1 files changed, 69 insertions, 0 deletions
diff --git a/meta/recipes-core/busybox/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch b/meta/recipes-core/busybox/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch
new file mode 100644
index 0000000000..1dbc3388a4
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch
@@ -0,0 +1,69 @@
+From 812b407e545b70b16cf32aade135b5c32eaf674f Mon Sep 17 00:00:00 2001
+From: Ariadne Conill <ariadne@dereferenced.org>
+Date: Sun, 3 Apr 2022 12:16:45 +0000
+Subject: [PATCH 2/2] nslookup: sanitize all printed strings with
+ printable_string
+Otherwise, terminal sequences can be injected, which enables various terminal injection
+attacks from DNS results.
+CVE: CVE-2022-28391
+Upstream-Status: Submitted [https://bugs.busybox.net/show_bug.cgi?id=15001]
+Signed-off-by: Ariadne Conill <ariadne@dereferenced.org>
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+---
+ networking/nslookup.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+diff --git a/networking/nslookup.c b/networking/nslookup.c
+index 6da97baf4..4bdcde1b8 100644
+--- a/networking/nslookup.c
+++ b/networking/nslookup.c
+@@ -407,7 +407,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
+                                //printf("Unable to uncompress domain: %s\n", strerror(errno));
+                                return -1;
+                        }
+-                       printf(format, ns_rr_name(rr), dname);
+                       printf(format, ns_rr_name(rr), printable_string(dname));
+                        break;
+ 
+                case ns_t_mx:
+@@ -422,7 +422,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
+                                //printf("Cannot uncompress MX domain: %s\n", strerror(errno));
+                                return -1;
+                        }
+-                       printf("%s\tmail exchanger = %d %s\n", ns_rr_name(rr), n, dname);
+                       printf("%s\tmail exchanger = %d %s\n", ns_rr_name(rr), n, printable_string(dname));
+                        break;
+ 
+                case ns_t_txt:
+@@ -434,7 +434,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
+                        if (n > 0) {
+                                memset(dname, 0, sizeof(dname));
+                                memcpy(dname, ns_rr_rdata(rr) + 1, n);
+-                               printf("%s\ttext = \"%s\"\n", ns_rr_name(rr), dname);
+                               printf("%s\ttext = \"%s\"\n", ns_rr_name(rr), printable_string(dname));
+                        }
+                        break;
+ 
+@@ -454,7 +454,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
+                        }
+ 
+                        printf("%s\tservice = %u %u %u %s\n", ns_rr_name(rr),
+-                               ns_get16(cp), ns_get16(cp + 2), ns_get16(cp + 4), dname);
+                               ns_get16(cp), ns_get16(cp + 2), ns_get16(cp + 4), printable_string(dname));
+                        break;
+ 
+                case ns_t_soa:
+@@ -483,7 +483,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
+                                return -1;
+                        }
+ 
+-                       printf("\tmail addr = %s\n", dname);
+                       printf("\tmail addr = %s\n", printable_string(dname));
+                        cp += n;
+ 
+                        printf("\tserial = %lu\n", ns_get32(cp));
+-- 
+2.35.1

diff --git a/meta/recipes-core/busybox/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch b/meta/recipes-core/busybox/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch new file mode 100644 index 0000000000..1dbc3388a4 --- /dev/null +++ b/meta/recipes-core/busybox/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch
@@ -0,0 +1,69 @@
	1	From 812b407e545b70b16cf32aade135b5c32eaf674f Mon Sep 17 00:00:00 2001
	2	From: Ariadne Conill <ariadne@dereferenced.org>
	3	Date: Sun, 3 Apr 2022 12:16:45 +0000
	4	Subject: [PATCH 2/2] nslookup: sanitize all printed strings with
	5	printable_string
	6
	7	Otherwise, terminal sequences can be injected, which enables various terminal injection
	8	attacks from DNS results.
	9
	10	CVE: CVE-2022-28391
	11	Upstream-Status: Submitted [https://bugs.busybox.net/show_bug.cgi?id=15001]
	12	Signed-off-by: Ariadne Conill <ariadne@dereferenced.org>
	13	Signed-off-by: Steve Sakoman <steve@sakoman.com>
	14	---
	15	networking/nslookup.c \| 10 +++++-----
	16	1 file changed, 5 insertions(+), 5 deletions(-)
	17
	18	diff --git a/networking/nslookup.c b/networking/nslookup.c
	19	index 6da97baf4..4bdcde1b8 100644
	20	--- a/networking/nslookup.c
	21	+++ b/networking/nslookup.c
	22	@@ -407,7 +407,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
	23	//printf("Unable to uncompress domain: %s\n", strerror(errno));
	24	return -1;
	25	}
	26	- printf(format, ns_rr_name(rr), dname);
	27	+ printf(format, ns_rr_name(rr), printable_string(dname));
	28	break;
	29
	30	case ns_t_mx:
	31	@@ -422,7 +422,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
	32	//printf("Cannot uncompress MX domain: %s\n", strerror(errno));
	33	return -1;
	34	}
	35	- printf("%s\tmail exchanger = %d %s\n", ns_rr_name(rr), n, dname);
	36	+ printf("%s\tmail exchanger = %d %s\n", ns_rr_name(rr), n, printable_string(dname));
	37	break;
	38
	39	case ns_t_txt:
	40	@@ -434,7 +434,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
	41	if (n > 0) {
	42	memset(dname, 0, sizeof(dname));
	43	memcpy(dname, ns_rr_rdata(rr) + 1, n);
	44	- printf("%s\ttext = \"%s\"\n", ns_rr_name(rr), dname);
	45	+ printf("%s\ttext = \"%s\"\n", ns_rr_name(rr), printable_string(dname));
	46	}
	47	break;
	48
	49	@@ -454,7 +454,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
	50	}
	51
	52	printf("%s\tservice = %u %u %u %s\n", ns_rr_name(rr),
	53	- ns_get16(cp), ns_get16(cp + 2), ns_get16(cp + 4), dname);
	54	+ ns_get16(cp), ns_get16(cp + 2), ns_get16(cp + 4), printable_string(dname));
	55	break;
	56
	57	case ns_t_soa:
	58	@@ -483,7 +483,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
	59	return -1;
	60	}
	61
	62	- printf("\tmail addr = %s\n", dname);
	63	+ printf("\tmail addr = %s\n", printable_string(dname));
	64	cp += n;
	65
	66	printf("\tserial = %lu\n", ns_get32(cp));
	67	--
	68	2.35.1
	69