mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-04-29 00:32:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

busybox: CVE-2017-16544

Browse Source 
In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2,
the tab autocomplete feature of the shell, used to get a list of filenames
in a directory, does not sanitize filenames and results in executing any
escape sequence in the terminal. This could potentially result in code
execution, arbitrary file writes, or other attacks.

Backport the patch from:
https://git.busybox.net/busybox/commit/?id=c3797d40a1c57352192c6106cc0f435e7d9c11e8
https://nvd.nist.gov/vuln/detail/CVE-2017-16544

(From OE-Core rev: aa41f0c37460a2863ce26d1321c19c9bedf680c4)

Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Zhixiong Chi
2017-12-04 00:17:25 -08:00
committed by Richard Purdie
parent 09b8b36b30
commit 07447113ad
2 changed files with 44 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

43
meta/recipes-core/busybox/busybox/busybox-CVE-2017-16544.patch Normal file
View File

@@ -0,0 +1,43 @@
From c3797d40a1c57352192c6106cc0f435e7d9c11e8 Mon Sep 17 00:00:00 2001
From: Denys Vlasenko <vda.linux@googlemail.com>
Date: Tue, 7 Nov 2017 18:09:29 +0100
Subject: lineedit: do not tab-complete any strings which have control
characters
function old new delta
add_match 41 68 +27
CVE: CVE-2017-16544
Upstream-Status: Backport
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
---
libbb/lineedit.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/libbb/lineedit.c b/libbb/lineedit.c
index c0e35bb..56e8140 100644
--- a/libbb/lineedit.c
+++ b/libbb/lineedit.c
@@ -645,6 +645,18 @@ static void free_tab_completion_data(void)
static void add_match(char *matched)
{
+ unsigned char *p = (unsigned char*)matched;
+ while (*p) {
+ /* ESC attack fix: drop any string with control chars */
+ if (*p < ' '
+ || (!ENABLE_UNICODE_SUPPORT && *p >= 0x7f)
+ || (ENABLE_UNICODE_SUPPORT && *p == 0x7f)
+ ) {
+ free(matched);
+ return;
+ }
+ p++;
+ }
matches = xrealloc_vector(matches, 4, num_matches);
matches[num_matches] = matched;
num_matches++;
--
cgit v0.12

1
meta/recipes-core/busybox/busybox_1.27.2.bb
View File

@@ -43,6 +43,7 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
file://runlevel \
file://makefile-libbb-race.patch \
file://CVE-2011-5325.patch \
file://busybox-CVE-2017-16544.patch \
"
SRC_URI_append_libc-musl = " file://musl.cfg "