Hi everyone,
I've prepared a candidate for busybox (currently ready for bullseye,
next would be buster, but as it has a lot of synergy it makes sense to
call for testing already now).
As busybox is, well, a very important package, I'd appreciate having
some extra quality control on that one, so please lend me some extra
pairs of eyes and maybe throw everything that looks like an awk script
at it...
I've put prebuilt packages here: https://people.debian.org/~tobi/bb/,
but of course they can be built using the LTS repo too:
https://salsa.debian.org/lts-team/packages/busybox
Thanks in advance!
Cheers,
tobi
For full transparency, and in the hope it helps the assessment, here are
my notes for the journey:
Here's a list of CVEs and their status:
CVE-2023-42366 unpatched, unanswered upstream patch, see below
CVE-2023-42365 patch ready, see below
CVE-2023-42364 patch ready, see below
CVE-2023-42363 ignore/postpone, see below
CVE-2023-39810 unpatched, unanswered upstream feature patch [A]
CVE-2022-48174 patch from upstream
CVE-2021-42386 patch from Ubuntu
CVE-2021-42385 patch from Ubuntu
CVE-2021-42384 patch from Ubuntu
CVE-2021-42383 unpatched, no patch available.
CVE-2021-42382 patch from Ubuntu
CVE-2021-42381 patch from Ubuntu
CVE-2021-42380 patch from Ubuntu
CVE-2021-42379 patch from Ubuntu
CVE-2021-42378 patch from Ubuntu
CVE-2021-42374 patch from Ubuntu (marked unimportant in the security tracker)
CVE-2021-28831 patch from Ubuntu
"unanswered" means no reply from upstream.
"patch from Ubuntu" means: Those patches are taken from Ubuntu, package
versions 1:1.30.1-4ubuntu6.4.
CVE-2022-48174 was also originally taken from Ubuntu (d/changelog still
credits it), but the sec-tracker now also knows, since Xmas, the (identical)
upstream commit as well.
CVE-2021-42374 is marked unimportant in the security tracker, but as the
patch was readily available from the Ubuntu package and the patch is very
small, I've decided to include this fix too.
[A] https://lists.busybox.net/pipermail/busybox/2024-August/090865.html
CVE-2023-42363 - Use after free in awk:
=======================================
This CVE is marked "not affected" by Ubuntu [1] for the Ubuntu releases
that have 1.30.x (that's also what we have in bullseye and buster).
There is a poc on the upstream bug [2], I can get the poc to trigger
with the version in bookworm, but not in bullseye and buster. In
bullseye and buster ASAN only reports the usual memory leaks, but not a
use-after-free.
Therefore I have reasons to believe that the bug was introduced later.
A git bisect finds [3] as the first commit that makes the poc trigger.
The code is touching the same code as the patch does [4], so I think
I've found the correct commit, but it might also be that this "just" exposed
the bug enough to make the poc trigger.
Even if the code is quite similar, backporting seems risky, and due to
not being able to trigger the poc for 1.30, I'd suggest to "ignore" this
issue for bullseye and buster.
[1] https://ubuntu.com/security/CVE-2023-42363
[2] https://bugs.busybox.net/show_bug.cgi?id=15865
[3] https://github.com/mirror/busybox/commit/371fe9f71
[4] https://github.com/mirror/busybox/commit/fb08d43d4
CVE-2023-42364 - (Another) Use after free in awk:
=================================================
Note: CVE-2023-42365 is fixed with the same patch, they have the same
roots.
This CVE is marked "not affected" by Ubuntu [5] for the Ubuntu releases
that have 1.30.x.
Also here we've got a poc that can be used for bisecting.
Bisecting leads to [6]; however, this seems more to be the commit that
starts exposing the behaviour, as the commit changes the custom memory
allocator which previously over-allocated chunks and now stops doing so,
thus increasing the likelihood of writing outside of the buffer.
So I believe 1.30.x is affected and have backported the upstream patch to
1.30.1; the patch is at salsa [7].
[5] https://ubuntu.com/security/CVE-2023-42364
[6] https://github.com/mirror/busybox/commit/6cf6f1eaee1f6be2b936c2ff0e5852c00740edb4
[7] https://salsa.debian.org/lts-team/packages/busybox/-/blob/debian/bullseye/debian/patches/CVE-2023-42364-part1.patch
https://salsa.debian.org/lts-team/packages/busybox/-/blob/debian/bullseye/debian/patches/CVE-2023-42364-part2.patch
CVE-2023-42366 - Heap buffer overflow
=====================================
Ubuntu says "vulnerable" for basically every version [8].
There is a poc that only works for busybox >= 1.34.0; older versions
detect the syntax error in the poc and terminate without being killed
by ASAN. (This does of course not mean older versions are immune.)
There is no upstream patch, only a proposed patch in the ticket [9,10],
but the patch did not receive any reply from upstream. The patch indeed
seems to make the ASAN killer go away, tested on upstream 1.34.0 with
just that patch applied.
Bisecting seems to yield another red herring, [11]: the logic changes the
memory allocation strategy and, like above, the new allocation strategy
does less over-allocation and possibly just makes it much more unlikely
to happen.
I'd ignore this issue for the moment, like 2023-42363.
[8] https://ubuntu.com/security/CVE-2023-42366
[9] https://bugs.busybox.net/show_bug.cgi?id=15874
[10] https://bugs.busybox.net/attachment.cgi?id=9697
[11] https://github.com/mirror/busybox/commit/8c5da0323bf2da02c40c587c5694b22e3ec623fb
pocs
====
On p.d.o there is also a pocs.xz that has the pocs for some CVEs
obtained from the upstream bug tracker.
One-liner to compile and run one of the pocs (needs clang and ASAN):
cat ../pocs/poc-make-patch | patch -p1 && \
export ASAN_OPTIONS=detect_leaks=0 && \
make defconfig && make -j12 && \
export ASAN_OPTIONS="abort_on_error=1 symbolize=0" && \
./busybox_unstripped awk -f ../pocs/CVE-2023-42366/poc ../pocs/CVE-2023-42366/awk_t1_input
Note: for 1.30.1, you'll need to make sure to have
https://salsa.debian.org/lts-team/packages/busybox/-/blob/debian/bullseye/debian/patches/cherry-pick.1_31_0-92-gd3539be8f0.remove-stime-function-calls.patch?ref_type=heads
applied, or it will FTBFS.
--
tobi
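The mail points out that an older busybox can exit on a syntax error in the poc without ASAN ever firing, which looks like "no crash" if you only glance at the terminal. The helper below is an added example (not from the mail or the busybox/Debian repositories) that runs a command under ASAN_OPTIONS as used above and reports whether the run ended with an ASAN report, a plain signal, a normal error exit or cleanly; the command to run and its arguments are whatever you pass in (e.g. ./busybox_unstripped awk -f poc input).

```shell
#!/bin/sh
# Added example: classify how a busybox awk poc run under ASAN ended.
# Usage: classify_poc_run <command> [args...]
# Prints one of:
#   asan        - ASAN printed a report (the case we actually care about)
#   signal      - killed by a signal, but no ASAN report on stderr
#   error-exit  - non-zero exit without ASAN report (e.g. busybox rejected
#                 the poc as a syntax error; does NOT prove the build is immune)
#   clean       - exit status 0, nothing reported
classify_poc_run() {
    errfile=$(mktemp)
    # Same options as the one-liner in the mail; the if/else keeps a
    # failing command from aborting callers that run with 'set -e'.
    if ASAN_OPTIONS="abort_on_error=1 symbolize=0" "$@" >/dev/null 2>"$errfile"; then
        status=0
    else
        status=$?
    fi
    if grep -q 'AddressSanitizer' "$errfile"; then
        result=asan
    elif [ "$status" -ge 128 ]; then
        result=signal            # 128+N means terminated by signal N
    elif [ "$status" -ne 0 ]; then
        result=error-exit
    else
        result=clean
    fi
    rm -f "$errfile"
    echo "$result"
}
```

If the poc stops at error-exit on 1.30.x, inspect the captured stderr rather than treating the build as unaffected, which is exactly the caveat the mail makes for CVE-2023-42366.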