git.ipfire.org Git - thirdparty/openembedded/openembedded-core.git/commit
busybox: fix CVE-2022-28391
author Steve Sakoman <steve@sakoman.com>
Tue, 10 May 2022 13:21:48 +0000 (15:21 +0200)
committer Steve Sakoman <steve@sakoman.com>
Tue, 10 May 2022 18:23:11 +0000 (08:23 -1000)
commit 0b9cbcc4ceac3938afd1dd6010ce6d9a3da21598
tree f92b9a0d7d2dd897f2c3ae4d0bddcd530f4eda51
parent 3f899844b383bfd13f176d86181d9219b3dbe345
busybox: fix CVE-2022-28391

BusyBox through 1.35.0 allows remote attackers to execute arbitrary code
if netstat is used to print a DNS PTR record's value to a VT compatible
terminal. Alternatively, the attacker could choose to change the terminal's colors.

https://nvd.nist.gov/vuln/detail/CVE-2022-28391

Backported from kirkstone 3e17df4cd17c132dc7732ebd3d1c80c81c85bcc4.
2nd patch adjusted to apply on 1.31.1.

Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
meta/recipes-core/busybox/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch [new file with mode: 0644]
meta/recipes-core/busybox/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch [new file with mode: 0644]
meta/recipes-core/busybox/busybox_1.31.1.bb
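
The patch file names above describe the fix as restricting printed strings to printable characters. The following is an added example of that kind of output sanitising in C; it is not the BusyBox patch code and not part of this commit. The helper name `sanitize_for_terminal` and the sample PTR value are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper (not BusyBox code): copy an untrusted name into dst,
 * replacing every byte outside printable ASCII (0x20..0x7e) with '?'.
 * This covers ESC (0x1b), BEL, DEL and all bytes >= 0x80, which includes
 * the 8-bit C1 controls such as CSI (0x9b).
 * Truncates to fit and always NUL-terminates when dst_len > 0.
 * Returns the number of bytes that were replaced. */
size_t sanitize_for_terminal(char *dst, size_t dst_len, const char *src)
{
    size_t replaced = 0;
    size_t i = 0;

    if (dst_len == 0)
        return 0;

    for (; src[i] != '\0' && i + 1 < dst_len; i++) {
        unsigned char c = (unsigned char)src[i];

        if (c < 0x20 || c > 0x7e) {
            dst[i] = '?';
            replaced++;
        } else {
            dst[i] = (char)c;
        }
    }
    dst[i] = '\0';
    return replaced;
}

int main(void)
{
    /* Constructed sample: a resolved name carrying a colour-change
     * sequence and a trailing BEL, as a hostile PTR record might. */
    const char ptr_value[] = "\x1b[31mhost.example.net\x07";
    char safe[64];
    size_t n = sanitize_for_terminal(safe, sizeof(safe), ptr_value);

    /* Only the sanitised copy is ever written to the terminal. */
    printf("%s (%zu bytes replaced)\n", safe, n);
    return 0;
}
```

Replacing rather than dropping the bytes keeps the tampering visible in the output, and a non-zero return value can be logged as a signal that a resolver returned a suspicious name.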