busybox: Security fix CVE-2016-2147

busybox <= 1.24.2 (From OE-Core rev: 0a977091a4a5ee925b44c60bc4b13557696afadb) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2016-04-27 13:29:51 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2016-05-14 09:40:16 +0100
commit: ae691815c8aaa2bd53b9a0b8a20217f377c604b9 (patch)
tree: d4f5e41271b8b12cc312b8f311c1a7ccbfb3f0c1 /meta
parent: ba15486e27410ebf2a22c687a1b0ac4ffa15726b (diff)
download: poky-ae691815c8aaa2bd53b9a0b8a20217f377c604b9.tar.gz
3 files changed, 91 insertions, 0 deletions
diff --git a/meta/recipes-core/busybox/busybox/CVE-2016-2147.patch b/meta/recipes-core/busybox/busybox/CVE-2016-2147.patch
new file mode 100644
index 0000000000..84cae6aa2c
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2016-2147.patch
@@ -0,0 +1,57 @@
+From d474ffc68290e0a83651c4432eeabfa62cd51e87 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Thu, 10 Mar 2016 11:47:58 +0100
+Subject: [PATCH] udhcp: fix a SEGV on malformed RFC1035-encoded domain name
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+Upstream-Status: Backport
+CVE: CVE-2016-2147
+https://git.busybox.net/busybox/commit/?id=d474ffc
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ networking/udhcp/domain_codec.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+Index: busybox-1.23.2/networking/udhcp/domain_codec.c
+===================================================================
+--- busybox-1.23.2.orig/networking/udhcp/domain_codec.c
+++ busybox-1.23.2/networking/udhcp/domain_codec.c
+@@ -63,11 +63,10 @@ char* FAST_FUNC dname_dec(const uint8_t
+                                if (crtpos + *c + 1 > clen) /* label too long? abort */
+                                        return NULL;
+                                if (dst)
+-                                       memcpy(dst + len, c + 1, *c);
+                                       /* \3com ---> "com." */
+                                       ((char*)mempcpy(dst + len, c + 1, *c))[0] = '.';
+                                len += *c + 1;
+                                crtpos += *c + 1;
+-                               if (dst)
+-                                       dst[len - 1] = '.';
+                        } else {
+                                /* NUL: end of current domain name */
+                                if (retpos == 0) {
+@@ -78,7 +77,10 @@ char* FAST_FUNC dname_dec(const uint8_t
+                                        crtpos = retpos;
+                                        retpos = depth = 0;
+                                }
+-                               if (dst)
+                               if (dst && len != 0)
+                                       /* \4host\3com\0\4host and we are at \0:
+                                        * \3com was converted to "com.", change dot to space.
+                                        */
+                                        dst[len - 1] = ' ';
+                        }
+ 
+@@ -228,6 +230,9 @@ int main(int argc, char **argv)
+        int len;
+        uint8_t *encoded;
+ 
+        uint8_t str[6] = { 0x00, 0x00, 0x02, 0x65, 0x65, 0x00 };
+        printf("NUL:'%s'\n",   dname_dec(str, 6, ""));
+
+ #define DNAME_DEC(encoded,pre) dname_dec((uint8_t*)(encoded), sizeof(encoded), (pre))
+        printf("'%s'\n",       DNAME_DEC("\4host\3com\0", "test1:"));
+        printf("test2:'%s'\n", DNAME_DEC("\4host\3com\0\4host\3com\0", ""));
diff --git a/meta/recipes-core/busybox/busybox/CVE-2016-2147_2.patch b/meta/recipes-core/busybox/busybox/CVE-2016-2147_2.patch
new file mode 100644
index 0000000000..1473d46035
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2016-2147_2.patch
@@ -0,0 +1,32 @@
+From 1b7c17391de66502dd7a97c866e0a33681edbb1f Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Fri, 11 Mar 2016 00:26:58 +0100
+Subject: [PATCH] udhcpc: fix a warning in debug code
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+Upsteam-Status: Backport
+CVE: CVE-2016-2147 regression fix
+https://git.busybox.net/busybox/commit/?id=1b7c17
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ networking/udhcp/domain_codec.c | 1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/networking/udhcp/domain_codec.c b/networking/udhcp/domain_codec.c
+index cee31f1..5a923cc 100644
+--- a/networking/udhcp/domain_codec.c
+++ b/networking/udhcp/domain_codec.c
+@@ -7,6 +7,7 @@
+  * Licensed under GPLv2 or later, see file LICENSE in this source tree.
+  */
+ #ifdef DNS_COMPR_TESTING
+# define _GNU_SOURCE
+ # define FAST_FUNC /* nothing */
+ # define xmalloc malloc
+ # include <stdlib.h>
+-- 
+2.3.5
diff --git a/meta/recipes-core/busybox/busybox_1.23.2.bb b/meta/recipes-core/busybox/busybox_1.23.2.bb
index 955de9c907..7ffa99b0d2 100644
--- a/meta/recipes-core/busybox/busybox_1.23.2.bb
+++ b/meta/recipes-core/busybox/busybox_1.23.2.bb
@@ -42,6 +42,8 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
           file://sha256sum.cfg \
           file://getopts.cfg \
           file://CVE-2016-2148.patch \
+           file://CVE-2016-2147.patch \
+           file://CVE-2016-2147_2.patch \
 "
 SRC_URI[tarball.md5sum] = "7925683d7dd105aabe9b6b618d48cc73"
author	Armin Kuster <akuster@mvista.com>	2016-04-27 13:29:51 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2016-05-14 09:40:16 +0100
commit	ae691815c8aaa2bd53b9a0b8a20217f377c604b9 (patch)
tree	d4f5e41271b8b12cc312b8f311c1a7ccbfb3f0c1 /meta
parent	ba15486e27410ebf2a22c687a1b0ac4ffa15726b (diff)
download	poky-ae691815c8aaa2bd53b9a0b8a20217f377c604b9.tar.gz

diff --git a/meta/recipes-core/busybox/busybox/CVE-2016-2147.patch b/meta/recipes-core/busybox/busybox/CVE-2016-2147.patch new file mode 100644 index 0000000000..84cae6aa2c --- /dev/null +++ b/meta/recipes-core/busybox/busybox/CVE-2016-2147.patch
@@ -0,0 +1,57 @@
		1	From d474ffc68290e0a83651c4432eeabfa62cd51e87 Mon Sep 17 00:00:00 2001
		2	From: Denys Vlasenko <vda.linux@googlemail.com>
		3	Date: Thu, 10 Mar 2016 11:47:58 +0100
		4	Subject: [PATCH] udhcp: fix a SEGV on malformed RFC1035-encoded domain name
		5
		6	Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
		7
		8	Upstream-Status: Backport
		9	CVE: CVE-2016-2147
		10
		11	https://git.busybox.net/busybox/commit/?id=d474ffc
		12	Signed-off-by: Armin Kuster <akuster@mvista.com>
		13
		14	---
		15	networking/udhcp/domain_codec.c \| 13 +++++++++----
		16	1 file changed, 9 insertions(+), 4 deletions(-)
		17
		18	Index: busybox-1.23.2/networking/udhcp/domain_codec.c
		19	===================================================================
		20	--- busybox-1.23.2.orig/networking/udhcp/domain_codec.c
		21	+++ busybox-1.23.2/networking/udhcp/domain_codec.c
		22	@@ -63,11 +63,10 @@ char* FAST_FUNC dname_dec(const uint8_t
		23	if (crtpos + c + 1 > clen) / label too long? abort */
		24	return NULL;
		25	if (dst)
		26	- memcpy(dst + len, c + 1, *c);
		27	+ /* \3com ---> "com." */
		28	+ ((char)mempcpy(dst + len, c + 1, c))[0] = '.';
		29	len += *c + 1;
		30	crtpos += *c + 1;
		31	- if (dst)
		32	- dst[len - 1] = '.';
		33	} else {
		34	/* NUL: end of current domain name */
		35	if (retpos == 0) {
		36	@@ -78,7 +77,10 @@ char* FAST_FUNC dname_dec(const uint8_t
		37	crtpos = retpos;
		38	retpos = depth = 0;
		39	}
		40	- if (dst)
		41	+ if (dst && len != 0)
		42	+ /* \4host\3com\0\4host and we are at \0:
		43	+ * \3com was converted to "com.", change dot to space.
		44	+ */
		45	dst[len - 1] = ' ';
		46	}
		47
		48	@@ -228,6 +230,9 @@ int main(int argc, char **argv)
		49	int len;
		50	uint8_t *encoded;
		51
		52	+ uint8_t str[6] = { 0x00, 0x00, 0x02, 0x65, 0x65, 0x00 };
		53	+ printf("NUL:'%s'\n", dname_dec(str, 6, ""));
		54	+
		55	#define DNAME_DEC(encoded,pre) dname_dec((uint8_t*)(encoded), sizeof(encoded), (pre))
		56	printf("'%s'\n", DNAME_DEC("\4host\3com\0", "test1:"));
		57	printf("test2:'%s'\n", DNAME_DEC("\4host\3com\0\4host\3com\0", ""));


diff --git a/meta/recipes-core/busybox/busybox/CVE-2016-2147_2.patch b/meta/recipes-core/busybox/busybox/CVE-2016-2147_2.patch new file mode 100644 index 0000000000..1473d46035 --- /dev/null +++ b/meta/recipes-core/busybox/busybox/CVE-2016-2147_2.patch
@@ -0,0 +1,32 @@
		1	From 1b7c17391de66502dd7a97c866e0a33681edbb1f Mon Sep 17 00:00:00 2001
		2	From: Denys Vlasenko <vda.linux@googlemail.com>
		3	Date: Fri, 11 Mar 2016 00:26:58 +0100
		4	Subject: [PATCH] udhcpc: fix a warning in debug code
		5
		6	Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
		7	Upsteam-Status: Backport
		8	CVE: CVE-2016-2147 regression fix
		9
		10	https://git.busybox.net/busybox/commit/?id=1b7c17
		11
		12	Signed-off-by: Armin Kuster <akuster@mvista.com>
		13
		14	---
		15	networking/udhcp/domain_codec.c \| 1 +
		16	1 file changed, 1 insertion(+)
		17
		18	diff --git a/networking/udhcp/domain_codec.c b/networking/udhcp/domain_codec.c
		19	index cee31f1..5a923cc 100644
		20	--- a/networking/udhcp/domain_codec.c
		21	+++ b/networking/udhcp/domain_codec.c
		22	@@ -7,6 +7,7 @@
		23	* Licensed under GPLv2 or later, see file LICENSE in this source tree.
		24	*/
		25	#ifdef DNS_COMPR_TESTING
		26	+# define _GNU_SOURCE
		27	# define FAST_FUNC /* nothing */
		28	# define xmalloc malloc
		29	# include <stdlib.h>
		30	--
		31	2.3.5
		32


diff --git a/meta/recipes-core/busybox/busybox_1.23.2.bb b/meta/recipes-core/busybox/busybox_1.23.2.bb index 955de9c907..7ffa99b0d2 100644 --- a/meta/recipes-core/busybox/busybox_1.23.2.bb +++ b/meta/recipes-core/busybox/busybox_1.23.2.bb
@@ -42,6 +42,8 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
42	file://sha256sum.cfg \	42	file://sha256sum.cfg \
43	file://getopts.cfg \	43	file://getopts.cfg \
44	file://CVE-2016-2148.patch \	44	file://CVE-2016-2148.patch \
		45	file://CVE-2016-2147.patch \
		46	file://CVE-2016-2147_2.patch \
45	"	47	"
46		48
47	SRC_URI[tarball.md5sum] = "7925683d7dd105aabe9b6b618d48cc73"	49	SRC_URI[tarball.md5sum] = "7925683d7dd105aabe9b6b618d48cc73"