[OE-core] [master][krogoth][PATCH 3/4] busybox: Security fix CVE-2016-2147

Armin Kuster akuster808 at gmail.com
Thu Apr 28 00:47:22 UTC 2016


From: Armin Kuster <akuster at mvista.com>

busybox <= 1.24.2

Signed-off-by: Armin Kuster <akuster at mvista.com>
---
 .../busybox/busybox/CVE-2016-2147.patch            | 57 ++++++++++++++++++++++
 .../busybox/busybox/CVE-2016-2147_2.patch          | 32 ++++++++++++
 meta/recipes-core/busybox/busybox_1.24.1.bb        |  2 +
 3 files changed, 91 insertions(+)
 create mode 100644 meta/recipes-core/busybox/busybox/CVE-2016-2147.patch
 create mode 100644 meta/recipes-core/busybox/busybox/CVE-2016-2147_2.patch

diff --git a/meta/recipes-core/busybox/busybox/CVE-2016-2147.patch b/meta/recipes-core/busybox/busybox/CVE-2016-2147.patch
new file mode 100644
index 0000000..84cae6a
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2016-2147.patch
@@ -0,0 +1,57 @@
+From d474ffc68290e0a83651c4432eeabfa62cd51e87 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux at googlemail.com>
+Date: Thu, 10 Mar 2016 11:47:58 +0100
+Subject: [PATCH] udhcp: fix a SEGV on malformed RFC1035-encoded domain name
+
+Signed-off-by: Denys Vlasenko <vda.linux at googlemail.com>
+
+Upstream-Status: Backport
+CVE: CVE-2016-2147
+
+https://git.busybox.net/busybox/commit/?id=d474ffc
+Signed-off-by: Armin Kuster <akuster at mvista.com>
+
+---
+ networking/udhcp/domain_codec.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+Index: busybox-1.23.2/networking/udhcp/domain_codec.c
+===================================================================
+--- busybox-1.23.2.orig/networking/udhcp/domain_codec.c
++++ busybox-1.23.2/networking/udhcp/domain_codec.c
+@@ -63,11 +63,10 @@ char* FAST_FUNC dname_dec(const uint8_t
+ 				if (crtpos + *c + 1 > clen) /* label too long? abort */
+ 					return NULL;
+ 				if (dst)
+-					memcpy(dst + len, c + 1, *c);
++					/* \3com ---> "com." */
++					((char*)mempcpy(dst + len, c + 1, *c))[0] = '.';
+ 				len += *c + 1;
+ 				crtpos += *c + 1;
+-				if (dst)
+-					dst[len - 1] = '.';
+ 			} else {
+ 				/* NUL: end of current domain name */
+ 				if (retpos == 0) {
+@@ -78,7 +77,10 @@ char* FAST_FUNC dname_dec(const uint8_t
+ 					crtpos = retpos;
+ 					retpos = depth = 0;
+ 				}
+-				if (dst)
++				if (dst && len != 0)
++					/* \4host\3com\0\4host and we are at \0:
++					 * \3com was converted to "com.", change dot to space.
++					 */
+ 					dst[len - 1] = ' ';
+ 			}
+ 
+@@ -228,6 +230,9 @@ int main(int argc, char **argv)
+ 	int len;
+ 	uint8_t *encoded;
+ 
++        uint8_t str[6] = { 0x00, 0x00, 0x02, 0x65, 0x65, 0x00 };
++        printf("NUL:'%s'\n",   dname_dec(str, 6, ""));
++
+ #define DNAME_DEC(encoded,pre) dname_dec((uint8_t*)(encoded), sizeof(encoded), (pre))
+ 	printf("'%s'\n",       DNAME_DEC("\4host\3com\0", "test1:"));
+ 	printf("test2:'%s'\n", DNAME_DEC("\4host\3com\0\4host\3com\0", ""));
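Review bot: The embedded patch was refreshed against a different tree than the recipe it is added to: its `Index:` and `---`/`+++` headers name `busybox-1.23.2`, while this series targets busybox_1.24.1.bb, so the `@@ -63,11 +63,10 @@` offsets may not match and the patch may only apply with fuzz. That matters because the fix is the `if (dst && len != 0)` guard in front of `dst[len - 1] = ' ';`, which has to land on the NUL branch of dname_dec, whose body starts and ends outside the hunks shown. I would regenerate it from the upstream commit against 1.24.1 so the headers read `--- a/networking/udhcp/domain_codec.c` and `+++ b/networking/udhcp/domain_codec.c`, as CVE-2016-2147_2.patch already does. Separately, the three lines added to main() are indented with spaces where the surrounding context lines use tabs.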
diff --git a/meta/recipes-core/busybox/busybox/CVE-2016-2147_2.patch b/meta/recipes-core/busybox/busybox/CVE-2016-2147_2.patch
new file mode 100644
index 0000000..1473d46
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2016-2147_2.patch
@@ -0,0 +1,32 @@
+From 1b7c17391de66502dd7a97c866e0a33681edbb1f Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux at googlemail.com>
+Date: Fri, 11 Mar 2016 00:26:58 +0100
+Subject: [PATCH] udhcpc: fix a warning in debug code
+
+Signed-off-by: Denys Vlasenko <vda.linux at googlemail.com>
+Upsteam-Status: Backport
+CVE: CVE-2016-2147 regression fix
+
+https://git.busybox.net/busybox/commit/?id=1b7c17
+
+Signed-off-by: Armin Kuster <akuster at mvista.com>
+
+---
+ networking/udhcp/domain_codec.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/networking/udhcp/domain_codec.c b/networking/udhcp/domain_codec.c
+index cee31f1..5a923cc 100644
+--- a/networking/udhcp/domain_codec.c
++++ b/networking/udhcp/domain_codec.c
+@@ -7,6 +7,7 @@
+  * Licensed under GPLv2 or later, see file LICENSE in this source tree.
+  */
+ #ifdef DNS_COMPR_TESTING
++# define _GNU_SOURCE
+ # define FAST_FUNC /* nothing */
+ # define xmalloc malloc
+ # include <stdlib.h>
+-- 
+2.3.5
+
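Review bot: The header tag on this backport is misspelled as `Upsteam-Status: Backport`, so anything that looks for the `Upstream-Status:` tag will likely treat the patch as untagged; it should read `Upstream-Status: Backport`, matching CVE-2016-2147.patch. The line `CVE: CVE-2016-2147 regression fix` also mixes free text into the tag; keeping it as `CVE: CVE-2016-2147` and moving "regression fix" into the description would keep the tag easy to parse. The code change itself only affects the `DNS_COMPR_TESTING` build, presumably so that the `mempcpy` call introduced by the first patch is declared there.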
diff --git a/meta/recipes-core/busybox/busybox_1.24.1.bb b/meta/recipes-core/busybox/busybox_1.24.1.bb
index 61fc878..82fc64f 100644
--- a/meta/recipes-core/busybox/busybox_1.24.1.bb
+++ b/meta/recipes-core/busybox/busybox_1.24.1.bb
@@ -45,6 +45,8 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
            file://rcK \
            file://runlevel \
            file://CVE-2016-2148.patch \
+           file://CVE-2016-2147.patch \
+           file://CVE-2016-2147_2.patch \
 "
 SRC_URI_append_libc-musl = " file://musl.cfg "
 
-- 
2.3.5



