Message-ID: <87edftoe8s.fsf@48ers.dk>
Date: Sun, 10 Dec 2023 23:59:47 +0100
From: Peter Korsgaard <peter@...sgaard.com>
To: oss-security@...ts.openwall.com
Subject: Buildroot: Talos download hash verification vulnerabilities

Hello,

Talos recently published two vulnerability reports related to the hash
verification of sources downloaded by Buildroot. These issues are fixed
in Buildroot 2023.02.8 / 2023.08.4 / 2023.11.

The reports are:

https://talosintelligence.com/vulnerability_reports/TALOS-2023-1844
CVE-2023-45841, CVE-2023-45842, CVE-2023-45838, CVE-2023-45839, CVE-2023-45840

  Multiple data integrity vulnerabilities exist in the package hash
  checking functionality of Buildroot 2023.08.1 and Buildroot dev commit
  622698d7847. A specially crafted man-in-the-middle attack can lead to
  arbitrary command execution in the builder.

And:

https://talosintelligence.com/vulnerability_reports/TALOS-2023-1845
CVE-2023-43608

  A data integrity vulnerability exists in the BR_NO_CHECK_HASH_FOR
  functionality of Buildroot 2023.08.1 and dev commit 622698d7847. A
  specially crafted man-in-the-middle attack can lead to arbitrary
  command execution in the builder.

A summary describing the fixes and the new features for handling
download hashes for custom package locations and versions has been
posted to the mailing list:

https://lore.kernel.org/buildroot/87y1e7sq4u.fsf@48ers.dk/T/#u

(Included here in full):

  Talos recently reported a number of security vulnerabilities in the
  package download hash checking in Buildroot, and these are now public
  at:

  https://talosintelligence.com/vulnerability_reports/TALOS-2023-1844
  https://talosintelligence.com/vulnerability_reports/TALOS-2023-1845

  A small number of packages did not have a .hash file, meaning that the
  downloaded sources were not verified, and aufs + aufs-util were
  additionally downloaded from an http:// site, so conceptually
  vulnerable to a man-in-the-middle attack.

  aufs/aufs-utils were changed to fetch from https by:

  https://gitlab.com/buildroot.org/buildroot/-/commit/f2a590750f5bedcee48ce7beb8f35356b42eda11
  https://gitlab.com/buildroot.org/buildroot/-/commit/99d525028f969220719a4e6bcd694f7d9cfd5b67

  The fallback download location on source.buildroot.net was changed to
  use https:// by:

  https://gitlab.com/buildroot.org/buildroot/-/commit/05296ced369bab8877efa624f3d9b4d201ba5b38

  Hash files for riscv64-elf-toolchain and mxsldr were added by:

  https://gitlab.com/buildroot.org/buildroot/-/commit/cf2dcaa1ecede670a0bc54841652a0e3bea5c744
  https://gitlab.com/buildroot.org/buildroot/-/commit/fefcfddc5e6a265c66adbdff615558f99133f148

  Which are all included in 2023.02.7 / 2023.08.3 / 2023.11.

  Some packages allow a custom version or even a custom upstream
  location (e.g. Linux, U-Boot, versal-firmware, ..). For those custom
  versions Buildroot naturally cannot provide the expected hash, so
  instead we have added support for providing hashes for those files in
  the BR2_GLOBAL_PATCH_DIR location, and added a
  BR2_DOWNLOAD_FORCE_CHECK_HASHES option to enforce hash checking (and
  fail if a hash is missing or invalid) for all downloads. This was
  added by:

  https://gitlab.com/buildroot.org/buildroot/-/commit/5d36710e36fc4698c8fae71675bcff7395246006
  https://gitlab.com/buildroot.org/buildroot/-/commit/e091e31831122b60b084bd755e94df4dfe7188d2

  To make it easier to manage these custom hash files, a
  utils/add-custom-hashes helper script has been added by:

  https://gitlab.com/buildroot.org/buildroot/-/commit/4984d0f230d0962270beb195966603f1d5a56300

  Which are all included in 2023.02.7 / 2023.08.3 / 2023.11.

  See the documentation for further details about this feature:

  https://buildroot.org/downloads/manual/manual.html#_adding_project_specific_patches_and_hashes

  Notice that it is up to the user of Buildroot to use this feature to
  protect their custom downloads!

  Finally, the toradex_apalis_imx6_defconfig fetched Linux and U-Boot
  from a git:// URL, so custom hashes were added in the
  BR2_GLOBAL_PATCH_DIR for those by:

  https://gitlab.com/buildroot.org/buildroot/-/commit/cdc9b8a3a75c4c39f23feb4e3b0e296786e0132c

  Which is included in 2023.02.8 / 2023.08.4 / 2023.11.

Thanks to Talos for discovering and reporting these issues to us and to
Yann E. MORIN for implementing the custom hash logic.

--
Bye, Peter Korsgaard
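The advisory's fix boils down to two behaviours: a download is only trusted when a matching line exists in a .hash file, and with BR2_DOWNLOAD_FORCE_CHECK_HASHES set a download with no hash at all is a failure rather than a warning. The script below is an added example written for this page, not Buildroot's own support/download/check-hash script or its utils/add-custom-hashes helper. It follows only the ".hash" line format (`<algorithm>  <hex digest>  <filename>`, with `#` comment lines) and the force-check semantics described above; the file names, the temporary directory layout and the FORCE argument that stands in for BR2_DOWNLOAD_FORCE_CHECK_HASHES are constructed for the demo.

```shell
#!/bin/sh
# Added example (not Buildroot code): verify a downloaded file against a
# Buildroot-style .hash file and model BR2_DOWNLOAD_FORCE_CHECK_HASHES.
#
# check_hash HASHFILE DOWNLOADED_FILE FORCE
#   exit 0  : a sha256 line for the file exists and matches
#   exit 0  : no line exists, FORCE is empty  (warning only, as before the fix)
#   exit 1  : no line exists, FORCE is non-empty (force-check behaviour)
#   exit 1  : a line exists but the digest differs (tampered/corrupt download)
check_hash() {
    hashfile=$1; file=$2; force=$3
    base=$(basename "$file")
    actual=$(sha256sum "$file" | cut -d' ' -f1)

    if [ -f "$hashfile" ]; then
        # Each line: "<algo>  <digest>  <filename>"; '#' starts a comment.
        while read -r algo expected name; do
            case "$algo" in ''|'#'*) continue ;; esac
            [ "$algo" = sha256 ] && [ "$name" = "$base" ] || continue
            if [ "$expected" = "$actual" ]; then
                echo "OK: $base sha256 verified"
                return 0
            fi
            echo "ERROR: $base sha256 mismatch: expected $expected, got $actual" >&2
            return 1
        done < "$hashfile"
    fi

    # No usable line for this file: the outcome depends on force-check.
    if [ -n "$force" ]; then
        echo "ERROR: no hash for $base and force-check is enabled" >&2
        return 1
    fi
    echo "WARNING: no hash for $base, download left unverified" >&2
    return 0
}

# Constructed demo data: a stand-in "custom Linux tarball" and the .hash
# file a user would keep under BR2_GLOBAL_PATCH_DIR for it. The digest is
# computed locally, which is what utils/add-custom-hashes does for you.
demo_dir=$(mktemp -d)
printf 'constructed tarball contents\n' > "$demo_dir/linux-custom.tar.gz"
good=$(sha256sum "$demo_dir/linux-custom.tar.gz" | cut -d' ' -f1)
printf '# constructed hash file for the custom Linux download\nsha256  %s  linux-custom.tar.gz\n' \
    "$good" > "$demo_dir/linux.hash"

# Untampered download, hash present: verified.
check_hash "$demo_dir/linux.hash" "$demo_dir/linux-custom.tar.gz" "" || :
# Second download with no hash line: warning without force, error with it.
printf 'another constructed download\n' > "$demo_dir/uboot-custom.tar.gz"
check_hash "$demo_dir/linux.hash" "$demo_dir/uboot-custom.tar.gz" "" || :
check_hash "$demo_dir/linux.hash" "$demo_dir/uboot-custom.tar.gz" y || :
```

The point of the last two calls is the one the advisory makes: a missing .hash entry is silently tolerated unless force-checking is turned on, so a project that overrides package versions or upstream locations gets no integrity protection until it both adds the custom hashes and enables BR2_DOWNLOAD_FORCE_CHECK_HASHES.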