Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <87edftoe8s.fsf@48ers.dk>
Date: Sun, 10 Dec 2023 23:59:47 +0100
From: Peter Korsgaard <peter@...sgaard.com>
To: oss-security@...ts.openwall.com
Subject: Buildroot: Talos download hash verification vulnerabilities

Hello,

Talos recently published two vulnerability reports related to the hash
verification of sources downloaded by Buildroot. These issues are fixed
in Buildroot 2023.02.8 / 2023.08.4 / 2023.11.

The reports are:

https://talosintelligence.com/vulnerability_reports/TALOS-2023-1844

CVE-2023-45841,CVE-2023-45842,CVE-2023-45838,CVE-2023-45839,CVE-2023-45840

Multiple data integrity vulnerabilities exist in the package hash
checking functionality of Buildroot 2023.08.1 and Buildroot dev commit
622698d7847. A specially crafted man-in-the-middle attack can lead to
arbitrary command execution in the builder.

And:

https://talosintelligence.com/vulnerability_reports/TALOS-2023-1845

CVE-2023-43608

A data integrity vulnerability exists in the BR_NO_CHECK_HASH_FOR
functionality of Buildroot 2023.08.1 and dev commit 622698d7847. A
specially crafted man-in-the-middle attack can lead to arbitrary command
execution in the builder.


A summary describing the fixes and new features for handling download
hashes for custom package locations and versions has been posted to the
mailing list:

https://lore.kernel.org/buildroot/87y1e7sq4u.fsf@48ers.dk/T/#u

(Included here in full):

Talos recently reported a number of security vulnerabilities in the
package download hash checking in Buildroot, and these are now public
at:

https://talosintelligence.com/vulnerability_reports/TALOS-2023-1844
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1845

A small number of packages did not have a .hash file, meaning that the
downloaded sources were not verified - And for aufs + aufs-util they
were downloaded from a http:// site, so conceptually vulnerable to a man
in the middle attack.

aufs/aufs-utils were changed to fetch from https by:

https://gitlab.com/buildroot.org/buildroot/-/commit/f2a590750f5bedcee48ce7beb8f35356b42eda11
https://gitlab.com/buildroot.org/buildroot/-/commit/99d525028f969220719a4e6bcd694f7d9cfd5b67

The fallback download location on source.buildroot.net was changed to
use https:// by:

https://gitlab.com/buildroot.org/buildroot/-/commit/05296ced369bab8877efa624f3d9b4d201ba5b38

Hash files for riscv64-elf-toolchain and mxsldr were added by:

https://gitlab.com/buildroot.org/buildroot/-/commit/cf2dcaa1ecede670a0bc54841652a0e3bea5c744
https://gitlab.com/buildroot.org/buildroot/-/commit/fefcfddc5e6a265c66adbdff615558f99133f148

Which are all included in 2023.02.7 / 2023.08.3 / 2023.11.


Some packages allow a custom version or even a custom upstream location
(E.G. Linux, U-Boot, versal-firmware, ..). For those custom versions
Buildroot naturally cannot provide the expected hash, so instead we have
added support for providing hashes for those files in the
BR2_GLOBAL_PATCH_DIR location and added a
BR2_DOWNLOAD_FORCE_CHECK_HASHES option to enforce hash checking (and
fail if missing/invalid) for all downloads. This was added by:

https://gitlab.com/buildroot.org/buildroot/-/commit/5d36710e36fc4698c8fae71675bcff7395246006
https://gitlab.com/buildroot.org/buildroot/-/commit/e091e31831122b60b084bd755e94df4dfe7188d2

To make it easier to manage these custom hash files a
utils/add-custom-hashes helper script has been added by:

https://gitlab.com/buildroot.org/buildroot/-/commit/4984d0f230d0962270beb195966603f1d5a56300

Which are all included in 2023.02.7 / 2023.08.3 / 2023.11.

See the documentation for further details about this feature:

https://buildroot.org/downloads/manual/manual.html#_adding_project_specific_patches_and_hashes

Notice that it is up to the user of Buildroot to use this feature to
protect their custom downloads!


Finally the toradex_apalis_imx6_defconfig fetched Linux and U-Boot from
a git:// URL, so custom hashes were added in the BR2_GLOBAL_PATCH_DIR
for those by:

https://gitlab.com/buildroot.org/buildroot/-/commit/cdc9b8a3a75c4c39f23feb4e3b0e296786e0132c

Which is included in 2023.02.8 / 2023.08.4 / 2023.11.


Thanks to Talos for discovering and reporting these issues to us and to
Yann E. MORIN for implementing the custom hash logic.

-- 
Bye, Peter Korsgaard

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.