busybox: Fix CVE-2026-29004
Pick patches from [1] and [2] as mentioned in Debian report in [3]. [1] https://git.busybox.net/busybox/commit/archival?id=42202bfb1e6ac51fa995beda8be4d7b654aeee2a [2] https://git.busybox.net/busybox/commit/archival?id=d368f3f7836d1c2484c8f839316e5c93e76d4409 [3] https://security-tracker.debian.org/tracker/CVE-2026-29004 (From OE-Core rev: ce830d67be738ffad413c15fbb6672d9c3a6edef) Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com> Reviewed-by: Bruno VERNAY <bruno.vernay@se.com> Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
committed by
Paul Barker
parent
bc8fc54f18
commit
44baf9a477
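--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2026-29004-01.patch
@@ -0,0 +1,41 @@
+From e49fb0f6ad0a0f924ec2cfe6838d04c4f1f4c3ba Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Thu, 12 Mar 2026 07:25:38 +0100
+Subject: [PATCH 1/2] udhcpc6: fix buffer overflow
+
+CVE: CVE-2026-29004
+Upstream-Status: Backport [https://git.busybox.net/busybox/commit/archival?id=42202bfb1e6ac51fa995beda8be4d7b654aeee2a]
+
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+(cherry picked from commit 42202bfb1e6ac51fa995beda8be4d7b654aeee2a)
+Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
+---
+networking/udhcp/d6_dhcpc.c | 6 +++---
+1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/networking/udhcp/d6_dhcpc.c b/networking/udhcp/d6_dhcpc.c
+index cdd06188e..62cc0f466 100644
+--- a/networking/udhcp/d6_dhcpc.c
++++ b/networking/udhcp/d6_dhcpc.c
+@@ -351,15 +351,15 @@ static void option_to_env(const uint8_t *option, const uint8_t *option_end)
+addrs = option[3] >> 4;
+
+/* Setup environment variable */
+- *new_env() = dlist = xmalloc(4 + addrs * 40 - 1);
++ *new_env() = dlist = xmalloc(4 + addrs * 40 + 1);
+dlist = stpcpy(dlist, "dns=");
+option_offset = 0;
+
+- while (addrs--) {
++ while (addrs-- != 0) {
+sprint_nip6(dlist, option + 4 + option_offset);
+dlist += 39;
+option_offset += 16;
+- if (addrs)
++ if (addrs != 0)
+*dlist++ = ' ';
+}
+
+--
+2.43.0
+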
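Review bot: The corrected size `4 + addrs * 40 + 1` is still a bare expression, and nothing at the `xmalloc` call says why the `+ 1` is needed, so a later cleanup could reintroduce the overflow. From the visible lines the string is "dns=" (4 bytes) plus 39 characters per address and a separator between addresses, which with the terminator comes to `4 + addrs * 40`; the extra byte is what keeps `stpcpy(dlist, "dns=")` in bounds when `addrs` is 0. I would add a comment above the allocation such as `/* "dns=" + 40 per address (39 chars + ' ' or NUL) + 1 so the NUL fits when addrs == 0 */`. This assumes sprint_nip6 writes exactly 39 characters plus a terminator, which is defined outside the hunk; option_to_env itself also starts and ends outside the hunk.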
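--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2026-29004-02.patch
@@ -0,0 +1,46 @@
+From 4d8d5b7c4426e62375235cf4903b6cb53bb193d3 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Thu, 12 Mar 2026 13:23:48 +0100
+Subject: [PATCH 2/2] udhcpc6: check the size of D6_OPT_IAPREFIX option
+
+function old new delta
+option_to_env 694 711 +17
+
+CVE: CVE-2026-29004
+Upstream-Status: Backport [https://git.busybox.net/busybox/commit/archival?id=d368f3f7836d1c2484c8f839316e5c93e76d4409]
+
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+(cherry picked from commit d368f3f7836d1c2484c8f839316e5c93e76d4409)
+Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
+---
+networking/udhcp/d6_dhcpc.c | 7 +++++--
+1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/networking/udhcp/d6_dhcpc.c b/networking/udhcp/d6_dhcpc.c
+index 62cc0f466..64a41c9d8 100644
+--- a/networking/udhcp/d6_dhcpc.c
++++ b/networking/udhcp/d6_dhcpc.c
+@@ -287,8 +287,8 @@ static void option_to_env(const uint8_t *option, const uint8_t *option_end)
+* | valid-lifetime |
+* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+- /* Make sure payload contains an address */
+- if (option[3] < 24)
++ /* Make sure payload exists */
++ if (option[3] < (16 + 4 + 4))
+break;
+
+sprint_nip6(ipv6str, option + 4);
+@@ -332,6 +332,9 @@ static void option_to_env(const uint8_t *option, const uint8_t *option_end)
+* | |
+* +-+-+-+-+-+-+-+-+
+*/
++ /* Make sure payload exists */
++ if (option[3] < (4 + 4 + 1 + 16))
++ break;
+move_from_unaligned32(v32, option + 4 + 4);
+v32 = ntohl(v32);
+*new_env() = xasprintf("ipv6prefix_lease=%u", (unsigned)v32);
+--
+2.43.0
+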
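Review bot: Both added guards carry the same comment, `/* Make sure payload exists */`, and spell the minimum length as an unlabelled sum, so a reader cannot tell which fields `(16 + 4 + 4)` and `(4 + 4 + 1 + 16)` stand for; the first hunk also drops the more specific wording it replaces. Naming the fields would let the bound be checked against the option diagram above each guard, e.g. `/* need preferred-lifetime(4) + valid-lifetime(4) + prefix-length(1) + prefix(16) */` for the second one. Both guards test only the declared length in `option[3]`; whether that declared length ends before `option_end` has to be established elsewhere in option_to_env, whose body starts and ends outside these hunks, and is worth confirming when backporting.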
@@ -64,6 +64,8 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
|
||||
file://CVE-2025-60876.patch \
|
||||
file://CVE-2026-26157-CVE-2026-26158-01.patch \
|
||||
file://CVE-2026-26157-CVE-2026-26158-02.patch \
|
||||
file://CVE-2026-29004-01.patch \
|
||||
file://CVE-2026-29004-02.patch \
|
||||
"
|
||||
SRC_URI:append:libc-musl = " file://musl.cfg "
|
||||
# TODO http://lists.busybox.net/pipermail/busybox/2023-January/090078.html
|
||||
|
||||