busybox: Fix CVE-2026-29004

Pick patches from [1] and [2] as mentioned in Debian report in [3].

[1] https://git.busybox.net/busybox/commit/archival?id=42202bfb1e6ac51fa995beda8be4d7b654aeee2a
[2] https://git.busybox.net/busybox/commit/archival?id=d368f3f7836d1c2484c8f839316e5c93e76d4409
[3] https://security-tracker.debian.org/tracker/CVE-2026-29004

(From OE-Core rev: ce830d67be738ffad413c15fbb6672d9c3a6edef)

Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
Reviewed-by: Bruno VERNAY <bruno.vernay@se.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
This commit is contained in:
Hugo SIMELIERE (Schneider Electric)
2026-05-20 12:44:13 +02:00
committed by Paul Barker
parent bc8fc54f18
commit 44baf9a477
3 changed files with 89 additions and 0 deletions

View File

@@ -0,0 +1,41 @@
From e49fb0f6ad0a0f924ec2cfe6838d04c4f1f4c3ba Mon Sep 17 00:00:00 2001
From: Denys Vlasenko <vda.linux@googlemail.com>
Date: Thu, 12 Mar 2026 07:25:38 +0100
Subject: [PATCH 1/2] udhcpc6: fix buffer overflow
CVE: CVE-2026-29004
Upstream-Status: Backport [https://git.busybox.net/busybox/commit/archival?id=42202bfb1e6ac51fa995beda8be4d7b654aeee2a]
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
(cherry picked from commit 42202bfb1e6ac51fa995beda8be4d7b654aeee2a)
Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
---
networking/udhcp/d6_dhcpc.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/networking/udhcp/d6_dhcpc.c b/networking/udhcp/d6_dhcpc.c
index cdd06188e..62cc0f466 100644
--- a/networking/udhcp/d6_dhcpc.c
+++ b/networking/udhcp/d6_dhcpc.c
@@ -351,15 +351,15 @@ static void option_to_env(const uint8_t *option, const uint8_t *option_end)
addrs = option[3] >> 4;
/* Setup environment variable */
- *new_env() = dlist = xmalloc(4 + addrs * 40 - 1);
+ *new_env() = dlist = xmalloc(4 + addrs * 40 + 1);
dlist = stpcpy(dlist, "dns=");
option_offset = 0;
- while (addrs--) {
+ while (addrs-- != 0) {
sprint_nip6(dlist, option + 4 + option_offset);
dlist += 39;
option_offset += 16;
- if (addrs)
+ if (addrs != 0)
*dlist++ = ' ';
}
--
2.43.0

View File

@@ -0,0 +1,46 @@
From 4d8d5b7c4426e62375235cf4903b6cb53bb193d3 Mon Sep 17 00:00:00 2001
From: Denys Vlasenko <vda.linux@googlemail.com>
Date: Thu, 12 Mar 2026 13:23:48 +0100
Subject: [PATCH 2/2] udhcpc6: check the size of D6_OPT_IAPREFIX option
function old new delta
option_to_env 694 711 +17
CVE: CVE-2026-29004
Upstream-Status: Backport [https://git.busybox.net/busybox/commit/archival?id=d368f3f7836d1c2484c8f839316e5c93e76d4409]
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
(cherry picked from commit d368f3f7836d1c2484c8f839316e5c93e76d4409)
Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
---
networking/udhcp/d6_dhcpc.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/networking/udhcp/d6_dhcpc.c b/networking/udhcp/d6_dhcpc.c
index 62cc0f466..64a41c9d8 100644
--- a/networking/udhcp/d6_dhcpc.c
+++ b/networking/udhcp/d6_dhcpc.c
@@ -287,8 +287,8 @@ static void option_to_env(const uint8_t *option, const uint8_t *option_end)
* | valid-lifetime |
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
*/
- /* Make sure payload contains an address */
- if (option[3] < 24)
+ /* Make sure payload exists */
+ if (option[3] < (16 + 4 + 4))
break;
sprint_nip6(ipv6str, option + 4);
@@ -332,6 +332,9 @@ static void option_to_env(const uint8_t *option, const uint8_t *option_end)
* | |
* +-+-+-+-+-+-+-+-+
*/
+ /* Make sure payload exists */
+ if (option[3] < (4 + 4 + 1 + 16))
+ break;
move_from_unaligned32(v32, option + 4 + 4);
v32 = ntohl(v32);
*new_env() = xasprintf("ipv6prefix_lease=%u", (unsigned)v32);
--
2.43.0

View File

@@ -64,6 +64,8 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
file://CVE-2025-60876.patch \
file://CVE-2026-26157-CVE-2026-26158-01.patch \
file://CVE-2026-26157-CVE-2026-26158-02.patch \
file://CVE-2026-29004-01.patch \
file://CVE-2026-29004-02.patch \
"
SRC_URI:append:libc-musl = " file://musl.cfg "
# TODO http://lists.busybox.net/pipermail/busybox/2023-January/090078.html