Hi Armin,

As per my observation, the master branch is not affected by this CVE.

I could not find any reference that says exactly from which version to which version this CVE applies. Since busybox upstream released a patch for CVE-2018-1000500 with busybox v1_32_0~25, and the master branch is using busybox v1.32.0-r0, and I checked that this patch code is present in the busybox v1.32.0-r0 source code, the master branch is not affected. Feel free to point out if I am wrong at any place.

*Thanks & Regards,*
Rahul Kumar
Software Engineer, Linux Solutions Engineering Group, Montavista Software LLC
Email Id: [email protected]

On Sun, Jul 12, 2020 at 8:33 AM akuster808 <[email protected]> wrote:
>
> On 7/11/20 6:21 PM, Rahul Kumar wrote:
> > CVE: CVE-2018-1000500
> > Signed-off-by: Rahul Kumar <[email protected]> <[email protected]>
>
> Does this affect master?
>
> -armin
>
> --- > .../busybox/busybox/busybox-CVE-2018-1000500.patch | 98 > ++++++++++++++++++++++ > meta/recipes-core/busybox/busybox_1.31.1.bb | 1 + > 2 files changed, 99 insertions(+) > create mode 100644 > meta/recipes-core/busybox/busybox/busybox-CVE-2018-1000500.patch > > diff --git a/meta/recipes-core/busybox/busybox/busybox-CVE-2018-1000500.patch > b/meta/recipes-core/busybox/busybox/busybox-CVE-2018-1000500.patch > new file mode 100644 > index 0000000..cde3923 > --- /dev/null > +++ b/meta/recipes-core/busybox/busybox/busybox-CVE-2018-1000500.patch
> @@ -0,0 +1,98 @@ > +From 71e7e2fb35c806d20f9739d832cd9ae3a86fdee2 Mon Sep 17 00:00:00 2001 > +From: Dimitri John Ledkov <[email protected]> <[email protected]> > +Date: Tue, 19 May 2020 18:20:39 +0100 > +Subject: [PATCH] wget: implement TLS verification with > + ENABLE_FEATURE_WGET_OPENSSL > + > +When ENABLE_FEATURE_WGET_OPENSSL is enabled, correctly implement TLS > +verification by default. And only ignore verification errors, if > +--no-check-certificate was passed. > + > +Also note, that previously OPENSSL implementation did not implement > +TLS verification, nor printed any warning messages that verification > +was not performed. > + > +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1879533 > + > +CVE-2018-1000500 > + > +Upstream Status: Backport > https://git.busybox.net/busybox/commit/?id=45fa3f18adf57ef9d743038743d9c90573aeeb91 > +CVE: CVE-2018-1000500 > + > +Signed-off-by: Dimitri John Ledkov <[email protected]> <[email protected]> > +Signed-off-by: Denys Vlasenko <[email protected]> > <[email protected]> > +Signed-off-by: Rahul Kumar <[email protected]> <[email protected]> > +--- > + networking/wget.c | 20 +++++++++++++++++--- > + 1 file changed, 17 insertions(+), 3 deletions(-) > + > +diff --git a/networking/wget.c b/networking/wget.c > +index 9153264..a7e6deb 100644 > +--- a/networking/wget.c > ++++ b/networking/wget.c > +@@ -91,6 +91,9 @@ > + //config: patches, but do want to waste bandwidth expaining how wrong > + //config: it is, you will be ignored. > + //config: > ++//config: FEATURE_WGET_OPENSSL does implement TLS verification > ++//config: using the certificates available to OpenSSL. 
> ++//config: > + //config:config FEATURE_WGET_OPENSSL > + //config: bool "Try to connect to HTTPS using openssl" > + //config: default y > +@@ -115,6 +118,9 @@ > + //config: If openssl can't be executed, internal TLS code will be used > + //config: (if you enabled it); if openssl can be executed but fails later, > + //config: wget can't detect this, and download will fail. > ++//config: > ++//config: By default TLS verification is performed, unless > ++//config: --no-check-certificate option is passed. > + > + //applet:IF_WGET(APPLET(wget, BB_DIR_USR_BIN, BB_SUID_DROP)) > + > +@@ -124,8 +130,11 @@ > + //usage: IF_FEATURE_WGET_LONG_OPTIONS( > + //usage: "[-c|--continue] [--spider] [-q|--quiet] > [-O|--output-document FILE]\n" > + //usage: " [-o|--output-file FILE] [--header 'header: value'] > [-Y|--proxy on/off]\n" > ++//usage: IF_FEATURE_WGET_OPENSSL( > ++//usage: " [--no-check-certificate]\n" > ++//usage: ) > + /* Since we ignore these opts, we don't show them in --help */ > +-/* //usage: " [--no-check-certificate] [--no-cache] [--passive-ftp] > [-t TRIES]" */ > ++/* //usage: " [--no-cache] [--passive-ftp] [-t TRIES]" */ > + /* //usage: " [-nv] [-nc] [-nH] [-np]" */ > + //usage: " [-P DIR] [-S|--server-response] [-U|--user-agent > AGENT]" IF_FEATURE_WGET_TIMEOUT(" [-T SEC]") " URL..." > + //usage: ) > +@@ -137,7 +146,9 @@ > + //usage: "Retrieve files via HTTP or FTP\n" > + //usage: IF_FEATURE_WGET_LONG_OPTIONS( > + //usage: "\n --spider Only check URL existence: $? 
is 0 if > exists" > +-///////: "\n --no-check-certificate Don't validate the server's > certificate" > ++//usage: IF_FEATURE_WGET_OPENSSL( > ++//usage: "\n --no-check-certificate Don't validate the server's > certificate" > ++//usage: ) > + //usage: ) > + //usage: "\n -c Continue retrieval of aborted transfer" > + //usage: "\n -q Quiet" > +@@ -662,7 +673,7 @@ static int spawn_https_helper_openssl(const char *host, > unsigned port) > + pid = xvfork(); > + if (pid == 0) { > + /* Child */ > +- char *argv[8]; > ++ char *argv[9]; > + > + close(sp[0]); > + xmove_fd(sp[1], 0); > +@@ -689,6 +700,9 @@ static int spawn_https_helper_openssl(const char *host, > unsigned port) > + argv[5] = (char*)"-servername"; > + argv[6] = (char*)servername; > + } > ++ if (!(option_mask32 & WGET_OPT_NO_CHECK_CERT)) { > ++ argv[7] = (char*)"-verify_return_error"; > ++ } > + > + BB_EXECVP(argv[0], argv); > + xmove_fd(3, 2); > +-- > +2.7.4 > + > diff --git a/meta/recipes-core/busybox/busybox_1.31.1.bb > b/meta/recipes-core/busybox/busybox_1.31.1.bb > index 2bb1d59..a6b4702 100644 > --- a/meta/recipes-core/busybox/busybox_1.31.1.bb > +++ b/meta/recipes-core/busybox/busybox_1.31.1.bb > @@ -48,6 +48,7 @@ SRC_URI = > "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \ > > file://0001-Remove-syscall-wrappers-around-clock_gettime-closes-.patch \ > file://0001-Remove-stime-function-calls.patch \ > > file://0001-sysctl-ignore-EIO-of-stable_secret-below-proc-sys-ne.patch \ > + file://busybox-CVE-2018-1000500.patch \ > " > <https://busybox.net/downloads/busybox-$%7BPV%7D.tar.bz2;name=tarball%5Cfile://0001-Remove-syscall-wrappers-around-clock_gettime-closes-.patch%5Cfile://0001-Remove-stime-function-calls.patch%5Cfile://0001-sysctl-ignore-EIO-of-stable_secret-below-proc-sys-ne.patch%5C+file://busybox-CVE-2018-1000500.patch%5C> > SRC_URI_append_libc-musl = " file://musl.cfg " > > > > > >
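Review bot: the patch header in the new busybox-CVE-2018-1000500.patch file uses "Upstream Status: Backport" followed by the commit URL on the next line, but the OpenEmbedded convention (and what the patch-status checks look for) is the hyphenated tag with the reference in brackets on one line, i.e. `Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=45fa3f18adf57ef9d743038743d9c90573aeeb91]`; please adjust the header so the backport is tracked correctly.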
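Review bot: in the spawn_https_helper_openssl hunk, `-verify_return_error` is written to the fixed slot `argv[7]`, after the `-servername`/servername pair that is only filled into `argv[5]`/`argv[6]` when the host is not an IP address. When that pair is skipped, the exec'd argument list ends at `argv[5]` (if the array is zero-initialised, which the hunk context does not show; otherwise it is uninitialised) and the verification flag is silently dropped, so the default-verify behaviour the commit message promises would not apply to IP-address hosts. Appending the flag at the next free index and terminating the array with an explicit NULL avoids this; with `argv[9]` there is exactly one slot left for the terminator. Separately, `-verify_return_error` only makes `openssl s_client` abort on chain-verification failures; it does not by itself check that the certificate matches the requested host name (that is `-verify_hostname` in OpenSSL 1.1.0 and later), which is worth noting in the commit message so the scope of the fix is not overstated.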
View/Reply Online (#140569): https://lists.openembedded.org/g/openembedded-core/message/140569
