poky/meta/recipes-core/busybox/busybox/busybox-CVE-2018-1000500.patch - openbmc/openbmc - Gitiles

 From 71e7e2fb35c806d20f9739d832cd9ae3a86fdee2 Mon Sep 17 00:00:00 2001
 From: Dimitri John Ledkov <xnox@ubuntu.com>
 Date: Tue, 19 May 2020 18:20:39 +0100
 Subject: [PATCH] wget: implement TLS verification with
  ENABLE_FEATURE_WGET_OPENSSL

 When ENABLE_FEATURE_WGET_OPENSSL is enabled, correctly implement TLS
 verification by default. And only ignore verification errors, if
 --no-check-certificate was passed.

 Also note, that previously OPENSSL implementation did not implement
 TLS verification, nor printed any warning messages that verification
 was not performed.

 Bug-Ubuntu: https://bugs.launchpad.net/bugs/1879533

 CVE-2018-1000500

 Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=45fa3f18adf57ef9d743038743d9c90573aeeb91]
 CVE: CVE-2018-1000500

 Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
 Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
 Signed-off-by: Rahul Kumar <rahulk@mvista.com>
 ---
  networking/wget.c | 20 +++++++++++++++++---
  1 file changed, 17 insertions(+), 3 deletions(-)

 diff --git a/networking/wget.c b/networking/wget.c
 index 9153264..a7e6deb 100644
 --- a/networking/wget.c
 +++ b/networking/wget.c
 @@ -91,6 +91,9 @@
  //config:	patches, but do want to waste bandwidth expaining how wrong
  //config:	it is, you will be ignored.
  //config:
 +//config:	FEATURE_WGET_OPENSSL does implement TLS verification
 +//config:	using the certificates available to OpenSSL.
 +//config:
  //config:config FEATURE_WGET_OPENSSL
  //config:	bool "Try to connect to HTTPS using openssl"
  //config:	default y
 @@ -115,6 +118,9 @@
  //config:	If openssl can't be executed, internal TLS code will be used
  //config:	(if you enabled it); if openssl can be executed but fails later,
  //config:	wget can't detect this, and download will fail.
 +//config:
 +//config:	By default TLS verification is performed, unless
 +//config:	--no-check-certificate option is passed.

  //applet:IF_WGET(APPLET(wget, BB_DIR_USR_BIN, BB_SUID_DROP))

 @@ -124,8 +130,11 @@
  //usage:	IF_FEATURE_WGET_LONG_OPTIONS(
  //usage:       "[-c|--continue] [--spider] [-q|--quiet] [-O|--output-document FILE]\n"
  //usage:       "	[-o|--output-file FILE] [--header 'header: value'] [-Y|--proxy on/off]\n"
 +//usage:	IF_FEATURE_WGET_OPENSSL(
 +//usage:       "	[--no-check-certificate]\n"
 +//usage:	)
  /* Since we ignore these opts, we don't show them in --help */
 -/* //usage:    "	[--no-check-certificate] [--no-cache] [--passive-ftp] [-t TRIES]" */
 +/* //usage:    "	[--no-cache] [--passive-ftp] [-t TRIES]" */
  /* //usage:    "	[-nv] [-nc] [-nH] [-np]" */
  //usage:       "	[-P DIR] [-S|--server-response] [-U|--user-agent AGENT]" IF_FEATURE_WGET_TIMEOUT(" [-T SEC]") " URL..."
  //usage:	)
 @@ -137,7 +146,9 @@
  //usage:       "Retrieve files via HTTP or FTP\n"
  //usage:	IF_FEATURE_WGET_LONG_OPTIONS(
  //usage:     "\n	--spider	Only check URL existence: $? is 0 if exists"
 -///////:     "\n	--no-check-certificate	Don't validate the server's certificate"
 +//usage:	IF_FEATURE_WGET_OPENSSL(
 +//usage:     "\n	--no-check-certificate	Don't validate the server's certificate"
 +//usage:	)
  //usage:	)
  //usage:     "\n	-c		Continue retrieval of aborted transfer"
  //usage:     "\n	-q		Quiet"
 @@ -662,7 +673,7 @@ static int spawn_https_helper_openssl(const char *host, unsigned port)
  	pid = xvfork();
  	if (pid == 0) {
  		/* Child */
 -		char *argv[8];
 +		char *argv[9];

  		close(sp[0]);
  		xmove_fd(sp[1], 0);
 @@ -689,6 +700,9 @@ static int spawn_https_helper_openssl(const char *host, unsigned port)
  			argv[5] = (char*)"-servername";
  			argv[6] = (char*)servername;
  		}
 +		if (!(option_mask32 & WGET_OPT_NO_CHECK_CERT)) {
 +			argv[7] = (char*)"-verify_return_error";
 +		}

  		BB_EXECVP(argv[0], argv);
  		xmove_fd(3, 2);
 --
 2.7.4
	From 71e7e2fb35c806d20f9739d832cd9ae3a86fdee2 Mon Sep 17 00:00:00 2001
	From: Dimitri John Ledkov <xnox@ubuntu.com>
	Date: Tue, 19 May 2020 18:20:39 +0100
	Subject: [PATCH] wget: implement TLS verification with
	ENABLE_FEATURE_WGET_OPENSSL

	When ENABLE_FEATURE_WGET_OPENSSL is enabled, correctly implement TLS
	verification by default. And only ignore verification errors, if
	--no-check-certificate was passed.

	Also note, that previously OPENSSL implementation did not implement
	TLS verification, nor printed any warning messages that verification
	was not performed.

	Bug-Ubuntu: https://bugs.launchpad.net/bugs/1879533

	CVE-2018-1000500

	Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=45fa3f18adf57ef9d743038743d9c90573aeeb91]
	CVE: CVE-2018-1000500

	Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
	Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
	Signed-off-by: Rahul Kumar <rahulk@mvista.com>
	---
	networking/wget.c \| 20 +++++++++++++++++---
	1 file changed, 17 insertions(+), 3 deletions(-)

	diff --git a/networking/wget.c b/networking/wget.c
	index 9153264..a7e6deb 100644
	--- a/networking/wget.c
	+++ b/networking/wget.c
	@@ -91,6 +91,9 @@
	//config: patches, but do want to waste bandwidth expaining how wrong
	//config: it is, you will be ignored.
	//config:
	+//config: FEATURE_WGET_OPENSSL does implement TLS verification
	+//config: using the certificates available to OpenSSL.
	+//config:
	//config:config FEATURE_WGET_OPENSSL
	//config: bool "Try to connect to HTTPS using openssl"
	//config: default y
	@@ -115,6 +118,9 @@
	//config: If openssl can't be executed, internal TLS code will be used
	//config: (if you enabled it); if openssl can be executed but fails later,
	//config: wget can't detect this, and download will fail.
	+//config:
	+//config: By default TLS verification is performed, unless
	+//config: --no-check-certificate option is passed.

	//applet:IF_WGET(APPLET(wget, BB_DIR_USR_BIN, BB_SUID_DROP))

	@@ -124,8 +130,11 @@
	//usage: IF_FEATURE_WGET_LONG_OPTIONS(
	//usage: "[-c\|--continue] [--spider] [-q\|--quiet] [-O\|--output-document FILE]\n"
	//usage: " [-o\|--output-file FILE] [--header 'header: value'] [-Y\|--proxy on/off]\n"
	+//usage: IF_FEATURE_WGET_OPENSSL(
	+//usage: " [--no-check-certificate]\n"
	+//usage: )
	/* Since we ignore these opts, we don't show them in --help */
	-/* //usage: " [--no-check-certificate] [--no-cache] [--passive-ftp] [-t TRIES]" */
	+/* //usage: " [--no-cache] [--passive-ftp] [-t TRIES]" */
	/* //usage: " [-nv] [-nc] [-nH] [-np]" */
	//usage: " [-P DIR] [-S\|--server-response] [-U\|--user-agent AGENT]" IF_FEATURE_WGET_TIMEOUT(" [-T SEC]") " URL..."
	//usage: )
	@@ -137,7 +146,9 @@
	//usage: "Retrieve files via HTTP or FTP\n"
	//usage: IF_FEATURE_WGET_LONG_OPTIONS(
	//usage: "\n --spider Only check URL existence: $? is 0 if exists"
	-///////: "\n --no-check-certificate Don't validate the server's certificate"
	+//usage: IF_FEATURE_WGET_OPENSSL(
	+//usage: "\n --no-check-certificate Don't validate the server's certificate"
	+//usage: )
	//usage: )
	//usage: "\n -c Continue retrieval of aborted transfer"
	//usage: "\n -q Quiet"
	@@ -662,7 +673,7 @@ static int spawn_https_helper_openssl(const char *host, unsigned port)
	pid = xvfork();
	if (pid == 0) {
	/* Child */
	- char *argv[8];
	+ char *argv[9];

	close(sp[0]);
	xmove_fd(sp[1], 0);
	@@ -689,6 +700,9 @@ static int spawn_https_helper_openssl(const char *host, unsigned port)
	argv[5] = (char*)"-servername";
	argv[6] = (char*)servername;
	}
	+ if (!(option_mask32 & WGET_OPT_NO_CHECK_CERT)) {
	+ argv[7] = (char*)"-verify_return_error";
	+ }

	BB_EXECVP(argv[0], argv);
	xmove_fd(3, 2);
	--
	2.7.4