From: Fabrice Fontaine Date: Sat, 29 Feb 2020 22:55:11 +0000 (+0100) Subject: package/shellinabox: fix CVE-2018-16789 X-Git-Url: https://git.libre-soc.org/?a=commitdiff_plain;h=5553223297a5ef07220ab5b45bf48973f7166950;p=buildroot.git package/shellinabox: fix CVE-2018-16789 libhttp/url.c in shellinabox through 2.20 has an implementation flaw in the HTTP request parsing logic. By sending a crafted multipart/form-data HTTP request, an attacker could exploit this to force shellinaboxd into an infinite loop, exhausting available CPU resources and taking the service down. Signed-off-by: Fabrice Fontaine Signed-off-by: Yann E. MORIN --- diff --git a/package/shellinabox/0002-CVE-2018-16789-fix-for-broken-multipart-form-data.patch b/package/shellinabox/0002-CVE-2018-16789-fix-for-broken-multipart-form-data.patch new file mode 100644 index 0000000000..4b15f419e3 --- /dev/null +++ b/package/shellinabox/0002-CVE-2018-16789-fix-for-broken-multipart-form-data.patch @@ -0,0 +1,26 @@ +From 7f47efe1717c381f86566fabe0b1ced8cb98fe8f Mon Sep 17 00:00:00 2001 +From: irsl +Date: Fri, 26 Oct 2018 11:51:15 +0200 +Subject: [PATCH] fix for broken multipart/form-data + +Malformed multipart/form-data payload results in infinite loop and thus denial of service +[Upstream status: https://github.com/shellinabox/shellinabox/pull/446] +Signed-off-by: Fabrice Fontaine +--- + libhttp/url.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/libhttp/url.c b/libhttp/url.c +index ed29475..4177871 100644 +--- a/libhttp/url.c ++++ b/libhttp/url.c +@@ -312,6 +312,9 @@ static void urlParsePostBody(struct URL *url, + } + } + } ++ } else { ++ warn("[http] broken multipart/form-data!"); ++ break; + } + } + if (lastPart) { diff --git a/package/shellinabox/shellinabox.mk b/package/shellinabox/shellinabox.mk index be36804cb7..4c93fdccef 100644 --- a/package/shellinabox/shellinabox.mk +++ b/package/shellinabox/shellinabox.mk @@ -9,6 +9,9 @@ SHELLINABOX_SITE = $(call github,shellinabox,shellinabox,v$(SHELLINABOX_VERSION) SHELLINABOX_LICENSE = GPL-2.0 with OpenSSL exception SHELLINABOX_LICENSE_FILES = COPYING GPL-2 +# 0002-CVE-2018-16789-fix-for-broken-multipart-form-data.patch +SHELLINABOX_IGNORE_CVES += CVE-2018-16789 + # Fetching from Github, and patching Makefile.am, so we need to autoreconf SHELLINABOX_AUTORECONF = YES