Bug#776186: busybox: CVE-2014-9645

To: 776186@bugs.debian.org
Subject: Bug#776186: busybox: CVE-2014-9645
From: Michael Gilbert <mgilbert@debian.org>
Date: Sun, 25 Jan 2015 22:30:04 -0500
Message-id: <[🔎] CANTw=MPWWRiDAxH-2KQ90p-+hvkA9bmH5e6fqs25mGHsRL_36A@mail.gmail.com>
Reply-to: Michael Gilbert <mgilbert@debian.org>, 776186@bugs.debian.org

control: tag -1 patch, pending

Hi,

I uploaded an nmu fixing this issue to delayed/15.  Please let me know
if I can shorten or if you want to do a maintainer upload instead.
See proposed patch attached.

Best wishes,
Mike

diff -Nru busybox-1.22.0/debian/changelog busybox-1.22.0/debian/changelog
--- busybox-1.22.0/debian/changelog	2014-11-14 09:53:24.000000000 +0000
+++ busybox-1.22.0/debian/changelog	2015-01-26 03:21:32.000000000 +0000
@@ -1,3 +1,10 @@
+busybox (1:1.22.0-14.1) unstable; urgency=medium
+
+  * Non-maintainer upload by the Security Team.
+  * Fix CVE-2014-9645: modeprobe accepts paths as modules (closes: #776186).
+
+ -- Michael Gilbert <mgilbert@debian.org>  Mon, 26 Jan 2015 03:18:37 +0000
+
 busybox (1:1.22.0-14) medium; urgency=low
 
   * one more attempt to fix the glibc build-depend for #769190, now
diff -Nru busybox-1.22.0/debian/patches/CVE-2014-9645.patch busybox-1.22.0/debian/patches/CVE-2014-9645.patch
--- busybox-1.22.0/debian/patches/CVE-2014-9645.patch	1970-01-01 00:00:00.000000000 +0000
+++ busybox-1.22.0/debian/patches/CVE-2014-9645.patch	2015-01-26 03:24:58.000000000 +0000
@@ -0,0 +1,25 @@
+From 4e314faa0aecb66717418e9a47a4451aec59262b
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Thu, 20 Nov 2014 17:24:33 +0000
+Subject: modprobe,rmmod: reject module names with slashes
+
+--- a/modutils/modprobe.c
++++ b/modutils/modprobe.c
+@@ -239,6 +239,17 @@ static void add_probe(const char *name)
+ {
+ 	struct module_entry *m;
+ 
++	/*
++	 * get_or_add_modentry() strips path from name and works
++	 * on remaining basename.
++	 * This would make "rmmod dir/name" and "modprobe dir/name"
++	 * to work like "rmmod name" and "modprobe name",
++	 * which is wrong, and can be abused via implicit modprobing:
++	 * "ifconfig /usbserial up" tries to modprobe netdev-/usbserial.
++	 */
++	if (strchr(name, '/'))
++		bb_error_msg_and_die("malformed module name '%s'", name);
++
+ 	m = get_or_add_modentry(name);
+ 	if (!(option_mask32 & (OPT_REMOVE | OPT_SHOW_DEPS))
+ 	 && (m->flags & (MODULE_FLAG_LOADED | MODULE_FLAG_BUILTIN))
diff -Nru busybox-1.22.0/debian/patches/series busybox-1.22.0/debian/patches/series
--- busybox-1.22.0/debian/patches/series	2014-11-10 12:06:53.000000000 +0000
+++ busybox-1.22.0/debian/patches/series	2015-01-26 03:24:54.000000000 +0000
@@ -27,3 +27,5 @@
 stop-checking-ancient-kernel-version.patch
 iproute-support-onelink-route-option-and-print-route-flags.patch
 update-deb-format-support.patch
+
+CVE-2014-9645.patch

Reply to:

Follow-Ups:
- Bug#776186: busybox: CVE-2014-9645
  - From: Cyril Brulebois <kibi@debian.org>

Prev by Date: Debian Installer Jessie RC 1 release
Next by Date: Processed: re: busybox: CVE-2014-9645
Previous by thread: Re: Debian Installer Jessie RC 1 release
Next by thread: Bug#776186: busybox: CVE-2014-9645
Index(es):
- Date
- Thread