From 157dc65fb744c00c972a065079e83458b6249344 Mon Sep 17 00:00:00 2001 From: Gustavo Zacarias Date: Fri, 25 Mar 2016 18:56:32 -0300 Subject: [PATCH] busybox: security bump to version 1.24.2 The version bump doesn't inherently fix the security issues, however the added CVE patches do, which fix: CVE-2016-2147 - out of bounds write (heap) due to integer underflow in udhcpc. CVE-2016-2148 - heap-based buffer overflow in OPTION_6RD parsing. Drop patches that are upstream as well. Signed-off-by: Gustavo Zacarias Signed-off-by: Peter Korsgaard --- ...rip-non-l-arguments-returned-by-pkg.patch} | 0 package/busybox/0002-unzip.patch | 111 --------------- .../busybox/0003-ash-recursive-heredocs.patch | 84 +++++++++++ .../0003-g-unzip-fix-recent-breakage.patch | 134 ------------------ package/busybox/0004-fix-CVE-2016-2147.patch | 73 ++++++++++ package/busybox/0004-truncate-open-mode.patch | 74 ---------- package/busybox/0005-fix-CVE-2016-2148.patch | 56 ++++++++ package/busybox/busybox.hash | 6 +- package/busybox/busybox.mk | 2 +- 9 files changed, 217 insertions(+), 323 deletions(-) rename package/busybox/{0008-Makefile.flags-strip-non-l-arguments-returned-by-pkg.patch => 0002-Makefile.flags-strip-non-l-arguments-returned-by-pkg.patch} (100%) delete mode 100644 package/busybox/0002-unzip.patch create mode 100644 package/busybox/0003-ash-recursive-heredocs.patch delete mode 100644 package/busybox/0003-g-unzip-fix-recent-breakage.patch create mode 100644 package/busybox/0004-fix-CVE-2016-2147.patch delete mode 100644 package/busybox/0004-truncate-open-mode.patch create mode 100644 package/busybox/0005-fix-CVE-2016-2148.patch 
diff --git a/package/busybox/0008-Makefile.flags-strip-non-l-arguments-returned-by-pkg.patch b/package/busybox/0002-Makefile.flags-strip-non-l-arguments-returned-by-pkg.patch
similarity index 100%
rename from package/busybox/0008-Makefile.flags-strip-non-l-arguments-returned-by-pkg.patch
rename to package/busybox/0002-Makefile.flags-strip-non-l-arguments-returned-by-pkg.patch
diff --git a/package/busybox/0002-unzip.patch b/package/busybox/0002-unzip.patch
deleted file mode 100644
index 400e528435..0000000000
--- a/package/busybox/0002-unzip.patch
+++ /dev/null
@@ -1,111 +0,0 @@ -From 1de25a6e87e0e627aa34298105a3d17c60a1f44e Mon Sep 17 00:00:00 2001 -From: Denys Vlasenko -Date: Mon, 26 Oct 2015 19:33:05 +0100 -Subject: [PATCH] unzip: test for bad archive SEGVing - -function old new delta -huft_build 1296 1300 +4 - -Signed-off-by: Denys Vlasenko -Signed-off-by: Gustavo Zacarias ---- - archival/libarchive/decompress_gunzip.c | 11 +++++++---- - testsuite/unzip.tests | 23 ++++++++++++++++++++++- - 2 files changed, 29 insertions(+), 5 deletions(-) - -diff --git a/archival/libarchive/decompress_gunzip.c b/archival/libarchive/decompress_gunzip.c -index 7b6f459..30bf451 100644 ---- a/archival/libarchive/decompress_gunzip.c -+++ b/archival/libarchive/decompress_gunzip.c -@@ -305,11 +305,12 @@ static int huft_build(const unsigned *b, const unsigned n, - unsigned i; /* counter, current code */ - unsigned j; /* counter */ - int k; /* number of bits in current code */ -- unsigned *p; /* pointer into c[], b[], or v[] */ -+ const unsigned *p; /* pointer into c[], b[], or v[] */ - huft_t *q; /* points to current table */ - huft_t r; /* table entry for structure assignment */ - huft_t *u[BMAX]; /* table stack */ - unsigned v[N_MAX]; /* values in order of bit length */ -+ unsigned v_end; - int ws[BMAX + 1]; /* bits decoded stack */ - int w; /* bits decoded */ - unsigned x[BMAX + 1]; /* bit offsets, then code stack */ -@@ -324,7 +325,7 @@ static int huft_build(const unsigned *b, const unsigned n, - - /* Generate counts for each bit length */ - memset(c, 0, sizeof(c)); -- p = (unsigned *) b; /* cast allows us to reuse p for pointing to b */ -+ p = b; - i = n; - do { - c[*p]++; /* assume all entries <= BMAX */ -@@ -365,12 +366,14 @@ static int huft_build(const unsigned *b, const unsigned n, - } - - /* Make a table of values in order of bit lengths */ -- p = (unsigned *) b; -+ p = b; - i = 0; -+ v_end = 0; - do { - j = *p++; - if (j != 0) { - v[x[j]++] = i; -+ v_end = x[j]; - } - } while (++i < n); - -@@ -432,7 +435,7 @@ static int 
huft_build(const unsigned *b, const unsigned n, - - /* set up table entry in r */ - r.b = (unsigned char) (k - w); -- if (p >= v + n) { -+ if (p >= v + v_end) { // Was "if (p >= v + n)" but v[] can be shorter! - r.e = 99; /* out of values--invalid code */ - } else if (*p < s) { - r.e = (unsigned char) (*p < 256 ? 16 : 15); /* 256 is EOB code */ -diff --git a/testsuite/unzip.tests b/testsuite/unzip.tests -index 8677a03..ca0a458 100755 ---- a/testsuite/unzip.tests -+++ b/testsuite/unzip.tests -@@ -7,7 +7,7 @@ - - . ./testing.sh - --# testing "test name" "options" "expected result" "file input" "stdin" -+# testing "test name" "commands" "expected result" "file input" "stdin" - # file input will be file called "input" - # test can create a file "actual" instead of writing to stdout - -@@ -30,6 +30,27 @@ testing "unzip (subdir only)" "unzip -q foo.zip foo/ && test -d foo && test ! -f - rmdir foo - rm foo.zip - -+# File containing some damaged encrypted stream -+testing "unzip (bad archive)" "uudecode; unzip bad.zip 2>&1; echo \$?" \ -+"Archive: bad.zip -+ inflating: ]3j½r«IK-%Ix -+unzip: inflate error -+1 -+" \ -+"" "\ -+begin-base64 644 bad.zip -+UEsDBBQAAgkIAAAAIQA5AAAANwAAADwAAAAQAAcAXTNqwr1ywqtJGxJLLSVJ -+eCkBD0AdKBk8JzQsIj01JC0/ORJQSwMEFAECCAAAAAAhADoAAAAPAAAANgAA -+AAwAAQASw73Ct1DCokohPXQiNjoUNTUiHRwgLT4WHlBLAQIQABQAAggIAAAA -+oQA5AAAANwAAADwAAAAQQAcADAAAACwAMgCAAAAAAABdM2rCvXLCq0kbEkst -+JUl4KQEPQB0oGSY4Cz4QNgEnJSYIPVBLAQIAABQAAggAAAAAIQAqAAAADwAA -+BDYAAAAMAAEADQAAADIADQAAAEEAAAASw73Ct1DKokohPXQiNzA+FAI1HCcW -+NzITNFBLBQUKAC4JAA04Cw0EOhZQSwUGAQAABAIAAgCZAAAAeQAAAAIALhM= -+==== -+" -+ -+rm * -+ - # Clean up scratch directory. - - cd .. --- -2.6.2 - diff --git a/package/busybox/0003-ash-recursive-heredocs.patch b/package/busybox/0003-ash-recursive-heredocs.patch new file mode 100644 index 0000000000..f054a90375 --- /dev/null +++ b/package/busybox/0003-ash-recursive-heredocs.patch 
@@ -0,0 +1,84 @@
+From 4194c2875310c13ee3ca2bb0e1aea6a2ae67c55a Mon Sep 17 00:00:00 2001
+From: Ron Yorston
+Date: Thu, 29 Oct 2015 16:44:56 +0000
+Subject: [PATCH] ash: fix error during recursive processing of here document
+
+Save the value of the checkkwd flag to prevent it being clobbered
+during recursion.
+
+Based on commit ec2c84d from git://git.kernel.org/pub/scm/utils/dash/dash.git
+by Herbert Xu.
+
+function old new delta
+readtoken 190 203 +13
+------------------------------------------------------------------------------
+(add/remove: 0/0 grow/shrink: 1/0 up/down: 13/0) Total: 13 bytes
+
+Signed-off-by: Ron Yorston
+Signed-off-by: Denys Vlasenko
+Signed-off-by: Mike Frysinger
+(cherry picked from commit 713f07d906d9171953be0c12e2369869855b6ca6)
+Signed-off-by: Gustavo Zacarias
+---
+ shell/ash.c | 5 +++--
+ shell/ash_test/ash-heredoc/heredoc3.right | 1 +
+ shell/ash_test/ash-heredoc/heredoc3.tests | 9 +++++++++
+ 3 files changed, 13 insertions(+), 2 deletions(-)
+ create mode 100644 shell/ash_test/ash-heredoc/heredoc3.right
+ create mode 100755 shell/ash_test/ash-heredoc/heredoc3.tests
+
+diff --git a/shell/ash.c b/shell/ash.c
+index 8a1628e..256e933 100644
+--- a/shell/ash.c
++++ b/shell/ash.c
+@@ -11893,6 +11893,7 @@ static int
+ readtoken(void)
+ {
+ int t;
++ int kwd = checkkwd;
+ #if DEBUG
+ smallint alreadyseen = tokpushback;
+ #endif
+@@ -11906,7 +11907,7 @@ readtoken(void)
+ /*
+ * eat newlines
+ */
+- if (checkkwd & CHKNL) {
++ if (kwd & CHKNL) {
+ while (t == TNL) {
+ parseheredoc();
+ t = xxreadtoken();
+@@ -11920,7 +11921,7 @@ readtoken(void)
+ /*
+ * check for keywords
+ */
+- if (checkkwd & CHKKWD) {
++ if (kwd & CHKKWD) {
+ const char *const *pp;
+
+ pp = findkwd(wordtext);
+diff --git a/shell/ash_test/ash-heredoc/heredoc3.right b/shell/ash_test/ash-heredoc/heredoc3.right
+new file mode 100644
+index 0000000..ce01362
+--- /dev/null
++++ b/shell/ash_test/ash-heredoc/heredoc3.right
+@@ -0,0 +1 @@
++hello
+diff --git
a/shell/ash_test/ash-heredoc/heredoc3.tests b/shell/ash_test/ash-heredoc/heredoc3.tests +new file mode 100755 +index 0000000..96c227c +--- /dev/null ++++ b/shell/ash_test/ash-heredoc/heredoc3.tests +@@ -0,0 +1,9 @@ ++echo hello >greeting ++cat </dev/null ++rm greeting +-- +2.7.4 + diff --git a/package/busybox/0003-g-unzip-fix-recent-breakage.patch b/package/busybox/0003-g-unzip-fix-recent-breakage.patch deleted file mode 100644 index 061e2c47e2..0000000000 --- a/package/busybox/0003-g-unzip-fix-recent-breakage.patch +++ /dev/null 
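Review bot: The commit description does not mention the ash backport added in this file (`ash: fix error during recursive processing of here document`). It lists only the two CVE fixes and the patches dropped as upstream. A security bump that silently carries a functional change to the shell parser (`readtoken` in shell/ash.c) is harder to audit and to cherry-pick onto stable branches. Add a line to the description such as `Add upstream ash fix for recursive here-document processing.`, or move this patch to its own commit.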
@@ -1,134 +0,0 @@ -From 6bd3fff51aa74e2ee2d87887b12182a3b09792ef Mon Sep 17 00:00:00 2001 -From: Denys Vlasenko -Date: Fri, 30 Oct 2015 23:41:53 +0100 -Subject: [PATCH] [g]unzip: fix recent breakage. - -Also, do emit error message we so painstakingly pass from gzip internals - -Signed-off-by: Denys Vlasenko -Signed-off-by: Arnout Vandecappelle (Essensium/Mind) ---- - archival/libarchive/decompress_gunzip.c | 33 +++++++++++++++++++++------------ - testsuite/unzip.tests | 1 + - 2 files changed, 22 insertions(+), 12 deletions(-) - -diff --git a/archival/libarchive/decompress_gunzip.c b/archival/libarchive/decompress_gunzip.c -index 30bf451..20e4d9a 100644 ---- a/archival/libarchive/decompress_gunzip.c -+++ b/archival/libarchive/decompress_gunzip.c -@@ -309,8 +309,7 @@ static int huft_build(const unsigned *b, const unsigned n, - huft_t *q; /* points to current table */ - huft_t r; /* table entry for structure assignment */ - huft_t *u[BMAX]; /* table stack */ -- unsigned v[N_MAX]; /* values in order of bit length */ -- unsigned v_end; -+ unsigned v[N_MAX + 1]; /* values in order of bit length. last v[] is never used */ - int ws[BMAX + 1]; /* bits decoded stack */ - int w; /* bits decoded */ - unsigned x[BMAX + 1]; /* bit offsets, then code stack */ -@@ -365,15 +364,17 @@ static int huft_build(const unsigned *b, const unsigned n, - *xp++ = j; - } - -- /* Make a table of values in order of bit lengths */ -+ /* Make a table of values in order of bit lengths. -+ * To detect bad input, unused v[i]'s are set to invalid value UINT_MAX. -+ * In particular, last v[i] is never filled and must not be accessed. 
-+ */ -+ memset(v, 0xff, sizeof(v)); - p = b; - i = 0; -- v_end = 0; - do { - j = *p++; - if (j != 0) { - v[x[j]++] = i; -- v_end = x[j]; - } - } while (++i < n); - -@@ -435,7 +436,9 @@ static int huft_build(const unsigned *b, const unsigned n, - - /* set up table entry in r */ - r.b = (unsigned char) (k - w); -- if (p >= v + v_end) { // Was "if (p >= v + n)" but v[] can be shorter! -+ if (/*p >= v + n || -- redundant, caught by the second check: */ -+ *p == UINT_MAX /* do we access uninited v[i]? (see memset(v))*/ -+ ) { - r.e = 99; /* out of values--invalid code */ - } else if (*p < s) { - r.e = (unsigned char) (*p < 256 ? 16 : 15); /* 256 is EOB code */ -@@ -520,8 +523,9 @@ static NOINLINE int inflate_codes(STATE_PARAM_ONLY) - e = t->e; - if (e > 16) - do { -- if (e == 99) -- abort_unzip(PASS_STATE_ONLY);; -+ if (e == 99) { -+ abort_unzip(PASS_STATE_ONLY); -+ } - bb >>= t->b; - k -= t->b; - e -= 16; -@@ -557,8 +561,9 @@ static NOINLINE int inflate_codes(STATE_PARAM_ONLY) - e = t->e; - if (e > 16) - do { -- if (e == 99) -+ if (e == 99) { - abort_unzip(PASS_STATE_ONLY); -+ } - bb >>= t->b; - k -= t->b; - e -= 16; -@@ -824,8 +829,9 @@ static int inflate_block(STATE_PARAM smallint *e) - - b_dynamic >>= 4; - k_dynamic -= 4; -- if (nl > 286 || nd > 30) -+ if (nl > 286 || nd > 30) { - abort_unzip(PASS_STATE_ONLY); /* bad lengths */ -+ } - - /* read in bit-length-code lengths */ - for (j = 0; j < nb; j++) { -@@ -906,12 +912,14 @@ static int inflate_block(STATE_PARAM smallint *e) - bl = lbits; - - i = huft_build(ll, nl, 257, cplens, cplext, &inflate_codes_tl, &bl); -- if (i != 0) -+ if (i != 0) { - abort_unzip(PASS_STATE_ONLY); -+ } - bd = dbits; - i = huft_build(ll + nl, nd, 0, cpdist, cpdext, &inflate_codes_td, &bd); -- if (i != 0) -+ if (i != 0) { - abort_unzip(PASS_STATE_ONLY); -+ } - - /* set up data for inflate_codes() */ - inflate_codes_setup(PASS_STATE bl, bd); -@@ -999,6 +1007,7 @@ inflate_unzip_internal(STATE_PARAM transformer_state_t *xstate) - error_msg = 
"corrupted data"; - if (setjmp(error_jmp)) { - /* Error from deep inside zip machinery */ -+ bb_error_msg(error_msg); - n = -1; - goto ret; - } -diff --git a/testsuite/unzip.tests b/testsuite/unzip.tests -index ca0a458..d8738a3 100755 ---- a/testsuite/unzip.tests -+++ b/testsuite/unzip.tests -@@ -34,6 +34,7 @@ rm foo.zip - testing "unzip (bad archive)" "uudecode; unzip bad.zip 2>&1; echo \$?" \ - "Archive: bad.zip - inflating: ]3j½r«IK-%Ix -+unzip: corrupted data - unzip: inflate error - 1 - " \ --- -2.6.2 - diff --git a/package/busybox/0004-fix-CVE-2016-2147.patch b/package/busybox/0004-fix-CVE-2016-2147.patch new file mode 100644 index 0000000000..bd1e47ecf4 --- /dev/null +++ b/package/busybox/0004-fix-CVE-2016-2147.patch 
@@ -0,0 +1,73 @@
+From 3c4de6e36c4d387a648622e7b828a05f2b1b47e6 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko
+Date: Fri, 26 Feb 2016 15:54:56 +0100
+Subject: [PATCH] udhcpc: fix OPTION_6RD parsing (could overflow its malloced
+ buffer)
+
+Signed-off-by: Denys Vlasenko
+Signed-off-by: Mike Frysinger
+(cherry picked from commit 352f79acbd759c14399e39baef21fc4ffe180ac2)
+Signed-off-by: Gustavo Zacarias
+---
+ networking/udhcp/common.c | 15 +++++++++++++--
+ networking/udhcp/dhcpc.c | 4 ++--
+ 2 files changed, 15 insertions(+), 4 deletions(-)
+
+diff --git a/networking/udhcp/common.c b/networking/udhcp/common.c
+index bc41c8d..680852c 100644
+--- a/networking/udhcp/common.c
++++ b/networking/udhcp/common.c
+@@ -142,7 +142,7 @@ const char dhcp_option_strings[] ALIGN1 =
+ * udhcp_str2optset: to determine how many bytes to allocate.
+ * xmalloc_optname_optval: to estimate string length
+ * from binary option length: (option[LEN] / dhcp_option_lengths[opt_type])
+- * is the number of elements, multiply in by one element's string width
++ * is the number of elements, multiply it by one element's string width
+ * (len_of_option_as_string[opt_type]) and you know how wide string you need.
+ */
+ const uint8_t dhcp_option_lengths[] ALIGN1 = {
+@@ -162,7 +162,18 @@ const uint8_t dhcp_option_lengths[] ALIGN1 = {
+ [OPTION_S32] = 4,
+ /* Just like OPTION_STRING, we use minimum length here */
+ [OPTION_STATIC_ROUTES] = 5,
+- [OPTION_6RD] = 22, /* ignored by udhcp_str2optset */
++ [OPTION_6RD] = 12, /* ignored by udhcp_str2optset */
++ /* The above value was chosen as follows:
++ * len_of_option_as_string[] for this option is >60: it's a string of the form
++ * "32 128 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 255.255.255.255 ".
++ * Each additional ipv4 address takes 4 bytes in binary option and appends
++ * another "255.255.255.255 " 16-byte string.
We can set [OPTION_6RD] = 4
++ * but this severely overestimates string length: instead of 16 bytes,
++ * it adds >60 for every 4 bytes in binary option.
++ * We cheat and declare here that option is in units of 12 bytes.
++ * This adds more than 60 bytes for every three ipv4 addresses - more than enough.
++ * (Even 16 instead of 12 should work, but let's be paranoid).
++ */
+ };
+
+
+diff --git a/networking/udhcp/dhcpc.c b/networking/udhcp/dhcpc.c
+index 915f659..2332b57 100644
+--- a/networking/udhcp/dhcpc.c
++++ b/networking/udhcp/dhcpc.c
+@@ -113,7 +113,7 @@ static const uint8_t len_of_option_as_string[] = {
+ [OPTION_IP ] = sizeof("255.255.255.255 "),
+ [OPTION_IP_PAIR ] = sizeof("255.255.255.255 ") * 2,
+ [OPTION_STATIC_ROUTES ] = sizeof("255.255.255.255/32 255.255.255.255 "),
+- [OPTION_6RD ] = sizeof("32 128 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 255.255.255.255 "),
++ [OPTION_6RD ] = sizeof("132 128 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 255.255.255.255 "),
+ [OPTION_STRING ] = 1,
+ [OPTION_STRING_HOST ] = 1,
+ #if ENABLE_FEATURE_UDHCP_RFC3397
+@@ -220,7 +220,7 @@ static NOINLINE char *xmalloc_optname_optval(uint8_t *option, const struct dhcp_
+ type = optflag->flags & OPTION_TYPE_MASK;
+ optlen = dhcp_option_lengths[type];
+ upper_length = len_of_option_as_string[type]
+- * ((unsigned)(len + optlen - 1) / (unsigned)optlen);
++ * ((unsigned)(len + optlen) / (unsigned)optlen);
+
+ dest = ret = xmalloc(upper_length + strlen(opt_name) + 2);
+ dest += sprintf(ret, "%s=", opt_name);
+--
+2.7.4
+
diff --git a/package/busybox/0004-truncate-open-mode.patch b/package/busybox/0004-truncate-open-mode.patch
deleted file mode 100644
index f0dc6d1f4f..0000000000
--- a/package/busybox/0004-truncate-open-mode.patch
+++ /dev/null
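Review bot: The CVE ids in the two new patch file names look swapped relative to the commit description. The description assigns CVE-2016-2147 to the integer-underflow heap write and CVE-2016-2148 to the OPTION_6RD overflow. Yet this file, `0004-fix-CVE-2016-2147.patch`, carries the OPTION_6RD sizing fix (`[OPTION_6RD] = 12`, `(len + optlen) / (unsigned)optlen`), while `0005-fix-CVE-2016-2148.patch` carries the `dst && len != 0` guard in `dname_dec`. Anyone matching patch names against CVE ids would record the wrong fix for each, so the files should become `0004-fix-CVE-2016-2148.patch` and `0005-fix-CVE-2016-2147.patch`, or the description should be corrected if it is the side that is wrong. Separately, the buffer is still sized from an estimate (`upper_length`) and written with `sprintf`; xmalloc_optname_optval continues outside the hunk, so whether later writes are bounded cannot be confirmed here.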
@@ -1,74 +0,0 @@ -From be729c1d3b5c923f10871dd68ea94156d0f8c803 Mon Sep 17 00:00:00 2001 -From: Ari Sundholm -Date: Mon, 4 Jan 2016 15:40:37 +0200 -Subject: [PATCH] truncate: always set mode when opening file to avoid fortify - errors - -Busybox crashes due to no mode being given when opening: -$ ./busybox truncate -s 1M foo -*** invalid open64 call: O_CREAT without mode ***: ./busybox terminated -======= Backtrace: ========= -/lib/x86_64-linux-gnu/libc.so.6(+0x7338f)[0x7f66d921338f] -/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7f66d92aac9c] -/lib/x86_64-linux-gnu/libc.so.6(+0xeb6aa)[0x7f66d928b6aa] -./busybox[0x4899f9] -======= Memory map: ======== -00400000-004d0000 r-xp 00000000 00:1a 137559 /home/ari/busybox/busybox -006cf000-006d0000 r--p 000cf000 00:1a 137559 /home/ari/busybox/busybox -006d0000-006d1000 rw-p 000d0000 00:1a 137559 /home/ari/busybox/busybox -006d1000-006d4000 rw-p 00000000 00:00 0 -014e7000-01508000 rw-p 00000000 00:00 0 [heap] -7f66d8f8a000-7f66d8fa0000 r-xp 00000000 08:07 1579008 /lib/x86_64-linux-gnu/libgcc_s.so.1 -7f66d8fa0000-7f66d919f000 ---p 00016000 08:07 1579008 /lib/x86_64-linux-gnu/libgcc_s.so.1 -7f66d919f000-7f66d91a0000 rw-p 00015000 08:07 1579008 /lib/x86_64-linux-gnu/libgcc_s.so.1 -7f66d91a0000-7f66d935b000 r-xp 00000000 08:07 1578994 /lib/x86_64-linux-gnu/libc-2.19.so -7f66d935b000-7f66d955a000 ---p 001bb000 08:07 1578994 /lib/x86_64-linux-gnu/libc-2.19.so -7f66d955a000-7f66d955e000 r--p 001ba000 08:07 1578994 /lib/x86_64-linux-gnu/libc-2.19.so -7f66d955e000-7f66d9560000 rw-p 001be000 08:07 1578994 /lib/x86_64-linux-gnu/libc-2.19.so -7f66d9560000-7f66d9565000 rw-p 00000000 00:00 0 -7f66d9565000-7f66d966a000 r-xp 00000000 08:07 1579020 /lib/x86_64-linux-gnu/libm-2.19.so -7f66d966a000-7f66d9869000 ---p 00105000 08:07 1579020 /lib/x86_64-linux-gnu/libm-2.19.so -7f66d9869000-7f66d986a000 r--p 00104000 08:07 1579020 /lib/x86_64-linux-gnu/libm-2.19.so -7f66d986a000-7f66d986b000 rw-p 00105000 08:07 1579020 
/lib/x86_64-linux-gnu/libm-2.19.so -7f66d986b000-7f66d988e000 r-xp 00000000 08:07 1578981 /lib/x86_64-linux-gnu/ld-2.19.so -7f66d9a64000-7f66d9a67000 rw-p 00000000 00:00 0 -7f66d9a8a000-7f66d9a8d000 rw-p 00000000 00:00 0 -7f66d9a8d000-7f66d9a8e000 r--p 00022000 08:07 1578981 /lib/x86_64-linux-gnu/ld-2.19.so -7f66d9a8e000-7f66d9a8f000 rw-p 00023000 08:07 1578981 /lib/x86_64-linux-gnu/ld-2.19.so -7f66d9a8f000-7f66d9a90000 rw-p 00000000 00:00 0 -7ffc47761000-7ffc47782000 rw-p 00000000 00:00 0 [stack] -7ffc477ab000-7ffc477ad000 r-xp 00000000 00:00 0 [vdso] -ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall] -Aborted (core dumped) -$ - -Fix this by simply always setting the mode, as it doesn't hurt even -when O_CREAT is not specified. - -This bug is a regression introduced in fc3e40e, as xopen(), which -was originally used, would automatically set the mode. - -Signed-off-by: Ari Sundholm -Signed-off-by: Mike Frysinger -(cherry picked from commit e111a1640494fe87fc913f94fae3bb805de0fc99) -Signed-off-by: Gustavo Zacarias ---- - coreutils/truncate.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/coreutils/truncate.c b/coreutils/truncate.c -index e5fa656..4c997bf 100644 ---- a/coreutils/truncate.c -+++ b/coreutils/truncate.c -@@ -64,7 +64,7 @@ int truncate_main(int argc UNUSED_PARAM, char **argv) - - argv += optind; - while (*argv) { -- int fd = open(*argv, flags); -+ int fd = open(*argv, flags, 0666); - if (fd < 0) { - if (errno != ENOENT || !(opts & OPT_NOCREATE)) { - bb_perror_msg("%s: open", *argv); --- -2.6.2 - diff --git a/package/busybox/0005-fix-CVE-2016-2148.patch b/package/busybox/0005-fix-CVE-2016-2148.patch new file mode 100644 index 0000000000..93eff484d4 --- /dev/null +++ b/package/busybox/0005-fix-CVE-2016-2148.patch 
@@ -0,0 +1,56 @@
+From 3a76bb5136d05f94ee62e377aa723e63444912c7 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko
+Date: Thu, 10 Mar 2016 11:47:58 +0100
+Subject: [PATCH] udhcp: fix a SEGV on malformed RFC1035-encoded domain name
+
+Signed-off-by: Denys Vlasenko
+Signed-off-by: Mike Frysinger
+(cherry picked from commit d474ffc68290e0a83651c4432eeabfa62cd51e87)
+Signed-off-by: Gustavo Zacarias
+---
+ networking/udhcp/domain_codec.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/networking/udhcp/domain_codec.c b/networking/udhcp/domain_codec.c
+index c1325d8..8429367 100644
+--- a/networking/udhcp/domain_codec.c
++++ b/networking/udhcp/domain_codec.c
+@@ -63,11 +63,10 @@ char* FAST_FUNC dname_dec(const uint8_t *cstr, int clen, const char *pre)
+ if (crtpos + *c + 1 > clen) /* label too long? abort */
+ return NULL;
+ if (dst)
+- memcpy(dst + len, c + 1, *c);
++ /* \3com ---> "com." */
++ ((char*)mempcpy(dst + len, c + 1, *c))[0] = '.';
+ len += *c + 1;
+ crtpos += *c + 1;
+- if (dst)
+- dst[len - 1] = '.';
+ } else {
+ /* NUL: end of current domain name */
+ if (retpos == 0) {
+@@ -78,7 +77,10 @@ char* FAST_FUNC dname_dec(const uint8_t *cstr, int clen, const char *pre)
+ crtpos = retpos;
+ retpos = depth = 0;
+ }
+- if (dst)
++ if (dst && len != 0)
++ /* \4host\3com\0\4host and we are at \0:
++ * \3com was converted to "com.", change dot to space.
++ */
+ dst[len - 1] = ' ';
+ }
+
+@@ -228,6 +230,9 @@ int main(int argc, char **argv)
+ int len;
+ uint8_t *encoded;
+
++ uint8_t str[6] = { 0x00, 0x00, 0x02, 0x65, 0x65, 0x00 };
++ printf("NUL:'%s'\n", dname_dec(str, 6, ""));
++
+ #define DNAME_DEC(encoded,pre) dname_dec((uint8_t*)(encoded), sizeof(encoded), (pre))
+ printf("'%s'\n", DNAME_DEC("\4host\3com\0", "test1:"));
+ printf("test2:'%s'\n", DNAME_DEC("\4host\3com\0\4host\3com\0", ""));
+--
+2.7.4
+
diff --git a/package/busybox/busybox.hash b/package/busybox/busybox.hash
index 99fb8e4e72..7486aeb94b 100644
--- a/package/busybox/busybox.hash
+++ b/package/busybox/busybox.hash
@@ -1,3 +1,3 @@
-# From http://busybox.net/downloads/busybox-1.24.1.tar.bz2.sign
-md5 be98a40cadf84ce2d6b05fa41a275c6a busybox-1.24.1.tar.bz2
-sha1 157d14d24748b4505b1a418535688706a2b81680 busybox-1.24.1.tar.bz2
+# From http://busybox.net/downloads/busybox-1.24.2.tar.bz2.sign
+md5 2eaae519cac1143bcf583636a745381f busybox-1.24.2.tar.bz2
+sha1 03e6cfc8ddb2f709f308719a9b9f4818bc0a28d0 busybox-1.24.2.tar.bz2
diff --git a/package/busybox/busybox.mk b/package/busybox/busybox.mk
index 7c904c8188..c7fb8b41e6 100644
--- a/package/busybox/busybox.mk
+++ b/package/busybox/busybox.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-BUSYBOX_VERSION = 1.24.1
+BUSYBOX_VERSION = 1.24.2
 BUSYBOX_SITE = http://www.busybox.net/downloads
 BUSYBOX_SOURCE = busybox-$(BUSYBOX_VERSION).tar.bz2
 BUSYBOX_LICENSE = GPLv2
-- 
2.30.2
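Review bot: The new tarball in `busybox.hash` is pinned only by `md5` and `sha1` digests. Both come from a `.sign` file referenced over plain `http://`, and `BUSYBOX_SITE` in busybox.mk is also `http://`. Neither algorithm is collision-resistant, so the download's integrity rests on weak digests fetched over an unauthenticated channel. For a security bump, add a locally computed line `sha256 <sha256-of-verified-tarball> busybox-1.24.2.tar.bz2` after checking the tarball against the upstream `.sign` file. Whether the hash checker at this revision accepts `sha256` entries is not visible on this page, so confirm that first.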