From 026d5d7b504e3b7ecab6f4d1c15335695a538d93 Mon Sep 17 00:00:00 2001
From: Dan Andresan
Date: Fri, 26 Oct 2018 11:36:19 +0200
Subject: busybox: Fix CVE-2018-1000517 busybox in the upstream pyro is 1.24.1.
CVE: CVE-2018-1000517
Reference: https://git.busybox.net/busybox/commit/?id=8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e
Change-Id: I5a5173db69d7419564989a9fda731ebbbb5aaded
Signed-off-by: Andreas Wellving
Signed-off-by: Adrian Mangeac
---
...-check-chunk-length-for-overflowing-off_t.patch | 59 ++++++++++++++++++++++
recipes-core/busybox/busybox_%.bbappend | 19 -------
recipes-core/busybox/busybox_1.24.1.bbappend | 26 ++++++++++
3 files changed, 85 insertions(+), 19 deletions(-)
create mode 100644 recipes-core/busybox/busybox/CVE-2018-1000517--wget-check-chunk-length-for-overflowing-off_t.patch
delete mode 100644 recipes-core/busybox/busybox_%.bbappend
create mode 100644 recipes-core/busybox/busybox_1.24.1.bbappend
diff --git a/recipes-core/busybox/busybox/CVE-2018-1000517--wget-check-chunk-length-for-overflowing-off_t.patch b/recipes-core/busybox/busybox/CVE-2018-1000517--wget-check-chunk-length-for-overflowing-off_t.patch
new file mode 100644
index 0000000..c05c75b
--- /dev/null
+++ b/recipes-core/busybox/busybox/CVE-2018-1000517--wget-check-chunk-length-for-overflowing-off_t.patch
@@ -0,0 +1,59 @@
+From 7935de14ce61f5a5c1c845925873379ae2e2f45a Mon Sep 17 00:00:00 2001
+From: Andreas Wellving
+Date: Mon, 22 Oct 2018 13:13:07 +0200
+Subject: [PATCH] wget: check chunk length for overflowing off_t
+
+function old new delta
+retrieve_file_data 428 465 +37
+wget_main 2386 2389 +3
+------------------------------------------------------------------------------
+(add/remove: 0/0 grow/shrink: 2/0 up/down: 40/0) Total: 40 bytes
+
+CVE: CVE-2018-1000517
+Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e]
+
+Signed-off-by: Denys Vlasenko
+Signed-off-by: Andreas Wellving
+---
+ networking/wget.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/networking/wget.c b/networking/wget.c
+index d4a9c0c..b525d6a 100644
+--- a/networking/wget.c
++++ b/networking/wget.c
+@@ -566,7 +566,7 @@ static FILE* prepare_ftp_session(FILE **dfpp, struct host_info *target, len_and_
+ if (ftpcmd("SIZE ", target->path, sfp) == 213) {
+ G.content_len = BB_STRTOOFF(G.wget_buf + 4, NULL, 10);
+ if (G.content_len < 0 || errno) {
+- bb_error_msg_and_die("SIZE value is garbage");
++ bb_error_msg_and_die("bad SIZE value '%s'", G.wget_buf + 4);
+ }
+ G.got_clen = 1;
+ }
+@@ -821,12 +821,20 @@ static void NOINLINE retrieve_file_data(FILE *dfp)
+ #endif
+ if (!G.chunked)
+ break;
+-
+- fgets_and_trim(dfp); /* Eat empty line */
++
++ /* Each chunk ends with "\r\n" - eat it */
++ fgets_and_trim(dfp);
+ get_clen:
++ /* chunk size format is "HEXNUM[;name[=val]]\r\n" */
+ fgets_and_trim(dfp);
++ errno = 0;
+ G.content_len = STRTOOFF(G.wget_buf, NULL, 16);
+- /* FIXME: error check? */
++ /*
++ * Had a bug with inputs like "ffffffff0001f400"
++ * smashing the heap later. Ensure >= 0.
++ */
++ if (G.content_len < 0 || errno)
++ bb_error_msg_and_die("bad chunk length '%s'", G.wget_buf);
+ if (G.content_len == 0)
+ break; /* all done! */
+ G.got_clen = 1;
+
+
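Review bot: The new chunk-length check in the second wget.c hunk still passes NULL as the end pointer, so a chunk-size line with no hex digits at all parses as 0 and falls straight into `if (G.content_len == 0) break; /* all done! */`, ending the transfer as if the body were complete. The added test only rejects negative or out-of-range values (assuming STRTOOFF maps to a strtol-family call, which is not visible here). Capturing the end pointer and rejecting an empty parse would close that gap: `G.content_len = STRTOOFF(G.wget_buf, &end, 16);` followed by `if (end == G.wget_buf || G.content_len < 0 || errno)`. retrieve_file_data starts and ends outside the hunk, and because this file is a backport the change is better proposed upstream than carried as a local deviation. Until then, anything on the image that fetches packages or firmware with wget should verify a checksum or signature rather than trust the exit status.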
diff --git a/recipes-core/busybox/busybox_%.bbappend b/recipes-core/busybox/busybox_%.bbappend
deleted file mode 100644
index 7b61cf9..0000000
--- a/recipes-core/busybox/busybox_%.bbappend
+++ /dev/null
@@ -1,19 +0,0 @@
-do_prepare_config_append () {
- sed -i -e 's/# CONFIG_CHRT is not set/CONFIG_CHRT=y/' .config
- sed -i -e 's/# CONFIG_TASKSET is not set/CONFIG_TASKSET=y/' .config
- sed -i -e 's/# CONFIG_FEATURE_TASKSET_FANCY is not set/CONFIG_FEATURE_TASKSET_FANCY=y/' .config
- sed -i -e 's/# CONFIG_HTTPD is not set/CONFIG_HTTPD=y/' .config
- sed -i -e 's/# CONFIG_FEATURE_HTTPD_RANGES is not set/CONFIG_FEATURE_HTTPD_RANGES=y/' .config
- sed -i -e 's/# CONFIG_FEATURE_HTTPD_USE_SENDFILE is not set/CONFIG_FEATURE_HTTPD_USE_SENDFILE=y/' .config
- sed -i -e 's/# CONFIG_FEATURE_HTTPD_SETUID is not set/CONFIG_FEATURE_HTTPD_SETUID=y/' .config
- sed -i -e 's/# CONFIG_FEATURE_HTTPD_BASIC_AUTH is not set/CONFIG_FEATURE_HTTPD_BASIC_AUTH=y/' .config
- sed -i -e 's/# CONFIG_FEATURE_HTTPD_AUTH_MD5 is not set/CONFIG_FEATURE_HTTPD_AUTH_MD5=y/' .config
- sed -i -e 's/# CONFIG_FEATURE_HTTPD_CGI is not set/CONFIG_FEATURE_HTTPD_CGI=y/' .config
- sed -i -e 's/# CONFIG_FEATURE_HTTPD_CONFIG_WITH_SCRIPT_INTERPR is not set/CONFIG_FEATURE_HTTPD_CONFIG_WITH_SCRIPT_INTERPR=y/' .config
- sed -i -e 's/# CONFIG_FEATURE_HTTPD_SET_REMOTE_PORT_TO_ENV is not set/CONFIG_FEATURE_HTTPD_SET_REMOTE_PORT_TO_ENV=y/' .config
- sed -i -e 's/# CONFIG_FEATURE_HTTPD_ENCODE_URL_STR is not set/CONFIG_FEATURE_HTTPD_ENCODE_URL_STR=y/' .config
- sed -i -e 's/# CONFIG_FEATURE_HTTPD_ERROR_PAGES is not set/CONFIG_FEATURE_HTTPD_ERROR_PAGES=y/' .config
- sed -i -e 's/# CONFIG_FEATURE_HTTPD_PROXY is not set/CONFIG_FEATURE_HTTPD_PROXY=y/' .config
- sed -i -e 's/# CONFIG_FEATURE_HTTPD_GZIP is not set/CONFIG_FEATURE_HTTPD_GZIP=y/' .config
- sed -i -e 's/# CONFIG_FEATURE_TAR_NOPRESERVE_TIME is not set/CONFIG_FEATURE_TAR_NOPRESERVE_TIME=y/' .config
-}
diff --git a/recipes-core/busybox/busybox_1.24.1.bbappend b/recipes-core/busybox/busybox_1.24.1.bbappend
new file mode 100644
index 0000000..6be3e59
--- /dev/null
+++ b/recipes-core/busybox/busybox_1.24.1.bbappend
@@ -0,0 +1,26 @@
+# look for files in the layer first
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+
+SRC_URI += " \
+ file://CVE-2018-1000517--wget-check-chunk-length-for-overflowing-off_t.patch \
+ "
+
+do_prepare_config_append () {
+ sed -i -e 's/# CONFIG_CHRT is not set/CONFIG_CHRT=y/' .config
+ sed -i -e 's/# CONFIG_TASKSET is not set/CONFIG_TASKSET=y/' .config
+ sed -i -e 's/# CONFIG_FEATURE_TASKSET_FANCY is not set/CONFIG_FEATURE_TASKSET_FANCY=y/' .config
+ sed -i -e 's/# CONFIG_HTTPD is not set/CONFIG_HTTPD=y/' .config
+ sed -i -e 's/# CONFIG_FEATURE_HTTPD_RANGES is not set/CONFIG_FEATURE_HTTPD_RANGES=y/' .config
+ sed -i -e 's/# CONFIG_FEATURE_HTTPD_USE_SENDFILE is not set/CONFIG_FEATURE_HTTPD_USE_SENDFILE=y/' .config
+ sed -i -e 's/# CONFIG_FEATURE_HTTPD_SETUID is not set/CONFIG_FEATURE_HTTPD_SETUID=y/' .config
+ sed -i -e 's/# CONFIG_FEATURE_HTTPD_BASIC_AUTH is not set/CONFIG_FEATURE_HTTPD_BASIC_AUTH=y/' .config
+ sed -i -e 's/# CONFIG_FEATURE_HTTPD_AUTH_MD5 is not set/CONFIG_FEATURE_HTTPD_AUTH_MD5=y/' .config
+ sed -i -e 's/# CONFIG_FEATURE_HTTPD_CGI is not set/CONFIG_FEATURE_HTTPD_CGI=y/' .config
+ sed -i -e 's/# CONFIG_FEATURE_HTTPD_CONFIG_WITH_SCRIPT_INTERPR is not set/CONFIG_FEATURE_HTTPD_CONFIG_WITH_SCRIPT_INTERPR=y/' .config
+ sed -i -e 's/# CONFIG_FEATURE_HTTPD_SET_REMOTE_PORT_TO_ENV is not set/CONFIG_FEATURE_HTTPD_SET_REMOTE_PORT_TO_ENV=y/' .config
+ sed -i -e 's/# CONFIG_FEATURE_HTTPD_ENCODE_URL_STR is not set/CONFIG_FEATURE_HTTPD_ENCODE_URL_STR=y/' .config
+ sed -i -e 's/# CONFIG_FEATURE_HTTPD_ERROR_PAGES is not set/CONFIG_FEATURE_HTTPD_ERROR_PAGES=y/' .config
+ sed -i -e 's/# CONFIG_FEATURE_HTTPD_PROXY is not set/CONFIG_FEATURE_HTTPD_PROXY=y/' .config
+ sed -i -e 's/# CONFIG_FEATURE_HTTPD_GZIP is not set/CONFIG_FEATURE_HTTPD_GZIP=y/' .config
+ sed -i -e 's/# CONFIG_FEATURE_TAR_NOPRESERVE_TIME is not set/CONFIG_FEATURE_TAR_NOPRESERVE_TIME=y/' .config
+}
-- cgit v1.2.3-54-g00ecf
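Review bot: Moving everything from `busybox_%.bbappend` into `busybox_1.24.1.bbappend` ties the whole `do_prepare_config_append` block, not just the CVE patch, to a single recipe version. If the busybox recipe in the underlying layer moves off 1.24.1, this append no longer matches and the HTTPD/TASKSET/CHRT settings go away together with the patch. Consider keeping the configuration in `busybox_%.bbappend` and placing only `FILESEXTRAPATHS_prepend` and the `SRC_URI` entry in the versioned file. A one-line comment above `SRC_URI`, for example `# Backport for CVE-2018-1000517; drop once the busybox recipe version already contains the upstream fix`, would tell the next maintainer when the patch can go.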