diff options
-rw-r--r-- | meta/recipes-core/busybox/busybox/CVE-2016-2147.patch | 57 | ||||
-rw-r--r-- | meta/recipes-core/busybox/busybox/CVE-2016-2147_2.patch | 32 | ||||
-rw-r--r-- | meta/recipes-core/busybox/busybox_1.24.1.bb | 2 |
3 files changed, 91 insertions, 0 deletions
diff --git a/meta/recipes-core/busybox/busybox/CVE-2016-2147.patch b/meta/recipes-core/busybox/busybox/CVE-2016-2147.patch new file mode 100644 index 0000000000..84cae6aa2c --- /dev/null +++ b/meta/recipes-core/busybox/busybox/CVE-2016-2147.patch | |||
@@ -0,0 +1,57 @@ | |||
1 | From d474ffc68290e0a83651c4432eeabfa62cd51e87 Mon Sep 17 00:00:00 2001 | ||
2 | From: Denys Vlasenko <vda.linux@googlemail.com> | ||
3 | Date: Thu, 10 Mar 2016 11:47:58 +0100 | ||
4 | Subject: [PATCH] udhcp: fix a SEGV on malformed RFC1035-encoded domain name | ||
5 | |||
6 | Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com> | ||
7 | |||
8 | Upstream-Status: Backport | ||
9 | CVE: CVE-2016-2147 | ||
10 | |||
11 | https://git.busybox.net/busybox/commit/?id=d474ffc | ||
12 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
13 | |||
14 | --- | ||
15 | networking/udhcp/domain_codec.c | 13 +++++++++---- | ||
16 | 1 file changed, 9 insertions(+), 4 deletions(-) | ||
17 | |||
18 | Index: busybox-1.23.2/networking/udhcp/domain_codec.c | ||
19 | =================================================================== | ||
20 | --- busybox-1.23.2.orig/networking/udhcp/domain_codec.c | ||
21 | +++ busybox-1.23.2/networking/udhcp/domain_codec.c | ||
22 | @@ -63,11 +63,10 @@ char* FAST_FUNC dname_dec(const uint8_t | ||
23 | if (crtpos + *c + 1 > clen) /* label too long? abort */ | ||
24 | return NULL; | ||
25 | if (dst) | ||
26 | - memcpy(dst + len, c + 1, *c); | ||
27 | + /* \3com ---> "com." */ | ||
28 | + ((char*)mempcpy(dst + len, c + 1, *c))[0] = '.'; | ||
29 | len += *c + 1; | ||
30 | crtpos += *c + 1; | ||
31 | - if (dst) | ||
32 | - dst[len - 1] = '.'; | ||
33 | } else { | ||
34 | /* NUL: end of current domain name */ | ||
35 | if (retpos == 0) { | ||
36 | @@ -78,7 +77,10 @@ char* FAST_FUNC dname_dec(const uint8_t | ||
37 | crtpos = retpos; | ||
38 | retpos = depth = 0; | ||
39 | } | ||
40 | - if (dst) | ||
41 | + if (dst && len != 0) | ||
42 | + /* \4host\3com\0\4host and we are at \0: | ||
43 | + * \3com was converted to "com.", change dot to space. | ||
44 | + */ | ||
45 | dst[len - 1] = ' '; | ||
46 | } | ||
47 | |||
48 | @@ -228,6 +230,9 @@ int main(int argc, char **argv) | ||
49 | int len; | ||
50 | uint8_t *encoded; | ||
51 | |||
52 | + uint8_t str[6] = { 0x00, 0x00, 0x02, 0x65, 0x65, 0x00 }; | ||
53 | + printf("NUL:'%s'\n", dname_dec(str, 6, "")); | ||
54 | + | ||
55 | #define DNAME_DEC(encoded,pre) dname_dec((uint8_t*)(encoded), sizeof(encoded), (pre)) | ||
56 | printf("'%s'\n", DNAME_DEC("\4host\3com\0", "test1:")); | ||
57 | printf("test2:'%s'\n", DNAME_DEC("\4host\3com\0\4host\3com\0", "")); | ||
diff --git a/meta/recipes-core/busybox/busybox/CVE-2016-2147_2.patch b/meta/recipes-core/busybox/busybox/CVE-2016-2147_2.patch new file mode 100644 index 0000000000..1473d46035 --- /dev/null +++ b/meta/recipes-core/busybox/busybox/CVE-2016-2147_2.patch | |||
@@ -0,0 +1,32 @@ | |||
1 | From 1b7c17391de66502dd7a97c866e0a33681edbb1f Mon Sep 17 00:00:00 2001 | ||
2 | From: Denys Vlasenko <vda.linux@googlemail.com> | ||
3 | Date: Fri, 11 Mar 2016 00:26:58 +0100 | ||
4 | Subject: [PATCH] udhcpc: fix a warning in debug code | ||
5 | |||
6 | Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com> | ||
7 | Upsteam-Status: Backport | ||
8 | CVE: CVE-2016-2147 regression fix | ||
9 | |||
10 | https://git.busybox.net/busybox/commit/?id=1b7c17 | ||
11 | |||
12 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
13 | |||
14 | --- | ||
15 | networking/udhcp/domain_codec.c | 1 + | ||
16 | 1 file changed, 1 insertion(+) | ||
17 | |||
18 | diff --git a/networking/udhcp/domain_codec.c b/networking/udhcp/domain_codec.c | ||
19 | index cee31f1..5a923cc 100644 | ||
20 | --- a/networking/udhcp/domain_codec.c | ||
21 | +++ b/networking/udhcp/domain_codec.c | ||
22 | @@ -7,6 +7,7 @@ | ||
23 | * Licensed under GPLv2 or later, see file LICENSE in this source tree. | ||
24 | */ | ||
25 | #ifdef DNS_COMPR_TESTING | ||
26 | +# define _GNU_SOURCE | ||
27 | # define FAST_FUNC /* nothing */ | ||
28 | # define xmalloc malloc | ||
29 | # include <stdlib.h> | ||
30 | -- | ||
31 | 2.3.5 | ||
32 | |||
diff --git a/meta/recipes-core/busybox/busybox_1.24.1.bb b/meta/recipes-core/busybox/busybox_1.24.1.bb index 61fc878697..82fc64f326 100644 --- a/meta/recipes-core/busybox/busybox_1.24.1.bb +++ b/meta/recipes-core/busybox/busybox_1.24.1.bb | |||
@@ -45,6 +45,8 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \ | |||
45 | file://rcK \ | 45 | file://rcK \ |
46 | file://runlevel \ | 46 | file://runlevel \ |
47 | file://CVE-2016-2148.patch \ | 47 | file://CVE-2016-2148.patch \ |
48 | file://CVE-2016-2147.patch \ | ||
49 | file://CVE-2016-2147_2.patch \ | ||
48 | " | 50 | " |
49 | SRC_URI_append_libc-musl = " file://musl.cfg " | 51 | SRC_URI_append_libc-musl = " file://musl.cfg " |
50 | 52 | ||