[ptxdist] [PATCH] busybox: Fix CVE-2022-28391, CVE-2022-30065

[Christian Melki <christian.melki@t2data.com>]

Busybox has not had a release for ~6 months.
Plugging CVEs, with fixes that has yet to be
accepted upstream.

Signed-off-by: Christian Melki <christian.melki@t2data.com>
---
 ...tr-ensure-only-printable-characters-.patch | 36 +++++++++++
 ...e-all-printed-strings-with-printable.patch | 63 +++++++++++++++++++
 .../0003-editors-awk.c-CVE-2022-30065.patch   | 35 +++++++++++
 patches/busybox-1.35.0/series                 |  5 +-
 4 files changed, 138 insertions(+), 1 deletion(-)
 create mode 100644 patches/busybox-1.35.0/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
 create mode 100644 patches/busybox-1.35.0/0002-nslookup-sanitize-all-printed-strings-with-printable.patch
 create mode 100644 patches/busybox-1.35.0/0003-editors-awk.c-CVE-2022-30065.patch

diff --git a/patches/busybox-1.35.0/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch b/patches/busybox-1.35.0/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
new file mode 100644
index 000000000..507d4e54e
--- /dev/null
+++ b/patches/busybox-1.35.0/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
@@ -0,0 +1,36 @@
+From: Ariadne Conill <ariadne@dereferenced.org>
+Date: Sun, 3 Apr 2022 12:14:33 +0000
+Subject: [PATCH] libbb: sockaddr2str: ensure only printable characters are
+ returned for the hostname part
+
+CVE: Pending
+Upstream-Status: Pending
+Signed-off-by: Ariadne Conill <ariadne@dereferenced.org>
+---
+ libbb/xconnect.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/libbb/xconnect.c b/libbb/xconnect.c
+index 0e0b247b8590..02c061e6749c 100644
+--- a/libbb/xconnect.c
++++ b/libbb/xconnect.c
+@@ -497,8 +497,9 @@ static char* FAST_FUNC sockaddr2str(const struct sockaddr *sa, int flags)
+ 	);
+ 	if (rc)
+ 		return NULL;
++	/* ensure host contains only printable characters */
+ 	if (flags & IGNORE_PORT)
+-		return xstrdup(host);
++		return xstrdup(printable_string(host));
+ #if ENABLE_FEATURE_IPV6
+ 	if (sa->sa_family == AF_INET6) {
+ 		if (strchr(host, ':')) /* heh, it's not a resolved hostname */
+@@ -509,7 +510,7 @@ static char* FAST_FUNC sockaddr2str(const struct sockaddr *sa, int flags)
+ #endif
+ 	/* For now we don't support anything else, so it has to be INET */
+ 	/*if (sa->sa_family == AF_INET)*/
+-		return xasprintf("%s:%s", host, serv);
++		return xasprintf("%s:%s", printable_string(host), serv);
+ 	/*return xstrdup(host);*/
+ }
+ 
diff --git a/patches/busybox-1.35.0/0002-nslookup-sanitize-all-printed-strings-with-printable.patch b/patches/busybox-1.35.0/0002-nslookup-sanitize-all-printed-strings-with-printable.patch
new file mode 100644
index 000000000..5d4370f28
--- /dev/null
+++ b/patches/busybox-1.35.0/0002-nslookup-sanitize-all-printed-strings-with-printable.patch
@@ -0,0 +1,63 @@
+From: Ariadne Conill <ariadne@dereferenced.org>
+Date: Sun, 3 Apr 2022 12:16:45 +0000
+Subject: [PATCH] nslookup: sanitize all printed strings with printable_string
+
+Otherwise, terminal sequences can be injected, which enables various terminal injection
+attacks from DNS results.
+
+CVE: Pending
+Upstream-Status: Pending
+Signed-off-by: Ariadne Conill <ariadne@dereferenced.org>
+---
+ networking/nslookup.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/networking/nslookup.c b/networking/nslookup.c
+index 6da97baf4216..4bdcde1b808a 100644
+--- a/networking/nslookup.c
++++ b/networking/nslookup.c
+@@ -407,7 +407,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
+ 				//printf("Unable to uncompress domain: %s\n", strerror(errno));
+ 				return -1;
+ 			}
+-			printf(format, ns_rr_name(rr), dname);
++			printf(format, ns_rr_name(rr), printable_string(dname));
+ 			break;
+ 
+ 		case ns_t_mx:
+@@ -422,7 +422,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
+ 				//printf("Cannot uncompress MX domain: %s\n", strerror(errno));
+ 				return -1;
+ 			}
+-			printf("%s\tmail exchanger = %d %s\n", ns_rr_name(rr), n, dname);
++			printf("%s\tmail exchanger = %d %s\n", ns_rr_name(rr), n, printable_string(dname));
+ 			break;
+ 
+ 		case ns_t_txt:
+@@ -434,7 +434,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
+ 			if (n > 0) {
+ 				memset(dname, 0, sizeof(dname));
+ 				memcpy(dname, ns_rr_rdata(rr) + 1, n);
+-				printf("%s\ttext = \"%s\"\n", ns_rr_name(rr), dname);
++				printf("%s\ttext = \"%s\"\n", ns_rr_name(rr), printable_string(dname));
+ 			}
+ 			break;
+ 
+@@ -454,7 +454,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
+ 			}
+ 
+ 			printf("%s\tservice = %u %u %u %s\n", ns_rr_name(rr),
+-				ns_get16(cp), ns_get16(cp + 2), ns_get16(cp + 4), dname);
++				ns_get16(cp), ns_get16(cp + 2), ns_get16(cp + 4), printable_string(dname));
+ 			break;
+ 
+ 		case ns_t_soa:
+@@ -483,7 +483,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
+ 				return -1;
+ 			}
+ 
+-			printf("\tmail addr = %s\n", dname);
++			printf("\tmail addr = %s\n", printable_string(dname));
+ 			cp += n;
+ 
+ 			printf("\tserial = %lu\n", ns_get32(cp));
diff --git a/patches/busybox-1.35.0/0003-editors-awk.c-CVE-2022-30065.patch b/patches/busybox-1.35.0/0003-editors-awk.c-CVE-2022-30065.patch
new file mode 100644
index 000000000..5e04616c0
--- /dev/null
+++ b/patches/busybox-1.35.0/0003-editors-awk.c-CVE-2022-30065.patch
@@ -0,0 +1,35 @@
+From: Christian Melki <christian.melki@t2data.com>
+Date: Thu, 16 Jun 2022 16:06:31 +0200
+Subject: [PATCH] editors/awk.c: CVE-2022-30065.
+
+A possible fix for a use-after-free in Busybox's awk applet.
+If processing a crafted awk pattern in the copyvar function,
+this could lead to denial of service and possibly code execution.
+
+Signed-off-by: Christian Melki <christian.melki@t2data.com>
+---
+ editors/awk.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/editors/awk.c b/editors/awk.c
+index f6314ac7201a..cdc6799baaf0 100644
+--- a/editors/awk.c
++++ b/editors/awk.c
+@@ -2908,7 +2908,7 @@ static var *evaluate(node *op, var *res)
+ 		if (opinfo & OF_RES2) {
+ 			R.v = evaluate(op->r.n, TMPVAR1);
+ 			//TODO: L.v may be invalid now, set L.v to NULL to catch bugs?
+-			//L.v = NULL;
++			L.v = NULL;
+ 			if (opinfo & OF_STR2) {
+ 				R.s = getvar_s(R.v);
+ 				debug_printf_eval("R.s:'%s'\n", R.s);
+@@ -3114,6 +3114,8 @@ static var *evaluate(node *op, var *res)
+ 
+ 		case XC( OC_MOVE ):
+ 			debug_printf_eval("MOVE\n");
++			if (L.v == NULL)
++				syntax_error(EMSG_POSSIBLE_ERROR);
+ 			/* if source is a temporary string, jusk relink it to dest */
+ 			if (R.v == TMPVAR1
+ 			 && !(R.v->type & VF_NUMBER)
diff --git a/patches/busybox-1.35.0/series b/patches/busybox-1.35.0/series
index ee5360887..c6803d8fe 100644
--- a/patches/busybox-1.35.0/series
+++ b/patches/busybox-1.35.0/series
@@ -1,9 +1,12 @@
 # generated by git-ptx-patches
 #tag:base --start-number 1
+0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
+0002-nslookup-sanitize-all-printed-strings-with-printable.patch
+0003-editors-awk.c-CVE-2022-30065.patch
 #tag:upstream-stable --start-number 1
 #tag:upstream-master --start-number 100
 #tag:ptx --start-number 200
 0200-reactivate-check-for-tty.patch
 0201-build-system-only-pass-real-libs-to-SELINUX_LIBS.patch
 0202-scripts-trylink-honour-SKIP_STRIP-and-don-t-strip-if.patch
-# 9c0cc4baa8090165b429198c9a10e02c  - git-ptx-patches magic
+# 7bc58a3d2561391e982e735c4a884938  - git-ptx-patches magic
-- 
2.34.1