2 files changed, 482 insertions, 0 deletions
diff --git a/meta/recipes-core/busybox/busybox/CVE-2011-5325.patch b/meta/recipes-core/busybox/busybox/CVE-2011-5325.patch
new file mode 100755
index 0000000000..0926107bea
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2011-5325.patch
@@ -0,0 +1,481 @@
+busybox-1.27.2: Fix CVE-2011-5325
+[No upstream tracking] -- https://bugs.busybox.net/show_bug.cgi?id=8411
+libarchive: do not extract unsafe symlinks
+Prevent unsafe links extracting unless env variable $EXTRACT_UNSAFE_SYMLINKS=1
+is not set. Untarring file with -C DESTDIR parameter could be extracted with
+unwanted symlinks. This doesn't feel right, and IIRC GNU tar doesn't do that.
+Include necessary changes from previous commits.
+Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=bc9bbeb2b81001e8731cd2ae501c8fccc8d87cc7]
+CVE: CVE-2011-5325
+bug: 8411
+Signed-off-by: Radovan Scasny <radovan.scasny@siemens.com>
+Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
+diff --git a/archival/libarchive/Kbuild.src b/archival/libarchive/Kbuild.src
+index 942e755..e1a8a75 100644
+--- a/archival/libarchive/Kbuild.src
+++ b/archival/libarchive/Kbuild.src
+@@ -12,6 +12,8 @@ COMMON_FILES:= \
+        data_extract_all.o \
+        data_extract_to_stdout.o \
+ \
+       unsafe_symlink_target.o \
+\
+        filter_accept_all.o \
+        filter_accept_list.o \
+        filter_accept_reject_list.o \
+diff --git a/archival/libarchive/data_extract_all.c b/archival/libarchive/data_extract_all.c
+index 1830ffb..b828b65 100644
+--- a/archival/libarchive/data_extract_all.c
+++ b/archival/libarchive/data_extract_all.c
+@@ -128,10 +128,9 @@ void FAST_FUNC data_extract_all(archive_handle_t *archive_handle)
+                res = link(hard_link, dst_name);
+                if (res != 0 && !(archive_handle->ah_flags & ARCHIVE_EXTRACT_QUIET)) {
+                        /* shared message */
+-                       bb_perror_msg("can't create %slink "
+-                                       "%s to %s", "hard",
+-                                       dst_name,
+-                                       hard_link);
+                       bb_perror_msg("can't create %slink '%s' to '%s'",
+                                        "hard", dst_name, hard_link
+                       );
+                }
+                /* Hardlinks have no separate mode/ownership, skip chown/chmod */
+                goto ret;
+@@ -178,15 +177,17 @@ void FAST_FUNC data_extract_all(archive_handle_t *archive_handle)
+        case S_IFLNK:
+                /* Symlink */
+ //TODO: what if file_header->link_target == NULL (say, corrupted tarball?)
+-               res = symlink(file_header->link_target, dst_name);
+-               if (res != 0
+-                && !(archive_handle->ah_flags & ARCHIVE_EXTRACT_QUIET)
+-               ) {
+-                       /* shared message */
+-                       bb_perror_msg("can't create %slink "
+-                               "%s to %s", "sym",
+-                               dst_name,
+-                               file_header->link_target);
+               if (!unsafe_symlink_target(file_header->link_target)) {
+                       res = symlink(file_header->link_target, dst_name);
+                       if (res != 0
+                               && !(archive_handle->ah_flags & ARCHIVE_EXTRACT_QUIET)
+                       ) {
+                                               /* shared message */
+                                               bb_perror_msg("can't create %slink '%s' to '%s'",
+                                                       "sym",
+                                                       dst_name, file_header->link_target
+                                               );
+                       }
+                }
+                break;
+        case S_IFSOCK:
+diff --git a/archival/libarchive/unsafe_symlink_target.c b/archival/libarchive/unsafe_symlink_target.c
+new file mode 100644
+index 0000000..ee46e28
+--- /dev/null
+++ b/archival/libarchive/unsafe_symlink_target.c
+@@ -0,0 +1,48 @@
+/* vi: set sw=4 ts=4: */
+/*
+ * Licensed under GPLv2 or later, see file LICENSE in this source tree.
+ */
+#include "libbb.h"
+#include "bb_archive.h"
+
+int FAST_FUNC unsafe_symlink_target(const char *target)
+{
+       const char *dot;
+
+       if (target[0] == '/') {
+               const char *var;
+unsafe:
+               var = getenv("EXTRACT_UNSAFE_SYMLINKS");
+               if (var) {
+                       if (LONE_CHAR(var, '1'))
+                               return 0; /* pretend it's safe */
+                       return 1; /* "UNSAFE!" */
+               }
+               bb_error_msg("skipping unsafe symlink to '%s' in archive,"
+                       " set %s=1 to extract",
+                       target,
+                       "EXTRACT_UNSAFE_SYMLINKS"
+               );
+               /* Prevent further messages */
+               setenv("EXTRACT_UNSAFE_SYMLINKS", "0", 0);
+               return 1; /* "UNSAFE!" */
+       }
+
+       dot = target;
+       for (;;) {
+               dot = strchr(dot, '.');
+                       if (!dot)
+                               return 0; /* safe target */
+
+                       /* Is it a path component starting with ".."? */
+                       if ((dot[1] == '.')
+                               && (dot == target || dot[-1] == '/')
+                                       /* Is it exactly ".."? */
+                               && (dot[2] == '/' || dot[2] == '\0')
+                       ) {
+                               goto unsafe;
+                       }
+                       /* NB: it can even be trailing ".", should only add 1 */
+                       dot += 1;
+       }
+}
+\ No newline at end of file
+diff --git a/archival/unzip.c b/archival/unzip.c
+index 9037262..270e261 100644
+--- a/archival/unzip.c
+++ b/archival/unzip.c
+@@ -335,6 +335,44 @@ static void unzip_create_leading_dirs(const char *fn)
+        free(name);
+ }
+ 
+static void unzip_extract_symlink(zip_header_t *zip, const char *dst_fn)
+{
+       char *target;
+
+       if (zip->fmt.ucmpsize > 0xfff) /* no funny business please */
+               bb_error_msg_and_die("bad archive");
+
+       if (zip->fmt.method == 0) {
+               /* Method 0 - stored (not compressed) */
+               target = xzalloc(zip->fmt.ucmpsize + 1);
+               xread(zip_fd, target, zip->fmt.ucmpsize);
+       } else {
+#if 1
+               bb_error_msg_and_die("compressed symlink is not supported");
+#else
+               transformer_state_t xstate;
+               init_transformer_state(&xstate);
+               xstate.mem_output_size_max = zip->fmt.ucmpsize;
+               /* ...unpack... */
+               if (!xstate.mem_output_buf)
+                       WTF();
+               target = xstate.mem_output_buf;
+               target = xrealloc(target, xstate.mem_output_size + 1);
+               target[xstate.mem_output_size] = '\0';
+#endif
+       }
+       if (!unsafe_symlink_target(target)) {
+//TODO: libbb candidate
+               if (symlink(target, dst_fn)) {
+                       /* shared message */
+                       bb_perror_msg_and_die("can't create %slink '%s' to '%s'",
+                               "sym", dst_fn, target
+                       );
+               }
+       }
+       free(target);
+}
+
+ static void unzip_extract(zip_header_t *zip, int dst_fd)
+ {
+        transformer_state_t xstate;
+@@ -813,7 +851,7 @@ int unzip_main(int argc, char **argv)
+                }
+  check_file:
+                /* Extract file */
+-               if (stat(dst_fn, &stat_buf) == -1) {
+               if (lstat(dst_fn, &stat_buf) == -1) {
+                        /* File does not exist */
+                        if (errno != ENOENT) {
+                                bb_perror_msg_and_die("can't stat '%s'", dst_fn);
+@@ -834,6 +872,7 @@ int unzip_main(int argc, char **argv)
+                        goto do_open_and_extract;
+                printf("replace %s? [y]es, [n]o, [A]ll, [N]one, [r]ename: ", dst_fn);
+                my_fgets80(key_buf);
+//TODO: redo lstat + ISREG check! user input could have taken a long time!
+ 
+                switch (key_buf[0]) {
+                case 'A':
+@@ -842,7 +881,8 @@ int unzip_main(int argc, char **argv)
+  do_open_and_extract:
+                        unzip_create_leading_dirs(dst_fn);
+ #if ENABLE_FEATURE_UNZIP_CDF
+-                       dst_fd = xopen3(dst_fn, O_WRONLY | O_CREAT | O_TRUNC, file_mode);
+                       if (!S_ISLNK(file_mode))
+                               dst_fd = xopen3(dst_fn, O_WRONLY | O_CREAT | O_TRUNC, file_mode);
+ #else
+                        dst_fd = xopen(dst_fn, O_WRONLY | O_CREAT | O_TRUNC);
+ #endif
+@@ -852,10 +892,18 @@ int unzip_main(int argc, char **argv)
+                                        ? " extracting: %s\n"
+                                        : */ "  inflating: %s\n", dst_fn);
+                        }
+-                       unzip_extract(&zip, dst_fd);
+-                       if (dst_fd != STDOUT_FILENO) {
+-                               /* closing STDOUT is potentially bad for future business */
+-                               close(dst_fd);
+#if ENABLE_FEATURE_UNZIP_CDF
+                       if (S_ISLNK(file_mode)) {
+                               if (dst_fd != STDOUT_FILENO) /* no -p */
+                                       unzip_extract_symlink(&zip, dst_fn);
+                       } else
+#endif
+                       {
+                               unzip_extract(&zip, dst_fd);
+                               if (dst_fd != STDOUT_FILENO) {
+                                       /* closing STDOUT is potentially bad for future business */
+                                       close(dst_fd);
+                               };
+                        }
+                        break;
+ 
+diff --git a/coreutils/link.c b/coreutils/link.c
+index ac3ef85..aab249d 100644
+--- a/coreutils/link.c
+++ b/coreutils/link.c
+@@ -32,9 +32,8 @@ int link_main(int argc UNUSED_PARAM, char **argv)
+        argv += optind;
+        if (link(argv[0], argv[1]) != 0) {
+                /* shared message */
+-               bb_perror_msg_and_die("can't create %slink "
+-                                       "%s to %s", "hard",
+-                                       argv[1], argv[0]
+               bb_perror_msg_and_die("can't create %slink '%s' to '%s'",
+                                       "hard", argv[1], argv[0]
+                );
+        }
+        return EXIT_SUCCESS;
+diff --git a/include/bb_archive.h b/include/bb_archive.h
+index 2b9c5f0..1e4da3c 100644
+--- a/include/bb_archive.h
+++ b/include/bb_archive.h
+@@ -196,6 +196,7 @@ void seek_by_jump(int fd, off_t amount) FAST_FUNC;
+ void seek_by_read(int fd, off_t amount) FAST_FUNC;
+ 
+ const char *strip_unsafe_prefix(const char *str) FAST_FUNC;
+int unsafe_symlink_target(const char *target) FAST_FUNC;
+ 
+ void data_align(archive_handle_t *archive_handle, unsigned boundary) FAST_FUNC;
+ const llist_t *find_list_entry(const llist_t *list, const char *filename) FAST_FUNC;
+diff --git a/libbb/copy_file.c b/libbb/copy_file.c
+index 23c0f83..be90066 100644
+--- a/libbb/copy_file.c
+++ b/libbb/copy_file.c
+@@ -371,7 +371,10 @@ int FAST_FUNC copy_file(const char *source, const char *dest, int flags)
+                        int r = symlink(lpath, dest);
+                        free(lpath);
+                        if (r < 0) {
+-                               bb_perror_msg("can't create symlink '%s'", dest);
+                               /* shared message */
+                               bb_perror_msg("can't create %slink '%s' to '%s'",
+                                       "sym", dest, lpath
+                               );
+                                return -1;
+                        }
+                        if (flags & FILEUTILS_PRESERVE_STATUS)
+diff --git a/testsuite/tar.tests b/testsuite/tar.tests
+index 9f7ce15..b7cd74c 100755
+--- a/testsuite/tar.tests
+++ b/testsuite/tar.tests
+@@ -10,9 +10,6 @@ unset LC_COLLATE
+ unset LC_ALL
+ umask 022
+ 
+-rm -rf tar.tempdir 2>/dev/null
+-mkdir tar.tempdir && cd tar.tempdir || exit 1
+-
+ # testing "test name" "script" "expected result" "file input" "stdin"
+ 
+ testing "Empty file is not a tarball" '\
+@@ -53,6 +50,7 @@ dd if=/dev/zero bs=512 count=20 2>/dev/null | tar xvf - 2>&1; echo $?
+ "" ""
+ SKIP=
+ 
+mkdir tar.tempdir && cd tar.tempdir || exit 1
+ # "tar cf test.tar input input_dir/ input_hard1 input_hard2 input_hard1 input_dir/ input":
+ # GNU tar 1.26 records as hardlinks:
+ #  input_hard2 -> input_hard1
+@@ -64,7 +62,6 @@ SKIP=
+ # We also don't use "hrw-r--r--" notation for hardlinks in "tar tv" listing.
+ optional FEATURE_TAR_CREATE FEATURE_LS_SORTFILES
+ testing "tar hardlinks and repeated files" '\
+-rm -rf input_* test.tar 2>/dev/null
+ >input_hard1
+ ln input_hard1 input_hard2
+ mkdir input_dir
+@@ -95,10 +92,11 @@ drwxr-xr-x input_dir
+ " \
+ "" ""
+ SKIP=
+cd .. || exit 1; rm -rf tar.tempdir 2>/dev/null
+ 
+mkdir tar.tempdir && cd tar.tempdir || exit 1
+ optional FEATURE_TAR_CREATE FEATURE_LS_SORTFILES
+ testing "tar hardlinks mode" '\
+-rm -rf input_* test.tar 2>/dev/null
+ >input_hard1
+ chmod 741 input_hard1
+ ln input_hard1 input_hard2
+@@ -128,10 +126,11 @@ Ok: 0
+ " \
+ "" ""
+ SKIP=
+cd .. || exit 1; rm -rf tar.tempdir 2>/dev/null
+ 
+mkdir tar.tempdir && cd tar.tempdir || exit 1
+ optional FEATURE_TAR_CREATE FEATURE_LS_SORTFILES
+ testing "tar symlinks mode" '\
+-rm -rf input_* test.tar 2>/dev/null
+ >input_file
+ chmod 741 input_file
+ ln -s input_file input_soft
+@@ -159,10 +158,11 @@ lrwxrwxrwx input_file
+ " \
+ "" ""
+ SKIP=
+cd .. || exit 1; rm -rf tar.tempdir 2>/dev/null
+ 
+mkdir tar.tempdir && cd tar.tempdir || exit 1
+ optional FEATURE_TAR_CREATE FEATURE_TAR_LONG_OPTIONS
+ testing "tar --overwrite" "\
+-rm -rf input_* test.tar 2>/dev/null
+ ln input input_hard
+ tar cf test.tar input_hard
+ echo WRONG >input
+@@ -174,12 +174,13 @@ Ok
+ " \
+ "Ok\n" ""
+ SKIP=
+cd .. || exit 1; rm -rf tar.tempdir 2>/dev/null
+ 
+mkdir tar.tempdir && cd tar.tempdir || exit 1
+ test x"$SKIP_KNOWN_BUGS" = x"" && {
+ # Needs to be run under non-root for meaningful test
+ optional FEATURE_TAR_CREATE
+ testing "tar writing into read-only dir" '\
+-rm -rf input_* test.tar 2>/dev/null
+ mkdir input_dir
+ >input_dir/input_file
+ chmod 550 input_dir
+@@ -201,7 +202,9 @@ dr-xr-x--- input_dir
+ "" ""
+ SKIP=
+ }
+cd .. || exit 1; rm -rf tar.tempdir 2>/dev/null
+ 
+mkdir tar.tempdir && cd tar.tempdir || exit 1
+ # Had a bug where on extract autodetect first "switched off" -z
+ # and then failed to recognize .tgz extension
+ optional FEATURE_TAR_CREATE FEATURE_SEAMLESS_GZ GUNZIP
+@@ -217,7 +220,9 @@ Ok
+ " \
+ "" ""
+ SKIP=
+cd .. || exit 1; rm -rf tar.tempdir 2>/dev/null
+ 
+mkdir tar.tempdir && cd tar.tempdir || exit 1
+ # Do we detect XZ-compressed data (even w/o .tar.xz or txz extension)?
+ # (the uuencoded hello_world.txz contains one empty file named "hello_world")
+ optional UUDECODE FEATURE_TAR_AUTODETECT FEATURE_SEAMLESS_XZ
+@@ -236,7 +241,9 @@ AAAEWVo=
+ ====
+ "
+ SKIP=
+cd .. || exit 1; rm -rf tar.tempdir 2>/dev/null
+ 
+mkdir tar.tempdir && cd tar.tempdir || exit 1
+ # On extract, everything up to and including last ".." component is stripped
+ optional FEATURE_TAR_CREATE
+ testing "tar strips /../ on extract" "\
+@@ -255,7 +262,9 @@ Ok
+ " \
+ "" ""
+ SKIP=
+cd .. || exit 1; rm -rf tar.tempdir 2>/dev/null
+ 
+mkdir tar.tempdir && cd tar.tempdir || exit 1
+ # attack.tar.bz2 has symlink pointing to a system file
+ # followed by a regular file with the same name
+ # containing "root::0:0::/root:/bin/sh":
+@@ -270,6 +279,7 @@ optional UUDECODE FEATURE_TAR_AUTODETECT FEATURE_SEAMLESS_BZ2
+ testing "tar does not extract into symlinks" "\
+ >>/tmp/passwd && uudecode -o input && tar xf input 2>&1 && rm passwd; cat /tmp/passwd; echo \$?
+ " "\
+tar: skipping unsafe symlink to '/tmp/passwd' in archive, set EXTRACT_UNSAFE_SYMLINKS=1 to extract
+ 0
+ " \
+ "" "\
+@@ -281,12 +291,15 @@ l4/V8LDoe90yiWJhOJvIypgEfxdyRThQkBVn/bI=
+ ====
+ "
+ SKIP=
+cd .. || exit 1; rm -rf tar.tempdir 2>/dev/null
+
+mkdir tar.tempdir && cd tar.tempdir || exit 1
+ # And same with -k
+ optional UUDECODE FEATURE_TAR_AUTODETECT FEATURE_SEAMLESS_BZ2
+ testing "tar -k does not extract into symlinks" "\
+ >>/tmp/passwd && uudecode -o input && tar xf input -k 2>&1 && rm passwd; cat /tmp/passwd; echo \$?
+ " "\
+-tar: can't open 'passwd': File exists
+tar: skipping unsafe symlink to '/tmp/passwd' in archive, set EXTRACT_UNSAFE_SYMLINKS=1 to extract
+ 0
+ " \
+ "" "\
+@@ -298,7 +311,9 @@ l4/V8LDoe90yiWJhOJvIypgEfxdyRThQkBVn/bI=
+ ====
+ "
+ SKIP=
+cd .. || exit 1; rm -rf tar.tempdir 2>/dev/null
+ 
+mkdir tar.tempdir && cd tar.tempdir || exit 1
+ optional UNICODE_SUPPORT FEATURE_TAR_GNU_EXTENSIONS FEATURE_SEAMLESS_BZ2 FEATURE_TAR_AUTODETECT
+ testing "Pax-encoded UTF8 names and symlinks" '\
+ tar xvf ../tar.utf8.tar.bz2 2>&1; echo $?
+@@ -309,17 +324,45 @@ rm -rf etc usr
+ ' "\
+ etc/ssl/certs/3b2716e5.0
+ etc/ssl/certs/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.pem
+tar: skipping unsafe symlink to '/usr/share/ca-certificates/mozilla/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.crt' in archive, set EXTRACT_UNSAFE_SYMLINKS=1 to extract
+ etc/ssl/certs/f80cc7f6.0
+ usr/share/ca-certificates/mozilla/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.crt
+ 0
+ etc/ssl/certs/3b2716e5.0 -> EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.pem
+-etc/ssl/certs/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.pem -> /usr/share/ca-certificates/mozilla/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.crt
+ etc/ssl/certs/f80cc7f6.0 -> EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.pem
+ " \
+ "" ""
+ SKIP=
+cd .. || exit 1; rm -rf tar.tempdir 2>/dev/null
+ 
+-
+-cd .. && rm -rf tar.tempdir || exit 1
+mkdir tar.tempdir && cd tar.tempdir || exit 1
+optional UUDECODE FEATURE_SEAMLESS_BZ2 FEATURE_TAR_AUTODETECT
+testing "Symlink attack: create symlink and then write through it" '\
+exec 2>&1
+uudecode -o input && tar xvf input; echo $?
+ls /tmp/bb_test_evilfile
+ls bb_test_evilfile
+ls symlink/bb_test_evilfile
+' "\
+anything.txt
+symlink
+tar: skipping unsafe symlink to '/tmp' in archive, set EXTRACT_UNSAFE_SYMLINKS=1 to extract
+symlink/bb_test_evilfile
+0
+ls: /tmp/bb_test_evilfile: No such file or directory
+ls: bb_test_evilfile: No such file or directory
+symlink/bb_test_evilfile
+" \
+"" "\
+begin-base64 644 tar_symlink_attack.tar.bz2
+QlpoOTFBWSZTWZgs7bQAALT/hMmQAFBAAf+AEMAGJPPv32AAAIAIMAC5thlR
+omAjAmCMADQT1BqNE0AEwAAjAEwElTKeo9NTR6h6gaeoA0DQNLVdwZZ5iNTk
+AQwCAV6S00QFJYhrlfFkVCEDEGtgNVqYrI0uK3ggnt30gqk4e1TTQm5QIAKa
+SJqzRGSFLMmOloHSAcvLiFxxRiQtQZF+qPxbo173ZDISOAoNoPN4PQPhBhKS
+n8fYaKlioCTzL2oXYczyUUIP4u5IpwoSEwWdtoA=
+====
+"
+SKIP=
+cd .. || exit 1; rm -rf tar.tempdir 2>/dev/null
+ 
+ exit $FAILCOUNT
diff --git a/meta/recipes-core/busybox/busybox_1.27.2.bb b/meta/recipes-core/busybox/busybox_1.27.2.bb
index 47b4f48761..575127ec42 100644
--- a/meta/recipes-core/busybox/busybox_1.27.2.bb
+++ b/meta/recipes-core/busybox/busybox_1.27.2.bb
@@ -42,6 +42,7 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
           file://rcK \
           file://runlevel \
           file://makefile-libbb-race.patch \
+           file://CVE-2011-5325.patch \
 "
 SRC_URI_append_libc-musl = " file://musl.cfg "

diff --git a/meta/recipes-core/busybox/busybox/CVE-2011-5325.patch b/meta/recipes-core/busybox/busybox/CVE-2011-5325.patch new file mode 100755 index 0000000000..0926107bea --- /dev/null +++ b/meta/recipes-core/busybox/busybox/CVE-2011-5325.patch
@@ -0,0 +1,481 @@
		1	busybox-1.27.2: Fix CVE-2011-5325
		2
		3	[No upstream tracking] -- https://bugs.busybox.net/show_bug.cgi?id=8411
		4
		5	libarchive: do not extract unsafe symlinks
		6
		7	Prevent unsafe links extracting unless env variable $EXTRACT_UNSAFE_SYMLINKS=1
		8	is not set. Untarring file with -C DESTDIR parameter could be extracted with
		9	unwanted symlinks. This doesn't feel right, and IIRC GNU tar doesn't do that.
		10	Include necessary changes from previous commits.
		11
		12	Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=bc9bbeb2b81001e8731cd2ae501c8fccc8d87cc7]
		13	CVE: CVE-2011-5325
		14	bug: 8411
		15	Signed-off-by: Radovan Scasny <radovan.scasny@siemens.com>
		16	Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
		17
		18	diff --git a/archival/libarchive/Kbuild.src b/archival/libarchive/Kbuild.src
		19	index 942e755..e1a8a75 100644
		20	--- a/archival/libarchive/Kbuild.src
		21	+++ b/archival/libarchive/Kbuild.src
		22	@@ -12,6 +12,8 @@ COMMON_FILES:= \
		23	data_extract_all.o \
		24	data_extract_to_stdout.o \
		25	\
		26	+ unsafe_symlink_target.o \
		27	+\
		28	filter_accept_all.o \
		29	filter_accept_list.o \
		30	filter_accept_reject_list.o \
		31	diff --git a/archival/libarchive/data_extract_all.c b/archival/libarchive/data_extract_all.c
		32	index 1830ffb..b828b65 100644
		33	--- a/archival/libarchive/data_extract_all.c
		34	+++ b/archival/libarchive/data_extract_all.c
		35	@@ -128,10 +128,9 @@ void FAST_FUNC data_extract_all(archive_handle_t *archive_handle)
		36	res = link(hard_link, dst_name);
		37	if (res != 0 && !(archive_handle->ah_flags & ARCHIVE_EXTRACT_QUIET)) {
		38	/* shared message */
		39	- bb_perror_msg("can't create %slink "
		40	- "%s to %s", "hard",
		41	- dst_name,
		42	- hard_link);
		43	+ bb_perror_msg("can't create %slink '%s' to '%s'",
		44	+ "hard", dst_name, hard_link
		45	+ );
		46	}
		47	/* Hardlinks have no separate mode/ownership, skip chown/chmod */
		48	goto ret;
		49	@@ -178,15 +177,17 @@ void FAST_FUNC data_extract_all(archive_handle_t *archive_handle)
		50	case S_IFLNK:
		51	/* Symlink */
		52	//TODO: what if file_header->link_target == NULL (say, corrupted tarball?)
		53	- res = symlink(file_header->link_target, dst_name);
		54	- if (res != 0
		55	- && !(archive_handle->ah_flags & ARCHIVE_EXTRACT_QUIET)
		56	- ) {
		57	- /* shared message */
		58	- bb_perror_msg("can't create %slink "
		59	- "%s to %s", "sym",
		60	- dst_name,
		61	- file_header->link_target);
		62	+ if (!unsafe_symlink_target(file_header->link_target)) {
		63	+ res = symlink(file_header->link_target, dst_name);
		64	+ if (res != 0
		65	+ && !(archive_handle->ah_flags & ARCHIVE_EXTRACT_QUIET)
		66	+ ) {
		67	+ /* shared message */
		68	+ bb_perror_msg("can't create %slink '%s' to '%s'",
		69	+ "sym",
		70	+ dst_name, file_header->link_target
		71	+ );
		72	+ }
		73	}
		74	break;
		75	case S_IFSOCK:
		76	diff --git a/archival/libarchive/unsafe_symlink_target.c b/archival/libarchive/unsafe_symlink_target.c
		77	new file mode 100644
		78	index 0000000..ee46e28
		79	--- /dev/null
		80	+++ b/archival/libarchive/unsafe_symlink_target.c
		81	@@ -0,0 +1,48 @@
		82	+/* vi: set sw=4 ts=4: */
		83	+/*
		84	+ * Licensed under GPLv2 or later, see file LICENSE in this source tree.
		85	+ */
		86	+#include "libbb.h"
		87	+#include "bb_archive.h"
		88	+
		89	+int FAST_FUNC unsafe_symlink_target(const char *target)
		90	+{
		91	+ const char *dot;
		92	+
		93	+ if (target[0] == '/') {
		94	+ const char *var;
		95	+unsafe:
		96	+ var = getenv("EXTRACT_UNSAFE_SYMLINKS");
		97	+ if (var) {
		98	+ if (LONE_CHAR(var, '1'))
		99	+ return 0; /* pretend it's safe */
		100	+ return 1; /* "UNSAFE!" */
		101	+ }
		102	+ bb_error_msg("skipping unsafe symlink to '%s' in archive,"
		103	+ " set %s=1 to extract",
		104	+ target,
		105	+ "EXTRACT_UNSAFE_SYMLINKS"
		106	+ );
		107	+ /* Prevent further messages */
		108	+ setenv("EXTRACT_UNSAFE_SYMLINKS", "0", 0);
		109	+ return 1; /* "UNSAFE!" */
		110	+ }
		111	+
		112	+ dot = target;
		113	+ for (;;) {
		114	+ dot = strchr(dot, '.');
		115	+ if (!dot)
		116	+ return 0; /* safe target */
		117	+
		118	+ /* Is it a path component starting with ".."? */
		119	+ if ((dot[1] == '.')
		120	+ && (dot == target \|\| dot[-1] == '/')
		121	+ /* Is it exactly ".."? */
		122	+ && (dot[2] == '/' \|\| dot[2] == '\0')
		123	+ ) {
		124	+ goto unsafe;
		125	+ }
		126	+ /* NB: it can even be trailing ".", should only add 1 */
		127	+ dot += 1;
		128	+ }
		129	+}
		130	\ No newline at end of file
		131	diff --git a/archival/unzip.c b/archival/unzip.c
		132	index 9037262..270e261 100644
		133	--- a/archival/unzip.c
		134	+++ b/archival/unzip.c
		135	@@ -335,6 +335,44 @@ static void unzip_create_leading_dirs(const char *fn)
		136	free(name);
		137	}
		138
		139	+static void unzip_extract_symlink(zip_header_t zip, const char dst_fn)
		140	+{
		141	+ char *target;
		142	+
		143	+ if (zip->fmt.ucmpsize > 0xfff) /* no funny business please */
		144	+ bb_error_msg_and_die("bad archive");
		145	+
		146	+ if (zip->fmt.method == 0) {
		147	+ /* Method 0 - stored (not compressed) */
		148	+ target = xzalloc(zip->fmt.ucmpsize + 1);
		149	+ xread(zip_fd, target, zip->fmt.ucmpsize);
		150	+ } else {
		151	+#if 1
		152	+ bb_error_msg_and_die("compressed symlink is not supported");
		153	+#else
		154	+ transformer_state_t xstate;
		155	+ init_transformer_state(&xstate);
		156	+ xstate.mem_output_size_max = zip->fmt.ucmpsize;
		157	+ /* ...unpack... */
		158	+ if (!xstate.mem_output_buf)
		159	+ WTF();
		160	+ target = xstate.mem_output_buf;
		161	+ target = xrealloc(target, xstate.mem_output_size + 1);
		162	+ target[xstate.mem_output_size] = '\0';
		163	+#endif
		164	+ }
		165	+ if (!unsafe_symlink_target(target)) {
		166	+//TODO: libbb candidate
		167	+ if (symlink(target, dst_fn)) {
		168	+ /* shared message */
		169	+ bb_perror_msg_and_die("can't create %slink '%s' to '%s'",
		170	+ "sym", dst_fn, target
		171	+ );
		172	+ }
		173	+ }
		174	+ free(target);
		175	+}
		176	+
		177	static void unzip_extract(zip_header_t *zip, int dst_fd)
		178	{
		179	transformer_state_t xstate;
		180	@@ -813,7 +851,7 @@ int unzip_main(int argc, char **argv)
		181	}
		182	check_file:
		183	/* Extract file */
		184	- if (stat(dst_fn, &stat_buf) == -1) {
		185	+ if (lstat(dst_fn, &stat_buf) == -1) {
		186	/* File does not exist */
		187	if (errno != ENOENT) {
		188	bb_perror_msg_and_die("can't stat '%s'", dst_fn);
		189	@@ -834,6 +872,7 @@ int unzip_main(int argc, char **argv)
		190	goto do_open_and_extract;
		191	printf("replace %s? [y]es, [n]o, [A]ll, [N]one, [r]ename: ", dst_fn);
		192	my_fgets80(key_buf);
		193	+//TODO: redo lstat + ISREG check! user input could have taken a long time!
		194
		195	switch (key_buf[0]) {
		196	case 'A':
		197	@@ -842,7 +881,8 @@ int unzip_main(int argc, char **argv)
		198	do_open_and_extract:
		199	unzip_create_leading_dirs(dst_fn);
		200	#if ENABLE_FEATURE_UNZIP_CDF
		201	- dst_fd = xopen3(dst_fn, O_WRONLY \| O_CREAT \| O_TRUNC, file_mode);
		202	+ if (!S_ISLNK(file_mode))
		203	+ dst_fd = xopen3(dst_fn, O_WRONLY \| O_CREAT \| O_TRUNC, file_mode);
		204	#else
		205	dst_fd = xopen(dst_fn, O_WRONLY \| O_CREAT \| O_TRUNC);
		206	#endif
		207	@@ -852,10 +892,18 @@ int unzip_main(int argc, char **argv)
		208	? " extracting: %s\n"
		209	: */ " inflating: %s\n", dst_fn);
		210	}
		211	- unzip_extract(&zip, dst_fd);
		212	- if (dst_fd != STDOUT_FILENO) {
		213	- /* closing STDOUT is potentially bad for future business */
		214	- close(dst_fd);
		215	+#if ENABLE_FEATURE_UNZIP_CDF
		216	+ if (S_ISLNK(file_mode)) {
		217	+ if (dst_fd != STDOUT_FILENO) /* no -p */
		218	+ unzip_extract_symlink(&zip, dst_fn);
		219	+ } else
		220	+#endif
		221	+ {
		222	+ unzip_extract(&zip, dst_fd);
		223	+ if (dst_fd != STDOUT_FILENO) {
		224	+ /* closing STDOUT is potentially bad for future business */
		225	+ close(dst_fd);
		226	+ };
		227	}
		228	break;
		229
		230	diff --git a/coreutils/link.c b/coreutils/link.c
		231	index ac3ef85..aab249d 100644
		232	--- a/coreutils/link.c
		233	+++ b/coreutils/link.c
		234	@@ -32,9 +32,8 @@ int link_main(int argc UNUSED_PARAM, char **argv)
		235	argv += optind;
		236	if (link(argv[0], argv[1]) != 0) {
		237	/* shared message */
		238	- bb_perror_msg_and_die("can't create %slink "
		239	- "%s to %s", "hard",
		240	- argv[1], argv[0]
		241	+ bb_perror_msg_and_die("can't create %slink '%s' to '%s'",
		242	+ "hard", argv[1], argv[0]
		243	);
		244	}
		245	return EXIT_SUCCESS;
		246	diff --git a/include/bb_archive.h b/include/bb_archive.h
		247	index 2b9c5f0..1e4da3c 100644
		248	--- a/include/bb_archive.h
		249	+++ b/include/bb_archive.h
		250	@@ -196,6 +196,7 @@ void seek_by_jump(int fd, off_t amount) FAST_FUNC;
		251	void seek_by_read(int fd, off_t amount) FAST_FUNC;
		252
		253	const char strip_unsafe_prefix(const char str) FAST_FUNC;
		254	+int unsafe_symlink_target(const char *target) FAST_FUNC;
		255
		256	void data_align(archive_handle_t *archive_handle, unsigned boundary) FAST_FUNC;
		257	const llist_t find_list_entry(const llist_t list, const char *filename) FAST_FUNC;
		258	diff --git a/libbb/copy_file.c b/libbb/copy_file.c
		259	index 23c0f83..be90066 100644
		260	--- a/libbb/copy_file.c
		261	+++ b/libbb/copy_file.c
		262	@@ -371,7 +371,10 @@ int FAST_FUNC copy_file(const char source, const char dest, int flags)
		263	int r = symlink(lpath, dest);
		264	free(lpath);
		265	if (r < 0) {
		266	- bb_perror_msg("can't create symlink '%s'", dest);
		267	+ /* shared message */
		268	+ bb_perror_msg("can't create %slink '%s' to '%s'",
		269	+ "sym", dest, lpath
		270	+ );
		271	return -1;
		272	}
		273	if (flags & FILEUTILS_PRESERVE_STATUS)
		274	diff --git a/testsuite/tar.tests b/testsuite/tar.tests
		275	index 9f7ce15..b7cd74c 100755
		276	--- a/testsuite/tar.tests
		277	+++ b/testsuite/tar.tests
		278	@@ -10,9 +10,6 @@ unset LC_COLLATE
		279	unset LC_ALL
		280	umask 022
		281
		282	-rm -rf tar.tempdir 2>/dev/null
		283	-mkdir tar.tempdir && cd tar.tempdir \|\| exit 1
		284	-
		285	# testing "test name" "script" "expected result" "file input" "stdin"
		286
		287	testing "Empty file is not a tarball" '\
		288	@@ -53,6 +50,7 @@ dd if=/dev/zero bs=512 count=20 2>/dev/null \| tar xvf - 2>&1; echo $?
		289	"" ""
		290	SKIP=
		291
		292	+mkdir tar.tempdir && cd tar.tempdir \|\| exit 1
		293	# "tar cf test.tar input input_dir/ input_hard1 input_hard2 input_hard1 input_dir/ input":
		294	# GNU tar 1.26 records as hardlinks:
		295	# input_hard2 -> input_hard1
		296	@@ -64,7 +62,6 @@ SKIP=
		297	# We also don't use "hrw-r--r--" notation for hardlinks in "tar tv" listing.
		298	optional FEATURE_TAR_CREATE FEATURE_LS_SORTFILES
		299	testing "tar hardlinks and repeated files" '\
		300	-rm -rf input_* test.tar 2>/dev/null
		301	>input_hard1
		302	ln input_hard1 input_hard2
		303	mkdir input_dir
		304	@@ -95,10 +92,11 @@ drwxr-xr-x input_dir
		305	" \
		306	"" ""
		307	SKIP=
		308	+cd .. \|\| exit 1; rm -rf tar.tempdir 2>/dev/null
		309
		310	+mkdir tar.tempdir && cd tar.tempdir \|\| exit 1
		311	optional FEATURE_TAR_CREATE FEATURE_LS_SORTFILES
		312	testing "tar hardlinks mode" '\
		313	-rm -rf input_* test.tar 2>/dev/null
		314	>input_hard1
		315	chmod 741 input_hard1
		316	ln input_hard1 input_hard2
		317	@@ -128,10 +126,11 @@ Ok: 0
		318	" \
		319	"" ""
		320	SKIP=
		321	+cd .. \|\| exit 1; rm -rf tar.tempdir 2>/dev/null
		322
		323	+mkdir tar.tempdir && cd tar.tempdir \|\| exit 1
		324	optional FEATURE_TAR_CREATE FEATURE_LS_SORTFILES
		325	testing "tar symlinks mode" '\
		326	-rm -rf input_* test.tar 2>/dev/null
		327	>input_file
		328	chmod 741 input_file
		329	ln -s input_file input_soft
		330	@@ -159,10 +158,11 @@ lrwxrwxrwx input_file
		331	" \
		332	"" ""
		333	SKIP=
		334	+cd .. \|\| exit 1; rm -rf tar.tempdir 2>/dev/null
		335
		336	+mkdir tar.tempdir && cd tar.tempdir \|\| exit 1
		337	optional FEATURE_TAR_CREATE FEATURE_TAR_LONG_OPTIONS
		338	testing "tar --overwrite" "\
		339	-rm -rf input_* test.tar 2>/dev/null
		340	ln input input_hard
		341	tar cf test.tar input_hard
		342	echo WRONG >input
		343	@@ -174,12 +174,13 @@ Ok
		344	" \
		345	"Ok\n" ""
		346	SKIP=
		347	+cd .. \|\| exit 1; rm -rf tar.tempdir 2>/dev/null
		348
		349	+mkdir tar.tempdir && cd tar.tempdir \|\| exit 1
		350	test x"$SKIP_KNOWN_BUGS" = x"" && {
		351	# Needs to be run under non-root for meaningful test
		352	optional FEATURE_TAR_CREATE
		353	testing "tar writing into read-only dir" '\
		354	-rm -rf input_* test.tar 2>/dev/null
		355	mkdir input_dir
		356	>input_dir/input_file
		357	chmod 550 input_dir
		358	@@ -201,7 +202,9 @@ dr-xr-x--- input_dir
		359	"" ""
		360	SKIP=
		361	}
		362	+cd .. \|\| exit 1; rm -rf tar.tempdir 2>/dev/null
		363
		364	+mkdir tar.tempdir && cd tar.tempdir \|\| exit 1
		365	# Had a bug where on extract autodetect first "switched off" -z
		366	# and then failed to recognize .tgz extension
		367	optional FEATURE_TAR_CREATE FEATURE_SEAMLESS_GZ GUNZIP
		368	@@ -217,7 +220,9 @@ Ok
		369	" \
		370	"" ""
		371	SKIP=
		372	+cd .. \|\| exit 1; rm -rf tar.tempdir 2>/dev/null
		373
		374	+mkdir tar.tempdir && cd tar.tempdir \|\| exit 1
		375	# Do we detect XZ-compressed data (even w/o .tar.xz or txz extension)?
		376	# (the uuencoded hello_world.txz contains one empty file named "hello_world")
		377	optional UUDECODE FEATURE_TAR_AUTODETECT FEATURE_SEAMLESS_XZ
		378	@@ -236,7 +241,9 @@ AAAEWVo=
		379	====
		380	"
		381	SKIP=
		382	+cd .. \|\| exit 1; rm -rf tar.tempdir 2>/dev/null
		383
		384	+mkdir tar.tempdir && cd tar.tempdir \|\| exit 1
		385	# On extract, everything up to and including last ".." component is stripped
		386	optional FEATURE_TAR_CREATE
		387	testing "tar strips /../ on extract" "\
		388	@@ -255,7 +262,9 @@ Ok
		389	" \
		390	"" ""
		391	SKIP=
		392	+cd .. \|\| exit 1; rm -rf tar.tempdir 2>/dev/null
		393
		394	+mkdir tar.tempdir && cd tar.tempdir \|\| exit 1
		395	# attack.tar.bz2 has symlink pointing to a system file
		396	# followed by a regular file with the same name
		397	# containing "root::0:0::/root:/bin/sh":
		398	@@ -270,6 +279,7 @@ optional UUDECODE FEATURE_TAR_AUTODETECT FEATURE_SEAMLESS_BZ2
		399	testing "tar does not extract into symlinks" "\
		400	>>/tmp/passwd && uudecode -o input && tar xf input 2>&1 && rm passwd; cat /tmp/passwd; echo \$?
		401	" "\
		402	+tar: skipping unsafe symlink to '/tmp/passwd' in archive, set EXTRACT_UNSAFE_SYMLINKS=1 to extract
		403	0
		404	" \
		405	"" "\
		406	@@ -281,12 +291,15 @@ l4/V8LDoe90yiWJhOJvIypgEfxdyRThQkBVn/bI=
		407	====
		408	"
		409	SKIP=
		410	+cd .. \|\| exit 1; rm -rf tar.tempdir 2>/dev/null
		411	+
		412	+mkdir tar.tempdir && cd tar.tempdir \|\| exit 1
		413	# And same with -k
		414	optional UUDECODE FEATURE_TAR_AUTODETECT FEATURE_SEAMLESS_BZ2
		415	testing "tar -k does not extract into symlinks" "\
		416	>>/tmp/passwd && uudecode -o input && tar xf input -k 2>&1 && rm passwd; cat /tmp/passwd; echo \$?
		417	" "\
		418	-tar: can't open 'passwd': File exists
		419	+tar: skipping unsafe symlink to '/tmp/passwd' in archive, set EXTRACT_UNSAFE_SYMLINKS=1 to extract
		420	0
		421	" \
		422	"" "\
		423	@@ -298,7 +311,9 @@ l4/V8LDoe90yiWJhOJvIypgEfxdyRThQkBVn/bI=
		424	====
		425	"
		426	SKIP=
		427	+cd .. \|\| exit 1; rm -rf tar.tempdir 2>/dev/null
		428
		429	+mkdir tar.tempdir && cd tar.tempdir \|\| exit 1
		430	optional UNICODE_SUPPORT FEATURE_TAR_GNU_EXTENSIONS FEATURE_SEAMLESS_BZ2 FEATURE_TAR_AUTODETECT
		431	testing "Pax-encoded UTF8 names and symlinks" '\
		432	tar xvf ../tar.utf8.tar.bz2 2>&1; echo $?
		433	@@ -309,17 +324,45 @@ rm -rf etc usr
		434	' "\
		435	etc/ssl/certs/3b2716e5.0
		436	etc/ssl/certs/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.pem
		437	+tar: skipping unsafe symlink to '/usr/share/ca-certificates/mozilla/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.crt' in archive, set EXTRACT_UNSAFE_SYMLINKS=1 to extract
		438	etc/ssl/certs/f80cc7f6.0
		439	usr/share/ca-certificates/mozilla/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.crt
		440	0
		441	etc/ssl/certs/3b2716e5.0 -> EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.pem
		442	-etc/ssl/certs/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.pem -> /usr/share/ca-certificates/mozilla/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.crt
		443	etc/ssl/certs/f80cc7f6.0 -> EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.pem
		444	" \
		445	"" ""
		446	SKIP=
		447	+cd .. \|\| exit 1; rm -rf tar.tempdir 2>/dev/null
		448
		449	-
		450	-cd .. && rm -rf tar.tempdir \|\| exit 1
		451	+mkdir tar.tempdir && cd tar.tempdir \|\| exit 1
		452	+optional UUDECODE FEATURE_SEAMLESS_BZ2 FEATURE_TAR_AUTODETECT
		453	+testing "Symlink attack: create symlink and then write through it" '\
		454	+exec 2>&1
		455	+uudecode -o input && tar xvf input; echo $?
		456	+ls /tmp/bb_test_evilfile
		457	+ls bb_test_evilfile
		458	+ls symlink/bb_test_evilfile
		459	+' "\
		460	+anything.txt
		461	+symlink
		462	+tar: skipping unsafe symlink to '/tmp' in archive, set EXTRACT_UNSAFE_SYMLINKS=1 to extract
		463	+symlink/bb_test_evilfile
		464	+0
		465	+ls: /tmp/bb_test_evilfile: No such file or directory
		466	+ls: bb_test_evilfile: No such file or directory
		467	+symlink/bb_test_evilfile
		468	+" \
		469	+"" "\
		470	+begin-base64 644 tar_symlink_attack.tar.bz2
		471	+QlpoOTFBWSZTWZgs7bQAALT/hMmQAFBAAf+AEMAGJPPv32AAAIAIMAC5thlR
		472	+omAjAmCMADQT1BqNE0AEwAAjAEwElTKeo9NTR6h6gaeoA0DQNLVdwZZ5iNTk
		473	+AQwCAV6S00QFJYhrlfFkVCEDEGtgNVqYrI0uK3ggnt30gqk4e1TTQm5QIAKa
		474	+SJqzRGSFLMmOloHSAcvLiFxxRiQtQZF+qPxbo173ZDISOAoNoPN4PQPhBhKS
		475	+n8fYaKlioCTzL2oXYczyUUIP4u5IpwoSEwWdtoA=
		476	+====
		477	+"
		478	+SKIP=
		479	+cd .. \|\| exit 1; rm -rf tar.tempdir 2>/dev/null
		480
		481	exit $FAILCOUNT


diff --git a/meta/recipes-core/busybox/busybox_1.27.2.bb b/meta/recipes-core/busybox/busybox_1.27.2.bb index 47b4f48761..575127ec42 100644 --- a/meta/recipes-core/busybox/busybox_1.27.2.bb +++ b/meta/recipes-core/busybox/busybox_1.27.2.bb
@@ -42,6 +42,7 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
42	file://rcK \	42	file://rcK \
43	file://runlevel \	43	file://runlevel \
44	file://makefile-libbb-race.patch \	44	file://makefile-libbb-race.patch \
		45	file://CVE-2011-5325.patch \
45	"	46	"
46	SRC_URI_append_libc-musl = " file://musl.cfg "	47	SRC_URI_append_libc-musl = " file://musl.cfg "
47		48