summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--meta/recipes-core/busybox/busybox/CVE-2016-2147.patch57
-rw-r--r--meta/recipes-core/busybox/busybox/CVE-2016-2147_2.patch32
-rw-r--r--meta/recipes-core/busybox/busybox_1.23.2.bb2
3 files changed, 91 insertions, 0 deletions
diff --git a/meta/recipes-core/busybox/busybox/CVE-2016-2147.patch b/meta/recipes-core/busybox/busybox/CVE-2016-2147.patch
new file mode 100644
index 0000000000..84cae6aa2c
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2016-2147.patch
@@ -0,0 +1,57 @@
1From d474ffc68290e0a83651c4432eeabfa62cd51e87 Mon Sep 17 00:00:00 2001
2From: Denys Vlasenko <vda.linux@googlemail.com>
3Date: Thu, 10 Mar 2016 11:47:58 +0100
4Subject: [PATCH] udhcp: fix a SEGV on malformed RFC1035-encoded domain name
5
6Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
7
8Upstream-Status: Backport
9CVE: CVE-2016-2147
10
11https://git.busybox.net/busybox/commit/?id=d474ffc
12Signed-off-by: Armin Kuster <akuster@mvista.com>
13
14---
15 networking/udhcp/domain_codec.c | 13 +++++++++----
16 1 file changed, 9 insertions(+), 4 deletions(-)
17
18Index: busybox-1.23.2/networking/udhcp/domain_codec.c
19===================================================================
20--- busybox-1.23.2.orig/networking/udhcp/domain_codec.c
21+++ busybox-1.23.2/networking/udhcp/domain_codec.c
22@@ -63,11 +63,10 @@ char* FAST_FUNC dname_dec(const uint8_t
23 if (crtpos + *c + 1 > clen) /* label too long? abort */
24 return NULL;
25 if (dst)
26- memcpy(dst + len, c + 1, *c);
27+ /* \3com ---> "com." */
28+ ((char*)mempcpy(dst + len, c + 1, *c))[0] = '.';
29 len += *c + 1;
30 crtpos += *c + 1;
31- if (dst)
32- dst[len - 1] = '.';
33 } else {
34 /* NUL: end of current domain name */
35 if (retpos == 0) {
36@@ -78,7 +77,10 @@ char* FAST_FUNC dname_dec(const uint8_t
37 crtpos = retpos;
38 retpos = depth = 0;
39 }
40- if (dst)
41+ if (dst && len != 0)
42+ /* \4host\3com\0\4host and we are at \0:
43+ * \3com was converted to "com.", change dot to space.
44+ */
45 dst[len - 1] = ' ';
46 }
47
48@@ -228,6 +230,9 @@ int main(int argc, char **argv)
49 int len;
50 uint8_t *encoded;
51
52+ uint8_t str[6] = { 0x00, 0x00, 0x02, 0x65, 0x65, 0x00 };
53+ printf("NUL:'%s'\n", dname_dec(str, 6, ""));
54+
55 #define DNAME_DEC(encoded,pre) dname_dec((uint8_t*)(encoded), sizeof(encoded), (pre))
56 printf("'%s'\n", DNAME_DEC("\4host\3com\0", "test1:"));
57 printf("test2:'%s'\n", DNAME_DEC("\4host\3com\0\4host\3com\0", ""));
diff --git a/meta/recipes-core/busybox/busybox/CVE-2016-2147_2.patch b/meta/recipes-core/busybox/busybox/CVE-2016-2147_2.patch
new file mode 100644
index 0000000000..1473d46035
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2016-2147_2.patch
@@ -0,0 +1,32 @@
1From 1b7c17391de66502dd7a97c866e0a33681edbb1f Mon Sep 17 00:00:00 2001
2From: Denys Vlasenko <vda.linux@googlemail.com>
3Date: Fri, 11 Mar 2016 00:26:58 +0100
4Subject: [PATCH] udhcpc: fix a warning in debug code
5
6Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
7Upsteam-Status: Backport
8CVE: CVE-2016-2147 regression fix
9
10https://git.busybox.net/busybox/commit/?id=1b7c17
11
12Signed-off-by: Armin Kuster <akuster@mvista.com>
13
14---
15 networking/udhcp/domain_codec.c | 1 +
16 1 file changed, 1 insertion(+)
17
18diff --git a/networking/udhcp/domain_codec.c b/networking/udhcp/domain_codec.c
19index cee31f1..5a923cc 100644
20--- a/networking/udhcp/domain_codec.c
21+++ b/networking/udhcp/domain_codec.c
22@@ -7,6 +7,7 @@
23 * Licensed under GPLv2 or later, see file LICENSE in this source tree.
24 */
25 #ifdef DNS_COMPR_TESTING
26+# define _GNU_SOURCE
27 # define FAST_FUNC /* nothing */
28 # define xmalloc malloc
29 # include <stdlib.h>
30--
312.3.5
32
diff --git a/meta/recipes-core/busybox/busybox_1.23.2.bb b/meta/recipes-core/busybox/busybox_1.23.2.bb
index 955de9c907..7ffa99b0d2 100644
--- a/meta/recipes-core/busybox/busybox_1.23.2.bb
+++ b/meta/recipes-core/busybox/busybox_1.23.2.bb
@@ -42,6 +42,8 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
42 file://sha256sum.cfg \ 42 file://sha256sum.cfg \
43 file://getopts.cfg \ 43 file://getopts.cfg \
44 file://CVE-2016-2148.patch \ 44 file://CVE-2016-2148.patch \
45 file://CVE-2016-2147.patch \
46 file://CVE-2016-2147_2.patch \
45" 47"
46 48
47SRC_URI[tarball.md5sum] = "7925683d7dd105aabe9b6b618d48cc73" 49SRC_URI[tarball.md5sum] = "7925683d7dd105aabe9b6b618d48cc73"