-rw-r--r--main/busybox/APKBUILD14
-rw-r--r--main/busybox/CVE-2017-15873.patch210
-rw-r--r--main/busybox/CVE-2017-16544.patch40
3 files changed, 263 insertions, 1 deletions
diff --git a/main/busybox/APKBUILD b/main/busybox/APKBUILD
index 872cd75c22..fe615c73d5 100644
--- a/main/busybox/APKBUILD
+++ b/main/busybox/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=busybox
pkgver=1.24.2
-pkgrel=1
+pkgrel=2
pkgdesc="Size optimized toolbox of many common UNIX utilities"
url=http://busybox.net
arch="all"
@@ -45,6 +45,9 @@ source="http://busybox.net/downloads/$pkgname-$pkgver.tar.bz2
0001-ash-backport-fix-for-here-document-issues.patch
0001-ash-fix-error-during-recursive-processing-of-here-do.patch
+ CVE-2017-15873.patch
+ CVE-2017-16544.patch
+
acpid.logrotate
busyboxconfig
glibc.patch
@@ -52,6 +55,9 @@ source="http://busybox.net/downloads/$pkgname-$pkgver.tar.bz2
"
# secfixes:
+# 1.24.2-r2:
+# - CVE-2017-15873
+# - CVE-2017-16544
# 1.24.2-r1:
# - CVE-2016-6301
@@ -186,6 +192,8 @@ f7c45568bdb0d2295c43108691e78a40 3002-libbb-allow_blank-argument-for-ask_and_ch
f82d49c891c02516462db3cda29ccca7 3003-su-FEATURE_SU_NULLOK_SECURE.patch
5f03ee6f3e93bbc6aedff0777b227810 0001-ash-backport-fix-for-here-document-issues.patch
a4d1cf64fd1835a284ccc6dbc78e3ce0 0001-ash-fix-error-during-recursive-processing-of-here-do.patch
+15509e6feeda066d5277fc6359e9cf93 CVE-2017-15873.patch
+c4fe22721f51afb20573dcc3aa39d681 CVE-2017-16544.patch
4046b78ee6a25259954797d73b94f4bd acpid.logrotate
5cddea6331e6aff69869568b679186ec busyboxconfig
befaac2c59c380e36a452b3f1c1d4a3a glibc.patch
@@ -213,6 +221,8 @@ ce24e38be870c90bdcb90e7b0445067adf7be0fac6b1154d2364a4db9ee3a9d8 3002-libbb-all
d7b18672334ddeee7fbd6c0e92f26c5d2ef49ddefebf0b7f6eff8dc1ad8d3f7e 3003-su-FEATURE_SU_NULLOK_SECURE.patch
f712ce190ce86084d56977e125d1561615394f3d9b840e926537868260e19d79 0001-ash-backport-fix-for-here-document-issues.patch
1d3f8f7b6d0972f8e56437fce8efbafe70e2d869fbe82f06eba11e0103fce224 0001-ash-fix-error-during-recursive-processing-of-here-do.patch
+ee0369ad00c843cd815c03769ee1acadfc979c590c8d61495cd067f245624f63 CVE-2017-15873.patch
+31194ef9226d5f80146cc9bc33374ba82e789aee14043bb5bf385c681b8edfe0 CVE-2017-16544.patch
f7cbeb5a5a47395ad30454ce8262abcd3e91c33ef803c2ae31a9258d7142dd48 acpid.logrotate
ddc0c2e87e37a5e6cc878c5c5c14093c43b361a4d32eee813e0f0b01900efb9e busyboxconfig
c604ef791c31d35a8c5ee4558d21428a46f37a6d762c4a7e29864f4037fc44a0 glibc.patch
@@ -240,6 +250,8 @@ ed8d060b85d4da1681eb35ba64c5b249391e6a7edbeb55b8952897f08fe9bafac33593992772d80a
c6579970450e7c711461ab1953f534ae855c4a355b4a452b3fc52a286355c87e41f8951b1b5217d0f659e3173ace8718d42dad3dcc878899cf9decdf4d3fe238 3003-su-FEATURE_SU_NULLOK_SECURE.patch
d55cab6ed08434e2a278edf1be6171b921bcaee47598988e4de6b390a01569e10394c54d5d4a27e6eba251ce68df5cc1ece358be32a9c31bdf1f7e9147cf5180 0001-ash-backport-fix-for-here-document-issues.patch
c14a632f9477c13ea99b24a73c81c9c44ead8b536970acd758e739b43a6260860039674341192ce7bb20a9204ee7d93dcd9541e526f2437d4d2d88637b400867 0001-ash-fix-error-during-recursive-processing-of-here-do.patch
+e41b5378572b540c02fdc191fb33d10b4ba7500da943bd3edc311b74c92214753ce2cea0afad68cec946db3618523f4a422bff243a3ed772097fbac91f85ab78 CVE-2017-15873.patch
+c988edc761b39099b54c45c6656813183bcd725de2f013ecdccd0f2dfef7b9724242196450d9a958e51aeacd64be9a1b6f342a3f8d23fe2944ffc4099007122d CVE-2017-16544.patch
dadb4c953ebc755b88ee95c1489feb0c2d352f6e44abc716166024e6eea11ab9d10c84fad62c081775834d205cb04aa1be3c994676c88f4284495c54b9188e8b acpid.logrotate
249f9c4769b7e20149109810bed8ed48c87e7e67817f27fbb620857bb3db1857f2d1616c4badba5c9eb2b6a1a14a15e89327b8c5f3c2d3ea15d09e252bab2a20 busyboxconfig
1d2739379dab1deb3eae7cffd4845300eb7d30f7343b4a1209b21a5680860d55080ad45fdefe098b249ce3040c01951fa7f0a79cd447b2d7b260eb000099d9dc glibc.patch
diff --git a/main/busybox/CVE-2017-15873.patch b/main/busybox/CVE-2017-15873.patch
new file mode 100644
index 0000000000..485aef39d3
--- /dev/null
+++ b/main/busybox/CVE-2017-15873.patch
@@ -0,0 +1,210 @@
+From 3cd642df5f6c274c762c2b1388bdccc9d74f1db2 Mon Sep 17 00:00:00 2001
+From: Rostislav Skudnov <rostislav@tuxera.com>
+Date: Wed, 1 Feb 2017 18:35:13 +0000
+Subject: [PATCH 1/2] Replace int -> uint to avoid signed integer overflow
+
+An example of such an error (should be compiled with DEBUG_SANITIZE):
+
+runtime error: left shift of 1 by 31 places cannot be represented in
+type 'int'
+
+Signed-off-by: Rostislav Skudnov <rostislav@tuxera.com>
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+---
+ archival/libarchive/decompress_bunzip2.c | 6 +++---
+ libbb/crc32.c | 2 +-
+ libbb/getopt32.c | 4 ++--
+ libbb/pw_encrypt.c | 2 +-
+ miscutils/rx.c | 2 +-
+ 5 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/archival/libarchive/decompress_bunzip2.c b/archival/libarchive/decompress_bunzip2.c
+index fe5953da2..4fb989c29 100644
+--- a/archival/libarchive/decompress_bunzip2.c
++++ b/archival/libarchive/decompress_bunzip2.c
+@@ -134,7 +134,7 @@ static unsigned get_bits(bunzip_data *bd, int bits_wanted)
+
+ /* Avoid 32-bit overflow (dump bit buffer to top of output) */
+ if (bit_count >= 24) {
+- bits = bd->inbufBits & ((1 << bit_count) - 1);
++ bits = bd->inbufBits & ((1U << bit_count) - 1);
+ bits_wanted -= bit_count;
+ bits <<= bits_wanted;
+ bit_count = 0;
+@@ -158,11 +158,11 @@ static int get_next_block(bunzip_data *bd)
+ {
+ struct group_data *hufGroup;
+ int dbufCount, dbufSize, groupCount, *base, *limit, selector,
+- i, j, t, runPos, symCount, symTotal, nSelectors, byteCount[256];
++ i, j, runPos, symCount, symTotal, nSelectors, byteCount[256];
+ int runCnt = runCnt; /* for compiler */
+ uint8_t uc, symToByte[256], mtfSymbol[256], *selectors;
+ uint32_t *dbuf;
+- unsigned origPtr;
++ unsigned origPtr, t;
+
+ dbuf = bd->dbuf;
+ dbufSize = bd->dbufSize;
+diff --git a/libbb/crc32.c b/libbb/crc32.c
+index ac9836cc9..0711ca84e 100644
+--- a/libbb/crc32.c
++++ b/libbb/crc32.c
+@@ -24,7 +24,7 @@ uint32_t* FAST_FUNC crc32_filltable(uint32_t *crc_table, int endian)
+ {
+ uint32_t polynomial = endian ? 0x04c11db7 : 0xedb88320;
+ uint32_t c;
+- int i, j;
++ unsigned i, j;
+
+ if (!crc_table)
+ crc_table = xmalloc(256 * sizeof(uint32_t));
+diff --git a/libbb/getopt32.c b/libbb/getopt32.c
+index 15b6efc09..497fc016f 100644
+--- a/libbb/getopt32.c
++++ b/libbb/getopt32.c
+@@ -404,7 +404,7 @@ getopt32(char **argv, const char *applet_opts, ...)
+ if (c >= 32)
+ break;
+ on_off->opt_char = *s;
+- on_off->switch_on = (1 << c);
++ on_off->switch_on = (1U << c);
+ if (*++s == ':') {
+ on_off->optarg = va_arg(p, void **);
+ if (s[1] == '+' || s[1] == '*') {
+@@ -454,7 +454,7 @@ getopt32(char **argv, const char *applet_opts, ...)
+ if (c >= 32)
+ break;
+ on_off->opt_char = l_o->val;
+- on_off->switch_on = (1 << c);
++ on_off->switch_on = (1U << c);
+ if (l_o->has_arg != no_argument)
+ on_off->optarg = va_arg(p, void **);
+ c++;
+diff --git a/libbb/pw_encrypt.c b/libbb/pw_encrypt.c
+index 4cdc2de76..fe06a8fe6 100644
+--- a/libbb/pw_encrypt.c
++++ b/libbb/pw_encrypt.c
+@@ -30,7 +30,7 @@ static int i64c(int i)
+ int FAST_FUNC crypt_make_salt(char *p, int cnt /*, int x */)
+ {
+ /* was: x += ... */
+- int x = getpid() + monotonic_us();
++ unsigned x = getpid() + monotonic_us();
+ do {
+ /* x = (x*1664525 + 1013904223) % 2^32 generator is lame
+ * (low-order bit is not "random", etc...),
+diff --git a/miscutils/rx.c b/miscutils/rx.c
+index 660f66a89..86627e1b5 100644
+--- a/miscutils/rx.c
++++ b/miscutils/rx.c
+@@ -94,7 +94,7 @@ static int receive(/*int read_fd, */int file_fd)
+ int blockBegin;
+ int blockNo, blockNoOnesCompl;
+ int cksum_or_crc;
+- int expected;
++ unsigned expected;
+ int i, j;
+
+ blockBegin = read_byte(timeout);
+--
+2.15.0
+
+
+From 2be3fc2e5407081a597a99e3a71d55fd673de50f Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Sun, 22 Oct 2017 18:23:23 +0200
+Subject: [PATCH 2/2] bunzip2: fix runCnt overflow from bug 10431
+
+This particular corrupted file can be dealth with by using "unsigned".
+If there will be cases where it genuinely overflows, there is a disabled
+code to deal with that too.
+
+function old new delta
+get_next_block 1678 1667 -11
+
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+---
+ archival/libarchive/decompress_bunzip2.c | 30 +++++++++++++++++++-----------
+ 1 file changed, 19 insertions(+), 11 deletions(-)
+
+diff --git a/archival/libarchive/decompress_bunzip2.c b/archival/libarchive/decompress_bunzip2.c
+index 4fb989c29..2da5d59ac 100644
+--- a/archival/libarchive/decompress_bunzip2.c
++++ b/archival/libarchive/decompress_bunzip2.c
+@@ -157,15 +157,15 @@ static unsigned get_bits(bunzip_data *bd, int bits_wanted)
+ static int get_next_block(bunzip_data *bd)
+ {
+ struct group_data *hufGroup;
+- int dbufCount, dbufSize, groupCount, *base, *limit, selector,
+- i, j, runPos, symCount, symTotal, nSelectors, byteCount[256];
+- int runCnt = runCnt; /* for compiler */
++ int groupCount, *base, *limit, selector,
++ i, j, symCount, symTotal, nSelectors, byteCount[256];
+ uint8_t uc, symToByte[256], mtfSymbol[256], *selectors;
+ uint32_t *dbuf;
+ unsigned origPtr, t;
++ unsigned dbufCount, runPos;
++ unsigned runCnt = runCnt; /* for compiler */
+
+ dbuf = bd->dbuf;
+- dbufSize = bd->dbufSize;
+ selectors = bd->selectors;
+
+ /* In bbox, we are ok with aborting through setjmp which is set up in start_bunzip */
+@@ -188,7 +188,7 @@ static int get_next_block(bunzip_data *bd)
+ it didn't actually work. */
+ if (get_bits(bd, 1)) return RETVAL_OBSOLETE_INPUT;
+ origPtr = get_bits(bd, 24);
+- if ((int)origPtr > dbufSize) return RETVAL_DATA_ERROR;
++ if (origPtr > bd->dbufSize) return RETVAL_DATA_ERROR;
+
+ /* mapping table: if some byte values are never used (encoding things
+ like ascii text), the compression code removes the gaps to have fewer
+@@ -436,7 +436,14 @@ static int get_next_block(bunzip_data *bd)
+ symbols, but a run of length 0 doesn't mean anything in this
+ context). Thus space is saved. */
+ runCnt += (runPos << nextSym); /* +runPos if RUNA; +2*runPos if RUNB */
+- if (runPos < dbufSize) runPos <<= 1;
++//The 32-bit overflow of runCnt wasn't yet seen, but probably can happen.
++//This would be the fix (catches too large count way before it can overflow):
++// if (runCnt > bd->dbufSize) {
++// dbg("runCnt:%u > dbufSize:%u RETVAL_DATA_ERROR",
++// runCnt, bd->dbufSize);
++// return RETVAL_DATA_ERROR;
++// }
++ if (runPos < bd->dbufSize) runPos <<= 1;
+ goto end_of_huffman_loop;
+ }
+
+@@ -446,14 +453,15 @@ static int get_next_block(bunzip_data *bd)
+ literal used is the one at the head of the mtfSymbol array.) */
+ if (runPos != 0) {
+ uint8_t tmp_byte;
+- if (dbufCount + runCnt > dbufSize) {
+- dbg("dbufCount:%d+runCnt:%d %d > dbufSize:%d RETVAL_DATA_ERROR",
+- dbufCount, runCnt, dbufCount + runCnt, dbufSize);
++ if (dbufCount + runCnt > bd->dbufSize) {
++ dbg("dbufCount:%u+runCnt:%u %u > dbufSize:%u RETVAL_DATA_ERROR",
++ dbufCount, runCnt, dbufCount + runCnt, bd->dbufSize);
+ return RETVAL_DATA_ERROR;
+ }
+ tmp_byte = symToByte[mtfSymbol[0]];
+ byteCount[tmp_byte] += runCnt;
+- while (--runCnt >= 0) dbuf[dbufCount++] = (uint32_t)tmp_byte;
++ while ((int)--runCnt >= 0)
++ dbuf[dbufCount++] = (uint32_t)tmp_byte;
+ runPos = 0;
+ }
+
+@@ -467,7 +475,7 @@ static int get_next_block(bunzip_data *bd)
+ first symbol in the mtf array, position 0, would have been handled
+ as part of a run above. Therefore 1 unused mtf position minus
+ 2 non-literal nextSym values equals -1.) */
+- if (dbufCount >= dbufSize) return RETVAL_DATA_ERROR;
++ if (dbufCount >= bd->dbufSize) return RETVAL_DATA_ERROR;
+ i = nextSym - 1;
+ uc = mtfSymbol[i];
+
+--
+2.15.0
+
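Review bot: In the second bundled commit the `runCnt` bound in get_next_block stays commented out, so `runCnt += (runPos << nextSym)` can still wrap now that the counter is unsigned, and the later guard `dbufCount + runCnt > bd->dbufSize` is an unsigned sum that can wrap too. When that happens the only thing stopping the fill loop is the `(int)--runCnt >= 0` cast, and `byteCount[tmp_byte] += runCnt` has already absorbed the out-of-range count; how byteCount is used afterwards is outside the hunk. I would enable the check directly after the accumulation, `if (runCnt > bd->dbufSize) return RETVAL_DATA_ERROR;`, which rejects the stream long before either value can wrap. The declared type of `bd->dbufSize` is not visible here and get_next_block starts and ends outside these hunks, so confirm that the comparisons which lost their `(int)` cast are unsigned on both sides.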
diff --git a/main/busybox/CVE-2017-16544.patch b/main/busybox/CVE-2017-16544.patch
new file mode 100644
index 0000000000..27f101ccad
--- /dev/null
+++ b/main/busybox/CVE-2017-16544.patch
@@ -0,0 +1,40 @@
+From deece5e2f1b9a521955a8939175d28a440735c61 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Tue, 7 Nov 2017 18:09:29 +0100
+Subject: [PATCH] lineedit: do not tab-complete any strings which have control
+ characters
+
+function old new delta
+add_match 41 68 +27
+
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+---
+ libbb/lineedit.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/libbb/lineedit.c b/libbb/lineedit.c
+index 31e392147..269009114 100644
+--- a/libbb/lineedit.c
++++ b/libbb/lineedit.c
+@@ -633,6 +633,18 @@ static void free_tab_completion_data(void)
+
+ static void add_match(char *matched)
+ {
++ unsigned char *p = (unsigned char*)matched;
++ while (*p) {
++ /* ESC attack fix: drop any string with control chars */
++ if (*p < ' '
++ || (!ENABLE_UNICODE_SUPPORT && *p >= 0x7f)
++ || (ENABLE_UNICODE_SUPPORT && *p == 0x7f)
++ ) {
++ free(matched);
++ return;
++ }
++ p++;
++ }
+ matches = xrealloc_vector(matches, 4, num_matches);
+ matches[num_matches] = matched;
+ num_matches++;
+--
+2.15.0
+
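Review bot: With ENABLE_UNICODE_SUPPORT set, the filter in add_match rejects only bytes below `' '` and the byte `0x7f`, so every byte from 0x80 upwards passes and the C1 control range (U+0080–U+009F), once UTF-8 encoded, is not covered by this byte-wise test. Whether the terminal in use acts on those code points cannot be judged from the hunk, so at minimum the comment should state the limit, for example `/* byte-wise check: C0 controls and DEL only; C1 controls encoded in UTF-8 are not filtered */`. The function also now frees `matched` on rejection, so a header comment such as `/* takes ownership of matched; frees it if rejected */` would help, because a caller that touches the pointer after the call would read freed memory; the callers are outside the hunk.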