Merge pull request #104433 from j4m3s-s/master
busybox: 1.31.1 -> 1.32.0
This commit is contained in:
Sandro
GitHub
commit
826f08c65f
@ -1,71 +0,0 @@
|
||||
From c29b637b55c93214993f40b1a223233d40b8a7d6 Mon Sep 17 00:00:00 2001
|
||||
From: Maximilian Bosch <maximilian@mbosch.me>
|
||||
Date: Wed, 19 Feb 2020 22:32:28 +0100
|
||||
Subject: [PATCH] Fix build with glibc 2.31
|
||||
|
||||
This is derived from the corresponding upstream patch[1], however this
|
||||
one doesn't apply cleanly on busybox-1.31.1, so I rebased the patch
|
||||
locally and added it directly to nixpkgs.
|
||||
|
||||
[1] https://git.busybox.net/busybox/patch/?id=d3539be8f27b8cbfdfee460fe08299158f08bcd9
|
||||
---
|
||||
coreutils/date.c | 2 +-
|
||||
libbb/missing_syscalls.c | 8 --------
|
||||
util-linux/rdate.c | 8 ++++++--
|
||||
3 files changed, 7 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/coreutils/date.c b/coreutils/date.c
|
||||
index 3414d38..931b7f9 100644
|
||||
--- a/coreutils/date.c
|
||||
+++ b/coreutils/date.c
|
||||
@@ -303,7 +303,7 @@ int date_main(int argc UNUSED_PARAM, char **argv)
|
||||
ts.tv_sec = validate_tm_time(date_str, &tm_time);
|
||||
|
||||
/* if setting time, set it */
|
||||
- if ((opt & OPT_SET) && stime(&ts.tv_sec) < 0) {
|
||||
+ if ((opt & OPT_SET) && clock_settime(CLOCK_REALTIME, &ts) < 0) {
|
||||
bb_perror_msg("can't set date");
|
||||
}
|
||||
}
|
||||
diff --git a/libbb/missing_syscalls.c b/libbb/missing_syscalls.c
|
||||
index 87cf59b..dc40d91 100644
|
||||
--- a/libbb/missing_syscalls.c
|
||||
+++ b/libbb/missing_syscalls.c
|
||||
@@ -15,14 +15,6 @@ pid_t getsid(pid_t pid)
|
||||
return syscall(__NR_getsid, pid);
|
||||
}
|
||||
|
||||
-int stime(const time_t *t)
|
||||
-{
|
||||
- struct timeval tv;
|
||||
- tv.tv_sec = *t;
|
||||
- tv.tv_usec = 0;
|
||||
- return settimeofday(&tv, NULL);
|
||||
-}
|
||||
-
|
||||
int sethostname(const char *name, size_t len)
|
||||
{
|
||||
return syscall(__NR_sethostname, name, len);
|
||||
diff --git a/util-linux/rdate.c b/util-linux/rdate.c
|
||||
index 70f829e..878375d 100644
|
||||
--- a/util-linux/rdate.c
|
||||
+++ b/util-linux/rdate.c
|
||||
@@ -95,9 +95,13 @@ int rdate_main(int argc UNUSED_PARAM, char **argv)
|
||||
if (!(flags & 2)) { /* no -p (-s may be present) */
|
||||
if (time(NULL) == remote_time)
|
||||
bb_error_msg("current time matches remote time");
|
||||
- else
|
||||
- if (stime(&remote_time) < 0)
|
||||
+ else {
|
||||
+ struct timespec ts;
|
||||
+ ts.tv_sec = remote_time;
|
||||
+ ts.tv_nsec = 0;
|
||||
+ if (clock_settime(CLOCK_REALTIME, &ts) < 0)
|
||||
bb_perror_msg_and_die("can't set time of day");
|
||||
+ }
|
||||
}
|
||||
|
||||
if (flags != 1) /* not lone -s */
|
||||
--
|
||||
2.25.0
|
||||
|
||||
@ -1,94 +0,0 @@
|
||||
From 45fa3f18adf57ef9d743038743d9c90573aeeb91 Mon Sep 17 00:00:00 2001
|
||||
From: Dimitri John Ledkov <xnox@ubuntu.com>
|
||||
Date: Tue, 19 May 2020 18:20:39 +0100
|
||||
Subject: [PATCH] wget: implement TLS verification with
|
||||
ENABLE_FEATURE_WGET_OPENSSL
|
||||
|
||||
When ENABLE_FEATURE_WGET_OPENSSL is enabled, correctly implement TLS
|
||||
verification by default. And only ignore verification errors, if
|
||||
--no-check-certificate was passed.
|
||||
|
||||
Also note, that previously OPENSSL implementation did not implement
|
||||
TLS verification, nor printed any warning messages that verification
|
||||
was not performed.
|
||||
|
||||
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1879533
|
||||
|
||||
CVE-2018-1000500
|
||||
|
||||
Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
|
||||
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
|
||||
---
|
||||
networking/wget.c | 20 +++++++++++++++++---
|
||||
1 file changed, 17 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/networking/wget.c b/networking/wget.c
|
||||
index f2fc9e215..6a8c08324 100644
|
||||
--- a/networking/wget.c
|
||||
+++ b/networking/wget.c
|
||||
@@ -91,6 +91,9 @@
|
||||
//config: patches, but do want to waste bandwidth expaining how wrong
|
||||
//config: it is, you will be ignored.
|
||||
//config:
|
||||
+//config: FEATURE_WGET_OPENSSL does implement TLS verification
|
||||
+//config: using the certificates available to OpenSSL.
|
||||
+//config:
|
||||
//config:config FEATURE_WGET_OPENSSL
|
||||
//config: bool "Try to connect to HTTPS using openssl"
|
||||
//config: default y
|
||||
@@ -115,6 +118,9 @@
|
||||
//config: If openssl can't be executed, internal TLS code will be used
|
||||
//config: (if you enabled it); if openssl can be executed but fails later,
|
||||
//config: wget can't detect this, and download will fail.
|
||||
+//config:
|
||||
+//config: By default TLS verification is performed, unless
|
||||
+//config: --no-check-certificate option is passed.
|
||||
|
||||
//applet:IF_WGET(APPLET(wget, BB_DIR_USR_BIN, BB_SUID_DROP))
|
||||
|
||||
@@ -124,8 +130,11 @@
|
||||
//usage: IF_FEATURE_WGET_LONG_OPTIONS(
|
||||
//usage: "[-c|--continue] [--spider] [-q|--quiet] [-O|--output-document FILE]\n"
|
||||
//usage: " [-o|--output-file FILE] [--header 'header: value'] [-Y|--proxy on/off]\n"
|
||||
+//usage: IF_FEATURE_WGET_OPENSSL(
|
||||
+//usage: " [--no-check-certificate]\n"
|
||||
+//usage: )
|
||||
/* Since we ignore these opts, we don't show them in --help */
|
||||
-/* //usage: " [--no-check-certificate] [--no-cache] [--passive-ftp] [-t TRIES]" */
|
||||
+/* //usage: " [--no-cache] [--passive-ftp] [-t TRIES]" */
|
||||
/* //usage: " [-nv] [-nc] [-nH] [-np]" */
|
||||
//usage: " [-P DIR] [-S|--server-response] [-U|--user-agent AGENT]" IF_FEATURE_WGET_TIMEOUT(" [-T SEC]") " URL..."
|
||||
//usage: )
|
||||
@@ -137,7 +146,9 @@
|
||||
//usage: "Retrieve files via HTTP or FTP\n"
|
||||
//usage: IF_FEATURE_WGET_LONG_OPTIONS(
|
||||
//usage: "\n --spider Only check URL existence: $? is 0 if exists"
|
||||
-///////: "\n --no-check-certificate Don't validate the server's certificate"
|
||||
+//usage: IF_FEATURE_WGET_OPENSSL(
|
||||
+//usage: "\n --no-check-certificate Don't validate the server's certificate"
|
||||
+//usage: )
|
||||
//usage: )
|
||||
//usage: "\n -c Continue retrieval of aborted transfer"
|
||||
//usage: "\n -q Quiet"
|
||||
@@ -662,7 +673,7 @@ static int spawn_https_helper_openssl(const char *host, unsigned port)
|
||||
pid = xvfork();
|
||||
if (pid == 0) {
|
||||
/* Child */
|
||||
- char *argv[8];
|
||||
+ char *argv[9];
|
||||
|
||||
close(sp[0]);
|
||||
xmove_fd(sp[1], 0);
|
||||
@@ -689,6 +700,9 @@ static int spawn_https_helper_openssl(const char *host, unsigned port)
|
||||
argv[5] = (char*)"-servername";
|
||||
argv[6] = (char*)servername;
|
||||
}
|
||||
+ if (!(option_mask32 & WGET_OPT_NO_CHECK_CERT)) {
|
||||
+ argv[7] = (char*)"-verify_return_error";
|
||||
+ }
|
||||
|
||||
BB_EXECVP(argv[0], argv);
|
||||
xmove_fd(3, 2);
|
||||
--
|
||||
2.28.0
|
||||
|
||||
@ -48,17 +48,14 @@ let
|
||||
in
|
||||
|
||||
stdenv.mkDerivation rec {
|
||||
# TODO: When bumping this version, please validate whether the wget patch is present upstream
|
||||
# and remove the patch if it is. The patch should be present upstream for all versions 1.32.0+.
|
||||
# See NixOs/nixpkgs#94722 for context.
|
||||
name = "busybox-1.31.1";
|
||||
name = "busybox-1.32.0";
|
||||
|
||||
# Note to whoever is updating busybox: please verify that:
|
||||
# nix-build pkgs/stdenv/linux/make-bootstrap-tools.nix -A test
|
||||
# still builds after the update.
|
||||
src = fetchurl {
|
||||
url = "https://busybox.net/downloads/${name}.tar.bz2";
|
||||
sha256 = "1659aabzp8w4hayr4z8kcpbk2z1q2wqhw7i1yb0l72b45ykl1yfh";
|
||||
sha256 = "w12H8dBLKxU9M8J1wmMuQNOIqI8ZqecXJ+C7v/Uf5ok=";
|
||||
};
|
||||
|
||||
hardeningDisable = [ "format" "pie" ]
|
||||
@ -66,8 +63,6 @@ stdenv.mkDerivation rec {
|
||||
|
||||
patches = [
|
||||
./busybox-in-store.patch
|
||||
./0001-Fix-build-with-glibc-2.31.patch
|
||||
./0001-wget-implement-TLS-verification-with-ENABLE_FEATURE_.patch
|
||||
] ++ stdenv.lib.optional (stdenv.hostPlatform != stdenv.buildPlatform) ./clang-cross.patch;
|
||||
|
||||
postPatch = "patchShebangs .";
|
||||
|
||||
Loading…
Reference in New Issue
Block a user