main/busybox: security fixes (CVE-2018-20679, CVE-2019-5747)

3 files changed, 204 insertions, 4 deletions

diff --git a/main/busybox/APKBUILD b/main/busybox/APKBUILD
index e0bd499058..46fca6c603 100644
--- a/main/busybox/APKBUILD
+++ b/main/busybox/APKBUILD
@@ -3,7 +3,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=busybox
 pkgver=1.29.3
-pkgrel=9
+pkgrel=10
 pkgdesc="Size optimized toolbox of many common UNIX utilities"
 url=http://busybox.net
 arch="all"
@@ -37,6 +37,8 @@ source="https://busybox.net/downloads/$pkgname-$pkgver.tar.bz2
 	0001-cp-optional-reflink-support.patch
 	0001-adduser-prevent-creation-from-invalid-entry-without-.patch
 	0001-adduser-default-to-sbin-nologin-as-shell-for-system-.patch
+	CVE-2018-20679.patch
+	CVE-2019-5747.patch
 
 	acpid.logrotate
 	busyboxconfig
@@ -48,10 +50,13 @@ source="https://busybox.net/downloads/$pkgname-$pkgver.tar.bz2
 	"
 
 # secfixes:
+#   1.29.3-r10:
+#     - CVE-2018-20679
+#     - CVE-2019-5747
 #   1.27.2-r4:
-#   - CVE-2017-16544
-#   - CVE-2017-15873
-#   - CVE-2017-15874
+#     - CVE-2017-16544
+#     - CVE-2017-15873
+#     - CVE-2017-15874
 
 builddir="$srcdir"/$pkgname-$pkgver
 
@@ -216,6 +221,8 @@ d8926f0e4ed7d2fe5af89ff2a944d781b45b109c9edf1ef2591e7bce2a8bbadd7c8ca814cb3c928a
 c26e846dc4576a94c376132644ea26755f8cc531fa03b975f2f7e874e2fcbaaca3804ba46849c29b69061b1f411aebedef451418063ec457f88636198dae3be9  0001-cp-optional-reflink-support.patch
 06a341de7b34bbe5d7981366772c2ce46599af3e9640d114aa28f7ba4936489fc00c58d4b09c546409e383ef70ca51da179223a9ef53ed51f3575e652506e08e  0001-adduser-prevent-creation-from-invalid-entry-without-.patch
 a2787a3ecaf6746dadef62166e8ee6ecaa166147e5ad8b917c5838536057c875bab5f9cf40c3e05eba74d575484ac662929ac3799d58432d3a99ac46f364f302  0001-adduser-default-to-sbin-nologin-as-shell-for-system-.patch
+7d94fbd6e25a3d7bbe150fba4edbd18cc29922d5769b63de10d8f1cd65522e5b2a880a275e0970d6180b7519c376c70775d8f88c308ab197e71be1c974c60aea  CVE-2018-20679.patch
+6952770be92a980174691ac65fda778eaafd23bf8da63ad62149f2cb0f289bef216bb512ae5e013328b3bd5289a351124d22dd819b1e3116cc2244b435eb7287  CVE-2019-5747.patch
 aa93095e20de88730f526c6f463cef711b290b9582cdbd8c1ba2bd290019150cbeaa7007c2e15f0362d5b9315dd63f60511878f0ea05e893f4fdfb4a54af3fb1  acpid.logrotate
 924ff0dac14b4f7213618bd1503ae1b251fea9c3ce11dd87a6ad23ac4fca9b3f765afefdc50f39613579f56b200547320977ec815f87f2c69e20b5aeb484116c  busyboxconfig
 74ab7aa1bad3d572869aa5dffae1e3c87d0d24159db5dc8b5521fc652dd32f904d973abd6adf43f21624d53b0844cd66ba93f02f962133a9c432f2ac7bfb42b3  busyboxconfig-extras
diff --git a/main/busybox/CVE-2018-20679.patch b/main/busybox/CVE-2018-20679.patch
new file mode 100644
index 0000000000..bc1a48bf4b
--- /dev/null
+++ b/main/busybox/CVE-2018-20679.patch
@@ -0,0 +1,136 @@
+From 6d3b4bb24da9a07c263f3c1acf8df85382ff562c Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Mon, 17 Dec 2018 18:07:18 +0100
+Subject: udhcpc: check that 4-byte options are indeed 4-byte, closes 11506
+
+function                                             old     new   delta
+udhcp_get_option32                                     -      27     +27
+udhcp_get_option                                     231     248     +17
+------------------------------------------------------------------------------
+(add/remove: 1/0 grow/shrink: 1/0 up/down: 44/0)               Total: 44 bytes
+
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+---
+ networking/udhcp/common.c | 19 +++++++++++++++++++
+ networking/udhcp/common.h |  4 ++++
+ networking/udhcp/dhcpc.c  |  6 +++---
+ networking/udhcp/dhcpd.c  |  6 +++---
+ 4 files changed, 29 insertions(+), 6 deletions(-)
+
+diff --git a/networking/udhcp/common.c b/networking/udhcp/common.c
+index e5fd74f91..41b05b855 100644
+--- a/networking/udhcp/common.c
++++ b/networking/udhcp/common.c
+@@ -272,6 +272,15 @@ uint8_t* FAST_FUNC udhcp_get_option(struct dhcp_packet *packet, int code)
+ 			goto complain; /* complain and return NULL */
+ 
+ 		if (optionptr[OPT_CODE] == code) {
++			if (optionptr[OPT_LEN] == 0) {
++				/* So far no valid option with length 0 known.
++				 * Having this check means that searching
++				 * for DHCP_MESSAGE_TYPE need not worry
++				 * that returned pointer might be unsafe
++				 * to dereference.
++				 */
++				goto complain; /* complain and return NULL */
++			}
+ 			log_option("option found", optionptr);
+ 			return optionptr + OPT_DATA;
+ 		}
+@@ -289,6 +298,16 @@ uint8_t* FAST_FUNC udhcp_get_option(struct dhcp_packet *packet, int code)
+ 	return NULL;
+ }
+ 
++uint8_t* FAST_FUNC udhcp_get_option32(struct dhcp_packet *packet, int code)
++{
++	uint8_t *r = udhcp_get_option(packet, code);
++	if (r) {
++		if (r[-1] != 4)
++			r = NULL;
++	}
++	return r;
++}
++
+ /* Return the position of the 'end' option (no bounds checking) */
+ int FAST_FUNC udhcp_end_option(uint8_t *optionptr)
+ {
+diff --git a/networking/udhcp/common.h b/networking/udhcp/common.h
+index 7ad603d33..9511152ff 100644
+--- a/networking/udhcp/common.h
++++ b/networking/udhcp/common.h
+@@ -205,6 +205,10 @@ extern const uint8_t dhcp_option_lengths[] ALIGN1;
+ unsigned FAST_FUNC udhcp_option_idx(const char *name, const char *option_strings);
+ 
+ uint8_t *udhcp_get_option(struct dhcp_packet *packet, int code) FAST_FUNC;
++/* Same as above + ensures that option length is 4 bytes
++ * (returns NULL if size is different)
++ */
++uint8_t *udhcp_get_option32(struct dhcp_packet *packet, int code) FAST_FUNC;
+ int udhcp_end_option(uint8_t *optionptr) FAST_FUNC;
+ void udhcp_add_binary_option(struct dhcp_packet *packet, uint8_t *addopt) FAST_FUNC;
+ #if ENABLE_UDHCPC || ENABLE_UDHCPD
+diff --git a/networking/udhcp/dhcpc.c b/networking/udhcp/dhcpc.c
+index 4b23e4d39..5b3fd531c 100644
+--- a/networking/udhcp/dhcpc.c
++++ b/networking/udhcp/dhcpc.c
+@@ -1691,7 +1691,7 @@ int udhcpc_main(int argc UNUSED_PARAM, char **argv)
+  * They say ISC DHCP client supports this case.
+  */
+ 				server_addr = 0;
+-				temp = udhcp_get_option(&packet, DHCP_SERVER_ID);
++				temp = udhcp_get_option32(&packet, DHCP_SERVER_ID);
+ 				if (!temp) {
+ 					bb_error_msg("no server ID, using 0.0.0.0");
+ 				} else {
+@@ -1718,7 +1718,7 @@ int udhcpc_main(int argc UNUSED_PARAM, char **argv)
+ 				struct in_addr temp_addr;
+ 				uint8_t *temp;
+ 
+-				temp = udhcp_get_option(&packet, DHCP_LEASE_TIME);
++				temp = udhcp_get_option32(&packet, DHCP_LEASE_TIME);
+ 				if (!temp) {
+ 					bb_error_msg("no lease time with ACK, using 1 hour lease");
+ 					lease_seconds = 60 * 60;
+@@ -1813,7 +1813,7 @@ int udhcpc_main(int argc UNUSED_PARAM, char **argv)
+ 					uint32_t svid;
+ 					uint8_t *temp;
+ 
+-					temp = udhcp_get_option(&packet, DHCP_SERVER_ID);
++					temp = udhcp_get_option32(&packet, DHCP_SERVER_ID);
+ 					if (!temp) {
+  non_matching_svid:
+ 						log1("received DHCP NAK with wrong"
+diff --git a/networking/udhcp/dhcpd.c b/networking/udhcp/dhcpd.c
+index a8cd3f03b..477856d11 100644
+--- a/networking/udhcp/dhcpd.c
++++ b/networking/udhcp/dhcpd.c
+@@ -640,7 +640,7 @@ static void add_server_options(struct dhcp_packet *packet)
+ static uint32_t select_lease_time(struct dhcp_packet *packet)
+ {
+ 	uint32_t lease_time_sec = server_config.max_lease_sec;
+-	uint8_t *lease_time_opt = udhcp_get_option(packet, DHCP_LEASE_TIME);
++	uint8_t *lease_time_opt = udhcp_get_option32(packet, DHCP_LEASE_TIME);
+ 	if (lease_time_opt) {
+ 		move_from_unaligned32(lease_time_sec, lease_time_opt);
+ 		lease_time_sec = ntohl(lease_time_sec);
+@@ -987,7 +987,7 @@ int udhcpd_main(int argc UNUSED_PARAM, char **argv)
+ 		}
+ 
+ 		/* Get SERVER_ID if present */
+-		server_id_opt = udhcp_get_option(&packet, DHCP_SERVER_ID);
++		server_id_opt = udhcp_get_option32(&packet, DHCP_SERVER_ID);
+ 		if (server_id_opt) {
+ 			uint32_t server_id_network_order;
+ 			move_from_unaligned32(server_id_network_order, server_id_opt);
+@@ -1011,7 +1011,7 @@ int udhcpd_main(int argc UNUSED_PARAM, char **argv)
+ 		}
+ 
+ 		/* Get REQUESTED_IP if present */
+-		requested_ip_opt = udhcp_get_option(&packet, DHCP_REQUESTED_IP);
++		requested_ip_opt = udhcp_get_option32(&packet, DHCP_REQUESTED_IP);
+ 		if (requested_ip_opt) {
+ 			move_from_unaligned32(requested_nip, requested_ip_opt);
+ 		}
+-- 
+cgit v1.2.1
+
diff --git a/main/busybox/CVE-2019-5747.patch b/main/busybox/CVE-2019-5747.patch
new file mode 100644
index 0000000000..f81f02b30c
--- /dev/null
+++ b/main/busybox/CVE-2019-5747.patch
@@ -0,0 +1,57 @@
+From 74d9f1ba37010face4bd1449df4d60dd84450b06 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Mon, 7 Jan 2019 15:33:42 +0100
+Subject: udhcpc: when decoding DHCP_SUBNET, ensure it is 4 bytes long
+
+function                                             old     new   delta
+udhcp_run_script                                     795     801      +6
+
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+---
+ networking/udhcp/common.c | 2 +-
+ networking/udhcp/common.h | 2 +-
+ networking/udhcp/dhcpc.c  | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/networking/udhcp/common.c b/networking/udhcp/common.c
+index 4c2221b77..fc4de5716 100644
+--- a/networking/udhcp/common.c
++++ b/networking/udhcp/common.c
+@@ -302,7 +302,7 @@ uint8_t* FAST_FUNC udhcp_get_option32(struct dhcp_packet *packet, int code)
+ {
+ 	uint8_t *r = udhcp_get_option(packet, code);
+ 	if (r) {
+-		if (r[-1] != 4)
++		if (r[-OPT_DATA + OPT_LEN] != 4)
+ 			r = NULL;
+ 	}
+ 	return r;
+diff --git a/networking/udhcp/common.h b/networking/udhcp/common.h
+index 9511152ff..62f9a2a4a 100644
+--- a/networking/udhcp/common.h
++++ b/networking/udhcp/common.h
+@@ -119,7 +119,7 @@ enum {
+ //#define DHCP_TIME_SERVER      0x04 /* RFC 868 time server (32-bit, 0 = 1.1.1900) */
+ //#define DHCP_NAME_SERVER      0x05 /* IEN 116 _really_ ancient kind of NS */
+ //#define DHCP_DNS_SERVER       0x06
+-//#define DHCP_LOG_SERVER       0x07 /* port 704 UDP log (not syslog)
++//#define DHCP_LOG_SERVER       0x07 /* port 704 UDP log (not syslog) */
+ //#define DHCP_COOKIE_SERVER    0x08 /* "quote of the day" server */
+ //#define DHCP_LPR_SERVER       0x09
+ #define DHCP_HOST_NAME          0x0c /* 12: either client informs server or server gives name to client */
+diff --git a/networking/udhcp/dhcpc.c b/networking/udhcp/dhcpc.c
+index 5b3fd531c..dcec8cdfd 100644
+--- a/networking/udhcp/dhcpc.c
++++ b/networking/udhcp/dhcpc.c
+@@ -531,7 +531,7 @@ static char **fill_envp(struct dhcp_packet *packet)
+ 		temp = udhcp_get_option(packet, code);
+ 		*curr = xmalloc_optname_optval(temp, &dhcp_optflags[i], opt_name);
+ 		putenv(*curr++);
+-		if (code == DHCP_SUBNET) {
++		if (code == DHCP_SUBNET && temp[-OPT_DATA + OPT_LEN] == 4) {
+ 			/* Subnet option: make things like "$ip/$mask" possible */
+ 			uint32_t subnet;
+ 			move_from_unaligned32(subnet, temp);
+-- 
+cgit v1.2.1
+