Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package busybox for openSUSE:Factory checked 
in at 2026-05-10 16:46:59
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/busybox (Old)
 and      /work/SRC/openSUSE:Factory/.busybox.new.1966 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "busybox"

Sun May 10 16:46:59 2026 rev:97 rq:1351513 version:1.37.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/busybox/busybox.changes  2026-02-26 
18:36:49.380040120 +0100
+++ /work/SRC/openSUSE:Factory/.busybox.new.1966/busybox.changes        
2026-05-10 16:47:13.306071989 +0200
@@ -1,0 +2,8 @@
+Fri May  8 04:36:01 UTC 2026 - Radoslav Kolev <[email protected]>
+
+- Fix heap buffer overflow vulnerability in the DHCPv6 client 
+  (CVE-2026-29004, bsc#1263989)
+  * 0001-udhcpc6-fix-buffer-overflow.patch
+  * 0002-udhcpc6-check-the-size-of-D6_OPT_IAPREFIX-option.patch
+
+-------------------------------------------------------------------

New:
----
  0001-udhcpc6-fix-buffer-overflow.patch
  0002-udhcpc6-check-the-size-of-D6_OPT_IAPREFIX-option.patch

----------(New B)----------
  New:  (CVE-2026-29004, bsc#1263989)
  * 0001-udhcpc6-fix-buffer-overflow.patch
  * 0002-udhcpc6-check-the-size-of-D6_OPT_IAPREFIX-option.patch
  New:  * 0001-udhcpc6-fix-buffer-overflow.patch
  * 0002-udhcpc6-check-the-size-of-D6_OPT_IAPREFIX-option.patch
----------(New E)----------

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ busybox.spec ++++++
--- /var/tmp/diff_new_pack.r7Ur0S/_old  2026-05-10 16:47:14.222109477 +0200
+++ /var/tmp/diff_new_pack.r7Ur0S/_new  2026-05-10 16:47:14.222109477 +0200
@@ -67,6 +67,9 @@
 Patch16:        0001-tar-strip-unsafe-hardlink-components-GNU-tar-does-th.patch
 # PATCH-FIX-UPSTREAM - The fix above introducesa problem rewriting symlink 
targets too
 Patch17:        0002-tar-only-strip-unsafe-components-from-hardlinks-not-.patch
+# PATCH-FIX-UPSTREAM - Fix bsc#1263989, (CVE-2026-29004) from upsrteam commits 
42202bf, d368f3f
+Patch18:        0001-udhcpc6-fix-buffer-overflow.patch
+Patch19:        0002-udhcpc6-check-the-size-of-D6_OPT_IAPREFIX-option.patch
 
 # other patches
 Patch100:       busybox.install.patch
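Review bot: The comment added above `Patch18` misspells "upstream" as `upsrteam`, so a text search for the provenance of this CVE fix will miss it. I would write it as `# PATCH-FIX-UPSTREAM - Fix bsc#1263989 (CVE-2026-29004) from upstream commits 42202bf, d368f3f`. The context comment above `Patch17` has a similar slip (`introducesa`); it is outside this change but could be corrected in the same pass.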

++++++ 0001-udhcpc6-fix-buffer-overflow.patch ++++++
>From 42202bfb1e6ac51fa995beda8be4d7b654aeee2a Mon Sep 17 00:00:00 2001
From: Denys Vlasenko <[email protected]>
Date: Thu, 12 Mar 2026 07:25:38 +0100
Subject: [PATCH 1/2] udhcpc6: fix buffer overflow

Signed-off-by: Denys Vlasenko <[email protected]>
---
 networking/udhcp/d6_dhcpc.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/networking/udhcp/d6_dhcpc.c b/networking/udhcp/d6_dhcpc.c
index f17a12151..5f81c7c6b 100644
--- a/networking/udhcp/d6_dhcpc.c
+++ b/networking/udhcp/d6_dhcpc.c
@@ -369,15 +369,15 @@ static void option_to_env(const uint8_t *option, const 
uint8_t *option_end)
                        addrs = option[3] >> 4;
 
                        /* Setup environment variable */
-                       *new_env() = dlist = xmalloc(4 + addrs * 40 - 1);
+                       *new_env() = dlist = xmalloc(4 + addrs * 40 + 1);
                        dlist = stpcpy(dlist, "dns=");
                        option_offset = 0;
 
-                       while (addrs--) {
+                       while (addrs-- != 0) {
                                sprint_nip6(dlist, option + 4 + option_offset);
                                dlist += 39;
                                option_offset += 16;
-                               if (addrs)
+                               if (addrs != 0)
                                        *dlist++ = ' ';
                        }
 
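Review bot: The size expression `4 + addrs * 40 + 1` on the new `xmalloc` line has no explanation, and the commit message does not describe the miscalculation, so a reader has to re-derive the arithmetic. From the visible lines, `stpcpy(dlist, "dns=")` stores five bytes including the terminator, while the old expression yielded three when `addrs` is 0; each loop pass then advances `dlist` by 39 plus one separator. I would add a comment above the allocation such as `/* "dns=" (4) + 40 per address (39 chars + separator) + NUL; addrs can be 0 */`. Whether `sprint_nip6` writes its own terminator is not visible here, so that part of the budget should be confirmed against its definition. `option_to_env` starts and ends outside this hunk.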
-- 
2.53.0


++++++ 0002-udhcpc6-check-the-size-of-D6_OPT_IAPREFIX-option.patch ++++++
>From d368f3f7836d1c2484c8f839316e5c93e76d4409 Mon Sep 17 00:00:00 2001
From: Denys Vlasenko <[email protected]>
Date: Thu, 12 Mar 2026 13:23:48 +0100
Subject: [PATCH 2/2] udhcpc6: check the size of D6_OPT_IAPREFIX option

function                                             old     new   delta
option_to_env                                        694     711     +17

Signed-off-by: Denys Vlasenko <[email protected]>
---
 networking/udhcp/d6_dhcpc.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/networking/udhcp/d6_dhcpc.c b/networking/udhcp/d6_dhcpc.c
index 5f81c7c6b..7233c5fbe 100644
--- a/networking/udhcp/d6_dhcpc.c
+++ b/networking/udhcp/d6_dhcpc.c
@@ -305,8 +305,8 @@ static void option_to_env(const uint8_t *option, const 
uint8_t *option_end)
  * |                        valid-lifetime                         |
  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  */
-                       /* Make sure payload contains an address */
-                       if (option[3] < 24)
+                       /* Make sure payload exists */
+                       if (option[3] < (16 + 4 + 4))
                                break;
 
                        sprint_nip6(ipv6str, option + 4);
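Review bot: The rewritten guard `option[3] < (16 + 4 + 4)` spells out a sum without saying what the terms are, and the new comment "Make sure payload exists" is less specific than the one it replaces. Naming the fields would let a reader check the minimum length against the layout diagram above it, for example `/* need address (16) + preferred-lifetime (4) + valid-lifetime (4) */`, assuming the terms follow that layout. The same applies to the guard added in the second hunk of this patch, where `(4 + 4 + 1 + 16)` could be annotated as `/* preferred-lifetime (4) + valid-lifetime (4) + prefix-length (1) + prefix (16) */`. The enclosing `option_to_env` starts and ends outside both hunks.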
@@ -350,6 +350,9 @@ static void option_to_env(const uint8_t *option, const 
uint8_t *option_end)
  * |               |
  * +-+-+-+-+-+-+-+-+
  */
+                       /* Make sure payload exists */
+                       if (option[3] < (4 + 4 + 1 + 16))
+                               break;
                        move_from_unaligned32(v32, option + 4 + 4);
                        v32 = ntohl(v32);
                        *new_env() = xasprintf("ipv6prefix_lease=%u", 
(unsigned)v32);
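Review bot: The added guard compares only the length byte `option[3]` with the minimum for this option. It is sufficient only if that length has already been bounded by `option_end` and the other length byte (presumably `option[2]`) is known to be zero, and neither check is visible in this hunk. If the top of the option loop establishes both, a short comment here such as `/* option[3] was already checked against the bytes left before option_end */` would record the dependency. If it does not, the read at `option + 4 + 4` could still run past the received data, and the same condition would apply to the guard in the first hunk. `option_to_env` continues outside this hunk.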
-- 
2.53.0
