From patchwork Sun May 10 09:26:34 2026
X-Patchwork-Submitter: Peter Marko
X-Patchwork-Id: 87812
From: Peter Marko
To: openembedded-core@lists.openembedded.org
Cc: Peter Marko
Subject: [PATCH] busybox: patch CVE-2024-58251
Date: Sun, 10 May 2026 11:26:34 +0200
Message-ID: <20260510092634.174864-1-peter.marko@siemens.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/236768

Pick patch applied by Debian [1].

I did not find any reference on busybox mailing list that this patch was
submitted. Submitting patch for someone else would be inappropriate, and
busybox is currently known to be very inactive, hence the unwanted
Pending Upstream-Status status.

Also note that the related busybox bugreport [2] is currently not public,
so it is possible that it was submitted there.

[1] https://sources.debian.org/patches/busybox/1:1.37.0-10.1/netstat-sanitize-argv0-for-p-CVE-2024-58251.patch/
[2] https://bugs.busybox.net/show_bug.cgi?id=15922

Signed-off-by: Peter Marko
---
 .../busybox/busybox/CVE-2024-58251.patch | 51 +++++++++++++++++++
 meta/recipes-core/busybox/busybox_1.37.0.bb | 1 +
 2 files changed, 52 insertions(+)
 create mode 100644 meta/recipes-core/busybox/busybox/CVE-2024-58251.patch

diff --git a/meta/recipes-core/busybox/busybox/CVE-2024-58251.patch b/meta/recipes-core/busybox/busybox/CVE-2024-58251.patch
new file mode 100644
index 0000000000..713d345ca8
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2024-58251.patch
@@ -0,0 +1,51 @@ +From: Valery Ushakov +Date: Thu, 21 Aug 2025 12:31:53 +0000 +Subject: netstat: CVE-2024-58251 - sanitize argv0 for -p +Bug-Debian: https://bugs.debian.org/1104009 + +Signed-off-by: Valery Ushakov + +CVE: CVE-2024-58251 +Upstream-Status: Pending +Signed-off-by: Peter Marko +--- + networking/netstat.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/networking/netstat.c b/networking/netstat.c +index 807800a62..d979f6079 100644 +--- a/networking/netstat.c ++++ b/networking/netstat.c +@@ -41,6 +41,7 @@ + + #include "libbb.h" + #include "inet_common.h" ++#include "unicode.h" + + //usage:#define netstat_trivial_usage + //usage: "[-"IF_ROUTE("r")"al] [-tuwx] [-en"IF_FEATURE_NETSTAT_WIDE("W")IF_FEATURE_NETSTAT_PRG("p")"]" +@@ -314,9 +315,12 @@ static int FAST_FUNC dir_act(struct recursive_state *state, + return FALSE; + cmdline_buf[n] = '\0'; + ++ /* don't write process-controlled argv[0] to the user's terminal as-is */ ++ const char *argv0base = printable_string(bb_basename(cmdline_buf)); ++ + /* go through all files in /proc/PID/fd and check whether they are sockets */ + strcpy(proc_pid_fname + len - (sizeof("cmdline")-1), "fd"); +- pid_slash_progname = concat_path_file(pid, bb_basename(cmdline_buf)); /* "PID/argv0" */ ++ pid_slash_progname = concat_path_file(pid, argv0base); /* "PID/argv0" */ + n = recursive_action(proc_pid_fname, + ACTION_RECURSE | ACTION_QUIET, + add_to_prg_cache_if_socket, +@@ -686,6 +690,7 @@ int netstat_main(int argc UNUSED_PARAM, char **argv) + unsigned opt; + + INIT_G(); ++ init_unicode(); + + /* Option string must match NETSTAT_xxx constants */ + opt = getopt32(argv, NETSTAT_OPTS); +-- +2.34.1 + diff --git a/meta/recipes-core/busybox/busybox_1.37.0.bb b/meta/recipes-core/busybox/busybox_1.37.0.bb index 61ff602be6..4790899684 100644 --- a/meta/recipes-core/busybox/busybox_1.37.0.bb +++ b/meta/recipes-core/busybox/busybox_1.37.0.bb 
@@ -63,6 +63,7 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \ file://0001-busybox-fix-printf-ptest-failure-with-glibc-2.43.patch \ file://0001-tar-strip-unsafe-hardlink-components-GNU-tar-does-th.patch \ file://0002-tar-only-strip-unsafe-components-from-hardlinks-not-.patch \ + file://CVE-2024-58251.patch \ " SRC_URI:append:libc-musl = " file://musl.cfg" SRC_URI:append:x86-64 = " file://sha_accel.cfg"
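
Review bot: the header of the new CVE-2024-58251.patch file records Bug-Debian and Upstream-Status: Pending, but not the Debian patch URL that the commit message cites as [1], and it has no description beyond the subject line. Once the patch is read outside this commit, its origin and the reason for the change are only recoverable from the one-line code comment. Consider adding the [1] URL to the patch header, together with a sentence saying that netstat -p printed the process-supplied argv[0] to the terminal without sanitizing it.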
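
Review bot: in the dir_act() hunk of the embedded netstat.c change, `const char *argv0base = printable_string(...)` is declared in the middle of the block, after the statement `cmdline_buf[n] = '\0';`. If the busybox build is run with a declaration-after-statement warning this will trip it; declaring the variable with the other locals at the top of the function and keeping only the assignment here avoids that. The returned pointer is consumed by concat_path_file() two lines later with only a strcpy() in between, so it would also help to say in the comment that argv0base must not be kept past that call.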
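
Review bot: in the netstat_main() hunk, init_unicode() is added directly after INIT_G() with no comment, and it runs for every invocation even though the usage string shows -p exists only under IF_FEATURE_NETSTAT_PRG and the only new consumer is printable_string() in dir_act(). A one-line comment stating that the call is there so printable_string() classifies characters correctly for -p output would keep a later cleanup from removing it as unused.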