util-linux: Fix CVE-2024-28085

wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover. References: https://nvd.nist.gov/vuln/detail/CVE-2024-28085 (From OE-Core rev: b40a77416f73955833faeddf6091a99ff9837199) Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Soumya Sambu <soumya.sambu@windriver.com> 2024-06-07 12:41:23 +0000
committer: Steve Sakoman <steve@sakoman.com> 2024-06-14 05:19:22 -0700
commit: 750ceb4b76b3e37e7bc041a8612d6ebe57d78cac (patch)
tree: 920e8377c4aed3a4ebf31adbdbe6ba019931a916
parent: 125ca0ff2fd3f9ee22eb788d49318e4becd02d8a (diff)
download: poky-750ceb4b76b3e37e7bc041a8612d6ebe57d78cac.tar.gz
3 files changed, 72 insertions, 0 deletions
diff --git a/meta/recipes-core/util-linux/util-linux.inc b/meta/recipes-core/util-linux/util-linux.inc
index d506783f9a..48520ef951 100644
--- a/meta/recipes-core/util-linux/util-linux.inc
+++ b/meta/recipes-core/util-linux/util-linux.inc
@@ -40,6 +40,8 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/utils/util-linux/v${MAJOR_VERSION}/util-lin
           file://avoid_parallel_tests.patch \
           file://0001-login-utils-include-libgen.h-for-basename-API.patch \
           file://fcntl-lock.c \
+           file://CVE-2024-28085-0001.patch \
+           file://CVE-2024-28085-0002.patch \
           "
 SRC_URI[sha256sum] = "7b6605e48d1a49f43cc4b4cfc59f313d0dd5402fa40b96810bd572e167dfed0f"
diff --git a/meta/recipes-core/util-linux/util-linux/CVE-2024-28085-0001.patch b/meta/recipes-core/util-linux/util-linux/CVE-2024-28085-0001.patch
new file mode 100644
index 0000000000..af39931b3f
--- /dev/null
+++ b/meta/recipes-core/util-linux/util-linux/CVE-2024-28085-0001.patch
@@ -0,0 +1,36 @@
+From 07f0f0f5bd1e5e2268257ae1ff6d76a9b6c6ea8b Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Wed, 17 Jan 2024 12:37:08 +0100
+Subject: [PATCH] wall: fix calloc cal [-Werror=calloc-transposed-args]
+term-utils/wall.c:143:37: error: xcalloc sizes specified with sizeof in the earlier argument and not in the later argument [-Werror=calloc-transposed-args]
+  143 |         buf->groups = xcalloc(sizeof(*buf->groups), buf->ngroups);
+      |                                     ^
+term-utils/wall.c:143:37: note: earlier argument should specify number of elements, later size of each element
+Signed-off-by: Karel Zak <kzak@redhat.com>
+CVE: CVE-2024-28085
+Upstream-Status: Backport [https://github.com/util-linux/util-linux/commit/07f0f0f5bd1e5e2268257ae1ff6d76a9b6c6ea8b]
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ term-utils/wall.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/term-utils/wall.c b/term-utils/wall.c
+index 377db45..85c006a 100644
+--- a/term-utils/wall.c
+++ b/term-utils/wall.c
+@@ -135,7 +135,7 @@ static struct group_workspace *init_group_workspace(const char *group)
+        buf->requested_group = get_group_gid(group);
+        buf->ngroups = sysconf(_SC_NGROUPS_MAX) + 1;  /* room for the primary gid */
+-       buf->groups = xcalloc(sizeof(*buf->groups), buf->ngroups);
+       buf->groups = xcalloc(buf->ngroups, sizeof(*buf->groups));
+        return buf;
+ }
+--
+2.40.0
diff --git a/meta/recipes-core/util-linux/util-linux/CVE-2024-28085-0002.patch b/meta/recipes-core/util-linux/util-linux/CVE-2024-28085-0002.patch
new file mode 100644
index 0000000000..a2b914d580
--- /dev/null
+++ b/meta/recipes-core/util-linux/util-linux/CVE-2024-28085-0002.patch
@@ -0,0 +1,34 @@
+From 404b0781f52f7c045ca811b2dceec526408ac253 Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Thu, 21 Mar 2024 11:16:20 +0100
+Subject: [PATCH] wall: fix escape sequence Injection [CVE-2024-28085]
+Let's use for all cases the same output function.
+Reported-by: Skyler Ferrante <sjf5462@rit.edu>
+Signed-off-by: Karel Zak <kzak@redhat.com>
+CVE: CVE-2024-28085
+Upstream-Status: Backport [https://github.com/util-linux/util-linux/commit/404b0781f52f7c045ca811b2dceec526408ac253]
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ term-utils/wall.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/term-utils/wall.c b/term-utils/wall.c
+index 85c006a..0212c03 100644
+--- a/term-utils/wall.c
+++ b/term-utils/wall.c
+@@ -328,7 +328,7 @@ static char *makemsg(char *fname, char **mvec, int mvecsz,
+                int i;
+                for (i = 0; i < mvecsz; i++) {
+-                       fputs(mvec[i], fs);
+                       fputs_careful(mvec[i], fs, '^', true, TERM_WIDTH);
+                        if (i < mvecsz - 1)
+                                fputc(' ', fs);
+                }
+--
+2.40.0
author	Soumya Sambu <soumya.sambu@windriver.com>	2024-06-07 12:41:23 +0000
committer	Steve Sakoman <steve@sakoman.com>	2024-06-14 05:19:22 -0700
commit	750ceb4b76b3e37e7bc041a8612d6ebe57d78cac (patch)
tree	920e8377c4aed3a4ebf31adbdbe6ba019931a916
parent	125ca0ff2fd3f9ee22eb788d49318e4becd02d8a (diff)
download	poky-750ceb4b76b3e37e7bc041a8612d6ebe57d78cac.tar.gz

diff --git a/meta/recipes-core/util-linux/util-linux.inc b/meta/recipes-core/util-linux/util-linux.inc index d506783f9a..48520ef951 100644 --- a/meta/recipes-core/util-linux/util-linux.inc +++ b/meta/recipes-core/util-linux/util-linux.inc
@@ -40,6 +40,8 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/utils/util-linux/v${MAJOR_VERSION}/util-lin
40	file://avoid_parallel_tests.patch \	40	file://avoid_parallel_tests.patch \
41	file://0001-login-utils-include-libgen.h-for-basename-API.patch \	41	file://0001-login-utils-include-libgen.h-for-basename-API.patch \
42	file://fcntl-lock.c \	42	file://fcntl-lock.c \
		43	file://CVE-2024-28085-0001.patch \
		44	file://CVE-2024-28085-0002.patch \
43	"	45	"
44		46
45	SRC_URI[sha256sum] = "7b6605e48d1a49f43cc4b4cfc59f313d0dd5402fa40b96810bd572e167dfed0f"	47	SRC_URI[sha256sum] = "7b6605e48d1a49f43cc4b4cfc59f313d0dd5402fa40b96810bd572e167dfed0f"


diff --git a/meta/recipes-core/util-linux/util-linux/CVE-2024-28085-0001.patch b/meta/recipes-core/util-linux/util-linux/CVE-2024-28085-0001.patch new file mode 100644 index 0000000000..af39931b3f --- /dev/null +++ b/meta/recipes-core/util-linux/util-linux/CVE-2024-28085-0001.patch
@@ -0,0 +1,36 @@
		1	From 07f0f0f5bd1e5e2268257ae1ff6d76a9b6c6ea8b Mon Sep 17 00:00:00 2001
		2	From: Karel Zak <kzak@redhat.com>
		3	Date: Wed, 17 Jan 2024 12:37:08 +0100
		4	Subject: [PATCH] wall: fix calloc cal [-Werror=calloc-transposed-args]
		5
		6	term-utils/wall.c:143:37: error: xcalloc sizes specified with sizeof in the earlier argument and not in the later argument [-Werror=calloc-transposed-args]
		7	143 \| buf->groups = xcalloc(sizeof(*buf->groups), buf->ngroups);
		8	\| ^
		9	term-utils/wall.c:143:37: note: earlier argument should specify number of elements, later size of each element
		10
		11	Signed-off-by: Karel Zak <kzak@redhat.com>
		12
		13	CVE: CVE-2024-28085
		14
		15	Upstream-Status: Backport [https://github.com/util-linux/util-linux/commit/07f0f0f5bd1e5e2268257ae1ff6d76a9b6c6ea8b]
		16
		17	Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
		18	---
		19	term-utils/wall.c \| 2 +-
		20	1 file changed, 1 insertion(+), 1 deletion(-)
		21
		22	diff --git a/term-utils/wall.c b/term-utils/wall.c
		23	index 377db45..85c006a 100644
		24	--- a/term-utils/wall.c
		25	+++ b/term-utils/wall.c
		26	@@ -135,7 +135,7 @@ static struct group_workspace init_group_workspace(const char group)
		27
		28	buf->requested_group = get_group_gid(group);
		29	buf->ngroups = sysconf(_SC_NGROUPS_MAX) + 1; /* room for the primary gid */
		30	- buf->groups = xcalloc(sizeof(*buf->groups), buf->ngroups);
		31	+ buf->groups = xcalloc(buf->ngroups, sizeof(*buf->groups));
		32
		33	return buf;
		34	}
		35	--
		36	2.40.0


diff --git a/meta/recipes-core/util-linux/util-linux/CVE-2024-28085-0002.patch b/meta/recipes-core/util-linux/util-linux/CVE-2024-28085-0002.patch new file mode 100644 index 0000000000..a2b914d580 --- /dev/null +++ b/meta/recipes-core/util-linux/util-linux/CVE-2024-28085-0002.patch
@@ -0,0 +1,34 @@
		1	From 404b0781f52f7c045ca811b2dceec526408ac253 Mon Sep 17 00:00:00 2001
		2	From: Karel Zak <kzak@redhat.com>
		3	Date: Thu, 21 Mar 2024 11:16:20 +0100
		4	Subject: [PATCH] wall: fix escape sequence Injection [CVE-2024-28085]
		5
		6	Let's use for all cases the same output function.
		7
		8	Reported-by: Skyler Ferrante <sjf5462@rit.edu>
		9	Signed-off-by: Karel Zak <kzak@redhat.com>
		10
		11	CVE: CVE-2024-28085
		12
		13	Upstream-Status: Backport [https://github.com/util-linux/util-linux/commit/404b0781f52f7c045ca811b2dceec526408ac253]
		14
		15	Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
		16	---
		17	term-utils/wall.c \| 2 +-
		18	1 file changed, 1 insertion(+), 1 deletion(-)
		19
		20	diff --git a/term-utils/wall.c b/term-utils/wall.c
		21	index 85c006a..0212c03 100644
		22	--- a/term-utils/wall.c
		23	+++ b/term-utils/wall.c
		24	@@ -328,7 +328,7 @@ static char makemsg(char fname, char **mvec, int mvecsz,
		25	int i;
		26
		27	for (i = 0; i < mvecsz; i++) {
		28	- fputs(mvec[i], fs);
		29	+ fputs_careful(mvec[i], fs, '^', true, TERM_WIDTH);
		30	if (i < mvecsz - 1)
		31	fputc(' ', fs);
		32	}
		33	--
		34	2.40.0