5553223297
libhttp/url.c in shellinabox through 2.20 has an implementation flaw in the HTTP request parsing logic. By sending a crafted multipart/form-data HTTP request, an attacker could exploit this to force shellinaboxd into an infinite loop, exhausting available CPU resources and taking the service down. Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
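################################################################################
#
# shellinabox
#
################################################################################

# Buildroot package description for shellinabox. The stray "|" lines that
# the rendered listing put between statements are not make syntax and are
# dropped here; every assignment keeps its original name and value.

SHELLINABOX_VERSION = 2.20
SHELLINABOX_SITE = $(call github,shellinabox,shellinabox,v$(SHELLINABOX_VERSION))
SHELLINABOX_LICENSE = GPL-2.0 with OpenSSL exception
SHELLINABOX_LICENSE_FILES = COPYING GPL-2

# 0002-CVE-2018-16789-fix-for-broken-multipart-form-data.patch
#
# CVE-2018-16789: a crafted multipart/form-data request drives the HTTP
# request parser in libhttp/url.c into an infinite loop, exhausting CPU
# and taking shellinaboxd down. Upstream is affected through 2.20, which
# is the version packaged here, so the ignore entry below is only valid
# while the patch named above is carried and still applies. Drop this
# line together with the patch (for example on a version bump that
# contains the fix); otherwise CVE reporting for this package would hide
# a vulnerability that is no longer fixed.
SHELLINABOX_IGNORE_CVES += CVE-2018-16789

# Fetching from Github, and patching Makefile.am, so we need to autoreconf
SHELLINABOX_AUTORECONF = YES

# The OpenSSL support is supposed to be optional, but in practice,
# with OpenSSL disabled, it fails to build. See
# https://github.com/shellinabox/shellinabox/issues/385.
#
# NOTE(review): --disable-runtime-loading presumably makes the build link
# zlib and OpenSSL directly instead of loading them at run time, which
# would be why both are hard dependencies here; confirm against the
# upstream configure script.
SHELLINABOX_DEPENDENCIES = zlib openssl
SHELLINABOX_CONF_OPTS = \
	--disable-runtime-loading \
	--enable-ssl

# musl's implementation of utmpx is a dummy one, and some aspects of
# it cause build failures in shellinabox
ifeq ($(BR2_TOOLCHAIN_USES_MUSL),y)
SHELLINABOX_CONF_OPTS += --disable-utmp
endif

# Hands the variables above to Buildroot's autotools package
# infrastructure; this must stay the last statement of the file.
$(eval $(autotools-package))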