[master][kirkstone] busybox: fix CVE-2022-28391


Steve Sakoman
 

BusyBox through 1.35.0 allows remote attackers to execute arbitrary code
if netstat is used to print a DNS PTR record's value to a VT compatible
terminal. Alternatively, the attacker could choose to change the terminal's colors.

https://nvd.nist.gov/vuln/detail/CVE-2022-28391

Signed-off-by: Steve Sakoman <steve@...>
---
...tr-ensure-only-printable-characters-.patch | 41 +++++++++++
...e-all-printed-strings-with-printable.patch | 69 +++++++++++++++++++
meta/recipes-core/busybox/busybox_1.35.0.bb | 2 +
3 files changed, 112 insertions(+)
create mode 100644 meta/recipes-core/busybox/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
create mode 100644 meta/recipes-core/busybox/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch

diff --git a/meta/recipes-core/busybox/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch b/meta/recipes-core/busybox/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
new file mode 100644
index 0000000000..4635250170
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
@@ -0,0 +1,41 @@
+From 0c8da1bead8ffaf270b4b723ead2c517371405d7 Mon Sep 17 00:00:00 2001
+From: Ariadne Conill <ariadne@...>
+Date: Sun, 3 Apr 2022 12:14:33 +0000
+Subject: [PATCH 1/2] libbb: sockaddr2str: ensure only printable characters are
+ returned for the hostname part
+
+CVE: CVE-2022-28391
+Upstream-Status: Pending
+Signed-off-by: Ariadne Conill <ariadne@...>
+Signed-off-by: Steve Sakoman <steve@...>
+---
+ libbb/xconnect.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/libbb/xconnect.c b/libbb/xconnect.c
+index 0e0b247b8..02c061e67 100644
+--- a/libbb/xconnect.c
++++ b/libbb/xconnect.c
+@@ -497,8 +497,9 @@ static char* FAST_FUNC sockaddr2str(const struct sockaddr *sa, int flags)
+ );
+ if (rc)
+ return NULL;
++ /* ensure host contains only printable characters */
+ if (flags & IGNORE_PORT)
+- return xstrdup(host);
++ return xstrdup(printable_string(host));
+ #if ENABLE_FEATURE_IPV6
+ if (sa->sa_family == AF_INET6) {
+ if (strchr(host, ':')) /* heh, it's not a resolved hostname */
+@@ -509,7 +510,7 @@ static char* FAST_FUNC sockaddr2str(const struct sockaddr *sa, int flags)
+ #endif
+ /* For now we don't support anything else, so it has to be INET */
+ /*if (sa->sa_family == AF_INET)*/
+- return xasprintf("%s:%s", host, serv);
++ return xasprintf("%s:%s", printable_string(host), serv);
+ /*return xstrdup(host);*/
+ }
+
+--
+2.35.1
+
diff --git a/meta/recipes-core/busybox/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch b/meta/recipes-core/busybox/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch
new file mode 100644
index 0000000000..0d7409ddc3
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch
@@ -0,0 +1,69 @@
+From 812b407e545b70b16cf32aade135b5c32eaf674f Mon Sep 17 00:00:00 2001
+From: Ariadne Conill <ariadne@...>
+Date: Sun, 3 Apr 2022 12:16:45 +0000
+Subject: [PATCH 2/2] nslookup: sanitize all printed strings with
+ printable_string
+
+Otherwise, terminal sequences can be injected, which enables various terminal injection
+attacks from DNS results.
+
+CVE: CVE-2022-28391
+Upstream-Status: Pending
+Signed-off-by: Ariadne Conill <ariadne@...>
+Signed-off-by: Steve Sakoman <steve@...>
+---
+ networking/nslookup.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/networking/nslookup.c b/networking/nslookup.c
+index 6da97baf4..4bdcde1b8 100644
+--- a/networking/nslookup.c
++++ b/networking/nslookup.c
+@@ -407,7 +407,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
+ //printf("Unable to uncompress domain: %s\n", strerror(errno));
+ return -1;
+ }
+- printf(format, ns_rr_name(rr), dname);
++ printf(format, ns_rr_name(rr), printable_string(dname));
+ break;
+
+ case ns_t_mx:
+@@ -422,7 +422,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
+ //printf("Cannot uncompress MX domain: %s\n", strerror(errno));
+ return -1;
+ }
+- printf("%s\tmail exchanger = %d %s\n", ns_rr_name(rr), n, dname);
++ printf("%s\tmail exchanger = %d %s\n", ns_rr_name(rr), n, printable_string(dname));
+ break;
+
+ case ns_t_txt:
+@@ -434,7 +434,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
+ if (n > 0) {
+ memset(dname, 0, sizeof(dname));
+ memcpy(dname, ns_rr_rdata(rr) + 1, n);
+- printf("%s\ttext = \"%s\"\n", ns_rr_name(rr), dname);
++ printf("%s\ttext = \"%s\"\n", ns_rr_name(rr), printable_string(dname));
+ }
+ break;
+
+@@ -454,7 +454,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
+ }
+
+ printf("%s\tservice = %u %u %u %s\n", ns_rr_name(rr),
+- ns_get16(cp), ns_get16(cp + 2), ns_get16(cp + 4), dname);
++ ns_get16(cp), ns_get16(cp + 2), ns_get16(cp + 4), printable_string(dname));
+ break;
+
+ case ns_t_soa:
+@@ -483,7 +483,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
+ return -1;
+ }
+
+- printf("\tmail addr = %s\n", dname);
++ printf("\tmail addr = %s\n", printable_string(dname));
+ cp += n;
+
+ printf("\tserial = %lu\n", ns_get32(cp));
+--
+2.35.1
+
diff --git a/meta/recipes-core/busybox/busybox_1.35.0.bb b/meta/recipes-core/busybox/busybox_1.35.0.bb
index ab11f3d89a..f2f1b35902 100644
--- a/meta/recipes-core/busybox/busybox_1.35.0.bb
+++ b/meta/recipes-core/busybox/busybox_1.35.0.bb
@@ -47,6 +47,8 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
file://0001-testsuite-use-www.example.org-for-wget-test-cases.patch \
file://0001-du-l-works-fix-to-use-145-instead-of-144.patch \
file://0001-sysctl-ignore-EIO-of-stable_secret-below-proc-sys-ne.patch \
+ file://0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch \
+ file://0002-nslookup-sanitize-all-printed-strings-with-printable.patch \
"
SRC_URI:append:libc-musl = " file://musl.cfg "

--
2.25.1

Join openembedded-core@lists.openembedded.org to automatically receive all group messages.