From d68406497e71921a2caeaa8419535b30834db936 Mon Sep 17 00:00:00 2001 From: Steve Sakoman Date: Tue, 10 May 2022 15:21:48 +0200 Subject: busybox: fix CVE-2022-28391 BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors. https://nvd.nist.gov/vuln/detail/CVE-2022-28391 Backported from kirkstone 3e17df4cd17c132dc7732ebd3d1c80c81c85bcc4. 2nd patch adjusted to apply on 1.31.1. (From OE-Core rev: 0b9cbcc4ceac3938afd1dd6010ce6d9a3da21598) Signed-off-by: Steve Sakoman Signed-off-by: Richard Purdie Signed-off-by: Martin Jansa Signed-off-by: Steve Sakoman Signed-off-by: Richard Purdie --- ...ddr2str-ensure-only-printable-characters-.patch | 38 +++++++++++++ ...nitize-all-printed-strings-with-printable.patch | 64 ++++++++++++++++++++++ meta/recipes-core/busybox/busybox_1.31.1.bb | 2 + 3 files changed, 104 insertions(+) create mode 100644 meta/recipes-core/busybox/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch create mode 100644 meta/recipes-core/busybox/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch diff --git a/meta/recipes-core/busybox/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch b/meta/recipes-core/busybox/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch new file mode 100644 index 0000000000..18bf5f19e4 --- /dev/null +++ b/meta/recipes-core/busybox/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch @@ -0,0 +1,38 @@ +From c7e181fdf58c392e06ab805e2c044c3e57d5445a Mon Sep 17 00:00:00 2001 +From: Ariadne Conill +Date: Sun, 3 Apr 2022 12:14:33 +0000 +Subject: [PATCH] libbb: sockaddr2str: ensure only printable characters are + returned for the hostname part + +CVE: CVE-2022-28391 +Upstream-Status: Pending +Signed-off-by: Ariadne Conill +Signed-off-by: Steve Sakoman +--- + libbb/xconnect.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/libbb/xconnect.c b/libbb/xconnect.c +index eb2871cb1..b5520bb21 100644 +--- a/libbb/xconnect.c ++++ b/libbb/xconnect.c +@@ -501,8 +501,9 @@ static char* FAST_FUNC sockaddr2str(const struct sockaddr *sa, int flags) + ); + if (rc) + return NULL; ++ /* ensure host contains only printable characters */ + if (flags & IGNORE_PORT) +- return xstrdup(host); ++ return xstrdup(printable_string(host)); + #if ENABLE_FEATURE_IPV6 + if (sa->sa_family == AF_INET6) { + if (strchr(host, ':')) /* heh, it's not a resolved hostname */ +@@ -513,7 +514,7 @@ static char* FAST_FUNC sockaddr2str(const struct sockaddr *sa, int flags) + #endif + /* For now we don't support anything else, so it has to be INET */ + /*if (sa->sa_family == AF_INET)*/ +- return xasprintf("%s:%s", host, serv); ++ return xasprintf("%s:%s", printable_string(host), serv); + /*return xstrdup(host);*/ + } + diff --git a/meta/recipes-core/busybox/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch b/meta/recipes-core/busybox/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch new file mode 100644 index 0000000000..2c9da33a51 --- /dev/null +++ b/meta/recipes-core/busybox/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch @@ -0,0 +1,64 @@ +From f8ad7c331b25ba90fd296b37c443b4114cb196e2 Mon Sep 17 00:00:00 2001 +From: Ariadne Conill +Date: Sun, 3 Apr 2022 12:16:45 +0000 +Subject: [PATCH] nslookup: sanitize all printed strings with printable_string + +Otherwise, terminal sequences can be injected, which enables various terminal injection +attacks from DNS results. + +MJ: One chunk wasn't applicable on 1.31.1 version, because parsing of +SRV records was added only in newer 1.32.0 with: + commit 6b4960155e94076bf25518e4e268a7a5f849308e + Author: Jo-Philipp Wich + Date: Thu Jun 27 17:27:29 2019 +0200 + + nslookup: implement support for SRV records + +CVE: CVE-2022-28391 +Upstream-Status: Pending +Signed-off-by: Ariadne Conill +Signed-off-by: Steve Sakoman +--- + networking/nslookup.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/networking/nslookup.c b/networking/nslookup.c +index 24e09d4f0..89b9c8a13 100644 +--- a/networking/nslookup.c ++++ b/networking/nslookup.c +@@ -404,7 +404,7 @@ static int parse_reply(const unsigned char *msg, size_t len) + //printf("Unable to uncompress domain: %s\n", strerror(errno)); + return -1; + } +- printf(format, ns_rr_name(rr), dname); ++ printf(format, ns_rr_name(rr), printable_string(dname)); + break; + + case ns_t_mx: +@@ -419,7 +419,7 @@ static int parse_reply(const unsigned char *msg, size_t len) + //printf("Cannot uncompress MX domain: %s\n", strerror(errno)); + return -1; + } +- printf("%s\tmail exchanger = %d %s\n", ns_rr_name(rr), n, dname); ++ printf("%s\tmail exchanger = %d %s\n", ns_rr_name(rr), n, printable_string(dname)); + break; + + case ns_t_txt: +@@ -431,7 +431,7 @@ static int parse_reply(const unsigned char *msg, size_t len) + if (n > 0) { + memset(dname, 0, sizeof(dname)); + memcpy(dname, ns_rr_rdata(rr) + 1, n); +- printf("%s\ttext = \"%s\"\n", ns_rr_name(rr), dname); ++ printf("%s\ttext = \"%s\"\n", ns_rr_name(rr), printable_string(dname)); + } + break; + +@@ -461,7 +461,7 @@ static int parse_reply(const unsigned char *msg, size_t len) + return -1; + } + +- printf("\tmail addr = %s\n", dname); ++ printf("\tmail addr = %s\n", printable_string(dname)); + cp += n; + + printf("\tserial = %lu\n", ns_get32(cp)); diff --git a/meta/recipes-core/busybox/busybox_1.31.1.bb b/meta/recipes-core/busybox/busybox_1.31.1.bb index 38b448b3e1..d062f0f7dd 100644 --- a/meta/recipes-core/busybox/busybox_1.31.1.bb +++ b/meta/recipes-core/busybox/busybox_1.31.1.bb @@ -55,6 +55,8 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \ file://CVE-2021-42374.patch \ file://CVE-2021-42376.patch \ file://CVE-2021-423xx-awk.patch \ + file://0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch \ + file://0002-nslookup-sanitize-all-printed-strings-with-printable.patch \ " SRC_URI_append_libc-musl = " file://musl.cfg " -- cgit v1.2.3-54-g00ecf