-check-chunk-length-for-overflowing-off_t.patch new file mode 100644 index 0000000..c05c75b --- /dev/null +++ b/recipes-core/busybox/busybox/CVE-2018-1000517--wget-check-chunk-length-for-overflowing-off_t.patch
@@ -0,0 +1,59 @@
		1	From 7935de14ce61f5a5c1c845925873379ae2e2f45a Mon Sep 17 00:00:00 2001
		2	From: Andreas Wellving <andreas.wellving@enea.com>
		3	Date: Mon, 22 Oct 2018 13:13:07 +0200
		4	Subject: [PATCH] wget: check chunk length for overflowing off_t
		5
		6	function old new delta
		7	retrieve_file_data 428 465 +37
		8	wget_main 2386 2389 +3
		9	------------------------------------------------------------------------------
		10	(add/remove: 0/0 grow/shrink: 2/0 up/down: 40/0) Total: 40 bytes
		11
		12	CVE: CVE-2018-1000517
		13	Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e]
		14
		15	Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
		16	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
		17	---
		18	networking/wget.c \| 16 ++++++++++++----
		19	1 file changed, 12 insertions(+), 4 deletions(-)
		20
		21	diff --git a/networking/wget.c b/networking/wget.c
		22	index d4a9c0c..b525d6a 100644
		23	--- a/networking/wget.c
		24	+++ b/networking/wget.c
		25	@@ -566,7 +566,7 @@ static FILE* prepare_ftp_session(FILE *dfpp, struct host_info target, len_and_
		26	if (ftpcmd("SIZE ", target->path, sfp) == 213) {
		27	G.content_len = BB_STRTOOFF(G.wget_buf + 4, NULL, 10);
		28	if (G.content_len < 0 \|\| errno) {
		29	- bb_error_msg_and_die("SIZE value is garbage");
		30	+ bb_error_msg_and_die("bad SIZE value '%s'", G.wget_buf + 4);
		31	}
		32	G.got_clen = 1;
		33	}
		34	@@ -821,12 +821,20 @@ static void NOINLINE retrieve_file_data(FILE *dfp)
		35	#endif
		36	if (!G.chunked)
		37	break;
		38	-
		39	- fgets_and_trim(dfp); /* Eat empty line */
		40	+
		41	+ /* Each chunk ends with "\r\n" - eat it */
		42	+ fgets_and_trim(dfp);
		43	get_clen:
		44	+ /* chunk size format is "HEXNUM[;name[=val]]\r\n" */
		45	fgets_and_trim(dfp);
		46	+ errno = 0;
		47	G.content_len = STRTOOFF(G.wget_buf, NULL, 16);
		48	- /* FIXME: error check? */
		49	+ /*
		50	+ * Had a bug with inputs like "ffffffff0001f400"
		51	+ * smashing the heap later. Ensure >= 0.
		52	+ */
		53	+ if (G.content_len < 0 \|\| errno)
		54	+ bb_error_msg_and_die("bad chunk length '%s'", G.wget_buf);
		55	if (G.content_len == 0)
		56	break; /* all done! */
		57	G.got_clen = 1;
		58
		59


diff --git a/recipes-core/busybox/busybox_%.bbappend b/recipes-core/busybox/busybox_1.24.1.bbappend index 7b61cf9..6be3e59 100644 --- a/recipes-core/busybox/busybox_%.bbappend +++ b/recipes-core/busybox/busybox_1.24.1.bbappend
@@ -1,3 +1,10 @@
		1	# look for files in the layer first
		2	FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
		3
		4	SRC_URI += " \
		5	file://CVE-2018-1000517--wget-check-chunk-length-for-overflowing-off_t.patch \
		6	"
		7
1	do_prepare_config_append () {	8	do_prepare_config_append () {
2	sed -i -e 's/# CONFIG_CHRT is not set/CONFIG_CHRT=y/' .config	9	sed -i -e 's/# CONFIG_CHRT is not set/CONFIG_CHRT=y/' .config
3	sed -i -e 's/# CONFIG_TASKSET is not set/CONFIG_TASKSET=y/' .config	10	sed -i -e 's/# CONFIG_TASKSET is not set/CONFIG_TASKSET=y/' .config