diff options
author | Steve Sakoman <steve@sakoman.com> | 2022-04-18 09:04:07 -1000 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-04-19 14:02:13 +0100 |
commit | 8f48f1014f90c3ceacd8be367c209f941a3622ba (patch) | |
tree | 71bbf93b63bc0163e98d4b13f2270cc151c2e976 /meta/recipes-core/busybox | |
parent | 57a32692b7e34002c1475763f3b90650b595b851 (diff) | |
download | poky-8f48f1014f90c3ceacd8be367c209f941a3622ba.tar.gz |
busybox: fix CVE-2022-28391
BusyBox through 1.35.0 allows remote attackers to execute arbitrary code
if netstat is used to print a DNS PTR record's value to a VT compatible
terminal. Alternatively, the attacker could choose to change the terminal's colors.
https://nvd.nist.gov/vuln/detail/CVE-2022-28391
(From OE-Core rev: 3e17df4cd17c132dc7732ebd3d1c80c81c85bcc4)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-core/busybox')
3 files changed, 112 insertions, 0 deletions
diff --git a/meta/recipes-core/busybox/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch b/meta/recipes-core/busybox/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch new file mode 100644 index 0000000000..4635250170 --- /dev/null +++ b/meta/recipes-core/busybox/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch | |||
@@ -0,0 +1,41 @@ | |||
1 | From 0c8da1bead8ffaf270b4b723ead2c517371405d7 Mon Sep 17 00:00:00 2001 | ||
2 | From: Ariadne Conill <ariadne@dereferenced.org> | ||
3 | Date: Sun, 3 Apr 2022 12:14:33 +0000 | ||
4 | Subject: [PATCH 1/2] libbb: sockaddr2str: ensure only printable characters are | ||
5 | returned for the hostname part | ||
6 | |||
7 | CVE: CVE-2022-28391 | ||
8 | Upstream-Status: Pending | ||
9 | Signed-off-by: Ariadne Conill <ariadne@dereferenced.org> | ||
10 | Signed-off-by: Steve Sakoman <steve@sakoman.com> | ||
11 | --- | ||
12 | libbb/xconnect.c | 5 +++-- | ||
13 | 1 file changed, 3 insertions(+), 2 deletions(-) | ||
14 | |||
15 | diff --git a/libbb/xconnect.c b/libbb/xconnect.c | ||
16 | index 0e0b247b8..02c061e67 100644 | ||
17 | --- a/libbb/xconnect.c | ||
18 | +++ b/libbb/xconnect.c | ||
19 | @@ -497,8 +497,9 @@ static char* FAST_FUNC sockaddr2str(const struct sockaddr *sa, int flags) | ||
20 | ); | ||
21 | if (rc) | ||
22 | return NULL; | ||
23 | + /* ensure host contains only printable characters */ | ||
24 | if (flags & IGNORE_PORT) | ||
25 | - return xstrdup(host); | ||
26 | + return xstrdup(printable_string(host)); | ||
27 | #if ENABLE_FEATURE_IPV6 | ||
28 | if (sa->sa_family == AF_INET6) { | ||
29 | if (strchr(host, ':')) /* heh, it's not a resolved hostname */ | ||
30 | @@ -509,7 +510,7 @@ static char* FAST_FUNC sockaddr2str(const struct sockaddr *sa, int flags) | ||
31 | #endif | ||
32 | /* For now we don't support anything else, so it has to be INET */ | ||
33 | /*if (sa->sa_family == AF_INET)*/ | ||
34 | - return xasprintf("%s:%s", host, serv); | ||
35 | + return xasprintf("%s:%s", printable_string(host), serv); | ||
36 | /*return xstrdup(host);*/ | ||
37 | } | ||
38 | |||
39 | -- | ||
40 | 2.35.1 | ||
41 | |||
diff --git a/meta/recipes-core/busybox/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch b/meta/recipes-core/busybox/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch new file mode 100644 index 0000000000..0d7409ddc3 --- /dev/null +++ b/meta/recipes-core/busybox/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch | |||
@@ -0,0 +1,69 @@ | |||
1 | From 812b407e545b70b16cf32aade135b5c32eaf674f Mon Sep 17 00:00:00 2001 | ||
2 | From: Ariadne Conill <ariadne@dereferenced.org> | ||
3 | Date: Sun, 3 Apr 2022 12:16:45 +0000 | ||
4 | Subject: [PATCH 2/2] nslookup: sanitize all printed strings with | ||
5 | printable_string | ||
6 | |||
7 | Otherwise, terminal sequences can be injected, which enables various terminal injection | ||
8 | attacks from DNS results. | ||
9 | |||
10 | CVE: CVE-2022-28391 | ||
11 | Upstream-Status: Pending | ||
12 | Signed-off-by: Ariadne Conill <ariadne@dereferenced.org> | ||
13 | Signed-off-by: Steve Sakoman <steve@sakoman.com> | ||
14 | --- | ||
15 | networking/nslookup.c | 10 +++++----- | ||
16 | 1 file changed, 5 insertions(+), 5 deletions(-) | ||
17 | |||
18 | diff --git a/networking/nslookup.c b/networking/nslookup.c | ||
19 | index 6da97baf4..4bdcde1b8 100644 | ||
20 | --- a/networking/nslookup.c | ||
21 | +++ b/networking/nslookup.c | ||
22 | @@ -407,7 +407,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len) | ||
23 | //printf("Unable to uncompress domain: %s\n", strerror(errno)); | ||
24 | return -1; | ||
25 | } | ||
26 | - printf(format, ns_rr_name(rr), dname); | ||
27 | + printf(format, ns_rr_name(rr), printable_string(dname)); | ||
28 | break; | ||
29 | |||
30 | case ns_t_mx: | ||
31 | @@ -422,7 +422,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len) | ||
32 | //printf("Cannot uncompress MX domain: %s\n", strerror(errno)); | ||
33 | return -1; | ||
34 | } | ||
35 | - printf("%s\tmail exchanger = %d %s\n", ns_rr_name(rr), n, dname); | ||
36 | + printf("%s\tmail exchanger = %d %s\n", ns_rr_name(rr), n, printable_string(dname)); | ||
37 | break; | ||
38 | |||
39 | case ns_t_txt: | ||
40 | @@ -434,7 +434,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len) | ||
41 | if (n > 0) { | ||
42 | memset(dname, 0, sizeof(dname)); | ||
43 | memcpy(dname, ns_rr_rdata(rr) + 1, n); | ||
44 | - printf("%s\ttext = \"%s\"\n", ns_rr_name(rr), dname); | ||
45 | + printf("%s\ttext = \"%s\"\n", ns_rr_name(rr), printable_string(dname)); | ||
46 | } | ||
47 | break; | ||
48 | |||
49 | @@ -454,7 +454,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len) | ||
50 | } | ||
51 | |||
52 | printf("%s\tservice = %u %u %u %s\n", ns_rr_name(rr), | ||
53 | - ns_get16(cp), ns_get16(cp + 2), ns_get16(cp + 4), dname); | ||
54 | + ns_get16(cp), ns_get16(cp + 2), ns_get16(cp + 4), printable_string(dname)); | ||
55 | break; | ||
56 | |||
57 | case ns_t_soa: | ||
58 | @@ -483,7 +483,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len) | ||
59 | return -1; | ||
60 | } | ||
61 | |||
62 | - printf("\tmail addr = %s\n", dname); | ||
63 | + printf("\tmail addr = %s\n", printable_string(dname)); | ||
64 | cp += n; | ||
65 | |||
66 | printf("\tserial = %lu\n", ns_get32(cp)); | ||
67 | -- | ||
68 | 2.35.1 | ||
69 | |||
diff --git a/meta/recipes-core/busybox/busybox_1.35.0.bb b/meta/recipes-core/busybox/busybox_1.35.0.bb index ab11f3d89a..f2f1b35902 100644 --- a/meta/recipes-core/busybox/busybox_1.35.0.bb +++ b/meta/recipes-core/busybox/busybox_1.35.0.bb | |||
@@ -47,6 +47,8 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \ | |||
47 | file://0001-testsuite-use-www.example.org-for-wget-test-cases.patch \ | 47 | file://0001-testsuite-use-www.example.org-for-wget-test-cases.patch \ |
48 | file://0001-du-l-works-fix-to-use-145-instead-of-144.patch \ | 48 | file://0001-du-l-works-fix-to-use-145-instead-of-144.patch \ |
49 | file://0001-sysctl-ignore-EIO-of-stable_secret-below-proc-sys-ne.patch \ | 49 | file://0001-sysctl-ignore-EIO-of-stable_secret-below-proc-sys-ne.patch \ |
50 | file://0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch \ | ||
51 | file://0002-nslookup-sanitize-all-printed-strings-with-printable.patch \ | ||
50 | " | 52 | " |
51 | SRC_URI:append:libc-musl = " file://musl.cfg " | 53 | SRC_URI:append:libc-musl = " file://musl.cfg " |
52 | 54 | ||