Bug#1010264: CVE-2022-28391

To: Debian Bug Tracking System <1010264@bugs.debian.org>
Subject: Bug#1010264: CVE-2022-28391
From: Nobuhiro Iwamatsu <iwamatsu@debian.org>
Date: Wed, 06 Jul 2022 16:01:52 +0900
Message-id: <[🔎] 165709091201.2016830.11532256438504842679.reportbug@ryzen7>
Reply-to: Nobuhiro Iwamatsu <iwamatsu@debian.org>, 1010264@bugs.debian.org
References: <165106052732.15361.16329981273607996588.reportbug@hullmann.westfalen.local>

Package: busybox
Version: 1:1.35.0-1
Tags: patch
Followup-For: Bug #1010264

Dear Maintainer,

I created a patch which corect this issue.
The correction contained in this patch was taken from the following
posts.
  http://lists.busybox.net/pipermail/busybox/2022-June/089751.html
Could you check this?

Best regards,
  Nobuhiro

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: armhf, arm64, i386

Kernel: Linux 5.17.0-1-amd64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=ja_JP.UTF-8, LC_CTYPE=ja_JP.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages busybox depends on:
ii  libc6  2.33-7

busybox recommends no packages.

busybox suggests no packages.

-- no debconf information

>From 8e24308e8a8ebedc07e08255d3efbb00f2b13003 Mon Sep 17 00:00:00 2001
From: Nobuhiro Iwamatsu <iwamatsu@debian.org>
Date: Wed, 6 Jul 2022 15:46:06 +0900
Subject: [PATCH] d/aptches: Fix CVE-2022-28391

These patches fix CVE-2022-28391.
These have not been incorporated into the upstream tree yet, but has been
posted on the ML[0].

[0]: http://lists.busybox.net/pipermail/busybox/2022-June/089751.html

Signed-off-by: Nobuhiro Iwamatsu <iwamatsu@debian.org>
---
 ...tr-ensure-only-printable-characters-.patch | 40 +++++++++++
 ...e-all-printed-strings-with-printable.patch | 68 +++++++++++++++++++
 debian/patches/series                         |  3 +
 3 files changed, 111 insertions(+)
 create mode 100644 debian/patches/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
 create mode 100644 debian/patches/0002-nslookup-sanitize-all-printed-strings-with-printable.patch

diff --git a/debian/patches/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch b/debian/patches/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
new file mode 100644
index 000000000..1d1716e3b
--- /dev/null
+++ b/debian/patches/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
@@ -0,0 +1,40 @@
+From 0c8da1bead8ffaf270b4b723ead2c517371405d7 Mon Sep 17 00:00:00 2001
+From: Ariadne Conill <ariadne@dereferenced.org>
+Date: Sun, 3 Apr 2022 12:14:33 +0000
+Subject: [PATCH 1/2] libbb: sockaddr2str: ensure only printable characters are
+ returned for the hostname part
+
+CVE: Pending
+Upstream-Status: Pending
+Signed-off-by: Ariadne Conill <ariadne@dereferenced.org>
+---
+ libbb/xconnect.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/libbb/xconnect.c b/libbb/xconnect.c
+index 0e0b247b8..02c061e67 100644
+--- a/libbb/xconnect.c
++++ b/libbb/xconnect.c
+@@ -497,8 +497,9 @@ static char* FAST_FUNC sockaddr2str(const struct sockaddr *sa, int flags)
+ 	);
+ 	if (rc)
+ 		return NULL;
++	/* ensure host contains only printable characters */
+ 	if (flags & IGNORE_PORT)
+-		return xstrdup(host);
++		return xstrdup(printable_string(host));
+ #if ENABLE_FEATURE_IPV6
+ 	if (sa->sa_family == AF_INET6) {
+ 		if (strchr(host, ':')) /* heh, it's not a resolved hostname */
+@@ -509,7 +510,7 @@ static char* FAST_FUNC sockaddr2str(const struct sockaddr *sa, int flags)
+ #endif
+ 	/* For now we don't support anything else, so it has to be INET */
+ 	/*if (sa->sa_family == AF_INET)*/
+-		return xasprintf("%s:%s", host, serv);
++		return xasprintf("%s:%s", printable_string(host), serv);
+ 	/*return xstrdup(host);*/
+ }
+ 
+-- 
+2.35.1
+
diff --git a/debian/patches/0002-nslookup-sanitize-all-printed-strings-with-printable.patch b/debian/patches/0002-nslookup-sanitize-all-printed-strings-with-printable.patch
new file mode 100644
index 000000000..01c45c9ba
--- /dev/null
+++ b/debian/patches/0002-nslookup-sanitize-all-printed-strings-with-printable.patch
@@ -0,0 +1,68 @@
+From 812b407e545b70b16cf32aade135b5c32eaf674f Mon Sep 17 00:00:00 2001
+From: Ariadne Conill <ariadne@dereferenced.org>
+Date: Sun, 3 Apr 2022 12:16:45 +0000
+Subject: [PATCH 2/2] nslookup: sanitize all printed strings with
+ printable_string
+
+Otherwise, terminal sequences can be injected, which enables various terminal injection
+attacks from DNS results.
+
+CVE: Pending
+Upstream-Status: Pending
+Signed-off-by: Ariadne Conill <ariadne@dereferenced.org>
+---
+ networking/nslookup.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/networking/nslookup.c b/networking/nslookup.c
+index 6da97baf4..4bdcde1b8 100644
+--- a/networking/nslookup.c
++++ b/networking/nslookup.c
+@@ -407,7 +407,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
+ 				//printf("Unable to uncompress domain: %s\n", strerror(errno));
+ 				return -1;
+ 			}
+-			printf(format, ns_rr_name(rr), dname);
++			printf(format, ns_rr_name(rr), printable_string(dname));
+ 			break;
+ 
+ 		case ns_t_mx:
+@@ -422,7 +422,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
+ 				//printf("Cannot uncompress MX domain: %s\n", strerror(errno));
+ 				return -1;
+ 			}
+-			printf("%s\tmail exchanger = %d %s\n", ns_rr_name(rr), n, dname);
++			printf("%s\tmail exchanger = %d %s\n", ns_rr_name(rr), n, printable_string(dname));
+ 			break;
+ 
+ 		case ns_t_txt:
+@@ -434,7 +434,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
+ 			if (n > 0) {
+ 				memset(dname, 0, sizeof(dname));
+ 				memcpy(dname, ns_rr_rdata(rr) + 1, n);
+-				printf("%s\ttext = \"%s\"\n", ns_rr_name(rr), dname);
++				printf("%s\ttext = \"%s\"\n", ns_rr_name(rr), printable_string(dname));
+ 			}
+ 			break;
+ 
+@@ -454,7 +454,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
+ 			}
+ 
+ 			printf("%s\tservice = %u %u %u %s\n", ns_rr_name(rr),
+-				ns_get16(cp), ns_get16(cp + 2), ns_get16(cp + 4), dname);
++				ns_get16(cp), ns_get16(cp + 2), ns_get16(cp + 4), printable_string(dname));
+ 			break;
+ 
+ 		case ns_t_soa:
+@@ -483,7 +483,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
+ 				return -1;
+ 			}
+ 
+-			printf("\tmail addr = %s\n", dname);
++			printf("\tmail addr = %s\n", printable_string(dname));
+ 			cp += n;
+ 
+ 			printf("\tserial = %lu\n", ns_get32(cp));
+-- 
+2.35.1
+
diff --git a/debian/patches/series b/debian/patches/series
index 88296acca..4c26a198c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -11,3 +11,6 @@ revert-9c143ce52da11ec3d21a3491c3749841d3dc10f0.patch
 temp-deb-installer-hack.patch
 install-readlink-in-bin.patch
 spelling.diff
+# patches for CVE-2022-28391
+0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
+0002-nslookup-sanitize-all-printed-strings-with-printable.patch
-- 
2.36.0

Reply to:

Prev by Date: debian-installer_20210731+deb11u4_source.changes ACCEPTED into proposed-updates->stable-new, proposed-updates
Next by Date: Processed: tagging 1010264
Previous by thread: debian-installer_20210731+deb11u4_source.changes ACCEPTED into proposed-updates->stable-new, proposed-updates
Next by thread: Processed: tagging 1010264
Index(es):
- Date
- Thread