1 files changed, 60 insertions, 0 deletions
diff --git a/meta/recipes-core/busybox/busybox/CVE-2019-5747.patch b/meta/recipes-core/busybox/busybox/CVE-2019-5747.patch
new file mode 100644
index 0000000000..4225b11e56
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2019-5747.patch
@@ -0,0 +1,60 @@
+From 74d9f1ba37010face4bd1449df4d60dd84450b06 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Mon, 7 Jan 2019 15:33:42 +0100
+Subject: [PATCH] udhcpc: when decoding DHCP_SUBNET, ensure it is 4 bytes long
+function                                             old     new   delta
+udhcp_run_script                                     795     801      +6
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+Upstream-Status: Backport
+CVE: CVE-2019-5747
+Affects < 1.30.0
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ networking/udhcp/common.c | 2 +-
+ networking/udhcp/common.h | 2 +-
+ networking/udhcp/dhcpc.c  | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+Index: busybox-1.29.3/networking/udhcp/common.c
+===================================================================
+--- busybox-1.29.3.orig/networking/udhcp/common.c
+++ busybox-1.29.3/networking/udhcp/common.c
+@@ -300,7 +300,7 @@ uint8_t* FAST_FUNC udhcp_get_option32(st
+ {
+        uint8_t *r = udhcp_get_option(packet, code);
+        if (r) {
+-               if (r[-1] != 4)
+               if (r[-OPT_DATA + OPT_LEN] != 4)
+                        r = NULL;
+        }
+        return r;
+Index: busybox-1.29.3/networking/udhcp/common.h
+===================================================================
+--- busybox-1.29.3.orig/networking/udhcp/common.h
+++ busybox-1.29.3/networking/udhcp/common.h
+@@ -119,7 +119,7 @@ enum {
+ //#define DHCP_TIME_SERVER      0x04 /* RFC 868 time server (32-bit, 0 = 1.1.1900) */
+ //#define DHCP_NAME_SERVER      0x05 /* IEN 116 _really_ ancient kind of NS */
+ //#define DHCP_DNS_SERVER       0x06
+-//#define DHCP_LOG_SERVER       0x07 /* port 704 UDP log (not syslog)
+//#define DHCP_LOG_SERVER       0x07 /* port 704 UDP log (not syslog) */
+ //#define DHCP_COOKIE_SERVER    0x08 /* "quote of the day" server */
+ //#define DHCP_LPR_SERVER       0x09
+ #define DHCP_HOST_NAME          0x0c /* either client informs server or server gives name to client */
+Index: busybox-1.29.3/networking/udhcp/dhcpc.c
+===================================================================
+--- busybox-1.29.3.orig/networking/udhcp/dhcpc.c
+++ busybox-1.29.3/networking/udhcp/dhcpc.c
+@@ -526,7 +526,7 @@ static char **fill_envp(struct dhcp_pack
+                temp = udhcp_get_option(packet, code);
+                *curr = xmalloc_optname_optval(temp, &dhcp_optflags[i], opt_name);
+                putenv(*curr++);
+-               if (code == DHCP_SUBNET) {
+               if (code == DHCP_SUBNET && temp[-OPT_DATA + OPT_LEN] == 4) {
+                        /* Subnet option: make things like "$ip/$mask" possible */
+                        uint32_t subnet;
+                        move_from_unaligned32(subnet, temp);

diff --git a/meta/recipes-core/busybox/busybox/CVE-2019-5747.patch b/meta/recipes-core/busybox/busybox/CVE-2019-5747.patch new file mode 100644 index 0000000000..4225b11e56 --- /dev/null +++ b/meta/recipes-core/busybox/busybox/CVE-2019-5747.patch
@@ -0,0 +1,60 @@
	1	From 74d9f1ba37010face4bd1449df4d60dd84450b06 Mon Sep 17 00:00:00 2001
	2	From: Denys Vlasenko <vda.linux@googlemail.com>
	3	Date: Mon, 7 Jan 2019 15:33:42 +0100
	4	Subject: [PATCH] udhcpc: when decoding DHCP_SUBNET, ensure it is 4 bytes long
	5
	6	function old new delta
	7	udhcp_run_script 795 801 +6
	8
	9	Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
	10
	11	Upstream-Status: Backport
	12	CVE: CVE-2019-5747
	13	Affects < 1.30.0
	14	Signed-off-by: Armin Kuster <akuster@mvista.com>
	15
	16	---
	17	networking/udhcp/common.c \| 2 +-
	18	networking/udhcp/common.h \| 2 +-
	19	networking/udhcp/dhcpc.c \| 2 +-
	20	3 files changed, 3 insertions(+), 3 deletions(-)
	21
	22	Index: busybox-1.29.3/networking/udhcp/common.c
	23	===================================================================
	24	--- busybox-1.29.3.orig/networking/udhcp/common.c
	25	+++ busybox-1.29.3/networking/udhcp/common.c
	26	@@ -300,7 +300,7 @@ uint8_t* FAST_FUNC udhcp_get_option32(st
	27	{
	28	uint8_t *r = udhcp_get_option(packet, code);
	29	if (r) {
	30	- if (r[-1] != 4)
	31	+ if (r[-OPT_DATA + OPT_LEN] != 4)
	32	r = NULL;
	33	}
	34	return r;
	35	Index: busybox-1.29.3/networking/udhcp/common.h
	36	===================================================================
	37	--- busybox-1.29.3.orig/networking/udhcp/common.h
	38	+++ busybox-1.29.3/networking/udhcp/common.h
	39	@@ -119,7 +119,7 @@ enum {
	40	//#define DHCP_TIME_SERVER 0x04 /* RFC 868 time server (32-bit, 0 = 1.1.1900) */
	41	//#define DHCP_NAME_SERVER 0x05 /* IEN 116 _really_ ancient kind of NS */
	42	//#define DHCP_DNS_SERVER 0x06
	43	-//#define DHCP_LOG_SERVER 0x07 /* port 704 UDP log (not syslog)
	44	+//#define DHCP_LOG_SERVER 0x07 /* port 704 UDP log (not syslog) */
	45	//#define DHCP_COOKIE_SERVER 0x08 /* "quote of the day" server */
	46	//#define DHCP_LPR_SERVER 0x09
	47	#define DHCP_HOST_NAME 0x0c /* either client informs server or server gives name to client */
	48	Index: busybox-1.29.3/networking/udhcp/dhcpc.c
	49	===================================================================
	50	--- busybox-1.29.3.orig/networking/udhcp/dhcpc.c
	51	+++ busybox-1.29.3/networking/udhcp/dhcpc.c
	52	@@ -526,7 +526,7 @@ static char **fill_envp(struct dhcp_pack
	53	temp = udhcp_get_option(packet, code);
	54	*curr = xmalloc_optname_optval(temp, &dhcp_optflags[i], opt_name);
	55	putenv(*curr++);
	56	- if (code == DHCP_SUBNET) {
	57	+ if (code == DHCP_SUBNET && temp[-OPT_DATA + OPT_LEN] == 4) {
	58	/* Subnet option: make things like "$ip/$mask" possible */
	59	uint32_t subnet;
	60	move_from_unaligned32(subnet, temp);