author | Natanael Copa <ncopa@alpinelinux.org> | 2017-11-23 09:39:43 +0100 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2017-11-23 09:54:33 +0100 |
commit | 9c61af0b67fd73d23389d1016d69758729dfe193 (patch) | |
tree | b6171ab214fed7058e0cdd00eabed3d09c8a8d9d | |
parent | 17f5b0b8cb4daab681a3b9c2aca7d363aaa53641 (diff) | |
download | aports-9c61af0b67fd73d23389d1016d69758729dfe193.tar.bz2 aports-9c61af0b67fd73d23389d1016d69758729dfe193.tar.xz |
main/busybox: secfixes for CVE-2017-15873,CVE-2017-16544
fixes #8191
-rw-r--r-- | main/busybox/APKBUILD | 14 | ||||
-rw-r--r-- | main/busybox/CVE-2017-15873.patch | 210 | ||||
-rw-r--r-- | main/busybox/CVE-2017-16544.patch | 40 |
3 files changed, 263 insertions, 1 deletions
diff --git a/main/busybox/APKBUILD b/main/busybox/APKBUILD
index 872cd75c22..fe615c73d5 100644
--- a/main/busybox/APKBUILD
+++ b/main/busybox/APKBUILD
@@ -3,7 +3,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=busybox
 pkgver=1.24.2
-pkgrel=1
+pkgrel=2
 pkgdesc="Size optimized toolbox of many common UNIX utilities"
 url=http://busybox.net
 arch="all"
@@ -45,6 +45,9 @@ source="http://busybox.net/downloads/$pkgname-$pkgver.tar.bz2
 0001-ash-backport-fix-for-here-document-issues.patch
 0001-ash-fix-error-during-recursive-processing-of-here-do.patch
+ CVE-2017-15873.patch
+ CVE-2017-16544.patch
+
 acpid.logrotate
 busyboxconfig
 glibc.patch
@@ -52,6 +55,9 @@ source="http://busybox.net/downloads/$pkgname-$pkgver.tar.bz2
 "
 # secfixes:
+# 1.24.2-r2:
+# - CVE-2017-15873
+# - CVE-2017-16544
 # 1.24.2-r1:
 # - CVE-2016-6301
@@ -186,6 +192,8 @@ f7c45568bdb0d2295c43108691e78a40 3002-libbb-allow_blank-argument-for-ask_and_ch
 f82d49c891c02516462db3cda29ccca7 3003-su-FEATURE_SU_NULLOK_SECURE.patch
 5f03ee6f3e93bbc6aedff0777b227810 0001-ash-backport-fix-for-here-document-issues.patch
 a4d1cf64fd1835a284ccc6dbc78e3ce0 0001-ash-fix-error-during-recursive-processing-of-here-do.patch
+15509e6feeda066d5277fc6359e9cf93 CVE-2017-15873.patch
+c4fe22721f51afb20573dcc3aa39d681 CVE-2017-16544.patch
 4046b78ee6a25259954797d73b94f4bd acpid.logrotate
 5cddea6331e6aff69869568b679186ec busyboxconfig
 befaac2c59c380e36a452b3f1c1d4a3a glibc.patch
@@ -213,6 +221,8 @@ ce24e38be870c90bdcb90e7b0445067adf7be0fac6b1154d2364a4db9ee3a9d8 3002-libbb-all
 d7b18672334ddeee7fbd6c0e92f26c5d2ef49ddefebf0b7f6eff8dc1ad8d3f7e 3003-su-FEATURE_SU_NULLOK_SECURE.patch
 f712ce190ce86084d56977e125d1561615394f3d9b840e926537868260e19d79 0001-ash-backport-fix-for-here-document-issues.patch
 1d3f8f7b6d0972f8e56437fce8efbafe70e2d869fbe82f06eba11e0103fce224 0001-ash-fix-error-during-recursive-processing-of-here-do.patch
+ee0369ad00c843cd815c03769ee1acadfc979c590c8d61495cd067f245624f63 CVE-2017-15873.patch
+31194ef9226d5f80146cc9bc33374ba82e789aee14043bb5bf385c681b8edfe0 CVE-2017-16544.patch
 f7cbeb5a5a47395ad30454ce8262abcd3e91c33ef803c2ae31a9258d7142dd48 acpid.logrotate
 ddc0c2e87e37a5e6cc878c5c5c14093c43b361a4d32eee813e0f0b01900efb9e busyboxconfig
 c604ef791c31d35a8c5ee4558d21428a46f37a6d762c4a7e29864f4037fc44a0 glibc.patch
@@ -240,6 +250,8 @@ ed8d060b85d4da1681eb35ba64c5b249391e6a7edbeb55b8952897f08fe9bafac33593992772d80a
 c6579970450e7c711461ab1953f534ae855c4a355b4a452b3fc52a286355c87e41f8951b1b5217d0f659e3173ace8718d42dad3dcc878899cf9decdf4d3fe238 3003-su-FEATURE_SU_NULLOK_SECURE.patch
 d55cab6ed08434e2a278edf1be6171b921bcaee47598988e4de6b390a01569e10394c54d5d4a27e6eba251ce68df5cc1ece358be32a9c31bdf1f7e9147cf5180 0001-ash-backport-fix-for-here-document-issues.patch
 c14a632f9477c13ea99b24a73c81c9c44ead8b536970acd758e739b43a6260860039674341192ce7bb20a9204ee7d93dcd9541e526f2437d4d2d88637b400867 0001-ash-fix-error-during-recursive-processing-of-here-do.patch
+e41b5378572b540c02fdc191fb33d10b4ba7500da943bd3edc311b74c92214753ce2cea0afad68cec946db3618523f4a422bff243a3ed772097fbac91f85ab78 CVE-2017-15873.patch
+c988edc761b39099b54c45c6656813183bcd725de2f013ecdccd0f2dfef7b9724242196450d9a958e51aeacd64be9a1b6f342a3f8d23fe2944ffc4099007122d CVE-2017-16544.patch
 dadb4c953ebc755b88ee95c1489feb0c2d352f6e44abc716166024e6eea11ab9d10c84fad62c081775834d205cb04aa1be3c994676c88f4284495c54b9188e8b acpid.logrotate
 249f9c4769b7e20149109810bed8ed48c87e7e67817f27fbb620857bb3db1857f2d1616c4badba5c9eb2b6a1a14a15e89327b8c5f3c2d3ea15d09e252bab2a20 busyboxconfig
 1d2739379dab1deb3eae7cffd4845300eb7d30f7343b4a1209b21a5680860d55080ad45fdefe098b249ce3040c01951fa7f0a79cd447b2d7b260eb000099d9dc glibc.patch
diff --git a/main/busybox/CVE-2017-15873.patch b/main/busybox/CVE-2017-15873.patch
new file mode 100644
index 0000000000..485aef39d3
--- /dev/null
+++ b/main/busybox/CVE-2017-15873.patch
@@ -0,0 +1,210 @@
+From 3cd642df5f6c274c762c2b1388bdccc9d74f1db2 Mon Sep 17 00:00:00 2001
+From: Rostislav Skudnov <rostislav@tuxera.com>
+Date: Wed, 1 Feb 2017 18:35:13 +0000
+Subject: [PATCH 1/2] Replace int -> uint to avoid signed integer overflow
+
+An example of such an error (should be compiled with DEBUG_SANITIZE):
+
+runtime error: left shift of 1 by 31 places cannot be represented in
+type 'int'
+
+Signed-off-by: Rostislav Skudnov <rostislav@tuxera.com>
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+---
+ archival/libarchive/decompress_bunzip2.c | 6 +++---
+ libbb/crc32.c | 2 +-
+ libbb/getopt32.c | 4 ++--
+ libbb/pw_encrypt.c | 2 +-
+ miscutils/rx.c | 2 +-
+ 5 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/archival/libarchive/decompress_bunzip2.c b/archival/libarchive/decompress_bunzip2.c
+index fe5953da2..4fb989c29 100644
+--- a/archival/libarchive/decompress_bunzip2.c
++++ b/archival/libarchive/decompress_bunzip2.c
+@@ -134,7 +134,7 @@ static unsigned get_bits(bunzip_data *bd, int bits_wanted)
+
+ /* Avoid 32-bit overflow (dump bit buffer to top of output) */
+ if (bit_count >= 24) {
+- bits = bd->inbufBits & ((1 << bit_count) - 1);
++ bits = bd->inbufBits & ((1U << bit_count) - 1);
+ bits_wanted -= bit_count;
+ bits <<= bits_wanted;
+ bit_count = 0;
+@@ -158,11 +158,11 @@ static int get_next_block(bunzip_data *bd)
+ {
+ struct group_data *hufGroup;
+ int dbufCount, dbufSize, groupCount, *base, *limit, selector,
+- i, j, t, runPos, symCount, symTotal, nSelectors, byteCount[256];
++ i, j, runPos, symCount, symTotal, nSelectors, byteCount[256];
+ int runCnt = runCnt; /* for compiler */
+ uint8_t uc, symToByte[256], mtfSymbol[256], *selectors;
+ uint32_t *dbuf;
+- unsigned origPtr;
++ unsigned origPtr, t;
+
+ dbuf = bd->dbuf;
+ dbufSize = bd->dbufSize;
+diff --git a/libbb/crc32.c b/libbb/crc32.c
+index ac9836cc9..0711ca84e 100644
+--- a/libbb/crc32.c
++++ b/libbb/crc32.c
+@@ -24,7 +24,7 @@ uint32_t* FAST_FUNC crc32_filltable(uint32_t *crc_table, int endian)
+ {
+ uint32_t polynomial = endian ? 0x04c11db7 : 0xedb88320;
+ uint32_t c;
+- int i, j;
++ unsigned i, j;
+
+ if (!crc_table)
+ crc_table = xmalloc(256 * sizeof(uint32_t));
+diff --git a/libbb/getopt32.c b/libbb/getopt32.c
+index 15b6efc09..497fc016f 100644
+--- a/libbb/getopt32.c
++++ b/libbb/getopt32.c
+@@ -404,7 +404,7 @@ getopt32(char **argv, const char *applet_opts, ...)
+ if (c >= 32)
+ break;
+ on_off->opt_char = *s;
+- on_off->switch_on = (1 << c);
++ on_off->switch_on = (1U << c);
+ if (*++s == ':') {
+ on_off->optarg = va_arg(p, void **);
+ if (s[1] == '+' || s[1] == '*') {
+@@ -454,7 +454,7 @@ getopt32(char **argv, const char *applet_opts, ...)
+ if (c >= 32)
+ break;
+ on_off->opt_char = l_o->val;
+- on_off->switch_on = (1 << c);
++ on_off->switch_on = (1U << c);
+ if (l_o->has_arg != no_argument)
+ on_off->optarg = va_arg(p, void **);
+ c++;
+diff --git a/libbb/pw_encrypt.c b/libbb/pw_encrypt.c
+index 4cdc2de76..fe06a8fe6 100644
+--- a/libbb/pw_encrypt.c
++++ b/libbb/pw_encrypt.c
+@@ -30,7 +30,7 @@ static int i64c(int i)
+ int FAST_FUNC crypt_make_salt(char *p, int cnt /*, int x */)
+ {
+ /* was: x += ... */
+- int x = getpid() + monotonic_us();
++ unsigned x = getpid() + monotonic_us();
+ do {
+ /* x = (x*1664525 + 1013904223) % 2^32 generator is lame
+ * (low-order bit is not "random", etc...),
+diff --git a/miscutils/rx.c b/miscutils/rx.c
+index 660f66a89..86627e1b5 100644
+--- a/miscutils/rx.c
++++ b/miscutils/rx.c
+@@ -94,7 +94,7 @@ static int receive(/*int read_fd, */int file_fd)
+ int blockBegin;
+ int blockNo, blockNoOnesCompl;
+ int cksum_or_crc;
+- int expected;
++ unsigned expected;
+ int i, j;
+
+ blockBegin = read_byte(timeout);
+--
+2.15.0
+
+
+From 2be3fc2e5407081a597a99e3a71d55fd673de50f Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Sun, 22 Oct 2017 18:23:23 +0200
+Subject: [PATCH 2/2] bunzip2: fix runCnt overflow from bug 10431
+
+This particular corrupted file can be dealth with by using "unsigned".
+If there will be cases where it genuinely overflows, there is a disabled
+code to deal with that too.
+
+function old new delta
+get_next_block 1678 1667 -11
+
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+---
+ archival/libarchive/decompress_bunzip2.c | 30 +++++++++++++++++++-----------
+ 1 file changed, 19 insertions(+), 11 deletions(-)
+
+diff --git a/archival/libarchive/decompress_bunzip2.c b/archival/libarchive/decompress_bunzip2.c
+index 4fb989c29..2da5d59ac 100644
+--- a/archival/libarchive/decompress_bunzip2.c
++++ b/archival/libarchive/decompress_bunzip2.c
+@@ -157,15 +157,15 @@ static unsigned get_bits(bunzip_data *bd, int bits_wanted)
+ static int get_next_block(bunzip_data *bd)
+ {
+ struct group_data *hufGroup;
+- int dbufCount, dbufSize, groupCount, *base, *limit, selector,
+- i, j, runPos, symCount, symTotal, nSelectors, byteCount[256];
+- int runCnt = runCnt; /* for compiler */
++ int groupCount, *base, *limit, selector,
++ i, j, symCount, symTotal, nSelectors, byteCount[256];
+ uint8_t uc, symToByte[256], mtfSymbol[256], *selectors;
+ uint32_t *dbuf;
+ unsigned origPtr, t;
++ unsigned dbufCount, runPos;
++ unsigned runCnt = runCnt; /* for compiler */
+
+ dbuf = bd->dbuf;
+- dbufSize = bd->dbufSize;
+ selectors = bd->selectors;
+
+ /* In bbox, we are ok with aborting through setjmp which is set up in start_bunzip */
+@@ -188,7 +188,7 @@ static int get_next_block(bunzip_data *bd)
+ it didn't actually work. */
+ if (get_bits(bd, 1)) return RETVAL_OBSOLETE_INPUT;
+ origPtr = get_bits(bd, 24);
+- if ((int)origPtr > dbufSize) return RETVAL_DATA_ERROR;
++ if (origPtr > bd->dbufSize) return RETVAL_DATA_ERROR;
+
+ /* mapping table: if some byte values are never used (encoding things
+ like ascii text), the compression code removes the gaps to have fewer
+@@ -436,7 +436,14 @@ static int get_next_block(bunzip_data *bd)
+ symbols, but a run of length 0 doesn't mean anything in this
+ context). Thus space is saved. */
+ runCnt += (runPos << nextSym); /* +runPos if RUNA; +2*runPos if RUNB */
+- if (runPos < dbufSize) runPos <<= 1;
++//The 32-bit overflow of runCnt wasn't yet seen, but probably can happen.
++//This would be the fix (catches too large count way before it can overflow):
++// if (runCnt > bd->dbufSize) {
++// dbg("runCnt:%u > dbufSize:%u RETVAL_DATA_ERROR",
++// runCnt, bd->dbufSize);
++// return RETVAL_DATA_ERROR;
++// }
++ if (runPos < bd->dbufSize) runPos <<= 1;
+ goto end_of_huffman_loop;
+ }
+
+@@ -446,14 +453,15 @@ static int get_next_block(bunzip_data *bd)
+ literal used is the one at the head of the mtfSymbol array.) */
+ if (runPos != 0) {
+ uint8_t tmp_byte;
+- if (dbufCount + runCnt > dbufSize) {
+- dbg("dbufCount:%d+runCnt:%d %d > dbufSize:%d RETVAL_DATA_ERROR",
+- dbufCount, runCnt, dbufCount + runCnt, dbufSize);
++ if (dbufCount + runCnt > bd->dbufSize) {
++ dbg("dbufCount:%u+runCnt:%u %u > dbufSize:%u RETVAL_DATA_ERROR",
++ dbufCount, runCnt, dbufCount + runCnt, bd->dbufSize);
+ return RETVAL_DATA_ERROR;
+ }
+ tmp_byte = symToByte[mtfSymbol[0]];
+ byteCount[tmp_byte] += runCnt;
+- while (--runCnt >= 0) dbuf[dbufCount++] = (uint32_t)tmp_byte;
++ while ((int)--runCnt >= 0)
++ dbuf[dbufCount++] = (uint32_t)tmp_byte;
+ runPos = 0;
+ }
+
+@@ -467,7 +475,7 @@ static int get_next_block(bunzip_data *bd)
+ first symbol in the mtf array, position 0, would have been handled
+ as part of a run above. Therefore 1 unused mtf position minus
+ 2 non-literal nextSym values equals -1.) */
+- if (dbufCount >= dbufSize) return RETVAL_DATA_ERROR;
++ if (dbufCount >= bd->dbufSize) return RETVAL_DATA_ERROR;
+ i = nextSym - 1;
+ uc = mtfSymbol[i];
+
+--
+2.15.0
+
diff --git a/main/busybox/CVE-2017-16544.patch b/main/busybox/CVE-2017-16544.patch
new file mode 100644
index 0000000000..27f101ccad
--- /dev/null
+++ b/main/busybox/CVE-2017-16544.patch
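Review bot: In PATCH 2/2 the bound that would keep `runCnt` from wrapping is added only as commented-out code after `runCnt += (runPos << nextSym);`, so the remaining guard `if (dbufCount + runCnt > bd->dbufSize)` is now evaluated in unsigned arithmetic and a wrapped sum could compare as in range. The patch description itself says a genuine overflow is not handled yet. For a count above INT_MAX the `(int)--runCnt >= 0` loop would not run, yet `byteCount[tmp_byte] += runCnt` has already been applied, leaving the counts out of step with `dbuf`; how the code after this hunk consumes `byteCount` is not visible here. I would enable the early check directly after the `runCnt +=` line, `if (runCnt > bd->dbufSize) return RETVAL_DATA_ERROR;`, which also keeps the `(int)` cast in the loop condition within range. get_next_block starts and ends outside these hunks.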
@@ -0,0 +1,40 @@
+From deece5e2f1b9a521955a8939175d28a440735c61 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Tue, 7 Nov 2017 18:09:29 +0100
+Subject: [PATCH] lineedit: do not tab-complete any strings which have control
+ characters
+
+function old new delta
+add_match 41 68 +27
+
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+---
+ libbb/lineedit.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/libbb/lineedit.c b/libbb/lineedit.c
+index 31e392147..269009114 100644
+--- a/libbb/lineedit.c
++++ b/libbb/lineedit.c
+@@ -633,6 +633,18 @@ static void free_tab_completion_data(void)
+
+ static void add_match(char *matched)
+ {
++ unsigned char *p = (unsigned char*)matched;
++ while (*p) {
++ /* ESC attack fix: drop any string with control chars */
++ if (*p < ' '
++ || (!ENABLE_UNICODE_SUPPORT && *p >= 0x7f)
++ || (ENABLE_UNICODE_SUPPORT && *p == 0x7f)
++ ) {
++ free(matched);
++ return;
++ }
++ p++;
++ }
+ matches = xrealloc_vector(matches, 4, num_matches);
+ matches[num_matches] = matched;
+ num_matches++;
+--
+2.15.0
+ |
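Review bot: With ENABLE_UNICODE_SUPPORT set, the filter added to add_match rejects only bytes below `' '` and the single byte 0x7f, so every byte from 0x80 upward is accepted without being decoded and a UTF-8 encoded C1 control (U+0080 to U+009F) would still pass. Whether the terminals in scope act on those is not visible from this patch, and which way the Alpine busyboxconfig sets the option is not shown on this page. At minimum the limit should be documented next to the check, e.g. `/* with UNICODE_SUPPORT bytes >= 0x80 are not decoded here, so UTF-8 encoded C1 controls are not filtered */`. The terse `ESC attack fix` comment would also be clearer spelled out, presumably along the lines of `/* candidates are printed to the terminal: drop any string with control chars */`.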