diff options
author | Andrej Valek <andrej.valek@siemens.com> | 2017-04-06 09:07:37 +0200 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-05-18 13:07:33 +0100 |
commit | 094b64ea8b68c640590242a0fb062e587485a0b6 (patch) | |
tree | 3a4329a5c73fe61df8f7cffb6a95912b0a9be605 | |
parent | 254336d09ba20d9139bbd0ef5720b43ac52fa671 (diff) | |
download | poky-094b64ea8b68c640590242a0fb062e587485a0b6.tar.gz |
busybox: Security fix CVE-2016-6301
ntpd: NTP server denial of service flaw
CVE: CVE-2016-6301
(From OE-Core rev: dafbf8a9e9ed068ecbf22cc816f9a6a3a2da7aa9)
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Pascal Bach <pascal.bach@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 301dc9df16cce1f4649f90af47159bc21be0de59)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-core/busybox/busybox/CVE-2016-6301.patch | 37 | ||||
-rw-r--r-- | meta/recipes-core/busybox/busybox_1.24.1.bb | 1 |
2 files changed, 38 insertions, 0 deletions
diff --git a/meta/recipes-core/busybox/busybox/CVE-2016-6301.patch b/meta/recipes-core/busybox/busybox/CVE-2016-6301.patch new file mode 100644 index 0000000000..851bc20f79 --- /dev/null +++ b/meta/recipes-core/busybox/busybox/CVE-2016-6301.patch | |||
@@ -0,0 +1,37 @@ | |||
1 | busybox1.24.1: Fix CVE-2016-6301 | ||
2 | |||
3 | [No upstream tracking] -- https://bugzilla.redhat.com/show_bug.cgi?id=1363710 | ||
4 | |||
5 | ntpd: NTP server denial of service flaw | ||
6 | |||
7 | The busybox NTP implementation doesn't check the NTP mode of packets | ||
8 | received on the server port and responds to any packet with the right | ||
9 | size. This includes responses from another NTP server. An attacker can | ||
10 | send a packet with a spoofed source address in order to create an | ||
11 | infinite loop of responses between two busybox NTP servers. Adding | ||
12 | more packets to the loop increases the traffic between the servers | ||
13 | until one of them has a fully loaded CPU and/or network. | ||
14 | |||
15 | Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=150dc7a2b483b8338a3e185c478b4b23ee884e71] | ||
16 | CVE: CVE-2016-6301 | ||
17 | Signed-off-by: Andrej Valek <andrej.valek@siemens.com> | ||
18 | Signed-off-by: Pascal Bach <pascal.bach@siemens.com> | ||
19 | |||
20 | diff --git a/networking/ntpd.c b/networking/ntpd.c | ||
21 | index 9732c9b..0f6a55f 100644 | ||
22 | --- a/networking/ntpd.c | ||
23 | +++ b/networking/ntpd.c | ||
24 | @@ -1985,6 +1985,13 @@ recv_and_process_client_pkt(void /*int fd*/) | ||
25 | goto bail; | ||
26 | } | ||
27 | |||
28 | + /* Respond only to client and symmetric active packets */ | ||
29 | + if ((msg.m_status & MODE_MASK) != MODE_CLIENT | ||
30 | + && (msg.m_status & MODE_MASK) != MODE_SYM_ACT | ||
31 | + ) { | ||
32 | + goto bail; | ||
33 | + } | ||
34 | + | ||
35 | query_status = msg.m_status; | ||
36 | query_xmttime = msg.m_xmttime; | ||
37 | |||
diff --git a/meta/recipes-core/busybox/busybox_1.24.1.bb b/meta/recipes-core/busybox/busybox_1.24.1.bb index f6c759584f..cb4568854c 100644 --- a/meta/recipes-core/busybox/busybox_1.24.1.bb +++ b/meta/recipes-core/busybox/busybox_1.24.1.bb | |||
@@ -47,6 +47,7 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \ | |||
47 | file://CVE-2016-2148.patch \ | 47 | file://CVE-2016-2148.patch \ |
48 | file://CVE-2016-2147.patch \ | 48 | file://CVE-2016-2147.patch \ |
49 | file://CVE-2016-2147_2.patch \ | 49 | file://CVE-2016-2147_2.patch \ |
50 | file://CVE-2016-6301.patch \ | ||
50 | file://ip_fix_problem_on_mips64_n64_big_endian_musl_systems.patch \ | 51 | file://ip_fix_problem_on_mips64_n64_big_endian_musl_systems.patch \ |
51 | file://makefile-fix-backport.patch \ | 52 | file://makefile-fix-backport.patch \ |
52 | file://0001-sed-fix-sed-n-flushes-pattern-space-terminates-early.patch \ | 53 | file://0001-sed-fix-sed-n-flushes-pattern-space-terminates-early.patch \ |