From: Peter Marko Date: Fri, 3 Oct 2025 18:25:33 +0000 (+0200) Subject: busybox: patch CVE-2025-46394 X-Git-Tag: uninative-5.0~90 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7b71962c282d296e29bc1bd6ab778b8ad2646919;p=thirdparty%2Fopenembedded%2Fopenembedded-core.git busybox: patch CVE-2025-46394 Pick commit mentioning this CVE. Signed-off-by: Peter Marko Signed-off-by: Mathieu Dubois-Briand Signed-off-by: Richard Purdie --- diff --git a/meta/recipes-core/busybox/busybox/CVE-2025-46394-01.patch b/meta/recipes-core/busybox/busybox/CVE-2025-46394-01.patch new file mode 100644 index 0000000000..c95cba3c33 --- /dev/null +++ b/meta/recipes-core/busybox/busybox/CVE-2025-46394-01.patch @@ -0,0 +1,57 @@ +From f5e1bf966b19ea1821f00a8c9ecd7774598689b4 Mon Sep 17 00:00:00 2001 +From: Denys Vlasenko +Date: Wed, 24 Sep 2025 03:28:47 +0200 +Subject: [PATCH] archival/libarchive: sanitize filenames on output (prevent + control sequence attacks + +This fixes CVE-2025-46394 (terminal escape sequence injection) + +Original credit: Ian.Norton at entrust.com + +function old new delta +header_list 9 15 +6 +header_verbose_list 239 244 +5 +------------------------------------------------------------------------------ +(add/remove: 0/0 grow/shrink: 2/0 up/down: 11/0) Total: 11 bytes + +Signed-off-by: Denys Vlasenko + +CVE: CVE-2025-46394 +Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=f5e1bf966b19ea1821f00a8c9ecd7774598689b4] +Signed-off-by: Peter Marko +--- + archival/libarchive/header_list.c | 2 +- + archival/libarchive/header_verbose_list.c | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/archival/libarchive/header_list.c b/archival/libarchive/header_list.c +index 0621aa406..9490b3635 100644 +--- a/archival/libarchive/header_list.c ++++ b/archival/libarchive/header_list.c +@@ -8,5 +8,5 @@ + void FAST_FUNC header_list(const file_header_t *file_header) + { + //TODO: cpio -vp DIR should output "DIR/NAME", not just "NAME" */ +- puts(file_header->name); ++ puts(printable_string(file_header->name)); + } +diff --git a/archival/libarchive/header_verbose_list.c b/archival/libarchive/header_verbose_list.c +index a575a08a0..e7a09430d 100644 +--- a/archival/libarchive/header_verbose_list.c ++++ b/archival/libarchive/header_verbose_list.c +@@ -57,13 +57,13 @@ void FAST_FUNC header_verbose_list(const file_header_t *file_header) + ptm->tm_hour, + ptm->tm_min, + ptm->tm_sec, +- file_header->name); ++ printable_string(file_header->name)); + + #endif /* FEATURE_TAR_UNAME_GNAME */ + + /* NB: GNU tar shows "->" for symlinks and "link to" for hardlinks */ + if (file_header->link_target) { +- printf(" -> %s", file_header->link_target); ++ printf(" -> %s", printable_string(file_header->link_target)); + } + bb_putchar('\n'); + } diff --git a/meta/recipes-core/busybox/busybox/CVE-2025-46394-02.patch b/meta/recipes-core/busybox/busybox/CVE-2025-46394-02.patch new file mode 100644 index 0000000000..ec17b9285a --- /dev/null +++ b/meta/recipes-core/busybox/busybox/CVE-2025-46394-02.patch @@ -0,0 +1,32 @@ +From 7378db981d87b4a2264e14d60340a7fb5c67ae59 Mon Sep 17 00:00:00 2001 +From: Peter Marko +Date: Fri, 3 Oct 2025 16:12:56 +0200 +Subject: [PATCH] testsuite/tar.tests: fix test after CVE-2025-46394 + +tar now sanitizes output and this test needs to expect that. + +Signed-off-by: Peter Marko + +CVE: CVE-2025-46394 +Upstream-Status: Submitted [https://lists.busybox.net/pipermail/busybox/2025-October/091743.html] +Signed-off-by: Peter Marko +--- + testsuite/tar.tests | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/testsuite/tar.tests b/testsuite/tar.tests +index 0f2e89112..48fc38114 100755 +--- a/testsuite/tar.tests ++++ b/testsuite/tar.tests +@@ -325,9 +325,9 @@ unset LANG + rm -rf etc usr + ' "\ + etc/ssl/certs/3b2716e5.0 +-etc/ssl/certs/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.pem ++etc/ssl/certs/EBG_Elektronik_Sertifika_Hizmet_Sa??lay??c??s??.pem + etc/ssl/certs/f80cc7f6.0 +-usr/share/ca-certificates/mozilla/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.crt ++usr/share/ca-certificates/mozilla/EBG_Elektronik_Sertifika_Hizmet_Sa??lay??c??s??.crt + 0 + etc/ssl/certs/3b2716e5.0 -> EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.pem + etc/ssl/certs/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.pem -> /usr/share/ca-certificates/mozilla/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.crt diff --git a/meta/recipes-core/busybox/busybox_1.37.0.bb b/meta/recipes-core/busybox/busybox_1.37.0.bb index bec25348b8..9e6a7b7b4c 100644 --- a/meta/recipes-core/busybox/busybox_1.37.0.bb +++ b/meta/recipes-core/busybox/busybox_1.37.0.bb @@ -56,6 +56,8 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \ file://0001-archival-disallow-path-traversals-CVE-2023-39810.patch \ file://0001-hwclock-Check-for-SYS_settimeofday-before-calling-sy.patch \ file://0001-busybox-Add-awk-gsub-erroneous-word-start-match-test.patch \ + file://CVE-2025-46394-01.patch \ + file://CVE-2025-46394-02.patch \ " SRC_URI:append:libc-musl = " file://musl.cfg" SRC_URI:append:x86-64 = " file://sha_accel.cfg"