busybox: cve-2014-9645

author Armin Kuster <akuster@mvista.com>

Wed, 28 Jan 2015 01:19:28 +0000 (17:19 -0800)

committer Richard Purdie <richard.purdie@linuxfoundation.org>

Wed, 11 Feb 2015 17:39:53 +0000 (17:39 +0000)
author Armin Kuster <akuster@mvista.com>
Wed, 28 Jan 2015 01:19:28 +0000 (17:19 -0800)
committer Richard Purdie <richard.purdie@linuxfoundation.org>
Wed, 11 Feb 2015 17:39:53 +0000 (17:39 +0000)
diff --git a/meta/recipes-core/busybox/busybox/CVE-2014-9645_busybox_reject_module_names_with_slashes.patch b/meta/recipes-core/busybox/busybox/CVE-2014-9645_busybox_reject_module_names_with_slashes.patch

new file mode 100644 (file)

index 0000000..4e76067
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2014-9645_busybox_reject_module_names_with_slashes.patch
@@ -0,0 +1,41 @@
+Upstream-status: Backport
+http://git.busybox.net/busybox/commit/?id=4e314faa0aecb66717418e9a47a4451aec59262b
+
+CVE-2014-9645 fix.
+
+[YOCTO #7257]
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+From 4e314faa0aecb66717418e9a47a4451aec59262b Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Thu, 20 Nov 2014 17:24:33 +0000
+Subject: modprobe,rmmod: reject module names with slashes
+
+function                                             old     new   delta
+add_probe                                             86     113     +27
+
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+---
+Index: busybox-1.22.1/modutils/modprobe.c
+===================================================================
+--- busybox-1.22.1.orig/modutils/modprobe.c
++++ busybox-1.22.1/modutils/modprobe.c
+@@ -238,6 +238,17 @@ static void add_probe(const char *name)
+ {
+       struct module_entry *m;
+ 
++      /*
++       * get_or_add_modentry() strips path from name and works
++       * on remaining basename.
++       * This would make "rmmod dir/name" and "modprobe dir/name"
++       * to work like "rmmod name" and "modprobe name",
++       * which is wrong, and can be abused via implicit modprobing:
++       * "ifconfig /usbserial up" tries to modprobe netdev-/usbserial.
++       */
++      if (strchr(name, '/'))
++              bb_error_msg_and_die("malformed module name '%s'", name);
++
+       m = get_or_add_modentry(name);
+       if (!(option_mask32 & (OPT_REMOVE | OPT_SHOW_DEPS))
+        && (m->flags & MODULE_FLAG_LOADED)
diff --git a/meta/recipes-core/busybox/busybox_1.22.1.bb b/meta/recipes-core/busybox/busybox_1.22.1.bb

index 8879e529625f21eb93442a87ff6a39696f92c558..77365201b5b8640180f59699222f99c83930dd33 100644 (file)
--- a/meta/recipes-core/busybox/busybox_1.22.1.bb
+++ b/meta/recipes-core/busybox/busybox_1.22.1.bb
@@ -32,6 +32,7 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
             file://0001-build-system-Specify-nostldlib-when-linking-to-.o-fi.patch \
             file://recognize_connmand.patch \
             file://busybox-cross-menuconfig.patch \
+           file://CVE-2014-9645_busybox_reject_module_names_with_slashes.patch \
  "
  
  SRC_URI[tarball.md5sum] = "337d1a15ab1cb1d4ed423168b1eb7d7e"
author	Armin Kuster <akuster@mvista.com>
	Wed, 28 Jan 2015 01:19:28 +0000 (17:19 -0800)
committer	Richard Purdie <richard.purdie@linuxfoundation.org>
	Wed, 11 Feb 2015 17:39:53 +0000 (17:39 +0000)
meta/recipes-core/busybox/busybox/CVE-2014-9645_busybox_reject_module_names_with_slashes.patch	[new file with mode: 0644]	patch \| blob
meta/recipes-core/busybox/busybox_1.22.1.bb		patch \| blob \| history