diff options
| author |   Rahul Chauhan <rahulk@mvista.com> | 2020-07-12 07:14:53 +0530 |
|---|---|---|
| committer |   Steve Sakoman <steve@sakoman.com> | 2020-07-17 09:12:02 -1000 |
| commit | 1ff4e723ed65ff7ee2921a50ca0c004ea7bb2508 (patch) | |
| tree | f4d5cfb7fb3b9aefb25ab91df1adc6dc15454984 | |
| parent | 9e23163016b7a8fea0dbfe2111f9493017e5a7b2 (diff) | |
| download | openembedded-core-1ff4e723ed65ff7ee2921a50ca0c004ea7bb2508.tar.gz | |
busybox: Security Fix For CVE-2018-1000500
CVE: CVE-2018-1000500
Signed-off-by: Rahul Kumar <rahulk@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
| -rw-r--r-- | meta/recipes-core/busybox/busybox/busybox-CVE-2018-1000500.patch | 98 | ||||
| -rw-r--r-- | meta/recipes-core/busybox/busybox_1.31.1.bb | 1 |
2 files changed, 99 insertions, 0 deletions
diff --git a/meta/recipes-core/busybox/busybox/busybox-CVE-2018-1000500.patch b/meta/recipes-core/busybox/busybox/busybox-CVE-2018-1000500.patch new file mode 100644 index 0000000000..d1a33e4ab5 --- /dev/null +++ b/meta/recipes-core/busybox/busybox/busybox-CVE-2018-1000500.patch @@ -0,0 +1,98 @@ +From 71e7e2fb35c806d20f9739d832cd9ae3a86fdee2 Mon Sep 17 00:00:00 2001 +From: Dimitri John Ledkov <xnox@ubuntu.com> +Date: Tue, 19 May 2020 18:20:39 +0100 +Subject: [PATCH] wget: implement TLS verification with + ENABLE_FEATURE_WGET_OPENSSL + +When ENABLE_FEATURE_WGET_OPENSSL is enabled, correctly implement TLS +verification by default. And only ignore verification errors, if +--no-check-certificate was passed. + +Also note, that previously OPENSSL implementation did not implement +TLS verification, nor printed any warning messages that verification +was not performed. + +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1879533 + +CVE-2018-1000500 + +Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=45fa3f18adf57ef9d743038743d9c90573aeeb91] +CVE: CVE-2018-1000500 + +Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com> +Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com> +Signed-off-by: Rahul Kumar <rahulk@mvista.com> +--- + networking/wget.c | 20 +++++++++++++++++--- + 1 file changed, 17 insertions(+), 3 deletions(-) + +diff --git a/networking/wget.c b/networking/wget.c +index 9153264..a7e6deb 100644 +--- a/networking/wget.c ++++ b/networking/wget.c +@@ -91,6 +91,9 @@ + //config: patches, but do want to waste bandwidth expaining how wrong + //config: it is, you will be ignored. + //config: ++//config: FEATURE_WGET_OPENSSL does implement TLS verification ++//config: using the certificates available to OpenSSL. ++//config: + //config:config FEATURE_WGET_OPENSSL + //config: bool "Try to connect to HTTPS using openssl" + //config: default y +@@ -115,6 +118,9 @@ + //config: If openssl can't be executed, internal TLS code will be used + //config: (if you enabled it); if openssl can be executed but fails later, + //config: wget can't detect this, and download will fail. ++//config: ++//config: By default TLS verification is performed, unless ++//config: --no-check-certificate option is passed. + + //applet:IF_WGET(APPLET(wget, BB_DIR_USR_BIN, BB_SUID_DROP)) + +@@ -124,8 +130,11 @@ + //usage: IF_FEATURE_WGET_LONG_OPTIONS( + //usage: "[-c|--continue] [--spider] [-q|--quiet] [-O|--output-document FILE]\n" + //usage: " [-o|--output-file FILE] [--header 'header: value'] [-Y|--proxy on/off]\n" ++//usage: IF_FEATURE_WGET_OPENSSL( ++//usage: " [--no-check-certificate]\n" ++//usage: ) + /* Since we ignore these opts, we don't show them in --help */ +-/* //usage: " [--no-check-certificate] [--no-cache] [--passive-ftp] [-t TRIES]" */ ++/* //usage: " [--no-cache] [--passive-ftp] [-t TRIES]" */ + /* //usage: " [-nv] [-nc] [-nH] [-np]" */ + //usage: " [-P DIR] [-S|--server-response] [-U|--user-agent AGENT]" IF_FEATURE_WGET_TIMEOUT(" [-T SEC]") " URL..." + //usage: ) +@@ -137,7 +146,9 @@ + //usage: "Retrieve files via HTTP or FTP\n" + //usage: IF_FEATURE_WGET_LONG_OPTIONS( + //usage: "\n --spider Only check URL existence: $? is 0 if exists" +-///////: "\n --no-check-certificate Don't validate the server's certificate" ++//usage: IF_FEATURE_WGET_OPENSSL( ++//usage: "\n --no-check-certificate Don't validate the server's certificate" ++//usage: ) + //usage: ) + //usage: "\n -c Continue retrieval of aborted transfer" + //usage: "\n -q Quiet" +@@ -662,7 +673,7 @@ static int spawn_https_helper_openssl(const char *host, unsigned port) + pid = xvfork(); + if (pid == 0) { + /* Child */ +- char *argv[8]; ++ char *argv[9]; + + close(sp[0]); + xmove_fd(sp[1], 0); +@@ -689,6 +700,9 @@ static int spawn_https_helper_openssl(const char *host, unsigned port) + argv[5] = (char*)"-servername"; + argv[6] = (char*)servername; + } ++ if (!(option_mask32 & WGET_OPT_NO_CHECK_CERT)) { ++ argv[7] = (char*)"-verify_return_error"; ++ } + + BB_EXECVP(argv[0], argv); + xmove_fd(3, 2); +-- +2.7.4 + diff --git a/meta/recipes-core/busybox/busybox_1.31.1.bb b/meta/recipes-core/busybox/busybox_1.31.1.bb index 2bb1d59ba7..a6b47027af 100644 --- a/meta/recipes-core/busybox/busybox_1.31.1.bb +++ b/meta/recipes-core/busybox/busybox_1.31.1.bb @@ -48,6 +48,7 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \ file://0001-Remove-syscall-wrappers-around-clock_gettime-closes-.patch \ file://0001-Remove-stime-function-calls.patch \ file://0001-sysctl-ignore-EIO-of-stable_secret-below-proc-sys-ne.patch \ + file://busybox-CVE-2018-1000500.patch \ " SRC_URI_append_libc-musl = " file://musl.cfg " |