busybox: Security fix CVE-2016-2147

busybox <= 1.24.2 (From OE-Core rev: 8a7a392ef37b3d5bd8ef81ab17d976696ad64dfe) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2016-04-27 17:47:22 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2016-04-29 07:41:43 +0100
commit: 9f3d7ae8f6329a92018aae82211b51e3b14b2bea (patch)
tree: 1fd2eb8c6d8cf939952413d495d69224abc78881 /meta/recipes-core
parent: 2928ca48e98f064aacf8c121a2425224c83596a5 (diff)
download: poky-9f3d7ae8f6329a92018aae82211b51e3b14b2bea.tar.gz
3 files changed, 91 insertions, 0 deletions
diff --git a/meta/recipes-core/busybox/busybox/CVE-2016-2147.patch b/meta/recipes-core/busybox/busybox/CVE-2016-2147.patch
new file mode 100644
index 0000000000..84cae6aa2c
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2016-2147.patch
@@ -0,0 +1,57 @@
+From d474ffc68290e0a83651c4432eeabfa62cd51e87 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Thu, 10 Mar 2016 11:47:58 +0100
+Subject: [PATCH] udhcp: fix a SEGV on malformed RFC1035-encoded domain name
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+Upstream-Status: Backport
+CVE: CVE-2016-2147
+https://git.busybox.net/busybox/commit/?id=d474ffc
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ networking/udhcp/domain_codec.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+Index: busybox-1.23.2/networking/udhcp/domain_codec.c
+===================================================================
+--- busybox-1.23.2.orig/networking/udhcp/domain_codec.c
+++ busybox-1.23.2/networking/udhcp/domain_codec.c
+@@ -63,11 +63,10 @@ char* FAST_FUNC dname_dec(const uint8_t
+                                if (crtpos + *c + 1 > clen) /* label too long? abort */
+                                        return NULL;
+                                if (dst)
+-                                       memcpy(dst + len, c + 1, *c);
+                                       /* \3com ---> "com." */
+                                       ((char*)mempcpy(dst + len, c + 1, *c))[0] = '.';
+                                len += *c + 1;
+                                crtpos += *c + 1;
+-                               if (dst)
+-                                       dst[len - 1] = '.';
+                        } else {
+                                /* NUL: end of current domain name */
+                                if (retpos == 0) {
+@@ -78,7 +77,10 @@ char* FAST_FUNC dname_dec(const uint8_t
+                                        crtpos = retpos;
+                                        retpos = depth = 0;
+                                }
+-                               if (dst)
+                               if (dst && len != 0)
+                                       /* \4host\3com\0\4host and we are at \0:
+                                        * \3com was converted to "com.", change dot to space.
+                                        */
+                                        dst[len - 1] = ' ';
+                        }
+ 
+@@ -228,6 +230,9 @@ int main(int argc, char **argv)
+        int len;
+        uint8_t *encoded;
+ 
+        uint8_t str[6] = { 0x00, 0x00, 0x02, 0x65, 0x65, 0x00 };
+        printf("NUL:'%s'\n",   dname_dec(str, 6, ""));
+
+ #define DNAME_DEC(encoded,pre) dname_dec((uint8_t*)(encoded), sizeof(encoded), (pre))
+        printf("'%s'\n",       DNAME_DEC("\4host\3com\0", "test1:"));
+        printf("test2:'%s'\n", DNAME_DEC("\4host\3com\0\4host\3com\0", ""));
diff --git a/meta/recipes-core/busybox/busybox/CVE-2016-2147_2.patch b/meta/recipes-core/busybox/busybox/CVE-2016-2147_2.patch
new file mode 100644
index 0000000000..1473d46035
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2016-2147_2.patch
@@ -0,0 +1,32 @@
+From 1b7c17391de66502dd7a97c866e0a33681edbb1f Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Fri, 11 Mar 2016 00:26:58 +0100
+Subject: [PATCH] udhcpc: fix a warning in debug code
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+Upsteam-Status: Backport
+CVE: CVE-2016-2147 regression fix
+https://git.busybox.net/busybox/commit/?id=1b7c17
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ networking/udhcp/domain_codec.c | 1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/networking/udhcp/domain_codec.c b/networking/udhcp/domain_codec.c
+index cee31f1..5a923cc 100644
+--- a/networking/udhcp/domain_codec.c
+++ b/networking/udhcp/domain_codec.c
+@@ -7,6 +7,7 @@
+  * Licensed under GPLv2 or later, see file LICENSE in this source tree.
+  */
+ #ifdef DNS_COMPR_TESTING
+# define _GNU_SOURCE
+ # define FAST_FUNC /* nothing */
+ # define xmalloc malloc
+ # include <stdlib.h>
+-- 
+2.3.5
diff --git a/meta/recipes-core/busybox/busybox_1.24.1.bb b/meta/recipes-core/busybox/busybox_1.24.1.bb
index 61fc878697..82fc64f326 100644
--- a/meta/recipes-core/busybox/busybox_1.24.1.bb
+++ b/meta/recipes-core/busybox/busybox_1.24.1.bb
@@ -45,6 +45,8 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
           file://rcK \
           file://runlevel \
           file://CVE-2016-2148.patch \
+           file://CVE-2016-2147.patch \
+           file://CVE-2016-2147_2.patch \
 "
 SRC_URI_append_libc-musl = " file://musl.cfg "
author	Armin Kuster <akuster@mvista.com>	2016-04-27 17:47:22 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2016-04-29 07:41:43 +0100
commit	9f3d7ae8f6329a92018aae82211b51e3b14b2bea (patch)
tree	1fd2eb8c6d8cf939952413d495d69224abc78881 /meta/recipes-core
parent	2928ca48e98f064aacf8c121a2425224c83596a5 (diff)
download	poky-9f3d7ae8f6329a92018aae82211b51e3b14b2bea.tar.gz

diff --git a/meta/recipes-core/busybox/busybox/CVE-2016-2147.patch b/meta/recipes-core/busybox/busybox/CVE-2016-2147.patch new file mode 100644 index 0000000000..84cae6aa2c --- /dev/null +++ b/meta/recipes-core/busybox/busybox/CVE-2016-2147.patch
@@ -0,0 +1,57 @@
		1	From d474ffc68290e0a83651c4432eeabfa62cd51e87 Mon Sep 17 00:00:00 2001
		2	From: Denys Vlasenko <vda.linux@googlemail.com>
		3	Date: Thu, 10 Mar 2016 11:47:58 +0100
		4	Subject: [PATCH] udhcp: fix a SEGV on malformed RFC1035-encoded domain name
		5
		6	Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
		7
		8	Upstream-Status: Backport
		9	CVE: CVE-2016-2147
		10
		11	https://git.busybox.net/busybox/commit/?id=d474ffc
		12	Signed-off-by: Armin Kuster <akuster@mvista.com>
		13
		14	---
		15	networking/udhcp/domain_codec.c \| 13 +++++++++----
		16	1 file changed, 9 insertions(+), 4 deletions(-)
		17
		18	Index: busybox-1.23.2/networking/udhcp/domain_codec.c
		19	===================================================================
		20	--- busybox-1.23.2.orig/networking/udhcp/domain_codec.c
		21	+++ busybox-1.23.2/networking/udhcp/domain_codec.c
		22	@@ -63,11 +63,10 @@ char* FAST_FUNC dname_dec(const uint8_t
		23	if (crtpos + c + 1 > clen) / label too long? abort */
		24	return NULL;
		25	if (dst)
		26	- memcpy(dst + len, c + 1, *c);
		27	+ /* \3com ---> "com." */
		28	+ ((char)mempcpy(dst + len, c + 1, c))[0] = '.';
		29	len += *c + 1;
		30	crtpos += *c + 1;
		31	- if (dst)
		32	- dst[len - 1] = '.';
		33	} else {
		34	/* NUL: end of current domain name */
		35	if (retpos == 0) {
		36	@@ -78,7 +77,10 @@ char* FAST_FUNC dname_dec(const uint8_t
		37	crtpos = retpos;
		38	retpos = depth = 0;
		39	}
		40	- if (dst)
		41	+ if (dst && len != 0)
		42	+ /* \4host\3com\0\4host and we are at \0:
		43	+ * \3com was converted to "com.", change dot to space.
		44	+ */
		45	dst[len - 1] = ' ';
		46	}
		47
		48	@@ -228,6 +230,9 @@ int main(int argc, char **argv)
		49	int len;
		50	uint8_t *encoded;
		51
		52	+ uint8_t str[6] = { 0x00, 0x00, 0x02, 0x65, 0x65, 0x00 };
		53	+ printf("NUL:'%s'\n", dname_dec(str, 6, ""));
		54	+
		55	#define DNAME_DEC(encoded,pre) dname_dec((uint8_t*)(encoded), sizeof(encoded), (pre))
		56	printf("'%s'\n", DNAME_DEC("\4host\3com\0", "test1:"));
		57	printf("test2:'%s'\n", DNAME_DEC("\4host\3com\0\4host\3com\0", ""));


diff --git a/meta/recipes-core/busybox/busybox/CVE-2016-2147_2.patch b/meta/recipes-core/busybox/busybox/CVE-2016-2147_2.patch new file mode 100644 index 0000000000..1473d46035 --- /dev/null +++ b/meta/recipes-core/busybox/busybox/CVE-2016-2147_2.patch
@@ -0,0 +1,32 @@
		1	From 1b7c17391de66502dd7a97c866e0a33681edbb1f Mon Sep 17 00:00:00 2001
		2	From: Denys Vlasenko <vda.linux@googlemail.com>
		3	Date: Fri, 11 Mar 2016 00:26:58 +0100
		4	Subject: [PATCH] udhcpc: fix a warning in debug code
		5
		6	Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
		7	Upsteam-Status: Backport
		8	CVE: CVE-2016-2147 regression fix
		9
		10	https://git.busybox.net/busybox/commit/?id=1b7c17
		11
		12	Signed-off-by: Armin Kuster <akuster@mvista.com>
		13
		14	---
		15	networking/udhcp/domain_codec.c \| 1 +
		16	1 file changed, 1 insertion(+)
		17
		18	diff --git a/networking/udhcp/domain_codec.c b/networking/udhcp/domain_codec.c
		19	index cee31f1..5a923cc 100644
		20	--- a/networking/udhcp/domain_codec.c
		21	+++ b/networking/udhcp/domain_codec.c
		22	@@ -7,6 +7,7 @@
		23	* Licensed under GPLv2 or later, see file LICENSE in this source tree.
		24	*/
		25	#ifdef DNS_COMPR_TESTING
		26	+# define _GNU_SOURCE
		27	# define FAST_FUNC /* nothing */
		28	# define xmalloc malloc
		29	# include <stdlib.h>
		30	--
		31	2.3.5
		32


diff --git a/meta/recipes-core/busybox/busybox_1.24.1.bb b/meta/recipes-core/busybox/busybox_1.24.1.bb index 61fc878697..82fc64f326 100644 --- a/meta/recipes-core/busybox/busybox_1.24.1.bb +++ b/meta/recipes-core/busybox/busybox_1.24.1.bb
@@ -45,6 +45,8 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
45	file://rcK \	45	file://rcK \
46	file://runlevel \	46	file://runlevel \
47	file://CVE-2016-2148.patch \	47	file://CVE-2016-2148.patch \
		48	file://CVE-2016-2147.patch \
		49	file://CVE-2016-2147_2.patch \
48	"	50	"
49	SRC_URI_append_libc-musl = " file://musl.cfg "	51	SRC_URI_append_libc-musl = " file://musl.cfg "
50		52