diff --git a/meta/recipes-core/busybox/busybox/CVE-2026-29004-01.patch b/meta/recipes-core/busybox/busybox/CVE-2026-29004-01.patch new file mode 100644 index 0000000000..8ce4858adc --- /dev/null +++ b/meta/recipes-core/busybox/busybox/CVE-2026-29004-01.patch @@ -0,0 +1,42 @@ +From d9a718cc17535c31d38f31fccb904a30e823166d Mon Sep 17 00:00:00 2001 +From: Denys Vlasenko +Date: Thu, 12 Mar 2026 07:25:38 +0100 +Subject: [PATCH 1/2] udhcpc6: fix buffer overflow + +Signed-off-by: Denys Vlasenko + +CVE: CVE-2026-29004 + +Upstream-Status: Backport [https://github.com/vda-linux/busybox_mirror/commit/42202bfb1e6ac51fa995beda8be4d7b654aeee2a] + +Signed-off-by: Chen Qi +--- + networking/udhcp/d6_dhcpc.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/networking/udhcp/d6_dhcpc.c b/networking/udhcp/d6_dhcpc.c +index 79cef1999..d13b05829 100644 +--- a/networking/udhcp/d6_dhcpc.c ++++ b/networking/udhcp/d6_dhcpc.c +@@ -351,15 +351,15 @@ static void option_to_env(const uint8_t *option, const uint8_t *option_end) + addrs = option[3] >> 4; + + /* Setup environment variable */ +- *new_env() = dlist = xmalloc(4 + addrs * 40 - 1); ++ *new_env() = dlist = xmalloc(4 + addrs * 40 + 1); + dlist = stpcpy(dlist, "dns="); + option_offset = 0; + +- while (addrs--) { ++ while (addrs-- != 0) { + sprint_nip6(dlist, option + 4 + option_offset); + dlist += 39; + option_offset += 16; +- if (addrs) ++ if (addrs != 0) + *dlist++ = ' '; + } + +-- +2.34.1 + diff --git a/meta/recipes-core/busybox/busybox/CVE-2026-29004-02.patch b/meta/recipes-core/busybox/busybox/CVE-2026-29004-02.patch new file mode 100644 index 0000000000..734f0bbbdb --- /dev/null +++ b/meta/recipes-core/busybox/busybox/CVE-2026-29004-02.patch @@ -0,0 +1,47 @@ +From 1e14c5c577a7bd46f42315e9bc445419770041a7 Mon Sep 17 00:00:00 2001 +From: Denys Vlasenko +Date: Thu, 12 Mar 2026 13:23:48 +0100 +Subject: [PATCH 2/2] udhcpc6: check the size of D6_OPT_IAPREFIX option + +function old new delta +option_to_env 694 711 +17 + +Signed-off-by: Denys Vlasenko + +CVE: CVE-2026-29004 + +Upstream-Status: Backport [https://github.com/vda-linux/busybox_mirror/commit/d368f3f7836d1c2484c8f839316e5c93e76d4409] + +Signed-off-by: Chen Qi +--- + networking/udhcp/d6_dhcpc.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/networking/udhcp/d6_dhcpc.c b/networking/udhcp/d6_dhcpc.c +index d13b05829..1851cee2a 100644 +--- a/networking/udhcp/d6_dhcpc.c ++++ b/networking/udhcp/d6_dhcpc.c +@@ -287,8 +287,8 @@ static void option_to_env(const uint8_t *option, const uint8_t *option_end) + * | valid-lifetime | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + */ +- /* Make sure payload contains an address */ +- if (option[3] < 24) ++ /* Make sure payload exists */ ++ if (option[3] < (16 + 4 + 4)) + break; + + sprint_nip6(ipv6str, option + 4); +@@ -332,6 +332,9 @@ static void option_to_env(const uint8_t *option, const uint8_t *option_end) + * | | + * +-+-+-+-+-+-+-+-+ + */ ++ /* Make sure payload exists */ ++ if (option[3] < (4 + 4 + 1 + 16)) ++ break; + move_from_unaligned32(v32, option + 4 + 4); + v32 = ntohl(v32); + *new_env() = xasprintf("ipv6prefix_lease=%u", (unsigned)v32); +-- +2.34.1 + diff --git a/meta/recipes-core/busybox/busybox_1.37.0.bb b/meta/recipes-core/busybox/busybox_1.37.0.bb index 4790899684..a6abfa2598 100644 --- a/meta/recipes-core/busybox/busybox_1.37.0.bb +++ b/meta/recipes-core/busybox/busybox_1.37.0.bb @@ -64,6 +64,8 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \ file://0001-tar-strip-unsafe-hardlink-components-GNU-tar-does-th.patch \ file://0002-tar-only-strip-unsafe-components-from-hardlinks-not-.patch \ file://CVE-2024-58251.patch \ + file://CVE-2026-29004-01.patch \ + file://CVE-2026-29004-02.patch \ " SRC_URI:append:libc-musl = " file://musl.cfg" SRC_URI:append:x86-64 = " file://sha_accel.cfg"