From patchwork Fri Dec 29 04:01:02 2017
X-Patchwork-Submitter: TheWerthFam
X-Patchwork-Id: 853614
X-Patchwork-Delegate: blogic@openwrt.org
To: lede-dev@lists.infradead.org
From: TheWerthFam
Message-ID: <0b5ba565-c599-6095-9300-09e2e3cba997@gmail.com>
Date: Thu, 28 Dec 2017 23:01:02 -0500
Subject: [LEDE-DEV] Patch FS#1181 - CVE-2017-16544: A Busybox autocompletion vulnerability

Date: Thu, 28 Dec 2017 10:32:09 -0500
Subject: [PATCH] In the add_match function in libbb/lineedit.c in BusyBox
 through 1.27.2, the tab autocomplete feature of the shell, used to get a list
 of filenames in a directory, does not sanitize filenames and results in
 executing any escape sequence in the terminal. This could potentially result
 in code execution, arbitrary file writes, or other attacks.
Fixes: FS#1181 - CVE-2017-16544: Backport the patch from: https://git.busybox.net/busybox/commit/?id=c3797d40a1c57352192c6106cc0f435e7d9c11e8 https://nvd.nist.gov/vuln/detail/CVE-2017-16544 Signed-off-by: Derek Werthmuller ---  libbb/lineedit.c | 12 ++++++++++++  1 file changed, 12 insertions(+) diff --git a/libbb/lineedit.c b/libbb/lineedit.c index 3e62f46..34538aa 100644 --- a/libbb/lineedit.c +++ b/libbb/lineedit.c @@ -632,6 +632,18 @@ static void free_tab_completion_data(void)  static void add_match(char *matched)  { +    unsigned char *p = (unsigned char*)matched; +    while (*p) { +        /* ESC attack fix: drop any string with control chars */ +        if (*p < ' ' +         || (!ENABLE_UNICODE_SUPPORT && *p >= 0x7f) +         || (ENABLE_UNICODE_SUPPORT && *p == 0x7f) +        ) { +            free(matched); +            return; +        } +        p++; +    }      matches = xrealloc_vector(matches, 4, num_matches);      matches[num_matches] = matched;      num_matches++;
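Review bot: In the `ENABLE_UNICODE_SUPPORT` branch of the new check in add_match(), only `*p == 0x7f` is rejected above the ASCII range, so every byte >= 0x80 passes, including the UTF-8 encodings of the C1 control range (U+0080 to U+009F, bytes 0xC2 0x80 to 0xC2 0x9F). On terminals that honour C1 controls, that range is not covered by the `*p < ' '` test; either add a comment stating that this is a known limit of the byte-wise check, or follow up with a change that decodes the name and rejects that range as well. Separately, the diff is against `a/libbb/lineedit.c` in the BusyBox tree, so for LEDE it needs to be carried as a patch file in the busybox package rather than applied as posted, and the CVE description would read better in the commit body under a short subject line than in the Subject itself.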