diff options
Diffstat (limited to 'meta/recipes-core/busybox')
-rw-r--r-- | meta/recipes-core/busybox/busybox/busybox-CVE-2018-1000500.patch | 98 | ||||
-rw-r--r-- | meta/recipes-core/busybox/busybox_1.31.1.bb | 1 |
2 files changed, 99 insertions, 0 deletions
diff --git a/meta/recipes-core/busybox/busybox/busybox-CVE-2018-1000500.patch b/meta/recipes-core/busybox/busybox/busybox-CVE-2018-1000500.patch new file mode 100644 index 0000000000..d1a33e4ab5 --- /dev/null +++ b/meta/recipes-core/busybox/busybox/busybox-CVE-2018-1000500.patch | |||
@@ -0,0 +1,98 @@ | |||
1 | From 71e7e2fb35c806d20f9739d832cd9ae3a86fdee2 Mon Sep 17 00:00:00 2001 | ||
2 | From: Dimitri John Ledkov <xnox@ubuntu.com> | ||
3 | Date: Tue, 19 May 2020 18:20:39 +0100 | ||
4 | Subject: [PATCH] wget: implement TLS verification with | ||
5 | ENABLE_FEATURE_WGET_OPENSSL | ||
6 | |||
7 | When ENABLE_FEATURE_WGET_OPENSSL is enabled, correctly implement TLS | ||
8 | verification by default. And only ignore verification errors, if | ||
9 | --no-check-certificate was passed. | ||
10 | |||
11 | Also note, that previously OPENSSL implementation did not implement | ||
12 | TLS verification, nor printed any warning messages that verification | ||
13 | was not performed. | ||
14 | |||
15 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1879533 | ||
16 | |||
17 | CVE-2018-1000500 | ||
18 | |||
19 | Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=45fa3f18adf57ef9d743038743d9c90573aeeb91] | ||
20 | CVE: CVE-2018-1000500 | ||
21 | |||
22 | Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com> | ||
23 | Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com> | ||
24 | Signed-off-by: Rahul Kumar <rahulk@mvista.com> | ||
25 | --- | ||
26 | networking/wget.c | 20 +++++++++++++++++--- | ||
27 | 1 file changed, 17 insertions(+), 3 deletions(-) | ||
28 | |||
29 | diff --git a/networking/wget.c b/networking/wget.c | ||
30 | index 9153264..a7e6deb 100644 | ||
31 | --- a/networking/wget.c | ||
32 | +++ b/networking/wget.c | ||
33 | @@ -91,6 +91,9 @@ | ||
34 | //config: patches, but do want to waste bandwidth expaining how wrong | ||
35 | //config: it is, you will be ignored. | ||
36 | //config: | ||
37 | +//config: FEATURE_WGET_OPENSSL does implement TLS verification | ||
38 | +//config: using the certificates available to OpenSSL. | ||
39 | +//config: | ||
40 | //config:config FEATURE_WGET_OPENSSL | ||
41 | //config: bool "Try to connect to HTTPS using openssl" | ||
42 | //config: default y | ||
43 | @@ -115,6 +118,9 @@ | ||
44 | //config: If openssl can't be executed, internal TLS code will be used | ||
45 | //config: (if you enabled it); if openssl can be executed but fails later, | ||
46 | //config: wget can't detect this, and download will fail. | ||
47 | +//config: | ||
48 | +//config: By default TLS verification is performed, unless | ||
49 | +//config: --no-check-certificate option is passed. | ||
50 | |||
51 | //applet:IF_WGET(APPLET(wget, BB_DIR_USR_BIN, BB_SUID_DROP)) | ||
52 | |||
53 | @@ -124,8 +130,11 @@ | ||
54 | //usage: IF_FEATURE_WGET_LONG_OPTIONS( | ||
55 | //usage: "[-c|--continue] [--spider] [-q|--quiet] [-O|--output-document FILE]\n" | ||
56 | //usage: " [-o|--output-file FILE] [--header 'header: value'] [-Y|--proxy on/off]\n" | ||
57 | +//usage: IF_FEATURE_WGET_OPENSSL( | ||
58 | +//usage: " [--no-check-certificate]\n" | ||
59 | +//usage: ) | ||
60 | /* Since we ignore these opts, we don't show them in --help */ | ||
61 | -/* //usage: " [--no-check-certificate] [--no-cache] [--passive-ftp] [-t TRIES]" */ | ||
62 | +/* //usage: " [--no-cache] [--passive-ftp] [-t TRIES]" */ | ||
63 | /* //usage: " [-nv] [-nc] [-nH] [-np]" */ | ||
64 | //usage: " [-P DIR] [-S|--server-response] [-U|--user-agent AGENT]" IF_FEATURE_WGET_TIMEOUT(" [-T SEC]") " URL..." | ||
65 | //usage: ) | ||
66 | @@ -137,7 +146,9 @@ | ||
67 | //usage: "Retrieve files via HTTP or FTP\n" | ||
68 | //usage: IF_FEATURE_WGET_LONG_OPTIONS( | ||
69 | //usage: "\n --spider Only check URL existence: $? is 0 if exists" | ||
70 | -///////: "\n --no-check-certificate Don't validate the server's certificate" | ||
71 | +//usage: IF_FEATURE_WGET_OPENSSL( | ||
72 | +//usage: "\n --no-check-certificate Don't validate the server's certificate" | ||
73 | +//usage: ) | ||
74 | //usage: ) | ||
75 | //usage: "\n -c Continue retrieval of aborted transfer" | ||
76 | //usage: "\n -q Quiet" | ||
77 | @@ -662,7 +673,7 @@ static int spawn_https_helper_openssl(const char *host, unsigned port) | ||
78 | pid = xvfork(); | ||
79 | if (pid == 0) { | ||
80 | /* Child */ | ||
81 | - char *argv[8]; | ||
82 | + char *argv[9]; | ||
83 | |||
84 | close(sp[0]); | ||
85 | xmove_fd(sp[1], 0); | ||
86 | @@ -689,6 +700,9 @@ static int spawn_https_helper_openssl(const char *host, unsigned port) | ||
87 | argv[5] = (char*)"-servername"; | ||
88 | argv[6] = (char*)servername; | ||
89 | } | ||
90 | + if (!(option_mask32 & WGET_OPT_NO_CHECK_CERT)) { | ||
91 | + argv[7] = (char*)"-verify_return_error"; | ||
92 | + } | ||
93 | |||
94 | BB_EXECVP(argv[0], argv); | ||
95 | xmove_fd(3, 2); | ||
96 | -- | ||
97 | 2.7.4 | ||
98 | |||
diff --git a/meta/recipes-core/busybox/busybox_1.31.1.bb b/meta/recipes-core/busybox/busybox_1.31.1.bb index 2bb1d59ba7..a6b47027af 100644 --- a/meta/recipes-core/busybox/busybox_1.31.1.bb +++ b/meta/recipes-core/busybox/busybox_1.31.1.bb | |||
@@ -48,6 +48,7 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \ | |||
48 | file://0001-Remove-syscall-wrappers-around-clock_gettime-closes-.patch \ | 48 | file://0001-Remove-syscall-wrappers-around-clock_gettime-closes-.patch \ |
49 | file://0001-Remove-stime-function-calls.patch \ | 49 | file://0001-Remove-stime-function-calls.patch \ |
50 | file://0001-sysctl-ignore-EIO-of-stable_secret-below-proc-sys-ne.patch \ | 50 | file://0001-sysctl-ignore-EIO-of-stable_secret-below-proc-sys-ne.patch \ |
51 | file://busybox-CVE-2018-1000500.patch \ | ||
51 | " | 52 | " |
52 | SRC_URI_append_libc-musl = " file://musl.cfg " | 53 | SRC_URI_append_libc-musl = " file://musl.cfg " |
53 | 54 | ||