Re: Backporting security fixes for 1_31_stable, 1_32_stable and 1_33_stable

xiechengliang xiechengliang1 at huawei.com
Thu Nov 11 12:33:28 UTC 2021


I asked one of the disclosers of these vulnerabilities by email, and he gave me the following results.

CVE                 fix
CVE-2021-42373      commit 4d4fc5ca5ee4f (man: fix segfault in "man 1")
CVE-2021-42374      commit 04f052c56ded (unlzma: fix a case where we could read before beginning of buffer)
CVE-2021-42375      commit 53a7a9cd8c15 (ash: parser: Fix VSLENGTH parsing with trailing garbage)
CVE-2021-42376      commit 1b7a9b68d0e9 (hush: fix handling of \^C and "^C")
CVE-2021-42377      commit 83a4967e5042 (hush: fix handling of "cmd && &")

CVE-2021-42378 to CVE-2021-42386: for the CVEs related to awk, he also doesn't know which patch is for each CVE.

The following is part of the original text of his email:
"BusyBox maintainers fixed our reported issues across multiple commits, especially for the awk utility, so it's not straightforward to find all of the fix commits easily."

Can anyone point out the fix commits for the awk-related CVEs?

-----Original Message-----
From: busybox [mailto:busybox-bounces at busybox.net] On Behalf Of Natanael Copa
Sent: 2021-11-11 18:44
To: busybox at busybox.net
Subject: Backporting security fixes for 1_31_stable, 1_32_stable and 1_33_stable

Hi!

There are a number of security issues published that affect busybox older than 1.34.

https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/

I am interested in backporting the fixes to alpine linux stable branches, which means that I'd like to backport the fixes for:
- 1_33_stable
- 1_32_stable
- 1_31_stable

So I am trying to find the exact commits that fix each CVE so I can document that we fix everything. But I need some help with identifying the exact commit that fixes each CVE.

I believe others are interested in this as well so I'm sharing my findings here.

CVE-2021-42373:	A NULL pointer dereference in man leads to
                denial of service when a section name is supplied but
                no page argument is given

		man	1.33.0-1.33.1

This issue does not affect alpine linux because we don't have `man` applet enabled. The upstream fix seems to be: 

commit 4d4fc5ca5ee4f (man: fix segfault in "man 1")



CVE-2021-42374:	An out-of-bounds heap read in unlzma leads to
                information leak and denial of service when crafted
                LZMA-compressed input is decompressed. This can be
                triggered by any applet/format that internally supports
                LZMA compression.

		lzma/unlzma and more	1.27.0-1.33.1

Upstream fix seems to be commit 04f052c56ded (unlzma: fix a case where we could read before beginning of buffer)


CVE-2021-42375:	An incorrect handling of a special element in
                ash leads to denial of service when processing a
                crafted shell command, due to the shell mistaking
                specific characters for reserved characters. This may
                be used for DoS under rare conditions of filtered
                command input.

		ash	1.33.1

Does anyone know which commit fixes this? It should be one of those, but I have no clue which:

76ef4391548ded8db511e2f7f8f35a3010be7ec5 ash: regressions in process substitution
53d45c934f54b7931cc736eba42903cb1f6d4632 ash: speed up ${v//pattern/repl}
1310d7b1d106d7ab0ec84ce88c12302cca934230 ash: speed up ${v//pattern/repl} if !ASH_OPTIMIZE_FOR_SIZE
53a7a9cd8c15d64fcc2278cf8981ba526dfbe0d2 ash: parser: Fix VSLENGTH parsing with trailing garbage
ad57e4e4b23926002ce72979729b017520bef1d0 ash: revert accidental change (should have been separate)
96436fb36a5fa0ac8e993fb093b4788fb5448afe e2fsprogs/*: remove ioctl calling obfuscation
1f60d88cf6f5ad3efcad6e7ef1501ce334046e40 *: more --help tweaks
e2b9215868a3d72691e5bc0f887354254606447b *: --help tweaks
457825f77a7c7286647ee888a1000a6bb12ca8fc shells: do not allow bare "read" in non-bash compat configs
a1b0d3856d9a0419cb74bf4c87525265871b5868 ash: add process substitution in bash-compatibility mode
33745b1fc8cc6d41f4e708d67800d296668af2ce ash: placate -Werror=format-security
2b7c1aa92c68524559a2067609d09309d5c09adc ash: match bash behavior for ${empty_var/*/repl}
4e039bab375a273344b6c847daa04f13d8317c04 ash: improve --help
85158b600d161bea3fc9d62df8e4ecf4d642fbf0 ash: code shrink
3c13da3dab539eac948de48640d8862857d0c8d0 libbb: introduce and use xgettimeofday(), do not truncate 64-bit time_t in shells

I would guess it is "ash: parser: Fix VSLENGTH parsing with trailing garbage". Can someone confirm that?



We don't use hush in alpine linux, but someone else might be interested in backporting those.

CVE-2021-42376:	A NULL pointer dereference in hush leads to
                denial of service when processing a crafted shell
                command, due to missing validation after a \x03
                delimiter character. This may be used for DoS under
                very rare conditions of filtered command input.
                
		hush	1.16-1.31.1

I guess this is commit 1b7a9b68d0e9 (hush: fix handling of \^C and "^C")?


CVE-2021-42377:	An attacker-controlled pointer free in hush
		leads to denial of service and possible code execution
		when processing a crafted shell command, due to the
		shell mishandling the &&& string. This may be used for
		remote code execution under rare conditions of filtered
		command input.

		hush	1.33.0-1.33.1

I guess this is commit 83a4967e5042 (hush: fix handling of "cmd && &")?




The list of awk fixes is a bit more complicated. I have no clue which of the following commits fixes which CVE:

$ git log --format=oneline 1_33_0..1_34_0 -- editors/awk.c
dabbeeb79356eef78528acd55e1f143ae80372f7 awk: whitespace and debugging tweaks
d3480dd58211d9d8c06ec7ef00089262603003ff awk: disallow break/continue outside of loops
d62627487a44d9175b05d49846aeef83fed97019 awk: tighten parsing - disallow extra semicolons
ab755e3717cefc06fd28ce8db56f0402412afaa3 awk: in parsing, remove superfluous NEWLINE check; optimize builtin arg evaluation
8d269ef85984f6476e7fdbec2c5a70f3b5c48a72 awk: fix printf "%-10c", 0
caa93ecdd3a9b998a69dcbfafdddbc9c58887ec3 awk: fix corner case in awk_printf
39aabfe8f033c9c62acf676b660dc979714d26a7 awk: unbreak "cmd" | getline
4ef8841b21e27e7c7f58d3c9901c833b4fa5a862 awk: unbreak "printf('%c') can output NUL" testcase
3d57a8490738d9febaa4496eba791e4fbfc91826 awk: undo TI_PRINT, it introduced a bug (print with any redirect acting as printf)
49c3ce64f092fd5434fc67056f312bd32f82bae3 awk: rollback_token() + chain_group() == chain_until_rbrace()
e2e3802987266c98df0efdf40ad5da4b07df0113 awk: fix printf buffer overflow
08ca313d7edb99687068b93b5d2435b59f3db23a awk: simplify tests for operation class
cb042b05828c4c89320bc9c7454c04c2761bbb9a awk: restore strdup elision optimization in assignment
90404ed2f62a872ffd9a555660b7ce17fae372d8 awk: match(): code shrink
0e3ef4efb061366bfa4b9609fe3a03f3a1e40f0e awk: rand(): 64-bit constants should be ULL
2211fa70ccad29fc7bccd34c13141850ebb199da awk: do not use a copy of g_progname for node->l.new_progname
e1e7ad6b6005b2265667040fc9d7f69b73b0d5b0 awk: support %F %a %A in printf
1f765709ed9c9595647853ac2cd7905f218c3044 awk: open-code TS_OPTERM, no logic changes
2b65e73db3254a7228802886546152c72217017d awk: tighten rules in action parsing
717200eb43c9420773c0f8b751aadabba3052027 awk: rename GRPSTART/END to L/RBRACE, no code changes
b705bf55395bf338f9b9888d87e418f67d4f1a29 awk: move match() code out-of-line
646429e05e2f62250da80aa8d98111f3a9818e9a awk: use smaller regmatch_t arrays, they had 2 elements for no apparent reason
a5d7b0f4f4e9728c3eb7a06d38227d9f3351e677 awk: fix detection of VAR=VAL arguments
4d902ea9def573cd15271177abbfa50fbf30c84f awk: fix beavior of "exit" without parameter
8bb03da906e1f8f750123214b15a19d7d4e166c1 awk: rand() could return 1.0, fix this - should be in [0,1)
37ae8cdc6e428e68ad76f6b446881ecff305ebd3 awk: beautify builtins table, no code changes
47d9133896f0de6b17393309193051e4bd52015e awk: enforce simple builtins' argument number
786ca197ad1305607efaccb067c19931d9e765b1 awk: make builtin definitions more understandable, no code changes
640212ae0ea8a1b47cd73a080d77b25b9f3ccd40 awk: do not special-case "delete"
ef5463cf16f88c0992b2073a30ab6081c86fdf23 awk: shuffle globals for smaller offsets
966cafcc77d8cda5d1a95bc73080e9a9b9010a45 awk: use "static" tmpvars in main and exit
1193c68fa718ff16c47aba23f8532bf1568f294e awk: when parsing length(), simplify eating of LPAREN
40573556f2a67b11319785e0479b7087d02c060e awk: shuffle functions to reduce forward declarations, no code changes
8b4c429025c233640bd5c5838552f34683a06fc0 awk: use static tmpvars instead of nvalloc(1)ed ones
1573487e2100892d06e3628828690692313a48d5 awk: rename temp variables, no code changes
d7354df169603807fe2ac4f8a0f9f72c9703184f awk: evaluate all, even superfluous function args
ca9278ee5855a91a5521960d3743809f47ed27b8 awk: rewrite "print" logic a bit to make it clearer
d1507101695f6bad35a61c4770b7d3913597ac16 awk: allow empty fuinctions with no arguments, disallow function redefinitions
86fc2872b33224cfa5442700c2a8abd020cbf900 awk: replace incorrect use of union in undefined function check (no code changes)
6cf6f1eaee1f6be2b936c2ff0e5852c00740edb4 awk: remove custom pool allocator for temporary awk variables
3aff3b9cb81c1f574aaafaf3981e755c6639e2bc awk: assorted optimizations
b3c91a127f8baecee0265ba92898ae1e718bdb31 awk: free unused parsing structures after parse is done
21fbee2e87ddf7b47bb501b6529b63ac2b3af0bd awk: document which hashes are used at what state (parse/execute)
6872c193a935df47facf717c15a32f93b43c6bcf awk: fix parsing of expressions such as "v (a)"
686287b5da98508dd03fb295745c82d00440131e awk: deindent a block, no code changes
216d3d8ad9b7d0346cf439ccaca18d0a263e7608 awk: code shrink
4f27503a1ecab8dfe373a349df3d8fe3c22e2160 awk: get rid of "move name one char back" trick in next_token()
f414fb4411e65662b44f038ed3175789172edc20 awk: when parsing TC_FUNCTION token, eat its opening '('
cb6061a4e9860bf3d529109b34103ce3bde6d735 awk: g_buf[] does not need a separate allocation
926420795b4191e045d4a316bfed19f84275a185 awk: simplify parsing of function declaration
9782cb7774f00a3e777e3d764ccce15055a29977 awk: rename TC_SEQSTART/END to L/RPAREN, no code changes
a493441ca52adca7df3976c668f2e7c48d1b67a1 awk: deindent code block, no code changes
adcd9a6f349f3f2715a586b45fb27350b37cf1e5 awk: use TS_foo for combined token classes. No code changes
832cb4fcb98d2845bd3f9d244593fc1b5f362ca0 awk: make ltclass ("last token class") local to next_token()
af0172369eb024fff3c8c2cd2c8765a7fde5a9f5 awk: remove redundant check
78645d8371e69ce82841b66aa5ef69c02055f5bc awk: move locals deeper into scopes where they are used, no logic changes
8c5da0323bf2da02c40c587c5694b22e3ec623fb awk: more efficient -f FILE, document what "some trick in next_token" is
ac4786ba002620eb4c046c847e69d6a12ea0e322 qwk: make code clearer, no actual code changes
fd217c1cbf7a702ad632bb21f7757433de1755b7 awk: after preinc/dec, only allow variable, field ref, array ref, or another preinc/dec
a885ce1af05c4eaa5ebcf883cb3da3433ca1c48b awk: fix use-after-free in "$BIGNUM1 $BIGGERNUM2" concat op
e8fe9f96356a6b19ec907ea30cffc829c539a7ff awk: allow printf('%c') to output NUL, closes 13486



CVE-2021-42378:	A use-after-free in awk leads to denial of
		service and possibly code execution when processing a
		crafted awk pattern in the getvar_i function

		awk	1.16-1.33.1

CVE-2021-42379:	A use-after-free in awk leads to denial of
		service and possibly code execution when processing a
		crafted awk pattern in the next_input_file
		function

		awk 1.18-1.33.1

CVE-2021-42380:	A use-after-free in awk leads to denial of
		service and possibly code execution when processing a
		crafted awk pattern in the clrvar function

		awk	1.28-1.33.1

CVE-2021-42381:	A use-after-free in awk leads to denial of
		service and possibly code execution when processing a
		crafted awk pattern in the hash_init function

		awk	1.21-1.33.1

CVE-2021-42382:	A use-after-free in awk leads to denial of
		service and possibly code execution when processing a
		crafted awk pattern in the getvar_s function

		awk	1.26-1.33.1

CVE-2021-42383:	A use-after-free in awk leads to denial of
		service and possibly code execution when processing a
		crafted awk pattern in the evaluate function

		awk	1.33.1

NOTE:		I think this is a bit peculiar. It is claimed that
		1.33.0 is not affected (compare with CVE-2021-42377),
		which means that 1.33.1 would introduce this problem.
		However, there are no changes in awk between 1.33.0 and
		1.33.1.

CVE-2021-42384:	A use-after-free in awk leads to denial of
		service and possibly code execution when processing a
		crafted awk pattern in the handle_special
		function

		awk 1.18-1.33.1

CVE-2021-42385:	A use-after-free in awk leads to denial of
		service and possibly code execution when processing a
		crafted awk pattern in the evaluate function

		awk	1.16-1.33.1

CVE-2021-42386:	A use-after-free in awk leads to denial of
		service and possibly code execution when processing a
		crafted awk pattern in the nvalloc function

		awk	1.16-1.33.1



If I get some help identifying exactly which commits fix each issue,
I'll try to cherry-pick them to the 1_31_stable - 1_33_stable branches and
submit patches so they can be applied upstream in those branches.

_______________________________________________
busybox mailing list
busybox at busybox.net
http://lists.busybox.net/mailman/listinfo/busybox
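One way to narrow the quoted awk commit list to the commits that actually touched the function each CVE description names, added here as an example and not code from the thread or from busybox; it assumes a busybox git checkout (path is a placeholder) and git 1.8.5 or newer for -C and -L:

```shell
#!/bin/sh
# Added example; not code from busybox or from the posters. It narrows a
# commit range (e.g. 1_33_0..1_34_0) to the commits that changed one named
# C function, using git's line-level history (git log -L :<funcname>:<file>).
# The awk CVE descriptions name the affected function, so each CVE gets a
# short candidate list instead of the whole editors/awk.c log.
# Assumes a busybox checkout at $REPO and git >= 1.8.5 (-C and -L).

# Print "<abbrev-hash> <subject>" for every commit in RANGE that changed
# the body of function FUNC in FILE.
commits_touching_function() {
    repo=$1 range=$2 file=$3 func=$4
    # -L takes a regex matched against function-header lines; "[(]" keeps
    # getvar_i from also matching getvar_i_int. The COMMIT: prefix marks the
    # header so the diff hunks that -L always prints can be dropped.
    git -C "$repo" log --format="COMMIT:%h %s" \
        -L ":$func[(]:$file" "$range" | sed -n 's/^COMMIT://p'
}

# CVE -> affected function, taken from the descriptions in the thread.
awk_cve_functions() {
    cat <<'EOF'
CVE-2021-42378 getvar_i
CVE-2021-42379 next_input_file
CVE-2021-42380 clrvar
CVE-2021-42381 hash_init
CVE-2021-42382 getvar_s
CVE-2021-42383 evaluate
CVE-2021-42384 handle_special
CVE-2021-42385 evaluate
CVE-2021-42386 nvalloc
EOF
}

# For each awk CVE, list the commits in RANGE that touched its function.
awk_cve_candidates() {
    repo=$1 range=$2
    awk_cve_functions | while read -r cve func; do
        printf '== %s (%s) ==\n' "$cve" "$func"
        commits_touching_function "$repo" "$range" editors/awk.c "$func"
    done
}

# Example invocation (checkout path is a placeholder):
# awk_cve_candidates /path/to/busybox 1_33_0..1_34_0
```

These are candidates only: a commit that touched a function is not necessarily the fix, and a fix may live in a caller instead, so read each diff before cherry-picking.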

