busybox: Security fix CVE-2016-2147

busybox <= 1.24.2 (From OE-Core rev: 8a7a392ef37b3d5bd8ef81ab17d976696ad64dfe) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2016-04-27 17:47:22 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2016-04-29 07:41:43 +0100
commit: 9f3d7ae8f6329a92018aae82211b51e3b14b2bea (patch)
tree: 1fd2eb8c6d8cf939952413d495d69224abc78881 /meta/recipes-core/busybox/busybox
parent: 2928ca48e98f064aacf8c121a2425224c83596a5 (diff)
download: poky-9f3d7ae8f6329a92018aae82211b51e3b14b2bea.tar.gz
2 files changed, 89 insertions, 0 deletions
diff --git a/meta/recipes-core/busybox/busybox/CVE-2016-2147.patch b/meta/recipes-core/busybox/busybox/CVE-2016-2147.patch
new file mode 100644
index 0000000000..84cae6aa2c
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2016-2147.patch
@@ -0,0 +1,57 @@
+From d474ffc68290e0a83651c4432eeabfa62cd51e87 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Thu, 10 Mar 2016 11:47:58 +0100
+Subject: [PATCH] udhcp: fix a SEGV on malformed RFC1035-encoded domain name
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+Upstream-Status: Backport
+CVE: CVE-2016-2147
+https://git.busybox.net/busybox/commit/?id=d474ffc
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ networking/udhcp/domain_codec.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+Index: busybox-1.23.2/networking/udhcp/domain_codec.c
+===================================================================
+--- busybox-1.23.2.orig/networking/udhcp/domain_codec.c
+++ busybox-1.23.2/networking/udhcp/domain_codec.c
+@@ -63,11 +63,10 @@ char* FAST_FUNC dname_dec(const uint8_t
+                                if (crtpos + *c + 1 > clen) /* label too long? abort */
+                                        return NULL;
+                                if (dst)
+-                                       memcpy(dst + len, c + 1, *c);
+                                       /* \3com ---> "com." */
+                                       ((char*)mempcpy(dst + len, c + 1, *c))[0] = '.';
+                                len += *c + 1;
+                                crtpos += *c + 1;
+-                               if (dst)
+-                                       dst[len - 1] = '.';
+                        } else {
+                                /* NUL: end of current domain name */
+                                if (retpos == 0) {
+@@ -78,7 +77,10 @@ char* FAST_FUNC dname_dec(const uint8_t
+                                        crtpos = retpos;
+                                        retpos = depth = 0;
+                                }
+-                               if (dst)
+                               if (dst && len != 0)
+                                       /* \4host\3com\0\4host and we are at \0:
+                                        * \3com was converted to "com.", change dot to space.
+                                        */
+                                        dst[len - 1] = ' ';
+                        }
+ 
+@@ -228,6 +230,9 @@ int main(int argc, char **argv)
+        int len;
+        uint8_t *encoded;
+ 
+        uint8_t str[6] = { 0x00, 0x00, 0x02, 0x65, 0x65, 0x00 };
+        printf("NUL:'%s'\n",   dname_dec(str, 6, ""));
+
+ #define DNAME_DEC(encoded,pre) dname_dec((uint8_t*)(encoded), sizeof(encoded), (pre))
+        printf("'%s'\n",       DNAME_DEC("\4host\3com\0", "test1:"));
+        printf("test2:'%s'\n", DNAME_DEC("\4host\3com\0\4host\3com\0", ""));
diff --git a/meta/recipes-core/busybox/busybox/CVE-2016-2147_2.patch b/meta/recipes-core/busybox/busybox/CVE-2016-2147_2.patch
new file mode 100644
index 0000000000..1473d46035
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2016-2147_2.patch
@@ -0,0 +1,32 @@
+From 1b7c17391de66502dd7a97c866e0a33681edbb1f Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Fri, 11 Mar 2016 00:26:58 +0100
+Subject: [PATCH] udhcpc: fix a warning in debug code
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+Upsteam-Status: Backport
+CVE: CVE-2016-2147 regression fix
+https://git.busybox.net/busybox/commit/?id=1b7c17
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ networking/udhcp/domain_codec.c | 1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/networking/udhcp/domain_codec.c b/networking/udhcp/domain_codec.c
+index cee31f1..5a923cc 100644
+--- a/networking/udhcp/domain_codec.c
+++ b/networking/udhcp/domain_codec.c
+@@ -7,6 +7,7 @@
+  * Licensed under GPLv2 or later, see file LICENSE in this source tree.
+  */
+ #ifdef DNS_COMPR_TESTING
+# define _GNU_SOURCE
+ # define FAST_FUNC /* nothing */
+ # define xmalloc malloc
+ # include <stdlib.h>
+-- 
+2.3.5
author	Armin Kuster <akuster@mvista.com>	2016-04-27 17:47:22 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2016-04-29 07:41:43 +0100
commit	9f3d7ae8f6329a92018aae82211b51e3b14b2bea (patch)
tree	1fd2eb8c6d8cf939952413d495d69224abc78881 /meta/recipes-core/busybox/busybox
parent	2928ca48e98f064aacf8c121a2425224c83596a5 (diff)
download	poky-9f3d7ae8f6329a92018aae82211b51e3b14b2bea.tar.gz

diff --git a/meta/recipes-core/busybox/busybox/CVE-2016-2147.patch b/meta/recipes-core/busybox/busybox/CVE-2016-2147.patch new file mode 100644 index 0000000000..84cae6aa2c --- /dev/null +++ b/meta/recipes-core/busybox/busybox/CVE-2016-2147.patch
@@ -0,0 +1,57 @@
	1	From d474ffc68290e0a83651c4432eeabfa62cd51e87 Mon Sep 17 00:00:00 2001
	2	From: Denys Vlasenko <vda.linux@googlemail.com>
	3	Date: Thu, 10 Mar 2016 11:47:58 +0100
	4	Subject: [PATCH] udhcp: fix a SEGV on malformed RFC1035-encoded domain name
	5
	6	Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
	7
	8	Upstream-Status: Backport
	9	CVE: CVE-2016-2147
	10
	11	https://git.busybox.net/busybox/commit/?id=d474ffc
	12	Signed-off-by: Armin Kuster <akuster@mvista.com>
	13
	14	---
	15	networking/udhcp/domain_codec.c \| 13 +++++++++----
	16	1 file changed, 9 insertions(+), 4 deletions(-)
	17
	18	Index: busybox-1.23.2/networking/udhcp/domain_codec.c
	19	===================================================================
	20	--- busybox-1.23.2.orig/networking/udhcp/domain_codec.c
	21	+++ busybox-1.23.2/networking/udhcp/domain_codec.c
	22	@@ -63,11 +63,10 @@ char* FAST_FUNC dname_dec(const uint8_t
	23	if (crtpos + c + 1 > clen) / label too long? abort */
	24	return NULL;
	25	if (dst)
	26	- memcpy(dst + len, c + 1, *c);
	27	+ /* \3com ---> "com." */
	28	+ ((char)mempcpy(dst + len, c + 1, c))[0] = '.';
	29	len += *c + 1;
	30	crtpos += *c + 1;
	31	- if (dst)
	32	- dst[len - 1] = '.';
	33	} else {
	34	/* NUL: end of current domain name */
	35	if (retpos == 0) {
	36	@@ -78,7 +77,10 @@ char* FAST_FUNC dname_dec(const uint8_t
	37	crtpos = retpos;
	38	retpos = depth = 0;
	39	}
	40	- if (dst)
	41	+ if (dst && len != 0)
	42	+ /* \4host\3com\0\4host and we are at \0:
	43	+ * \3com was converted to "com.", change dot to space.
	44	+ */
	45	dst[len - 1] = ' ';
	46	}
	47
	48	@@ -228,6 +230,9 @@ int main(int argc, char **argv)
	49	int len;
	50	uint8_t *encoded;
	51
	52	+ uint8_t str[6] = { 0x00, 0x00, 0x02, 0x65, 0x65, 0x00 };
	53	+ printf("NUL:'%s'\n", dname_dec(str, 6, ""));
	54	+
	55	#define DNAME_DEC(encoded,pre) dname_dec((uint8_t*)(encoded), sizeof(encoded), (pre))
	56	printf("'%s'\n", DNAME_DEC("\4host\3com\0", "test1:"));
	57	printf("test2:'%s'\n", DNAME_DEC("\4host\3com\0\4host\3com\0", ""));


diff --git a/meta/recipes-core/busybox/busybox/CVE-2016-2147_2.patch b/meta/recipes-core/busybox/busybox/CVE-2016-2147_2.patch new file mode 100644 index 0000000000..1473d46035 --- /dev/null +++ b/meta/recipes-core/busybox/busybox/CVE-2016-2147_2.patch
@@ -0,0 +1,32 @@
	1	From 1b7c17391de66502dd7a97c866e0a33681edbb1f Mon Sep 17 00:00:00 2001
	2	From: Denys Vlasenko <vda.linux@googlemail.com>
	3	Date: Fri, 11 Mar 2016 00:26:58 +0100
	4	Subject: [PATCH] udhcpc: fix a warning in debug code
	5
	6	Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
	7	Upsteam-Status: Backport
	8	CVE: CVE-2016-2147 regression fix
	9
	10	https://git.busybox.net/busybox/commit/?id=1b7c17
	11
	12	Signed-off-by: Armin Kuster <akuster@mvista.com>
	13
	14	---
	15	networking/udhcp/domain_codec.c \| 1 +
	16	1 file changed, 1 insertion(+)
	17
	18	diff --git a/networking/udhcp/domain_codec.c b/networking/udhcp/domain_codec.c
	19	index cee31f1..5a923cc 100644
	20	--- a/networking/udhcp/domain_codec.c
	21	+++ b/networking/udhcp/domain_codec.c
	22	@@ -7,6 +7,7 @@
	23	* Licensed under GPLv2 or later, see file LICENSE in this source tree.
	24	*/
	25	#ifdef DNS_COMPR_TESTING
	26	+# define _GNU_SOURCE
	27	# define FAST_FUNC /* nothing */
	28	# define xmalloc malloc
	29	# include <stdlib.h>
	30	--
	31	2.3.5
	32