sysmo-bts
/
generic-poky
9
0
Fork 0
Code Pull Requests Releases Activity

busybox: Security fix CVE-2016-2147 

busybox <= 1.24.2

(From OE-Core rev: 8a7a392ef37b3d5bd8ef81ab17d976696ad64dfe)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Armin Kuster 2016-04-27 17:47:22 -07:00 committed by Richard Purdie
parent 2928ca48e9
commit 9f3d7ae8f6
3 changed files with 91 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

57
meta/recipes-core/busybox/busybox/CVE-2016-2147.patch Normal file
View File

@ -0,0 +1,57 @@
From d474ffc68290e0a83651c4432eeabfa62cd51e87 Mon Sep 17 00:00:00 2001
From: Denys Vlasenko <vda.linux@googlemail.com>
Date: Thu, 10 Mar 2016 11:47:58 +0100
Subject: [PATCH] udhcp: fix a SEGV on malformed RFC1035-encoded domain name
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Upstream-Status: Backport
CVE: CVE-2016-2147
https://git.busybox.net/busybox/commit/?id=d474ffc
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
networking/udhcp/domain_codec.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
Index: busybox-1.23.2/networking/udhcp/domain_codec.c
===================================================================
--- busybox-1.23.2.orig/networking/udhcp/domain_codec.c
+++ busybox-1.23.2/networking/udhcp/domain_codec.c
@@ -63,11 +63,10 @@ char* FAST_FUNC dname_dec(const uint8_t
if (crtpos + *c + 1 > clen) /* label too long? abort */
return NULL;
if (dst)
- memcpy(dst + len, c + 1, *c);
+ /* \3com ---> "com." */
+ ((char*)mempcpy(dst + len, c + 1, *c))[0] = '.';
len += *c + 1;
crtpos += *c + 1;
- if (dst)
- dst[len - 1] = '.';
} else {
/* NUL: end of current domain name */
if (retpos == 0) {
@@ -78,7 +77,10 @@ char* FAST_FUNC dname_dec(const uint8_t
crtpos = retpos;
retpos = depth = 0;
}
- if (dst)
+ if (dst && len != 0)
+ /* \4host\3com\0\4host and we are at \0:
+ * \3com was converted to "com.", change dot to space.
+ */
dst[len - 1] = ' ';
}
@@ -228,6 +230,9 @@ int main(int argc, char **argv)
int len;
uint8_t *encoded;
+ uint8_t str[6] = { 0x00, 0x00, 0x02, 0x65, 0x65, 0x00 };
+ printf("NUL:'%s'\n", dname_dec(str, 6, ""));
+
#define DNAME_DEC(encoded,pre) dname_dec((uint8_t*)(encoded), sizeof(encoded), (pre))
printf("'%s'\n", DNAME_DEC("\4host\3com\0", "test1:"));
printf("test2:'%s'\n", DNAME_DEC("\4host\3com\0\4host\3com\0", ""));

32
meta/recipes-core/busybox/busybox/CVE-2016-2147_2.patch Normal file
View File

@ -0,0 +1,32 @@
From 1b7c17391de66502dd7a97c866e0a33681edbb1f Mon Sep 17 00:00:00 2001
From: Denys Vlasenko <vda.linux@googlemail.com>
Date: Fri, 11 Mar 2016 00:26:58 +0100
Subject: [PATCH] udhcpc: fix a warning in debug code
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Upsteam-Status: Backport
CVE: CVE-2016-2147 regression fix
https://git.busybox.net/busybox/commit/?id=1b7c17
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
networking/udhcp/domain_codec.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/networking/udhcp/domain_codec.c b/networking/udhcp/domain_codec.c
index cee31f1..5a923cc 100644
--- a/networking/udhcp/domain_codec.c
+++ b/networking/udhcp/domain_codec.c
@@ -7,6 +7,7 @@
* Licensed under GPLv2 or later, see file LICENSE in this source tree.
*/
#ifdef DNS_COMPR_TESTING
+# define _GNU_SOURCE
# define FAST_FUNC /* nothing */
# define xmalloc malloc
# include <stdlib.h>
--
2.3.5

2
meta/recipes-core/busybox/busybox_1.24.1.bb
View File

@ -45,6 +45,8 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
file://rcK \
file://runlevel \
file://CVE-2016-2148.patch \
file://CVE-2016-2147.patch \
file://CVE-2016-2147_2.patch \
"
SRC_URI_append_libc-musl = " file://musl.cfg "