fix CVE-2021-42373 CVE-2021-42375 and CVE-2021-42376

Signed-off-by: xiechengliang <xiechengliang1@huawei.com>
2021-11-24 19:38:20 +08:00 · 2021-11-24 19:38:20 +08:00 · 378a45e767
commit 378a45e767
parent 9fd82b993d
4 changed files with 225 additions and 1 deletions
--- a/backport-CVE-2021-42373.patch
+++ b/backport-CVE-2021-42373.patch
@ -0,0 +1,29 @@
+From 6dc5bd57af2f5cc6b8c953d2b223d3b012b2400b Mon Sep 17 00:00:00 2001
+From: xiechengliang <xiechengliang1@huawei.com>
+Date: Fri, 19 Nov 2021 18:34:10 +0800
+Subject: [PATCH] busybox: fix CVE-2021-42373
+
+backport from upstream:
+https://git.busybox.net/busybox/commit/?id=4d4fc5ca5ee4faae5dc4237f801d9527a3fb20cc
+
+Signed-off-by: xiechengliang <xiechengliang1@huawei.com>
+---
+ miscutils/man.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/miscutils/man.c b/miscutils/man.c
+index 722f6641e..d319e8bba 100644
+--- a/miscutils/man.c
+++ b/miscutils/man.c
+@@ -324,7 +324,7 @@ int man_main(int argc UNUSED_PARAM, char **argv)
+ 
+ 	/* is 1st ARG a SECTION? */
+ 	sec_list = conf_sec_list;
+-	if (is_section_name(conf_sec_list, *argv)) {
+	if (is_section_name(conf_sec_list, *argv) && argv[1]) {
+ 		/* yes */
+ 		sec_list = *argv++;
+ 	}
+-- 
+2.27.0
+
--- a/backport-CVE-2021-42375.patch
+++ b/backport-CVE-2021-42375.patch
@ -0,0 +1,53 @@
+From 9ac1dd9017b2b4acba4734f6f989b88da2ad7616 Mon Sep 17 00:00:00 2001
+From: xiechengliang <xiechengliang1@huawei.com>
+Date: Wed, 24 Nov 2021 19:15:25 +0800
+Subject: [PATCH 2/2] ash: parser: Fix VSLENGTH parsing with trailing garbage
+
+Let's adopt Herbert Xu's patch, not waiting for it to reach dash git:
+hush already has a similar fix.
+
+backport from upstream:
+https://git.busybox.net/busybox/commit/?id=53a7a9cd8c15d64fcc2278cf8981ba526dfbe0d2
+
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+---
+ shell/ash.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/shell/ash.c b/shell/ash.c
+index a33ab0626..1ca45f9c1 100644
+--- a/shell/ash.c
+++ b/shell/ash.c
+@@ -12635,7 +12635,7 @@ parsesub: {
+ 			do {
+ 				STPUTC(c, out);
+ 				c = pgetc_eatbnl();
+-			} while (!subtype && isdigit(c));
+			} while ((subtype == 0 || subtype == VSLENGTH) && isdigit(c));
+ 		} else if (c != '}') {
+ 			/* $[{[#]]<specialchar>[}] */
+ 			int cc = c;
+@@ -12665,11 +12665,6 @@ parsesub: {
+ 		} else
+ 			goto badsub;
+ 
+-		if (c != '}' && subtype == VSLENGTH) {
+-			/* ${#VAR didn't end with } */
+-			goto badsub;
+-		}
+-
+ 		if (subtype == 0) {
+ 			static const char types[] ALIGN1 = "}-+?=";
+ 			/* ${VAR...} but not $VAR or ${#VAR} */
+@@ -12726,6 +12721,8 @@ parsesub: {
+ #endif
+ 			}
+ 		} else {
+			if (subtype == VSLENGTH && c != '}')
+				subtype = 0;
+  badsub:
+ 			pungetc();
+ 		}
+-- 
+2.27.0
+
--- a/backport-CVE-2021-42376.patch
+++ b/backport-CVE-2021-42376.patch
@ -0,0 +1,133 @@
+From 251452bc54477ed41da27a1c020a88882aa2eaaf Mon Sep 17 00:00:00 2001
+From: xiechengliang <xiechengliang1@huawei.com>
+Date: Sat, 20 Nov 2021 12:01:23 +0800
+Subject: [PATCH 1/2] hush: fix handling of \^C and "^C"
+
+function                                             old     new   delta
+parse_stream                                        2238    2252     +14
+encode_string                                        243     256     +13
+------------------------------------------------------------------------------
+(add/remove: 0/0 grow/shrink: 2/0 up/down: 27/0)               Total: 27 bytes
+
+backport from upstream:
+https://git.busybox.net/busybox/commit/?id=1b7a9b68d0e9aa19147d7fda16eb9a6b54156985
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+---
+ shell/ash_test/ash-misc/control_char3.right   |  1 +
+ shell/ash_test/ash-misc/control_char3.tests   |  2 ++
+ shell/ash_test/ash-misc/control_char4.right   |  1 +
+ shell/ash_test/ash-misc/control_char4.tests   |  2 ++
+ shell/hush.c                                  | 11 +++++++++++
+ shell/hush_test/hush-misc/control_char3.right |  1 +
+ shell/hush_test/hush-misc/control_char3.tests |  2 ++
+ shell/hush_test/hush-misc/control_char4.right |  1 +
+ shell/hush_test/hush-misc/control_char4.tests |  2 ++
+ 9 files changed, 23 insertions(+)
+ create mode 100644 shell/ash_test/ash-misc/control_char3.right
+ create mode 100755 shell/ash_test/ash-misc/control_char3.tests
+ create mode 100644 shell/ash_test/ash-misc/control_char4.right
+ create mode 100755 shell/ash_test/ash-misc/control_char4.tests
+ create mode 100644 shell/hush_test/hush-misc/control_char3.right
+ create mode 100755 shell/hush_test/hush-misc/control_char3.tests
+ create mode 100644 shell/hush_test/hush-misc/control_char4.right
+ create mode 100755 shell/hush_test/hush-misc/control_char4.tests
+
+diff --git a/shell/ash_test/ash-misc/control_char3.right b/shell/ash_test/ash-misc/control_char3.right
+new file mode 100644
+index 000000000..283e02cbb
+--- /dev/null
+++ b/shell/ash_test/ash-misc/control_char3.right
+@@ -0,0 +1 @@
+SHELL: line 1: : not found
+diff --git a/shell/ash_test/ash-misc/control_char3.tests b/shell/ash_test/ash-misc/control_char3.tests
+new file mode 100755
+index 000000000..4359db3f3
+--- /dev/null
+++ b/shell/ash_test/ash-misc/control_char3.tests
+@@ -0,0 +1,2 @@
+# (set argv0 to "SHELL" to avoid "/path/to/shell: blah" in error messages)
+$THIS_SH -c '\' SHELL
+diff --git a/shell/ash_test/ash-misc/control_char4.right b/shell/ash_test/ash-misc/control_char4.right
+new file mode 100644
+index 000000000..2bf18e684
+--- /dev/null
+++ b/shell/ash_test/ash-misc/control_char4.right
+@@ -0,0 +1 @@
+SHELL: line 1: -: not found
+diff --git a/shell/ash_test/ash-misc/control_char4.tests b/shell/ash_test/ash-misc/control_char4.tests
+new file mode 100755
+index 000000000..48010f154
+--- /dev/null
+++ b/shell/ash_test/ash-misc/control_char4.tests
+@@ -0,0 +1,2 @@
+# (set argv0 to "SHELL" to avoid "/path/to/shell: blah" in error messages)
+$THIS_SH -c '"-"' SHELL
+diff --git a/shell/hush.c b/shell/hush.c
+index 9fead37da..249728b9d 100644
+--- a/shell/hush.c
+++ b/shell/hush.c
+@@ -5235,6 +5235,11 @@ static int encode_string(o_string *as_string,
+ 	}
+ #endif
+ 	o_addQchr(dest, ch);
+	if (ch == SPECIAL_VAR_SYMBOL) {
+		/* Convert "^C" to corresponding special variable reference */
+		o_addchr(dest, SPECIAL_VAR_QUOTED_SVS);
+		o_addchr(dest, SPECIAL_VAR_SYMBOL);
+	}
+ 	goto again;
+ #undef as_string
+ }
+@@ -5346,6 +5351,11 @@ static struct pipe *parse_stream(char **pstring,
+ 			if (ch == '\n')
+ 				continue; /* drop \<newline>, get next char */
+ 			nommu_addchr(&ctx.as_string, '\\');
+			if (ch == SPECIAL_VAR_SYMBOL) {
+				nommu_addchr(&ctx.as_string, ch);
+				/* Convert \^C to corresponding special variable reference */
+				goto case_SPECIAL_VAR_SYMBOL;
+			}
+ 			o_addchr(&ctx.word, '\\');
+ 			if (ch == EOF) {
+ 				/* Testcase: eval 'echo Ok\' */
+@@ -5670,6 +5680,7 @@ static struct pipe *parse_stream(char **pstring,
+ 		/* Note: nommu_addchr(&ctx.as_string, ch) is already done */
+ 
+ 		switch (ch) {
+		case_SPECIAL_VAR_SYMBOL:
+ 		case SPECIAL_VAR_SYMBOL:
+ 			/* Convert raw ^C to corresponding special variable reference */
+ 			o_addchr(&ctx.word, SPECIAL_VAR_SYMBOL);
+diff --git a/shell/hush_test/hush-misc/control_char3.right b/shell/hush_test/hush-misc/control_char3.right
+new file mode 100644
+index 000000000..94b4f8699
+--- /dev/null
+++ b/shell/hush_test/hush-misc/control_char3.right
+@@ -0,0 +1 @@
+hush: can't execute '': No such file or directory
+diff --git a/shell/hush_test/hush-misc/control_char3.tests b/shell/hush_test/hush-misc/control_char3.tests
+new file mode 100755
+index 000000000..4359db3f3
+--- /dev/null
+++ b/shell/hush_test/hush-misc/control_char3.tests
+@@ -0,0 +1,2 @@
+# (set argv0 to "SHELL" to avoid "/path/to/shell: blah" in error messages)
+$THIS_SH -c '\' SHELL
+diff --git a/shell/hush_test/hush-misc/control_char4.right b/shell/hush_test/hush-misc/control_char4.right
+new file mode 100644
+index 000000000..698e21427
+--- /dev/null
+++ b/shell/hush_test/hush-misc/control_char4.right
+@@ -0,0 +1 @@
+hush: can't execute '-': No such file or directory
+diff --git a/shell/hush_test/hush-misc/control_char4.tests b/shell/hush_test/hush-misc/control_char4.tests
+new file mode 100755
+index 000000000..48010f154
+--- /dev/null
+++ b/shell/hush_test/hush-misc/control_char4.tests
+@@ -0,0 +1,2 @@
+# (set argv0 to "SHELL" to avoid "/path/to/shell: blah" in error messages)
+$THIS_SH -c '"-"' SHELL
+-- 
+2.27.0
+
--- a/busybox.spec
+++ b/busybox.spec
@ -4,7 +4,7 @@
 %endif

 %if "%{!?RELEASE:1}"
-%define RELEASE 10
+%define RELEASE 11
 %endif

 Name: busybox
@ -22,6 +22,9 @@ Source3: busybox-dynamic.config
 #backport
 Patch6000: backport-CVE-2021-42374.patch
 Patch6001: backport-CVE-2021-42377.patch
+Patch6002: backport-CVE-2021-42373.patch
+Patch6003: backport-CVE-2021-42375.patch
+Patch6004: backport-CVE-2021-42376.patch

 BuildRoot:      %_topdir/BUILDROOT
 #Dependency
@ -97,6 +100,12 @@ install -m 644 docs/busybox.dynamic.1 $RPM_BUILD_ROOT/%{_mandir}/man1/busybox.1
 %{_mandir}/man1/busybox.petitboot.1.gz

 %changelog
+* Wed Nov 24 2021 xiechengliang <xiechengliang1@huawei.com> - 1:1.33.1-11
+- Type:CVE
+- Id:NA
+- SUG:NA
+- DESC:fix CVE-2021-42373 CVE-2021-42375 and CVE-2021-42376
+
 * Mon Nov 22 2021 jikui <jikui2@huawei.com> - 1:1.33.1-10
 - Type:CVE
 - Id:NA