diff options
| author | Steve Sakoman <steve@sakoman.com> | 2022-05-10 15:21:48 +0200 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-05-14 20:26:34 +0100 |
| commit | d68406497e71921a2caeaa8419535b30834db936 (patch) | |
| tree | af246b5f3ad5345557aabcfd64e726d52280fbc3 | |
| parent | 5daf9735c90906e537155dee74c022831995ca34 (diff) | |
| download | poky-d68406497e71921a2caeaa8419535b30834db936.tar.gz | |
busybox: fix CVE-2022-28391
BusyBox through 1.35.0 allows remote attackers to execute arbitrary code
if netstat is used to print a DNS PTR record's value to a VT compatible
terminal. Alternatively, the attacker could choose to change the terminal's colors.
https://nvd.nist.gov/vuln/detail/CVE-2022-28391
Backported from kirkstone 3e17df4cd17c132dc7732ebd3d1c80c81c85bcc4.
2nd patch adjusted to apply on 1.31.1.
(From OE-Core rev: 0b9cbcc4ceac3938afd1dd6010ce6d9a3da21598)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
3 files changed, 104 insertions, 0 deletions
diff --git a/meta/recipes-core/busybox/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch b/meta/recipes-core/busybox/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch new file mode 100644 index 0000000000..18bf5f19e4 --- /dev/null +++ b/meta/recipes-core/busybox/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch | |||
| @@ -0,0 +1,38 @@ | |||
| 1 | From c7e181fdf58c392e06ab805e2c044c3e57d5445a Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Ariadne Conill <ariadne@dereferenced.org> | ||
| 3 | Date: Sun, 3 Apr 2022 12:14:33 +0000 | ||
| 4 | Subject: [PATCH] libbb: sockaddr2str: ensure only printable characters are | ||
| 5 | returned for the hostname part | ||
| 6 | |||
| 7 | CVE: CVE-2022-28391 | ||
| 8 | Upstream-Status: Pending | ||
| 9 | Signed-off-by: Ariadne Conill <ariadne@dereferenced.org> | ||
| 10 | Signed-off-by: Steve Sakoman <steve@sakoman.com> | ||
| 11 | --- | ||
| 12 | libbb/xconnect.c | 5 +++-- | ||
| 13 | 1 file changed, 3 insertions(+), 2 deletions(-) | ||
| 14 | |||
| 15 | diff --git a/libbb/xconnect.c b/libbb/xconnect.c | ||
| 16 | index eb2871cb1..b5520bb21 100644 | ||
| 17 | --- a/libbb/xconnect.c | ||
| 18 | +++ b/libbb/xconnect.c | ||
| 19 | @@ -501,8 +501,9 @@ static char* FAST_FUNC sockaddr2str(const struct sockaddr *sa, int flags) | ||
| 20 | ); | ||
| 21 | if (rc) | ||
| 22 | return NULL; | ||
| 23 | + /* ensure host contains only printable characters */ | ||
| 24 | if (flags & IGNORE_PORT) | ||
| 25 | - return xstrdup(host); | ||
| 26 | + return xstrdup(printable_string(host)); | ||
| 27 | #if ENABLE_FEATURE_IPV6 | ||
| 28 | if (sa->sa_family == AF_INET6) { | ||
| 29 | if (strchr(host, ':')) /* heh, it's not a resolved hostname */ | ||
| 30 | @@ -513,7 +514,7 @@ static char* FAST_FUNC sockaddr2str(const struct sockaddr *sa, int flags) | ||
| 31 | #endif | ||
| 32 | /* For now we don't support anything else, so it has to be INET */ | ||
| 33 | /*if (sa->sa_family == AF_INET)*/ | ||
| 34 | - return xasprintf("%s:%s", host, serv); | ||
| 35 | + return xasprintf("%s:%s", printable_string(host), serv); | ||
| 36 | /*return xstrdup(host);*/ | ||
| 37 | } | ||
| 38 | |||
diff --git a/meta/recipes-core/busybox/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch b/meta/recipes-core/busybox/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch new file mode 100644 index 0000000000..2c9da33a51 --- /dev/null +++ b/meta/recipes-core/busybox/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch | |||
| @@ -0,0 +1,64 @@ | |||
| 1 | From f8ad7c331b25ba90fd296b37c443b4114cb196e2 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Ariadne Conill <ariadne@dereferenced.org> | ||
| 3 | Date: Sun, 3 Apr 2022 12:16:45 +0000 | ||
| 4 | Subject: [PATCH] nslookup: sanitize all printed strings with printable_string | ||
| 5 | |||
| 6 | Otherwise, terminal sequences can be injected, which enables various terminal injection | ||
| 7 | attacks from DNS results. | ||
| 8 | |||
| 9 | MJ: One chunk wasn't applicable on 1.31.1 version, because parsing of | ||
| 10 | SRV records was added only in newer 1.32.0 with: | ||
| 11 | commit 6b4960155e94076bf25518e4e268a7a5f849308e | ||
| 12 | Author: Jo-Philipp Wich <jo@mein.io> | ||
| 13 | Date: Thu Jun 27 17:27:29 2019 +0200 | ||
| 14 | |||
| 15 | nslookup: implement support for SRV records | ||
| 16 | |||
| 17 | CVE: CVE-2022-28391 | ||
| 18 | Upstream-Status: Pending | ||
| 19 | Signed-off-by: Ariadne Conill <ariadne@dereferenced.org> | ||
| 20 | Signed-off-by: Steve Sakoman <steve@sakoman.com> | ||
| 21 | --- | ||
| 22 | networking/nslookup.c | 8 ++++---- | ||
| 23 | 1 file changed, 4 insertions(+), 4 deletions(-) | ||
| 24 | |||
| 25 | diff --git a/networking/nslookup.c b/networking/nslookup.c | ||
| 26 | index 24e09d4f0..89b9c8a13 100644 | ||
| 27 | --- a/networking/nslookup.c | ||
| 28 | +++ b/networking/nslookup.c | ||
| 29 | @@ -404,7 +404,7 @@ static int parse_reply(const unsigned char *msg, size_t len) | ||
| 30 | //printf("Unable to uncompress domain: %s\n", strerror(errno)); | ||
| 31 | return -1; | ||
| 32 | } | ||
| 33 | - printf(format, ns_rr_name(rr), dname); | ||
| 34 | + printf(format, ns_rr_name(rr), printable_string(dname)); | ||
| 35 | break; | ||
| 36 | |||
| 37 | case ns_t_mx: | ||
| 38 | @@ -419,7 +419,7 @@ static int parse_reply(const unsigned char *msg, size_t len) | ||
| 39 | //printf("Cannot uncompress MX domain: %s\n", strerror(errno)); | ||
| 40 | return -1; | ||
| 41 | } | ||
| 42 | - printf("%s\tmail exchanger = %d %s\n", ns_rr_name(rr), n, dname); | ||
| 43 | + printf("%s\tmail exchanger = %d %s\n", ns_rr_name(rr), n, printable_string(dname)); | ||
| 44 | break; | ||
| 45 | |||
| 46 | case ns_t_txt: | ||
| 47 | @@ -431,7 +431,7 @@ static int parse_reply(const unsigned char *msg, size_t len) | ||
| 48 | if (n > 0) { | ||
| 49 | memset(dname, 0, sizeof(dname)); | ||
| 50 | memcpy(dname, ns_rr_rdata(rr) + 1, n); | ||
| 51 | - printf("%s\ttext = \"%s\"\n", ns_rr_name(rr), dname); | ||
| 52 | + printf("%s\ttext = \"%s\"\n", ns_rr_name(rr), printable_string(dname)); | ||
| 53 | } | ||
| 54 | break; | ||
| 55 | |||
| 56 | @@ -461,7 +461,7 @@ static int parse_reply(const unsigned char *msg, size_t len) | ||
| 57 | return -1; | ||
| 58 | } | ||
| 59 | |||
| 60 | - printf("\tmail addr = %s\n", dname); | ||
| 61 | + printf("\tmail addr = %s\n", printable_string(dname)); | ||
| 62 | cp += n; | ||
| 63 | |||
| 64 | printf("\tserial = %lu\n", ns_get32(cp)); | ||
diff --git a/meta/recipes-core/busybox/busybox_1.31.1.bb b/meta/recipes-core/busybox/busybox_1.31.1.bb index 38b448b3e1..d062f0f7dd 100644 --- a/meta/recipes-core/busybox/busybox_1.31.1.bb +++ b/meta/recipes-core/busybox/busybox_1.31.1.bb | |||
| @@ -55,6 +55,8 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \ | |||
| 55 | file://CVE-2021-42374.patch \ | 55 | file://CVE-2021-42374.patch \ |
| 56 | file://CVE-2021-42376.patch \ | 56 | file://CVE-2021-42376.patch \ |
| 57 | file://CVE-2021-423xx-awk.patch \ | 57 | file://CVE-2021-423xx-awk.patch \ |
| 58 | file://0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch \ | ||
| 59 | file://0002-nslookup-sanitize-all-printed-strings-with-printable.patch \ | ||
| 58 | " | 60 | " |
| 59 | SRC_URI_append_libc-musl = " file://musl.cfg " | 61 | SRC_URI_append_libc-musl = " file://musl.cfg " |
| 60 | 62 | ||