diff options
| author | Leonardo Arena <rnalrd@alpinelinux.org> | 2019-01-24 07:43:25 +0000 |
|---|---|---|
| committer | Leonardo Arena <rnalrd@alpinelinux.org> | 2019-01-24 07:44:28 +0000 |
| commit | cf43a775225bcace5eda5940576e46caac38d471 (patch) | |
| tree | c7d73af801ca0ac3f379243fca248b681fd2233c /main/busybox | |
| parent | c9b2b9e92aba1c076f42ef780daede87d6ca9908 (diff) | |
| download | aports-cf43a775225bcace5eda5940576e46caac38d471.tar.bz2 aports-cf43a775225bcace5eda5940576e46caac38d471.tar.xz | |
main/busybox: security fixes (CVE-2018-20679, CVE-2019-5747)
Diffstat (limited to 'main/busybox')
| -rw-r--r-- | main/busybox/APKBUILD | 15 | ||||
| -rw-r--r-- | main/busybox/CVE-2018-20679.patch | 136 | ||||
| -rw-r--r-- | main/busybox/CVE-2019-5747.patch | 57 |
3 files changed, 204 insertions, 4 deletions
diff --git a/main/busybox/APKBUILD b/main/busybox/APKBUILD index e0bd499058..46fca6c603 100644 --- a/main/busybox/APKBUILD +++ b/main/busybox/APKBUILD @@ -3,7 +3,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=busybox pkgver=1.29.3 -pkgrel=9 +pkgrel=10 pkgdesc="Size optimized toolbox of many common UNIX utilities" url=http://busybox.net arch="all" @@ -37,6 +37,8 @@ source="https://busybox.net/downloads/$pkgname-$pkgver.tar.bz2 0001-cp-optional-reflink-support.patch 0001-adduser-prevent-creation-from-invalid-entry-without-.patch 0001-adduser-default-to-sbin-nologin-as-shell-for-system-.patch + CVE-2018-20679.patch + CVE-2019-5747.patch acpid.logrotate busyboxconfig @@ -48,10 +50,13 @@ source="https://busybox.net/downloads/$pkgname-$pkgver.tar.bz2 " # secfixes: +# 1.29.3-r10: +# - CVE-2018-20679 +# - CVE-2019-5747 # 1.27.2-r4: -# - CVE-2017-16544 -# - CVE-2017-15873 -# - CVE-2017-15874 +# - CVE-2017-16544 +# - CVE-2017-15873 +# - CVE-2017-15874 builddir="$srcdir"/$pkgname-$pkgver @@ -216,6 +221,8 @@ d8926f0e4ed7d2fe5af89ff2a944d781b45b109c9edf1ef2591e7bce2a8bbadd7c8ca814cb3c928a c26e846dc4576a94c376132644ea26755f8cc531fa03b975f2f7e874e2fcbaaca3804ba46849c29b69061b1f411aebedef451418063ec457f88636198dae3be9 0001-cp-optional-reflink-support.patch 06a341de7b34bbe5d7981366772c2ce46599af3e9640d114aa28f7ba4936489fc00c58d4b09c546409e383ef70ca51da179223a9ef53ed51f3575e652506e08e 0001-adduser-prevent-creation-from-invalid-entry-without-.patch a2787a3ecaf6746dadef62166e8ee6ecaa166147e5ad8b917c5838536057c875bab5f9cf40c3e05eba74d575484ac662929ac3799d58432d3a99ac46f364f302 0001-adduser-default-to-sbin-nologin-as-shell-for-system-.patch +7d94fbd6e25a3d7bbe150fba4edbd18cc29922d5769b63de10d8f1cd65522e5b2a880a275e0970d6180b7519c376c70775d8f88c308ab197e71be1c974c60aea CVE-2018-20679.patch +6952770be92a980174691ac65fda778eaafd23bf8da63ad62149f2cb0f289bef216bb512ae5e013328b3bd5289a351124d22dd819b1e3116cc2244b435eb7287 CVE-2019-5747.patch aa93095e20de88730f526c6f463cef711b290b9582cdbd8c1ba2bd290019150cbeaa7007c2e15f0362d5b9315dd63f60511878f0ea05e893f4fdfb4a54af3fb1 acpid.logrotate 924ff0dac14b4f7213618bd1503ae1b251fea9c3ce11dd87a6ad23ac4fca9b3f765afefdc50f39613579f56b200547320977ec815f87f2c69e20b5aeb484116c busyboxconfig 74ab7aa1bad3d572869aa5dffae1e3c87d0d24159db5dc8b5521fc652dd32f904d973abd6adf43f21624d53b0844cd66ba93f02f962133a9c432f2ac7bfb42b3 busyboxconfig-extras diff --git a/main/busybox/CVE-2018-20679.patch b/main/busybox/CVE-2018-20679.patch new file mode 100644 index 0000000000..bc1a48bf4b --- /dev/null +++ b/main/busybox/CVE-2018-20679.patch @@ -0,0 +1,136 @@ +From 6d3b4bb24da9a07c263f3c1acf8df85382ff562c Mon Sep 17 00:00:00 2001 +From: Denys Vlasenko <vda.linux@googlemail.com> +Date: Mon, 17 Dec 2018 18:07:18 +0100 +Subject: udhcpc: check that 4-byte options are indeed 4-byte, closes 11506 + +function old new delta +udhcp_get_option32 - 27 +27 +udhcp_get_option 231 248 +17 +------------------------------------------------------------------------------ +(add/remove: 1/0 grow/shrink: 1/0 up/down: 44/0) Total: 44 bytes + +Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com> +--- + networking/udhcp/common.c | 19 +++++++++++++++++++ + networking/udhcp/common.h | 4 ++++ + networking/udhcp/dhcpc.c | 6 +++--- + networking/udhcp/dhcpd.c | 6 +++--- + 4 files changed, 29 insertions(+), 6 deletions(-) + +diff --git a/networking/udhcp/common.c b/networking/udhcp/common.c +index e5fd74f91..41b05b855 100644 +--- a/networking/udhcp/common.c ++++ b/networking/udhcp/common.c +@@ -272,6 +272,15 @@ uint8_t* FAST_FUNC udhcp_get_option(struct dhcp_packet *packet, int code) + goto complain; /* complain and return NULL */ + + if (optionptr[OPT_CODE] == code) { ++ if (optionptr[OPT_LEN] == 0) { ++ /* So far no valid option with length 0 known. ++ * Having this check means that searching ++ * for DHCP_MESSAGE_TYPE need not worry ++ * that returned pointer might be unsafe ++ * to dereference. ++ */ ++ goto complain; /* complain and return NULL */ ++ } + log_option("option found", optionptr); + return optionptr + OPT_DATA; + } +@@ -289,6 +298,16 @@ uint8_t* FAST_FUNC udhcp_get_option(struct dhcp_packet *packet, int code) + return NULL; + } + ++uint8_t* FAST_FUNC udhcp_get_option32(struct dhcp_packet *packet, int code) ++{ ++ uint8_t *r = udhcp_get_option(packet, code); ++ if (r) { ++ if (r[-1] != 4) ++ r = NULL; ++ } ++ return r; ++} ++ + /* Return the position of the 'end' option (no bounds checking) */ + int FAST_FUNC udhcp_end_option(uint8_t *optionptr) + { +diff --git a/networking/udhcp/common.h b/networking/udhcp/common.h +index 7ad603d33..9511152ff 100644 +--- a/networking/udhcp/common.h ++++ b/networking/udhcp/common.h +@@ -205,6 +205,10 @@ extern const uint8_t dhcp_option_lengths[] ALIGN1; + unsigned FAST_FUNC udhcp_option_idx(const char *name, const char *option_strings); + + uint8_t *udhcp_get_option(struct dhcp_packet *packet, int code) FAST_FUNC; ++/* Same as above + ensures that option length is 4 bytes ++ * (returns NULL if size is different) ++ */ ++uint8_t *udhcp_get_option32(struct dhcp_packet *packet, int code) FAST_FUNC; + int udhcp_end_option(uint8_t *optionptr) FAST_FUNC; + void udhcp_add_binary_option(struct dhcp_packet *packet, uint8_t *addopt) FAST_FUNC; + #if ENABLE_UDHCPC || ENABLE_UDHCPD +diff --git a/networking/udhcp/dhcpc.c b/networking/udhcp/dhcpc.c +index 4b23e4d39..5b3fd531c 100644 +--- a/networking/udhcp/dhcpc.c ++++ b/networking/udhcp/dhcpc.c +@@ -1691,7 +1691,7 @@ int udhcpc_main(int argc UNUSED_PARAM, char **argv) + * They say ISC DHCP client supports this case. + */ + server_addr = 0; +- temp = udhcp_get_option(&packet, DHCP_SERVER_ID); ++ temp = udhcp_get_option32(&packet, DHCP_SERVER_ID); + if (!temp) { + bb_error_msg("no server ID, using 0.0.0.0"); + } else { +@@ -1718,7 +1718,7 @@ int udhcpc_main(int argc UNUSED_PARAM, char **argv) + struct in_addr temp_addr; + uint8_t *temp; + +- temp = udhcp_get_option(&packet, DHCP_LEASE_TIME); ++ temp = udhcp_get_option32(&packet, DHCP_LEASE_TIME); + if (!temp) { + bb_error_msg("no lease time with ACK, using 1 hour lease"); + lease_seconds = 60 * 60; +@@ -1813,7 +1813,7 @@ int udhcpc_main(int argc UNUSED_PARAM, char **argv) + uint32_t svid; + uint8_t *temp; + +- temp = udhcp_get_option(&packet, DHCP_SERVER_ID); ++ temp = udhcp_get_option32(&packet, DHCP_SERVER_ID); + if (!temp) { + non_matching_svid: + log1("received DHCP NAK with wrong" +diff --git a/networking/udhcp/dhcpd.c b/networking/udhcp/dhcpd.c +index a8cd3f03b..477856d11 100644 +--- a/networking/udhcp/dhcpd.c ++++ b/networking/udhcp/dhcpd.c +@@ -640,7 +640,7 @@ static void add_server_options(struct dhcp_packet *packet) + static uint32_t select_lease_time(struct dhcp_packet *packet) + { + uint32_t lease_time_sec = server_config.max_lease_sec; +- uint8_t *lease_time_opt = udhcp_get_option(packet, DHCP_LEASE_TIME); ++ uint8_t *lease_time_opt = udhcp_get_option32(packet, DHCP_LEASE_TIME); + if (lease_time_opt) { + move_from_unaligned32(lease_time_sec, lease_time_opt); + lease_time_sec = ntohl(lease_time_sec); +@@ -987,7 +987,7 @@ int udhcpd_main(int argc UNUSED_PARAM, char **argv) + } + + /* Get SERVER_ID if present */ +- server_id_opt = udhcp_get_option(&packet, DHCP_SERVER_ID); ++ server_id_opt = udhcp_get_option32(&packet, DHCP_SERVER_ID); + if (server_id_opt) { + uint32_t server_id_network_order; + move_from_unaligned32(server_id_network_order, server_id_opt); +@@ -1011,7 +1011,7 @@ int udhcpd_main(int argc UNUSED_PARAM, char **argv) + } + + /* Get REQUESTED_IP if present */ +- requested_ip_opt = udhcp_get_option(&packet, DHCP_REQUESTED_IP); ++ requested_ip_opt = udhcp_get_option32(&packet, DHCP_REQUESTED_IP); + if (requested_ip_opt) { + move_from_unaligned32(requested_nip, requested_ip_opt); + } +-- +cgit v1.2.1 + diff --git a/main/busybox/CVE-2019-5747.patch b/main/busybox/CVE-2019-5747.patch new file mode 100644 index 0000000000..f81f02b30c --- /dev/null +++ b/main/busybox/CVE-2019-5747.patch @@ -0,0 +1,57 @@ +From 74d9f1ba37010face4bd1449df4d60dd84450b06 Mon Sep 17 00:00:00 2001 +From: Denys Vlasenko <vda.linux@googlemail.com> +Date: Mon, 7 Jan 2019 15:33:42 +0100 +Subject: udhcpc: when decoding DHCP_SUBNET, ensure it is 4 bytes long + +function old new delta +udhcp_run_script 795 801 +6 + +Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com> +--- + networking/udhcp/common.c | 2 +- + networking/udhcp/common.h | 2 +- + networking/udhcp/dhcpc.c | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/networking/udhcp/common.c b/networking/udhcp/common.c +index 4c2221b77..fc4de5716 100644 +--- a/networking/udhcp/common.c ++++ b/networking/udhcp/common.c +@@ -302,7 +302,7 @@ uint8_t* FAST_FUNC udhcp_get_option32(struct dhcp_packet *packet, int code) + { + uint8_t *r = udhcp_get_option(packet, code); + if (r) { +- if (r[-1] != 4) ++ if (r[-OPT_DATA + OPT_LEN] != 4) + r = NULL; + } + return r; +diff --git a/networking/udhcp/common.h b/networking/udhcp/common.h +index 9511152ff..62f9a2a4a 100644 +--- a/networking/udhcp/common.h ++++ b/networking/udhcp/common.h +@@ -119,7 +119,7 @@ enum { + //#define DHCP_TIME_SERVER 0x04 /* RFC 868 time server (32-bit, 0 = 1.1.1900) */ + //#define DHCP_NAME_SERVER 0x05 /* IEN 116 _really_ ancient kind of NS */ + //#define DHCP_DNS_SERVER 0x06 +-//#define DHCP_LOG_SERVER 0x07 /* port 704 UDP log (not syslog) ++//#define DHCP_LOG_SERVER 0x07 /* port 704 UDP log (not syslog) */ + //#define DHCP_COOKIE_SERVER 0x08 /* "quote of the day" server */ + //#define DHCP_LPR_SERVER 0x09 + #define DHCP_HOST_NAME 0x0c /* 12: either client informs server or server gives name to client */ +diff --git a/networking/udhcp/dhcpc.c b/networking/udhcp/dhcpc.c +index 5b3fd531c..dcec8cdfd 100644 +--- a/networking/udhcp/dhcpc.c ++++ b/networking/udhcp/dhcpc.c +@@ -531,7 +531,7 @@ static char **fill_envp(struct dhcp_packet *packet) + temp = udhcp_get_option(packet, code); + *curr = xmalloc_optname_optval(temp, &dhcp_optflags[i], opt_name); + putenv(*curr++); +- if (code == DHCP_SUBNET) { ++ if (code == DHCP_SUBNET && temp[-OPT_DATA + OPT_LEN] == 4) { + /* Subnet option: make things like "$ip/$mask" possible */ + uint32_t subnet; + move_from_unaligned32(subnet, temp); +-- +cgit v1.2.1 + |