mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-05-08 17:19:20 +00:00
Code Issues Projects Releases Wiki Activity

busybox: update to 1.29.2

Browse Source 
- refresh busybox-udhcpc-no_deconfig.patch
  - remove obsolete patches which are included in this update
  - update defconfig
  - Add newly required virtual/crypt depends [RB]

(From OE-Core rev: b9c7fdd4b204ab1c2466e9ec5d933bbc635fcc4f)

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Andrej Valek
2018-08-30 18:02:44 +02:00
committed by Richard Purdie
parent 5b2a6e0edc
commit 29108755c1
10 changed files with 67 additions and 803 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta/recipes-core/busybox/busybox-inittab_1.27.2.bb → meta/recipes-core/busybox/busybox-inittab_1.29.2.bb
View File
meta/recipes-core/busybox/busybox.inc
+1 -1
View File
@@ -3,7 +3,7 @@ DESCRIPTION = "BusyBox combines tiny versions of many common UNIX utilities into
HOMEPAGE = "http://www.busybox.net"
BUGTRACKER = "https://bugs.busybox.net/"
DEPENDS += "kern-tools-native"
DEPENDS += "kern-tools-native virtual/crypt"
# bzip2 applet in busybox is based on lightly-modified bzip2 source
# the GPL is version 2 only
meta/recipes-core/busybox/busybox/CVE-2011-5325.patch
-481
View File
@@ -1,481 +0,0 @@
busybox-1.27.2: Fix CVE-2011-5325
[No upstream tracking] -- https://bugs.busybox.net/show_bug.cgi?id=8411
libarchive: do not extract unsafe symlinks
Prevent unsafe links extracting unless env variable $EXTRACT_UNSAFE_SYMLINKS=1
is not set. Untarring file with -C DESTDIR parameter could be extracted with
unwanted symlinks. This doesn't feel right, and IIRC GNU tar doesn't do that.
Include necessary changes from previous commits.
Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=bc9bbeb2b81001e8731cd2ae501c8fccc8d87cc7]
CVE: CVE-2011-5325
bug: 8411
Signed-off-by: Radovan Scasny <radovan.scasny@siemens.com>
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
diff --git a/archival/libarchive/Kbuild.src b/archival/libarchive/Kbuild.src
index 942e755..e1a8a75 100644
--- a/archival/libarchive/Kbuild.src
+++ b/archival/libarchive/Kbuild.src
@@ -12,6 +12,8 @@ COMMON_FILES:= \
data_extract_all.o \
data_extract_to_stdout.o \
\
+ unsafe_symlink_target.o \
+\
filter_accept_all.o \
filter_accept_list.o \
filter_accept_reject_list.o \
diff --git a/archival/libarchive/data_extract_all.c b/archival/libarchive/data_extract_all.c
index 1830ffb..b828b65 100644
--- a/archival/libarchive/data_extract_all.c
+++ b/archival/libarchive/data_extract_all.c
@@ -128,10 +128,9 @@ void FAST_FUNC data_extract_all(archive_handle_t *archive_handle)
res = link(hard_link, dst_name);
if (res != 0 && !(archive_handle->ah_flags & ARCHIVE_EXTRACT_QUIET)) {
/* shared message */
- bb_perror_msg("can't create %slink "
- "%s to %s", "hard",
- dst_name,
- hard_link);
+ bb_perror_msg("can't create %slink '%s' to '%s'",
+ "hard", dst_name, hard_link
+ );
}
/* Hardlinks have no separate mode/ownership, skip chown/chmod */
goto ret;
@@ -178,15 +177,17 @@ void FAST_FUNC data_extract_all(archive_handle_t *archive_handle)
case S_IFLNK:
/* Symlink */
//TODO: what if file_header->link_target == NULL (say, corrupted tarball?)
- res = symlink(file_header->link_target, dst_name);
- if (res != 0
- && !(archive_handle->ah_flags & ARCHIVE_EXTRACT_QUIET)
- ) {
- /* shared message */
- bb_perror_msg("can't create %slink "
- "%s to %s", "sym",
- dst_name,
- file_header->link_target);
+ if (!unsafe_symlink_target(file_header->link_target)) {
+ res = symlink(file_header->link_target, dst_name);
+ if (res != 0
+ && !(archive_handle->ah_flags & ARCHIVE_EXTRACT_QUIET)
+ ) {
+ /* shared message */
+ bb_perror_msg("can't create %slink '%s' to '%s'",
+ "sym",
+ dst_name, file_header->link_target
+ );
+ }
}
break;
case S_IFSOCK:
diff --git a/archival/libarchive/unsafe_symlink_target.c b/archival/libarchive/unsafe_symlink_target.c
new file mode 100644
index 0000000..ee46e28
--- /dev/null
+++ b/archival/libarchive/unsafe_symlink_target.c
@@ -0,0 +1,48 @@
+/* vi: set sw=4 ts=4: */
+/*
+ * Licensed under GPLv2 or later, see file LICENSE in this source tree.
+ */
+#include "libbb.h"
+#include "bb_archive.h"
+
+int FAST_FUNC unsafe_symlink_target(const char *target)
+{
+ const char *dot;
+
+ if (target[0] == '/') {
+ const char *var;
+unsafe:
+ var = getenv("EXTRACT_UNSAFE_SYMLINKS");
+ if (var) {
+ if (LONE_CHAR(var, '1'))
+ return 0; /* pretend it's safe */
+ return 1; /* "UNSAFE!" */
+ }
+ bb_error_msg("skipping unsafe symlink to '%s' in archive,"
+ " set %s=1 to extract",
+ target,
+ "EXTRACT_UNSAFE_SYMLINKS"
+ );
+ /* Prevent further messages */
+ setenv("EXTRACT_UNSAFE_SYMLINKS", "0", 0);
+ return 1; /* "UNSAFE!" */
+ }
+
+ dot = target;
+ for (;;) {
+ dot = strchr(dot, '.');
+ if (!dot)
+ return 0; /* safe target */
+
+ /* Is it a path component starting with ".."? */
+ if ((dot[1] == '.')
+ && (dot == target || dot[-1] == '/')
+ /* Is it exactly ".."? */
+ && (dot[2] == '/' || dot[2] == '\0')
+ ) {
+ goto unsafe;
+ }
+ /* NB: it can even be trailing ".", should only add 1 */
+ dot += 1;
+ }
+}
\ No newline at end of file
diff --git a/archival/unzip.c b/archival/unzip.c
index 9037262..270e261 100644
--- a/archival/unzip.c
+++ b/archival/unzip.c
@@ -335,6 +335,44 @@ static void unzip_create_leading_dirs(const char *fn)
free(name);
}
+static void unzip_extract_symlink(zip_header_t *zip, const char *dst_fn)
+{
+ char *target;
+
+ if (zip->fmt.ucmpsize > 0xfff) /* no funny business please */
+ bb_error_msg_and_die("bad archive");
+
+ if (zip->fmt.method == 0) {
+ /* Method 0 - stored (not compressed) */
+ target = xzalloc(zip->fmt.ucmpsize + 1);
+ xread(zip_fd, target, zip->fmt.ucmpsize);
+ } else {
+#if 1
+ bb_error_msg_and_die("compressed symlink is not supported");
+#else
+ transformer_state_t xstate;
+ init_transformer_state(&xstate);
+ xstate.mem_output_size_max = zip->fmt.ucmpsize;
+ /* ...unpack... */
+ if (!xstate.mem_output_buf)
+ WTF();
+ target = xstate.mem_output_buf;
+ target = xrealloc(target, xstate.mem_output_size + 1);
+ target[xstate.mem_output_size] = '\0';
+#endif
+ }
+ if (!unsafe_symlink_target(target)) {
+//TODO: libbb candidate
+ if (symlink(target, dst_fn)) {
+ /* shared message */
+ bb_perror_msg_and_die("can't create %slink '%s' to '%s'",
+ "sym", dst_fn, target
+ );
+ }
+ }
+ free(target);
+}
+
static void unzip_extract(zip_header_t *zip, int dst_fd)
{
transformer_state_t xstate;
@@ -813,7 +851,7 @@ int unzip_main(int argc, char **argv)
}
check_file:
/* Extract file */
- if (stat(dst_fn, &stat_buf) == -1) {
+ if (lstat(dst_fn, &stat_buf) == -1) {
/* File does not exist */
if (errno != ENOENT) {
bb_perror_msg_and_die("can't stat '%s'", dst_fn);
@@ -834,6 +872,7 @@ int unzip_main(int argc, char **argv)
goto do_open_and_extract;
printf("replace %s? [y]es, [n]o, [A]ll, [N]one, [r]ename: ", dst_fn);
my_fgets80(key_buf);
+//TODO: redo lstat + ISREG check! user input could have taken a long time!
switch (key_buf[0]) {
case 'A':
@@ -842,7 +881,8 @@ int unzip_main(int argc, char **argv)
do_open_and_extract:
unzip_create_leading_dirs(dst_fn);
#if ENABLE_FEATURE_UNZIP_CDF
- dst_fd = xopen3(dst_fn, O_WRONLY | O_CREAT | O_TRUNC, file_mode);
+ if (!S_ISLNK(file_mode))
+ dst_fd = xopen3(dst_fn, O_WRONLY | O_CREAT | O_TRUNC, file_mode);
#else
dst_fd = xopen(dst_fn, O_WRONLY | O_CREAT | O_TRUNC);
#endif
@@ -852,10 +892,18 @@ int unzip_main(int argc, char **argv)
? " extracting: %s\n"
: */ " inflating: %s\n", dst_fn);
}
- unzip_extract(&zip, dst_fd);
- if (dst_fd != STDOUT_FILENO) {
- /* closing STDOUT is potentially bad for future business */
- close(dst_fd);
+#if ENABLE_FEATURE_UNZIP_CDF
+ if (S_ISLNK(file_mode)) {
+ if (dst_fd != STDOUT_FILENO) /* no -p */
+ unzip_extract_symlink(&zip, dst_fn);
+ } else
+#endif
+ {
+ unzip_extract(&zip, dst_fd);
+ if (dst_fd != STDOUT_FILENO) {
+ /* closing STDOUT is potentially bad for future business */
+ close(dst_fd);
+ };
}
break;
diff --git a/coreutils/link.c b/coreutils/link.c
index ac3ef85..aab249d 100644
--- a/coreutils/link.c
+++ b/coreutils/link.c
@@ -32,9 +32,8 @@ int link_main(int argc UNUSED_PARAM, char **argv)
argv += optind;
if (link(argv[0], argv[1]) != 0) {
/* shared message */
- bb_perror_msg_and_die("can't create %slink "
- "%s to %s", "hard",
- argv[1], argv[0]
+ bb_perror_msg_and_die("can't create %slink '%s' to '%s'",
+ "hard", argv[1], argv[0]
);
}
return EXIT_SUCCESS;
diff --git a/include/bb_archive.h b/include/bb_archive.h
index 2b9c5f0..1e4da3c 100644
--- a/include/bb_archive.h
+++ b/include/bb_archive.h
@@ -196,6 +196,7 @@ void seek_by_jump(int fd, off_t amount) FAST_FUNC;
void seek_by_read(int fd, off_t amount) FAST_FUNC;
const char *strip_unsafe_prefix(const char *str) FAST_FUNC;
+int unsafe_symlink_target(const char *target) FAST_FUNC;
void data_align(archive_handle_t *archive_handle, unsigned boundary) FAST_FUNC;
const llist_t *find_list_entry(const llist_t *list, const char *filename) FAST_FUNC;
diff --git a/libbb/copy_file.c b/libbb/copy_file.c
index 23c0f83..be90066 100644
--- a/libbb/copy_file.c
+++ b/libbb/copy_file.c
@@ -371,7 +371,10 @@ int FAST_FUNC copy_file(const char *source, const char *dest, int flags)
int r = symlink(lpath, dest);
free(lpath);
if (r < 0) {
- bb_perror_msg("can't create symlink '%s'", dest);
+ /* shared message */
+ bb_perror_msg("can't create %slink '%s' to '%s'",
+ "sym", dest, lpath
+ );
return -1;
}
if (flags & FILEUTILS_PRESERVE_STATUS)
diff --git a/testsuite/tar.tests b/testsuite/tar.tests
index 9f7ce15..b7cd74c 100755
--- a/testsuite/tar.tests
+++ b/testsuite/tar.tests
@@ -10,9 +10,6 @@ unset LC_COLLATE
unset LC_ALL
umask 022
-rm -rf tar.tempdir 2>/dev/null
-mkdir tar.tempdir && cd tar.tempdir || exit 1
-
# testing "test name" "script" "expected result" "file input" "stdin"
testing "Empty file is not a tarball" '\
@@ -53,6 +50,7 @@ dd if=/dev/zero bs=512 count=20 2>/dev/null | tar xvf - 2>&1; echo $?
"" ""
SKIP=
+mkdir tar.tempdir && cd tar.tempdir || exit 1
# "tar cf test.tar input input_dir/ input_hard1 input_hard2 input_hard1 input_dir/ input":
# GNU tar 1.26 records as hardlinks:
# input_hard2 -> input_hard1
@@ -64,7 +62,6 @@ SKIP=
# We also don't use "hrw-r--r--" notation for hardlinks in "tar tv" listing.
optional FEATURE_TAR_CREATE FEATURE_LS_SORTFILES
testing "tar hardlinks and repeated files" '\
-rm -rf input_* test.tar 2>/dev/null
>input_hard1
ln input_hard1 input_hard2
mkdir input_dir
@@ -95,10 +92,11 @@ drwxr-xr-x input_dir
" \
"" ""
SKIP=
+cd .. || exit 1; rm -rf tar.tempdir 2>/dev/null
+mkdir tar.tempdir && cd tar.tempdir || exit 1
optional FEATURE_TAR_CREATE FEATURE_LS_SORTFILES
testing "tar hardlinks mode" '\
-rm -rf input_* test.tar 2>/dev/null
>input_hard1
chmod 741 input_hard1
ln input_hard1 input_hard2
@@ -128,10 +126,11 @@ Ok: 0
" \
"" ""
SKIP=
+cd .. || exit 1; rm -rf tar.tempdir 2>/dev/null
+mkdir tar.tempdir && cd tar.tempdir || exit 1
optional FEATURE_TAR_CREATE FEATURE_LS_SORTFILES
testing "tar symlinks mode" '\
-rm -rf input_* test.tar 2>/dev/null
>input_file
chmod 741 input_file
ln -s input_file input_soft
@@ -159,10 +158,11 @@ lrwxrwxrwx input_file
" \
"" ""
SKIP=
+cd .. || exit 1; rm -rf tar.tempdir 2>/dev/null
+mkdir tar.tempdir && cd tar.tempdir || exit 1
optional FEATURE_TAR_CREATE FEATURE_TAR_LONG_OPTIONS
testing "tar --overwrite" "\
-rm -rf input_* test.tar 2>/dev/null
ln input input_hard
tar cf test.tar input_hard
echo WRONG >input
@@ -174,12 +174,13 @@ Ok
" \
"Ok\n" ""
SKIP=
+cd .. || exit 1; rm -rf tar.tempdir 2>/dev/null
+mkdir tar.tempdir && cd tar.tempdir || exit 1
test x"$SKIP_KNOWN_BUGS" = x"" && {
# Needs to be run under non-root for meaningful test
optional FEATURE_TAR_CREATE
testing "tar writing into read-only dir" '\
-rm -rf input_* test.tar 2>/dev/null
mkdir input_dir
>input_dir/input_file
chmod 550 input_dir
@@ -201,7 +202,9 @@ dr-xr-x--- input_dir
"" ""
SKIP=
}
+cd .. || exit 1; rm -rf tar.tempdir 2>/dev/null
+mkdir tar.tempdir && cd tar.tempdir || exit 1
# Had a bug where on extract autodetect first "switched off" -z
# and then failed to recognize .tgz extension
optional FEATURE_TAR_CREATE FEATURE_SEAMLESS_GZ GUNZIP
@@ -217,7 +220,9 @@ Ok
" \
"" ""
SKIP=
+cd .. || exit 1; rm -rf tar.tempdir 2>/dev/null
+mkdir tar.tempdir && cd tar.tempdir || exit 1
# Do we detect XZ-compressed data (even w/o .tar.xz or txz extension)?
# (the uuencoded hello_world.txz contains one empty file named "hello_world")
optional UUDECODE FEATURE_TAR_AUTODETECT FEATURE_SEAMLESS_XZ
@@ -236,7 +241,9 @@ AAAEWVo=
====
"
SKIP=
+cd .. || exit 1; rm -rf tar.tempdir 2>/dev/null
+mkdir tar.tempdir && cd tar.tempdir || exit 1
# On extract, everything up to and including last ".." component is stripped
optional FEATURE_TAR_CREATE
testing "tar strips /../ on extract" "\
@@ -255,7 +262,9 @@ Ok
" \
"" ""
SKIP=
+cd .. || exit 1; rm -rf tar.tempdir 2>/dev/null
+mkdir tar.tempdir && cd tar.tempdir || exit 1
# attack.tar.bz2 has symlink pointing to a system file
# followed by a regular file with the same name
# containing "root::0:0::/root:/bin/sh":
@@ -270,6 +279,7 @@ optional UUDECODE FEATURE_TAR_AUTODETECT FEATURE_SEAMLESS_BZ2
testing "tar does not extract into symlinks" "\
>>/tmp/passwd && uudecode -o input && tar xf input 2>&1 && rm passwd; cat /tmp/passwd; echo \$?
" "\
+tar: skipping unsafe symlink to '/tmp/passwd' in archive, set EXTRACT_UNSAFE_SYMLINKS=1 to extract
0
" \
"" "\
@@ -281,12 +291,15 @@ l4/V8LDoe90yiWJhOJvIypgEfxdyRThQkBVn/bI=
====
"
SKIP=
+cd .. || exit 1; rm -rf tar.tempdir 2>/dev/null
+
+mkdir tar.tempdir && cd tar.tempdir || exit 1
# And same with -k
optional UUDECODE FEATURE_TAR_AUTODETECT FEATURE_SEAMLESS_BZ2
testing "tar -k does not extract into symlinks" "\
>>/tmp/passwd && uudecode -o input && tar xf input -k 2>&1 && rm passwd; cat /tmp/passwd; echo \$?
" "\
-tar: can't open 'passwd': File exists
+tar: skipping unsafe symlink to '/tmp/passwd' in archive, set EXTRACT_UNSAFE_SYMLINKS=1 to extract
0
" \
"" "\
@@ -298,7 +311,9 @@ l4/V8LDoe90yiWJhOJvIypgEfxdyRThQkBVn/bI=
====
"
SKIP=
+cd .. || exit 1; rm -rf tar.tempdir 2>/dev/null
+mkdir tar.tempdir && cd tar.tempdir || exit 1
optional UNICODE_SUPPORT FEATURE_TAR_GNU_EXTENSIONS FEATURE_SEAMLESS_BZ2 FEATURE_TAR_AUTODETECT
testing "Pax-encoded UTF8 names and symlinks" '\
tar xvf ../tar.utf8.tar.bz2 2>&1; echo $?
@@ -309,17 +324,45 @@ rm -rf etc usr
' "\
etc/ssl/certs/3b2716e5.0
etc/ssl/certs/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.pem
+tar: skipping unsafe symlink to '/usr/share/ca-certificates/mozilla/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.crt' in archive, set EXTRACT_UNSAFE_SYMLINKS=1 to extract
etc/ssl/certs/f80cc7f6.0
usr/share/ca-certificates/mozilla/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.crt
0
etc/ssl/certs/3b2716e5.0 -> EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.pem
-etc/ssl/certs/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.pem -> /usr/share/ca-certificates/mozilla/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.crt
etc/ssl/certs/f80cc7f6.0 -> EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.pem
" \
"" ""
SKIP=
+cd .. || exit 1; rm -rf tar.tempdir 2>/dev/null
-
-cd .. && rm -rf tar.tempdir || exit 1
+mkdir tar.tempdir && cd tar.tempdir || exit 1
+optional UUDECODE FEATURE_SEAMLESS_BZ2 FEATURE_TAR_AUTODETECT
+testing "Symlink attack: create symlink and then write through it" '\
+exec 2>&1
+uudecode -o input && tar xvf input; echo $?
+ls /tmp/bb_test_evilfile
+ls bb_test_evilfile
+ls symlink/bb_test_evilfile
+' "\
+anything.txt
+symlink
+tar: skipping unsafe symlink to '/tmp' in archive, set EXTRACT_UNSAFE_SYMLINKS=1 to extract
+symlink/bb_test_evilfile
+0
+ls: /tmp/bb_test_evilfile: No such file or directory
+ls: bb_test_evilfile: No such file or directory
+symlink/bb_test_evilfile
+" \
+"" "\
+begin-base64 644 tar_symlink_attack.tar.bz2
+QlpoOTFBWSZTWZgs7bQAALT/hMmQAFBAAf+AEMAGJPPv32AAAIAIMAC5thlR
+omAjAmCMADQT1BqNE0AEwAAjAEwElTKeo9NTR6h6gaeoA0DQNLVdwZZ5iNTk
+AQwCAV6S00QFJYhrlfFkVCEDEGtgNVqYrI0uK3ggnt30gqk4e1TTQm5QIAKa
+SJqzRGSFLMmOloHSAcvLiFxxRiQtQZF+qPxbo173ZDISOAoNoPN4PQPhBhKS
+n8fYaKlioCTzL2oXYczyUUIP4u5IpwoSEwWdtoA=
+====
+"
+SKIP=
+cd .. || exit 1; rm -rf tar.tempdir 2>/dev/null
exit $FAILCOUNT
meta/recipes-core/busybox/busybox/CVE-2017-15873.patch
-95
View File
@@ -1,95 +0,0 @@
busybox-1.27.2: Fix CVE-2017-15873
[No upstream tracking] -- https://bugs.busybox.net/show_bug.cgi?id=10431
bunzip2: fix runCnt overflow
The get_next_block function in archival/libarchive/decompress_bunzip2.c
in BusyBox 1.27.2 has an Integer Overflow that may lead to a write
access violation.
Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=0402cb32df015d9372578e3db27db47b33d5c7b0]
CVE: CVE-2017-15873
bug: 10431
Signed-off-by: Radovan Scasny <radovan.scasny@siemens.com>
diff --git a/archival/libarchive/decompress_bunzip2.c b/archival/libarchive/decompress_bunzip2.c
index 7cd18f5..bec89ed 100644
--- a/archival/libarchive/decompress_bunzip2.c
+++ b/archival/libarchive/decompress_bunzip2.c
@@ -156,15 +156,15 @@ static unsigned get_bits(bunzip_data *bd, int bits_wanted)
static int get_next_block(bunzip_data *bd)
{
struct group_data *hufGroup;
- int dbufCount, dbufSize, groupCount, *base, *limit, selector,
- i, j, runPos, symCount, symTotal, nSelectors, byteCount[256];
- int runCnt = runCnt; /* for compiler */
+ int groupCount, *base, *limit, selector,
+ i, j, symCount, symTotal, nSelectors, byteCount[256];
uint8_t uc, symToByte[256], mtfSymbol[256], *selectors;
uint32_t *dbuf;
unsigned origPtr, t;
+ unsigned dbufCount, runPos;
+ unsigned runCnt = runCnt; /* for compiler */
dbuf = bd->dbuf;
- dbufSize = bd->dbufSize;
selectors = bd->selectors;
/* In bbox, we are ok with aborting through setjmp which is set up in start_bunzip */
@@ -187,7 +187,7 @@ static int get_next_block(bunzip_data *bd)
it didn't actually work. */
if (get_bits(bd, 1)) return RETVAL_OBSOLETE_INPUT;
origPtr = get_bits(bd, 24);
- if ((int)origPtr > dbufSize) return RETVAL_DATA_ERROR;
+ if (origPtr > bd->dbufSize) return RETVAL_DATA_ERROR;
/* mapping table: if some byte values are never used (encoding things
like ascii text), the compression code removes the gaps to have fewer
@@ -435,7 +435,14 @@ static int get_next_block(bunzip_data *bd)
symbols, but a run of length 0 doesn't mean anything in this
context). Thus space is saved. */
runCnt += (runPos << nextSym); /* +runPos if RUNA; +2*runPos if RUNB */
- if (runPos < dbufSize) runPos <<= 1;
+//The 32-bit overflow of runCnt wasn't yet seen, but probably can happen.
+//This would be the fix (catches too large count way before it can overflow):
+// if (runCnt > bd->dbufSize) {
+// dbg("runCnt:%u > dbufSize:%u RETVAL_DATA_ERROR",
+// runCnt, bd->dbufSize);
+// return RETVAL_DATA_ERROR;
+// }
+ if (runPos < bd->dbufSize) runPos <<= 1;
goto end_of_huffman_loop;
}
@@ -445,14 +452,15 @@ static int get_next_block(bunzip_data *bd)
literal used is the one at the head of the mtfSymbol array.) */
if (runPos != 0) {
uint8_t tmp_byte;
- if (dbufCount + runCnt > dbufSize) {
- dbg("dbufCount:%d+runCnt:%d %d > dbufSize:%d RETVAL_DATA_ERROR",
- dbufCount, runCnt, dbufCount + runCnt, dbufSize);
+ if (dbufCount + runCnt > bd->dbufSize) {
+ dbg("dbufCount:%u+runCnt:%u %u > dbufSize:%u RETVAL_DATA_ERROR",
+ dbufCount, runCnt, dbufCount + runCnt, bd->dbufSize);
return RETVAL_DATA_ERROR;
}
tmp_byte = symToByte[mtfSymbol[0]];
byteCount[tmp_byte] += runCnt;
- while (--runCnt >= 0) dbuf[dbufCount++] = (uint32_t)tmp_byte;
+ while ((int)--runCnt >= 0)
+ dbuf[dbufCount++] = (uint32_t)tmp_byte;
runPos = 0;
}
@@ -466,7 +474,7 @@ static int get_next_block(bunzip_data *bd)
first symbol in the mtf array, position 0, would have been handled
as part of a run above. Therefore 1 unused mtf position minus
2 non-literal nextSym values equals -1.) */
- if (dbufCount >= dbufSize) return RETVAL_DATA_ERROR;
+ if (dbufCount >= bd->dbufSize) return RETVAL_DATA_ERROR;
i = nextSym - 1;
uc = mtfSymbol[i];
--
cgit v0.12
meta/recipes-core/busybox/busybox/busybox-CVE-2017-16544.patch
-43
View File
@@ -1,43 +0,0 @@
From c3797d40a1c57352192c6106cc0f435e7d9c11e8 Mon Sep 17 00:00:00 2001
From: Denys Vlasenko <vda.linux@googlemail.com>
Date: Tue, 7 Nov 2017 18:09:29 +0100
Subject: lineedit: do not tab-complete any strings which have control
characters
function old new delta
add_match 41 68 +27
CVE: CVE-2017-16544
Upstream-Status: Backport
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
---
libbb/lineedit.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/libbb/lineedit.c b/libbb/lineedit.c
index c0e35bb..56e8140 100644
--- a/libbb/lineedit.c
+++ b/libbb/lineedit.c
@@ -645,6 +645,18 @@ static void free_tab_completion_data(void)
static void add_match(char *matched)
{
+ unsigned char *p = (unsigned char*)matched;
+ while (*p) {
+ /* ESC attack fix: drop any string with control chars */
+ if (*p < ' '
+ || (!ENABLE_UNICODE_SUPPORT && *p >= 0x7f)
+ || (ENABLE_UNICODE_SUPPORT && *p == 0x7f)
+ ) {
+ free(matched);
+ return;
+ }
+ p++;
+ }
matches = xrealloc_vector(matches, 4, num_matches);
matches[num_matches] = matched;
num_matches++;
--
cgit v0.12
meta/recipes-core/busybox/busybox/busybox-fix-lzma-segfaults.patch
-106
View File
@@ -1,106 +0,0 @@
busybox-1.27.2: Fix lzma segfaults
[No upstream tracking] -- https://bugs.busybox.net/show_bug.cgi?id=10871
libarchive: check buffer index in lzma_decompress
With specific defconfig busybox fails to check zip fileheader magic
(archival/unzip.c) and uses (archival/libarchive/decompress_unlzma.c)
for decompression which leads to segmentation fault. It prevents accessing into
buffer, which is smaller than pos index. Patch includes multiple segmentation
fault fixes.
Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=a36986bb80289c1cd8d15a557e49207c9a42946b]
bug: 10436 10871
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
diff --git a/archival/libarchive/decompress_unlzma.c b/archival/libarchive/decompress_unlzma.c
index a904087..29eee2a 100644
--- a/archival/libarchive/decompress_unlzma.c
+++ b/archival/libarchive/decompress_unlzma.c
@@ -11,6 +11,14 @@
#include "libbb.h"
#include "bb_archive.h"
+
+#if 0
+# define dbg(...) bb_error_msg(__VA_ARGS__)
+#else
+# define dbg(...) ((void)0)
+#endif
+
+
#if ENABLE_FEATURE_LZMA_FAST
# define speed_inline ALWAYS_INLINE
# define size_inline
@@ -217,6 +225,7 @@ unpack_lzma_stream(transformer_state_t *xstate)
rc_t *rc;
int i;
uint8_t *buffer;
+ uint32_t buffer_size;
uint8_t previous_byte = 0;
size_t buffer_pos = 0, global_pos = 0;
int len = 0;
@@ -246,7 +255,8 @@ unpack_lzma_stream(transformer_state_t *xstate)
if (header.dict_size == 0)
header.dict_size++;
- buffer = xmalloc(MIN(header.dst_size, header.dict_size));
+ buffer_size = MIN(header.dst_size, header.dict_size);
+ buffer = xmalloc(buffer_size);
{
int num_probs;
@@ -341,8 +351,12 @@ unpack_lzma_stream(transformer_state_t *xstate)
state = state < LZMA_NUM_LIT_STATES ? 9 : 11;
pos = buffer_pos - rep0;
- if ((int32_t)pos < 0)
+ if ((int32_t)pos < 0) {
pos += header.dict_size;
+ /* see unzip_bad_lzma_2.zip: */
+ if (pos >= buffer_size)
+ goto bad;
+ }
previous_byte = buffer[pos];
goto one_byte1;
#else
@@ -417,6 +431,10 @@ unpack_lzma_stream(transformer_state_t *xstate)
for (; num_bits2 != LZMA_NUM_ALIGN_BITS; num_bits2--)
rep0 = (rep0 << 1) | rc_direct_bit(rc);
rep0 <<= LZMA_NUM_ALIGN_BITS;
+ if ((int32_t)rep0 < 0) {
+ dbg("%d rep0:%d", __LINE__, rep0);
+ goto bad;
+ }
prob3 = p + LZMA_ALIGN;
}
i2 = 1;
@@ -450,8 +468,12 @@ unpack_lzma_stream(transformer_state_t *xstate)
IF_NOT_FEATURE_LZMA_FAST(string:)
do {
uint32_t pos = buffer_pos - rep0;
- if ((int32_t)pos < 0)
+ if ((int32_t)pos < 0) {
pos += header.dict_size;
+ /* more stringent test (see unzip_bad_lzma_1.zip): */
+ if (pos >= buffer_size)
+ goto bad;
+ }
previous_byte = buffer[pos];
IF_NOT_FEATURE_LZMA_FAST(one_byte2:)
buffer[buffer_pos++] = previous_byte;
@@ -478,6 +500,12 @@ unpack_lzma_stream(transformer_state_t *xstate)
IF_DESKTOP(total_written += buffer_pos;)
if (transformer_write(xstate, buffer, buffer_pos) != (ssize_t)buffer_pos) {
bad:
+ /* One of our users, bbunpack(), expects _us_ to emit
+ * the error message (since it's the best place to give
+ * potentially more detailed information).
+ * Do not fail silently.
+ */
+ bb_error_msg("corrupted data");
total_written = -1; /* failure */
}
rc_free(rc);
meta/recipes-core/busybox/busybox/busybox-udhcpc-no_deconfig.patch
+27 -21
View File
@@ -31,11 +31,11 @@ Signed-off-by: Andreas Oberritter <obi@opendreambox.org>
networking/udhcp/dhcpc.c | 29 ++++++++++++++++------
1 file changed, 21 insertions(+), 8 deletions(-)
Index: busybox-1.27.2/networking/udhcp/dhcpc.c
Index: busybox-1.29.1/networking/udhcp/dhcpc.c
===================================================================
--- busybox-1.27.2.orig/networking/udhcp/dhcpc.c
+++ busybox-1.27.2/networking/udhcp/dhcpc.c
@@ -49,6 +49,8 @@ struct tpacket_auxdata {
--- busybox-1.29.1.orig/networking/udhcp/dhcpc.c
+++ busybox-1.29.1/networking/udhcp/dhcpc.c
@@ -48,6 +48,8 @@
};
#endif
@@ -44,7 +44,7 @@ Index: busybox-1.27.2/networking/udhcp/dhcpc.c
/* "struct client_config_t client_config" is in bb_common_bufsiz1 */
@@ -104,8 +106,9 @@ enum {
@@ -103,8 +105,9 @@
OPT_x = 1 << 18,
OPT_f = 1 << 19,
OPT_B = 1 << 20,
@@ -55,7 +55,7 @@ Index: busybox-1.27.2/networking/udhcp/dhcpc.c
USE_FOR_MMU( OPTBIT_b,)
IF_FEATURE_UDHCPC_ARPING(OPTBIT_a,)
IF_FEATURE_UDHCP_PORT( OPTBIT_P,)
@@ -1110,7 +1113,8 @@ static void perform_renew(void)
@@ -1116,7 +1119,8 @@
state = RENEW_REQUESTED;
break;
case RENEW_REQUESTED: /* impatient are we? fine, square 1 */
@@ -65,7 +65,7 @@ Index: busybox-1.27.2/networking/udhcp/dhcpc.c
case REQUESTING:
case RELEASED:
change_listen_mode(LISTEN_RAW);
@@ -1146,7 +1150,8 @@ static void perform_release(uint32_t server_addr, uint32_t requested_ip)
@@ -1152,7 +1156,8 @@
* Users requested to be notified in all cases, even if not in one
* of the states above.
*/
@@ -75,16 +75,16 @@ Index: busybox-1.27.2/networking/udhcp/dhcpc.c
change_listen_mode(LISTEN_NONE);
state = RELEASED;
@@ -1298,7 +1303,7 @@ int udhcpc_main(int argc UNUSED_PARAM, char **argv)
/* O,x: list; -T,-t,-A take numeric param */
IF_UDHCP_VERBOSE(opt_complementary = "vv";)
IF_LONG_OPTS(applet_long_options = udhcpc_longopts;)
- opt = getopt32(argv, "CV:H:h:F:i:np:qRr:s:T:+t:+SA:+O:*ox:*fB"
+ opt = getopt32(argv, "CV:H:h:F:i:np:qRr:s:T:+t:+SA:+O:*ox:*fBD"
@@ -1265,7 +1270,7 @@
/* Parse command line */
opt = getopt32long(argv, "^"
/* O,x: list; -T,-t,-A take numeric param */
- "CV:H:h:F:i:np:qRr:s:T:+t:+SA:+O:*ox:*fB"
+ "CV:H:h:F:i:np:qRr:s:T:+t:+SA:+O:*ox:*fBD"
USE_FOR_MMU("b")
IF_FEATURE_UDHCPC_ARPING("a::")
IF_FEATURE_UDHCP_PORT("P:")
@@ -1409,6 +1414,10 @@ int udhcpc_main(int argc UNUSED_PARAM, char **argv)
@@ -1376,6 +1381,10 @@
logmode |= LOGMODE_SYSLOG;
}
@@ -94,8 +94,8 @@ Index: busybox-1.27.2/networking/udhcp/dhcpc.c
+
/* Make sure fd 0,1,2 are open */
bb_sanitize_stdio();
/* Equivalent of doing a fflush after every \n */
@@ -1423,7 +1432,8 @@ int udhcpc_main(int argc UNUSED_PARAM, char **argv)
/* Create pidfile */
@@ -1388,7 +1397,8 @@
srand(monotonic_us());
state = INIT_SELECTING;
@@ -105,7 +105,7 @@ Index: busybox-1.27.2/networking/udhcp/dhcpc.c
change_listen_mode(LISTEN_RAW);
packet_num = 0;
timeout = 0;
@@ -1577,7 +1587,8 @@ int udhcpc_main(int argc UNUSED_PARAM, char **argv)
@@ -1555,7 +1565,8 @@
}
/* Timed out, enter init state */
bb_error_msg("lease lost, entering init state");
@@ -115,23 +115,29 @@ Index: busybox-1.27.2/networking/udhcp/dhcpc.c
state = INIT_SELECTING;
client_config.first_secs = 0; /* make secs field count from 0 */
/*timeout = 0; - already is */
@@ -1770,7 +1781,8 @@ int udhcpc_main(int argc UNUSED_PARAM, char **argv)
@@ -1748,8 +1759,10 @@
"(got ARP reply), declining");
send_decline(/*xid,*/ server_addr, packet.yiaddr);
if (state != REQUESTING)
- if (state != REQUESTING)
- udhcp_run_script(NULL, "deconfig");
+ if (state != REQUESTING) {
+ if (allow_deconfig)
+ udhcp_run_script(NULL, "deconfig");
+ }
change_listen_mode(LISTEN_RAW);
state = INIT_SELECTING;
client_config.first_secs = 0; /* make secs field count from 0 */
@@ -1840,7 +1852,8 @@ int udhcpc_main(int argc UNUSED_PARAM, char **argv)
@@ -1818,8 +1831,10 @@
/* return to init state */
bb_error_msg("received %s", "DHCP NAK");
udhcp_run_script(&packet, "nak");
if (state != REQUESTING)
- if (state != REQUESTING)
- udhcp_run_script(NULL, "deconfig");
+ if (state != REQUESTING) {
+ if (allow_deconfig)
+ udhcp_run_script(NULL, "deconfig");
+ }
change_listen_mode(LISTEN_RAW);
sleep(3); /* avoid excessive network traffic */
state = INIT_SELECTING;
meta/recipes-core/busybox/busybox/defconfig
+37 -9
View File
@@ -1,12 +1,12 @@
#
# Automatically generated make config: don't edit
# Busybox version: 1.27.2
# Wed Sep 27 08:56:13 2017
# Busybox version: 1.29.1
# Thu Jul 19 11:09:46 2018
#
CONFIG_HAVE_DOT_CONFIG=y
#
# Busybox Settings
# Settings
#
# CONFIG_DESKTOP is not set
# CONFIG_EXTRA_COMPAT is not set
@@ -78,7 +78,7 @@ CONFIG_NO_DEBUG_LIB=y
# CONFIG_EFENCE is not set
#
# Busybox Library Tuning
# Library Tuning
#
# CONFIG_FEATURE_USE_BSS_TAIL is not set
CONFIG_FEATURE_RTMINMAX=y
@@ -90,6 +90,7 @@ CONFIG_MD5_SMALL=1
CONFIG_SHA3_SMALL=1
CONFIG_FEATURE_FAST_TOP=y
# CONFIG_FEATURE_ETC_NETWORKS is not set
# CONFIG_FEATURE_ETC_SERVICES is not set
CONFIG_FEATURE_EDITING=y
CONFIG_FEATURE_EDITING_MAX_LEN=1024
# CONFIG_FEATURE_EDITING_VI is not set
@@ -321,6 +322,7 @@ CONFIG_TRUE=y
CONFIG_TTY=y
CONFIG_UNAME=y
CONFIG_UNAME_OSNAME="GNU/Linux"
# CONFIG_BB_ARCH is not set
CONFIG_UNIQ=y
CONFIG_UNLINK=y
CONFIG_USLEEP=y
@@ -392,6 +394,14 @@ CONFIG_FEATURE_START_STOP_DAEMON_LONG_OPTIONS=y
CONFIG_FEATURE_START_STOP_DAEMON_FANCY=y
CONFIG_WHICH=y
#
# klibc-utils
#
# CONFIG_MINIPS is not set
# CONFIG_NUKE is not set
# CONFIG_RESUME is not set
# CONFIG_RUN_INIT is not set
#
# Editors
#
@@ -678,6 +688,10 @@ CONFIG_FEATURE_MOUNT_LOOP=y
CONFIG_FEATURE_MOUNT_LOOP_CREATE=y
# CONFIG_FEATURE_MTAB_SUPPORT is not set
# CONFIG_VOLUMEID is not set
#
# Filesystem/Volume identification
#
# CONFIG_FEATURE_VOLUMEID_BCACHE is not set
# CONFIG_FEATURE_VOLUMEID_BTRFS is not set
# CONFIG_FEATURE_VOLUMEID_CRAMFS is not set
@@ -725,6 +739,7 @@ CONFIG_FEATURE_CROND_DIR=""
# CONFIG_FEATURE_HDPARM_HDIO_DRIVE_RESET is not set
# CONFIG_FEATURE_HDPARM_HDIO_TRISTATE_HWIF is not set
# CONFIG_FEATURE_HDPARM_HDIO_GETSET_DMA is not set
# CONFIG_HEXEDIT is not set
# CONFIG_I2CGET is not set
# CONFIG_I2CSET is not set
# CONFIG_I2CDUMP is not set
@@ -807,6 +822,7 @@ CONFIG_MICROCOM=y
# CONFIG_RUNLEVEL is not set
# CONFIG_RX is not set
# CONFIG_SETSID is not set
# CONFIG_SETFATTR is not set
CONFIG_STRINGS=y
CONFIG_TIME=y
# CONFIG_TIMEOUT is not set
@@ -912,6 +928,8 @@ CONFIG_FEATURE_FANCY_PING=y
CONFIG_ROUTE=y
# CONFIG_SLATTACH is not set
# CONFIG_SSL_CLIENT is not set
# CONFIG_TC is not set
# CONFIG_FEATURE_TC_INGRESS is not set
# CONFIG_TCPSVD is not set
# CONFIG_UDPSVD is not set
CONFIG_TELNET=y
@@ -949,13 +967,9 @@ CONFIG_FEATURE_WGET_HTTPS=y
# CONFIG_FEATURE_WGET_OPENSSL is not set
# CONFIG_WHOIS is not set
# CONFIG_ZCIP is not set
# CONFIG_UDHCPC6 is not set
# CONFIG_FEATURE_UDHCPC6_RFC3646 is not set
# CONFIG_FEATURE_UDHCPC6_RFC4704 is not set
# CONFIG_FEATURE_UDHCPC6_RFC4833 is not set
CONFIG_UDHCPD=y
# CONFIG_FEATURE_UDHCPD_WRITE_LEASES_EARLY is not set
# CONFIG_FEATURE_UDHCPD_BASE_IP_ON_MAC is not set
# CONFIG_FEATURE_UDHCPD_WRITE_LEASES_EARLY is not set
CONFIG_DHCPD_LEASES_FILE="/var/lib/misc/udhcpd.leases"
CONFIG_DUMPLEASES=y
# CONFIG_DHCPRELAY is not set
@@ -963,6 +977,15 @@ CONFIG_UDHCPC=y
CONFIG_FEATURE_UDHCPC_ARPING=y
CONFIG_FEATURE_UDHCPC_SANITIZEOPT=y
CONFIG_UDHCPC_DEFAULT_SCRIPT="/usr/share/udhcpc/default.script"
# CONFIG_UDHCPC6 is not set
# CONFIG_FEATURE_UDHCPC6_RFC3646 is not set
# CONFIG_FEATURE_UDHCPC6_RFC4704 is not set
# CONFIG_FEATURE_UDHCPC6_RFC4833 is not set
# CONFIG_FEATURE_UDHCPC6_RFC5970 is not set
#
# Common options for DHCP applets
#
# CONFIG_FEATURE_UDHCP_PORT is not set
CONFIG_UDHCP_DEBUG=0
# CONFIG_FEATURE_UDHCP_RFC3397 is not set
@@ -1045,6 +1068,7 @@ CONFIG_WATCH=y
# CONFIG_SV is not set
CONFIG_SV_DEFAULT_SERVICE_DIR=""
# CONFIG_SVC is not set
# CONFIG_SVOK is not set
# CONFIG_SVLOGD is not set
# CONFIG_CHCON is not set
# CONFIG_FEATURE_CHCON_LONG_OPTIONS is not set
@@ -1134,6 +1158,10 @@ CONFIG_FEATURE_SH_HISTFILESIZE=y
# System Logging Utilities
#
CONFIG_KLOGD=y
#
# klogd should not be used together with syslog to kernel printk buffer
#
CONFIG_FEATURE_KLOGD_KLOGCTL=y
CONFIG_LOGGER=y
# CONFIG_LOGREAD is not set
meta/recipes-core/busybox/busybox/umount-ignore-c.patch
-40
View File
@@ -1,40 +0,0 @@
Signed-off-by: Fabio Berton <fabio.berton@ossystems.com.br>
Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=426134128112738c97a665170b21153ef0764b7d]
From 95ea12791c8623bf825bc711ac7790306e7e1adb Mon Sep 17 00:00:00 2001
From: Shawn Landden <slandden@gmail.com>
Date: Mon, 8 Jan 2018 13:31:58 +0100
Subject: [PATCH] umount: ignore -c
Organization: O.S. Systems Software LTDA.
"-c, --no-canonicalize: Do not canonicalize paths."
As busybox doesn't canonicalize paths in the first place it is safe to ignore
this option.
See https://github.com/systemd/systemd/issues/7786
Signed-off-by: Shawn Landden <slandden@gmail.com>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
---
util-linux/umount.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/util-linux/umount.c b/util-linux/umount.c
index 0c50dc9ee..0425c5b76 100644
--- a/util-linux/umount.c
+++ b/util-linux/umount.c
@@ -68,8 +68,8 @@ static struct mntent *getmntent_r(FILE* stream, struct mntent* result,
}
#endif
-/* ignored: -v -t -i */
-#define OPTION_STRING "fldnra" "vt:i"
+/* ignored: -c -v -t -i */
+#define OPTION_STRING "fldnra" "cvt:i"
#define OPT_FORCE (1 << 0) // Same as MNT_FORCE
#define OPT_LAZY (1 << 1) // Same as MNT_DETACH
#define OPT_FREELOOP (1 << 2)
--
2.18.0
meta/recipes-core/busybox/busybox_1.27.2.bb → meta/recipes-core/busybox/busybox_1.29.2.bb
+2 -7
View File
@@ -42,13 +42,8 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
file://rcK \
file://runlevel \
file://makefile-libbb-race.patch \
file://CVE-2011-5325.patch \
file://CVE-2017-15873.patch \
file://busybox-CVE-2017-16544.patch \
file://busybox-fix-lzma-segfaults.patch \
file://umount-ignore-c.patch \
"
SRC_URI_append_libc-musl = " file://musl.cfg "
SRC_URI[tarball.md5sum] = "476186f4bab81781dab2369bfd42734e"
SRC_URI[tarball.sha256sum] = "9d4be516b61e6480f156b11eb42577a13529f75d3383850bb75c50c285de63df"
SRC_URI[tarball.md5sum] = "46617af37a39579711d8b36f189cdf1e"
SRC_URI[tarball.sha256sum] = "67d2fa6e147a45875fe972de62d907ef866fe784c495c363bf34756c444a5d61"