[alpine-aports] [PATCH v3.4] main/busybox: security fixes #6617

From: Sergei Lukin <sergej.lukin_at_gmail.com>
Date: Wed, 18 Jan 2017 13:54:14 +0000

CVE-2016-6301: NTP server denial of service flaw
---
 main/busybox/APKBUILD            | 18 ++++++++++++-----
 main/busybox/CVE-2016-6301.patch | 42 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 55 insertions(+), 5 deletions(-)
 create mode 100644 main/busybox/CVE-2016-6301.patch
diff --git a/main/busybox/APKBUILD b/main/busybox/APKBUILD
index 50e97fa..5ee2341 100644
--- a/main/busybox/APKBUILD
+++ b/main/busybox/APKBUILD
_at_@ -1,8 +1,9 @@
+# Contributor: Sergei Lukin <sergej.lukin_at_gmail.com>
 # Contributor: Ɓukasz Jendrysik <scadu_at_yandex.com>
 # Maintainer: Natanael Copa <ncopa_at_alpinelinux.org>
 pkgname=busybox
 pkgver=1.24.2
-pkgrel=12
+pkgrel=13
 pkgdesc="Size optimized toolbox of many common UNIX utilities"
 url=http://busybox.net
 arch="all"
_at_@ -62,9 +63,13 @@ source="http://busybox.net/downloads/$pkgname-$pkgver.tar.bz2
 
 	acpid.logrotate
 	busyboxconfig
-	glibc.patch"
+	glibc.patch
+	CVE-2016-6301.patch
+	"
 
 # secfixes:
+#   1.24.2-r12:
+#     - CVE-2016-6301
 #   1.24.2-r0:
 #     - CVE-2016-2147
 #     - CVE-2016-2148
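Review bot: The new secfixes entry is keyed `1.24.2-r12`, but the first hunk bumps pkgrel from 12 to 13, so the release that actually carries CVE-2016-6301.patch is 1.24.2-r13. As written, the entry marks r12, which was built without the patch, as the fixed version, and anything that reads the secfixes block to decide whether an installed busybox is patched will get the wrong answer for r12. Change the key to `#   1.24.2-r13:`.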
_at_@ -214,7 +219,8 @@ c682706fa98b63497ce0d1bc2ea3e688  0001-xargs-make-I-imply-r.patch
 6234d8817d3c0ee9f4c01e83bf6a96c4  0016-whois-make-it-actually-work.patch
 4046b78ee6a25259954797d73b94f4bd  acpid.logrotate
 ab4a2e1385566b01002e526614dd38c2  busyboxconfig
-befaac2c59c380e36a452b3f1c1d4a3a  glibc.patch"
+befaac2c59c380e36a452b3f1c1d4a3a  glibc.patch
+b23dd4bd38216d05d88287371d35513a  CVE-2016-6301.patch"
 sha256sums="e71ef53ec656f31c42633918d301405d40dea1d97eca12f272217ae4a971c855  busybox-1.24.2.tar.bz2
 52bd2c7c44779f910eedd2fea73ec0de520add400894cc132276587e25c73e39  bbsuid.c
 9bbf0bec82e6d6907474958f3be048c54657fbf49207810b7e4d4d6146f0069d  nologin.c
_at_@ -253,7 +259,8 @@ bf1d97532af24f5a658dd41b94336c3b1fe67d842e83636c25693e65d1995790  0001-xargs-mak
 1be53b0d1aa3c3f44bff31e092bc786259c7475de4b24dfaa71e70c50672f421  0016-whois-make-it-actually-work.patch
 f7cbeb5a5a47395ad30454ce8262abcd3e91c33ef803c2ae31a9258d7142dd48  acpid.logrotate
 a129ededc4c5ec3d0385e4da50a87e81f348ecc7541a2105dd98f0c8543a3a2f  busyboxconfig
-c604ef791c31d35a8c5ee4558d21428a46f37a6d762c4a7e29864f4037fc44a0  glibc.patch"
+c604ef791c31d35a8c5ee4558d21428a46f37a6d762c4a7e29864f4037fc44a0  glibc.patch
+0bffce454b303b832a19946006eebcb217fa6e14a3c638170bd003dc66504e77  CVE-2016-6301.patch"
 sha512sums="4d20fb68ee440be2855231c7fd5f3cb9dd9bfcc1a688f0b59cd3f7a55c8819e9cc44bd15f91500713571f2a84e5e44adc0fa8ae0ae3ebf63961dfc9e1c9ef8e0  busybox-1.24.2.tar.bz2
 c1dd56509277c59751907a27f067f1622191ddfd498acfe390d83136d36a41f2bdfc2fd4daf35af77219a66fb00fea20483f34112afd5df2ccd9f36ab548e66f  bbsuid.c
 4e7c291a70e879b74c0fc07c54a73ef50537d8be68fee6b2d409425c07afd2d67f9b6afcd8c33a7971014913cc5de85e45079681c9e77200c6cc2f34acfba6d2  nologin.c
_at_@ -292,4 +299,5 @@ afa0aa2fee08b28b6f4a32bd761d9fd7ab6989a13651ffa9dc8a3a3c4de3c646ce0881c2abd1be96
 09cb1bf25c9442986e7d9816277e75591a2af8ba78117869c5cba35d2e189db351455137e9511cf61788864812056133fc9ec5e204f9eb18ae86c34dd8493ae8  0016-whois-make-it-actually-work.patch
 dadb4c953ebc755b88ee95c1489feb0c2d352f6e44abc716166024e6eea11ab9d10c84fad62c081775834d205cb04aa1be3c994676c88f4284495c54b9188e8b  acpid.logrotate
 580a6e15d6517641951bb1648c406cee2a82fab353552a60d37f29e5f58da664437d99d5bd313d88e260a92735c32886ffc1cad98f901bb27d1f5027fdce37d7  busyboxconfig
-1d2739379dab1deb3eae7cffd4845300eb7d30f7343b4a1209b21a5680860d55080ad45fdefe098b249ce3040c01951fa7f0a79cd447b2d7b260eb000099d9dc  glibc.patch"
+1d2739379dab1deb3eae7cffd4845300eb7d30f7343b4a1209b21a5680860d55080ad45fdefe098b249ce3040c01951fa7f0a79cd447b2d7b260eb000099d9dc  glibc.patch
+a3030e07a30951b2c4a292670f2ff87541c2a84322525422505f1e3f578021b87c004d0180e5f4219bd1befef2981283b331eb3471de0ae6e4bf44dba8fab502  CVE-2016-6301.patch"
diff --git a/main/busybox/CVE-2016-6301.patch b/main/busybox/CVE-2016-6301.patch
new file mode 100644
index 0000000..67d2fe5
--- /dev/null
+++ b/main/busybox/CVE-2016-6301.patch
_at_@ -0,0 +1,42 @@
+https://git.busybox.net/busybox/patch/?id=150dc7a2b483b8338a3e185c478b4b23ee884e71
+
+From 150dc7a2b483b8338a3e185c478b4b23ee884e71 Mon Sep 17 00:00:00 2001
+From: Miroslav Lichvar <mlichvar_at_redhat.com>
+Date: Mon, 1 Aug 2016 20:24:24 +0200
+Subject: ntpd: respond only to client and symmetric active packets
+
+The busybox NTP implementation doesn't check the NTP mode of packets
+received on the server port and responds to any packet with the right
+size. This includes responses from another NTP server. An attacker can
+send a packet with a spoofed source address in order to create an
+infinite loop of responses between two busybox NTP servers. Adding
+more packets to the loop increases the traffic between the servers
+until one of them has a fully loaded CPU and/or network.
+
+Signed-off-by: Miroslav Lichvar <mlichvar_at_redhat.com>
+Signed-off-by: Denys Vlasenko <vda.linux_at_googlemail.com>
+---
+ networking/ntpd.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/networking/ntpd.c b/networking/ntpd.c
+index 130cef0..8ca62cf 100644
+--- a/networking/ntpd.c
++++ b/networking/ntpd.c
+_at_@ -2051,6 +2051,13 @@ recv_and_process_client_pkt(void /*int fd*/)
+ 		goto bail;
+ 	}
+ 
++	/* Respond only to client and symmetric active packets */
++	if ((msg.m_status & MODE_MASK) != MODE_CLIENT
++	 && (msg.m_status & MODE_MASK) != MODE_SYM_ACT
++	) {
++		goto bail;
++	}
++
+ 	query_status = msg.m_status;
+ 	query_xmttime = msg.m_xmttime;
+ 
+-- 
+cgit v0.12
+
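Review bot: The embedded hunk header `-2051,6 +2051,13` for networking/ntpd.c is taken from upstream commit 150dc7a2b483b8338a3e185c478b4b23ee884e71, while this APKBUILD builds pkgver=1.24.2, so please confirm the patch applies to the 1.24.2 tarball without fuzz and that the mode check still lands after the preceding `goto bail` branch and before `query_status = msg.m_status`. If the check ends up anywhere after the reply is built, the response loop described in the commit message is not closed. Minor style point: `msg.m_status & MODE_MASK` is evaluated twice in the added condition; since that matches upstream, keep it as is so the backport stays identical to the referenced commit. The trailing `cgit v0.12` footer lines are harmless to patch(1), but they are covered by the checksums added above, so trimming them later means regenerating all three sums.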
-- 
2.8.3
Received on Wed Jan 18 2017 - 13:54:14 GMT