diff --git a/backport-CVE-2018-1000500.patch b/backport-CVE-2018-1000500.patch new file mode 100644 index 0000000000000000000000000000000000000000..2718fa63035bb2693ecc8783d9a9a7212d01a816 --- /dev/null +++ b/backport-CVE-2018-1000500.patch @@ -0,0 +1,96 @@ +From 45fa3f18adf57ef9d743038743d9c90573aeeb91 Mon Sep 17 00:00:00 2001 +From: Dimitri John Ledkov +Date: Tue, 19 May 2020 18:20:39 +0100 +Subject: [PATCH] wget: implement TLS verification with ENABLE_FEATURE_WGET_OPENSSL + +When ENABLE_FEATURE_WGET_OPENSSL is enabled, correctly implement TLS +verification by default. And only ignore verification errors, if +--no-check-certificate was passed. + +Also note, that previously OPENSSL implementation did not implement +TLS verification, nor printed any warning messages that verification +was not performed. + +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1879533 + +CVE-2018-1000500 + +Signed-off-by: Dimitri John Ledkov +Signed-off-by: Denys Vlasenko + +--- + networking/wget.c | 22 ++++++++++++++++++---- + 1 file changed, 18 insertions(+), 4 deletions(-) + +diff --git a/networking/wget.c b/networking/wget.c +index 9153264..de66ef2 100644 +--- a/networking/wget.c ++++ b/networking/wget.c +@@ -91,6 +91,9 @@ + //config: patches, but do want to waste bandwidth expaining how wrong + //config: it is, you will be ignored. + //config: ++//config: FEATURE_WGET_OPENSSL does implement TLS verification ++//config: using the certificates available to OpenSSL. ++//config: + //config:config FEATURE_WGET_OPENSSL + //config: bool "Try to connect to HTTPS using openssl" + //config: default y +@@ -115,7 +118,10 @@ + //config: If openssl can't be executed, internal TLS code will be used + //config: (if you enabled it); if openssl can be executed but fails later, + //config: wget can't detect this, and download will fail. +- ++//config: ++//config: By default TLS verification is performed, unless ++//config: --no-check-certificate option is passed. ++// + //applet:IF_WGET(APPLET(wget, BB_DIR_USR_BIN, BB_SUID_DROP)) + + //kbuild:lib-$(CONFIG_WGET) += wget.o +@@ -124,8 +130,11 @@ + //usage: IF_FEATURE_WGET_LONG_OPTIONS( + //usage: "[-c|--continue] [--spider] [-q|--quiet] [-O|--output-document FILE]\n" + //usage: " [-o|--output-file FILE] [--header 'header: value'] [-Y|--proxy on/off]\n" ++//usage: IF_FEATURE_WGET_OPENSSL( ++//usage: " [--no-check-certificate]\n" ++//usage: ) + /* Since we ignore these opts, we don't show them in --help */ +-/* //usage: " [--no-check-certificate] [--no-cache] [--passive-ftp] [-t TRIES]" */ ++/* //usage: " [--no-cache] [--passive-ftp] [-t TRIES]" */ + /* //usage: " [-nv] [-nc] [-nH] [-np]" */ + //usage: " [-P DIR] [-S|--server-response] [-U|--user-agent AGENT]" IF_FEATURE_WGET_TIMEOUT(" [-T SEC]") " URL..." + //usage: ) +@@ -137,7 +146,9 @@ + //usage: "Retrieve files via HTTP or FTP\n" + //usage: IF_FEATURE_WGET_LONG_OPTIONS( + //usage: "\n --spider Only check URL existence: $? is 0 if exists" +-///////: "\n --no-check-certificate Don't validate the server's certificate" ++//usage: IF_FEATURE_WGET_OPENSSL( ++//usage: "\n --no-check-certificate Don't validate the server's certificate" ++//usage: ) + //usage: ) + //usage: "\n -c Continue retrieval of aborted transfer" + //usage: "\n -q Quiet" +@@ -662,7 +673,7 @@ static int spawn_https_helper_openssl(const char *host, unsigned port) + pid = xvfork(); + if (pid == 0) { + /* Child */ +- char *argv[8]; ++ char *argv[9]; + + close(sp[0]); + xmove_fd(sp[1], 0); +@@ -689,6 +700,9 @@ static int spawn_https_helper_openssl(const char *host, unsigned port) + argv[5] = (char*)"-servername"; + argv[6] = (char*)servername; + } ++ if (!(option_mask32 & WGET_OPT_NO_CHECK_CERT)) { ++ argv[7] = (char*)"-verify_return_error"; ++ } + + BB_EXECVP(argv[0], argv); + xmove_fd(3, 2); +-- +2.23.0 + diff --git a/backport-CVE-2021-28831.patch b/backport-CVE-2021-28831.patch new file mode 100644 index 0000000000000000000000000000000000000000..efcbde4ee46e6c11cfd5f707444b0fd58772cd3f --- /dev/null +++ b/backport-CVE-2021-28831.patch @@ -0,0 +1,42 @@ +From 26d06cef6684055a30cce5922095d22e8a9a91e3 Mon Sep 17 00:00:00 2001 +From: leizhongkai +Date: Sat, 17 Apr 2021 14:27:23 +0800 +Subject: [PATCH] busybox: fix CVE-2021-28831 + +backoprt from upstream: +https://git.busybox.net/busybox/patch/?id=dbd3b883a891f076911d752f56f7a906d5650a17 + +Signed-off-by: leizhongkai +--- + archival/libarchive/decompress_gunzip.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/archival/libarchive/decompress_gunzip.c b/archival/libarchive/decompress_gunzip.c +index 7f9046b..3eeae76 100644 +--- a/archival/libarchive/decompress_gunzip.c ++++ b/archival/libarchive/decompress_gunzip.c +@@ -222,10 +222,21 @@ static const uint8_t border[] ALIGN1 = { + * each table. + * t: table to free + */ ++#define BAD_HUFT(p) ((uintptr_t)(p) & 1) ++#define ERR_RET ((huft_t*)(uintptr_t)1) + static void huft_free(huft_t *p) + { + huft_t *q; + ++ /* ++ * If 'p' has the error bit set we have to clear it, otherwise we might run ++ * into a segmentation fault or an invalid pointer to free(p) ++ */ ++ if (BAD_HUFT(p)) { ++ p = (huft_t*)((uintptr_t)(p) ^ (uintptr_t)(ERR_RET)); ++ } ++ ++ + /* Go through linked list, freeing from the malloced (t[-1]) address. */ + while (p) { + q = (--p)->v.t; +-- +2.23.0 + diff --git a/busybox.spec b/busybox.spec index b6e0cbc25338bff892b4fb8aacf18832d303415d..a5e7d079fdb1eb353e35a76ae486ba5696cfd2ea 100644 --- a/busybox.spec +++ b/busybox.spec @@ -4,7 +4,7 @@ %endif %if "%{!?RELEASE:1}" -%define RELEASE 6 +%define RELEASE 7 %endif Name: busybox @@ -21,6 +21,8 @@ Source3: busybox-dynamic.config #backport Patch6000: backport-bugfix-remove-stime-calls.patch +Patch6001: backport-CVE-2018-1000500.patch +Patch6002: backport-CVE-2021-28831.patch BuildRoot: %_topdir/BUILDROOT #Dependency @@ -96,6 +98,12 @@ install -m 644 docs/busybox.dynamic.1 $RPM_BUILD_ROOT/%{_mandir}/man1/busybox.1 %{_mandir}/man1/busybox.petitboot.1.gz %changelog +* Fri Apr 30 2021 caihaomin - 1:1.31.1-7 +- Type:CVE +- Id:NA +- SUG:NA +- DESC: fix CVE-2018-1000500 and CVE-2021-28831 + * Wed Jan 8 2020 openEuler Buildteam - 1:1.31.1-6 - Type:enhancement - Id:NA