d68b617993
Remove upstream patch 0003-awk-fix-use-after-free-CVE-2022-30065.patch and update _IGNORE_CVES accordingly. The two other CVE fixes are still not applied upstream. Renumber the patches and update the comment in the .mk file. Refresh busybox.config. All configs are set to the new defaults, except for CONFIG_UDHCPC_DEFAULT_SCRIPT: for this one, reuse the script we also use for DHCPv4. This matches the behaviour before the bump, where we had a single script handling both. Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
From 9d825e854ef53ebbe0aea2f1a69f52b763104daf Mon Sep 17 00:00:00 2001
|
|
From: Ariadne Conill <ariadne@dereferenced.org>
|
|
Date: Mon, 19 Sep 2022 14:15:12 +0200
|
|
Subject: [PATCH] libbb: sockaddr2str: ensure only printable characters are
|
|
returned for the hostname part
|
|
|
|
CVE: CVE-2022-28391
|
|
Signed-off-by: Ariadne Conill <ariadne@dereferenced.org>
|
|
Tested-by: Radoslav Kolev <radoslav.kolev@suse.com>
|
|
Backport from ML: http://lists.busybox.net/pipermail/busybox/2022-July/089796.html
|
|
Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
|
|
---
|
|
libbb/xconnect.c | 5 +++--
|
|
1 file changed, 3 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/libbb/xconnect.c b/libbb/xconnect.c
|
|
index 0e0b247b8..02c061e67 100644
|
|
--- a/libbb/xconnect.c
|
|
+++ b/libbb/xconnect.c
|
|
@@ -497,8 +497,9 @@ static char* FAST_FUNC sockaddr2str(const struct sockaddr *sa, int flags)
|
|
);
|
|
if (rc)
|
|
return NULL;
|
|
+ /* ensure host contains only printable characters */
|
|
if (flags & IGNORE_PORT)
|
|
- return xstrdup(host);
|
|
+ return xstrdup(printable_string(host));
|
|
#if ENABLE_FEATURE_IPV6
|
|
if (sa->sa_family == AF_INET6) {
|
|
if (strchr(host, ':')) /* heh, it's not a resolved hostname */
|
|
@@ -509,7 +510,7 @@ static char* FAST_FUNC sockaddr2str(const struct sockaddr *sa, int flags)
|
|
#endif
|
|
/* For now we don't support anything else, so it has to be INET */
|
|
/*if (sa->sa_family == AF_INET)*/
|
|
- return xasprintf("%s:%s", host, serv);
|
|
+ return xasprintf("%s:%s", printable_string(host), serv);
|
|
/*return xstrdup(host);*/
|
|
}
|
|
|
|
--
|
|
2.37.3
|
|
|