busybox: fix CVE-2023-39810

Upstream-Status: Backport from https://git.busybox.net/busybox/commit/?id=9a8796436b9b0641e13480811902ea2ac57881d3 (From OE-Core rev: c0b71ec35716a512915b00808a26f77481db0e0a) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Hitendra Prajapati <hprajapati@mvista.com> 2025-05-08 13:29:30 +0530
committer: Steve Sakoman <steve@sakoman.com> 2025-05-14 06:38:22 -0700
commit: 03a2733983a61ed7f1e5c008b2090ad15e283765 (patch)
tree: 4227e80a700affb4cca935a95d31395baa6df29b
parent: 9b99800fe71a525514351a4236c11e470fbce35a (diff)
download: poky-03a2733983a61ed7f1e5c008b2090ad15e283765.tar.gz
2 files changed, 132 insertions, 0 deletions
diff --git a/meta/recipes-core/busybox/busybox/CVE-2023-39810.patch b/meta/recipes-core/busybox/busybox/CVE-2023-39810.patch
new file mode 100644
index 0000000000..0e7dec4f80
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2023-39810.patch
@@ -0,0 +1,131 @@
+From 9a8796436b9b0641e13480811902ea2ac57881d3 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Wed, 2 Oct 2024 10:12:05 +0200
+Subject: archival: disallow path traversals (CVE-2023-39810)
+Create new configure option for archival/libarchive based extractions to
+disallow path traversals.
+As this is a paranoid option and might introduce backward
+incompatibility, default it to no.
+Fixes: CVE-2023-39810
+Based on the patch by Peter Kaestle <peter.kaestle@nokia.com>
+Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=9a8796436b9b0641e13480811902ea2ac57881d3]
+CVE: CVE-2023-39810
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ archival/Config.src                        | 11 +++++++++++
+ archival/libarchive/data_extract_all.c     |  8 ++++++++
+ archival/libarchive/unsafe_prefix.c        |  6 +++++-
+ scripts/kconfig/lxdialog/check-lxdialog.sh |  2 +-
+ testsuite/cpio.tests                       | 23 ++++++++++++++++++++++
+ 5 files changed, 48 insertions(+), 2 deletions(-)
+diff --git a/archival/Config.src b/archival/Config.src
+index 6f4f30c..cbcd721 100644
+--- a/archival/Config.src
+++ b/archival/Config.src
+@@ -35,4 +35,15 @@ config FEATURE_LZMA_FAST
+        This option reduces decompression time by about 25% at the cost of
+        a 1K bigger binary.
+ 
+config FEATURE_PATH_TRAVERSAL_PROTECTION
+       bool "Prevent extraction of filenames with /../ path component"
+       default n
+       help
+       busybox tar and unzip remove "PREFIX/../" (if it exists)
+       from extracted names.
+       This option enables this behavior for all other unpacking applets,
+       such as cpio, ar, rpm.
+       GNU cpio 2.15 has NO such sanity check.
+# try other archivers and document their behavior?
+
+ endmenu
+diff --git a/archival/libarchive/data_extract_all.c b/archival/libarchive/data_extract_all.c
+index 049c2c1..8a69711 100644
+--- a/archival/libarchive/data_extract_all.c
+++ b/archival/libarchive/data_extract_all.c
+@@ -65,6 +65,14 @@ void FAST_FUNC data_extract_all(archive_handle_t *archive_handle)
+                } while (--n != 0);
+        }
+ #endif
+#if ENABLE_FEATURE_PATH_TRAVERSAL_PROTECTION
+       /* Strip leading "/" and up to last "/../" path component */
+       dst_name = (char *)strip_unsafe_prefix(dst_name);
+#endif
+// ^^^ This may be a problem if some applets do need to extract absolute names.
+// (Probably will need to invent ARCHIVE_ALLOW_UNSAFE_NAME flag).
+// You might think that rpm needs it, but in my tests rpm's internal cpio
+// archive has names like "./usr/bin/FOO", not "/usr/bin/FOO".
+ 
+        if (archive_handle->ah_flags & ARCHIVE_CREATE_LEADING_DIRS) {
+                char *slash = strrchr(dst_name, '/');
+diff --git a/archival/libarchive/unsafe_prefix.c b/archival/libarchive/unsafe_prefix.c
+index 33e487b..6670811 100644
+--- a/archival/libarchive/unsafe_prefix.c
+++ b/archival/libarchive/unsafe_prefix.c
+@@ -14,7 +14,11 @@ const char* FAST_FUNC strip_unsafe_prefix(const char *str)
+                        cp++;
+                        continue;
+                }
+-               if (is_prefixed_with(cp, "/../"+1)) {
+               /* We are called lots of times.
+                * is_prefixed_with(cp, "../") is slower than open-coding it,
+                * with minimal code growth (~few bytes).
+                */
+               if (cp[0] == '.' && cp[1] == '.' && cp[2] == '/') {
+                        cp += 3;
+                        continue;
+                }
+diff --git a/scripts/kconfig/lxdialog/check-lxdialog.sh b/scripts/kconfig/lxdialog/check-lxdialog.sh
+index 7003e02..b91a54b 100755
+--- a/scripts/kconfig/lxdialog/check-lxdialog.sh
+++ b/scripts/kconfig/lxdialog/check-lxdialog.sh
+@@ -55,7 +55,7 @@ trap "rm -f $tmp" 0 1 2 3 15
+ check() {
+         $cc -x c - -o $tmp 2>/dev/null <<'EOF'
+ #include CURSES_LOC
+-main() {}
+int main() { return 0; }
+ EOF
+        if [ $? != 0 ]; then
+            echo " *** Unable to find the ncurses libraries or the"       1>&2
+diff --git a/testsuite/cpio.tests b/testsuite/cpio.tests
+index 85e7465..a4462c5 100755
+--- a/testsuite/cpio.tests
+++ b/testsuite/cpio.tests
+@@ -154,6 +154,29 @@ testing "cpio -R with extract" \
+ " "" ""
+ SKIP=
+ 
+# Create an archive containing a file with "../dont_write" filename.
+# See that it will not be allowed to unpack.
+# NB: GNU cpio 2.15 DOES NOT do such checks.
+optional FEATURE_PATH_TRAVERSAL_PROTECTION
+rm -rf cpio.testdir
+mkdir -p cpio.testdir/prepare/inner
+echo "file outside of destination was written" > cpio.testdir/prepare/dont_write
+echo "data" > cpio.testdir/prepare/inner/to_extract
+mkdir -p cpio.testdir/extract
+testing "cpio extract file outside of destination" "\
+(cd cpio.testdir/prepare/inner && echo -e '../dont_write\nto_extract' | cpio -o -H newc) | (cd cpio.testdir/extract && cpio -vi 2>&1)
+echo \$?
+ls cpio.testdir/dont_write 2>&1" \
+"\
+cpio: removing leading '../' from member names
+../dont_write
+to_extract
+1 blocks
+0
+ls: cpio.testdir/dont_write: No such file or directory
+" "" ""
+SKIP=
+
+ # Clean up
+ rm -rf cpio.testdir cpio.testdir2 2>/dev/null
+ 
+-- 
+2.25.1
diff --git a/meta/recipes-core/busybox/busybox_1.35.0.bb b/meta/recipes-core/busybox/busybox_1.35.0.bb
index 6bffbbb5a8..1886410dd2 100644
--- a/meta/recipes-core/busybox/busybox_1.35.0.bb
+++ b/meta/recipes-core/busybox/busybox_1.35.0.bb
@@ -58,6 +58,7 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
           file://CVE-2023-42364_42365-2.patch \
           file://CVE-2023-42366.patch \
           file://0001-cut-Fix-s-flag-to-omit-blank-lines.patch \
+           file://CVE-2023-39810.patch \
           "
 SRC_URI:append:libc-musl = " file://musl.cfg "
author	Hitendra Prajapati <hprajapati@mvista.com>	2025-05-08 13:29:30 +0530
committer	Steve Sakoman <steve@sakoman.com>	2025-05-14 06:38:22 -0700
commit	03a2733983a61ed7f1e5c008b2090ad15e283765 (patch)
tree	4227e80a700affb4cca935a95d31395baa6df29b
parent	9b99800fe71a525514351a4236c11e470fbce35a (diff)
download	poky-03a2733983a61ed7f1e5c008b2090ad15e283765.tar.gz

diff --git a/meta/recipes-core/busybox/busybox/CVE-2023-39810.patch b/meta/recipes-core/busybox/busybox/CVE-2023-39810.patch new file mode 100644 index 0000000000..0e7dec4f80 --- /dev/null +++ b/meta/recipes-core/busybox/busybox/CVE-2023-39810.patch
@@ -0,0 +1,131 @@
		1	From 9a8796436b9b0641e13480811902ea2ac57881d3 Mon Sep 17 00:00:00 2001
		2	From: Denys Vlasenko <vda.linux@googlemail.com>
		3	Date: Wed, 2 Oct 2024 10:12:05 +0200
		4	Subject: archival: disallow path traversals (CVE-2023-39810)
		5
		6	Create new configure option for archival/libarchive based extractions to
		7	disallow path traversals.
		8	As this is a paranoid option and might introduce backward
		9	incompatibility, default it to no.
		10
		11	Fixes: CVE-2023-39810
		12
		13	Based on the patch by Peter Kaestle <peter.kaestle@nokia.com>
		14
		15	Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=9a8796436b9b0641e13480811902ea2ac57881d3]
		16	CVE: CVE-2023-39810
		17	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		18	---
		19	archival/Config.src \| 11 +++++++++++
		20	archival/libarchive/data_extract_all.c \| 8 ++++++++
		21	archival/libarchive/unsafe_prefix.c \| 6 +++++-
		22	scripts/kconfig/lxdialog/check-lxdialog.sh \| 2 +-
		23	testsuite/cpio.tests \| 23 ++++++++++++++++++++++
		24	5 files changed, 48 insertions(+), 2 deletions(-)
		25
		26	diff --git a/archival/Config.src b/archival/Config.src
		27	index 6f4f30c..cbcd721 100644
		28	--- a/archival/Config.src
		29	+++ b/archival/Config.src
		30	@@ -35,4 +35,15 @@ config FEATURE_LZMA_FAST
		31	This option reduces decompression time by about 25% at the cost of
		32	a 1K bigger binary.
		33
		34	+config FEATURE_PATH_TRAVERSAL_PROTECTION
		35	+ bool "Prevent extraction of filenames with /../ path component"
		36	+ default n
		37	+ help
		38	+ busybox tar and unzip remove "PREFIX/../" (if it exists)
		39	+ from extracted names.
		40	+ This option enables this behavior for all other unpacking applets,
		41	+ such as cpio, ar, rpm.
		42	+ GNU cpio 2.15 has NO such sanity check.
		43	+# try other archivers and document their behavior?
		44	+
		45	endmenu
		46	diff --git a/archival/libarchive/data_extract_all.c b/archival/libarchive/data_extract_all.c
		47	index 049c2c1..8a69711 100644
		48	--- a/archival/libarchive/data_extract_all.c
		49	+++ b/archival/libarchive/data_extract_all.c
		50	@@ -65,6 +65,14 @@ void FAST_FUNC data_extract_all(archive_handle_t *archive_handle)
		51	} while (--n != 0);
		52	}
		53	#endif
		54	+#if ENABLE_FEATURE_PATH_TRAVERSAL_PROTECTION
		55	+ /* Strip leading "/" and up to last "/../" path component */
		56	+ dst_name = (char *)strip_unsafe_prefix(dst_name);
		57	+#endif
		58	+// ^^^ This may be a problem if some applets do need to extract absolute names.
		59	+// (Probably will need to invent ARCHIVE_ALLOW_UNSAFE_NAME flag).
		60	+// You might think that rpm needs it, but in my tests rpm's internal cpio
		61	+// archive has names like "./usr/bin/FOO", not "/usr/bin/FOO".
		62
		63	if (archive_handle->ah_flags & ARCHIVE_CREATE_LEADING_DIRS) {
		64	char *slash = strrchr(dst_name, '/');
		65	diff --git a/archival/libarchive/unsafe_prefix.c b/archival/libarchive/unsafe_prefix.c
		66	index 33e487b..6670811 100644
		67	--- a/archival/libarchive/unsafe_prefix.c
		68	+++ b/archival/libarchive/unsafe_prefix.c
		69	@@ -14,7 +14,11 @@ const char* FAST_FUNC strip_unsafe_prefix(const char *str)
		70	cp++;
		71	continue;
		72	}
		73	- if (is_prefixed_with(cp, "/../"+1)) {
		74	+ /* We are called lots of times.
		75	+ * is_prefixed_with(cp, "../") is slower than open-coding it,
		76	+ * with minimal code growth (~few bytes).
		77	+ */
		78	+ if (cp[0] == '.' && cp[1] == '.' && cp[2] == '/') {
		79	cp += 3;
		80	continue;
		81	}
		82	diff --git a/scripts/kconfig/lxdialog/check-lxdialog.sh b/scripts/kconfig/lxdialog/check-lxdialog.sh
		83	index 7003e02..b91a54b 100755
		84	--- a/scripts/kconfig/lxdialog/check-lxdialog.sh
		85	+++ b/scripts/kconfig/lxdialog/check-lxdialog.sh
		86	@@ -55,7 +55,7 @@ trap "rm -f $tmp" 0 1 2 3 15
		87	check() {
		88	$cc -x c - -o $tmp 2>/dev/null <<'EOF'
		89	#include CURSES_LOC
		90	-main() {}
		91	+int main() { return 0; }
		92	EOF
		93	if [ $? != 0 ]; then
		94	echo " *** Unable to find the ncurses libraries or the" 1>&2
		95	diff --git a/testsuite/cpio.tests b/testsuite/cpio.tests
		96	index 85e7465..a4462c5 100755
		97	--- a/testsuite/cpio.tests
		98	+++ b/testsuite/cpio.tests
		99	@@ -154,6 +154,29 @@ testing "cpio -R with extract" \
		100	" "" ""
		101	SKIP=
		102
		103	+# Create an archive containing a file with "../dont_write" filename.
		104	+# See that it will not be allowed to unpack.
		105	+# NB: GNU cpio 2.15 DOES NOT do such checks.
		106	+optional FEATURE_PATH_TRAVERSAL_PROTECTION
		107	+rm -rf cpio.testdir
		108	+mkdir -p cpio.testdir/prepare/inner
		109	+echo "file outside of destination was written" > cpio.testdir/prepare/dont_write
		110	+echo "data" > cpio.testdir/prepare/inner/to_extract
		111	+mkdir -p cpio.testdir/extract
		112	+testing "cpio extract file outside of destination" "\
		113	+(cd cpio.testdir/prepare/inner && echo -e '../dont_write\nto_extract' \| cpio -o -H newc) \| (cd cpio.testdir/extract && cpio -vi 2>&1)
		114	+echo \$?
		115	+ls cpio.testdir/dont_write 2>&1" \
		116	+"\
		117	+cpio: removing leading '../' from member names
		118	+../dont_write
		119	+to_extract
		120	+1 blocks
		121	+0
		122	+ls: cpio.testdir/dont_write: No such file or directory
		123	+" "" ""
		124	+SKIP=
		125	+
		126	# Clean up
		127	rm -rf cpio.testdir cpio.testdir2 2>/dev/null
		128
		129	--
		130	2.25.1
		131


diff --git a/meta/recipes-core/busybox/busybox_1.35.0.bb b/meta/recipes-core/busybox/busybox_1.35.0.bb index 6bffbbb5a8..1886410dd2 100644 --- a/meta/recipes-core/busybox/busybox_1.35.0.bb +++ b/meta/recipes-core/busybox/busybox_1.35.0.bb
@@ -58,6 +58,7 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
58	file://CVE-2023-42364_42365-2.patch \	58	file://CVE-2023-42364_42365-2.patch \
59	file://CVE-2023-42366.patch \	59	file://CVE-2023-42366.patch \
60	file://0001-cut-Fix-s-flag-to-omit-blank-lines.patch \	60	file://0001-cut-Fix-s-flag-to-omit-blank-lines.patch \
		61	file://CVE-2023-39810.patch \
61	"	62	"
62	SRC_URI:append:libc-musl = " file://musl.cfg "	63	SRC_URI:append:libc-musl = " file://musl.cfg "
63		64