aboutsummaryrefslogtreecommitdiffstats
path: root/main/busybox
diff options
context:
space:
mode:
authorNatanael Copa <ncopa@alpinelinux.org>2016-03-22 11:39:58 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2016-03-22 11:43:05 +0000
commit6ad5097ddbca9754f6a9aa3833090534baff76a6 (patch)
tree62def94fdc4971425ab9bc7da37c2fa50d737045 /main/busybox
parentce1b9f834595b6c8853588d9fbb58a1988320936 (diff)
downloadaports-6ad5097ddbca9754f6a9aa3833090534baff76a6.tar.bz2
aports-6ad5097ddbca9754f6a9aa3833090534baff76a6.tar.xz
main/busybox: upgrade to 1.24.2, fix CVE-2016-2147,CVE-2016-2148
Diffstat (limited to 'main/busybox')
-rw-r--r--main/busybox/APKBUILD26
-rw-r--r--main/busybox/busybox-1.24.1-unzip-regression.patch135
-rw-r--r--main/busybox/busybox-1.24.1-unzip.patch110
-rw-r--r--main/busybox/busybox-1.24.2-CVE-2016-2147.patch72
-rw-r--r--main/busybox/busybox-1.24.2-CVE-2016-2148.patch55
5 files changed, 140 insertions, 258 deletions
diff --git a/main/busybox/APKBUILD b/main/busybox/APKBUILD
index 86f8bc866d..6b3873f793 100644
--- a/main/busybox/APKBUILD
+++ b/main/busybox/APKBUILD
@@ -1,8 +1,8 @@
# Contributor: Łukasz Jendrysik <scadu@yandex.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=busybox
-pkgver=1.24.1
-pkgrel=9
+pkgver=1.24.2
+pkgrel=0
pkgdesc="Size optimized toolbox of many common UNIX utilities"
url=http://busybox.net
arch="all"
@@ -21,8 +21,8 @@ source="http://busybox.net/downloads/$pkgname-$pkgver.tar.bz2
loginutils-sha512.patch
udhcpc-discover-retries.patch
- busybox-1.24.1-unzip.patch
- busybox-1.24.1-unzip-regression.patch
+ busybox-1.24.2-CVE-2016-2147.patch
+ busybox-1.24.2-CVE-2016-2148.patch
0001-ifupdown-pass-interface-device-name-for-ipv6-route-c.patch
0001-ifupdown-use-x-hostname-NAME-with-udhcpc.patch
@@ -155,15 +155,15 @@ static() {
"$subpkgdir"/bin/busybox.static
}
-md5sums="be98a40cadf84ce2d6b05fa41a275c6a busybox-1.24.1.tar.bz2
+md5sums="2eaae519cac1143bcf583636a745381f busybox-1.24.2.tar.bz2
f56a969a04ab631f97148095e9788929 bbsuid.c
d64b58a30892c558bdbab7f0d0997577 nologin.c
4c0f3b486eaa0674961b7ddcd0c60a9b busybox-1.11.1-bb.patch
c5a8dbc8696db6da9c4624b0e11d8fba bb-app-location.patch
8c42c9ef0f0419c314c86bcaf7796106 loginutils-sha512.patch
91a7584a562a72ba886936558e576bbd udhcpc-discover-retries.patch
-b7fef73cb77824525ef08fd8b2571961 busybox-1.24.1-unzip.patch
-023c0e0f9df375715f40792bedec8f4b busybox-1.24.1-unzip-regression.patch
+c45a85f5ced712743efbb683900f8c1d busybox-1.24.2-CVE-2016-2147.patch
+850a57ca2871e370b4916161a0320a3f busybox-1.24.2-CVE-2016-2148.patch
d6f0ecf89f7633753d8998abe7e06e7e 0001-ifupdown-pass-interface-device-name-for-ipv6-route-c.patch
e1c183cbe1ca18a0fa0d9597314076c9 0001-ifupdown-use-x-hostname-NAME-with-udhcpc.patch
69fa40bee9abec058427bf67fde1b61e 0001-diff-add-support-for-no-dereference.patch
@@ -181,15 +181,15 @@ a4d1cf64fd1835a284ccc6dbc78e3ce0 0001-ash-fix-error-during-recursive-processing
4046b78ee6a25259954797d73b94f4bd acpid.logrotate
78724c22bb072eedf42fd17452bfe4d3 busyboxconfig
befaac2c59c380e36a452b3f1c1d4a3a glibc.patch"
-sha256sums="37d03132cc078937360b392170b7a1d0e5b322eee9f57c0b82292a8b1f0afe3d busybox-1.24.1.tar.bz2
+sha256sums="e71ef53ec656f31c42633918d301405d40dea1d97eca12f272217ae4a971c855 busybox-1.24.2.tar.bz2
8961852c990be4f8cd92f1d9ad474631d44270c9d0f35bf433b21fd0854a90dd bbsuid.c
9bbf0bec82e6d6907474958f3be048c54657fbf49207810b7e4d4d6146f0069d nologin.c
327bb8049e2726351a5c8b6b2cef864f6ce58725d4453983f97092ea73656ccc busybox-1.11.1-bb.patch
576366b4d50f1078da6c0364ef70415de92d97c93c64f4d790b11d7a34cdccd2 bb-app-location.patch
57674b20158c0b266ed028b0c65299f9cbcad7d33d19c9fcc403d3967daba493 loginutils-sha512.patch
90825a443339f1c8c249d05f7b025ce53e374d305f8e113d98d45146b105494d udhcpc-discover-retries.patch
-dffbce75bfa9fc4a9bb9f74b3ee1e40477037cf9bbbeed60d6cd7a272ef2fb3f busybox-1.24.1-unzip.patch
-be9845c458bd8c671a16abf6ae1161c0a839b20db795ef8d6d4b08f70a9c214a busybox-1.24.1-unzip-regression.patch
+7cedbcfe2744a7efc1d811372932bc8ef610b8bbdfe34d28ba5a0b5d582b885d busybox-1.24.2-CVE-2016-2147.patch
+0d42e12334ff14616ce9dc22f02f15c8f3df3ef3334c9ef81abd29d21b5ac687 busybox-1.24.2-CVE-2016-2148.patch
666d0e9c5a4b37aca84d88138736012527d97de578f81b719bf913f558823e18 0001-ifupdown-pass-interface-device-name-for-ipv6-route-c.patch
53563c6dc4db13004d0b37f7bf1748e861b5a5c4244c1d34f102c23b689420c5 0001-ifupdown-use-x-hostname-NAME-with-udhcpc.patch
70180473e3939402e460b25de8273a5ce7f62b130a9efe31f33d847b2406ac92 0001-diff-add-support-for-no-dereference.patch
@@ -207,15 +207,15 @@ f712ce190ce86084d56977e125d1561615394f3d9b840e926537868260e19d79 0001-ash-backp
f7cbeb5a5a47395ad30454ce8262abcd3e91c33ef803c2ae31a9258d7142dd48 acpid.logrotate
529499778b833285d1cf821ef45dc1ef74f536fea010a43688e0bbab48c4c3a7 busyboxconfig
c604ef791c31d35a8c5ee4558d21428a46f37a6d762c4a7e29864f4037fc44a0 glibc.patch"
-sha512sums="3afc757ebaae61ae13c2c69097ee734717434f9e658eb77093a8b7b49af3326cbca2d723483ff84a1da99544b822fd2b47d9a97c68f09962e11754e5daf124ca busybox-1.24.1.tar.bz2
+sha512sums="4d20fb68ee440be2855231c7fd5f3cb9dd9bfcc1a688f0b59cd3f7a55c8819e9cc44bd15f91500713571f2a84e5e44adc0fa8ae0ae3ebf63961dfc9e1c9ef8e0 busybox-1.24.2.tar.bz2
02390d45b381daeccab0a06c2542ecd9a182ce07362b83fa39843b4c9efef4ac21b8a3dcf4371da4093c861ac06ed096f62fae88398f6ab16952e114897a7c66 bbsuid.c
4e7c291a70e879b74c0fc07c54a73ef50537d8be68fee6b2d409425c07afd2d67f9b6afcd8c33a7971014913cc5de85e45079681c9e77200c6cc2f34acfba6d2 nologin.c
eb7cce973bfd53ce3350713437b9e2751becfb8dfb10b14f27c4f812297c403b90f80dc2906179d499e8dffbe6df8aa37ae27625c552162923d59fe35b55b32b busybox-1.11.1-bb.patch
5c42b05be69c834c9fd5372c6b0d55a6399c74146a94ea09eae7285dd4fa75d1bde38bf7ab73e98638f65eb72db02115453cbdfe85a0085d742940366f617c7d bb-app-location.patch
69af4800fcf765b4ae029daced7ff171b6b04d810c94a987c7ba848e275a27b77b18b38df1b85f4a12c4a47ed42f62e0768260eb1198e2aff1c3cea898b85c61 loginutils-sha512.patch
34415fe69f6b8d42756046aa8e6d9e4f64a3b0ceb9f57c4c988e35870fe975f05d0ac76f1f9a712196e9c59e67aa2a54abf398242009134fb3aca342c25a3646 udhcpc-discover-retries.patch
-b8e67db3969d97e3c5cb19c7eb6b5588ffe6083a9ec63bb6e5ad2a399d473b6efc659a045375f20bbb896b956bc274206cc1659b595c1378beaa9034186459b3 busybox-1.24.1-unzip.patch
-2df0585545f9cf78eb773e9695f18117f2e2ea3b5259bf3479c4ed6e870e0624718f16fcc1a888a110cbaa0d3d477a5431e82e162c4e4a63a2c8d46eda670b5d busybox-1.24.1-unzip-regression.patch
+1268f11089ab5bc4d296995ff8216a8f2f6fbb644d20f04502f92fcadd1cafade43eb6e613fe4b9ab7e475e2bcc3b85ae8196d78c4d56a62db2ce0f3564ba644 busybox-1.24.2-CVE-2016-2147.patch
+0ffdfa24d5943a15d924fdd42b5d410c0a215d0cad1753caf6c6aba7d0e5be7a883b561a683a4ac8b906e96b1839f4e6f235501c1467afe50508284f51e42c0c busybox-1.24.2-CVE-2016-2148.patch
9c836f85d5bc3b33d459394679a93635658c59fb744e266109f84531d391880926d62d671f8ccef56d3b744f0bcc54a8ad2789931e50dcbc40d5d94158bcc503 0001-ifupdown-pass-interface-device-name-for-ipv6-route-c.patch
b1a1cc2ada657a3d3364c8c96853575d73784e769cd8768c170c27a3e59abd2beace75dff6d5047c4391725e961d93149f9c3f45ed75fb1c582bf18b818282c9 0001-ifupdown-use-x-hostname-NAME-with-udhcpc.patch
a35b66cd28b79ccc14b47315ac94677fdf8c14d8a6e8956707e71fb50d453dfc5b4b822832cd1faecfe9bf79e687f9b25a1357e0a88db530044c5f8514701c98 0001-diff-add-support-for-no-dereference.patch
diff --git a/main/busybox/busybox-1.24.1-unzip-regression.patch b/main/busybox/busybox-1.24.1-unzip-regression.patch
deleted file mode 100644
index 58d7b7c6bb..0000000000
--- a/main/busybox/busybox-1.24.1-unzip-regression.patch
+++ /dev/null
@@ -1,135 +0,0 @@
-From 092fabcf1df5d46cd22be4ffcd3b871f6180eb9c Mon Sep 17 00:00:00 2001
-From: Denys Vlasenko <vda.linux@googlemail.com>
-Date: Fri, 30 Oct 2015 23:41:53 +0100
-Subject: [PATCH] [g]unzip: fix recent breakage.
-
-Also, do emit error message we so painstakingly pass from gzip internals
-
-Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
-(cherry picked from commit 6bd3fff51aa74e2ee2d87887b12182a3b09792ef)
-Signed-off-by: Mike Frysinger <vapier@gentoo.org>
----
- archival/libarchive/decompress_gunzip.c | 33 +++++++++++++++++++++------------
- testsuite/unzip.tests | 1 +
- 2 files changed, 22 insertions(+), 12 deletions(-)
-
-diff --git a/archival/libarchive/decompress_gunzip.c b/archival/libarchive/decompress_gunzip.c
-index c76fd31..357c9bf 100644
---- a/archival/libarchive/decompress_gunzip.c
-+++ b/archival/libarchive/decompress_gunzip.c
-@@ -309,8 +309,7 @@ static int huft_build(const unsigned *b, const unsigned n,
- huft_t *q; /* points to current table */
- huft_t r; /* table entry for structure assignment */
- huft_t *u[BMAX]; /* table stack */
-- unsigned v[N_MAX]; /* values in order of bit length */
-- unsigned v_end;
-+ unsigned v[N_MAX + 1]; /* values in order of bit length. last v[] is never used */
- int ws[BMAX + 1]; /* bits decoded stack */
- int w; /* bits decoded */
- unsigned x[BMAX + 1]; /* bit offsets, then code stack */
-@@ -365,15 +364,17 @@ static int huft_build(const unsigned *b, const unsigned n,
- *xp++ = j;
- }
-
-- /* Make a table of values in order of bit lengths */
-+ /* Make a table of values in order of bit lengths.
-+ * To detect bad input, unused v[i]'s are set to invalid value UINT_MAX.
-+ * In particular, last v[i] is never filled and must not be accessed.
-+ */
-+ memset(v, 0xff, sizeof(v));
- p = b;
- i = 0;
-- v_end = 0;
- do {
- j = *p++;
- if (j != 0) {
- v[x[j]++] = i;
-- v_end = x[j];
- }
- } while (++i < n);
-
-@@ -435,7 +436,9 @@ static int huft_build(const unsigned *b, const unsigned n,
-
- /* set up table entry in r */
- r.b = (unsigned char) (k - w);
-- if (p >= v + v_end) { // Was "if (p >= v + n)" but v[] can be shorter!
-+ if (/*p >= v + n || -- redundant, caught by the second check: */
-+ *p == UINT_MAX /* do we access uninited v[i]? (see memset(v))*/
-+ ) {
- r.e = 99; /* out of values--invalid code */
- } else if (*p < s) {
- r.e = (unsigned char) (*p < 256 ? 16 : 15); /* 256 is EOB code */
-@@ -520,8 +523,9 @@ static NOINLINE int inflate_codes(STATE_PARAM_ONLY)
- e = t->e;
- if (e > 16)
- do {
-- if (e == 99)
-- abort_unzip(PASS_STATE_ONLY);;
-+ if (e == 99) {
-+ abort_unzip(PASS_STATE_ONLY);
-+ }
- bb >>= t->b;
- k -= t->b;
- e -= 16;
-@@ -557,8 +561,9 @@ static NOINLINE int inflate_codes(STATE_PARAM_ONLY)
- e = t->e;
- if (e > 16)
- do {
-- if (e == 99)
-+ if (e == 99) {
- abort_unzip(PASS_STATE_ONLY);
-+ }
- bb >>= t->b;
- k -= t->b;
- e -= 16;
-@@ -824,8 +829,9 @@ static int inflate_block(STATE_PARAM smallint *e)
-
- b_dynamic >>= 4;
- k_dynamic -= 4;
-- if (nl > 286 || nd > 30)
-+ if (nl > 286 || nd > 30) {
- abort_unzip(PASS_STATE_ONLY); /* bad lengths */
-+ }
-
- /* read in bit-length-code lengths */
- for (j = 0; j < nb; j++) {
-@@ -906,12 +912,14 @@ static int inflate_block(STATE_PARAM smallint *e)
- bl = lbits;
-
- i = huft_build(ll, nl, 257, cplens, cplext, &inflate_codes_tl, &bl);
-- if (i != 0)
-+ if (i != 0) {
- abort_unzip(PASS_STATE_ONLY);
-+ }
- bd = dbits;
- i = huft_build(ll + nl, nd, 0, cpdist, cpdext, &inflate_codes_td, &bd);
-- if (i != 0)
-+ if (i != 0) {
- abort_unzip(PASS_STATE_ONLY);
-+ }
-
- /* set up data for inflate_codes() */
- inflate_codes_setup(PASS_STATE bl, bd);
-@@ -999,6 +1007,7 @@ inflate_unzip_internal(STATE_PARAM transformer_state_t *xstate)
- error_msg = "corrupted data";
- if (setjmp(error_jmp)) {
- /* Error from deep inside zip machinery */
-+ bb_error_msg(error_msg);
- n = -1;
- goto ret;
- }
-diff --git a/testsuite/unzip.tests b/testsuite/unzip.tests
-index ca0a458..d8738a3 100755
---- a/testsuite/unzip.tests
-+++ b/testsuite/unzip.tests
-@@ -34,6 +34,7 @@ rm foo.zip
- testing "unzip (bad archive)" "uudecode; unzip bad.zip 2>&1; echo \$?" \
- "Archive: bad.zip
- inflating: ]3j½r«IK-%Ix
-+unzip: corrupted data
- unzip: inflate error
- 1
- " \
---
-2.6.2
-
diff --git a/main/busybox/busybox-1.24.1-unzip.patch b/main/busybox/busybox-1.24.1-unzip.patch
deleted file mode 100644
index 77f02c116c..0000000000
--- a/main/busybox/busybox-1.24.1-unzip.patch
+++ /dev/null
@@ -1,110 +0,0 @@
-From 1de25a6e87e0e627aa34298105a3d17c60a1f44e Mon Sep 17 00:00:00 2001
-From: Denys Vlasenko <vda.linux@googlemail.com>
-Date: Mon, 26 Oct 2015 19:33:05 +0100
-Subject: [PATCH] unzip: test for bad archive SEGVing
-
-function old new delta
-huft_build 1296 1300 +4
-
-Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
----
- archival/libarchive/decompress_gunzip.c | 11 +++++++----
- testsuite/unzip.tests | 23 ++++++++++++++++++++++-
- 2 files changed, 29 insertions(+), 5 deletions(-)
-
-diff --git a/archival/libarchive/decompress_gunzip.c b/archival/libarchive/decompress_gunzip.c
-index 7b6f459..30bf451 100644
---- a/archival/libarchive/decompress_gunzip.c
-+++ b/archival/libarchive/decompress_gunzip.c
-@@ -305,11 +305,12 @@ static int huft_build(const unsigned *b, const unsigned n,
- unsigned i; /* counter, current code */
- unsigned j; /* counter */
- int k; /* number of bits in current code */
-- unsigned *p; /* pointer into c[], b[], or v[] */
-+ const unsigned *p; /* pointer into c[], b[], or v[] */
- huft_t *q; /* points to current table */
- huft_t r; /* table entry for structure assignment */
- huft_t *u[BMAX]; /* table stack */
- unsigned v[N_MAX]; /* values in order of bit length */
-+ unsigned v_end;
- int ws[BMAX + 1]; /* bits decoded stack */
- int w; /* bits decoded */
- unsigned x[BMAX + 1]; /* bit offsets, then code stack */
-@@ -324,7 +325,7 @@ static int huft_build(const unsigned *b, const unsigned n,
-
- /* Generate counts for each bit length */
- memset(c, 0, sizeof(c));
-- p = (unsigned *) b; /* cast allows us to reuse p for pointing to b */
-+ p = b;
- i = n;
- do {
- c[*p]++; /* assume all entries <= BMAX */
-@@ -365,12 +366,14 @@ static int huft_build(const unsigned *b, const unsigned n,
- }
-
- /* Make a table of values in order of bit lengths */
-- p = (unsigned *) b;
-+ p = b;
- i = 0;
-+ v_end = 0;
- do {
- j = *p++;
- if (j != 0) {
- v[x[j]++] = i;
-+ v_end = x[j];
- }
- } while (++i < n);
-
-@@ -432,7 +435,7 @@ static int huft_build(const unsigned *b, const unsigned n,
-
- /* set up table entry in r */
- r.b = (unsigned char) (k - w);
-- if (p >= v + n) {
-+ if (p >= v + v_end) { // Was "if (p >= v + n)" but v[] can be shorter!
- r.e = 99; /* out of values--invalid code */
- } else if (*p < s) {
- r.e = (unsigned char) (*p < 256 ? 16 : 15); /* 256 is EOB code */
-diff --git a/testsuite/unzip.tests b/testsuite/unzip.tests
-index 8677a03..ca0a458 100755
---- a/testsuite/unzip.tests
-+++ b/testsuite/unzip.tests
-@@ -7,7 +7,7 @@
-
- . ./testing.sh
-
--# testing "test name" "options" "expected result" "file input" "stdin"
-+# testing "test name" "commands" "expected result" "file input" "stdin"
- # file input will be file called "input"
- # test can create a file "actual" instead of writing to stdout
-
-@@ -30,6 +30,27 @@ testing "unzip (subdir only)" "unzip -q foo.zip foo/ && test -d foo && test ! -f
- rmdir foo
- rm foo.zip
-
-+# File containing some damaged encrypted stream
-+testing "unzip (bad archive)" "uudecode; unzip bad.zip 2>&1; echo \$?" \
-+"Archive: bad.zip
-+ inflating: ]3j½r«IK-%Ix
-+unzip: inflate error
-+1
-+" \
-+"" "\
-+begin-base64 644 bad.zip
-+UEsDBBQAAgkIAAAAIQA5AAAANwAAADwAAAAQAAcAXTNqwr1ywqtJGxJLLSVJ
-+eCkBD0AdKBk8JzQsIj01JC0/ORJQSwMEFAECCAAAAAAhADoAAAAPAAAANgAA
-+AAwAAQASw73Ct1DCokohPXQiNjoUNTUiHRwgLT4WHlBLAQIQABQAAggIAAAA
-+oQA5AAAANwAAADwAAAAQQAcADAAAACwAMgCAAAAAAABdM2rCvXLCq0kbEkst
-+JUl4KQEPQB0oGSY4Cz4QNgEnJSYIPVBLAQIAABQAAggAAAAAIQAqAAAADwAA
-+BDYAAAAMAAEADQAAADIADQAAAEEAAAASw73Ct1DKokohPXQiNzA+FAI1HCcW
-+NzITNFBLBQUKAC4JAA04Cw0EOhZQSwUGAQAABAIAAgCZAAAAeQAAAAIALhM=
-+====
-+"
-+
-+rm *
-+
- # Clean up scratch directory.
-
- cd ..
---
-2.6.2
-
diff --git a/main/busybox/busybox-1.24.2-CVE-2016-2147.patch b/main/busybox/busybox-1.24.2-CVE-2016-2147.patch
new file mode 100644
index 0000000000..2187c9b673
--- /dev/null
+++ b/main/busybox/busybox-1.24.2-CVE-2016-2147.patch
@@ -0,0 +1,72 @@
+From 3c4de6e36c4d387a648622e7b828a05f2b1b47e6 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Fri, 26 Feb 2016 15:54:56 +0100
+Subject: [PATCH] udhcpc: fix OPTION_6RD parsing (could overflow its malloced
+ buffer)
+
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+Signed-off-by: Mike Frysinger <vapier@gentoo.org>
+(cherry picked from commit 352f79acbd759c14399e39baef21fc4ffe180ac2)
+---
+ networking/udhcp/common.c | 15 +++++++++++++--
+ networking/udhcp/dhcpc.c | 4 ++--
+ 2 files changed, 15 insertions(+), 4 deletions(-)
+
+diff --git a/networking/udhcp/common.c b/networking/udhcp/common.c
+index bc41c8d..680852c 100644
+--- a/networking/udhcp/common.c
++++ b/networking/udhcp/common.c
+@@ -142,7 +142,7 @@ const char dhcp_option_strings[] ALIGN1 =
+ * udhcp_str2optset: to determine how many bytes to allocate.
+ * xmalloc_optname_optval: to estimate string length
+ * from binary option length: (option[LEN] / dhcp_option_lengths[opt_type])
+- * is the number of elements, multiply in by one element's string width
++ * is the number of elements, multiply it by one element's string width
+ * (len_of_option_as_string[opt_type]) and you know how wide string you need.
+ */
+ const uint8_t dhcp_option_lengths[] ALIGN1 = {
+@@ -162,7 +162,18 @@ const uint8_t dhcp_option_lengths[] ALIGN1 = {
+ [OPTION_S32] = 4,
+ /* Just like OPTION_STRING, we use minimum length here */
+ [OPTION_STATIC_ROUTES] = 5,
+- [OPTION_6RD] = 22, /* ignored by udhcp_str2optset */
++ [OPTION_6RD] = 12, /* ignored by udhcp_str2optset */
++ /* The above value was chosen as follows:
++ * len_of_option_as_string[] for this option is >60: it's a string of the form
++ * "32 128 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 255.255.255.255 ".
++ * Each additional ipv4 address takes 4 bytes in binary option and appends
++ * another "255.255.255.255 " 16-byte string. We can set [OPTION_6RD] = 4
++ * but this severely overestimates string length: instead of 16 bytes,
++ * it adds >60 for every 4 bytes in binary option.
++ * We cheat and declare here that option is in units of 12 bytes.
++ * This adds more than 60 bytes for every three ipv4 addresses - more than enough.
++ * (Even 16 instead of 12 should work, but let's be paranoid).
++ */
+ };
+
+
+diff --git a/networking/udhcp/dhcpc.c b/networking/udhcp/dhcpc.c
+index 915f659..2332b57 100644
+--- a/networking/udhcp/dhcpc.c
++++ b/networking/udhcp/dhcpc.c
+@@ -113,7 +113,7 @@ static const uint8_t len_of_option_as_string[] = {
+ [OPTION_IP ] = sizeof("255.255.255.255 "),
+ [OPTION_IP_PAIR ] = sizeof("255.255.255.255 ") * 2,
+ [OPTION_STATIC_ROUTES ] = sizeof("255.255.255.255/32 255.255.255.255 "),
+- [OPTION_6RD ] = sizeof("32 128 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 255.255.255.255 "),
++ [OPTION_6RD ] = sizeof("132 128 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 255.255.255.255 "),
+ [OPTION_STRING ] = 1,
+ [OPTION_STRING_HOST ] = 1,
+ #if ENABLE_FEATURE_UDHCP_RFC3397
+@@ -220,7 +220,7 @@ static NOINLINE char *xmalloc_optname_optval(uint8_t *option, const struct dhcp_
+ type = optflag->flags & OPTION_TYPE_MASK;
+ optlen = dhcp_option_lengths[type];
+ upper_length = len_of_option_as_string[type]
+- * ((unsigned)(len + optlen - 1) / (unsigned)optlen);
++ * ((unsigned)(len + optlen) / (unsigned)optlen);
+
+ dest = ret = xmalloc(upper_length + strlen(opt_name) + 2);
+ dest += sprintf(ret, "%s=", opt_name);
+--
+2.7.4
+
diff --git a/main/busybox/busybox-1.24.2-CVE-2016-2148.patch b/main/busybox/busybox-1.24.2-CVE-2016-2148.patch
new file mode 100644
index 0000000000..08e08bec17
--- /dev/null
+++ b/main/busybox/busybox-1.24.2-CVE-2016-2148.patch
@@ -0,0 +1,55 @@
+From 3a76bb5136d05f94ee62e377aa723e63444912c7 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Thu, 10 Mar 2016 11:47:58 +0100
+Subject: [PATCH] udhcp: fix a SEGV on malformed RFC1035-encoded domain name
+
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+Signed-off-by: Mike Frysinger <vapier@gentoo.org>
+(cherry picked from commit d474ffc68290e0a83651c4432eeabfa62cd51e87)
+---
+ networking/udhcp/domain_codec.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/networking/udhcp/domain_codec.c b/networking/udhcp/domain_codec.c
+index c1325d8..8429367 100644
+--- a/networking/udhcp/domain_codec.c
++++ b/networking/udhcp/domain_codec.c
+@@ -63,11 +63,10 @@ char* FAST_FUNC dname_dec(const uint8_t *cstr, int clen, const char *pre)
+ if (crtpos + *c + 1 > clen) /* label too long? abort */
+ return NULL;
+ if (dst)
+- memcpy(dst + len, c + 1, *c);
++ /* \3com ---> "com." */
++ ((char*)mempcpy(dst + len, c + 1, *c))[0] = '.';
+ len += *c + 1;
+ crtpos += *c + 1;
+- if (dst)
+- dst[len - 1] = '.';
+ } else {
+ /* NUL: end of current domain name */
+ if (retpos == 0) {
+@@ -78,7 +77,10 @@ char* FAST_FUNC dname_dec(const uint8_t *cstr, int clen, const char *pre)
+ crtpos = retpos;
+ retpos = depth = 0;
+ }
+- if (dst)
++ if (dst && len != 0)
++ /* \4host\3com\0\4host and we are at \0:
++ * \3com was converted to "com.", change dot to space.
++ */
+ dst[len - 1] = ' ';
+ }
+
+@@ -228,6 +230,9 @@ int main(int argc, char **argv)
+ int len;
+ uint8_t *encoded;
+
++ uint8_t str[6] = { 0x00, 0x00, 0x02, 0x65, 0x65, 0x00 };
++ printf("NUL:'%s'\n", dname_dec(str, 6, ""));
++
+ #define DNAME_DEC(encoded,pre) dname_dec((uint8_t*)(encoded), sizeof(encoded), (pre))
+ printf("'%s'\n", DNAME_DEC("\4host\3com\0", "test1:"));
+ printf("test2:'%s'\n", DNAME_DEC("\4host\3com\0\4host\3com\0", ""));
+--
+2.7.4
+
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-18 01:46:31 +0000