new file mode 100644
@@ -0,0 +1,129 @@
+From 7a8f42fb20013a1493d8cae1c43436f85e656f2d Mon Sep 17 00:00:00 2001
+From: Zephkeks <zephyrofficialdiscord@gmail.com>
+Date: Tue, 13 May 2025 11:04:17 +0200
+Subject: [PATCH] CVE-2025-46836: interface.c: Stack-based Buffer Overflow in
+ get_name()
+
+Coordinated as GHSA-pfwf-h6m3-63wf
+
+CVE: CVE-2025-46836
+
+Upstream-Status: Backport
+[https://github.com/ecki/net-tools/commit/7a8f42fb20013a1493d8cae1c43436f85e656f2d]
+[https://github.com/ecki/net-tools/commit/ddb0e375fb9ca95bb69335540b85bbdaa2714348]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ lib/interface.c | 63 ++++++++++++++++++++++++++++++-------------------
+ 1 file changed, 39 insertions(+), 24 deletions(-)
+
+diff --git a/lib/interface.c b/lib/interface.c
+index 71d4163..a054f12 100644
+--- a/lib/interface.c
++++ b/lib/interface.c
+@@ -211,32 +211,47 @@ out:
+ }
+
+ static const char *get_name(char *name, const char *p)
++/* Safe version — guarantees at most IFNAMSIZ‑1 bytes are copied
++ and the destination buffer is always NUL‑terminated. */
+ {
+- while (isspace(*p))
+- p++;
+- while (*p) {
+- if (isspace(*p))
+- break;
+- if (*p == ':') { /* could be an alias */
+- const char *dot = p++;
+- while (*p && isdigit(*p)) p++;
+- if (*p == ':') {
+- /* Yes it is, backup and copy it. */
+- p = dot;
+- *name++ = *p++;
+- while (*p && isdigit(*p)) {
+- *name++ = *p++;
+- }
+- } else {
+- /* No, it isn't */
+- p = dot;
+- }
+- p++;
+- break;
+- }
+- *name++ = *p++;
++ char *dst = name; /* current write ptr */
++ const char *end = name + IFNAMSIZ - 1; /* last byte we may write */
++
++ /* Skip leading white‑space. */
++ while (isspace((unsigned char)*p))
++ ++p;
++
++ /* Copy until white‑space, end of string, or buffer full. */
++ while (*p && !isspace((unsigned char)*p) && dst < end) {
++ if (*p == ':') { /* possible alias veth0:123: */
++ const char *dot = p; /* remember the colon */
++ ++p;
++ while (*p && isdigit((unsigned char)*p))
++ ++p;
++
++ if (*p == ':') { /* confirmed alias */
++ p = dot; /* rewind and copy it all */
++
++ /* copy the colon */
++ if (dst < end)
++ *dst++ = *p++;
++
++ /* copy the digits */
++ while (*p && isdigit((unsigned char)*p) && dst < end)
++ *dst++ = *p++;
++
++ if (*p == ':') /* consume trailing colon */
++ ++p;
++ } else { /* if so treat as normal */
++ p = dot;
++ }
++ break; /* interface name ends here */
++ }
++
++ *dst++ = *p++; /* ordinary character copy */
+ }
+- *name++ = '\0';
++
++ *dst = '\0'; /* always NUL‑terminate */
+ return p;
+ }
+
+--
+2.34.1
+
+From ddb0e375fb9ca95bb69335540b85bbdaa2714348 Mon Sep 17 00:00:00 2001
+From: Bernd Eckenfels <net-tools@lina.inka.de>
+Date: Sat, 17 May 2025 21:53:23 +0200
+Subject: [PATCH] Interface statistic regression after 7a8f42fb2
+
+---
+ lib/interface.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/lib/interface.c b/lib/interface.c
+index a054f12..ca4adf1 100644
+--- a/lib/interface.c
++++ b/lib/interface.c
+@@ -239,12 +239,11 @@ static const char *get_name(char *name, const char *p)
+ /* copy the digits */
+ while (*p && isdigit((unsigned char)*p) && dst < end)
+ *dst++ = *p++;
+-
+- if (*p == ':') /* consume trailing colon */
+- ++p;
+ } else { /* if so treat as normal */
+ p = dot;
+ }
++ if (*p == ':') /* consume trailing colon */
++ ++p;
+ break; /* interface name ends here */
+ }
+
+--
+2.34.1
+
@@ -11,6 +11,7 @@ SRC_URI = "git://git.code.sf.net/p/net-tools/code;protocol=https;branch=master \
file://net-tools-config.h \
file://net-tools-config.make \
file://Add_missing_headers.patch \
+ file://CVE-2025-46836.patch \
"
S = "${WORKDIR}/git"
CVE-2025-46836: net-tools is a collection of programs that form the base set of the NET-3 networking distribution for the Linux operating system. Inn versions up to and including 2.10, the Linux network utilities (like ifconfig) from the net-tools package do not properly validate the structure of /proc files when showing interfaces. `get_name()` in `interface.c` copies interface labels from `/proc/net/dev` into a fixed 16-byte stack buffer without bounds checking, leading to possible arbitrary code execution or crash. The known attack path does not require privilege but also does not provide privilege escalation in this scenario. A patch is available and expected to be part of version 2.20. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-46836 Patch from: https://github.com/ecki/net-tools/commit/7a8f42fb20013a1493d8cae1c43436f85e656f2d https://github.com/ecki/net-tools/commit/ddb0e375fb9ca95bb69335540b85bbdaa2714348 Signed-off-by: Yi Zhao <yi.zhao@windriver.com> --- .../net-tools/net-tools/CVE-2025-46836.patch | 129 ++++++++++++++++++ .../net-tools/net-tools_2.10.bb | 1 + 2 files changed, 130 insertions(+) create mode 100644 meta/recipes-extended/net-tools/net-tools/CVE-2025-46836.patch