diff mbox series

[wrynose,v2,08/28] busybox: patch CVE-2024-58251

Message ID 8f344d46b96fb16632501749dc39b97aa3e11836.1779264709.git.yoann.congal@smile.fr
State New
Series [wrynose,v2,01/28] README: Add wrynose subject-prefix to git-send-email suggestion

Commit Message

Yoann Congal May 20, 2026, 8:20 a.m. UTC
From: Peter Marko <peter.marko@siemens.com>

Pick patch applied by Debian [1].

I did not find any reference on the busybox mailing list that this patch was
submitted. Submitting a patch for someone else would be inappropriate,
and busybox is currently known to be very inactive, hence the unwanted
Pending Upstream-Status.
Also note that the related busybox bug report [2] is currently not
public, so it is possible that it was submitted there.

[1] https://sources.debian.org/patches/busybox/1:1.37.0-10.1/netstat-sanitize-argv0-for-p-CVE-2024-58251.patch/
[2] https://bugs.busybox.net/show_bug.cgi?id=15922

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
(cherry picked from commit 7261144785aa508377c995e52d7e2410a814f00b)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 .../busybox/busybox/CVE-2024-58251.patch      | 51 +++++++++++++++++++
 meta/recipes-core/busybox/busybox_1.37.0.bb   |  1 +
 2 files changed, 52 insertions(+)
 create mode 100644 meta/recipes-core/busybox/busybox/CVE-2024-58251.patch

Patch

diff --git a/meta/recipes-core/busybox/busybox/CVE-2024-58251.patch b/meta/recipes-core/busybox/busybox/CVE-2024-58251.patch
new file mode 100644
index 00000000000..713d345ca83
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2024-58251.patch
@@ -0,0 +1,51 @@ 
+From: Valery Ushakov <valery.ushakov@bell-sw.com>
+Date: Thu, 21 Aug 2025 12:31:53 +0000
+Subject: netstat: CVE-2024-58251 - sanitize argv0 for -p
+Bug-Debian: https://bugs.debian.org/1104009
+
+Signed-off-by: Valery Ushakov <valery.ushakov@bell-sw.com>
+
+CVE: CVE-2024-58251
+Upstream-Status: Pending
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ networking/netstat.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/networking/netstat.c b/networking/netstat.c
+index 807800a62..d979f6079 100644
+--- a/networking/netstat.c
++++ b/networking/netstat.c
+@@ -41,6 +41,7 @@
+ 
+ #include "libbb.h"
+ #include "inet_common.h"
++#include "unicode.h"
+ 
+ //usage:#define netstat_trivial_usage
+ //usage:       "[-"IF_ROUTE("r")"al] [-tuwx] [-en"IF_FEATURE_NETSTAT_WIDE("W")IF_FEATURE_NETSTAT_PRG("p")"]"
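Review bot: nothing to change in this hunk; the new include is what supplies init_unicode() for the netstat_main() hunk below, and when UNICODE_SUPPORT is disabled unicode.h turns init_unicode() into a no-op, so the file still builds in both configurations.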
+@@ -314,9 +315,12 @@ static int FAST_FUNC dir_act(struct recursive_state *state,
+ 		return FALSE;
+ 	cmdline_buf[n] = '\0';
+ 
++	/* don't write process-controlled argv[0] to the user's terminal as-is */
++	const char *argv0base = printable_string(bb_basename(cmdline_buf));
++
+ 	/* go through all files in /proc/PID/fd and check whether they are sockets */
+ 	strcpy(proc_pid_fname + len - (sizeof("cmdline")-1), "fd");
+-	pid_slash_progname = concat_path_file(pid, bb_basename(cmdline_buf)); /* "PID/argv0" */
++	pid_slash_progname = concat_path_file(pid, argv0base); /* "PID/argv0" */
+ 	n = recursive_action(proc_pid_fname,
+ 			ACTION_RECURSE | ACTION_QUIET,
+ 			add_to_prg_cache_if_socket,
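Review bot: the new `const char *argv0base = printable_string(bb_basename(cmdline_buf));` is a declaration placed after statements in the middle of the block, which busybox code usually avoids; declare `argv0base` with the other locals at the top of dir_act() and assign it right after `cmdline_buf[n] = '\0';`. On lifetime: printable_string() returns either its argument or a buffer from a small rotating pool, and the only consumer is the immediately following concat_path_file(), which copies the bytes into the "PID/argv0" key, so holding the pointer across that one call is safe; just do not keep `argv0base` alive past further printable_string() calls.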
+@@ -686,6 +690,7 @@ int netstat_main(int argc UNUSED_PARAM, char **argv)
+ 	unsigned opt;
+ 
+ 	INIT_G();
++	init_unicode();
+ 
+ 	/* Option string must match NETSTAT_xxx constants */
+ 	opt = getopt32(argv, NETSTAT_OPTS);
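Review bot: init_unicode() now runs on every netstat invocation, although the sanitized argv[0] is only produced by dir_act() on the -p path named in the subject line. That is acceptable since the call is cheap and a no-op without UNICODE_SUPPORT, but if the intent is to leave the non -p behaviour untouched, move the call after getopt32() and guard it on the -p option bit.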
+-- 
+2.34.1
+
diff --git a/meta/recipes-core/busybox/busybox_1.37.0.bb b/meta/recipes-core/busybox/busybox_1.37.0.bb
index 61ff602be6f..47908996843 100644
--- a/meta/recipes-core/busybox/busybox_1.37.0.bb
+++ b/meta/recipes-core/busybox/busybox_1.37.0.bb
@@ -63,6 +63,7 @@  SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
            file://0001-busybox-fix-printf-ptest-failure-with-glibc-2.43.patch \
            file://0001-tar-strip-unsafe-hardlink-components-GNU-tar-does-th.patch \
            file://0002-tar-only-strip-unsafe-components-from-hardlinks-not-.patch \
+           file://CVE-2024-58251.patch \
            "
 SRC_URI:append:libc-musl = " file://musl.cfg"
 SRC_URI:append:x86-64 = " file://sha_accel.cfg"
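As an added illustration, not busybox or Yocto code, of what the sanitization in this patch achieves: the function below models the non-Unicode branch of busybox's printable_string() applied to the basename of a process-controlled argv[0], replacing every control byte and every byte at or above 0x7f with '?'. The names sanitize_argv0 and base_name and the sample argv[0] values (one benign, one carrying a terminal title-setting OSC sequence) are constructed for this example; a Unicode-enabled busybox uses its Unicode conversion path instead and lets valid multibyte characters through.

```c
/* Added example, not busybox code: models the non-Unicode branch of
 * busybox printable_string() applied to argv[0], as netstat -p does after
 * this patch. Function names and the sample inputs are constructed. */
#include <stdio.h>
#include <string.h>

/* Equivalent of bb_basename(): pointer past the last '/' (or the whole
 * string if there is none). */
static const char *base_name(const char *path)
{
	const char *slash = strrchr(path, '/');
	return slash ? slash + 1 : path;
}

/* Copy the basename of argv0 into out, replacing every byte a terminal
 * might interpret (below 0x20: ESC, BEL, CR, ...) or that is not 7-bit
 * ASCII (>= 0x7f) with '?'. Output is truncated to outsz-1 bytes and is
 * always NUL-terminated. Returns the number of bytes replaced, so a caller
 * can tell whether the name contained anything hostile. */
size_t sanitize_argv0(const char *argv0, char *out, size_t outsz)
{
	const char *src = base_name(argv0);
	size_t i, replaced = 0;

	if (outsz == 0)
		return 0;
	for (i = 0; src[i] != '\0' && i + 1 < outsz; i++) {
		unsigned char c = (unsigned char)src[i];
		if (c < ' ' || c >= 0x7f) {
			out[i] = '?';
			replaced++;
		} else {
			out[i] = (char)c;
		}
	}
	out[i] = '\0';
	return replaced;
}

/* Constructed /proc/PID/cmdline-style argv[0] values: a benign one and one
 * carrying an OSC "set window title" sequence (ESC ] 0 ; ... BEL), which
 * an unpatched netstat -p would hand to the terminal verbatim. */
static const char *const sample_argv0[] = {
	"/bin/busybox",
	"/usr/sbin/\x1b]0;pwned\x07sshd",
};

int main(void)
{
	char out[64];
	size_t k;

	for (k = 0; k < sizeof(sample_argv0) / sizeof(sample_argv0[0]); k++) {
		size_t n = sanitize_argv0(sample_argv0[k], out, sizeof(out));
		/* what the patched netstat -p would print in the program column */
		printf("%zu byte(s) sanitized: %s\n", n, out);
	}
	return 0;
}
```

The second sample prints as `?]0;pwned?sshd`: the ESC and BEL bytes that made the sequence meaningful to the terminal are gone, while the rest stays visible so the operator can still see that the process name is suspicious.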