!17 update busybox to 1.33.1

From: @jackey_1024
Reviewed-by: @flyflyflypeng,@caihaomin
Signed-off-by: @caihaomin

backport-CVE-2018-1000500.patch

@@ -1,96 +0,0 @@
-From 45fa3f18adf57ef9d743038743d9c90573aeeb91 Mon Sep 17 00:00:00 2001
-From: Dimitri John Ledkov <xnox@ubuntu.com>
-Date: Tue, 19 May 2020 18:20:39 +0100
-Subject: [PATCH] wget: implement TLS verification with ENABLE_FEATURE_WGET_OPENSSL
-
-When ENABLE_FEATURE_WGET_OPENSSL is enabled, correctly implement TLS
-verification by default. And only ignore verification errors, if
---no-check-certificate was passed.
-
-Also note, that previously OPENSSL implementation did not implement
-TLS verification, nor printed any warning messages that verification
-was not performed.
-
-Bug-Ubuntu: https://bugs.launchpad.net/bugs/1879533
-
-CVE-2018-1000500
-
-Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
-Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
-
----
- networking/wget.c | 22 ++++++++++++++++++----
- 1 file changed, 18 insertions(+), 4 deletions(-)
-
-diff --git a/networking/wget.c b/networking/wget.c
-index 9153264..de66ef2 100644
---- a/networking/wget.c
-+++ b/networking/wget.c
-@@ -91,6 +91,9 @@
- //config:	patches, but do want to waste bandwidth expaining how wrong
- //config:	it is, you will be ignored.
- //config:
-+//config:	FEATURE_WGET_OPENSSL does implement TLS verification
-+//config:	using the certificates available to OpenSSL.
-+//config:
- //config:config FEATURE_WGET_OPENSSL
- //config:	bool "Try to connect to HTTPS using openssl"
- //config:	default y
-@@ -115,7 +118,10 @@
- //config:	If openssl can't be executed, internal TLS code will be used
- //config:	(if you enabled it); if openssl can be executed but fails later,
- //config:	wget can't detect this, and download will fail.
--
-+//config:
-+//config:	By default TLS verification is performed, unless
-+//config:	--no-check-certificate option is passed.
-+//
- //applet:IF_WGET(APPLET(wget, BB_DIR_USR_BIN, BB_SUID_DROP))
- 
- //kbuild:lib-$(CONFIG_WGET) += wget.o
-@@ -124,8 +130,11 @@
- //usage:	IF_FEATURE_WGET_LONG_OPTIONS(
- //usage:       "[-c|--continue] [--spider] [-q|--quiet] [-O|--output-document FILE]\n"
- //usage:       "	[-o|--output-file FILE] [--header 'header: value'] [-Y|--proxy on/off]\n"
-+//usage:       IF_FEATURE_WGET_OPENSSL(
-+//usage:       "	[--no-check-certificate]\n"
-+//usage:       )
- /* Since we ignore these opts, we don't show them in --help */
--/* //usage:    "	[--no-check-certificate] [--no-cache] [--passive-ftp] [-t TRIES]" */
-+/* //usage:    "	[--no-cache] [--passive-ftp] [-t TRIES]" */
- /* //usage:    "	[-nv] [-nc] [-nH] [-np]" */
- //usage:       "	[-P DIR] [-S|--server-response] [-U|--user-agent AGENT]" IF_FEATURE_WGET_TIMEOUT(" [-T SEC]") " URL..."
- //usage:	)
-@@ -137,7 +146,9 @@
- //usage:       "Retrieve files via HTTP or FTP\n"
- //usage:	IF_FEATURE_WGET_LONG_OPTIONS(
- //usage:     "\n	--spider	Only check URL existence: $? is 0 if exists"
--///////:     "\n	--no-check-certificate	Don't validate the server's certificate"
-+//usage:	IF_FEATURE_WGET_OPENSSL(
-+//usage:	"\n       --no-check-certificate  Don't validate the server's certificate"
-+//usage:	)
- //usage:	)
- //usage:     "\n	-c		Continue retrieval of aborted transfer"
- //usage:     "\n	-q		Quiet"
-@@ -662,7 +673,7 @@ static int spawn_https_helper_openssl(const char *host, unsigned port)
- 	pid = xvfork();
- 	if (pid == 0) {
- 		/* Child */
--		char *argv[8];
-+		char *argv[9];
- 
- 		close(sp[0]);
- 		xmove_fd(sp[1], 0);
-@@ -689,6 +700,9 @@ static int spawn_https_helper_openssl(const char *host, unsigned port)
- 			argv[5] = (char*)"-servername";
- 			argv[6] = (char*)servername;
- 		}
-+		if (!(option_mask32 & WGET_OPT_NO_CHECK_CERT)) {
-+			argv[7] = (char*)"-verify_return_error";
-+		}
- 
- 		BB_EXECVP(argv[0], argv);
- 		xmove_fd(3, 2);
--- 
-2.23.0
-

backport-CVE-2021-28831.patch

@@ -1,42 +0,0 @@
-From 26d06cef6684055a30cce5922095d22e8a9a91e3 Mon Sep 17 00:00:00 2001
-From: leizhongkai <leizhongkai@huawei.com>
-Date: Sat, 17 Apr 2021 14:27:23 +0800
-Subject: [PATCH] busybox: fix CVE-2021-28831
-
-backoprt from upstream:
-https://git.busybox.net/busybox/patch/?id=dbd3b883a891f076911d752f56f7a906d5650a17
-
-Signed-off-by: leizhongkai <leizhongkai@huawei.com>
----
- archival/libarchive/decompress_gunzip.c | 11 +++++++++++
- 1 file changed, 11 insertions(+)
-
-diff --git a/archival/libarchive/decompress_gunzip.c b/archival/libarchive/decompress_gunzip.c
-index 7f9046b..3eeae76 100644
---- a/archival/libarchive/decompress_gunzip.c
-+++ b/archival/libarchive/decompress_gunzip.c
-@@ -222,10 +222,21 @@ static const uint8_t border[] ALIGN1 = {
-  * each table.
-  * t: table to free
-  */
-+#define BAD_HUFT(p) ((uintptr_t)(p) & 1)
-+#define ERR_RET     ((huft_t*)(uintptr_t)1)
- static void huft_free(huft_t *p)
- {
- 	huft_t *q;
- 
-+    /*
-+     * If 'p' has the error bit set we have to clear it, otherwise we might run
-+     * into a segmentation fault or an invalid pointer to free(p)
-+     */
-+    if (BAD_HUFT(p)) {
-+        p = (huft_t*)((uintptr_t)(p) ^ (uintptr_t)(ERR_RET));
-+    }
-+
-+
- 	/* Go through linked list, freeing from the malloced (t[-1]) address. */
- 	while (p) {
- 		q = (--p)->v.t;
--- 
-2.23.0
-

backport-bugfix-remove-stime-calls.patch

@@ -1,96 +0,0 @@
-From d3539be8f27b8cbfdfee460fe08299158f08bcd9 Mon Sep 17 00:00:00 2001
-From: d3539be8f27b8cbfdfee460fe08299158f08bcd9 Mon Sep 17 00:00:00 2001
-Date: Tue, 19 Nov 2019 13:06:40 +0100
-Subject: [PATCH] Remove stime() function calls
-
-stime() has been deprecated in glibc 2.31 and replaced with
-clock_settime(). Let's replace the stime()function calls with
-clock_settime() in preperation.
-
-function                                             old     new   delta
-rdate_main                                           197     224     +27
-clock_settime                                          -      27     +27
-date_main                                            926     941     +15
-stime                                                 37       -     -37
-------------------------------------------------------------------------------
-(add/remove: 2/2 grow/shrink: 2/0 up/down: 69/-37)             Total: 32 bytes
-
-Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
-Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
----
- coreutils/date.c         |  8 ++++++--
- libbb/missing_syscalls.c |  8 --------
- util-linux/rdate.c       | 10 +++++++---
- 3 files changed, 13 insertions(+), 13 deletions(-)
-
-diff --git a/coreutils/date.c b/coreutils/date.c
-index 3414d38..f7f8fe1 100644
---- a/coreutils/date.c
-+++ b/coreutils/date.c
-@@ -279,6 +279,9 @@ int date_main(int argc UNUSED_PARAM, char **argv)
- 		time(&ts.tv_sec);
- #endif
- 	}
-+#if !ENABLE_FEATURE_DATE_NANO
-+	ts.tv_nsec = 0;
-+#endif
- 	localtime_r(&ts.tv_sec, &tm_time);
- 
- 	/* If date string is given, update tm_time, and maybe set date */
-@@ -301,10 +304,11 @@ int date_main(int argc UNUSED_PARAM, char **argv)
- 		if (date_str[0] != '@')
- 			tm_time.tm_isdst = -1;
- 		ts.tv_sec = validate_tm_time(date_str, &tm_time);
-+		ts.tv_nsec = 0;
- 
- 		/* if setting time, set it */
--		if ((opt & OPT_SET) && stime(&ts.tv_sec) < 0) {
--			bb_perror_msg("can't set date");
-+		if ((opt & OPT_SET) && clock_settime(CLOCK_REALTIME, &ts) < 0) {
-+			bb_simple_perror_msg("can't set date");
- 		}
- 	}
- 
-diff --git a/libbb/missing_syscalls.c b/libbb/missing_syscalls.c
-index 87cf59b..dc40d91 100644
---- a/libbb/missing_syscalls.c
-+++ b/libbb/missing_syscalls.c
-@@ -15,14 +15,6 @@ pid_t getsid(pid_t pid)
- 	return syscall(__NR_getsid, pid);
- }
- 
--int stime(const time_t *t)
--{
--	struct timeval tv;
--	tv.tv_sec = *t;
--	tv.tv_usec = 0;
--	return settimeofday(&tv, NULL);
--}
--
- int sethostname(const char *name, size_t len)
- {
- 	return syscall(__NR_sethostname, name, len);
-diff --git a/util-linux/rdate.c b/util-linux/rdate.c
-index 70f829e..bab41d9 100644
---- a/util-linux/rdate.c
-+++ b/util-linux/rdate.c
-@@ -95,9 +95,13 @@ int rdate_main(int argc UNUSED_PARAM, char **argv)
- 	if (!(flags & 2)) { /* no -p (-s may be present) */
- 		if (time(NULL) == remote_time)
- 			bb_error_msg("current time matches remote time");
--		else
--			if (stime(&remote_time) < 0)
--				bb_perror_msg_and_die("can't set time of day");
-+		else {
-+			struct timespec ts;
-+			ts.tv_sec = remote_time;
-+			ts.tv_nsec = 0;
-+			if (clock_settime(CLOCK_REALTIME, &ts) < 0)
-+				bb_simple_perror_msg_and_die("can't set time of day");
-+		}
- 	}
- 
- 	if (flags != 1) /* not lone -s */
--- 
-2.11.0
-

busybox.spec

@@ -1,10 +1,10 @@
 #spec file for busybox
 %if "%{!?VERSION:1}"
-%define VERSION 1.31.1
+%define VERSION 1.33.1
 %endif
 
 %if "%{!?RELEASE:1}"
-%define RELEASE 8
+%define RELEASE 9
 %endif
 
 Name: busybox
@@ -19,14 +19,9 @@ Source1: busybox-static.config
 Source2: busybox-petitboot.config
 Source3: busybox-dynamic.config
 
-#backport
-Patch6000: backport-bugfix-remove-stime-calls.patch
-Patch6001: backport-CVE-2018-1000500.patch 
-Patch6002: backport-CVE-2021-28831.patch
-
 BuildRoot:      %_topdir/BUILDROOT
 #Dependency
-BuildRequires: gcc glibc-static git
+BuildRequires: gcc glibc-static
 BuildRequires: libselinux-devel >= 1.27.7-2
 BuildRequires: libsepol-devel libselinux-static libsepol-static
 
@@ -55,7 +50,7 @@ This package contains help documentation for busybox
 
 %prep
 # auto apply all needed patch with git
-%autosetup -n %{name}-%{version} -p1 -Sgit -v
+%autosetup -n %{name}-%{version} -p1 -v
 
 %build
 export CFLAGS="$RPM_OPT_FLAGS -fPIE" LDFLAGS="-Wl,-z,now"
@@ -98,6 +93,12 @@ install -m 644 docs/busybox.dynamic.1 $RPM_BUILD_ROOT/%{_mandir}/man1/busybox.1
 %{_mandir}/man1/busybox.petitboot.1.gz
 
 %changelog
+* Fri Aug 13 2021 jikui <jikui2@huawei.com> - 1:1.33.1-9
+- Type:enhancement
+- Id:NA
+- SUG:NA
+- DESC:update busybox to 1.33.1
+
 * Fri Apr 30 2021 caihaomin <caihaomin@huawei.com> - 1:1.31.1-8
 - Type:CVE
 - CVE:CVE-2021-28831