CBL-Mariner/SPECS/busybox/CVE-2022-28391.patch

From 0c8da1bead8ffaf270b4b723ead2c517371405d7 Mon Sep 17 00:00:00 2001
From: Ariadne Conill <ariadne@dereferenced.org>
Date: Sun, 3 Apr 2022 12:14:33 +0000
Subject: [PATCH 1/2] libbb: sockaddr2str: ensure only printable characters are
 returned for the hostname part

CVE: Pending
Upstream-Status: Pending
Signed-off-by: Ariadne Conill <ariadne@dereferenced.org>
Signed-off-by: Henry Beberman <henry.beberman@microsoft.com>
---
 libbb/xconnect.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/libbb/xconnect.c b/libbb/xconnect.c
index 0e0b247b8..02c061e67 100644
--- a/libbb/xconnect.c
+++ b/libbb/xconnect.c
@@ -497,8 +497,9 @@ static char* FAST_FUNC sockaddr2str(const struct sockaddr *sa, int flags)
 	);
 	if (rc)
 		return NULL;
+	/* ensure host contains only printable characters */
 	if (flags & IGNORE_PORT)
-		return xstrdup(host);
+		return xstrdup(printable_string(host));
 #if ENABLE_FEATURE_IPV6
 	if (sa->sa_family == AF_INET6) {
 		if (strchr(host, ':')) /* heh, it's not a resolved hostname */
@@ -509,7 +510,7 @@ static char* FAST_FUNC sockaddr2str(const struct sockaddr *sa, int flags)
 #endif
 	/* For now we don't support anything else, so it has to be INET */
 	/*if (sa->sa_family == AF_INET)*/
-		return xasprintf("%s:%s", host, serv);
+		return xasprintf("%s:%s", printable_string(host), serv);
 	/*return xstrdup(host);*/
 }
 
-- 
2.35.1

From 812b407e545b70b16cf32aade135b5c32eaf674f Mon Sep 17 00:00:00 2001
From: Ariadne Conill <ariadne@dereferenced.org>
Date: Sun, 3 Apr 2022 12:16:45 +0000
Subject: [PATCH 2/2] nslookup: sanitize all printed strings with
 printable_string

Otherwise, terminal sequences can be injected, which enables various terminal injection
attacks from DNS results.

CVE: Pending
Upstream-Status: Pending
Signed-off-by: Ariadne Conill <ariadne@dereferenced.org>
Signed-off-by: Henry Beberman <henry.beberman@microsoft.com>
---
 networking/nslookup.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/networking/nslookup.c b/networking/nslookup.c
index 6da97baf4..4bdcde1b8 100644
--- a/networking/nslookup.c
+++ b/networking/nslookup.c
@@ -407,7 +407,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
 				//printf("Unable to uncompress domain: %s\n", strerror(errno));
 				return -1;
 			}
-			printf(format, ns_rr_name(rr), dname);
+			printf(format, ns_rr_name(rr), printable_string(dname));
 			break;
 
 		case ns_t_mx:
@@ -422,7 +422,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
 				//printf("Cannot uncompress MX domain: %s\n", strerror(errno));
 				return -1;
 			}
-			printf("%s\tmail exchanger = %d %s\n", ns_rr_name(rr), n, dname);
+			printf("%s\tmail exchanger = %d %s\n", ns_rr_name(rr), n, printable_string(dname));
 			break;
 
 		case ns_t_txt:
@@ -434,7 +434,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
 			if (n > 0) {
 				memset(dname, 0, sizeof(dname));
 				memcpy(dname, ns_rr_rdata(rr) + 1, n);
-				printf("%s\ttext = \"%s\"\n", ns_rr_name(rr), dname);
+				printf("%s\ttext = \"%s\"\n", ns_rr_name(rr), printable_string(dname));
 			}
 			break;
 
@@ -454,7 +454,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
 			}
 
 			printf("%s\tservice = %u %u %u %s\n", ns_rr_name(rr),
-				ns_get16(cp), ns_get16(cp + 2), ns_get16(cp + 4), dname);
+				ns_get16(cp), ns_get16(cp + 2), ns_get16(cp + 4), printable_string(dname));
 			break;
 
 		case ns_t_soa:
@@ -483,7 +483,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
 				return -1;
 			}
 
-			printf("\tmail addr = %s\n", dname);
+			printf("\tmail addr = %s\n", printable_string(dname));
 			cp += n;
 
 			printf("\tserial = %lu\n", ns_get32(cp));
-- 
2.35.1