2 files changed, 99 insertions, 0 deletions
diff --git a/meta/recipes-core/busybox/busybox/busybox-CVE-2018-1000500.patch b/meta/recipes-core/busybox/busybox/busybox-CVE-2018-1000500.patch
new file mode 100644
index 0000000000..d1a33e4ab5
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/busybox-CVE-2018-1000500.patch
@@ -0,0 +1,98 @@
+From 71e7e2fb35c806d20f9739d832cd9ae3a86fdee2 Mon Sep 17 00:00:00 2001
+From: Dimitri John Ledkov <xnox@ubuntu.com>
+Date: Tue, 19 May 2020 18:20:39 +0100
+Subject: [PATCH] wget: implement TLS verification with
+ ENABLE_FEATURE_WGET_OPENSSL
+When ENABLE_FEATURE_WGET_OPENSSL is enabled, correctly implement TLS
+verification by default. And only ignore verification errors, if
+--no-check-certificate was passed.
+Also note, that previously OPENSSL implementation did not implement
+TLS verification, nor printed any warning messages that verification
+was not performed.
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1879533
+CVE-2018-1000500
+Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=45fa3f18adf57ef9d743038743d9c90573aeeb91]
+CVE: CVE-2018-1000500
+Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+Signed-off-by: Rahul Kumar <rahulk@mvista.com>
+---
+ networking/wget.c | 20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+diff --git a/networking/wget.c b/networking/wget.c
+index 9153264..a7e6deb 100644
+--- a/networking/wget.c
+++ b/networking/wget.c
+@@ -91,6 +91,9 @@
+ //config:      patches, but do want to waste bandwidth expaining how wrong
+ //config:      it is, you will be ignored.
+ //config:
+//config:      FEATURE_WGET_OPENSSL does implement TLS verification
+//config:      using the certificates available to OpenSSL.
+//config:
+ //config:config FEATURE_WGET_OPENSSL
+ //config:      bool "Try to connect to HTTPS using openssl"
+ //config:      default y
+@@ -115,6 +118,9 @@
+ //config:      If openssl can't be executed, internal TLS code will be used
+ //config:      (if you enabled it); if openssl can be executed but fails later,
+ //config:      wget can't detect this, and download will fail.
+//config:
+//config:      By default TLS verification is performed, unless
+//config:      --no-check-certificate option is passed.
+ 
+ //applet:IF_WGET(APPLET(wget, BB_DIR_USR_BIN, BB_SUID_DROP))
+ 
+@@ -124,8 +130,11 @@
+ //usage:       IF_FEATURE_WGET_LONG_OPTIONS(
+ //usage:       "[-c|--continue] [--spider] [-q|--quiet] [-O|--output-document FILE]\n"
+ //usage:       "       [-o|--output-file FILE] [--header 'header: value'] [-Y|--proxy on/off]\n"
+//usage:       IF_FEATURE_WGET_OPENSSL(
+//usage:       "       [--no-check-certificate]\n"
+//usage:       )
+ /* Since we ignore these opts, we don't show them in --help */
+-/* //usage:    "       [--no-check-certificate] [--no-cache] [--passive-ftp] [-t TRIES]" */
+/* //usage:    "       [--no-cache] [--passive-ftp] [-t TRIES]" */
+ /* //usage:    "       [-nv] [-nc] [-nH] [-np]" */
+ //usage:       "       [-P DIR] [-S|--server-response] [-U|--user-agent AGENT]" IF_FEATURE_WGET_TIMEOUT(" [-T SEC]") " URL..."
+ //usage:       )
+@@ -137,7 +146,9 @@
+ //usage:       "Retrieve files via HTTP or FTP\n"
+ //usage:       IF_FEATURE_WGET_LONG_OPTIONS(
+ //usage:     "\n       --spider        Only check URL existence: $? is 0 if exists"
+-///////:     "\n       --no-check-certificate  Don't validate the server's certificate"
+//usage:       IF_FEATURE_WGET_OPENSSL(
+//usage:     "\n       --no-check-certificate  Don't validate the server's certificate"
+//usage:       )
+ //usage:       )
+ //usage:     "\n       -c              Continue retrieval of aborted transfer"
+ //usage:     "\n       -q              Quiet"
+@@ -662,7 +673,7 @@ static int spawn_https_helper_openssl(const char *host, unsigned port)
+        pid = xvfork();
+        if (pid == 0) {
+                /* Child */
+-               char *argv[8];
+               char *argv[9];
+ 
+                close(sp[0]);
+                xmove_fd(sp[1], 0);
+@@ -689,6 +700,9 @@ static int spawn_https_helper_openssl(const char *host, unsigned port)
+                        argv[5] = (char*)"-servername";
+                        argv[6] = (char*)servername;
+                }
+               if (!(option_mask32 & WGET_OPT_NO_CHECK_CERT)) {
+                       argv[7] = (char*)"-verify_return_error";
+               }
+ 
+                BB_EXECVP(argv[0], argv);
+                xmove_fd(3, 2);
+-- 
+2.7.4
diff --git a/meta/recipes-core/busybox/busybox_1.31.1.bb b/meta/recipes-core/busybox/busybox_1.31.1.bb
index 2bb1d59ba7..a6b47027af 100644
--- a/meta/recipes-core/busybox/busybox_1.31.1.bb
+++ b/meta/recipes-core/busybox/busybox_1.31.1.bb
@@ -48,6 +48,7 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
           file://0001-Remove-syscall-wrappers-around-clock_gettime-closes-.patch \
           file://0001-Remove-stime-function-calls.patch \
           file://0001-sysctl-ignore-EIO-of-stable_secret-below-proc-sys-ne.patch \
+           file://busybox-CVE-2018-1000500.patch \
 "
 SRC_URI_append_libc-musl = " file://musl.cfg "

diff --git a/meta/recipes-core/busybox/busybox/busybox-CVE-2018-1000500.patch b/meta/recipes-core/busybox/busybox/busybox-CVE-2018-1000500.patch new file mode 100644 index 0000000000..d1a33e4ab5 --- /dev/null +++ b/meta/recipes-core/busybox/busybox/busybox-CVE-2018-1000500.patch
@@ -0,0 +1,98 @@
		1	From 71e7e2fb35c806d20f9739d832cd9ae3a86fdee2 Mon Sep 17 00:00:00 2001
		2	From: Dimitri John Ledkov <xnox@ubuntu.com>
		3	Date: Tue, 19 May 2020 18:20:39 +0100
		4	Subject: [PATCH] wget: implement TLS verification with
		5	ENABLE_FEATURE_WGET_OPENSSL
		6
		7	When ENABLE_FEATURE_WGET_OPENSSL is enabled, correctly implement TLS
		8	verification by default. And only ignore verification errors, if
		9	--no-check-certificate was passed.
		10
		11	Also note, that previously OPENSSL implementation did not implement
		12	TLS verification, nor printed any warning messages that verification
		13	was not performed.
		14
		15	Bug-Ubuntu: https://bugs.launchpad.net/bugs/1879533
		16
		17	CVE-2018-1000500
		18
		19	Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=45fa3f18adf57ef9d743038743d9c90573aeeb91]
		20	CVE: CVE-2018-1000500
		21
		22	Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
		23	Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
		24	Signed-off-by: Rahul Kumar <rahulk@mvista.com>
		25	---
		26	networking/wget.c \| 20 +++++++++++++++++---
		27	1 file changed, 17 insertions(+), 3 deletions(-)
		28
		29	diff --git a/networking/wget.c b/networking/wget.c
		30	index 9153264..a7e6deb 100644
		31	--- a/networking/wget.c
		32	+++ b/networking/wget.c
		33	@@ -91,6 +91,9 @@
		34	//config: patches, but do want to waste bandwidth expaining how wrong
		35	//config: it is, you will be ignored.
		36	//config:
		37	+//config: FEATURE_WGET_OPENSSL does implement TLS verification
		38	+//config: using the certificates available to OpenSSL.
		39	+//config:
		40	//config:config FEATURE_WGET_OPENSSL
		41	//config: bool "Try to connect to HTTPS using openssl"
		42	//config: default y
		43	@@ -115,6 +118,9 @@
		44	//config: If openssl can't be executed, internal TLS code will be used
		45	//config: (if you enabled it); if openssl can be executed but fails later,
		46	//config: wget can't detect this, and download will fail.
		47	+//config:
		48	+//config: By default TLS verification is performed, unless
		49	+//config: --no-check-certificate option is passed.
		50
		51	//applet:IF_WGET(APPLET(wget, BB_DIR_USR_BIN, BB_SUID_DROP))
		52
		53	@@ -124,8 +130,11 @@
		54	//usage: IF_FEATURE_WGET_LONG_OPTIONS(
		55	//usage: "[-c\|--continue] [--spider] [-q\|--quiet] [-O\|--output-document FILE]\n"
		56	//usage: " [-o\|--output-file FILE] [--header 'header: value'] [-Y\|--proxy on/off]\n"
		57	+//usage: IF_FEATURE_WGET_OPENSSL(
		58	+//usage: " [--no-check-certificate]\n"
		59	+//usage: )
		60	/* Since we ignore these opts, we don't show them in --help */
		61	-/* //usage: " [--no-check-certificate] [--no-cache] [--passive-ftp] [-t TRIES]" */
		62	+/* //usage: " [--no-cache] [--passive-ftp] [-t TRIES]" */
		63	/* //usage: " [-nv] [-nc] [-nH] [-np]" */
		64	//usage: " [-P DIR] [-S\|--server-response] [-U\|--user-agent AGENT]" IF_FEATURE_WGET_TIMEOUT(" [-T SEC]") " URL..."
		65	//usage: )
		66	@@ -137,7 +146,9 @@
		67	//usage: "Retrieve files via HTTP or FTP\n"
		68	//usage: IF_FEATURE_WGET_LONG_OPTIONS(
		69	//usage: "\n --spider Only check URL existence: $? is 0 if exists"
		70	-///////: "\n --no-check-certificate Don't validate the server's certificate"
		71	+//usage: IF_FEATURE_WGET_OPENSSL(
		72	+//usage: "\n --no-check-certificate Don't validate the server's certificate"
		73	+//usage: )
		74	//usage: )
		75	//usage: "\n -c Continue retrieval of aborted transfer"
		76	//usage: "\n -q Quiet"
		77	@@ -662,7 +673,7 @@ static int spawn_https_helper_openssl(const char *host, unsigned port)
		78	pid = xvfork();
		79	if (pid == 0) {
		80	/* Child */
		81	- char *argv[8];
		82	+ char *argv[9];
		83
		84	close(sp[0]);
		85	xmove_fd(sp[1], 0);
		86	@@ -689,6 +700,9 @@ static int spawn_https_helper_openssl(const char *host, unsigned port)
		87	argv[5] = (char*)"-servername";
		88	argv[6] = (char*)servername;
		89	}
		90	+ if (!(option_mask32 & WGET_OPT_NO_CHECK_CERT)) {
		91	+ argv[7] = (char*)"-verify_return_error";
		92	+ }
		93
		94	BB_EXECVP(argv[0], argv);
		95	xmove_fd(3, 2);
		96	--
		97	2.7.4
		98


diff --git a/meta/recipes-core/busybox/busybox_1.31.1.bb b/meta/recipes-core/busybox/busybox_1.31.1.bb index 2bb1d59ba7..a6b47027af 100644 --- a/meta/recipes-core/busybox/busybox_1.31.1.bb +++ b/meta/recipes-core/busybox/busybox_1.31.1.bb
@@ -48,6 +48,7 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
48	file://0001-Remove-syscall-wrappers-around-clock_gettime-closes-.patch \	48	file://0001-Remove-syscall-wrappers-around-clock_gettime-closes-.patch \
49	file://0001-Remove-stime-function-calls.patch \	49	file://0001-Remove-stime-function-calls.patch \
50	file://0001-sysctl-ignore-EIO-of-stable_secret-below-proc-sys-ne.patch \	50	file://0001-sysctl-ignore-EIO-of-stable_secret-below-proc-sys-ne.patch \
		51	file://busybox-CVE-2018-1000500.patch \
51	"	52	"
52	SRC_URI_append_libc-musl = " file://musl.cfg "	53	SRC_URI_append_libc-musl = " file://musl.cfg "
53		54