From bugzilla at busybox.net Fri Feb 10 02:19:42 2023
From: bugzilla at busybox.net (bugzilla at busybox.net)
Date: Fri, 10 Feb 2023 02:19:42 +0000
Subject: [Bug 15326] New: Buffer overflow with _FORTIFY_SOURCE=3 in fixdep
Message-ID:
https://bugs.busybox.net/show_bug.cgi?id=15326
Bug ID: 15326
Host: x86_64-pc-linux-gnu
Build: x86_64-pc-linux-gnu
Summary: Buffer overflow with _FORTIFY_SOURCE=3 in fixdep
Product: Busybox
Version: 1.35.x
Hardware: All
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: Other
Assignee: unassigned at busybox.net
Reporter: sam at gentoo.org
CC: busybox-cvs at busybox.net
Target Milestone: ---
I reported this downstream first in Gentoo at https://bugs.gentoo.org/893776.
Every few attempts (not every time) to build busybox recently, I get:
```
make -j32 -l32 -j1 -s allyesconfig SKIP_SELINUX=y
*** buffer overflow detected ***: terminated
Aborted (core dumped)
make[1]: *** [scripts/Makefile.host:104: scripts/basic/docproc] Error 134
make: *** [Makefile:357: scripts_basic] Error 2
```
Isolating the command which crashes:
```
# gdb --args scripts/basic/fixdep scripts/kconfig/.kxgettext.o.d
scripts/kconfig/kxgettext.o $'x86_64-pc-linux-gnu-gcc
-Wp,-MD,scripts/kconfig/.kxgettext.o.d -O2 -ggdb3 -c -o
scripts/kconfig/kxgettext.o scripts/kconfig/kxgettext.c'
[...]
cmd_scripts/kconfig/kxgettext.o := x86_64-pc-linux-gnu-gcc
-Wp,-MD,scripts/kconfig/.kxgettext.o.d -O2 -ggdb3 -c -o
scripts/kconfig/kxgettext.o scripts/kconfig/kxgettext.c
deps_scripts/kconfig/kxgettext.o := \
scripts/kconfig/kxgettext.c \
/usr/include/gentoo/fortify.h \
/usr/include/stdlib.h \
/usr/include/bits/libc-header-start.h \
/usr/include/features.h \
/usr/include/features-time64.h \
/usr/include/bits/wordsize.h \
/usr/include/bits/timesize.h \
/usr/include/stdc-predef.h \
/usr/include/sys/cdefs.h \
/usr/include/bits/long-double.h \
/usr/include/gnu/stubs.h \
/usr/include/gnu/stubs-64.h \
/usr/lib/llvm/16/bin/../../../../lib/clang/16/include/stddef.h \
/usr/include/bits/waitflags.h \
/usr/include/bits/waitstatus.h \
/usr/include/bits/floatn.h \
/usr/include/bits/floatn-common.h \
/usr/include/sys/types.h \
/usr/include/bits/types.h \
/usr/include/bits/typesizes.h \
/usr/include/bits/time64.h \
/usr/include/bits/types/clock_t.h \
/usr/include/bits/types/clockid_t.h \
/usr/include/bits/types/time_t.h \
/usr/include/bits/types/timer_t.h \
/usr/include/bits/stdint-intn.h \
/usr/include/endian.h \
/usr/include/bits/endian.h \
/usr/include/bits/endianness.h \
/usr/include/bits/byteswap.h \
/usr/include/bits/uintn-identity.h \
/usr/include/sys/select.h \
/usr/include/bits/select.h \
/usr/include/bits/types/sigset_t.h \
/usr/include/bits/types/__sigset_t.h \
/usr/include/bits/types/struct_timeval.h \
/usr/include/bits/types/struct_timespec.h \
/usr/include/bits/select2.h \
/usr/include/bits/pthreadtypes.h \
/usr/include/bits/thread-shared-types.h \
/usr/include/bits/pthreadtypes-arch.h \
/usr/include/bits/atomic_wide_counter.h \
/usr/include/bits/struct_mutex.h \
/usr/include/bits/struct_rwlock.h \
/usr/include/alloca.h \
/usr/include/bits/stdlib-bsearch.h \
/usr/include/bits/stdlib-float.h \
/usr/include/bits/stdlib.h \
/usr/include/string.h \
/usr/include/bits/types/locale_t.h \
/usr/include/bits/types/__locale_t.h \
/usr/include/strings.h \
/usr/include/bits/strings_fortified.h \
/usr/include/bits/string_fortified.h \
scripts/kconfig/lkc.h \
scripts/kconfig/expr.h \
/usr/include/stdio.h \
/usr/lib/llvm/16/bin/../../../../lib/clang/16/include/stdarg.h \
/usr/include/bits/types/__fpos_t.h \
/usr/include/bits/types/__mbstate_t.h \
/usr/include/bits/types/__fpos64_t.h \
/usr/include/bits/types/__FILE.h \
/usr/include/bits/types/FILE.h \
/usr/include/bits/types/struct_FILE.h \
/usr/include/bits/stdio_lim.h \
/usr/include/bits/stdio2-decl.h \
/usr/include/bits/stdio.h \
/usr/include/bits/stdio2.h \
/usr/lib/llvm/16/bin/../../../../lib/clang/16/include/stdbool.h \
/usr/include/libintl.h \
/usr/include/locale.h \
/usr/include/bits/locale.h \
scripts/kconfig/lkc_proto.h \
*** buffer overflow detected ***: terminated
Program received signal SIGABRT, Aborted.
0x00007ffff7e40f0c in ?? () from /usr/lib64/libc.so.6
(gdb) bt
#0 0x00007ffff7e40f0c in ?? () from /usr/lib64/libc.so.6
#1 0x00007ffff7defae6 in raise () from /usr/lib64/libc.so.6
#2 0x00007ffff7dd8877 in abort () from /usr/lib64/libc.so.6
#3 0x00007ffff7dd97b8 in ?? () from /usr/lib64/libc.so.6
#4 0x00007ffff7ed415b in __fortify_fail () from /usr/lib64/libc.so.6
#5 0x00007ffff7ed28c6 in __chk_fail () from /usr/lib64/libc.so.6
#6 0x0000555555555b92 in memcpy (__len=18446744073709551614, __src=, __dest=0x7fffffffd5f0) at /usr/include/bits/string_fortified.h:29
#7 parse_dep_file (map=map at entry=0x7ffff7fc3000, len=) at
scripts/basic/fixdep.c:341
#8 0x0000555555555dd9 in print_deps () at scripts/basic/fixdep.c:379
#9 0x00005555555552d8 in main (argc=, argv=) at
scripts/basic/fixdep.c:411
(gdb)
```
Note the large length in memcpy:
```
(gdb) b /usr/include/bits/string_fortified.h:29 if __len >= 100
warning: failed to validate condition at location 1, disabling:
No symbol "__len" in current context.
Breakpoint 1 at 0x555555555587: /usr/include/bits/string_fortified.h:29. (4
locations)
(gdb) r
Breakpoint 1.4, memcpy (__len=18446744073709551614, __src=0x7ffff7fc3a24,
__dest=0x7fffffffd5f0) at /usr/include/bits/string_fortified.h:29
29 return __builtin___memcpy_chk (__dest, __src, __len,
(gdb) bt full
#0 memcpy (__len=18446744073709551614, __src=0x7ffff7fc3a24,
__dest=0x7fffffffd5f0) at /usr/include/bits/string_fortified.h:29
No locals.
#1 parse_dep_file (map=map at entry=0x7ffff7fc3000, len=) at
scripts/basic/fixdep.c:341
m = 0x7ffff7fc3a24 ""
end = 0x7ffff7fc3a24 ""
p = 0x7ffff7fc3a22 "\n\n"
s = 0x7fffffffd5f0 "scripts/kconfig/lkc_proto.h"
#2 0x0000555555555dd9 in print_deps () at scripts/basic/fixdep.c:379
st = {st_dev = 64512, st_ino = 1074419, st_nlink = 1, st_mode = 33188,
st_uid = 250, st_gid = 250, __pad0 = 0, st_rdev = 0, st_size = 2596, st_blksize
= 4096, st_blocks = 8, st_atim = {
tv_sec = 1675994249, tv_nsec = 352732056}, st_mtim = {tv_sec =
1675994249, tv_nsec = 352732056}, st_ctim = {tv_sec = 1675994249, tv_nsec =
352732056}, __glibc_reserved = {0, 0, 0}}
fd = 3
map = 0x7ffff7fc3000
#3 0x00005555555552d8 in main (argc=, argv=) at
scripts/basic/fixdep.c:411
No locals.
(gdb)
```
I've uploaded a copy of the unpacked source tarball with the needed dep files
at
https://dev.gentoo.org/~sam/bugs/busybox/busybox-1.35.0-bug893776-fortify-source.tar.xz.
From bugzilla at busybox.net Fri Feb 10 02:25:54 2023
From: bugzilla at busybox.net (bugzilla at busybox.net)
Date: Fri, 10 Feb 2023 02:25:54 +0000
Subject: [Bug 15326] Buffer overflow with _FORTIFY_SOURCE=3 in fixdep
In-Reply-To:
References:
Message-ID:
https://bugs.busybox.net/show_bug.cgi?id=15326
--- Comment #1 from Sam James ---
I can reproduce in a fresh tarball of 1.36.0 after untarring with:
1. make HOSTCCFLAGS="-O2 -ggdb3 -D_FORTIFY_SOURCE=3" scripts_basic
2. cp /tmp/kxgettext.o.d scripts/kconfig/
3. scripts/basic/fixdep scripts/kconfig/.kxgettext.o.d
scripts/kconfig/kxgettext.o $'x86_64-pc-linux-gnu-gcc
-Wp,-MD,scripts/kconfig/.kxgettext.o.d -O2 -ggdb3 -c -o
scripts/kconfig/kxgettext.o scripts/kconfig/kxgettext.c'
From bugzilla at busybox.net Fri Feb 10 02:29:36 2023
From: bugzilla at busybox.net (bugzilla at busybox.net)
Date: Fri, 10 Feb 2023 02:29:36 +0000
Subject: [Bug 15326] Buffer overflow with _FORTIFY_SOURCE=3 in fixdep
In-Reply-To:
References:
Message-ID:
https://bugs.busybox.net/show_bug.cgi?id=15326
--- Comment #2 from Sam James ---
Created attachment 9501
--> https://bugs.busybox.net/attachment.cgi?id=9501&action=edit
/tmp/kxgettext.o.d
From bugzilla at busybox.net Fri Feb 10 02:34:29 2023
From: bugzilla at busybox.net (bugzilla at busybox.net)
Date: Fri, 10 Feb 2023 02:34:29 +0000
Subject: [Bug 15326] Buffer overflow with _FORTIFY_SOURCE=3 in fixdep
In-Reply-To:
References:
Message-ID:
https://bugs.busybox.net/show_bug.cgi?id=15326
--- Comment #3 from Sam James ---
fwiw I can reproduce with:
- gcc 13.0.1 20230205 (unreleased)
- gcc 12.2.1 20230204
- clang 15.0.7
From bugzilla at busybox.net Fri Feb 10 02:35:07 2023
From: bugzilla at busybox.net (bugzilla at busybox.net)
Date: Fri, 10 Feb 2023 02:35:07 +0000
Subject: [Bug 15326] Buffer overflow with _FORTIFY_SOURCE=3 in fixdep
In-Reply-To:
References:
Message-ID:
https://bugs.busybox.net/show_bug.cgi?id=15326
--- Comment #4 from Sam James ---
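... and without FORTIFY_SOURCE, it just corrupts the stack (the faulting address below decodes as the ASCII bytes "roto.h", apparently the tail of a dependency path):
```
Program received signal SIGSEGV, Segmentation fault.
0x0000682e6f746f72 in ?? ()
(gdb) bt
#0 0x0000682e6f746f72 in ?? ()
#1 0x0000000000000000 in ?? ()
```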
From bugzilla at busybox.net Fri Feb 10 02:52:13 2023
From: bugzilla at busybox.net (bugzilla at busybox.net)
Date: Fri, 10 Feb 2023 02:52:13 +0000
Subject: [Bug 15326] Buffer overflow with _FORTIFY_SOURCE=3 in fixdep
In-Reply-To:
References:
Message-ID:
https://bugs.busybox.net/show_bug.cgi?id=15326
--- Comment #5 from Sam James ---
huh, I can get it to crash with scripts/kconfig/.kxgettext.o.d as:
```
/tmp/garbage: \
/usr/include/stdlib.h \
```
```
# scripts/basic/fixdep scripts/kconfig/.kxgettext.o.d
scripts/kconfig/kxgettext.o $'clang-15 -Wp,-MD,scripts/kconfig/.kxgettext.o.d
-O2 -ggdb3 -c -o scripts/kconfig/kxqgettext.o scripts/kconfig/kxgettext.c'
cmd_scripts/kconfig/kxgettext.o := clang-15
-Wp,-MD,scripts/kconfig/.kxgettext.o.d -O2 -ggdb3 -c -o
scripts/kconfig/kxqgettext.o scripts/kconfig/kxgettext.c
deps_scripts/kconfig/kxgettext.o := \
/usr/include/stdlib.h \
Segmentation fault (core dumped)
```
From vda.linux at googlemail.com Mon Feb 13 14:05:19 2023
From: vda.linux at googlemail.com (Denys Vlasenko)
Date: Mon, 13 Feb 2023 15:05:19 +0100
Subject: [git commit] top: stop using div() from libc,
compilers now do it better
Message-ID: <20230213140547.A5F8385C77@busybox.osuosl.org>
commit: https://git.busybox.net/busybox/commit/?id=669c40ed8ebf480c95ce36135104e474e361a7e6
branch: https://git.busybox.net/busybox/commit/?id=refs/heads/master
function old new delta
div 23 - -23
display_process_list 1237 1178 -59
------------------------------------------------------------------------------
(add/remove: 0/2 grow/shrink: 0/1 up/down: 0/-82) Total: -82 bytes
Signed-off-by: Denys Vlasenko
---
procps/top.c | 25 ++++++++++++++++---------
1 file changed, 16 insertions(+), 9 deletions(-)
diff --git a/procps/top.c b/procps/top.c
index ff775422c..6d25d9633 100644
--- a/procps/top.c
+++ b/procps/top.c
@@ -619,17 +619,15 @@ static NOINLINE void display_process_list(int lines_rem, int scr_width)
unsigned busy_jifs;
#endif
- /* what info of the processes is shown */
- printf(OPT_BATCH_MODE ? "%.*s" : ESC"[7m" "%.*s" ESC"[m", scr_width,
- " PID PPID USER STAT VSZ %VSZ"
- IF_FEATURE_TOP_SMP_PROCESS(" CPU")
- IF_FEATURE_TOP_CPU_USAGE_PERCENTAGE(" %CPU")
- " COMMAND");
- lines_rem--;
-
#if ENABLE_FEATURE_TOP_DECIMALS
# define UPSCALE 1000
-# define CALC_STAT(name, val) div_t name = div((val), 10)
+typedef struct { unsigned quot, rem; } bb_div_t;
+/* Used to have "div_t name = div((val), 10)" here
+ * (IOW: intended to use libc-compatible way to divide and use
+ * both result and remainder, but musl does not inline div()...)
+ * Oh well. Modern compilers detect "N/d, N%d" idiom by themselves:
+ */
+# define CALC_STAT(name, val) bb_div_t name = { (val) / 10, (val) % 10 }
# define SHOW_STAT(name) name.quot, '0'+name.rem
# define FMT "%3u.%c"
#else
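Review bot: `CALC_STAT(name, val)` now expands `val` twice (`(val) / 10` and `(val) % 10`), where the old `div((val), 10)` evaluated it once, so an argument with side effects would run twice; the call sites are outside this hunk, so this is a caution rather than a confirmed defect. The fields of `bb_div_t` are `unsigned` where `div_t` had `int`, which matches the `%3u` in `FMT` but changes the result for a negative `val`. A short comment above the macro would record both constraints, e.g. `/* NB: evaluates val twice; val must be non-negative and free of side effects */`. The `#if` block and `display_process_list` continue past the hunk.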
@@ -638,6 +636,15 @@ static NOINLINE void display_process_list(int lines_rem, int scr_width)
# define SHOW_STAT(name) name
# define FMT "%4u%%"
#endif
+
+ /* what info of the processes is shown */
+ printf(OPT_BATCH_MODE ? "%.*s" : ESC"[7m" "%.*s" ESC"[m", scr_width,
+ " PID PPID USER STAT VSZ %VSZ"
+ IF_FEATURE_TOP_SMP_PROCESS(" CPU")
+ IF_FEATURE_TOP_CPU_USAGE_PERCENTAGE(" %CPU")
+ " COMMAND");
+ lines_rem--;
+
/*
* %VSZ = s->vsz/MemTotal
*/
From bugzilla at busybox.net Tue Feb 14 10:27:05 2023
From: bugzilla at busybox.net (bugzilla at busybox.net)
Date: Tue, 14 Feb 2023 10:27:05 +0000
Subject: [Bug 15336] New: unzip security issue
Message-ID:
https://bugs.busybox.net/show_bug.cgi?id=15336
Bug ID: 15336
Summary: unzip security issue
Product: Busybox
Version: 1.35.x
Hardware: All
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: Other
Assignee: unassigned at busybox.net
Reporter: nimrod.stoler at cyberark.com
CC: busybox-cvs at busybox.net
Target Milestone: ---
Hello,
During our review of an embedded product we discovered that we can escalate our
privileges using busybox's unzip utility.
We would like to disclose the specifics to you or to whoever handles
security on your side.
From bugzilla at busybox.net Thu Feb 16 11:00:26 2023
From: bugzilla at busybox.net (bugzilla at busybox.net)
Date: Thu, 16 Feb 2023 11:00:26 +0000
Subject: [Bug 15341] New: busybox - 1.36.x - miscutils/seedrng.c: fix
include error on glibc < 2.25
Message-ID:
https://bugs.busybox.net/show_bug.cgi?id=15341
Bug ID: 15341
Summary: busybox - 1.36.x - miscutils/seedrng.c: fix
include error on glibc < 2.25
Product: Busybox
Version: unspecified
Hardware: All
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: Other
Assignee: unassigned at busybox.net
Reporter: thomas.devoogdt at barco.com
CC: busybox-cvs at busybox.net
Target Milestone: ---
Created attachment 9511
--> https://bugs.busybox.net/attachment.cgi?id=9511&action=edit
0001-miscutils-seedrng.c-fix-sys-random.h-include-error-o.patch
getrandom() was introduced in version 3.17 of the Linux kernel.
Support was added to glibc in version 2.25.
https://man7.org/linux/man-pages/man2/getrandom.2.html
Since commit:
https://git.busybox.net/busybox/commit/?id=4b407bacd4c1628782d24c3e044e43780bb057a4
From bugzilla at busybox.net Thu Feb 16 11:37:07 2023
From: bugzilla at busybox.net (bugzilla at busybox.net)
Date: Thu, 16 Feb 2023 11:37:07 +0000
Subject: [Bug 15326] Buffer overflow with _FORTIFY_SOURCE=3 in fixdep
In-Reply-To:
References:
Message-ID:
https://bugs.busybox.net/show_bug.cgi?id=15326
--- Comment #6 from Denys Vlasenko ---
(In reply to Sam James from comment #0)
p = memchr(m, ':', len);
if (!p) {
fprintf(stderr, "fixdep: parse error\n");
exit(1);
}
memcpy(s, m, p-m); s[p-m] = 0;
> Note the large length in memcpy:
> Breakpoint 1.4, memcpy (__len=18446744073709551614, __src=0x7ffff7fc3a24, __dest=0x7fffffffd5f0) at /usr/include/bits/string_fortified.h:29
29 return __builtin___memcpy_chk (__dest, __src, __len,
So, the __len is -2.
> #1 parse_dep_file (map=map at entry=0x7ffff7fc3000, len=) at scripts/basic/fixdep.c:341
> m = 0x7ffff7fc3a24 ""
> end = 0x7ffff7fc3a24 ""
> p = 0x7ffff7fc3a22 "\n\n"
> s = 0x7fffffffd5f0 "scripts/kconfig/lkc_proto.h"
Well... looks like memchr(m, ':', len) returned a pointer two bytes BEFORE the
start of the search string (!!!), so (p-m) evaluated to -2, which code rightly
does not expect.
Can you investigate further why memchr() does this? E.g. is it getting bogus
"len" parameter? Is it just buggy?
From bugzilla at busybox.net Fri Feb 17 19:31:36 2023
From: bugzilla at busybox.net (bugzilla at busybox.net)
Date: Fri, 17 Feb 2023 19:31:36 +0000
Subject: [Bug 15346] New: tar does not have --format option + aliases for
formats
Message-ID:
https://bugs.busybox.net/show_bug.cgi?id=15346
Bug ID: 15346
Summary: tar does not have --format option + aliases for
formats
Product: Busybox
Version: unspecified
Hardware: All
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: Standard Compliance
Assignee: unassigned at busybox.net
Reporter: anonymous.maarten at gmail.com
CC: busybox-cvs at busybox.net
Target Milestone: ---
The -H/--format option allows one to choose an archive format.
GNU tar also provides direct options to select a format.
e.g. --posix as an alias for --format=posix
or --portability for --format=v7.
I ran into this issue in a GitHub workflow in an Alpine docker container, which
uses busybox by default.
The actions/cache action requires a "Posix-compliant tar".
It looks like busybox already generates posix archives.
I have pasted the error message below. The error is caused by the --posix
option.
```
/usr/bin/docker exec
fe3da0b58a8d73eeeaa346c3db67e6e1f7f0bf9896d148552db4c9077d01788d sh -c "cat
/etc/*release | grep ^ID"
/bin/tar --posix -cf cache.tgz --exclude cache.tgz -P -C /__w/SDL/SDL
--files-from manifest.txt -z
/bin/tar: unrecognized option: posix
BusyBox v1.35.0 (2022-11-19 10:13:10 UTC) multi-call binary.
Usage: tar c|x|t [-ZzJjahmvokO] [-f TARFILE] [-C DIR] [-T FILE] [-X FILE]
[LONGOPT]... [FILE]...
Create, extract, or list files from a tar file
c Create
x Extract
t List
-f FILE Name of TARFILE ('-' for stdin/out)
-C DIR Change to DIR before operation
-v Verbose
-O Extract to stdout
-m Don't restore mtime
-o Don't restore user:group
-k Don't replace existing files
-Z (De)compress using compress
-z (De)compress using gzip
-J (De)compress using xz
-j (De)compress using bzip2
--lzma (De)compress using lzma
-a (De)compress based on extension
-h Follow symlinks
-T FILE File with names to include
-X FILE File with glob patterns to exclude
--exclude PATTERN Glob pattern to exclude
--overwrite Replace existing files
--strip-components NUM NUM of leading components to strip
--no-recursion Don't descend in directories
--numeric-owner Use numeric user:group
--no-same-permissions Don't restore access permissions
Warning: Failed to save: "/bin/tar" failed with error: The process '/bin/tar'
failed with exit code 1
Warning: Cache save failed.
```
From vda.linux at googlemail.com Wed Feb 22 09:50:14 2023
From: vda.linux at googlemail.com (Denys Vlasenko)
Date: Wed, 22 Feb 2023 10:50:14 +0100
Subject: [git commit] unzip: clear SUID/GID bits,
implement -K to not clear them
Message-ID: <20230222095255.C7EF4866C7@busybox.osuosl.org>
commit: https://git.busybox.net/busybox/commit/?id=75197998c22b0760a1a6d5e94f750b12855ef82f
branch: https://git.busybox.net/busybox/commit/?id=refs/heads/master
function old new delta
unzip_main 2656 2715 +59
packed_usage 34517 34552 +35
.rodata 105250 105251 +1
------------------------------------------------------------------------------
(add/remove: 0/0 grow/shrink: 3/0 up/down: 95/0) Total: 95 bytes
Signed-off-by: Denys Vlasenko
---
archival/unzip.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/archival/unzip.c b/archival/unzip.c
index b27dd2187..691a2d81b 100644
--- a/archival/unzip.c
+++ b/archival/unzip.c
@@ -56,7 +56,7 @@
//kbuild:lib-$(CONFIG_UNZIP) += unzip.o
//usage:#define unzip_trivial_usage
-//usage: "[-lnojpq] FILE[.zip] [FILE]... [-x FILE]... [-d DIR]"
+//usage: "[-lnojpqK] FILE[.zip] [FILE]... [-x FILE]... [-d DIR]"
//usage:#define unzip_full_usage "\n\n"
//usage: "Extract FILEs from ZIP archive\n"
//usage: "\n -l List contents (with -q for short form)"
@@ -66,6 +66,7 @@
//usage: "\n -p Write to stdout"
//usage: "\n -t Test"
//usage: "\n -q Quiet"
+//usage: "\n -K Do not clear SUID bit"
//usage: "\n -x FILE Exclude FILEs"
//usage: "\n -d DIR Extract into DIR"
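Review bot: The help line added here, `-K Do not clear SUID bit`, understates what the option controls: the mode hunk later in this commit masks `S_ISUID | S_ISGID`, and the commit title says "SUID/GID". Someone deciding whether to pass -K on an archive they do not trust should see both bits named, e.g. `//usage: "\n	-K	Do not clear SUID/SGID bits"`.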
@@ -494,6 +495,7 @@ int unzip_main(int argc, char **argv)
OPT_l = (1 << 0),
OPT_x = (1 << 1),
OPT_j = (1 << 2),
+ OPT_K = (1 << 3),
};
unsigned opts;
smallint quiet = 0;
@@ -559,7 +561,7 @@ int unzip_main(int argc, char **argv)
opts = 0;
/* '-' makes getopt return 1 for non-options */
- while ((i = getopt(argc, argv, "-d:lnotpqxjv")) != -1) {
+ while ((i = getopt(argc, argv, "-d:lnotpqxjvK")) != -1) {
switch (i) {
case 'd': /* Extract to base directory */
base_dir = optarg;
@@ -602,6 +604,10 @@ int unzip_main(int argc, char **argv)
opts |= OPT_j;
break;
+ case 'K':
+ opts |= OPT_K;
+ break;
+
case 1:
if (!src_fn) {
/* The zip file */
@@ -819,7 +825,10 @@ int unzip_main(int argc, char **argv)
# endif
if ((cdf.fmt.version_made_by >> 8) == 3) {
/* This archive is created on Unix */
- dir_mode = file_mode = (cdf.fmt.external_attributes >> 16);
+ file_mode = (cdf.fmt.external_attributes >> 16);
+ if (!(opts & OPT_K))
+ file_mode &= ~(mode_t)(S_ISUID | S_ISGID);
+ dir_mode = file_mode;
}
}
#endif
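Review bot: The mask applied to `file_mode` leaves `S_ISVTX` untouched, so the sticky bit taken from the archive's `external_attributes` still reaches both `file_mode` and `dir_mode`. Info-ZIP describes its own -K as covering SUID/SGID and the sticky bit, which is worth confirming against its man page. Since these bits come from archive metadata rather than from the user, consider `file_mode &= ~(mode_t)(S_ISUID | S_ISGID | S_ISVTX);`. Where the masked mode is finally applied is outside this hunk, so the rest of `unzip_main` should be checked for any other path that sets permissions from the archive.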
From vda.linux at googlemail.com Thu Feb 23 11:00:36 2023
From: vda.linux at googlemail.com (Denys Vlasenko)
Date: Thu, 23 Feb 2023 12:00:36 +0100
Subject: [git commit] unzip: document some options we might support
Message-ID: <20230223110058.ABD9F868CD@busybox.osuosl.org>
commit: https://git.busybox.net/busybox/commit/?id=029740a3e43835d2a71696449baba5250a346e0a
branch: https://git.busybox.net/busybox/commit/?id=refs/heads/master
Signed-off-by: Denys Vlasenko
---
archival/unzip.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/archival/unzip.c b/archival/unzip.c
index 691a2d81b..71a302915 100644
--- a/archival/unzip.c
+++ b/archival/unzip.c
@@ -559,6 +559,11 @@ int unzip_main(int argc, char **argv)
* 204372 1 file
*/
+//TODO: accept and ignore these?
+// -a convert to text files with 't' label, -aa: all files
+// -b do not convert to text - bbox: we don't convert anything
+// -D skip restoration of timestamps for extracted items - bbox: we don't restore these (yet?)
+// -X restore user:group ownership
opts = 0;
/* '-' makes getopt return 1 for non-options */
while ((i = getopt(argc, argv, "-d:lnotpqxjvK")) != -1) {
@@ -583,6 +588,7 @@ int unzip_main(int argc, char **argv)
xmove_fd(xopen("/dev/null", O_WRONLY), STDOUT_FILENO);
/*fallthrough*/
+// NB: -c extract files to stdout/screen (unlike -p, also prints .zip and file names to stdout)
case 'p': /* Extract files to stdout */
dst_fd = STDOUT_FILENO;
/*fallthrough*/
@@ -853,6 +859,7 @@ int unzip_main(int argc, char **argv)
unzip_skip(zip.fmt.extra_len);
/* Guard against "/abspath", "/../" and similar attacks */
+// NB: UnZip 6.00 has option -: to disable this
overlapping_strcpy(dst_fn, strip_unsafe_prefix(dst_fn));
/* Filter zip entries */
From bugzilla at busybox.net Fri Feb 24 05:36:06 2023
From: bugzilla at busybox.net (bugzilla at busybox.net)
Date: Fri, 24 Feb 2023 05:36:06 +0000
Subject: [Bug 15351] New: latest 1.36.0 `sh -i` without tty segfaults
Message-ID:
https://bugs.busybox.net/show_bug.cgi?id=15351
Bug ID: 15351
Summary: latest 1.36.0 `sh -i` without tty segfaults
Product: Busybox
Version: unspecified
Hardware: All
OS: Linux
Status: NEW
Severity: major
Priority: P5
Component: Other
Assignee: unassigned at busybox.net
Reporter: logoerthiner1 at 163.com
CC: busybox-cvs at busybox.net
Target Milestone: ---
A quick way to check whether a busybox version has this bug:
```
user@~ $ docker pull busybox
Using default tag: latest
latest: Pulling from library/busybox
Digest: sha256:7b3ccabffc97de872a30dfd234fd972a66d247c8cfc69b0550f276481852627c
Status: Image is up to date for busybox:latest
docker.io/library/busybox:latest
user@~ $ docker run -ti --rm busybox sh
/ #
/ # cat | sh -i
Segmentation fault (core dumped)
[1]+ Stopped (tty input) cat | sh -i
/ # fg
cat | sh -i
```
This bug appears both in my manually compiled version and in the version shipped
in the Docker image, so it is not related to a specific compiler or config.
It seems that `sh -i` assumes stdin is a tty and segfaults when it is not.
This bug does not appear in 1.35.0 but does appear in 1.36.0.
From bugzilla at busybox.net Sun Feb 26 15:50:11 2023
From: bugzilla at busybox.net (bugzilla at busybox.net)
Date: Sun, 26 Feb 2023 15:50:11 +0000
Subject: [Bug 14866] sha256sum reports false mismatch if input not delimited
by two spaces
In-Reply-To:
References:
Message-ID:
https://bugs.busybox.net/show_bug.cgi?id=14866
--- Comment #4 from Evan Carroll ---
I'm currently using alpine:latest which is still running BusyBox 1.35 and it's
affected by this specific bug, but I can't find the source code or patch for
sha256sum in the BusyBox project. This was in fact very confusing. It's easy to
introduce this bug in the system with `echo`, which will take two arguments and
always use 1 space when joining them.
# sha256sum myfile.xz
8f55c5a97591f1bebdeaff02cdd0d19b8161c1bcba4f2009a7e204c57c85981b myfile.xz
# echo 8f55c5a97591f1bebdeaff02cdd0d19b8161c1bcba4f2009a7e204c57c85981b
myfile.xz
8f55c5a97591f1bebdeaff02cdd0d19b8161c1bcba4f2009a7e204c57c85981b myfile.xz
# echo 8f55c5a97591f1bebdeaff02cdd0d19b8161c1bcba4f2009a7e204c57c85981b
myfile.xz | sha256sum -c
sha256sum: WARNING: 1 of 1 computed checksums did NOT match
# echo "8f55c5a97591f1bebdeaff02cdd0d19b8161c1bcba4f2009a7e204c57c85981b
myfile.xz" | sha256sum -c
myfile.xz: OK
From vda.linux at googlemail.com Mon Feb 27 12:09:44 2023
From: vda.linux at googlemail.com (Denys Vlasenko)
Date: Mon, 27 Feb 2023 13:09:44 +0100
Subject: [git commit] fixdep: avoid underflow when end of entry doesn't
coincide with EOF
Message-ID: <20230227121429.B46D386B84@busybox.osuosl.org>
commit: https://git.busybox.net/busybox/commit/?id=2d4a3d9e6c1493a9520b907e07a41aca90cdfd94
branch: https://git.busybox.net/busybox/commit/?id=refs/heads/master
Bug: https://bugs.gentoo.org/893776
Closes: https://bugs.busybox.net/show_bug.cgi?id=15326
Signed-off-by: Arsen Arsenovi??
Signed-off-by: Denys Vlasenko
---
scripts/basic/fixdep.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/scripts/basic/fixdep.c b/scripts/basic/fixdep.c
index 426b4888b..66be73aad 100644
--- a/scripts/basic/fixdep.c
+++ b/scripts/basic/fixdep.c
@@ -338,6 +338,11 @@ void parse_dep_file(void *map, size_t len)
do p--; while (!isalnum((unsigned char)*p));
p++;
}
+ if (p < m) {
+ /* we've consumed the last filename of this list
+ already. */
+ break;
+ }
memcpy(s, m, p-m); s[p-m] = 0;
if (strrcmp(s, "include/autoconf.h") &&
strrcmp(s, "arch/um/include/uml-config.h") &&
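Review bot: The `p < m` guard fires only after the backward scan `do p--; while (!isalnum((unsigned char)*p));` has already dereferenced `p`, so the scan itself can still read below `m` before the check. Bounding the scan at `m`, and treating an empty remainder as end of list, would avoid relying on what those bytes happen to hold. Separately, `memcpy(s, m, p-m)` has no upper bound against the size of `s`, whose declaration is outside this hunk, so an over-long entry in the dep file is still copied in full. If `s` is a fixed array, a check such as `if ((size_t)(p - m) >= sizeof(s)) { fprintf(stderr, "fixdep: parse error\n"); exit(1); }` before the copy would cover that. parse_dep_file starts and ends outside the hunk.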
From bugzilla at busybox.net Mon Feb 27 12:19:28 2023
From: bugzilla at busybox.net (bugzilla at busybox.net)
Date: Mon, 27 Feb 2023 12:19:28 +0000
Subject: [Bug 15326] Buffer overflow with _FORTIFY_SOURCE=3 in fixdep
In-Reply-To:
References:
Message-ID:
https://bugs.busybox.net/show_bug.cgi?id=15326
Denys Vlasenko changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |FIXED
--- Comment #7 from Denys Vlasenko ---
Fixed in git.
From bugzilla at busybox.net Mon Feb 27 16:46:48 2023
From: bugzilla at busybox.net (bugzilla at busybox.net)
Date: Mon, 27 Feb 2023 16:46:48 +0000
Subject: [Bug 14866] sha256sum reports false mismatch if input not delimited
by two spaces
In-Reply-To:
References:
Message-ID:
https://bugs.busybox.net/show_bug.cgi?id=14866
Denys Vlasenko changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |FIXED
--- Comment #5 from Denys Vlasenko ---
commit 3ad3aa6441ebaf817137051de2b74cb6b4379e7f
Author: Denys Vlasenko
Date: Mon Jul 11 14:36:39 2022 +0200
shaNNNsum: accept one-space "HASH FILENAME" format for -c, closes 14866