diff options
| -rw-r--r-- | main/busybox/0001-wget-print-warning-when-internal-tls-is-used.patch | 87 | ||||
| -rw-r--r-- | main/busybox/APKBUILD | 3 |
2 files changed, 90 insertions, 0 deletions
diff --git a/main/busybox/0001-wget-print-warning-when-internal-tls-is-used.patch b/main/busybox/0001-wget-print-warning-when-internal-tls-is-used.patch new file mode 100644 index 0000000000..5a027c1bf5 --- /dev/null +++ b/main/busybox/0001-wget-print-warning-when-internal-tls-is-used.patch @@ -0,0 +1,87 @@ +From 76026fa8c9a62423e359b992b16b6e0bbdd4e5a1 Mon Sep 17 00:00:00 2001 +From: Jakub Jirutka <jakub@jirutka.cz> +Date: Thu, 24 May 2018 02:19:23 +0200 +Subject: [PATCH] wget: print warning when internal TLS is used + +Internal TLS code (FEATURE_WGET_HTTPS) does not implement verification +of the server's certificate. It is documented in the code, but not +even mentioned in the --help message, so users typically don't know +about this behaviour. That's a crime against security! + +This patch changes this behaviour for the case when both +FEATURE_WGET_LONG_OPTIONS and FEATURE_WGET_HTTPS are enabled - +before initializing a TLS connection using the internal TLS code (i.e. +without certificate validation) warning message is printed, unless the +user specified option "--no-check-certificate". + +See-Also: http://lists.busybox.net/pipermail/busybox/2018-May/086444.html +--- + networking/wget.c | 30 +++++++++++++++++++----------- + 1 file changed, 19 insertions(+), 11 deletions(-) + +diff --git a/networking/wget.c b/networking/wget.c +--- a/networking/wget.c ++++ b/networking/wget.c +@@ -135,18 +135,21 @@ + //usage:#define wget_full_usage "\n\n" + //usage: "Retrieve files via HTTP or FTP\n" + //usage: IF_FEATURE_WGET_LONG_OPTIONS( +-//usage: "\n --spider Only check URL existence: $? is 0 if exists" ++//usage: "\n --spider Only check URL existence: $? is 0 if exists" ++//usage: IF_FEATURE_WGET_HTTPS( ++//usage: "\n --no-check-certificate Don't validate the server's certificate" ++//usage: ) + //usage: ) +-//usage: "\n -c Continue retrieval of aborted transfer" +-//usage: "\n -q Quiet" +-//usage: "\n -P DIR Save to DIR (default .)" +-//usage: "\n -S Show server response" ++//usage: "\n -c Continue retrieval of aborted transfer" ++//usage: "\n -q Quiet" ++//usage: "\n -P DIR Save to DIR (default .)" ++//usage: "\n -S Show server response" + //usage: IF_FEATURE_WGET_TIMEOUT( +-//usage: "\n -T SEC Network read timeout is SEC seconds" ++//usage: "\n -T SEC Network read timeout is SEC seconds" + //usage: ) +-//usage: "\n -O FILE Save to FILE ('-' for stdout)" +-//usage: "\n -U STR Use STR for User-Agent header" +-//usage: "\n -Y on/off Use proxy" ++//usage: "\n -O FILE Save to FILE ('-' for stdout)" ++//usage: "\n -U STR Use STR for User-Agent header" ++//usage: "\n -Y on/off Use proxy" + + #include "libbb.h" + +@@ -267,6 +270,7 @@ + WGET_OPT_HEADER = (1 << 10) * ENABLE_FEATURE_WGET_LONG_OPTIONS, + WGET_OPT_POST_DATA = (1 << 11) * ENABLE_FEATURE_WGET_LONG_OPTIONS, + WGET_OPT_SPIDER = (1 << 12) * ENABLE_FEATURE_WGET_LONG_OPTIONS, ++ WGET_OPT_NO_CHECK_CERT = (1 << 13) * ENABLE_FEATURE_WGET_LONG_OPTIONS, + }; + + enum { +@@ -765,6 +769,11 @@ + int pid; + char *servername, *p; + ++#if ENABLE_FEATURE_WGET_LONG_OPTIONS ++ if (!(option_mask32 & WGET_OPT_NO_CHECK_CERT)) ++ bb_error_msg("WARNING: SSL/TLS certificate is not being validated!"); ++#endif ++ + servername = xstrdup(host); + p = strrchr(servername, ':'); + if (p) *p = '\0'; +@@ -1353,10 +1362,9 @@ + "header\0" Required_argument "\xff" + "post-data\0" Required_argument "\xfe" + "spider\0" No_argument "\xfd" ++ "no-check-certificate\0" No_argument "\xfc" + /* Ignored (we always use PASV): */ + IF_DESKTOP( "passive-ftp\0" No_argument "\xf0") +- /* Ignored (we don't do ssl) */ +-IF_DESKTOP( "no-check-certificate\0" No_argument "\xf0") + /* Ignored (we don't support caching) */ + IF_DESKTOP( "no-cache\0" No_argument "\xf0") + IF_DESKTOP( "no-verbose\0" No_argument "\xf0") diff --git a/main/busybox/APKBUILD b/main/busybox/APKBUILD index dbc9d9866e..6549f14841 100644 --- a/main/busybox/APKBUILD +++ b/main/busybox/APKBUILD @@ -44,6 +44,8 @@ source="http://busybox.net/downloads/$pkgname-$pkgver.tar.bz2 top-buffer-overflow.patch + 0001-wget-print-warning-when-internal-tls-is-used.patch + acpid.logrotate busyboxconfig busyboxconfig-extras @@ -207,6 +209,7 @@ a09a64b3bce8048c58a68dcd2dd9e63c911009c06195d6bb4e5aecfb5700e479c25b34635c608991 93b3188fe3397899a625c203bcc03ddedadb96cceeb38ecad3ad3395d75fdfa7e1ba7cfc34eb8ebc7c70165ae967da474735247bf114398bea00440e90b1bef7 0015-CVE-2017-15874.patch de61c39a31a7b43d3e23c48e1712faf1a468781a3b18872a937bf507980c474f3d66af815fb1708d282e53def32502f033bb2283926a506cb8f138e0667b1ebd 0001-ash-introduce-a-config-option-to-search-current.patch 524e858b52cb31fb8d24e8c7f18606fff349aeab6a14da9cca3902641f6127980daed73c53586c6e8b41eecda06cdb29c40ff1dde2dc82a318c2649680458921 top-buffer-overflow.patch +38973e70fc77450ba1bf4d2aa7db5425d57f18eab9ae5676d457294ade12ae6b44300ae41f100f452e2efa1d027612fa501c9ac0f95ce340519e1dce497e4971 0001-wget-print-warning-when-internal-tls-is-used.patch a9b1403c844c51934637215307dd9e2adb9458921047acff0d86dcf229b6e0027f4b2c6cdaa25a58407aad9d098fb5685d58eb5ff8d2aa3de4912cdea21fe54c acpid.logrotate c201ba9316450bac561a2ec831cabd6e98149e387721a140c95a2b441ed8d7589fb12cab9760315bfef491280e7638781e68905feed9a6fcfc55c0d864608964 busyboxconfig 7759d1611ce72f7aa9e4afbd48f410806b3bd59701fe8a570675898c504c0e15f85bacbc1578f87345197844ee6175117d348acc4fe29a742b7ac96b84fe7386 busyboxconfig-extras |