Hi! There are a number of security issues published that affect busybox older than 1.34:
https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/

I am interested in backporting the fixes to alpine linux stable branches, which means that I'd like to backport the fixes for:

- 1_33_stable
- 1_32_stable
- 1_31_stable

So I am trying to find the exact commits that fix each CVE so I can document that we fix everything. But I need some help with identifying the exact commit that fixes each CVE. I believe others are interested in this as well, so I'm sharing my findings here.

CVE-2021-42373: A NULL pointer dereference in man leads to denial of service when a section name is supplied but no page argument is given
  man 1.33.0-1.33.1

This issue does not affect alpine linux because we don't have the `man` applet enabled. The upstream fix seems to be:
  commit 4d4fc5ca5ee4f (man: fix segfault in "man 1")

CVE-2021-42374: An out-of-bounds heap read in unlzma leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format that internally supports LZMA compression.
  lzma/unlzma and more 1.27.0-1.33.1

Upstream fix seems to be:
  commit 04f052c56ded (unlzma: fix a case where we could read before beginning of buffer)

CVE-2021-42375: An incorrect handling of a special element in ash leads to denial of service when processing a crafted shell command, due to the shell mistaking specific characters for reserved characters. This may be used for DoS under rare conditions of filtered command input.
  ash 1.33.1

Anyone knows which commit fixes this? It should be one of those, but I have no clue which:

76ef4391548ded8db511e2f7f8f35a3010be7ec5 ash: regressions in process substitution
53d45c934f54b7931cc736eba42903cb1f6d4632 ash: speed up ${v//pattern/repl}
1310d7b1d106d7ab0ec84ce88c12302cca934230 ash: speed up ${v//pattern/repl} if !ASH_OPTIMIZE_FOR_SIZE
53a7a9cd8c15d64fcc2278cf8981ba526dfbe0d2 ash: parser: Fix VSLENGTH parsing with trailing garbage
ad57e4e4b23926002ce72979729b017520bef1d0 ash: revert accidental change (should have been separate)
96436fb36a5fa0ac8e993fb093b4788fb5448afe e2fsprogs/*: remove ioctl calling obfuscation
1f60d88cf6f5ad3efcad6e7ef1501ce334046e40 *: more --help tweaks
e2b9215868a3d72691e5bc0f887354254606447b *: --help tweaks
457825f77a7c7286647ee888a1000a6bb12ca8fc shells: do not allow bare "read" in non-bash compat configs
a1b0d3856d9a0419cb74bf4c87525265871b5868 ash: add process substitution in bash-compatibility mode
33745b1fc8cc6d41f4e708d67800d296668af2ce ash: placate -Werror=format-security
2b7c1aa92c68524559a2067609d09309d5c09adc ash: match bash behavior for ${empty_var/*/repl}
4e039bab375a273344b6c847daa04f13d8317c04 ash: improve --help
85158b600d161bea3fc9d62df8e4ecf4d642fbf0 ash: code shrink
3c13da3dab539eac948de48640d8862857d0c8d0 libbb: introduce and use xgettimeofday(), do not truncate 64-bit time_t in shells

I would guess it is "ash: parser: Fix VSLENGTH parsing with trailing garbage". Can someone confirm that?

We don't use hush in alpine linux, but someone else might be interested in backporting those.

CVE-2021-42376: A NULL pointer dereference in hush leads to denial of service when processing a crafted shell command, due to missing validation after a \x03 delimiter character. This may be used for DoS under very rare conditions of filtered command input.
  hush 1.16-1.31.1

I guess this is commit 1b7a9b68d0e9 (hush: fix handling of \^C and "^C")?

CVE-2021-42377: An attacker-controlled pointer free in hush leads to denial of service and possible code execution when processing a crafted shell command, due to the shell mishandling the &&& string. This may be used for remote code execution under rare conditions of filtered command input.
  hush 1.33.0-1.33.1

I guess this is commit 83a4967e5042 (hush: fix handling of "cmd && &")?

The list of awk fixes is a bit more complicated. I have no clue which of the following commits fixes which CVE:

$ git log --format=oneline 1_33_0..1_34_0 -- editors/awk.c
dabbeeb79356eef78528acd55e1f143ae80372f7 awk: whitespace and debugging tweaks
d3480dd58211d9d8c06ec7ef00089262603003ff awk: disallow break/continue outside of loops
d62627487a44d9175b05d49846aeef83fed97019 awk: tighten parsing - disallow extra semicolons
ab755e3717cefc06fd28ce8db56f0402412afaa3 awk: in parsing, remove superfluous NEWLINE check; optimize builtin arg evaluation
8d269ef85984f6476e7fdbec2c5a70f3b5c48a72 awk: fix printf "%-10c", 0
caa93ecdd3a9b998a69dcbfafdddbc9c58887ec3 awk: fix corner case in awk_printf
39aabfe8f033c9c62acf676b660dc979714d26a7 awk: unbreak "cmd" | getline
4ef8841b21e27e7c7f58d3c9901c833b4fa5a862 awk: unbreak "printf('%c') can output NUL" testcase
3d57a8490738d9febaa4496eba791e4fbfc91826 awk: undo TI_PRINT, it introduced a bug (print with any redirect acting as printf)
49c3ce64f092fd5434fc67056f312bd32f82bae3 awk: rollback_token() + chain_group() == chain_until_rbrace()
e2e3802987266c98df0efdf40ad5da4b07df0113 awk: fix printf buffer overflow
08ca313d7edb99687068b93b5d2435b59f3db23a awk: simplify tests for operation class
cb042b05828c4c89320bc9c7454c04c2761bbb9a awk: restore strdup elision optimization in assignment
90404ed2f62a872ffd9a555660b7ce17fae372d8 awk: match(): code shrink
0e3ef4efb061366bfa4b9609fe3a03f3a1e40f0e awk: rand(): 64-bit constants should be ULL
2211fa70ccad29fc7bccd34c13141850ebb199da awk: do not use a copy of g_progname for node->l.new_progname
e1e7ad6b6005b2265667040fc9d7f69b73b0d5b0 awk: support %F %a %A in printf
1f765709ed9c9595647853ac2cd7905f218c3044 awk: open-code TS_OPTERM, no logic changes
2b65e73db3254a7228802886546152c72217017d awk: tighten rules in action parsing
717200eb43c9420773c0f8b751aadabba3052027 awk: rename GRPSTART/END to L/RBRACE, no code changes
b705bf55395bf338f9b9888d87e418f67d4f1a29 awk: move match() code out-of-line
646429e05e2f62250da80aa8d98111f3a9818e9a awk: use smaller regmatch_t arrays, they had 2 elements for no apparent reason
a5d7b0f4f4e9728c3eb7a06d38227d9f3351e677 awk: fix detection of VAR=VAL arguments
4d902ea9def573cd15271177abbfa50fbf30c84f awk: fix beavior of "exit" without parameter
8bb03da906e1f8f750123214b15a19d7d4e166c1 awk: rand() could return 1.0, fix this - should be in [0,1)
37ae8cdc6e428e68ad76f6b446881ecff305ebd3 awk: beautify builtins table, no code changes
47d9133896f0de6b17393309193051e4bd52015e awk: enforce simple builtins' argument number
786ca197ad1305607efaccb067c19931d9e765b1 awk: make builtin definitions more understandable, no code changes
640212ae0ea8a1b47cd73a080d77b25b9f3ccd40 awk: do not special-case "delete"
ef5463cf16f88c0992b2073a30ab6081c86fdf23 awk: shuffle globals for smaller offsets
966cafcc77d8cda5d1a95bc73080e9a9b9010a45 awk: use "static" tmpvars in main and exit
1193c68fa718ff16c47aba23f8532bf1568f294e awk: when parsing length(), simplify eating of LPAREN
40573556f2a67b11319785e0479b7087d02c060e awk: shuffle functions to reduce forward declarations, no code changes
8b4c429025c233640bd5c5838552f34683a06fc0 awk: use static tmpvars instead of nvalloc(1)ed ones
1573487e2100892d06e3628828690692313a48d5 awk: rename temp variables, no code changes
d7354df169603807fe2ac4f8a0f9f72c9703184f awk: evaluate all, even superfluous function args
ca9278ee5855a91a5521960d3743809f47ed27b8 awk: rewrite "print" logic a bit to make it clearer
d1507101695f6bad35a61c4770b7d3913597ac16 awk: allow empty fuinctions with no arguments, disallow function redefinitions
86fc2872b33224cfa5442700c2a8abd020cbf900 awk: replace incorrect use of union in undefined function check (no code changes)
6cf6f1eaee1f6be2b936c2ff0e5852c00740edb4 awk: remove custom pool allocator for temporary awk variables
3aff3b9cb81c1f574aaafaf3981e755c6639e2bc awk: assorted optimizations
b3c91a127f8baecee0265ba92898ae1e718bdb31 awk: free unused parsing structures after parse is done
21fbee2e87ddf7b47bb501b6529b63ac2b3af0bd awk: document which hashes are used at what state (parse/execute)
6872c193a935df47facf717c15a32f93b43c6bcf awk: fix parsing of expressions such as "v (a)"
686287b5da98508dd03fb295745c82d00440131e awk: deindent a block, no code changes
216d3d8ad9b7d0346cf439ccaca18d0a263e7608 awk: code shrink
4f27503a1ecab8dfe373a349df3d8fe3c22e2160 awk: get rid of "move name one char back" trick in next_token()
f414fb4411e65662b44f038ed3175789172edc20 awk: when parsing TC_FUNCTION token, eat its opening '('
cb6061a4e9860bf3d529109b34103ce3bde6d735 awk: g_buf[] does not need a separate allocation
926420795b4191e045d4a316bfed19f84275a185 awk: simplify parsing of function declaration
9782cb7774f00a3e777e3d764ccce15055a29977 awk: rename TC_SEQSTART/END to L/RPAREN, no code changes
a493441ca52adca7df3976c668f2e7c48d1b67a1 awk: deindent code block, no code changes
adcd9a6f349f3f2715a586b45fb27350b37cf1e5 awk: use TS_foo for combined token classes. No code changes
832cb4fcb98d2845bd3f9d244593fc1b5f362ca0 awk: make ltclass ("last token class") local to next_token()
af0172369eb024fff3c8c2cd2c8765a7fde5a9f5 awk: remove redundant check
78645d8371e69ce82841b66aa5ef69c02055f5bc awk: move locals deeper into scopes where they are used, no logic changes
8c5da0323bf2da02c40c587c5694b22e3ec623fb awk: more efficient -f FILE, document what "some trick in next_token" is
ac4786ba002620eb4c046c847e69d6a12ea0e322 qwk: make code clearer, no actual code changes
fd217c1cbf7a702ad632bb21f7757433de1755b7 awk: after preinc/dec, only allow variable, field ref, array ref, or another preinc/dec
a885ce1af05c4eaa5ebcf883cb3da3433ca1c48b awk: fix use-after-free in "$BIGNUM1 $BIGGERNUM2" concat op
e8fe9f96356a6b19ec907ea30cffc829c539a7ff awk: allow printf('%c') to output NUL, closes 13486

CVE-2021-42378: A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function
  awk 1.16-1.33.1

CVE-2021-42379: A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file function
  awk 1.18-1.33.1

CVE-2021-42380: A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function
  awk 1.28-1.33.1

CVE-2021-42381: A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init function
  awk 1.21-1.33.1

CVE-2021-42382: A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s function
  awk 1.26-1.33.1

CVE-2021-42383: A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function
  awk 1.33.1

NOTE: I think this is a bit peculiar. It is claimed that 1.33.0 is not affected (compare with CVE-2021-42377), which means that 1.33.1 would introduce this problem. However, there are no changes in awk between 1.33.0 and 1.33.1.

CVE-2021-42384: A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function
  awk 1.18-1.33.1

CVE-2021-42385: A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function
  awk 1.16-1.33.1

CVE-2021-42386: A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function
  awk 1.16-1.33.1

If I get some help identifying exactly which commits fix each issue, I'll try to cherry-pick them to the 1_31_stable - 1_33_stable branches and submit patches so they can be applied upstream in those branches.

_______________________________________________
busybox mailing list
http://lists.busybox.net/mailman/listinfo/busybox
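One way to track the backport status the post is after, as an added example that is not from the post or the busybox project: given a table of CVE, upstream commit and subject line, it reports for each stable branch whether the fix is already contained, was cherry-picked (a backport gets a new hash, so it is matched by subject instead), or is still missing. It assumes a busybox clone in $BUSYBOX_DIR with the 1_3x_stable branches fetched.

```shell
#!/bin/sh
# Added example (not from the post or the busybox project): report, for each
# Alpine stable branch, whether a given upstream fix is already present.
# Assumes a busybox git clone in $BUSYBOX_DIR with the branches fetched.

# fix_status REPO COMMIT SUBJECT BRANCH
# Prints "contained" if COMMIT is an ancestor of BRANCH, "cherry-picked" if a
# commit with the same subject line is on BRANCH (a backport gets a new hash,
# so an ancestry check alone would report it as missing), else "missing".
fix_status() {
    repo=$1 commit=$2 subject=$3 branch=$4
    if git -C "$repo" merge-base --is-ancestor "$commit" "$branch" 2>/dev/null; then
        echo contained
    elif [ -n "$(git -C "$repo" log -1 --format=%H -F --grep="$subject" "$branch" 2>/dev/null)" ]; then
        echo cherry-picked
    else
        echo missing
    fi
}

# backport_report REPO [BRANCH...]
# Reads "CVE COMMIT SUBJECT" lines on stdin and prints "CVE BRANCH STATUS" for
# every branch (default: the three branches named in the post).
backport_report() {
    repo=$1
    shift
    branches=${*:-1_31_stable 1_32_stable 1_33_stable}
    while read -r cve commit subject; do
        [ -n "$cve" ] || continue   # skip blank lines
        for branch in $branches; do
            printf '%s %s %s\n' "$cve" "$branch" \
                "$(fix_status "$repo" "$commit" "$subject" "$branch")"
        done
    done
}

# Usage against a real clone; the table holds the two fixes the post identifies.
if [ -n "${BUSYBOX_DIR:-}" ]; then
    backport_report "$BUSYBOX_DIR" <<'EOF'
CVE-2021-42373 4d4fc5ca5ee4f man: fix segfault in "man 1"
CVE-2021-42374 04f052c56ded unlzma: fix a case where we could read before beginning of buffer
EOF
fi
```

Extend the here-document with the remaining CVEs as their commits are confirmed; a "missing" line is a branch that still needs a cherry-pick.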
