author | Mike Frysinger <vapier@gentoo.org> | 2016-03-21 14:45:08 -0400 |
---|---|---|
committer | Mike Frysinger <vapier@gentoo.org> | 2016-03-21 14:45:08 -0400 |
commit | 596b078da777fa1b066d57366803a13855a0c652 (patch) | |
tree | 8336c41e957e76d65e2486ee496f753712540139 /sys-apps/busybox/files | |
parent | dev-util/fatrace: Version bump, fix python pkg_setup (bug 482848, thanks vapi... (diff) | |
sys-apps/busybox: version bump to 1.24.2 #577610
Diffstat (limited to 'sys-apps/busybox/files')
3 files changed, 210 insertions, 0 deletions
diff --git a/sys-apps/busybox/files/busybox-1.24.2-CVE-2016-2147.patch b/sys-apps/busybox/files/busybox-1.24.2-CVE-2016-2147.patch
new file mode 100644
index 000000000000..2187c9b6732c
--- /dev/null
+++ b/sys-apps/busybox/files/busybox-1.24.2-CVE-2016-2147.patch
@@ -0,0 +1,72 @@
+From 3c4de6e36c4d387a648622e7b828a05f2b1b47e6 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Fri, 26 Feb 2016 15:54:56 +0100
+Subject: [PATCH] udhcpc: fix OPTION_6RD parsing (could overflow its malloced
+ buffer)
+
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+Signed-off-by: Mike Frysinger <vapier@gentoo.org>
+(cherry picked from commit 352f79acbd759c14399e39baef21fc4ffe180ac2)
+---
+ networking/udhcp/common.c | 15 +++++++++++++--
+ networking/udhcp/dhcpc.c | 4 ++--
+ 2 files changed, 15 insertions(+), 4 deletions(-)
+
+diff --git a/networking/udhcp/common.c b/networking/udhcp/common.c
+index bc41c8d..680852c 100644
+--- a/networking/udhcp/common.c
++++ b/networking/udhcp/common.c
+@@ -142,7 +142,7 @@ const char dhcp_option_strings[] ALIGN1 =
+ * udhcp_str2optset: to determine how many bytes to allocate.
+ * xmalloc_optname_optval: to estimate string length
+ * from binary option length: (option[LEN] / dhcp_option_lengths[opt_type])
+- * is the number of elements, multiply in by one element's string width
++ * is the number of elements, multiply it by one element's string width
+ * (len_of_option_as_string[opt_type]) and you know how wide string you need.
+ */
+ const uint8_t dhcp_option_lengths[] ALIGN1 = {
+@@ -162,7 +162,18 @@ const uint8_t dhcp_option_lengths[] ALIGN1 = {
+ [OPTION_S32] = 4,
+ /* Just like OPTION_STRING, we use minimum length here */
+ [OPTION_STATIC_ROUTES] = 5,
+- [OPTION_6RD] = 22, /* ignored by udhcp_str2optset */
++ [OPTION_6RD] = 12, /* ignored by udhcp_str2optset */
++ /* The above value was chosen as follows:
++ * len_of_option_as_string[] for this option is >60: it's a string of the form
++ * "32 128 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 255.255.255.255 ".
++ * Each additional ipv4 address takes 4 bytes in binary option and appends
++ * another "255.255.255.255 " 16-byte string. We can set [OPTION_6RD] = 4
++ * but this severely overestimates string length: instead of 16 bytes,
++ * it adds >60 for every 4 bytes in binary option.
++ * We cheat and declare here that option is in units of 12 bytes.
++ * This adds more than 60 bytes for every three ipv4 addresses - more than enough.
++ * (Even 16 instead of 12 should work, but let's be paranoid).
++ */
+ };
+
+
+diff --git a/networking/udhcp/dhcpc.c b/networking/udhcp/dhcpc.c
+index 915f659..2332b57 100644
+--- a/networking/udhcp/dhcpc.c
++++ b/networking/udhcp/dhcpc.c
+@@ -113,7 +113,7 @@ static const uint8_t len_of_option_as_string[] = {
+ [OPTION_IP ] = sizeof("255.255.255.255 "),
+ [OPTION_IP_PAIR ] = sizeof("255.255.255.255 ") * 2,
+ [OPTION_STATIC_ROUTES ] = sizeof("255.255.255.255/32 255.255.255.255 "),
+- [OPTION_6RD ] = sizeof("32 128 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 255.255.255.255 "),
++ [OPTION_6RD ] = sizeof("132 128 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 255.255.255.255 "),
+ [OPTION_STRING ] = 1,
+ [OPTION_STRING_HOST ] = 1,
+ #if ENABLE_FEATURE_UDHCP_RFC3397
+@@ -220,7 +220,7 @@ static NOINLINE char *xmalloc_optname_optval(uint8_t *option, const struct dhcp_
+ type = optflag->flags & OPTION_TYPE_MASK;
+ optlen = dhcp_option_lengths[type];
+ upper_length = len_of_option_as_string[type]
+- * ((unsigned)(len + optlen - 1) / (unsigned)optlen);
++ * ((unsigned)(len + optlen) / (unsigned)optlen);
+
+ dest = ret = xmalloc(upper_length + strlen(opt_name) + 2);
+ dest += sprintf(ret, "%s=", opt_name);
+--
+2.7.4
+
diff --git a/sys-apps/busybox/files/busybox-1.24.2-CVE-2016-2148.patch b/sys-apps/busybox/files/busybox-1.24.2-CVE-2016-2148.patch
new file mode 100644
index 000000000000..08e08bec173d
--- /dev/null
+++ b/sys-apps/busybox/files/busybox-1.24.2-CVE-2016-2148.patch
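Review bot: The comment added next to `[OPTION_6RD] = 12` in common.c still quotes the per-element string as "32 128 ffff:… 255.255.255.255 ", while the dhcpc.c hunk now sizes `len_of_option_as_string[OPTION_6RD]` for "132 128 …"; the two should quote the same worst-case string, and neither place says why the first field needs three digits. The last context line shows the buffer is still filled with an unbounded `sprintf`, so the overflow fix rests entirely on these two tables and the new `(len + optlen) / optlen` rounding staying in step. I would state that invariant where the size is computed, e.g. `/* upper_length must cover the worst-case text of every element plus one spare element; the sprintf() calls that fill ret are not bounded */`. The body of xmalloc_optname_optval continues outside the hunk, so whether the later writes are checked in some other way cannot be confirmed from here.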
@@ -0,0 +1,55 @@
+From 3a76bb5136d05f94ee62e377aa723e63444912c7 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Thu, 10 Mar 2016 11:47:58 +0100
+Subject: [PATCH] udhcp: fix a SEGV on malformed RFC1035-encoded domain name
+
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+Signed-off-by: Mike Frysinger <vapier@gentoo.org>
+(cherry picked from commit d474ffc68290e0a83651c4432eeabfa62cd51e87)
+---
+ networking/udhcp/domain_codec.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/networking/udhcp/domain_codec.c b/networking/udhcp/domain_codec.c
+index c1325d8..8429367 100644
+--- a/networking/udhcp/domain_codec.c
++++ b/networking/udhcp/domain_codec.c
+@@ -63,11 +63,10 @@ char* FAST_FUNC dname_dec(const uint8_t *cstr, int clen, const char *pre)
+ if (crtpos + *c + 1 > clen) /* label too long? abort */
+ return NULL;
+ if (dst)
+- memcpy(dst + len, c + 1, *c);
++ /* \3com ---> "com." */
++ ((char*)mempcpy(dst + len, c + 1, *c))[0] = '.';
+ len += *c + 1;
+ crtpos += *c + 1;
+- if (dst)
+- dst[len - 1] = '.';
+ } else {
+ /* NUL: end of current domain name */
+ if (retpos == 0) {
+@@ -78,7 +77,10 @@ char* FAST_FUNC dname_dec(const uint8_t *cstr, int clen, const char *pre)
+ crtpos = retpos;
+ retpos = depth = 0;
+ }
+- if (dst)
++ if (dst && len != 0)
++ /* \4host\3com\0\4host and we are at \0:
++ * \3com was converted to "com.", change dot to space.
++ */
+ dst[len - 1] = ' ';
+ }
+
+@@ -228,6 +230,9 @@ int main(int argc, char **argv)
+ int len;
+ uint8_t *encoded;
+
++ uint8_t str[6] = { 0x00, 0x00, 0x02, 0x65, 0x65, 0x00 };
++ printf("NUL:'%s'\n", dname_dec(str, 6, ""));
++
+ #define DNAME_DEC(encoded,pre) dname_dec((uint8_t*)(encoded), sizeof(encoded), (pre))
+ printf("'%s'\n", DNAME_DEC("\4host\3com\0", "test1:"));
+ printf("test2:'%s'\n", DNAME_DEC("\4host\3com\0\4host\3com\0", ""));
+--
+2.7.4
+
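Review bot: In dname_dec both `if (dst)` and `if (dst && len != 0)` now control a single statement that sits below a comment with no braces, which makes it easy for a later edit to detach the guard from the write. Since `len != 0` is what keeps `dst[len - 1]` from indexing before the start of the buffer, I would brace it: `if (dst && len != 0) { /* … */ dst[len - 1] = ' '; }`. The regression line added to main() passes the result of `dname_dec(str, 6, "")` straight to `%s`, and the first hunk shows dname_dec can return NULL, so the test should print through a checked pointer, e.g. `r ? r : "(null)"`. dname_dec starts and ends outside these hunks, so how dst is allocated is not visible here.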
diff --git a/sys-apps/busybox/files/busybox-1.24.2-ash-recursive-heredocs.patch b/sys-apps/busybox/files/busybox-1.24.2-ash-recursive-heredocs.patch
new file mode 100644
index 000000000000..5405eafeaa9e
--- /dev/null
+++ b/sys-apps/busybox/files/busybox-1.24.2-ash-recursive-heredocs.patch
@@ -0,0 +1,83 @@
+From 4194c2875310c13ee3ca2bb0e1aea6a2ae67c55a Mon Sep 17 00:00:00 2001
+From: Ron Yorston <rmy@pobox.com>
+Date: Thu, 29 Oct 2015 16:44:56 +0000
+Subject: [PATCH] ash: fix error during recursive processing of here document
+
+Save the value of the checkkwd flag to prevent it being clobbered
+during recursion.
+
+Based on commit ec2c84d from git://git.kernel.org/pub/scm/utils/dash/dash.git
+by Herbert Xu.
+
+function old new delta
+readtoken 190 203 +13
+------------------------------------------------------------------------------
+(add/remove: 0/0 grow/shrink: 1/0 up/down: 13/0) Total: 13 bytes
+
+Signed-off-by: Ron Yorston <rmy@pobox.com>
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+Signed-off-by: Mike Frysinger <vapier@gentoo.org>
+(cherry picked from commit 713f07d906d9171953be0c12e2369869855b6ca6)
+---
+ shell/ash.c | 5 +++--
+ shell/ash_test/ash-heredoc/heredoc3.right | 1 +
+ shell/ash_test/ash-heredoc/heredoc3.tests | 9 +++++++++
+ 3 files changed, 13 insertions(+), 2 deletions(-)
+ create mode 100644 shell/ash_test/ash-heredoc/heredoc3.right
+ create mode 100755 shell/ash_test/ash-heredoc/heredoc3.tests
+
+diff --git a/shell/ash.c b/shell/ash.c
+index 8a1628e..256e933 100644
+--- a/shell/ash.c
++++ b/shell/ash.c
+@@ -11893,6 +11893,7 @@ static int
+ readtoken(void)
+ {
+ int t;
++ int kwd = checkkwd;
+ #if DEBUG
+ smallint alreadyseen = tokpushback;
+ #endif
+@@ -11906,7 +11907,7 @@ readtoken(void)
+ /*
+ * eat newlines
+ */
+- if (checkkwd & CHKNL) {
++ if (kwd & CHKNL) {
+ while (t == TNL) {
+ parseheredoc();
+ t = xxreadtoken();
+@@ -11920,7 +11921,7 @@ readtoken(void)
+ /*
+ * check for keywords
+ */
+- if (checkkwd & CHKKWD) {
++ if (kwd & CHKKWD) {
+ const char *const *pp;
+
+ pp = findkwd(wordtext);
+diff --git a/shell/ash_test/ash-heredoc/heredoc3.right b/shell/ash_test/ash-heredoc/heredoc3.right
+new file mode 100644
+index 0000000..ce01362
+--- /dev/null
++++ b/shell/ash_test/ash-heredoc/heredoc3.right
+@@ -0,0 +1 @@
++hello
+diff --git a/shell/ash_test/ash-heredoc/heredoc3.tests b/shell/ash_test/ash-heredoc/heredoc3.tests
+new file mode 100755
+index 0000000..96c227c
+--- /dev/null
++++ b/shell/ash_test/ash-heredoc/heredoc3.tests
+@@ -0,0 +1,9 @@
++echo hello >greeting
++cat <<EOF &&
++$(cat greeting)
++EOF
++{
++ echo $?
++ cat greeting
++} >/dev/null
++rm greeting
+--
+2.7.4
+ |
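Review bot: The new local `kwd` in readtoken() carries no comment saying why the global `checkkwd` is copied before use; the reason is given only in the commit message. A line such as `int kwd = checkkwd; /* snapshot: parseheredoc() below may re-enter the parser and clobber checkkwd */` would keep a later cleanup from folding the two back together. readtoken()'s body continues beyond the hunks, so any further reads of `checkkwd` after the keyword check are not visible here.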