busybox: Security fix CVE-2016-2147

busybox <= 1.24.2

(From OE-Core rev: 0a977091a4a5ee925b44c60bc4b13557696afadb)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

meta/recipes-core/busybox/busybox/CVE-2016-2147.patch

@@ -0,0 +1,57 @@
+From d474ffc68290e0a83651c4432eeabfa62cd51e87 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Thu, 10 Mar 2016 11:47:58 +0100
+Subject: [PATCH] udhcp: fix a SEGV on malformed RFC1035-encoded domain name
+
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+
+Upstream-Status: Backport
+CVE: CVE-2016-2147
+
+https://git.busybox.net/busybox/commit/?id=d474ffc
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ networking/udhcp/domain_codec.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+Index: busybox-1.23.2/networking/udhcp/domain_codec.c
+===================================================================
+--- busybox-1.23.2.orig/networking/udhcp/domain_codec.c
++++ busybox-1.23.2/networking/udhcp/domain_codec.c
+@@ -63,11 +63,10 @@ char* FAST_FUNC dname_dec(const uint8_t
+ 				if (crtpos + *c + 1 > clen) /* label too long? abort */
+ 					return NULL;
+ 				if (dst)
+-					memcpy(dst + len, c + 1, *c);
++					/* \3com ---> "com." */
++					((char*)mempcpy(dst + len, c + 1, *c))[0] = '.';
+ 				len += *c + 1;
+ 				crtpos += *c + 1;
+-				if (dst)
+-					dst[len - 1] = '.';
+ 			} else {
+ 				/* NUL: end of current domain name */
+ 				if (retpos == 0) {
+@@ -78,7 +77,10 @@ char* FAST_FUNC dname_dec(const uint8_t
+ 					crtpos = retpos;
+ 					retpos = depth = 0;
+ 				}
+-				if (dst)
++				if (dst && len != 0)
++					/* \4host\3com\0\4host and we are at \0:
++					 * \3com was converted to "com.", change dot to space.
++					 */
+ 					dst[len - 1] = ' ';
+ 			}
+ 
+@@ -228,6 +230,9 @@ int main(int argc, char **argv)
+ 	int len;
+ 	uint8_t *encoded;
+ 
++        uint8_t str[6] = { 0x00, 0x00, 0x02, 0x65, 0x65, 0x00 };
++        printf("NUL:'%s'\n",   dname_dec(str, 6, ""));
++
+ #define DNAME_DEC(encoded,pre) dname_dec((uint8_t*)(encoded), sizeof(encoded), (pre))
+ 	printf("'%s'\n",       DNAME_DEC("\4host\3com\0", "test1:"));
+ 	printf("test2:'%s'\n", DNAME_DEC("\4host\3com\0\4host\3com\0", ""));

meta/recipes-core/busybox/busybox/CVE-2016-2147_2.patch

@@ -0,0 +1,32 @@
+From 1b7c17391de66502dd7a97c866e0a33681edbb1f Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Fri, 11 Mar 2016 00:26:58 +0100
+Subject: [PATCH] udhcpc: fix a warning in debug code
+
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+Upsteam-Status: Backport
+CVE: CVE-2016-2147 regression fix
+
+https://git.busybox.net/busybox/commit/?id=1b7c17
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ networking/udhcp/domain_codec.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/networking/udhcp/domain_codec.c b/networking/udhcp/domain_codec.c
+index cee31f1..5a923cc 100644
+--- a/networking/udhcp/domain_codec.c
++++ b/networking/udhcp/domain_codec.c
+@@ -7,6 +7,7 @@
+  * Licensed under GPLv2 or later, see file LICENSE in this source tree.
+  */
+ #ifdef DNS_COMPR_TESTING
++# define _GNU_SOURCE
+ # define FAST_FUNC /* nothing */
+ # define xmalloc malloc
+ # include <stdlib.h>
+-- 
+2.3.5
+

meta/recipes-core/busybox/busybox_1.23.2.bb

@@ -42,6 +42,8 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
            file://sha256sum.cfg \
            file://getopts.cfg \
            file://CVE-2016-2148.patch \
+           file://CVE-2016-2147.patch \
+           file://CVE-2016-2147_2.patch \
 "
 
 SRC_URI[tarball.md5sum] = "7925683d7dd105aabe9b6b618d48cc73"