2 files changed, 38 insertions, 0 deletions
diff --git a/meta/recipes-core/busybox/busybox/CVE-2016-6301.patch b/meta/recipes-core/busybox/busybox/CVE-2016-6301.patch
new file mode 100644
index 0000000000..851bc20f79
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2016-6301.patch
@@ -0,0 +1,37 @@
+busybox1.24.1: Fix CVE-2016-6301
+[No upstream tracking] -- https://bugzilla.redhat.com/show_bug.cgi?id=1363710
+ntpd: NTP server denial of service flaw
+The busybox NTP implementation doesn't check the NTP mode of packets
+received on the server port and responds to any packet with the right
+size. This includes responses from another NTP server. An attacker can
+send a packet with a spoofed source address in order to create an
+infinite loop of responses between two busybox NTP servers. Adding
+more packets to the loop increases the traffic between the servers
+until one of them has a fully loaded CPU and/or network.
+Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=150dc7a2b483b8338a3e185c478b4b23ee884e71]
+CVE: CVE-2016-6301
+Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
+Signed-off-by: Pascal Bach <pascal.bach@siemens.com>
+diff --git a/networking/ntpd.c b/networking/ntpd.c
+index 9732c9b..0f6a55f 100644
+--- a/networking/ntpd.c
+++ b/networking/ntpd.c
+@@ -1985,6 +1985,13 @@ recv_and_process_client_pkt(void /*int fd*/)
+                goto bail;
+        }
+ 
+       /* Respond only to client and symmetric active packets */
+       if ((msg.m_status & MODE_MASK) != MODE_CLIENT
+        && (msg.m_status & MODE_MASK) != MODE_SYM_ACT
+       ) {
+               goto bail;
+       }
+
+        query_status = msg.m_status;
+        query_xmttime = msg.m_xmttime;
+ 
diff --git a/meta/recipes-core/busybox/busybox_1.24.1.bb b/meta/recipes-core/busybox/busybox_1.24.1.bb
index 41fc64175e..6013ec9e5d 100644
--- a/meta/recipes-core/busybox/busybox_1.24.1.bb
+++ b/meta/recipes-core/busybox/busybox_1.24.1.bb
@@ -47,6 +47,7 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
           file://CVE-2016-2148.patch \
           file://CVE-2016-2147.patch \
           file://CVE-2016-2147_2.patch \
+           file://CVE-2016-6301.patch \
           file://ip_fix_problem_on_mips64_n64_big_endian_musl_systems.patch \
           file://makefile-fix-backport.patch \
           file://0001-sed-fix-sed-n-flushes-pattern-space-terminates-early.patch \

diff --git a/meta/recipes-core/busybox/busybox/CVE-2016-6301.patch b/meta/recipes-core/busybox/busybox/CVE-2016-6301.patch new file mode 100644 index 0000000000..851bc20f79 --- /dev/null +++ b/meta/recipes-core/busybox/busybox/CVE-2016-6301.patch
@@ -0,0 +1,37 @@
		1	busybox1.24.1: Fix CVE-2016-6301
		2
		3	[No upstream tracking] -- https://bugzilla.redhat.com/show_bug.cgi?id=1363710
		4
		5	ntpd: NTP server denial of service flaw
		6
		7	The busybox NTP implementation doesn't check the NTP mode of packets
		8	received on the server port and responds to any packet with the right
		9	size. This includes responses from another NTP server. An attacker can
		10	send a packet with a spoofed source address in order to create an
		11	infinite loop of responses between two busybox NTP servers. Adding
		12	more packets to the loop increases the traffic between the servers
		13	until one of them has a fully loaded CPU and/or network.
		14
		15	Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=150dc7a2b483b8338a3e185c478b4b23ee884e71]
		16	CVE: CVE-2016-6301
		17	Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
		18	Signed-off-by: Pascal Bach <pascal.bach@siemens.com>
		19
		20	diff --git a/networking/ntpd.c b/networking/ntpd.c
		21	index 9732c9b..0f6a55f 100644
		22	--- a/networking/ntpd.c
		23	+++ b/networking/ntpd.c
		24	@@ -1985,6 +1985,13 @@ recv_and_process_client_pkt(void /int fd/)
		25	goto bail;
		26	}
		27
		28	+ /* Respond only to client and symmetric active packets */
		29	+ if ((msg.m_status & MODE_MASK) != MODE_CLIENT
		30	+ && (msg.m_status & MODE_MASK) != MODE_SYM_ACT
		31	+ ) {
		32	+ goto bail;
		33	+ }
		34	+
		35	query_status = msg.m_status;
		36	query_xmttime = msg.m_xmttime;
		37


diff --git a/meta/recipes-core/busybox/busybox_1.24.1.bb b/meta/recipes-core/busybox/busybox_1.24.1.bb index 41fc64175e..6013ec9e5d 100644 --- a/meta/recipes-core/busybox/busybox_1.24.1.bb +++ b/meta/recipes-core/busybox/busybox_1.24.1.bb
@@ -47,6 +47,7 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
47	file://CVE-2016-2148.patch \	47	file://CVE-2016-2148.patch \
48	file://CVE-2016-2147.patch \	48	file://CVE-2016-2147.patch \
49	file://CVE-2016-2147_2.patch \	49	file://CVE-2016-2147_2.patch \
		50	file://CVE-2016-6301.patch \
50	file://ip_fix_problem_on_mips64_n64_big_endian_musl_systems.patch \	51	file://ip_fix_problem_on_mips64_n64_big_endian_musl_systems.patch \
51	file://makefile-fix-backport.patch \	52	file://makefile-fix-backport.patch \
52	file://0001-sed-fix-sed-n-flushes-pattern-space-terminates-early.patch \	53	file://0001-sed-fix-sed-n-flushes-pattern-space-terminates-early.patch \