packages/busybox
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2018-1000500

Browse Source
This commit is contained in:
xielh 2021-02-09 22:35:44 +08:00 committed by hht8
parent e45a10823a
commit ade7c6c65e
2 changed files with 105 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

96
backport-CVE-2018-1000500.patch Normal file
View File

@ -0,0 +1,96 @@
From 45fa3f18adf57ef9d743038743d9c90573aeeb91 Mon Sep 17 00:00:00 2001
From: Dimitri John Ledkov <xnox@ubuntu.com>
Date: Tue, 19 May 2020 18:20:39 +0100
Subject: [PATCH] wget: implement TLS verification with ENABLE_FEATURE_WGET_OPENSSL
When ENABLE_FEATURE_WGET_OPENSSL is enabled, correctly implement TLS
verification by default. And only ignore verification errors, if
--no-check-certificate was passed.
Also note, that previously OPENSSL implementation did not implement
TLS verification, nor printed any warning messages that verification
was not performed.
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1879533
CVE-2018-1000500
Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
---
networking/wget.c | 22 ++++++++++++++++++----
1 file changed, 18 insertions(+), 4 deletions(-)
diff --git a/networking/wget.c b/networking/wget.c
index 9153264..de66ef2 100644
--- a/networking/wget.c
+++ b/networking/wget.c
@@ -91,6 +91,9 @@
//config: patches, but do want to waste bandwidth expaining how wrong
//config: it is, you will be ignored.
//config:
+//config: FEATURE_WGET_OPENSSL does implement TLS verification
+//config: using the certificates available to OpenSSL.
+//config:
//config:config FEATURE_WGET_OPENSSL
//config: bool "Try to connect to HTTPS using openssl"
//config: default y
@@ -115,7 +118,10 @@
//config: If openssl can't be executed, internal TLS code will be used
//config: (if you enabled it); if openssl can be executed but fails later,
//config: wget can't detect this, and download will fail.
-
+//config:
+//config: By default TLS verification is performed, unless
+//config: --no-check-certificate option is passed.
+//
//applet:IF_WGET(APPLET(wget, BB_DIR_USR_BIN, BB_SUID_DROP))
//kbuild:lib-$(CONFIG_WGET) += wget.o
@@ -124,8 +130,11 @@
//usage: IF_FEATURE_WGET_LONG_OPTIONS(
//usage: "[-c|--continue] [--spider] [-q|--quiet] [-O|--output-document FILE]\n"
//usage: " [-o|--output-file FILE] [--header 'header: value'] [-Y|--proxy on/off]\n"
+//usage: IF_FEATURE_WGET_OPENSSL(
+//usage: " [--no-check-certificate]\n"
+//usage: )
/* Since we ignore these opts, we don't show them in --help */
-/* //usage: " [--no-check-certificate] [--no-cache] [--passive-ftp] [-t TRIES]" */
+/* //usage: " [--no-cache] [--passive-ftp] [-t TRIES]" */
/* //usage: " [-nv] [-nc] [-nH] [-np]" */
//usage: " [-P DIR] [-S|--server-response] [-U|--user-agent AGENT]" IF_FEATURE_WGET_TIMEOUT(" [-T SEC]") " URL..."
//usage: )
@@ -137,7 +146,9 @@
//usage: "Retrieve files via HTTP or FTP\n"
//usage: IF_FEATURE_WGET_LONG_OPTIONS(
//usage: "\n --spider Only check URL existence: $? is 0 if exists"
-///////: "\n --no-check-certificate Don't validate the server's certificate"
+//usage: IF_FEATURE_WGET_OPENSSL(
+//usage: "\n --no-check-certificate Don't validate the server's certificate"
+//usage: )
//usage: )
//usage: "\n -c Continue retrieval of aborted transfer"
//usage: "\n -q Quiet"
@@ -662,7 +673,7 @@ static int spawn_https_helper_openssl(const char *host, unsigned port)
pid = xvfork();
if (pid == 0) {
/* Child */
- char *argv[8];
+ char *argv[9];
close(sp[0]);
xmove_fd(sp[1], 0);
@@ -689,6 +700,9 @@ static int spawn_https_helper_openssl(const char *host, unsigned port)
argv[5] = (char*)"-servername";
argv[6] = (char*)servername;
}
+ if (!(option_mask32 & WGET_OPT_NO_CHECK_CERT)) {
+ argv[7] = (char*)"-verify_return_error";
+ }
BB_EXECVP(argv[0], argv);
xmove_fd(3, 2);
--
2.23.0

9
busybox.spec
View File

@ -4,7 +4,7 @@
%endif %endif
%if "%{!?RELEASE:1}" %if "%{!?RELEASE:1}"
%define RELEASE 6 %define RELEASE 7
%endif %endif
Name: busybox Name: busybox
@ -21,6 +21,7 @@ Source3: busybox-dynamic.config
#backport #backport
Patch6000: backport-bugfix-remove-stime-calls.patch Patch6000: backport-bugfix-remove-stime-calls.patch
Patch6001: backport-CVE-2018-1000500.patch
BuildRoot: %_topdir/BUILDROOT BuildRoot: %_topdir/BUILDROOT
#Dependency #Dependency
@ -96,6 +97,12 @@ install -m 644 docs/busybox.dynamic.1 $RPM_BUILD_ROOT/%{_mandir}/man1/busybox.1
%{_mandir}/man1/busybox.petitboot.1.gz %{_mandir}/man1/busybox.petitboot.1.gz
%changelog %changelog
* Tue Feb 09 2021 xieliuhua <xieliuhua@huawei.com> - 1:1.31.1-7
- Type:CVE
- CVE:CVE-2018-1000500
- SUG:NA
- DESC:fix CVE-2018-1000500
* Wed Jan 8 2020 openEuler Buildteam <buildteam@openeuler.org> - 1:1.31.1-6 * Wed Jan 8 2020 openEuler Buildteam <buildteam@openeuler.org> - 1:1.31.1-6
- Type:enhancement - Type:enhancement
- Id:NA - Id:NA