oss-sec mailing list archives
Buildroot: Talos download hash verification vulnerabilities
From: Peter Korsgaard <peter () korsgaard com>
Date: Sun, 10 Dec 2023 23:59:47 +0100
Hello,

Talos recently published two vulnerability reports related to the hash verification of sources downloaded by Buildroot. These issues are fixed in Buildroot 2023.02.8 / 2023.08.4 / 2023.11.

The reports are:

https://talosintelligence.com/vulnerability_reports/TALOS-2023-1844
CVE-2023-45841, CVE-2023-45842, CVE-2023-45838, CVE-2023-45839, CVE-2023-45840

Multiple data integrity vulnerabilities exist in the package hash checking functionality of Buildroot 2023.08.1 and Buildroot dev commit 622698d7847. A specially crafted man-in-the-middle attack can lead to arbitrary command execution in the builder.

And:

https://talosintelligence.com/vulnerability_reports/TALOS-2023-1845
CVE-2023-43608

A data integrity vulnerability exists in the BR_NO_CHECK_HASH_FOR functionality of Buildroot 2023.08.1 and dev commit 622698d7847. A specially crafted man-in-the-middle attack can lead to arbitrary command execution in the builder.

A summary describing the fixes and new features for handling download hashes for custom package locations and versions has been posted to the mailing list:

https://lore.kernel.org/buildroot/87y1e7sq4u.fsf () 48ers dk/T/#u

(Included here in full):

Talos recently reported a number of security vulnerabilities in the package download hash checking in Buildroot, and these are now public at:

https://talosintelligence.com/vulnerability_reports/TALOS-2023-1844
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1845

A small number of packages did not have a .hash file, meaning that the downloaded sources were not verified, and for aufs + aufs-util they were downloaded from a http:// site, so conceptually vulnerable to a man-in-the-middle attack.

aufs/aufs-utils were changed to fetch from https by:

https://gitlab.com/buildroot.org/buildroot/-/commit/f2a590750f5bedcee48ce7beb8f35356b42eda11
https://gitlab.com/buildroot.org/buildroot/-/commit/99d525028f969220719a4e6bcd694f7d9cfd5b67

The fallback download location on source.buildroot.net was changed to use https:// by:

https://gitlab.com/buildroot.org/buildroot/-/commit/05296ced369bab8877efa624f3d9b4d201ba5b38

Hash files for riscv64-elf-toolchain and mxsldr were added by:

https://gitlab.com/buildroot.org/buildroot/-/commit/cf2dcaa1ecede670a0bc54841652a0e3bea5c744
https://gitlab.com/buildroot.org/buildroot/-/commit/fefcfddc5e6a265c66adbdff615558f99133f148

Which are all included in 2023.02.7 / 2023.08.3 / 2023.11.

Some packages allow a custom version or even a custom upstream location (e.g. Linux, U-Boot, versal-firmware, ..). For those custom versions Buildroot naturally cannot provide the expected hash, so instead we have added support for providing hashes for those files in the BR2_GLOBAL_PATCH_DIR location and added a BR2_DOWNLOAD_FORCE_CHECK_HASHES option to enforce hash checking (and fail if missing/invalid) for all downloads. This was added by:

https://gitlab.com/buildroot.org/buildroot/-/commit/5d36710e36fc4698c8fae71675bcff7395246006
https://gitlab.com/buildroot.org/buildroot/-/commit/e091e31831122b60b084bd755e94df4dfe7188d2

To make it easier to manage these custom hash files a utils/add-custom-hashes helper script has been added by:

https://gitlab.com/buildroot.org/buildroot/-/commit/4984d0f230d0962270beb195966603f1d5a56300

Which are all included in 2023.02.7 / 2023.08.3 / 2023.11.

See the documentation for further details about this feature:

https://buildroot.org/downloads/manual/manual.html#_adding_project_specific_patches_and_hashes

Notice that it is up to the user of Buildroot to use this feature to protect their custom downloads!

Finally the toradex_apalis_imx6_defconfig fetched Linux and U-Boot from a git:// URL, so custom hashes were added in the BR2_GLOBAL_PATCH_DIR for those by:

https://gitlab.com/buildroot.org/buildroot/-/commit/cdc9b8a3a75c4c39f23feb4e3b0e296786e0132c

Which is included in 2023.02.8 / 2023.08.4 / 2023.11.

Thanks to Talos for discovering and reporting these issues to us and to Yann E. MORIN for implementing the custom hash logic.

--
Bye, Peter Korsgaard
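The custom-hash mechanism the post describes, as an added example that is not part of Peter's message and not Buildroot's own support/download/check-hash or utils/add-custom-hashes code: a POSIX shell sketch that writes a Buildroot-style hash line ("algo  hexdigest  filename", two spaces between fields) for a downloaded tarball and then verifies a file against such a hash file, failing closed when no hash is listed, which is the behaviour the post says BR2_DOWNLOAD_FORCE_CHECK_HASHES enforces. The <pkg>/<pkg>.hash layout under BR2_GLOBAL_PATCH_DIR, the function names and the exit codes are assumptions of this example (the layout is taken from the manual linked above); the sample tarball contents are constructed.

```shell
#!/bin/sh
# Added example, not Buildroot's check-hash script. Mirrors the .hash file
# format Buildroot uses:
#   <algo>  <hex digest>  <filename>
# and the fail-closed behaviour of BR2_DOWNLOAD_FORCE_CHECK_HASHES.
# Assumes coreutils sha256sum/sha512sum. Exit codes are this example's choice.

# Print one hash line for FILE, suitable for appending to
# $BR2_GLOBAL_PATCH_DIR/<pkg>/<pkg>.hash (layout assumed from the manual).
br_hash_line() {
    algo=$1
    file=$2
    case "$algo" in
        sha256) sum=$(sha256sum "$file" | cut -d' ' -f1) ;;
        sha512) sum=$(sha512sum "$file" | cut -d' ' -f1) ;;
        *) echo "unsupported hash algorithm: $algo" >&2; return 2 ;;
    esac
    printf '%s  %s  %s\n' "$algo" "$sum" "$(basename "$file")"
}

# Verify FILE against HASHFILE.
#   0 - every listed digest for the file's basename matches
#   1 - a digest mismatches or an unknown algorithm is listed (tampered or MITM)
#   3 - no digest is listed for the file at all (fatal when forcing hash checks)
br_check_hash() {
    hashfile=$1
    file=$2
    name=$(basename "$file")
    found=0
    while read -r algo expected fname rest; do
        # Skip blank lines and comments.
        case "$algo" in ''|'#'*) continue ;; esac
        # Only lines naming this file are relevant.
        [ "$fname" = "$name" ] || continue
        found=1
        case "$algo" in
            sha256) actual=$(sha256sum "$file" | cut -d' ' -f1) ;;
            sha512) actual=$(sha512sum "$file" | cut -d' ' -f1) ;;
            *) echo "ERROR: unknown hash algorithm '$algo' for $name" >&2; return 1 ;;
        esac
        if [ "$actual" != "$expected" ]; then
            echo "ERROR: $algo mismatch for $name" >&2
            echo "  expected: $expected" >&2
            echo "  got:      $actual" >&2
            return 1
        fi
    done < "$hashfile"
    if [ "$found" -ne 1 ]; then
        echo "ERROR: no hash listed for $name in $hashfile" >&2
        return 3
    fi
    return 0
}
```

Typical use after downloading a custom Linux or U-Boot tarball once over a trusted channel: `br_hash_line sha256 dl/linux/linux-custom.tar.gz >> "$BR2_GLOBAL_PATCH_DIR/linux/linux.hash"`, then let every later build verify with `br_check_hash`. The important property is the exit code 3 path: a missing hash is an error, not a silent pass, which is exactly what makes an unverified http:// or git:// download visible instead of ignored.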