busybox: add a minor workaround for CVE-2025-46394

Message ID	20250928230449.156501-1-jeroen@myspectrum.nl
State	New
Headers	show Return-Path: <jeroen@myspectrum.nl> ip: 149.210.149.73, mailfrom: jeroen@myspectrum.nl) sender: sendmail@myspectrum.nl) by yellow.myspectrum.nl (Postfix) with ESMTPSA id 5F96D2011E; Sun, 28 Sep 2025 23:04:56 +0000 (UTC) From: jeroen@myspectrum.nl To: openembedded-core@lists.openembedded.org Cc: Jeroen Hofstee <jhofstee@victronenergy.com> Subject: [PATCH] busybox: add a minor workaround for CVE-2025-46394 Date: Mon, 29 Sep 2025 01:04:49 +0200 Message-ID: <20250928230449.156501-1-jeroen@myspectrum.nl> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable
Series	busybox: add a minor workaround for CVE-2025-46394 \| expand busybox: add a minor workaround for CVE-2025-46394

Message ID

20250928230449.156501-1-jeroen@myspectrum.nl

State

New

Headers

From: jeroen@myspectrum.nl
To: openembedded-core@lists.openembedded.org
Cc: Jeroen Hofstee <jhofstee@victronenergy.com>
Subject: [PATCH] busybox: add a minor workaround for CVE-2025-46394
Date: Mon, 29 Sep 2025 01:04:49 +0200
Message-ID: <20250928230449.156501-1-jeroen@myspectrum.nl>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

Series

busybox: add a minor workaround for CVE-2025-46394 | expand

Commit Message

Jeroen Hofstee Sept. 28, 2025, 11:04 p.m. UTC

From: Jeroen Hofstee <jhofstee@victronenergy.com>

It is low ranked CVE, but lets get it out of the reports.

https://nvd.nist.gov/vuln/detail/cve-2025-46394
Signed-off-by: Jeroen Hofstee <jhofstee@victronenergy.com>
---
 ...ive-sanitize-filenames-on-output-pre.patch | 60 +++++++++++++++++++
 meta/recipes-core/busybox/busybox_1.37.0.bb   |  1 +
 2 files changed, 61 insertions(+)
 create mode 100644 meta/recipes-core/busybox/busybox/0001-archival-libarchive-sanitize-filenames-on-output-pre.patch

diff --git a/meta/recipes-core/busybox/busybox/0001-archival-libarchive-sanitize-filenames-on-output-pre.patch b/meta/recipes-core/busybox/busybox/0001-archival-libarchive-sanitize-filenames-on-output-pre.patch
new file mode 100644
index 0000000000..7dac40125f
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/0001-archival-libarchive-sanitize-filenames-on-output-pre.patch
@@ -0,0 +1,60 @@ 
+From 3ff057603c97cc0a5fe4ec0c5e58b8b1518336bb Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Wed, 24 Sep 2025 03:28:47 +0200
+Subject: [PATCH] archival/libarchive: sanitize filenames on output (prevent
+ control sequence attacks
+
+This fixes CVE-2025-46394 (terminal escape sequence injection)
+
+Original credit: Ian.Norton at entrust.com
+
+function                                             old     new   delta
+header_list                                            9      15      +6
+header_verbose_list                                  239     244      +5
+------------------------------------------------------------------------------
+(add/remove: 0/0 grow/shrink: 2/0 up/down: 11/0)               Total: 11 bytes
+
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+(cherry picked from commit f5e1bf966b19ea1821f00a8c9ecd7774598689b4)
+Signed-off-by: Jeroen Hofstee <jhofstee@victronenergy.com>
+Upstream-Status: Backport [f5e1bf966b19ea1821f00a8c9ecd7774598689b4]
+CVE: CVE-2025-46394
+---
+ archival/libarchive/header_list.c         | 2 +-
+ archival/libarchive/header_verbose_list.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/archival/libarchive/header_list.c b/archival/libarchive/header_list.c
+index 0621aa406..9490b3635 100644
+--- a/archival/libarchive/header_list.c
++++ b/archival/libarchive/header_list.c
+@@ -8,5 +8,5 @@
+ void FAST_FUNC header_list(const file_header_t *file_header)
+ {
+ //TODO: cpio -vp DIR should output "DIR/NAME", not just "NAME" */
+-	puts(file_header->name);
++	puts(printable_string(file_header->name));
+ }
+diff --git a/archival/libarchive/header_verbose_list.c b/archival/libarchive/header_verbose_list.c
+index a575a08a0..e7a09430d 100644
+--- a/archival/libarchive/header_verbose_list.c
++++ b/archival/libarchive/header_verbose_list.c
+@@ -57,13 +57,13 @@ void FAST_FUNC header_verbose_list(const file_header_t *file_header)
+ 		ptm->tm_hour,
+ 		ptm->tm_min,
+ 		ptm->tm_sec,
+-		file_header->name);
++		printable_string(file_header->name));
+ 
+ #endif /* FEATURE_TAR_UNAME_GNAME */
+ 
+ 	/* NB: GNU tar shows "->" for symlinks and "link to" for hardlinks */
+ 	if (file_header->link_target) {
+-		printf(" -> %s", file_header->link_target);
++		printf(" -> %s", printable_string(file_header->link_target));
+ 	}
+ 	bb_putchar('\n');
+ }
+-- 
+2.43.0
+
diff --git a/meta/recipes-core/busybox/busybox_1.37.0.bb b/meta/recipes-core/busybox/busybox_1.37.0.bb
index bec25348b8..9c7fae73bf 100644
--- a/meta/recipes-core/busybox/busybox_1.37.0.bb
+++ b/meta/recipes-core/busybox/busybox_1.37.0.bb
@@ -56,6 +56,7 @@  SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
            file://0001-archival-disallow-path-traversals-CVE-2023-39810.patch \
            file://0001-hwclock-Check-for-SYS_settimeofday-before-calling-sy.patch \
            file://0001-busybox-Add-awk-gsub-erroneous-word-start-match-test.patch \
+           file://0001-archival-libarchive-sanitize-filenames-on-output-pre.patch \
            "
 SRC_URI:append:libc-musl = " file://musl.cfg"
 SRC_URI:append:x86-64 = " file://sha_accel.cfg"

busybox: add a minor workaround for CVE-2025-46394

Commit Message

Patch