From mboxrd@z Thu Jan  1 00:00:00 1970
Delivery-date: Fri, 17 Jun 2022 08:47:12 +0200
Received: from metis.ext.pengutronix.de ([2001:67c:670:201:290:27ff:fe1d:cc33])
	by lore.white.stw.pengutronix.de with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <ptxdist-bounces+lore=lore.pengutronix.de@pengutronix.de>)
	id 1o25l8-004uMU-Tr
	for lore@lore.pengutronix.de; Fri, 17 Jun 2022 08:47:12 +0200
Received: from localhost ([127.0.0.1] helo=metis.ext.pengutronix.de)
	by metis.ext.pengutronix.de with esmtp (Exim 4.92)
	(envelope-from <ptxdist-bounces@pengutronix.de>)
	id 1o25l9-0007q8-1p; Fri, 17 Jun 2022 08:47:11 +0200
Received: from drehscheibe.grey.stw.pengutronix.de ([2a0a:edc0:0:c01:1d::a2])
 by metis.ext.pengutronix.de with esmtps
 (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92)
 (envelope-from <mol@pengutronix.de>)
 id 1o25kw-0007py-9K; Fri, 17 Jun 2022 08:46:58 +0200
Received: from [2a0a:edc0:0:1101:1d::39] (helo=dude03.red.stw.pengutronix.de)
 by drehscheibe.grey.stw.pengutronix.de with esmtp (Exim 4.94.2)
 (envelope-from <mol@pengutronix.de>)
 id 1o25ku-0010c8-3x; Fri, 17 Jun 2022 08:46:57 +0200
Received: from mol by dude03.red.stw.pengutronix.de with local (Exim 4.94.2)
 (envelope-from <mol@pengutronix.de>)
 id 1o25ku-003Sua-Qp; Fri, 17 Jun 2022 08:46:56 +0200
Date: Fri, 17 Jun 2022 08:46:56 +0200
From: Michael Olbrich <m.olbrich@pengutronix.de>
To: Christian Melki <christian.melki@t2data.com>
Message-ID: <YqwjYA7MPscskFjt@pengutronix.de>
Mail-Followup-To: Christian Melki <christian.melki@t2data.com>,
 ptxdist@pengutronix.de
References: <20220616143105.1063018-1-christian.melki@t2data.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20220616143105.1063018-1-christian.melki@t2data.com>
X-Sent-From: Pengutronix Hildesheim
X-URL: http://www.pengutronix.de/
X-IRC: #ptxdist @freenode
X-Accept-Language: de,en
X-Accept-Content-Type: text/plain
Subject: Re: [ptxdist] [PATCH] busybox: Fix CVE-2022-28391, CVE-2022-30065
X-BeenThere: ptxdist@pengutronix.de
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: PTXdist Development Mailing List <ptxdist.pengutronix.de>
List-Unsubscribe: <http://metis.pengutronix.de/cgi-bin/mailman/options/ptxdist>, 
 <mailto:ptxdist-request@pengutronix.de?subject=unsubscribe>
List-Archive: <http://metis.pengutronix.de/cgi-bin/mailman/private/ptxdist/>
List-Post: <mailto:ptxdist@pengutronix.de>
List-Help: <mailto:ptxdist-request@pengutronix.de?subject=help>
List-Subscribe: <http://metis.pengutronix.de/cgi-bin/mailman/listinfo/ptxdist>, 
 <mailto:ptxdist-request@pengutronix.de?subject=subscribe>
Reply-To: ptxdist@pengutronix.de
Cc: ptxdist@pengutronix.de
Sender: "ptxdist" <ptxdist-bounces@pengutronix.de>
X-SA-Exim-Connect-IP: 127.0.0.1
X-SA-Exim-Mail-From: ptxdist-bounces@pengutronix.de
X-SA-Exim-Scanned: No (on metis.ext.pengutronix.de); SAEximRunCond expanded to false

On Thu, Jun 16, 2022 at 04:31:05PM +0200, Christian Melki wrote:
> Busybox has not had a release for ~6 months.
> Plugging CVEs, with fixes that has yet to be
> accepted upstream.
> 
> Signed-off-by: Christian Melki <christian.melki@t2data.com>
> ---
>  ...tr-ensure-only-printable-characters-.patch | 36 +++++++++++
>  ...e-all-printed-strings-with-printable.patch | 63 +++++++++++++++++++
>  .../0003-editors-awk.c-CVE-2022-30065.patch   | 35 +++++++++++
>  patches/busybox-1.35.0/series                 |  5 +-
>  4 files changed, 138 insertions(+), 1 deletion(-)
>  create mode 100644 patches/busybox-1.35.0/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
>  create mode 100644 patches/busybox-1.35.0/0002-nslookup-sanitize-all-printed-strings-with-printable.patch
>  create mode 100644 patches/busybox-1.35.0/0003-editors-awk.c-CVE-2022-30065.patch
> 
> diff --git a/patches/busybox-1.35.0/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch b/patches/busybox-1.35.0/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
> new file mode 100644
> index 000000000..507d4e54e
> --- /dev/null
> +++ b/patches/busybox-1.35.0/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
> @@ -0,0 +1,36 @@
> +From: Ariadne Conill <ariadne@dereferenced.org>
> +Date: Sun, 3 Apr 2022 12:14:33 +0000
> +Subject: [PATCH] libbb: sockaddr2str: ensure only printable characters are
> + returned for the hostname part
> +
> +CVE: Pending
> +Upstream-Status: Pending

Did you get this patch from yocto, or do you know where more about it? It
says "Upstream-Status: Pending" here but this patch was never sent to the
busybox mailing list :-/.

> +Signed-off-by: Ariadne Conill <ariadne@dereferenced.org>
> +---
> + libbb/xconnect.c | 5 +++--
> + 1 file changed, 3 insertions(+), 2 deletions(-)
> +
> +diff --git a/libbb/xconnect.c b/libbb/xconnect.c
> +index 0e0b247b8590..02c061e6749c 100644
> +--- a/libbb/xconnect.c
> ++++ b/libbb/xconnect.c
> +@@ -497,8 +497,9 @@ static char* FAST_FUNC sockaddr2str(const struct sockaddr *sa, int flags)
> + 	);
> + 	if (rc)
> + 		return NULL;
> ++	/* ensure host contains only printable characters */
> + 	if (flags & IGNORE_PORT)
> +-		return xstrdup(host);
> ++		return xstrdup(printable_string(host));
> + #if ENABLE_FEATURE_IPV6
> + 	if (sa->sa_family == AF_INET6) {
> + 		if (strchr(host, ':')) /* heh, it's not a resolved hostname */
> +@@ -509,7 +510,7 @@ static char* FAST_FUNC sockaddr2str(const struct sockaddr *sa, int flags)
> + #endif
> + 	/* For now we don't support anything else, so it has to be INET */
> + 	/*if (sa->sa_family == AF_INET)*/
> +-		return xasprintf("%s:%s", host, serv);
> ++		return xasprintf("%s:%s", printable_string(host), serv);
> + 	/*return xstrdup(host);*/
> + }
> + 
> diff --git a/patches/busybox-1.35.0/0002-nslookup-sanitize-all-printed-strings-with-printable.patch b/patches/busybox-1.35.0/0002-nslookup-sanitize-all-printed-strings-with-printable.patch
> new file mode 100644
> index 000000000..5d4370f28
> --- /dev/null
> +++ b/patches/busybox-1.35.0/0002-nslookup-sanitize-all-printed-strings-with-printable.patch
> @@ -0,0 +1,63 @@
> +From: Ariadne Conill <ariadne@dereferenced.org>
> +Date: Sun, 3 Apr 2022 12:16:45 +0000
> +Subject: [PATCH] nslookup: sanitize all printed strings with printable_string
> +
> +Otherwise, terminal sequences can be injected, which enables various terminal injection
> +attacks from DNS results.
> +
> +CVE: Pending
> +Upstream-Status: Pending
> +Signed-off-by: Ariadne Conill <ariadne@dereferenced.org>

Same here.

> +---
> + networking/nslookup.c | 10 +++++-----
> + 1 file changed, 5 insertions(+), 5 deletions(-)
> +
> +diff --git a/networking/nslookup.c b/networking/nslookup.c
> +index 6da97baf4216..4bdcde1b808a 100644
> +--- a/networking/nslookup.c
> ++++ b/networking/nslookup.c
> +@@ -407,7 +407,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
> + 				//printf("Unable to uncompress domain: %s\n", strerror(errno));
> + 				return -1;
> + 			}
> +-			printf(format, ns_rr_name(rr), dname);
> ++			printf(format, ns_rr_name(rr), printable_string(dname));
> + 			break;
> + 
> + 		case ns_t_mx:
> +@@ -422,7 +422,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
> + 				//printf("Cannot uncompress MX domain: %s\n", strerror(errno));
> + 				return -1;
> + 			}
> +-			printf("%s\tmail exchanger = %d %s\n", ns_rr_name(rr), n, dname);
> ++			printf("%s\tmail exchanger = %d %s\n", ns_rr_name(rr), n, printable_string(dname));
> + 			break;
> + 
> + 		case ns_t_txt:
> +@@ -434,7 +434,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
> + 			if (n > 0) {
> + 				memset(dname, 0, sizeof(dname));
> + 				memcpy(dname, ns_rr_rdata(rr) + 1, n);
> +-				printf("%s\ttext = \"%s\"\n", ns_rr_name(rr), dname);
> ++				printf("%s\ttext = \"%s\"\n", ns_rr_name(rr), printable_string(dname));
> + 			}
> + 			break;
> + 
> +@@ -454,7 +454,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
> + 			}
> + 
> + 			printf("%s\tservice = %u %u %u %s\n", ns_rr_name(rr),
> +-				ns_get16(cp), ns_get16(cp + 2), ns_get16(cp + 4), dname);
> ++				ns_get16(cp), ns_get16(cp + 2), ns_get16(cp + 4), printable_string(dname));
> + 			break;
> + 
> + 		case ns_t_soa:
> +@@ -483,7 +483,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
> + 				return -1;
> + 			}
> + 
> +-			printf("\tmail addr = %s\n", dname);
> ++			printf("\tmail addr = %s\n", printable_string(dname));
> + 			cp += n;
> + 
> + 			printf("\tserial = %lu\n", ns_get32(cp));
> diff --git a/patches/busybox-1.35.0/0003-editors-awk.c-CVE-2022-30065.patch b/patches/busybox-1.35.0/0003-editors-awk.c-CVE-2022-30065.patch
> new file mode 100644
> index 000000000..5e04616c0
> --- /dev/null
> +++ b/patches/busybox-1.35.0/0003-editors-awk.c-CVE-2022-30065.patch
> @@ -0,0 +1,35 @@
> +From: Christian Melki <christian.melki@t2data.com>
> +Date: Thu, 16 Jun 2022 16:06:31 +0200
> +Subject: [PATCH] editors/awk.c: CVE-2022-30065.
> +
> +A possible fix for a use-after-free in Busybox's awk applet.
> +If processing a crafted awk pattern in the copyvar function,
> +this could lead to denial of service and possibly code execution.
> +
> +Signed-off-by: Christian Melki <christian.melki@t2data.com>

Please keep the original author of a patch. Also, this patch is not
correct. See the discussion on the busybox list. And considering the
comment to the new fix for this CVE, this need more discussion:

"
        Potential fix, that prevents the use-after-free. But honestly,
        I don't really know what I'm doing and I don't know if this
        breaks any valid cases.
"

Michael

> +---
> + editors/awk.c | 4 +++-
> + 1 file changed, 3 insertions(+), 1 deletion(-)
> +
> +diff --git a/editors/awk.c b/editors/awk.c
> +index f6314ac7201a..cdc6799baaf0 100644
> +--- a/editors/awk.c
> ++++ b/editors/awk.c
> +@@ -2908,7 +2908,7 @@ static var *evaluate(node *op, var *res)
> + 		if (opinfo & OF_RES2) {
> + 			R.v = evaluate(op->r.n, TMPVAR1);
> + 			//TODO: L.v may be invalid now, set L.v to NULL to catch bugs?
> +-			//L.v = NULL;
> ++			L.v = NULL;
> + 			if (opinfo & OF_STR2) {
> + 				R.s = getvar_s(R.v);
> + 				debug_printf_eval("R.s:'%s'\n", R.s);
> +@@ -3114,6 +3114,8 @@ static var *evaluate(node *op, var *res)
> + 
> + 		case XC( OC_MOVE ):
> + 			debug_printf_eval("MOVE\n");
> ++			if (L.v == NULL)
> ++				syntax_error(EMSG_POSSIBLE_ERROR);
> + 			/* if source is a temporary string, jusk relink it to dest */
> + 			if (R.v == TMPVAR1
> + 			 && !(R.v->type & VF_NUMBER)
> diff --git a/patches/busybox-1.35.0/series b/patches/busybox-1.35.0/series
> index ee5360887..c6803d8fe 100644
> --- a/patches/busybox-1.35.0/series
> +++ b/patches/busybox-1.35.0/series
> @@ -1,9 +1,12 @@
>  # generated by git-ptx-patches
>  #tag:base --start-number 1
> +0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
> +0002-nslookup-sanitize-all-printed-strings-with-printable.patch
> +0003-editors-awk.c-CVE-2022-30065.patch
>  #tag:upstream-stable --start-number 1
>  #tag:upstream-master --start-number 100
>  #tag:ptx --start-number 200
>  0200-reactivate-check-for-tty.patch
>  0201-build-system-only-pass-real-libs-to-SELINUX_LIBS.patch
>  0202-scripts-trylink-honour-SKIP_STRIP-and-don-t-strip-if.patch
> -# 9c0cc4baa8090165b429198c9a10e02c  - git-ptx-patches magic
> +# 7bc58a3d2561391e982e735c4a884938  - git-ptx-patches magic
> -- 
> 2.34.1
> 
> 
> 

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |