From bugzilla at busybox.net Tue Sep 6 16:55:35 2022
From: bugzilla at busybox.net (bugzilla at busybox.net)
Date: Tue, 06 Sep 2022 16:55:35 +0000
Subject: [Bug 14811] networking/nslookup.c parse_reply() CVE-2022-28391 patch
query
In-Reply-To:
References:
Message-ID:
https://bugs.busybox.net/show_bug.cgi?id=14811
--- Comment #2 from Mark Esler ---
Could the below patches be reviewed for their applicability to bug
14811 and CVE-2022-28391?
https://git.alpinelinux.org/aports/plain/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
https://git.alpinelinux.org/aports/plain/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch
--
You are receiving this mail because:
You are on the CC list for the bug.
From vda.linux at googlemail.com Thu Sep 8 14:31:44 2022
From: vda.linux at googlemail.com (Denys Vlasenko)
Date: Thu, 8 Sep 2022 16:31:44 +0200
Subject: [git commit] tls: include signature_algorithms extension in client
hello message
Message-ID: <20220908143245.E3BBC82AB9@busybox.osuosl.org>
commit: https://git.busybox.net/busybox/commit/?id=9bab580cd4337a3b9daf7d63f1fc863b7a569ae0
branch: https://git.busybox.net/busybox/commit/?id=refs/heads/master
function old new delta
tls_xread_record 629 645 +16
.rodata 105167 105179 +12
------------------------------------------------------------------------------
(add/remove: 0/0 grow/shrink: 2/0 up/down: 28/0) Total: 28 bytes
Signed-off-by: Denys Vlasenko
---
networking/tls.c | 91 +++++++++++++++++++++++++++++++++++++++++++++-----------
1 file changed, 73 insertions(+), 18 deletions(-)
diff --git a/networking/tls.c b/networking/tls.c
index 415952f16..935ca76a4 100644
--- a/networking/tls.c
+++ b/networking/tls.c
@@ -948,11 +948,46 @@ static int tls_has_buffered_record(tls_state_t *tls)
static const char *alert_text(int code)
{
+ //10 unexpected_message
+ //20 bad_record_mac
+ //21 decryption_failed
+ //22 record_overflow
+ //30 decompression_failure
+ //40 handshake_failure
+ //41 no_certificate
+ //42 bad_certificate
+ //43 unsupported_certificate
+ //44 certificate_revoked
+ //45 certificate_expired
+ //46 certificate_unknown
+ //47 illegal_parameter
+ //48 unknown_ca
+ //49 access_denied
+ //50 decode_error
+ //51 decrypt_error
+ //52 too_many_cids_requested
+ //60 export_restriction
+ //70 protocol_version
+ //71 insufficient_security
+ //80 internal_error
+ //86 inappropriate_fallback
+ //90 user_canceled
+ //100 no_renegotiation
+ //109 missing_extension
+ //110 unsupported_extension
+ //111 certificate_unobtainable
+ //112 unrecognized_name
+ //113 bad_certificate_status_response
+ //114 bad_certificate_hash_value
+ //115 unknown_psk_identity
+ //116 certificate_required
+ //120 no_application_protocol
switch (code) {
case 20: return "bad MAC";
case 50: return "decode error";
- case 51: return "decrypt error";
case 40: return "handshake failure";
+ case 51: return "decrypt error";
+ case 80: return "internal error";
case 112: return "unrecognized name";
}
return itoa(code);
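Review bot: The 36-line table of alert codes added above the switch duplicates a registry of which the switch maps only six entries, so the two will drift the first time a case is added or removed; a one-line pointer such as `// alert codes: RFC 5246 section 7.2.2 / IANA "TLS Alerts" registry` carries the same information without a second list to maintain. If the table stays, marking which codes the switch below actually renders would tell a reader why `case 80` yields "internal error" while 70 and 71 fall through to `itoa(code)`. The closing brace of alert_text is outside this hunk.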
@@ -1531,26 +1566,47 @@ static void send_client_hello_and_alloc_hsd(tls_state_t *tls, const char *sni)
#endif
0x01,0x00, //not a cipher - comprtypes_len, comprtype
};
- static const uint8_t supported_groups[] = {
+ // https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml
+ static const uint8_t extensions[] = {
+ // is.gd responds with "handshake failure" to our hello if there's no supported_groups
0x00,0x0a, //extension_type: "supported_groups"
- 0x00,2 * (1 + ALLOW_CURVE_P256 + ALLOW_CURVE_X25519), //ext len
- 0x00,2 * (0 + ALLOW_CURVE_P256 + ALLOW_CURVE_X25519), //list len
+ 0x00,2 * (1 + ALLOW_CURVE_P256 + ALLOW_CURVE_X25519), //ext len
+ 0x00,2 * (0 + ALLOW_CURVE_P256 + ALLOW_CURVE_X25519), //list len
#if ALLOW_CURVE_P256
- 0x00,0x17, //curve_secp256r1 (aka P256, aka prime256v1)
+ 0x00,0x17, //curve_secp256r1 (aka P256, aka prime256v1)
#endif
- //0x00,0x18, //curve_secp384r1
- //0x00,0x19, //curve_secp521r1
+ //0x00,0x18, //curve_secp384r1
+ //0x00,0x19, //curve_secp521r1
#if ALLOW_CURVE_X25519
- 0x00,0x1d, //curve_x25519 (RFC 7748)
+ 0x00,0x1d, //curve_x25519 (RFC 7748)
+#endif
+ //0x00,0x1e, //curve_x448 (RFC 7748)
+
+ //0x00,0x0b,0x00,0x04,0x03,0x00,0x01,0x02, //extension_type: "ec_point_formats"
+ //0x00,0x16,0x00,0x00, //extension_type: "encrpypt-then-mac"
+ //0x00,0x17,0x00,0x00, //extension_type: "extended_master"
+ //0x00,0x23,0x00,0x00, //extension_type: "session_ticket"
+
+ // kojipkgs.fedoraproject.org responds with alert code 80 ("internal error")
+ // to our hello without signature_algorithms.
+ // It is satisfied with just 0x04,0x01.
+ 0x00,0x0d, //extension_type: "signature_algorithms" (RFC5246 section 7.4.1.4.1):
+#define SIGALGS (3 + 3 * ENABLE_FEATURE_TLS_SHA1)
+ 0x00,2 * (1 + SIGALGS), //ext len
+ 0x00,2 * (0 + SIGALGS), //list len
+ //Format: two bytes
+ // byte 1: 0:none,1:md5,2:sha1,3:sha224,4:sha256,5:sha384,6:sha512
+ // byte 2: 1:rsa,2:dsa,3:ecdsa
+ // (note that TLS 1.3 changes this, see RFC8446 section 4.2.3)
+#if ENABLE_FEATURE_TLS_SHA1
+ 0x02,0x01, //sha1 + rsa
+ 0x02,0x02, //sha1 + dsa
+ 0x02,0x03, //sha1 + ecdsa
#endif
- //0x00,0x1e, //curve_x448 (RFC 7748)
+ 0x04,0x01, //sha256 + rsa - kojipkgs.fedoraproject.org wants this
+ 0x04,0x02, //sha256 + dsa
+ 0x04,0x03, //sha256 + ecdsa
};
- //static const uint8_t signature_algorithms[] = {
- // 000d
- // 0020
- // 001e
- // 0601 0602 0603 0501 0502 0503 0401 0402 0403 0301 0302 0303 0201 0202 0203
- //};
struct client_hello {
uint8_t type;
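Review bot: With ENABLE_FEATURE_TLS_SHA1 enabled, the signature_algorithms list emits the three sha1 pairs before the sha256 pairs, and RFC 5246 section 7.4.1.4.1 says the pairs are listed in descending order of preference, so this hello tells the server that a SHA-1 signature is the client's first choice; moving the `#if ENABLE_FEATURE_TLS_SHA1` block below the three `0x04,0x0N` lines keeps the same set while preferring sha256. The `#define SIGALGS` placed inside the initializer is never undefined, so the name stays visible for the rest of the translation unit; an `#undef SIGALGS` after the array's `};` keeps it local to this table. The commented-out line `//0x00,0x16,0x00,0x00, //extension_type: "encrpypt-then-mac"` misspells the extension name. send_client_hello_and_alloc_hsd begins and ends outside this hunk.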
@@ -1591,8 +1647,7 @@ static void send_client_hello_and_alloc_hsd(tls_state_t *tls, const char *sni)
int sni_len = sni ? strnlen(sni, 127 - 5) : 0;
ext_len = 0;
- /* is.gd responds with "handshake failure" to our hello if there's no supported_groups element */
- ext_len += sizeof(supported_groups);
+ ext_len += sizeof(extensions);
if (sni_len)
ext_len += 9 + sni_len;
@@ -1626,7 +1681,7 @@ static void send_client_hello_and_alloc_hsd(tls_state_t *tls, const char *sni)
ptr[8] = sni_len; //name len
ptr = mempcpy(&ptr[9], sni, sni_len);
}
- memcpy(ptr, supported_groups, sizeof(supported_groups));
+ memcpy(ptr, extensions, sizeof(extensions));
tls->hsd = xzalloc(sizeof(*tls->hsd));
/* HANDSHAKE HASH: ^^^ + len if need to save saved_client_hello */
From vda.linux at googlemail.com Thu Sep 8 14:56:54 2022
From: vda.linux at googlemail.com (Denys Vlasenko)
Date: Thu, 8 Sep 2022 16:56:54 +0200
Subject: [git commit] tls: move definitions around, no code changes
Message-ID: <20220908145744.DE6CE82ACB@busybox.osuosl.org>
commit: https://git.busybox.net/busybox/commit/?id=c8c1fcdba163f264a503380bc63485aacd09214c
branch: https://git.busybox.net/busybox/commit/?id=refs/heads/master
Signed-off-by: Denys Vlasenko
---
networking/tls.c | 34 ++++++++++++----------------------
1 file changed, 12 insertions(+), 22 deletions(-)
diff --git a/networking/tls.c b/networking/tls.c
index 935ca76a4..8d074c058 100644
--- a/networking/tls.c
+++ b/networking/tls.c
@@ -1566,6 +1566,18 @@ static void send_client_hello_and_alloc_hsd(tls_state_t *tls, const char *sni)
#endif
0x01,0x00, //not a cipher - comprtypes_len, comprtype
};
+ struct client_hello {
+ uint8_t type;
+ uint8_t len24_hi, len24_mid, len24_lo;
+ uint8_t proto_maj, proto_min;
+ uint8_t rand32[32];
+ uint8_t session_id_len;
+ /* uint8_t session_id[]; */
+ uint8_t cipherid_len16_hi, cipherid_len16_lo;
+ uint8_t cipherid[2 * (1 + NUM_CIPHERS)]; /* actually variable */
+ uint8_t comprtypes_len;
+ uint8_t comprtypes[1]; /* actually variable */
+ };
// https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml
static const uint8_t extensions[] = {
// is.gd responds with "handshake failure" to our hello if there's no supported_groups
@@ -1606,28 +1618,6 @@ static void send_client_hello_and_alloc_hsd(tls_state_t *tls, const char *sni)
0x04,0x01, //sha256 + rsa - kojipkgs.fedoraproject.org wants this
0x04,0x02, //sha256 + dsa
0x04,0x03, //sha256 + ecdsa
- };
-
- struct client_hello {
- uint8_t type;
- uint8_t len24_hi, len24_mid, len24_lo;
- uint8_t proto_maj, proto_min;
- uint8_t rand32[32];
- uint8_t session_id_len;
- /* uint8_t session_id[]; */
- uint8_t cipherid_len16_hi, cipherid_len16_lo;
- uint8_t cipherid[2 * (1 + NUM_CIPHERS)]; /* actually variable */
- uint8_t comprtypes_len;
- uint8_t comprtypes[1]; /* actually variable */
- /* Extensions (SNI shown):
- * hi,lo // len of all extensions
- * 00,00 // extension_type: "Server Name"
- * 00,0e // list len (there can be more than one SNI)
- * 00,0c // len of 1st Server Name Indication
- * 00 // name type: host_name
- * 00,09 // name len
- * "localhost" // name
- */
// GNU Wget 1.18 to cdn.kernel.org sends these extensions:
// 0055
// 0005 0005 0100000000 - status_request
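Review bot: The `/* Extensions (SNI shown): ... */` comment documenting the server_name extension byte layout (total extension length, type 00,00, list length, entry length, host_name type, name length, name) is deleted in this hunk and not re-added where struct client_hello now lives in the first hunk, although the commit message promises no code changes and presumably the hand-built SNI bytes still follow that layout. Restoring it after `uint8_t comprtypes[1]; /* actually variable */` in the moved struct preserves the only description of that wire format visible here. send_client_hello_and_alloc_hsd starts and ends outside both hunks.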
From bugzilla at busybox.net Mon Sep 19 15:41:51 2022
From: bugzilla at busybox.net (bugzilla at busybox.net)
Date: Mon, 19 Sep 2022 15:41:51 +0000
Subject: [Bug 15001] New: netstat is vulnerable to escape sequence injection
(busybox)
Message-ID:
https://bugs.busybox.net/show_bug.cgi?id=15001
Bug ID: 15001
Summary: netstat is vulnerable to escape sequence injection
(busybox)
Product: Busybox
Version: unspecified
Hardware: All
URL: https://gitlab.alpinelinux.org/alpine/aports/-/issues/
13661
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: Other
Assignee: unassigned at busybox.net
Reporter: ajak at gentoo.org
CC: busybox-cvs at busybox.net
Target Milestone: ---
I'm relaying this from Alpine's bug tracker as it seems nobody ever reported
this upstream,
"Hey there,
Alpine ships BusyBox with the netstat applet enabled. This is vulnerable to
escape sequence injection when used from a VT-compatible terminal. To exploit
this vulnerability, the PTR record for a remote host must contain an escape sequence and
the victim has to execute netstat. I've set up an example at [elided] with the
PTR resolving to \027[33\;46mlocalhost.
$ dig -x [elided] @8.8.8.8
; <<>> DiG 9.16.25 <<>> -x [elided] @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59625
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;[elided]. IN PTR
;; ANSWER SECTION:
[elided]. 1 IN PTR \027[33\;46mlocalhost.
;; Query time: 55 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Apr 03 00:11:16 DST 2022
;; MSG SIZE rcvd: 132
If you try to ssh [elided] and run netstat -t while trying to establish the
connection from a different terminal, the second terminal will change the
background and font color. Other escape sequences may lead to code execution."
Alpine carries some patches but Ariadne says they're incorrect:
https://bugs.gentoo.org/836920
--
You are receiving this mail because:
You are on the CC list for the bug.
From bugzilla at busybox.net Mon Sep 19 15:45:13 2022
From: bugzilla at busybox.net (bugzilla at busybox.net)
Date: Mon, 19 Sep 2022 15:45:13 +0000
Subject: [Bug 15001] netstat is vulnerable to escape sequence injection
(busybox)
In-Reply-To:
References:
Message-ID:
https://bugs.busybox.net/show_bug.cgi?id=15001
John Helmert III changed:
What |Removed |Added
----------------------------------------------------------------------------
Alias| |CVE-2022-28391
--
You are receiving this mail because:
You are on the CC list for the bug.
From bugzilla at busybox.net Thu Sep 22 10:02:49 2022
From: bugzilla at busybox.net (bugzilla at busybox.net)
Date: Thu, 22 Sep 2022 10:02:49 +0000
Subject: [Bug 15011] New: Can't see the first line of a file with a long path
with less
Message-ID:
https://bugs.busybox.net/show_bug.cgi?id=15011
Bug ID: 15011
Summary: Can't see the first line of a file with a long path
with less
Product: Busybox
Version: 1.35.x
Hardware: All
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: Other
Assignee: unassigned at busybox.net
Reporter: yuri.kanivetsky at gmail.com
CC: busybox-cvs at busybox.net
Target Milestone: ---
Created attachment 9361
--> https://bugs.busybox.net/attachment.cgi?id=9361&action=edit
a screenshot of the way less looks in this case
$ docker run --rm -it alpine:3.16
$ mkdir -p some/looooooooooooooooooooooooooooooooooong
$ echo test > some/looooooooooooooooooooooooooooooooooong/path
$ less some/looooooooooooooooooooooooooooooooooong/path
Presumably the path should be truncated in some way.
Encountered while inspecting docker files, e.g.
/var/lib/registry/docker/registry/v2/repositories/i1/_layers/sha256/ca59306b586e89d56b5aa314ed33f922db000fd93a536514fcc2655a0d23c736/link.
--
You are receiving this mail because:
You are on the CC list for the bug.
From bugzilla at busybox.net Thu Sep 22 10:04:12 2022
From: bugzilla at busybox.net (bugzilla at busybox.net)
Date: Thu, 22 Sep 2022 10:04:12 +0000
Subject: [Bug 15011] Can't see the first line of a file with a long path with
less
In-Reply-To:
References:
Message-ID:
https://bugs.busybox.net/show_bug.cgi?id=15011
--- Comment #1 from Yuri Kanivetsky ---
Actually, here's an easier way to see the attached screenshot:
https://i.imgur.com/KM6vUaC.png
--
You are receiving this mail because:
You are on the CC list for the bug.
From bugzilla at busybox.net Tue Sep 27 07:19:12 2022
From: bugzilla at busybox.net (bugzilla at busybox.net)
Date: Tue, 27 Sep 2022 07:19:12 +0000
Subject: [Bug 15016] New: Busybox bc Calculator bc_error_at Function Uaf
Vulnerability
Message-ID:
https://bugs.busybox.net/show_bug.cgi?id=15016
Bug ID: 15016
Summary: Busybox bc Calculator bc_error_at Function Uaf
Vulnerability
Product: Busybox
Version: 1.33.x
Hardware: All
OS: Linux
Status: NEW
Severity: major
Priority: P5
Component: Standard Compliance
Assignee: unassigned at busybox.net
Reporter: sohu0106 at 126.com
CC: busybox-cvs at busybox.net
Target Milestone: ---
Created attachment 9366
--> https://bugs.busybox.net/attachment.cgi?id=9366&action=edit
poc
Busybox bc Calculator bc_error_at Function Uaf Vulnerability
busybox-master\busybox-1.33.1\miscutils\bc.c
At line 988, err_at points into the heap buffer referenced by the global G.prs.lex_next_at.
When the zxc_lex_next function assigns a new value, the old buffer is released (the ASan
trace below shows it freed by xrealloc), and the error-reporting branch then reads it after free.
miscutils/bc.c
/*
 * bc_error_at: report a parse/lex error, appending the text around the
 * lexer's current position when one is recorded.
 *
 * msg     the error message; printed verbatim, or followed by " at '...'"
 *         when G.prs.lex_next_at is non-NULL.
 * returns whatever bc_error_fmt returns when IF_ERROR_RETURN_POSSIBLE
 *         expands to `return`; what the macro expands to is not visible
 *         here -- confirm in bc.c.
 *
 * NOTE(review): err_at is only a copy of the pointer stored in G.prs; if
 * the buffer it points into is reallocated or freed between the time
 * zxc_lex_next stored it and this call, the '%.*s' read below is a
 * use-after-free -- this is what the ASan report in this bug shows
 * (freed by xrealloc, read at line 988).
 *
 * Listing as quoted in the bug report: the leading numbers are source
 * line numbers, and `bc_error_ fmt` / `er r_at` appear to be mail
 * extraction artifacts of bc_error_fmt / err_at.
 */
981 static ERRORFUNC int bc_error_at(const char *msg)
982 {
983 const char *err_at = G.prs.lex_next_at; // snapshot of the lexer's "next token" pointer
984 if (err_at) {
985 IF_ERROR_RETURN_POSSIBLE(return) bc_error_ fmt(
986 "%s at '%.*s'",
987 msg,
988 (int)(strchrnul(err_at, '\n') - er r_at), // length up to end of line; reads through err_at (the UAF site per ASan)
989 err_at
990 );
991 }
992 IF_ERROR_RETURN_POSSIBLE(return) bc_error_fmt("%s" , msg); // no position recorded: plain message
993 }
Freed Function is
libbb/xfuncs_printf.c
/* xrealloc: realloc() that aborts the process instead of returning NULL.
 * ptr  - block to resize (or NULL)
 * size - new size; a zero-size request is allowed to yield NULL
 * Returns the (possibly moved) block. Callers must not keep pointers into
 * the old block once this returns; the ASan trace below names line 61 as
 * the site that freed the buffer bc_error_at later read.
 * (Leading numbers are the source line numbers quoted in the bug report.)
 */
59 void* FAST_FUNC xrealloc(void *ptr, size_t size)
60 {
61 	void *grown = realloc(ptr, size);
62 	if (size != 0 && grown == NULL)
63 		bb_die_memory_exhausted();
64 	return grown;
65 }
66 #endif /* DMALLOC */
2. ASan report
./busybox_unstripped bc
out/default/crashes/id\:000000\,sig\:06\,src\:000554+000829\,time\:3480213\,execs\:390856\,op\:splice\,rep\:16
bc 1.33.1
bc 1.33.1
Adapted from https://github.com/gavinhoward/bc
Original code (c) 2018 Gavin D. Howard and contributors
=================================================================
==556554==ERROR: AddressSanitizer: heap-use-after-free on address
0x6030000002e0 at pc 0x7f0419528d4d bp 0x7ffd18813e60 sp 0x7ffd18813608
READ of size 2 at 0x6030000002e0 thread T0
#0 0x7f0419528d4c (/lib/x86_64-linux-gnu/libasan.so.5+0x73d4c)
#1 0x564f7483d148 in bc_error_at miscutils/bc.c:988
0x6030000002e0 is located 0 bytes inside of 32-byte region
[0x6030000002e0,0x603000000300)
freed by thread T0 here:
#0 0x7f04195c2ffe in __interceptor_realloc
(/lib/x86_64-linux-gnu/libasan.so.5+0x10dffe)
#1 0x564f747fd10c in xrealloc libbb/xfuncs_printf.c:61
previously allocated by thread T0 here:
#0 0x7f04195c2bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
#1 0x564f747fd074 in xmalloc libbb/xfuncs_printf.c:50
SUMMARY: AddressSanitizer: heap-use-after-free
(/lib/x86_64-linux-gnu/libasan.so.5+0x73d4c)
Shadow bytes around the buggy address:
0x0c067fff8000: fa fa 00 00 07 fa fa fa 00 00 06 fa fa fa 00 00
0x0c067fff8010: 07 fa fa fa 00 00 00 fa fa fa 00 00 06 fa fa fa
0x0c067fff8020: 00 00 00 01 fa fa 00 00 00 02 fa fa 00 00 00 01
0x0c067fff8030: fa fa 00 00 07 fa fa fa 00 00 04 fa fa fa 00 00
0x0c067fff8040: 00 01 fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa
=>0x0c067fff8050: 00 00 00 00 fa fa 00 00 00 00 fa fa[fd]fd fd fd
0x0c067fff8060: fa fa 00 00 00 00 fa fa fa fa fa fa fa fa fa fa
0x0c067fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==556554==ABORTING
--
You are receiving this mail because:
You are on the CC list for the bug.