From 41c9e389fd1ebce7fc2e723a9074fa7f2a00e11a Mon Sep 17 00:00:00 2001
From: Ariadne Conill <ariadne@dereferenced.org>
Date: Sun, 3 Apr 2022 12:27:12 +0000
Subject: [PATCH] main/busybox: add security mitigation for ALPINE-13661
 (CVE-2022-28391)

---
 ...tr-ensure-only-printable-characters-.patch | 40 +++++++++++++
 ...e-all-printed-strings-with-printable.patch | 59 +++++++++++++++++++
 main/busybox/APKBUILD                         | 12 +++-
 3 files changed, 108 insertions(+), 3 deletions(-)
 create mode 100644 main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
 create mode 100644 main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch

diff --git a/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch b/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
new file mode 100644
index 000000000000..1d1716e3b0c1
--- /dev/null
+++ b/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
@@ -0,0 +1,40 @@
+From 0c8da1bead8ffaf270b4b723ead2c517371405d7 Mon Sep 17 00:00:00 2001
+From: Ariadne Conill <ariadne@dereferenced.org>
+Date: Sun, 3 Apr 2022 12:14:33 +0000
+Subject: [PATCH 1/2] libbb: sockaddr2str: ensure only printable characters are
+ returned for the hostname part
+
+CVE: Pending
+Upstream-Status: Pending
+Signed-off-by: Ariadne Conill <ariadne@dereferenced.org>
+---
+ libbb/xconnect.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/libbb/xconnect.c b/libbb/xconnect.c
+index 0e0b247b8..02c061e67 100644
+--- a/libbb/xconnect.c
++++ b/libbb/xconnect.c
+@@ -497,8 +497,9 @@ static char* FAST_FUNC sockaddr2str(const struct sockaddr *sa, int flags)
+ 	);
+ 	if (rc)
+ 		return NULL;
++	/* ensure host contains only printable characters */
+ 	if (flags & IGNORE_PORT)
+-		return xstrdup(host);
++		return xstrdup(printable_string(host));
+ #if ENABLE_FEATURE_IPV6
+ 	if (sa->sa_family == AF_INET6) {
+ 		if (strchr(host, ':')) /* heh, it's not a resolved hostname */
+@@ -509,7 +510,7 @@ static char* FAST_FUNC sockaddr2str(const struct sockaddr *sa, int flags)
+ #endif
+ 	/* For now we don't support anything else, so it has to be INET */
+ 	/*if (sa->sa_family == AF_INET)*/
+-		return xasprintf("%s:%s", host, serv);
++		return xasprintf("%s:%s", printable_string(host), serv);
+ 	/*return xstrdup(host);*/
+ }
+ 
+-- 
+2.35.1
+
diff --git a/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch b/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch
new file mode 100644
index 000000000000..4be540d02624
--- /dev/null
+++ b/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch
@@ -0,0 +1,59 @@
+From 812b407e545b70b16cf32aade135b5c32eaf674f Mon Sep 17 00:00:00 2001
+From: Ariadne Conill <ariadne@dereferenced.org>
+Date: Sun, 3 Apr 2022 12:16:45 +0000
+Subject: [PATCH 2/2] nslookup: sanitize all printed strings with
+ printable_string
+
+Otherwise, terminal sequences can be injected, which enables various terminal injection
+attacks from DNS results.
+
+CVE: Pending
+Upstream-Status: Pending
+Signed-off-by: Ariadne Conill <ariadne@dereferenced.org>
+---
+ networking/nslookup.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/networking/nslookup.c b/networking/nslookup.c
+index 6da97baf4..4bdcde1b8 100644
+--- a/networking/nslookup.c
++++ b/networking/nslookup.c
+@@ -407,7 +407,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
+ 				//printf("Unable to uncompress domain: %s\n", strerror(errno));
+ 				return -1;
+ 			}
+-			printf(format, ns_rr_name(rr), dname);
++			printf(format, ns_rr_name(rr), printable_string(dname));
+ 			break;
+ 
+ 		case ns_t_mx:
+@@ -422,7 +422,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
+ 				//printf("Cannot uncompress MX domain: %s\n", strerror(errno));
+ 				return -1;
+ 			}
+-			printf("%s\tmail exchanger = %d %s\n", ns_rr_name(rr), n, dname);
++			printf("%s\tmail exchanger = %d %s\n", ns_rr_name(rr), n, printable_string(dname));
+ 			break;
+ 
+ 		case ns_t_txt:
+@@ -434,7 +434,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
+ 			if (n > 0) {
+ 				memset(dname, 0, sizeof(dname));
+ 				memcpy(dname, ns_rr_rdata(rr) + 1, n);
+-				printf("%s\ttext = \"%s\"\n", ns_rr_name(rr), dname);
++				printf("%s\ttext = \"%s\"\n", ns_rr_name(rr), printable_string(dname));
+ 			}
+ 			break;
+ 
+@@ -483,7 +483,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
+ 				return -1;
+ 			}
+ 
+-			printf("\tmail addr = %s\n", dname);
++			printf("\tmail addr = %s\n", printable_string(dname));
+ 			cp += n;
+ 
+ 			printf("\tserial = %lu\n", ns_get32(cp));
+-- 
+2.35.1
+
diff --git a/main/busybox/APKBUILD b/main/busybox/APKBUILD
index ae4c7b2c852e..1998d3dd4f8d 100644
--- a/main/busybox/APKBUILD
+++ b/main/busybox/APKBUILD
@@ -3,7 +3,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=busybox
 pkgver=1.31.1
-pkgrel=21
+pkgrel=22
 pkgdesc="Size optimized toolbox of many common UNIX utilities"
 url="https://busybox.net/"
 arch="all"
@@ -42,6 +42,9 @@ source="https://busybox.net/downloads/busybox-$pkgver.tar.bz2
 	CVE-2021-42374.patch
 	awk-fixes.patch
 
+	0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
+	0002-nslookup-sanitize-all-printed-strings-with-printable.patch
+
 	acpid.logrotate
 	busyboxconfig
 	busyboxconfig-extras
@@ -52,6 +55,9 @@ source="https://busybox.net/downloads/busybox-$pkgver.tar.bz2
 	"
 
 # secfixes:
+#   1.31.1-r22:
+#     - ALPINE-13661
+#     - CVE-2022-28391
 #   1.31.1-r21:
 #     - CVE-2021-42374
 #     - CVE-2021-42378
@@ -235,8 +241,6 @@ ssl_client() {
 	install -m755 "$_dyndir"/ssl_client \
 		"$subpkgdir"/usr/bin/ssl_client
 }
-
-
 sha512sums="
 0d1197c25d963d7f95ef21e08c06c0d6124ac7b59c99989e891f744ffee4878a3b1fe44a247241a9da39fa5de0ba87f1b6d862401b591f277e66e89c02764bbf  busybox-1.31.1.tar.bz2
 07e79138c80a12fd3c8770c4a1beaba986465b099816511d2de744b34f7457f22351d991f510cce8665effd651cca34a85f685ed52747313b3980ebf25988958  0001-ln-no-target-directory-implies-no-dereference.patch
@@ -259,6 +263,8 @@ d8926f0e4ed7d2fe5af89ff2a944d781b45b109c9edf1ef2591e7bce2a8bbadd7c8ca814cb3c928a
 90598077e3000efa92167d446211965737bd3ee8c9dc29b6a33ebbd7c2e2a52eaadd225a1695bc4375ae0ec90a533915926de5fa4364d880b6c99934d7b0f916  traceroute-opt-x.patch
 0e241dc63d49103569852089c07149a2ff2599331f988ca20e8f6f606e560795b919ceffb6b3f4f1aba56b688b969c52bfdc2d1deb7c6ec08deaf707771b996a  CVE-2021-42374.patch
 e4fae8467f2f3c6c3274a5f7e4b9d9c3e9742fe478379ae0096b5b0dc93a52e5a295acd2d4d12f0cc4679b3df5b5490076de5196a70cc4e17d8dbc829c57d903  awk-fixes.patch
+b52050678e79e4da856956906d07fcb620cbf35f2ef6b5a8ee3b8d244ea63b4b98eef505451184d5b4937740d91eef154ed748c30d329ac485be51b37626f251  0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
+017ed99fbf95debf6ab975ccf259590a79d86b999f4ae8ac39244e84881eff72abb99ac82209a02377b6b30bc552f3b673fe118752cbf349a42d3fb5a34e9cb1  0002-nslookup-sanitize-all-printed-strings-with-printable.patch
 aa93095e20de88730f526c6f463cef711b290b9582cdbd8c1ba2bd290019150cbeaa7007c2e15f0362d5b9315dd63f60511878f0ea05e893f4fdfb4a54af3fb1  acpid.logrotate
 33ee716a324a622e03ae3303afb50c856d0706a5e78923e313040e98513aaa311ecfbc1e4acf784eba9e35cc6f91fa72862bbbfe3b1f7c2a76f94b6f55cb13c0  busyboxconfig
 5f9739b9d0c1ba5d77e3153c373593a1bcb813cf466f951b00a2a040262e5077fb13c1a7aa17d67d1533a473bfcacc1a22833b7f491b4dde9dcb5638ad585f9a  busyboxconfig-extras
-- 
GitLab