[OE-core][dunfell 03/14] busybox: fix CVE-2022-28391

Steve Sakoman Wed, 11 May 2022 11:20:07 -0700

BusyBox through 1.35.0 allows remote attackers to execute arbitrary code
if netstat is used to print a DNS PTR record's value to a VT compatible
terminal. Alternatively, the attacker could choose to change the terminal's 
colors.


https://nvd.nist.gov/vuln/detail/CVE-2022-28391

Backported from kirkstone 3e17df4cd17c132dc7732ebd3d1c80c81c85bcc4.
2nd patch adjusted to apply on 1.31.1.

Signed-off-by: Steve Sakoman <st...@sakoman.com>
Signed-off-by: Richard Purdie <richard.pur...@linuxfoundation.org>
Signed-off-by: Martin Jansa <martin.ja...@gmail.com>
Signed-off-by: Steve Sakoman <st...@sakoman.com>
---
 ...tr-ensure-only-printable-characters-.patch | 38 +++++++++++
 ...e-all-printed-strings-with-printable.patch | 64 +++++++++++++++++++
 meta/recipes-core/busybox/busybox_1.31.1.bb   |  2 +
 3 files changed, 104 insertions(+)
 create mode 100644 
meta/recipes-core/busybox/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
 create mode 100644 
meta/recipes-core/busybox/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch

diff --git 
a/meta/recipes-core/busybox/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
 
b/meta/recipes-core/busybox/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
new file mode 100644
index 0000000000..18bf5f19e4
--- /dev/null
+++ 
b/meta/recipes-core/busybox/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
@@ -0,0 +1,38 @@
+From c7e181fdf58c392e06ab805e2c044c3e57d5445a Mon Sep 17 00:00:00 2001
+From: Ariadne Conill <aria...@dereferenced.org>
+Date: Sun, 3 Apr 2022 12:14:33 +0000
+Subject: [PATCH] libbb: sockaddr2str: ensure only printable characters are
+ returned for the hostname part
+
+CVE: CVE-2022-28391
+Upstream-Status: Pending
+Signed-off-by: Ariadne Conill <aria...@dereferenced.org>
+Signed-off-by: Steve Sakoman <st...@sakoman.com>
+---
+ libbb/xconnect.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/libbb/xconnect.c b/libbb/xconnect.c
+index eb2871cb1..b5520bb21 100644
+--- a/libbb/xconnect.c
++++ b/libbb/xconnect.c
+@@ -501,8 +501,9 @@ static char* FAST_FUNC sockaddr2str(const struct sockaddr 
*sa, int flags)
+       );
+       if (rc)
+               return NULL;
++      /* ensure host contains only printable characters */
+       if (flags & IGNORE_PORT)
+-              return xstrdup(host);
++              return xstrdup(printable_string(host));
+ #if ENABLE_FEATURE_IPV6
+       if (sa->sa_family == AF_INET6) {
+               if (strchr(host, ':')) /* heh, it's not a resolved hostname */
+@@ -513,7 +514,7 @@ static char* FAST_FUNC sockaddr2str(const struct sockaddr 
*sa, int flags)
+ #endif
+       /* For now we don't support anything else, so it has to be INET */
+       /*if (sa->sa_family == AF_INET)*/
+-              return xasprintf("%s:%s", host, serv);
++              return xasprintf("%s:%s", printable_string(host), serv);
+       /*return xstrdup(host);*/
+ }
+ 
diff --git 
a/meta/recipes-core/busybox/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch
 
b/meta/recipes-core/busybox/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch
new file mode 100644
index 0000000000..2c9da33a51
--- /dev/null
+++ 
b/meta/recipes-core/busybox/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch
@@ -0,0 +1,64 @@
+From f8ad7c331b25ba90fd296b37c443b4114cb196e2 Mon Sep 17 00:00:00 2001
+From: Ariadne Conill <aria...@dereferenced.org>
+Date: Sun, 3 Apr 2022 12:16:45 +0000
+Subject: [PATCH] nslookup: sanitize all printed strings with printable_string
+
+Otherwise, terminal sequences can be injected, which enables various terminal 
injection
+attacks from DNS results.
+
+MJ: One chunk wasn't applicable on 1.31.1 version, because parsing of
+SRV records was added only in newer 1.32.0 with:
+  commit 6b4960155e94076bf25518e4e268a7a5f849308e
+  Author: Jo-Philipp Wich <j...@mein.io>
+  Date:   Thu Jun 27 17:27:29 2019 +0200
+
+    nslookup: implement support for SRV records
+
+CVE: CVE-2022-28391
+Upstream-Status: Pending
+Signed-off-by: Ariadne Conill <aria...@dereferenced.org>
+Signed-off-by: Steve Sakoman <st...@sakoman.com>
+---
+ networking/nslookup.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/networking/nslookup.c b/networking/nslookup.c
+index 24e09d4f0..89b9c8a13 100644
+--- a/networking/nslookup.c
++++ b/networking/nslookup.c
+@@ -404,7 +404,7 @@ static int parse_reply(const unsigned char *msg, size_t 
len)
+                               //printf("Unable to uncompress domain: %s\n", 
strerror(errno));
+                               return -1;
+                       }
+-                      printf(format, ns_rr_name(rr), dname);
++                      printf(format, ns_rr_name(rr), printable_string(dname));
+                       break;
+ 
+               case ns_t_mx:
+@@ -419,7 +419,7 @@ static int parse_reply(const unsigned char *msg, size_t 
len)
+                               //printf("Cannot uncompress MX domain: %s\n", 
strerror(errno));
+                               return -1;
+                       }
+-                      printf("%s\tmail exchanger = %d %s\n", ns_rr_name(rr), 
n, dname);
++                      printf("%s\tmail exchanger = %d %s\n", ns_rr_name(rr), 
n, printable_string(dname));
+                       break;
+ 
+               case ns_t_txt:
+@@ -431,7 +431,7 @@ static int parse_reply(const unsigned char *msg, size_t 
len)
+                       if (n > 0) {
+                               memset(dname, 0, sizeof(dname));
+                               memcpy(dname, ns_rr_rdata(rr) + 1, n);
+-                              printf("%s\ttext = \"%s\"\n", ns_rr_name(rr), 
dname);
++                              printf("%s\ttext = \"%s\"\n", ns_rr_name(rr), 
printable_string(dname));
+                       }
+                       break;
+ 
+@@ -461,7 +461,7 @@ static int parse_reply(const unsigned char *msg, size_t 
len)
+                               return -1;
+                       }
+ 
+-                      printf("\tmail addr = %s\n", dname);
++                      printf("\tmail addr = %s\n", printable_string(dname));
+                       cp += n;
+ 
+                       printf("\tserial = %lu\n", ns_get32(cp));
diff --git a/meta/recipes-core/busybox/busybox_1.31.1.bb 
b/meta/recipes-core/busybox/busybox_1.31.1.bb
index 38b448b3e1..d062f0f7dd 100644
--- a/meta/recipes-core/busybox/busybox_1.31.1.bb
+++ b/meta/recipes-core/busybox/busybox_1.31.1.bb
@@ -55,6 +55,8 @@ SRC_URI = 
"https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
            file://CVE-2021-42374.patch \
            file://CVE-2021-42376.patch \
            file://CVE-2021-423xx-awk.patch \
+           
file://0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch \
+           
file://0002-nslookup-sanitize-all-printed-strings-with-printable.patch \
            "
 SRC_URI_append_libc-musl = " file://musl.cfg "
 
-- 
2.25.1

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#165509): 
https://lists.openembedded.org/g/openembedded-core/message/165509
Mute This Topic: https://lists.openembedded.org/mt/91042152/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core][dunfell 03/14] busybox: fix CVE-2022-28391

Reply via email to