2 年前 · b7a154911d
--- a/package/busybox/0004-libbb-sockaddr2str-ensure-only-printable-characters-.patch
+++ b/package/busybox/0004-libbb-sockaddr2str-ensure-only-printable-characters-.patch
@@ -0,0 +1,42 @@
 
				+From 9d825e854ef53ebbe0aea2f1a69f52b763104daf Mon Sep 17 00:00:00 2001
			
 
				+From: Ariadne Conill <ariadne@dereferenced.org>
			
 
				+Date: Mon, 19 Sep 2022 14:15:12 +0200
			
 
				+Subject: [PATCH] libbb: sockaddr2str: ensure only printable characters are
			
 
				+ returned for the hostname part
			
 
				+
			
 
				+CVE: CVE-2022-28391
			
 
				+Signed-off-by: Ariadne Conill <ariadne@dereferenced.org>
			
 
				+Tested-by: Radoslav Kolev <radoslav.kolev@suse.com>
			
 
				+Backport from ML: http://lists.busybox.net/pipermail/busybox/2022-July/089796.html
			
 
				+Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
			
 
				+---
			
 
				+ libbb/xconnect.c | 5 +++--
			
 
				+ 1 file changed, 3 insertions(+), 2 deletions(-)
			
 
				+
			
 
				+diff --git a/libbb/xconnect.c b/libbb/xconnect.c
			
 
				+index 0e0b247b8..02c061e67 100644
			
 
				+--- a/libbb/xconnect.c
			
 
				++++ b/libbb/xconnect.c
			
 
				+@@ -497,8 +497,9 @@ static char* FAST_FUNC sockaddr2str(const struct sockaddr *sa, int flags)
			
 
				+ 	);
			
 
				+ 	if (rc)
			
 
				+ 		return NULL;
			
 
				++	/* ensure host contains only printable characters */
			
 
				+ 	if (flags & IGNORE_PORT)
			
 
				+-		return xstrdup(host);
			
 
				++		return xstrdup(printable_string(host));
			
 
				+ #if ENABLE_FEATURE_IPV6
			
 
				+ 	if (sa->sa_family == AF_INET6) {
			
 
				+ 		if (strchr(host, ':')) /* heh, it's not a resolved hostname */
			
 
				+@@ -509,7 +510,7 @@ static char* FAST_FUNC sockaddr2str(const struct sockaddr *sa, int flags)
			
 
				+ #endif
			
 
				+ 	/* For now we don't support anything else, so it has to be INET */
			
 
				+ 	/*if (sa->sa_family == AF_INET)*/
			
 
				+-		return xasprintf("%s:%s", host, serv);
			
 
				++		return xasprintf("%s:%s", printable_string(host), serv);
			
 
				+ 	/*return xstrdup(host);*/
			
 
				+ }
			
 
				+ 
			
 
				+-- 
			
 
				+2.37.3
			
 
				+
			
--- a/package/busybox/0005-nslookup-sanitize-all-printed-strings-with-printable.patch
+++ b/package/busybox/0005-nslookup-sanitize-all-printed-strings-with-printable.patch
@@ -0,0 +1,69 @@
 
				+From bd463a5564a2c0618317448c3f965d389534c3df Mon Sep 17 00:00:00 2001
			
 
				+From: Ariadne Conill <ariadne@dereferenced.org>
			
 
				+Date: Mon, 19 Sep 2022 14:15:12 +0200
			
 
				+Subject: [PATCH] nslookup: sanitize all printed strings with printable_string
			
 
				+
			
 
				+Otherwise, terminal sequences can be injected, which enables various terminal injection
			
 
				+attacks from DNS results.
			
 
				+
			
 
				+CVE: CVE-2022-28391
			
 
				+Signed-off-by: Ariadne Conill <ariadne@dereferenced.org>
			
 
				+Tested-by: Radoslav Kolev <radoslav.kolev@suse.com>
			
 
				+Backport from ML: http://lists.busybox.net/pipermail/busybox/2022-July/089795.html
			
 
				+Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
			
 
				+---
			
 
				+ networking/nslookup.c | 10 +++++-----
			
 
				+ 1 file changed, 5 insertions(+), 5 deletions(-)
			
 
				+
			
 
				+diff --git a/networking/nslookup.c b/networking/nslookup.c
			
 
				+index 6da97baf4..4bdcde1b8 100644
			
 
				+--- a/networking/nslookup.c
			
 
				++++ b/networking/nslookup.c
			
 
				+@@ -407,7 +407,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
			
 
				+ 				//printf("Unable to uncompress domain: %s\n", strerror(errno));
			
 
				+ 				return -1;
			
 
				+ 			}
			
 
				+-			printf(format, ns_rr_name(rr), dname);
			
 
				++			printf(format, ns_rr_name(rr), printable_string(dname));
			
 
				+ 			break;
			
 
				+ 
			
 
				+ 		case ns_t_mx:
			
 
				+@@ -422,7 +422,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
			
 
				+ 				//printf("Cannot uncompress MX domain: %s\n", strerror(errno));
			
 
				+ 				return -1;
			
 
				+ 			}
			
 
				+-			printf("%s\tmail exchanger = %d %s\n", ns_rr_name(rr), n, dname);
			
 
				++			printf("%s\tmail exchanger = %d %s\n", ns_rr_name(rr), n, printable_string(dname));
			
 
				+ 			break;
			
 
				+ 
			
 
				+ 		case ns_t_txt:
			
 
				+@@ -434,7 +434,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
			
 
				+ 			if (n > 0) {
			
 
				+ 				memset(dname, 0, sizeof(dname));
			
 
				+ 				memcpy(dname, ns_rr_rdata(rr) + 1, n);
			
 
				+-				printf("%s\ttext = \"%s\"\n", ns_rr_name(rr), dname);
			
 
				++				printf("%s\ttext = \"%s\"\n", ns_rr_name(rr), printable_string(dname));
			
 
				+ 			}
			
 
				+ 			break;
			
 
				+ 
			
 
				+@@ -454,7 +454,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
			
 
				+ 			}
			
 
				+ 
			
 
				+ 			printf("%s\tservice = %u %u %u %s\n", ns_rr_name(rr),
			
 
				+-				ns_get16(cp), ns_get16(cp + 2), ns_get16(cp + 4), dname);
			
 
				++				ns_get16(cp), ns_get16(cp + 2), ns_get16(cp + 4), printable_string(dname));
			
 
				+ 			break;
			
 
				+ 
			
 
				+ 		case ns_t_soa:
			
 
				+@@ -483,7 +483,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
			
 
				+ 				return -1;
			
 
				+ 			}
			
 
				+ 
			
 
				+-			printf("\tmail addr = %s\n", dname);
			
 
				++			printf("\tmail addr = %s\n", printable_string(dname));
			
 
				+ 			cp += n;
			
 
				+ 
			
 
				+ 			printf("\tserial = %lu\n", ns_get32(cp));
			
 
				+-- 
			
 
				+2.37.3
			
 
				+
			
--- a/package/busybox/busybox.mk
+++ b/package/busybox/busybox.mk
@@ -13,6 +13,9 @@ BUSYBOX_CPE_ID_VENDOR = busybox
 
				 
			
 
				 # 0003-awk-fix-use-after-free-CVE-2022-30065.patch
			
 
				 BUSYBOX_IGNORE_CVES += CVE-2022-30065
			
 
				+# 0004-libbb-sockaddr2str-ensure-only-printable-characters-.patch
			
 
				+# 0005-nslookup-sanitize-all-printed-strings-with-printable.patch
			
 
				+BUSYBOX_IGNORE_CVES += CVE-2022-28391
			
 
				 
			
 
				 BUSYBOX_CFLAGS = \
			
 
				 	$(TARGET_CFLAGS)