Update BusyBox (especially for CVE-2019-5021)

[tianon]

We should probably merge #5880 first so we can run that test against this and make sure it's actually fixed. 😄

[yosifkit]

Diff:

diff --git a/busybox_glibc/Dockerfile.builder b/busybox_glibc/Dockerfile.builder
index fb1e926..f270815 100644
--- a/busybox_glibc/Dockerfile.builder
+++ b/busybox_glibc/Dockerfile.builder
@@ -116,11 +116,15 @@ RUN set -ex \
 
 # download a few extra files from buildroot (/etc/passwd, etc)
 RUN set -ex; \
-	buildrootVersion='2019.02.1'; \
+	buildrootVersion='2019.02.2'; \
 	mkdir -p rootfs/etc; \
 	for f in passwd shadow group; do \
 		curl -fL -o "rootfs/etc/$f" "https://git.busybox.net/buildroot/plain/system/skeleton/etc/$f?id=$buildrootVersion"; \
 	done; \
+# CVE-2019-5021, https://github.com/docker-library/official-images/pull/5880#issuecomment-490681907
+	grep -E '^root::' rootfs/etc/shadow; \
+	sed -ri -e 's/^root::/root:*:/' rootfs/etc/shadow; \
+	grep -E '^root:[*]:' rootfs/etc/shadow; \
 # set expected permissions, etc too (https://git.busybox.net/buildroot/tree/system/device_table.txt)
 	curl -fL -o buildroot-device-table.txt "https://git.busybox.net/buildroot/plain/system/device_table.txt?id=$buildrootVersion"; \
 	awk ' \
diff --git a/busybox_glibc/busybox.tar.xz b/busybox_glibc/busybox.tar.xz
index 927ed1a..4c68ffb 100644
Binary files a/busybox_glibc/busybox.tar.xz and b/busybox_glibc/busybox.tar.xz differ
diff --git a/busybox_latest/Dockerfile.builder b/busybox_latest/Dockerfile.builder
index e12d59d..1242f0a 100644
--- a/busybox_latest/Dockerfile.builder
+++ b/busybox_latest/Dockerfile.builder
@@ -30,7 +30,7 @@ RUN gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys AB07D806D2CE7
 
 # https://buildroot.org/download.html
 # https://buildroot.org/downloads/?C=M;O=D
-ENV BUILDROOT_VERSION 2019.02.1
+ENV BUILDROOT_VERSION 2019.02.2
 
 RUN set -ex; \
 	tarball="buildroot-${BUILDROOT_VERSION}.tar.bz2"; \
@@ -244,6 +244,10 @@ RUN set -ex; \
 			"../buildroot/system/skeleton/etc/$f" \
 			"rootfs/etc/$f"; \
 	done; \
+# CVE-2019-5021, https://github.com/docker-library/official-images/pull/5880#issuecomment-490681907
+	grep -E '^root::' rootfs/etc/shadow; \
+	sed -ri -e 's/^root::/root:*:/' rootfs/etc/shadow; \
+	grep -E '^root:[*]:' rootfs/etc/shadow; \
 # set expected permissions, etc too (https://git.busybox.net/buildroot/tree/system/device_table.txt)
 	awk ' \
 		!/^#/ { \
@@ -257,7 +261,7 @@ RUN set -ex; \
 			} \
 			printf "chmod %s %s\n", $3, $1; \
 		} \
-	' "../buildroot/system/device_table.txt" | bash -Eeuo pipefail -x
+	' ../buildroot/system/device_table.txt | bash -Eeuo pipefail -x
 
 # create missing home directories
 RUN set -ex \
diff --git a/busybox_latest/busybox.tar.xz b/busybox_latest/busybox.tar.xz
index ecdf878..a844fe9 100644
Binary files a/busybox_latest/busybox.tar.xz and b/busybox_latest/busybox.tar.xz differ
diff --git a/busybox_musl/Dockerfile.builder b/busybox_musl/Dockerfile.builder
index 858b502..b21eda6 100644
--- a/busybox_musl/Dockerfile.builder
+++ b/busybox_musl/Dockerfile.builder
@@ -103,11 +103,15 @@ RUN set -x \
 
 # download a few extra files from buildroot (/etc/passwd, etc)
 RUN set -ex; \
-	buildrootVersion='2019.02.1'; \
+	buildrootVersion='2019.02.2'; \
 	mkdir -p rootfs/etc; \
 	for f in passwd shadow group; do \
 		curl -fL -o "rootfs/etc/$f" "https://git.busybox.net/buildroot/plain/system/skeleton/etc/$f?id=$buildrootVersion"; \
 	done; \
+# CVE-2019-5021, https://github.com/docker-library/official-images/pull/5880#issuecomment-490681907
+	grep -E '^root::' rootfs/etc/shadow; \
+	sed -ri -e 's/^root::/root:*:/' rootfs/etc/shadow; \
+	grep -E '^root:[*]:' rootfs/etc/shadow; \
 # set expected permissions, etc too (https://git.busybox.net/buildroot/tree/system/device_table.txt)
 	curl -fL -o buildroot-device-table.txt "https://git.busybox.net/buildroot/plain/system/device_table.txt?id=$buildrootVersion"; \
 	awk ' \
diff --git a/busybox_musl/busybox.tar.xz b/busybox_musl/busybox.tar.xz
index aeb4fa8..2e9013b 100644
Binary files a/busybox_musl/busybox.tar.xz and b/busybox_musl/busybox.tar.xz differ
diff --git a/busybox_uclibc/Dockerfile.builder b/busybox_uclibc/Dockerfile.builder
index e12d59d..1242f0a 100644
--- a/busybox_uclibc/Dockerfile.builder
+++ b/busybox_uclibc/Dockerfile.builder
@@ -30,7 +30,7 @@ RUN gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys AB07D806D2CE7
 
 # https://buildroot.org/download.html
 # https://buildroot.org/downloads/?C=M;O=D
-ENV BUILDROOT_VERSION 2019.02.1
+ENV BUILDROOT_VERSION 2019.02.2
 
 RUN set -ex; \
 	tarball="buildroot-${BUILDROOT_VERSION}.tar.bz2"; \
@@ -244,6 +244,10 @@ RUN set -ex; \
 			"../buildroot/system/skeleton/etc/$f" \
 			"rootfs/etc/$f"; \
 	done; \
+# CVE-2019-5021, https://github.com/docker-library/official-images/pull/5880#issuecomment-490681907
+	grep -E '^root::' rootfs/etc/shadow; \
+	sed -ri -e 's/^root::/root:*:/' rootfs/etc/shadow; \
+	grep -E '^root:[*]:' rootfs/etc/shadow; \
 # set expected permissions, etc too (https://git.busybox.net/buildroot/tree/system/device_table.txt)
 	awk ' \
 		!/^#/ { \
@@ -257,7 +261,7 @@ RUN set -ex; \
 			} \
 			printf "chmod %s %s\n", $3, $1; \
 		} \
-	' "../buildroot/system/device_table.txt" | bash -Eeuo pipefail -x
+	' ../buildroot/system/device_table.txt | bash -Eeuo pipefail -x
 
 # create missing home directories
 RUN set -ex \
diff --git a/busybox_uclibc/busybox.tar.xz b/busybox_uclibc/busybox.tar.xz
index ecdf878..a844fe9 100644
Binary files a/busybox_uclibc/busybox.tar.xz and b/busybox_uclibc/busybox.tar.xz differ

[yosifkit]

Build test of #5885; fff3922; amd64 (busybox):

$ bashbrew build busybox:1.30.1-uclibc
Building bashbrew/cache:2bfd7b9f9f914313525ee6032e3b0afbe51cbd5b12b1a93e9d4b3d478f58f230 (busybox:1.30.1-uclibc)
Tagging busybox:1.30.1-uclibc
Tagging busybox:1.30-uclibc
Tagging busybox:1-uclibc
Tagging busybox:uclibc

$ test/run.sh busybox:1.30.1-uclibc
testing busybox:1.30.1-uclibc
	'utc' [1/4]...passed
	'cve-2014--shellshock' [2/4]...passed
	'no-hard-coded-passwords' [3/4]...passed
	'override-cmd' [4/4]...passed


$ bashbrew build busybox:1.30.1-glibc
Building bashbrew/cache:33c63740a1974d4e4a33659d534037db742d8c8defc48824cb9837c772a57e23 (busybox:1.30.1-glibc)
Tagging busybox:1.30.1-glibc
Tagging busybox:1.30-glibc
Tagging busybox:1-glibc
Tagging busybox:glibc

$ test/run.sh busybox:1.30.1-glibc
testing busybox:1.30.1-glibc
	'utc' [1/4]...passed
	'cve-2014--shellshock' [2/4]...passed
	'no-hard-coded-passwords' [3/4]...passed
	'override-cmd' [4/4]...passed


$ bashbrew build busybox:1.30.1-musl
Building bashbrew/cache:de2939cdbf75a23e42151fced9104ce68609be5a3a7da91b3aa1857e911faeeb (busybox:1.30.1-musl)
Tagging busybox:1.30.1-musl
Tagging busybox:1.30-musl
Tagging busybox:1-musl
Tagging busybox:musl

$ test/run.sh busybox:1.30.1-musl
testing busybox:1.30.1-musl
	'utc' [1/4]...passed
	'cve-2014--shellshock' [2/4]...passed
	'no-hard-coded-passwords' [3/4]...passed
	'override-cmd' [4/4]...passed


$ bashbrew build busybox:1.30.1
Using bashbrew/cache:2bfd7b9f9f914313525ee6032e3b0afbe51cbd5b12b1a93e9d4b3d478f58f230 (busybox:1.30.1)
Tagging busybox:1.30.1
Tagging busybox:1.30
Tagging busybox:1
Tagging busybox:latest

$ test/run.sh busybox:1.30.1
testing busybox:1.30.1
	'utc' [1/4]...passed
	'cve-2014--shellshock' [2/4]...passed
	'no-hard-coded-passwords' [3/4]...passed
	'override-cmd' [4/4]...passed