Diffstat (limited to 'nixpkgs/pkgs/os-specific/linux/busybox')
-rw-r--r--nixpkgs/pkgs/os-specific/linux/busybox/0001-Fix-build-with-glibc-2.31.patch71
-rw-r--r--nixpkgs/pkgs/os-specific/linux/busybox/0001-wget-implement-TLS-verification-with-ENABLE_FEATURE_.patch94
-rw-r--r--nixpkgs/pkgs/os-specific/linux/busybox/default.nix35
3 files changed, 198 insertions, 2 deletions
diff --git a/nixpkgs/pkgs/os-specific/linux/busybox/0001-Fix-build-with-glibc-2.31.patch b/nixpkgs/pkgs/os-specific/linux/busybox/0001-Fix-build-with-glibc-2.31.patch
new file mode 100644
index 00000000000..029333b57e4
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/busybox/0001-Fix-build-with-glibc-2.31.patch
@@ -0,0 +1,71 @@
+From c29b637b55c93214993f40b1a223233d40b8a7d6 Mon Sep 17 00:00:00 2001
+From: Maximilian Bosch <maximilian@mbosch.me>
+Date: Wed, 19 Feb 2020 22:32:28 +0100
+Subject: [PATCH] Fix build with glibc 2.31
+
+This is derived from the corresponding upstream patch[1], however this
+one doesn't apply cleanly on busybox-1.31.1, so I rebased the patch
+locally and added it directly to nixpkgs.
+
+[1] https://git.busybox.net/busybox/patch/?id=d3539be8f27b8cbfdfee460fe08299158f08bcd9
+---
+ coreutils/date.c | 2 +-
+ libbb/missing_syscalls.c | 8 --------
+ util-linux/rdate.c | 8 ++++++--
+ 3 files changed, 7 insertions(+), 11 deletions(-)
+
+diff --git a/coreutils/date.c b/coreutils/date.c
+index 3414d38..931b7f9 100644
+--- a/coreutils/date.c
++++ b/coreutils/date.c
+@@ -303,7 +303,7 @@ int date_main(int argc UNUSED_PARAM, char **argv)
+ ts.tv_sec = validate_tm_time(date_str, &tm_time);
+
+ /* if setting time, set it */
+- if ((opt & OPT_SET) && stime(&ts.tv_sec) < 0) {
++ if ((opt & OPT_SET) && clock_settime(CLOCK_REALTIME, &ts) < 0) {
+ bb_perror_msg("can't set date");
+ }
+ }
+diff --git a/libbb/missing_syscalls.c b/libbb/missing_syscalls.c
+index 87cf59b..dc40d91 100644
+--- a/libbb/missing_syscalls.c
++++ b/libbb/missing_syscalls.c
+@@ -15,14 +15,6 @@ pid_t getsid(pid_t pid)
+ return syscall(__NR_getsid, pid);
+ }
+
+-int stime(const time_t *t)
+-{
+- struct timeval tv;
+- tv.tv_sec = *t;
+- tv.tv_usec = 0;
+- return settimeofday(&tv, NULL);
+-}
+-
+ int sethostname(const char *name, size_t len)
+ {
+ return syscall(__NR_sethostname, name, len);
+diff --git a/util-linux/rdate.c b/util-linux/rdate.c
+index 70f829e..878375d 100644
+--- a/util-linux/rdate.c
++++ b/util-linux/rdate.c
+@@ -95,9 +95,13 @@ int rdate_main(int argc UNUSED_PARAM, char **argv)
+ if (!(flags & 2)) { /* no -p (-s may be present) */
+ if (time(NULL) == remote_time)
+ bb_error_msg("current time matches remote time");
+- else
+- if (stime(&remote_time) < 0)
++ else {
++ struct timespec ts;
++ ts.tv_sec = remote_time;
++ ts.tv_nsec = 0;
++ if (clock_settime(CLOCK_REALTIME, &ts) < 0)
+ bb_perror_msg_and_die("can't set time of day");
++ }
+ }
+
+ if (flags != 1) /* not lone -s */
+--
+2.25.0
+
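Review bot: The date.c part of this patch hands `&ts` to `clock_settime()` without touching `ts.tv_nsec` anywhere in the hunk, whereas the rdate.c part of the same patch explicitly writes `ts.tv_nsec = 0;` before its call; `stime()` only ever read `tv_sec`, so an uninitialised or out-of-range `tv_nsec` would now make `clock_settime()` fail with EINVAL and print "can't set date". If `tv_nsec` is already filled earlier in `date_main` (outside this hunk, presumably where the current time is read into `ts`), a one-line comment next to the new call saying so would stop the question coming up on the next rebase of this backport; otherwise add `ts.tv_nsec = 0;` immediately before it, mirroring rdate.c. Both `date_main` and `rdate_main` start and end outside the hunk.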
diff --git a/nixpkgs/pkgs/os-specific/linux/busybox/0001-wget-implement-TLS-verification-with-ENABLE_FEATURE_.patch b/nixpkgs/pkgs/os-specific/linux/busybox/0001-wget-implement-TLS-verification-with-ENABLE_FEATURE_.patch
new file mode 100644
index 00000000000..d11cd670d5e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/busybox/0001-wget-implement-TLS-verification-with-ENABLE_FEATURE_.patch
@@ -0,0 +1,94 @@
+From 45fa3f18adf57ef9d743038743d9c90573aeeb91 Mon Sep 17 00:00:00 2001
+From: Dimitri John Ledkov <xnox@ubuntu.com>
+Date: Tue, 19 May 2020 18:20:39 +0100
+Subject: [PATCH] wget: implement TLS verification with
+ ENABLE_FEATURE_WGET_OPENSSL
+
+When ENABLE_FEATURE_WGET_OPENSSL is enabled, correctly implement TLS
+verification by default. And only ignore verification errors, if
+--no-check-certificate was passed.
+
+Also note, that previously OPENSSL implementation did not implement
+TLS verification, nor printed any warning messages that verification
+was not performed.
+
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1879533
+
+CVE-2018-1000500
+
+Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+---
+ networking/wget.c | 20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+diff --git a/networking/wget.c b/networking/wget.c
+index f2fc9e215..6a8c08324 100644
+--- a/networking/wget.c
++++ b/networking/wget.c
+@@ -91,6 +91,9 @@
+ //config: patches, but do want to waste bandwidth expaining how wrong
+ //config: it is, you will be ignored.
+ //config:
++//config: FEATURE_WGET_OPENSSL does implement TLS verification
++//config: using the certificates available to OpenSSL.
++//config:
+ //config:config FEATURE_WGET_OPENSSL
+ //config: bool "Try to connect to HTTPS using openssl"
+ //config: default y
+@@ -115,6 +118,9 @@
+ //config: If openssl can't be executed, internal TLS code will be used
+ //config: (if you enabled it); if openssl can be executed but fails later,
+ //config: wget can't detect this, and download will fail.
++//config:
++//config: By default TLS verification is performed, unless
++//config: --no-check-certificate option is passed.
+
+ //applet:IF_WGET(APPLET(wget, BB_DIR_USR_BIN, BB_SUID_DROP))
+
+@@ -124,8 +130,11 @@
+ //usage: IF_FEATURE_WGET_LONG_OPTIONS(
+ //usage: "[-c|--continue] [--spider] [-q|--quiet] [-O|--output-document FILE]\n"
+ //usage: " [-o|--output-file FILE] [--header 'header: value'] [-Y|--proxy on/off]\n"
++//usage: IF_FEATURE_WGET_OPENSSL(
++//usage: " [--no-check-certificate]\n"
++//usage: )
+ /* Since we ignore these opts, we don't show them in --help */
+-/* //usage: " [--no-check-certificate] [--no-cache] [--passive-ftp] [-t TRIES]" */
++/* //usage: " [--no-cache] [--passive-ftp] [-t TRIES]" */
+ /* //usage: " [-nv] [-nc] [-nH] [-np]" */
+ //usage: " [-P DIR] [-S|--server-response] [-U|--user-agent AGENT]" IF_FEATURE_WGET_TIMEOUT(" [-T SEC]") " URL..."
+ //usage: )
+@@ -137,7 +146,9 @@
+ //usage: "Retrieve files via HTTP or FTP\n"
+ //usage: IF_FEATURE_WGET_LONG_OPTIONS(
+ //usage: "\n --spider Only check URL existence: $? is 0 if exists"
+-///////: "\n --no-check-certificate Don't validate the server's certificate"
++//usage: IF_FEATURE_WGET_OPENSSL(
++//usage: "\n --no-check-certificate Don't validate the server's certificate"
++//usage: )
+ //usage: )
+ //usage: "\n -c Continue retrieval of aborted transfer"
+ //usage: "\n -q Quiet"
+@@ -662,7 +673,7 @@ static int spawn_https_helper_openssl(const char *host, unsigned port)
+ pid = xvfork();
+ if (pid == 0) {
+ /* Child */
+- char *argv[8];
++ char *argv[9];
+
+ close(sp[0]);
+ xmove_fd(sp[1], 0);
+@@ -689,6 +700,9 @@ static int spawn_https_helper_openssl(const char *host, unsigned port)
+ argv[5] = (char*)"-servername";
+ argv[6] = (char*)servername;
+ }
++ if (!(option_mask32 & WGET_OPT_NO_CHECK_CERT)) {
++ argv[7] = (char*)"-verify_return_error";
++ }
+
+ BB_EXECVP(argv[0], argv);
+ xmove_fd(3, 2);
+--
+2.28.0
+
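Review bot: `-verify_return_error` is stored in the fixed slot `argv[7]`, but `argv[5]` and `argv[6]` are only filled inside the block that closes on the line just above the new code (the `-servername` case; its condition is outside the hunk). When that block is skipped, `argv[5]` stays NULL, the argument vector seen by `BB_EXECVP` ends there, and the verification flag is silently dropped for exactly those hosts — the opposite of what the config text added earlier in the patch promises. Replace the fixed slots with a running index, e.g. `int n = 5;` before the block and `argv[n++] = ...` in both the `-servername` and the `-verify_return_error` assignments, so the flag lands right after whatever was emitted. Separately, `-verify_return_error` only makes chain-validation failures fatal; `openssl s_client` does not check that the leaf certificate matches the requested host unless `-verify_hostname` is also passed, so the help text "By default TLS verification is performed" overstates what is enforced here and should either be narrowed or the option added (with `argv` grown accordingly). The NULL terminator at `argv[8]` relies on the array being zeroed outside the hunk; confirm that initialisation is `sizeof`-based so it covers the enlarged array, and note that `spawn_https_helper_openssl` starts and ends outside the hunk.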
diff --git a/nixpkgs/pkgs/os-specific/linux/busybox/default.nix b/nixpkgs/pkgs/os-specific/linux/busybox/default.nix
index 430066831b8..599754129b4 100644
--- a/nixpkgs/pkgs/os-specific/linux/busybox/default.nix
+++ b/nixpkgs/pkgs/os-specific/linux/busybox/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, lib, buildPackages, fetchurl
+{ stdenv, lib, buildPackages, fetchurl, fetchFromGitLab
, enableStatic ? false
, enableMinimal ? false
# Allow forcing musl without switching stdenv itself, e.g. for our bootstrapping:
@@ -31,9 +31,26 @@ let
CONFIG_FEATURE_UTMP n
CONFIG_FEATURE_WTMP n
'';
+
+ # The debian version lacks behind the upstream version and also contains
+ # a debian-specific suffix. We only fetch the debian repository to get the
+ # default.script
+ debianVersion = "1.30.1-6";
+ debianSource = fetchFromGitLab {
+ domain = "salsa.debian.org";
+ owner = "installer-team";
+ repo = "busybox";
+ rev = "debian/1%${debianVersion}";
+ sha256 = "sha256-6r0RXtmqGXtJbvLSD1Ma1xpqR8oXL2bBKaUE/cSENL8=";
+ };
+ debianDispatcherScript = "${debianSource}/debian/tree/udhcpc/etc/udhcpc/default.script";
+ outDispatchPath = "$out/default.script";
in
stdenv.mkDerivation rec {
+ # TODO: When bumping this version, please validate whether the wget patch is present upstream
+ # and remove the patch if it is. The patch should be present upstream for all versions 1.32.0+.
+ # See NixOs/nixpkgs#94722 for context.
name = "busybox-1.31.1";
# Note to whoever is updating busybox: please verify that:
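Review bot: The comment introducing `debianVersion` says "lacks behind"; the intended phrase is "lags behind", i.e. `# The debian version lags behind the upstream version and also contains`. The `rev = "debian/1%${debianVersion}"` string also deserves a short note, since the `1%` is Debian's tag encoding of the `1:` epoch (colon is not legal in git refs) and a reader may otherwise take it for a typo or an unescaped URL character; the pinned `sha256` guards the fetch either way.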
@@ -49,6 +66,8 @@ stdenv.mkDerivation rec {
patches = [
./busybox-in-store.patch
+ ./0001-Fix-build-with-glibc-2.31.patch
+ ./0001-wget-implement-TLS-verification-with-ENABLE_FEATURE_.patch
] ++ stdenv.lib.optional (stdenv.hostPlatform != stdenv.buildPlatform) ./clang-cross.patch;
postPatch = "patchShebangs .";
@@ -80,6 +99,9 @@ stdenv.mkDerivation rec {
# Bump from 4KB, much faster I/O
CONFIG_FEATURE_COPYBUF_KB 64
+ # Set the path for the udhcpc script
+ CONFIG_UDHCPC_DEFAULT_SCRIPT "${outDispatchPath}"
+
${extraConfig}
CONFIG_CROSS_COMPILER_PREFIX "${stdenv.cc.targetPrefix}"
${libcConfig}
@@ -94,6 +116,15 @@ stdenv.mkDerivation rec {
makeFlagsArray+=("CC=${stdenv.cc.targetPrefix}cc -isystem ${musl.dev}/include -B${musl}/lib -L${musl}/lib")
'';
+ postInstall = ''
+ sed -e '
+ 1 a busybox() { '$out'/bin/busybox "$@"; }\
+ logger() { '$out'/bin/logger "$@"; }\
+ ' ${debianDispatcherScript} > ${outDispatchPath}
+ chmod 555 ${outDispatchPath}
+ PATH=$out/bin patchShebangs ${outDispatchPath}
+ '';
+
depsBuildBuild = [ buildPackages.stdenv.cc ];
buildInputs = lib.optionals (enableStatic && !useMusl && stdenv.cc.libc ? static) [ stdenv.cc.libc stdenv.cc.libc.static ];
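Review bot: The sed edit in `postInstall` has no comment explaining its purpose: it prepends shell functions `busybox()` and `logger()` to Debian's udhcpc dispatcher script so those names resolve to this derivation's binaries instead of whatever is on the runtime PATH, and `PATH=$out/bin patchShebangs` pins the script's interpreter the same way. A comment above `postInstall` such as `# Install Debian's udhcpc default.script, forcing it to use this package's busybox and logger regardless of the caller's PATH` would spare the next maintainer from reverse-engineering the sed program. The `'$out'` splice is unquoted inside the sed script, which is only safe because Nix store paths contain no whitespace or quote characters; a brief remark to that effect would make the assumption explicit.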
@@ -106,7 +137,7 @@ stdenv.mkDerivation rec {
description = "Tiny versions of common UNIX utilities in a single small executable";
homepage = "https://busybox.net/";
license = licenses.gpl2;
- maintainers = with maintainers; [ ];
+ maintainers = with maintainers; [ TethysSvensson ];
platforms = platforms.linux;
priority = 10;
};