Background:
Our project recently turned up two security vulnerabilities related to busybox:
busybox | 1.24.1 | 1.32.1 | CVE-2018-1000517 | Exact match | 7.5 | 9.8 | 2018-06-26T16:29:00Z | 2021-01-12T06:19:25Z | http://nvd.nist.gov/vuln/detail/CVE-2018-1000517 |
busybox | 1.24.1 | 1.32.1 | CVE-2016-2148 | Exact match | 7.5 | 9.8 | 2017-02-09T15:59:00Z | 2021-01-12T06:19:25Z | http://nvd.nist.gov/vuln/detail/CVE-2016-2148 |
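Solution:
Software platform: Android 9.0
Hardware platform: Allwinner T7
To fix the vulnerability, I needed to upgrade the busybox version. The whole process is recorded below:
1. Download the busybox source (https://busybox.net/) and choose the latest stable version.
2. Extract it into the root directory of the Android source tree.
3. Configure the build options (cross-compilation toolchain / static build):
make menuconfig
1) Build busybox as a static binary: CONFIG_STATIC=y
2) Set the absolute path of the cross-compilation toolchain
4. Build. When the build finishes, the busybox binary is available.
make
The config/busybox files are attached: https://download.csdn.net/download/android_sniper/14812553
5. Test
Push busybox to the Android system and run it. The output is as follows: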
# busybox
BusyBox v1.33.0 (2021-01-19 16:40:40 CST) multi-call binary.
BusyBox is copyrighted by many authors between 1998-2015.
Licensed under GPLv2. See source distribution for detailed
copyright notices.
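The following script is an added example, not part of the original write-up: it checks that the banner printed by the pushed binary reports a version at or above a minimum, and that the build configuration has the static and toolchain-prefix settings described in the configuration step. The function names, the sample `.config` lines and the toolchain prefix are constructed for illustration, and `MIN_VERSION` assumes that the second version in each scan row above is the minimum fixed version.

```shell
#!/bin/sh
# Added example (not from the original post): post-upgrade checks for the build above.
# Assumption: MIN_VERSION is the second version shown in each scan row.
MIN_VERSION="1.32.1"

# Constructed sample inputs: the banner from the test run, and .config lines
# with a placeholder toolchain prefix.
SAMPLE_BANNER='BusyBox v1.33.0 (2021-01-19 16:40:40 CST) multi-call binary.
BusyBox is copyrighted by many authors between 1998-2015.'
SAMPLE_CONFIG='CONFIG_STATIC=y
CONFIG_CROSS_COMPILER_PREFIX="/opt/toolchain/bin/arm-linux-"'

# Print the dotted version found in a busybox banner ($1), or nothing.
banner_version() {
    printf '%s\n' "$1" | sed -n 's/^BusyBox v\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 when dotted version $1 >= $2, comparing each field numerically
# (a plain string compare would rank 1.9.0 above 1.32.1).
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "$a" = "$x" ] && a="" || a=${a#*.}
        [ "$b" = "$y" ] && b="" || b=${b#*.}
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# Check .config text ($1): static build enabled, toolchain prefix absolute.
config_ok() {
    printf '%s\n' "$1" | grep -q '^CONFIG_STATIC=y$' || return 1
    printf '%s\n' "$1" | grep -q '^CONFIG_CROSS_COMPILER_PREFIX="/'
}

# $1 = banner text, $2 = .config text. Prints a verdict; non-zero on failure.
check_upgrade() {
    v=$(banner_version "$1")
    [ -n "$v" ] || { echo "no version found in banner"; return 2; }
    version_ge "$v" "$MIN_VERSION" || { echo "busybox $v is older than $MIN_VERSION"; return 1; }
    config_ok "$2" || { echo "config is not static or prefix is not absolute"; return 1; }
    echo "busybox $v ok"
}

check_upgrade "$SAMPLE_BANNER" "$SAMPLE_CONFIG"
```

On a real device, pass the output of `busybox` and the contents of the build tree's `.config` in place of the sample strings.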