main/busybox: security fix for CVE-2014-9645

fixes #3877
author: Natanael Copa <ncopa@alpinelinux.org> 2015-03-20 11:08:30 +0000
committer: Natanael Copa <ncopa@alpinelinux.org> 2015-03-20 11:08:56 +0000
commit: 124a4339b2e307db023572e5c771b425b7aebe86 (patch)
tree: 8418d91d07f0e73d47d98b739bb0185ad5d3014f
parent: 4a321833b7471a885bde7c6edeb027d98dac5a06 (diff)
download: aports-124a4339b2e307db023572e5c771b425b7aebe86.tar.bz2
aports-124a4339b2e307db023572e5c771b425b7aebe86.tar.xz
2 files changed, 211 insertions, 1 deletions
diff --git a/main/busybox/APKBUILD b/main/busybox/APKBUILD
index dd21d7af6..10a8392ed 100644
--- a/main/busybox/APKBUILD
+++ b/main/busybox/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=busybox
 pkgver=1.22.1
-pkgrel=14
+pkgrel=15
 pkgdesc="Size optimized toolbox of many common UNIX utilities"
 url=http://busybox.net
 arch="all"
@@ -40,6 +40,7 @@ source="http://busybox.net/downloads/$pkgname-$pkgver.tar.bz2
 	1000-fbsplash-use-virtual-y-size-in-mmap-size-calculation.patch
 	1001-fbsplash-support-console-switching.patch
 	1002-fbsplash-support-image-and-bar-alignment-and-positio.patch
+	CVE-2014-9645.patch
 
 	busyboxconfig
 	glibc.patch"
@@ -143,6 +144,7 @@ f2821edec523aadb36c3973d14386c1c  fix-top.patch
 699ce5aa1095ba4419cd595cec8a8f75  1000-fbsplash-use-virtual-y-size-in-mmap-size-calculation.patch
 b56d306ccba574da78dff060b7330806  1001-fbsplash-support-console-switching.patch
 4fe5f9e973674c7db3d07f295c363a7c  1002-fbsplash-support-image-and-bar-alignment-and-positio.patch
+be99c5fc740231791797681a997f8667  CVE-2014-9645.patch
 2fe6e74affe7d4e5e112035cead59432  busyboxconfig
 befaac2c59c380e36a452b3f1c1d4a3a  glibc.patch"
 sha256sums="ae0b029d0a9e4dd71a077a790840e496dd838998e4571b87b60fed7462b6678b  busybox-1.22.1.tar.bz2
@@ -169,6 +171,7 @@ d4673907d58ce80e78a3bfe3c2414b15e7a2b072cfea0c87c2ae9f709744b9ec  fix-top.patch
 043963183cad556bdae5d5608180f0cb76cf7eede175cd97aa002a787780500f  1000-fbsplash-use-virtual-y-size-in-mmap-size-calculation.patch
 b8b0b16ed67b0159256193b1d2108b8ef9aa8a334ab81e463bb970c71257da9a  1001-fbsplash-support-console-switching.patch
 e1f3fad8e21dfd72cfcae7ab3ba31d7938e964e0f9ec08b2da0b14d462435424  1002-fbsplash-support-image-and-bar-alignment-and-positio.patch
+106594ae7780edd08c44edb61f57384b6b988c6e5566cc5567a9347e1eee5c09  CVE-2014-9645.patch
 9bfb197fb57f9b3ac5b7a8800dfda6e5f7bee10db5e892d58176fa3733fe5229  busyboxconfig
 c604ef791c31d35a8c5ee4558d21428a46f37a6d762c4a7e29864f4037fc44a0  glibc.patch"
 sha512sums="3e99fe373d638f714c3a61e1b02493d85ca532f472df038f7557db518ded38347072882ed568852941be7aac46fc34007257b4287375335ff5a09b60b295ce80  busybox-1.22.1.tar.bz2
@@ -195,5 +198,6 @@ a35b66cd28b79ccc14b47315ac94677fdf8c14d8a6e8956707e71fb50d453dfc5b4b822832cd1fae
 2a8e9360e1cedd26bdb70d8cc036ef0abc7588bf2eee147c1c7436d7a40763f8e31d346b980145a36649130a2f811d299e4f46f7e1b60a8165a60ae9e79727d5  1000-fbsplash-use-virtual-y-size-in-mmap-size-calculation.patch
 a181dd54e8e11cf1199edb1b1fcd4b7402bbf142593b6014f32c6815bb7093b56899ad0fcc9f73c382f56203ac5274fb3d51fa070feb541436f23c31680f1a69  1001-fbsplash-support-console-switching.patch
 c33073416f7da2805a20f3f456f869217171c8fbfdef85f4ae481307aeb1e1b5717084bbbc619010fa5500c3f3f49b6468d5c122024fcc49d637c82427a3f553  1002-fbsplash-support-image-and-bar-alignment-and-positio.patch
+b2df8bca8705fcb48135e6e3e83a0705f3474dc904852a623d641a7d78ea5403e329e457147eed2fc76c7730d682a0b12bc005841357ba118ce71f2c2f5ae2f8  CVE-2014-9645.patch
 35ab915e729e73c4909793f58530edcfc10f10d750df0d41913892137f799f773a7bb476e29ed742c86d0f279603f85ed9bf5c660714571bc5f5179ea852aade  busyboxconfig
 1d2739379dab1deb3eae7cffd4845300eb7d30f7343b4a1209b21a5680860d55080ad45fdefe098b249ce3040c01951fa7f0a79cd447b2d7b260eb000099d9dc  glibc.patch"
diff --git a/main/busybox/CVE-2014-9645.patch b/main/busybox/CVE-2014-9645.patch
new file mode 100644
index 000000000..5661a960a
--- /dev/null
+++ b/main/busybox/CVE-2014-9645.patch
@@ -0,0 +1,206 @@
+diff --git a/modutils/depmod.c b/modutils/depmod.c
+index aa228ec..37a8482 100644
+--- a/modutils/depmod.c
++++ b/modutils/depmod.c
+@@ -33,7 +33,6 @@ typedef struct module_info {
+ static int FAST_FUNC parse_module(const char *fname, struct stat *sb UNUSED_PARAM,
+ 				void *data, int depth UNUSED_PARAM)
+ {
+-	char modname[MODULE_NAME_LEN];
+ 	module_info **first = (module_info **) data;
+ 	char *image, *ptr;
+ 	module_info *info;
+@@ -51,7 +50,10 @@ static int FAST_FUNC parse_module(const char *fname, struct stat *sb UNUSED_PARA
+ 
+ 	info->dnext = info->dprev = info;
+ 	info->name = xstrdup(fname + 2); /* skip "./" */
+-	info->modname = xstrdup(filename2modname(fname, modname));
++	info->modname = filename2modname(
++			bb_get_last_path_component_nostrip(fname),
++			NULL
++	);
+ 	for (ptr = image; ptr < image + len - 10; ptr++) {
+ 		if (strncmp(ptr, "depends=", 8) == 0) {
+ 			char *u;
+@@ -242,17 +244,19 @@ int depmod_main(int argc UNUSED_PARAM, char **argv)
+ 	if (!(option_mask32 & OPT_n))
+ 		xfreopen_write("modules.alias", stdout);
+ 	for (m = modules; m != NULL; m = m->next) {
++		char modname[MODULE_NAME_LEN];
+ 		const char *fname = bb_basename(m->name);
+-		int fnlen = strchrnul(fname, '.') - fname;
++		filename2modname(fname, modname);
+ 		while (m->aliases) {
+-			/* Last word can well be m->modname instead,
+-			 * but depmod from module-init-tools 3.4
+-			 * uses module basename, i.e., no s/-/_/g.
+-			 * (pathname and .ko.* are still stripped)
+-			 * Mimicking that... */
+-			printf("alias %s %.*s\n",
++			/*
++			 * Last word used to be a basename
++			 * (filename with path and .ko.* stripped)
++			 * at the time of module-init-tools 3.4.
++			 * kmod v.12 uses module name, i.e., s/-/_/g.
++			 */
++			printf("alias %s %s\n",
+ 				(char*)llist_pop(&m->aliases),
+-				fnlen, fname);
++				modname);
+ 		}
+ 	}
+ #endif
+@@ -260,12 +264,13 @@ int depmod_main(int argc UNUSED_PARAM, char **argv)
+ 	if (!(option_mask32 & OPT_n))
+ 		xfreopen_write("modules.symbols", stdout);
+ 	for (m = modules; m != NULL; m = m->next) {
++		char modname[MODULE_NAME_LEN];
+ 		const char *fname = bb_basename(m->name);
+-		int fnlen = strchrnul(fname, '.') - fname;
++		filename2modname(fname, modname);
+ 		while (m->symbols) {
+-			printf("alias symbol:%s %.*s\n",
++			printf("alias symbol:%s %s\n",
+ 				(char*)llist_pop(&m->symbols),
+-				fnlen, fname);
++				modname);
+ 		}
+ 	}
+ #endif
+diff --git a/modutils/modinfo.c b/modutils/modinfo.c
+index 7c978d1..ee37930 100644
+--- a/modutils/modinfo.c
++++ b/modutils/modinfo.c
+@@ -34,14 +34,14 @@ struct modinfo_env {
+ 	int tags;
+ };
+ 
+-static int display(const char *data, const char *pattern, int flag)
++static void display(const char *data, const char *pattern, int flag)
+ {
+ 	if (flag) {
+ 		int n = printf("%s:", pattern);
+ 		while (n++ < 16)
+ 			bb_putchar(' ');
+ 	}
+-	return printf("%s%c", data, (option_mask32 & OPT_0) ? '\0' : '\n');
++	printf("%s%c", data, (option_mask32 & OPT_0) ? '\0' : '\n');
+ }
+ 
+ static void modinfo(const char *path, const char *version,
+@@ -104,7 +104,8 @@ static void modinfo(const char *path, const char *version,
+ 				/* field prefixes are 0x80 or 0x00 */
+ 				if ((ptr[-1] & 0x7F) == '\0') {
+ 					ptr += length + 1;
+-					ptr += display(ptr, pattern, (1<<j) != tags);
++					display(ptr, pattern, (1<<j) != tags);
++					ptr += strlen(ptr);
+ 				}
+ 			}
+ 			++ptr;
+@@ -153,7 +154,7 @@ int modinfo_main(int argc UNUSED_PARAM, char **argv)
+ 		if (colon == NULL)
+ 			continue;
+ 		*colon = '\0';
+-		filename2modname(tokens[0], name);
++		filename2modname(bb_basename(tokens[0]), name);
+ 		for (i = 0; argv[i]; i++) {
+ 			if (fnmatch(argv[i], name, 0) == 0) {
+ 				modinfo(tokens[0], uts.release, &env);
+diff --git a/modutils/modprobe.c b/modutils/modprobe.c
+index 7f7446d..0e8aa9e 100644
+--- a/modutils/modprobe.c
++++ b/modutils/modprobe.c
+@@ -229,9 +232,14 @@ static ALWAYS_INLINE struct module_entry *get_or_add_modentry(const char *module
+ {
+ 	return helper_get_module(module, 1);
+ }
+-static ALWAYS_INLINE struct module_entry *get_modentry(const char *module)
++/* So far this function always gets a module pathname, never an alias name.
++ * The crucial difference is that pathname needs dirname stripping,
++ * while alias name must NOT do it!
++ * Testcase where dirname stripping is likely to go wrong: "modprobe devname:snd/timer"
++ */
++static ALWAYS_INLINE struct module_entry *get_modentry(const char *pathname)
+ {
+-	return helper_get_module(module, 0);
++	return helper_get_module(bb_get_last_path_component_nostrip(pathname), 0);
+ }
+ 
+ static void add_probe(const char *name)
+@@ -417,7 +425,7 @@ static int do_modprobe(struct module_entry *m)
+ 
+ 		rc = 0;
+ 		fn = llist_pop(&m->deps); /* we leak it */
+-		m2 = get_or_add_modentry(fn);
++		m2 = get_or_add_modentry(bb_get_last_path_component_nostrip(fn));
+ 
+ 		if (option_mask32 & OPT_REMOVE) {
+ 			/* modprobe -r */
+@@ -499,7 +507,7 @@ static void load_modules_dep(void)
+ 		colon = last_char_is(tokens[0], ':');
+ 		if (colon == NULL)
+ 			continue;
+-		*colon = 0;
++		*colon = '\0';
+ 
+ 		m = get_modentry(tokens[0]);
+ 		if (m == NULL)
+@@ -546,7 +554,6 @@ int modprobe_main(int argc UNUSED_PARAM, char **argv)
+ 
+ 	if (opt & OPT_LIST_ONLY) {
+ 		int i;
+-		char name[MODULE_NAME_LEN];
+ 		char *colon, *tokens[2];
+ 		parser_t *p = config_open2(CONFIG_DEFAULT_DEPMOD_FILE, xfopen_for_read);
+ 
+@@ -558,10 +565,14 @@ int modprobe_main(int argc UNUSED_PARAM, char **argv)
+ 			if (!colon)
+ 				continue;
+ 			*colon = '\0';
+-			filename2modname(tokens[0], name);
+ 			if (!argv[0])
+ 				puts(tokens[0]);
+ 			else {
++				char name[MODULE_NAME_LEN];
++				filename2modname(
++					bb_get_last_path_component_nostrip(tokens[0]),
++					name
++				);
+ 				for (i = 0; argv[i]; i++) {
+ 					if (fnmatch(argv[i], name, 0) == 0) {
+ 						puts(tokens[0]);
+diff --git a/modutils/modutils.c b/modutils/modutils.c
+index 6187ca7..84300d9 100644
+--- a/modutils/modutils.c
++++ b/modutils/modutils.c
+@@ -47,18 +47,26 @@ int FAST_FUNC string_to_llist(char *string, llist_t **llist, const char *delim)
+ 
+ char* FAST_FUNC filename2modname(const char *filename, char *modname)
+ {
++	char local_modname[MODULE_NAME_LEN];
+ 	int i;
+-	char *from;
++	const char *from;
+ 
+ 	if (filename == NULL)
+ 		return NULL;
+ 	if (modname == NULL)
+-		modname = xmalloc(MODULE_NAME_LEN);
+-	from = bb_get_last_path_component_nostrip(filename);
++		modname = local_modname;
++	// Disabled since otherwise "modprobe dir/name" would work
++	// as if it is "modprobe name". It is unclear why
++	// 'basenamization' was here in the first place.
++	//from = bb_get_last_path_component_nostrip(filename);
++	from = filename;
+ 	for (i = 0; i < (MODULE_NAME_LEN-1) && from[i] != '\0' && from[i] != '.'; i++)
+ 		modname[i] = (from[i] == '-') ? '_' : from[i];
+ 	modname[i] = '\0';
+ 
++	if (modname == local_modname)
++		return xstrdup(modname);
++
+ 	return modname;
+ }
+
author	Natanael Copa <ncopa@alpinelinux.org>	2015-03-20 11:08:30 +0000
committer	Natanael Copa <ncopa@alpinelinux.org>	2015-03-20 11:08:56 +0000
commit	124a4339b2e307db023572e5c771b425b7aebe86 (patch)
tree	8418d91d07f0e73d47d98b739bb0185ad5d3014f
parent	4a321833b7471a885bde7c6edeb027d98dac5a06 (diff)
download	aports-124a4339b2e307db023572e5c771b425b7aebe86.tar.bz2 aports-124a4339b2e307db023572e5c771b425b7aebe86.tar.xz