summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRahul Chauhan <rahulk@mvista.com>2020-07-12 07:14:53 +0530
committerRichard Purdie <richard.purdie@linuxfoundation.org>2020-07-22 22:46:38 +0100
commite821cfe190cde5b1d4ba1d7b4f4bea4b2174e9ad (patch)
treef6895edd04359eaaa484c65befea42186dc64582
parent4c211b471e1a2c311fbbc8d90a3deee65e300c9f (diff)
downloadpoky-e821cfe190cde5b1d4ba1d7b4f4bea4b2174e9ad.tar.gz
busybox: Security Fix For CVE-2018-1000500
CVE: CVE-2018-1000500 (From OE-Core rev: 1ff4e723ed65ff7ee2921a50ca0c004ea7bb2508) Signed-off-by: Rahul Kumar <rahulk@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-core/busybox/busybox/busybox-CVE-2018-1000500.patch98
-rw-r--r--meta/recipes-core/busybox/busybox_1.31.1.bb1
2 files changed, 99 insertions, 0 deletions
diff --git a/meta/recipes-core/busybox/busybox/busybox-CVE-2018-1000500.patch b/meta/recipes-core/busybox/busybox/busybox-CVE-2018-1000500.patch
new file mode 100644
index 0000000000..d1a33e4ab5
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/busybox-CVE-2018-1000500.patch
@@ -0,0 +1,98 @@
1From 71e7e2fb35c806d20f9739d832cd9ae3a86fdee2 Mon Sep 17 00:00:00 2001
2From: Dimitri John Ledkov <xnox@ubuntu.com>
3Date: Tue, 19 May 2020 18:20:39 +0100
4Subject: [PATCH] wget: implement TLS verification with
5 ENABLE_FEATURE_WGET_OPENSSL
6
7When ENABLE_FEATURE_WGET_OPENSSL is enabled, correctly implement TLS
8verification by default. And only ignore verification errors, if
9--no-check-certificate was passed.
10
11Also note, that previously OPENSSL implementation did not implement
12TLS verification, nor printed any warning messages that verification
13was not performed.
14
15Bug-Ubuntu: https://bugs.launchpad.net/bugs/1879533
16
17CVE-2018-1000500
18
19Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=45fa3f18adf57ef9d743038743d9c90573aeeb91]
20CVE: CVE-2018-1000500
21
22Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
23Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
24Signed-off-by: Rahul Kumar <rahulk@mvista.com>
25---
26 networking/wget.c | 20 +++++++++++++++++---
27 1 file changed, 17 insertions(+), 3 deletions(-)
28
29diff --git a/networking/wget.c b/networking/wget.c
30index 9153264..a7e6deb 100644
31--- a/networking/wget.c
32+++ b/networking/wget.c
33@@ -91,6 +91,9 @@
34 //config: patches, but do want to waste bandwidth expaining how wrong
35 //config: it is, you will be ignored.
36 //config:
37+//config: FEATURE_WGET_OPENSSL does implement TLS verification
38+//config: using the certificates available to OpenSSL.
39+//config:
40 //config:config FEATURE_WGET_OPENSSL
41 //config: bool "Try to connect to HTTPS using openssl"
42 //config: default y
43@@ -115,6 +118,9 @@
44 //config: If openssl can't be executed, internal TLS code will be used
45 //config: (if you enabled it); if openssl can be executed but fails later,
46 //config: wget can't detect this, and download will fail.
47+//config:
48+//config: By default TLS verification is performed, unless
49+//config: --no-check-certificate option is passed.
50
51 //applet:IF_WGET(APPLET(wget, BB_DIR_USR_BIN, BB_SUID_DROP))
52
53@@ -124,8 +130,11 @@
54 //usage: IF_FEATURE_WGET_LONG_OPTIONS(
55 //usage: "[-c|--continue] [--spider] [-q|--quiet] [-O|--output-document FILE]\n"
56 //usage: " [-o|--output-file FILE] [--header 'header: value'] [-Y|--proxy on/off]\n"
57+//usage: IF_FEATURE_WGET_OPENSSL(
58+//usage: " [--no-check-certificate]\n"
59+//usage: )
60 /* Since we ignore these opts, we don't show them in --help */
61-/* //usage: " [--no-check-certificate] [--no-cache] [--passive-ftp] [-t TRIES]" */
62+/* //usage: " [--no-cache] [--passive-ftp] [-t TRIES]" */
63 /* //usage: " [-nv] [-nc] [-nH] [-np]" */
64 //usage: " [-P DIR] [-S|--server-response] [-U|--user-agent AGENT]" IF_FEATURE_WGET_TIMEOUT(" [-T SEC]") " URL..."
65 //usage: )
66@@ -137,7 +146,9 @@
67 //usage: "Retrieve files via HTTP or FTP\n"
68 //usage: IF_FEATURE_WGET_LONG_OPTIONS(
69 //usage: "\n --spider Only check URL existence: $? is 0 if exists"
70-///////: "\n --no-check-certificate Don't validate the server's certificate"
71+//usage: IF_FEATURE_WGET_OPENSSL(
72+//usage: "\n --no-check-certificate Don't validate the server's certificate"
73+//usage: )
74 //usage: )
75 //usage: "\n -c Continue retrieval of aborted transfer"
76 //usage: "\n -q Quiet"
77@@ -662,7 +673,7 @@ static int spawn_https_helper_openssl(const char *host, unsigned port)
78 pid = xvfork();
79 if (pid == 0) {
80 /* Child */
81- char *argv[8];
82+ char *argv[9];
83
84 close(sp[0]);
85 xmove_fd(sp[1], 0);
86@@ -689,6 +700,9 @@ static int spawn_https_helper_openssl(const char *host, unsigned port)
87 argv[5] = (char*)"-servername";
88 argv[6] = (char*)servername;
89 }
90+ if (!(option_mask32 & WGET_OPT_NO_CHECK_CERT)) {
91+ argv[7] = (char*)"-verify_return_error";
92+ }
93
94 BB_EXECVP(argv[0], argv);
95 xmove_fd(3, 2);
96--
972.7.4
98
diff --git a/meta/recipes-core/busybox/busybox_1.31.1.bb b/meta/recipes-core/busybox/busybox_1.31.1.bb
index 2bb1d59ba7..a6b47027af 100644
--- a/meta/recipes-core/busybox/busybox_1.31.1.bb
+++ b/meta/recipes-core/busybox/busybox_1.31.1.bb
@@ -48,6 +48,7 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
48 file://0001-Remove-syscall-wrappers-around-clock_gettime-closes-.patch \ 48 file://0001-Remove-syscall-wrappers-around-clock_gettime-closes-.patch \
49 file://0001-Remove-stime-function-calls.patch \ 49 file://0001-Remove-stime-function-calls.patch \
50 file://0001-sysctl-ignore-EIO-of-stable_secret-below-proc-sys-ne.patch \ 50 file://0001-sysctl-ignore-EIO-of-stable_secret-below-proc-sys-ne.patch \
51 file://busybox-CVE-2018-1000500.patch \
51" 52"
52SRC_URI_append_libc-musl = " file://musl.cfg " 53SRC_URI_append_libc-musl = " file://musl.cfg "
53 54