| Message ID | 20250928221332.1308547-1-peter.marko@siemens.com |
|---|---|
| State | New |
| Series | busybox: patch CVE-2025-46394 |
On Mon Sep 29, 2025 at 12:13 AM CEST, Peter Marko via lists.openembedded.org wrote:
> From: Peter Marko <peter.marko@siemens.com>
>
> Pick commit mentioning this CVE.
>
> Signed-off-by: Peter Marko <peter.marko@siemens.com>
> ---

Hi Peter,

Thanks for your patch.

It looks like this is breaking some ptest:

AssertionError:
Failed ptests:
{'busybox': ['tar_Pax-encoded_UTF8_names_and_symlinks']}

https://autobuilder.yoctoproject.org/valkyrie/#/builders/56/builds/543
https://autobuilder.yoctoproject.org/valkyrie/#/builders/61/builds/2324
https://autobuilder.yoctoproject.org/valkyrie/#/builders/73/builds/2363

Ptest logs can be found here:

https://valkyrie.yocto.io/pub/non-release/20250929-53/testresults/qemuriscv64-ptest/core-image-ptest-busybox/
https://valkyrie.yocto.io/pub/non-release/20250929-53/testresults/qemux86-64-ptest/core-image-ptest-busybox/
https://valkyrie.yocto.io/pub/non-release/20250929-53/testresults/qemuarm64-ptest/core-image-ptest-busybox/

Can you have a look at these, please?

Thanks,
Mathieu
> -----Original Message-----
> From: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
> Sent: Monday, September 29, 2025 13:20
> To: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com>; openembedded-core@lists.openembedded.org
> Subject: Re: [OE-core][PATCH] busybox: patch CVE-2025-46394
>
> On Mon Sep 29, 2025 at 12:13 AM CEST, Peter Marko via lists.openembedded.org wrote:
> > From: Peter Marko <peter.marko@siemens.com>
> >
> > Pick commit mentioning this CVE.
> >
> > Signed-off-by: Peter Marko <peter.marko@siemens.com>
> > ---
>
> Hi Peter,
>
> Thanks for your patch.
>
> It looks like this is breaking some ptest:
>
> AssertionError:
> Failed ptests:
> {'busybox': ['tar_Pax-encoded_UTF8_names_and_symlinks']}
>
> https://autobuilder.yoctoproject.org/valkyrie/#/builders/56/builds/543
> https://autobuilder.yoctoproject.org/valkyrie/#/builders/61/builds/2324
> https://autobuilder.yoctoproject.org/valkyrie/#/builders/73/builds/2363
>
> Ptest logs can be found here:
>
> https://valkyrie.yocto.io/pub/non-release/20250929-53/testresults/qemuriscv64-ptest/core-image-ptest-busybox/
> https://valkyrie.yocto.io/pub/non-release/20250929-53/testresults/qemux86-64-ptest/core-image-ptest-busybox/
> https://valkyrie.yocto.io/pub/non-release/20250929-53/testresults/qemuarm64-ptest/core-image-ptest-busybox/
>
> Can you have a look at these, please?

Looks like the CVE patch broke their own tests.
The patch changes the printout but the test compares to an unmangled string.
I'll try to submit a patch for the test upstream.

Peter

> Thanks,
> Mathieu
>
> --
> Mathieu Dubois-Briand, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com
diff --git a/meta/recipes-core/busybox/busybox/CVE-2025-46394.patch b/meta/recipes-core/busybox/busybox/CVE-2025-46394.patch new file mode 100644 index 00000000000..c95cba3c33b --- /dev/null +++ b/meta/recipes-core/busybox/busybox/CVE-2025-46394.patch 
@@ -0,0 +1,57 @@ +From f5e1bf966b19ea1821f00a8c9ecd7774598689b4 Mon Sep 17 00:00:00 2001 +From: Denys Vlasenko <vda.linux@googlemail.com> +Date: Wed, 24 Sep 2025 03:28:47 +0200 +Subject: [PATCH] archival/libarchive: sanitize filenames on output (prevent + control sequence attacks + +This fixes CVE-2025-46394 (terminal escape sequence injection) + +Original credit: Ian.Norton at entrust.com + +function old new delta +header_list 9 15 +6 +header_verbose_list 239 244 +5 +------------------------------------------------------------------------------ +(add/remove: 0/0 grow/shrink: 2/0 up/down: 11/0) Total: 11 bytes + +Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com> + +CVE: CVE-2025-46394 +Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=f5e1bf966b19ea1821f00a8c9ecd7774598689b4] +Signed-off-by: Peter Marko <peter.marko@siemens.com> +--- + archival/libarchive/header_list.c | 2 +- + archival/libarchive/header_verbose_list.c | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/archival/libarchive/header_list.c b/archival/libarchive/header_list.c +index 0621aa406..9490b3635 100644 +--- a/archival/libarchive/header_list.c ++++ b/archival/libarchive/header_list.c +@@ -8,5 +8,5 @@ + void FAST_FUNC header_list(const file_header_t *file_header) + { + //TODO: cpio -vp DIR should output "DIR/NAME", not just "NAME" */ +- puts(file_header->name); ++ puts(printable_string(file_header->name)); + } +diff --git a/archival/libarchive/header_verbose_list.c b/archival/libarchive/header_verbose_list.c +index a575a08a0..e7a09430d 100644 +--- a/archival/libarchive/header_verbose_list.c ++++ b/archival/libarchive/header_verbose_list.c +@@ -57,13 +57,13 @@ void FAST_FUNC header_verbose_list(const file_header_t *file_header) + ptm->tm_hour, + ptm->tm_min, + ptm->tm_sec, +- file_header->name); ++ printable_string(file_header->name)); + + #endif /* FEATURE_TAR_UNAME_GNAME */ + + /* NB: GNU tar shows "->" for symlinks and "link to" for hardlinks 
*/ + if (file_header->link_target) { +- printf(" -> %s", file_header->link_target); ++ printf(" -> %s", printable_string(file_header->link_target)); + } + bb_putchar('\n'); + } diff --git a/meta/recipes-core/busybox/busybox_1.37.0.bb b/meta/recipes-core/busybox/busybox_1.37.0.bb index bec25348b82..d2aed177957 100644 --- a/meta/recipes-core/busybox/busybox_1.37.0.bb +++ b/meta/recipes-core/busybox/busybox_1.37.0.bb @@ -56,6 +56,7 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \ file://0001-archival-disallow-path-traversals-CVE-2023-39810.patch \ file://0001-hwclock-Check-for-SYS_settimeofday-before-calling-sy.patch \ file://0001-busybox-Add-awk-gsub-erroneous-word-start-match-test.patch \ + file://CVE-2025-46394.patch \ " SRC_URI:append:libc-musl = " file://musl.cfg" SRC_URI:append:x86-64 = " file://sha_accel.cfg"
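Review bot: the one-line change in header_list() is where the ptest regression reported in this thread comes from. It is the non-verbose per-member listing path, and once it reads `puts(printable_string(file_header->name));` every byte printable_string() does not accept is rewritten, so the expected output of tar_Pax-encoded_UTF8_names_and_symlinks, which per Peter's reply compares against the unmangled names, no longer matches. The change is the right one for the CVE, but it should not land alone: the diffstat lists only the two libarchive files and no testsuite change, so the testsuite fix needs to travel as a second patch in this series, otherwise the busybox ptest stays red on qemuriscv64, qemux86-64 and qemuarm64 as in the three autobuilder runs above.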
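Review bot: in header_verbose_list() the printf whose last argument becomes `printable_string(file_header->name));` sits directly above `#endif /* FEATURE_TAR_UNAME_GNAME */`, so it belongs to only one of the two preprocessor branches of that function, and the diffstat counts exactly two changed lines for this file (this one and the link_target one). Please confirm that the name printed in the other branch, the one built with FEATURE_TAR_UNAME_GNAME enabled, also goes through printable_string(), either in context not shown here or in an upstream follow-up that should then be backported together with this patch; otherwise `tar -tv` on a busybox built with user/group names still writes raw bytes to the terminal. The `" -> %s"` change for link_target is fine and covers the symlink-target half of the line the failing test exercises.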
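Added here as an illustration of the bug class this patch closes; it is not code from busybox, OE-core or the patch above. The program builds a small ustar archive in memory (constructed input, POSIX ustar field layout), puts an OSC title-change sequence into a symlink's name and a clear-screen sequence into its target, and lists the archive twice: raw, the way header_list()/header_verbose_list() printed names before the fix, and through sanitize_name(), a deliberately minimal stand-in for printable_string() that turns every byte below 0x20 or at/above 0x7f into '?'. The names tar_checksum, make_header, sanitize_name, list_archive, build_sample_archive and the EVIL_* strings are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define TAR_BLOCK 512

/* POSIX ustar header: 512 bytes of ASCII fields, numbers written in octal. */
struct ustar_header {
    char name[100], mode[8], uid[8], gid[8], size[12], mtime[12], chksum[8], typeflag;
    char linkname[100], magic[6], version[2], uname[32], gname[32];
    char devmajor[8], devminor[8], prefix[155], pad[12];
};

/* ustar checksum: unsigned byte sum of the header with chksum read as 8 spaces. */
static unsigned tar_checksum(const struct ustar_header *h)
{
    const unsigned char *p = (const unsigned char *)h;
    size_t lo = offsetof(struct ustar_header, chksum), hi = lo + 8;
    unsigned sum = 0;
    for (size_t i = 0; i < TAR_BLOCK; i++)
        sum += (i >= lo && i < hi) ? (unsigned)' ' : p[i];
    return sum;
}

/* Fill one header block; typeflag '0' = regular file, '2' = symlink. */
static void make_header(struct ustar_header *h, const char *name, const char *linkname,
                        char typeflag, size_t size)
{
    memset(h, 0, sizeof *h);
    snprintf(h->name, sizeof h->name, "%s", name);
    snprintf(h->linkname, sizeof h->linkname, "%s", linkname ? linkname : "");
    snprintf(h->mode, sizeof h->mode, "%07o", 0644);
    snprintf(h->size, sizeof h->size, "%011zo", size);
    h->typeflag = typeflag; memcpy(h->magic, "ustar", 6); memcpy(h->version, "00", 2);
    snprintf(h->chksum, sizeof h->chksum, "%06o", tar_checksum(h));
    h->chksum[7] = ' ';
}

/* Minimal stand-in for the idea behind printable_string() (busybox's is also
 * unicode/locale aware): bytes < 0x20 or >= 0x7f become '?'.  out may alias s. */
static size_t sanitize_name(const char *s, char *out, size_t outsz)
{
    size_t i, replaced = 0;
    for (i = 0; s[i] != '\0' && i + 1 < outsz; i++) {
        int bad = (unsigned char)s[i] < 0x20 || (unsigned char)s[i] >= 0x7f;
        out[i] = bad ? '?' : s[i];
        replaced += (size_t)bad;
    }
    out[i] = '\0';
    return replaced;                                        /* number of bytes rewritten */
}

/* Append "name[ -> target]\n" per member to out; sanitize == 0 reproduces the
 * pre-fix output.  Returns the member count, -1 on bad checksum or truncation. */
static int list_archive(const unsigned char *buf, size_t len, int sanitize, char *out, size_t outsz)
{
    size_t off = 0, used = 0;
    int n = 0;
    out[0] = '\0';
    while (off + TAR_BLOCK <= len) {
        const struct ustar_header *h = (const struct ustar_header *)(buf + off);
        char name[101], link[101];
        if (h->name[0] == '\0') break;                      /* end-of-archive zero block */
        if (strtoul(h->chksum, NULL, 8) != tar_checksum(h)) return -1;
        snprintf(name, sizeof name, "%.100s", h->name);     /* fields need not be NUL-terminated */
        snprintf(link, sizeof link, "%.100s", h->linkname);
        if (sanitize) { sanitize_name(name, name, sizeof name); sanitize_name(link, link, sizeof link); }
        int w = snprintf(out + used, outsz - used, "%s%s%s\n", name, link[0] ? " -> " : "", link);
        if (w < 0 || (size_t)w >= outsz - used) return -1;
        used += (size_t)w; n++;
        off += TAR_BLOCK + ((strtoul(h->size, NULL, 8) + TAR_BLOCK - 1) / TAR_BLOCK) * TAR_BLOCK;
    }
    return n;
}

/* Constructed sample: an innocent file, then a symlink whose name sets the terminal
 * title (OSC 0 ... BEL) and whose target clears the screen and homes the cursor. */
#define EVIL_NAME "\x1b]0;owned\x07notes.txt"
#define EVIL_LINK "\x1b[2J\x1b[H../../etc/passwd"

static size_t build_sample_archive(unsigned char *buf, size_t cap)
{
    struct ustar_header h;
    if (cap < 5 * TAR_BLOCK) return 0;
    memset(buf, 0, 5 * TAR_BLOCK);
    make_header(&h, "README", NULL, '0', 5);
    memcpy(buf, &h, TAR_BLOCK);
    memcpy(buf + TAR_BLOCK, "hello", 5);                    /* file data, padded to one block */
    make_header(&h, EVIL_NAME, EVIL_LINK, '2', 0);
    memcpy(buf + 2 * TAR_BLOCK, &h, TAR_BLOCK);
    return 5 * TAR_BLOCK;                                   /* blocks 3 and 4 stay zero: end marker */
}

int main(void)
{
    unsigned char archive[5 * TAR_BLOCK]; char listing[256];
    size_t len = build_sample_archive(archive, sizeof archive);
    if (list_archive(archive, len, 1, listing, sizeof listing) < 0) return 1;
    fputs(listing, stdout);   /* sanitized; the raw listing would retitle and clear the terminal */
    return 0;
}
```

Compile with `cc -std=c99 example.c` and run; only the sanitized listing is printed, because echoing the raw one to a real terminal does what the CVE describes. The same byte rule also rewrites UTF-8 multibyte sequences, since every byte of one is at or above 0x80, so a listing test whose expected output was written against the raw names fails under it; that is the shape of the ptest regression discussed in this thread, and it is why the real printable_string() has to be unicode-aware rather than this simple.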