On Thu Mar 19, 2026 at 12:40 PM CET, Hitendra Prajapati via lists.openembedded.org wrote: > Hi Team, > > I'm not able to load the official busybox repo from last week, so I used > a mirror.
Yes, the busybox git host is sadly not reliable :( Khem found a mirror that looks trustworthy and up-to-date: https://gogs.librecmc.org/OWEALS/busybox/ In the hope that the busybox host will recover, let's put git.busybox.net in our upstream-status but add a note with this mirror. > If anyone has access, they may try to fix this or I will look into > these later. > > Regards, > > Hitendra > > On 19/03/26 4:35 pm, Fabien Thomas wrote: >> On Fri Mar 13, 2026 at 2:18 PM CET, Hitendra Prajapati via >> lists.openembedded.org wrote: >>> Although the patch was not merged yet, Debian already took it ([1] & [2]). >>> Since busybox CVE handling is slow, follow Debian's decision. >>> >>> [1]https://sources.debian.org/src/busybox/1:1.37.0-10.1/debian/patches/0001-tar-strip-unsafe-hardlink-components-GNU-tar-does-th.patch >>> [2]https://sources.debian.org/src/busybox/1:1.37.0-10.1/debian/patches/0002-tar-only-strip-unsafe-components-from-hardlinks-not-.patch >>> >>> Signed-off-by: Hitendra Prajapati<[email protected]> >>> --- >>> .../CVE-2026-26157-CVE-2026-26158-01.patch | 35 ++++ >>> .../CVE-2026-26157-CVE-2026-26158-02.patch | 197 ++++++++++++++++++ >>> meta/recipes-core/busybox/busybox_1.35.0.bb | 2 + >>> 3 files changed, 234 insertions(+) >>> create mode 100644 >>> meta/recipes-core/busybox/busybox/CVE-2026-26157-CVE-2026-26158-01.patch >>> create mode 100644 >>> meta/recipes-core/busybox/busybox/CVE-2026-26157-CVE-2026-26158-02.patch >>> >>> diff --git >>> a/meta/recipes-core/busybox/busybox/CVE-2026-26157-CVE-2026-26158-01.patch >>> b/meta/recipes-core/busybox/busybox/CVE-2026-26157-CVE-2026-26158-01.patch >>> new file mode 100644 >>> index 0000000000..306ccad511 >>> --- /dev/null >>> +++ >>> b/meta/recipes-core/busybox/busybox/CVE-2026-26157-CVE-2026-26158-01.patch 
>>> @@ -0,0 +1,35 @@ >>> +From 038e0e4d791ea4e8a8da5e06904756142fc6b8dc Mon Sep 17 00:00:00 2001 >>> +From: Radoslav Kolev<[email protected]> >>> +Date: Mon, 16 Feb 2026 11:50:04 +0200 >>> +Subject: tar: only strip unsafe components from hardlinks, not symlinks >>> + >>> +commit 3fb6b31c7 introduced a check for unsafe components in >>> +tar archive hardlinks, but it was being applied to symlinks too >>> +which broke "Symlinks and hardlinks coexist" tar test. >>> + >>> +Signed-off-by: Radoslav Kolev<[email protected]> >>> +Signed-off-by: Denys Vlasenko<[email protected]> >>> + >>> +CVE: CVE-2026-26157, CVE-2026-26158 >>> +Upstream-Status: Backport >>> [https://github.com/mirror/busybox/commit/3fb6b31c716669e12f75a2accd31bb7685b1a1cb] Maybe something like this? Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=3fb6b31c716669e12f75a2accd31bb7685b1a1cb] (Alternative mirrored URL: https://gogs.librecmc.org/OWEALS/busybox/commit/3fb6b31c716669e12f75a2accd31bb7685b1a1cb) >>> +Signed-off-by: Hitendra Prajapati<[email protected]> >>> +--- >>> + archival/libarchive/get_header_tar.c | 2 +- >>> + 1 file changed, 1 insertion(+), 1 deletion(-) >>> + >>> +diff --git a/archival/libarchive/get_header_tar.c >>> b/archival/libarchive/get_header_tar.c >>> +index dc0f7e0..a8c2ad8 100644 >>> +--- a/archival/libarchive/get_header_tar.c >>> ++++ b/archival/libarchive/get_header_tar.c >>> +@@ -453,7 +453,7 @@ char FAST_FUNC get_header_tar(archive_handle_t >>> *archive_handle) >>> + >>> + /* Everything up to and including last ".." component is stripped */ >>> + strip_unsafe_prefix(file_header->name); >>> +- if (file_header->link_target) { >>> ++ if (file_header->link_target && !S_ISLNK(file_header->mode)) { >>> + /* GNU tar 1.34 examples: >>> + * tar: Removing leading '/' from hard link targets >>> + * tar: Removing leading '../' from hard link targets >>> +-- >>> +2.50.1 >>> + 
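Review bot: the Upstream-Status line in 01.patch names commit 3fb6b31c716669e12f75a2accd31bb7685b1a1cb on a GitHub mirror, but the patch's own message says "commit 3fb6b31c7 introduced a check for unsafe components in tar archive hardlinks" and that this change is the follow-up fixing that check for symlinks, so the status points at the commit being fixed rather than the commit being backported (the From: header carries 038e0e4d791ea4e8a8da5e06904756142fc6b8dc, and Fabien's review identifies the first patch as a backport of 599f5dd8fac390c18b79cba4c14c334957605dae); please put the commit this file actually backports in the status, using the git.busybox.net URL form Yoann suggests. A second consequence of that same message: the hunk's context lines (`if (file_header->link_target) {` and the `/* GNU tar 1.34 examples:` comment after `strip_unsafe_prefix(file_header->name);`) belong to the hardlink-stripping change that 02.patch carries, so 01.patch can only apply after 02.patch; applied first against a pristine busybox 1.35.0 tree it has nothing to match, which is consistent with the `Hunk #1 FAILED at 453` do_patch error reported in this thread.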
>>> diff --git >>> a/meta/recipes-core/busybox/busybox/CVE-2026-26157-CVE-2026-26158-02.patch >>> b/meta/recipes-core/busybox/busybox/CVE-2026-26157-CVE-2026-26158-02.patch >>> new file mode 100644 >>> index 0000000000..69e6e98c75 >>> --- /dev/null >>> +++ >>> b/meta/recipes-core/busybox/busybox/CVE-2026-26157-CVE-2026-26158-02.patch >>> @@ -0,0 +1,197 @@ >>> +From 0c20d6b353b058ab910dd3a0211e2b906802b105 Mon Sep 17 00:00:00 2001 >>> +From: Denys Vlasenko<[email protected]> >>> +Date: Thu, 29 Jan 2026 11:48:02 +0100 >>> +Subject: tar: strip unsafe hardlink components - GNU tar does the same >>> + >>> +Defends against files like these (python reproducer): >>> + >>> +import tarfile >>> +ti = tarfile.TarInfo("leak_hosts") >>> +ti.type = tarfile.LNKTYPE >>> +ti.linkname = "/etc/hosts" # or "../etc/hosts" or ".." >>> +ti.size = 0 >>> +with tarfile.open("/tmp/hardlink.tar", "w") as t: >>> + t.addfile(ti) >>> + >>> +function old new delta >>> +skip_unsafe_prefix - 127 +127 >>> +get_header_tar 1752 1754 +2 >>> +.rodata 106861 106856 -5 >>> +unzip_main 2715 2706 -9 >>> +strip_unsafe_prefix 102 18 -84 >>> +------------------------------------------------------------------------------ >>> +(add/remove: 1/0 grow/shrink: 1/3 up/down: 129/-98) Total: 31 >>> bytes >>> + >>> +Signed-off-by: Denys Vlasenko<[email protected]> >>> + >>> +CVE: CVE-2026-26157, CVE-2026-26158 >>> +Upstream-Status: Backport >>> [https://github.com/mirror/busybox/commit/3fb6b31c716669e12f75a2accd31bb7685b1a1cb] Use the same pattern as above. >>> +Signed-off-by: Hitendra Prajapati<[email protected]> >>> +--- >>> [...] >>> + >>> diff --git a/meta/recipes-core/busybox/busybox_1.35.0.bb >>> b/meta/recipes-core/busybox/busybox_1.35.0.bb >>> index 0b5ac220f5..bb07502ccc 100644 >>> --- a/meta/recipes-core/busybox/busybox_1.35.0.bb >>> +++ b/meta/recipes-core/busybox/busybox_1.35.0.bb 
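Review bot: 02.patch has the same metadata mismatch: Upstream-Status cites the GitHub mirror and commit 3fb6b31c716669e12f75a2accd31bb7685b1a1cb while the From: header carries 0c20d6b353b058ab910dd3a0211e2b906802b105, so the status should be reconciled with what this file actually backports and switched to the git.busybox.net URL, as Yoann's "Use the same pattern as above" asks. The body of the patch is elided in this quote (`[...]`), so the code change itself, including the strip_unsafe_prefix/skip_unsafe_prefix rework the size table shows, cannot be checked here; since this is the patch that adds the actual defence (stripping leading '/' and '..' components from hardlink targets, the case the python reproducer in its message builds), it must be the one applied first, and its resulting get_header_tar.c context must match what 01.patch's hunk expects.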
>>> @@ -62,6 +62,8 @@ SRC_URI >>> ="https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \ >>> file://CVE-2025-46394-01.patch \ file://CVE-2025-46394-02.patch \ >>> file://CVE-2025-60876.patch \ + >>> file://CVE-2026-26157-CVE-2026-26158-01.patch \ + >>> file://CVE-2026-26157-CVE-2026-26158-02.patch \ " >>> SRC_URI:append:libc-musl =" file://musl.cfg " >>> >> Hi Hitendra, >> >> I'm working with Yoann, helping him to support the maintenance of >> the stable branches. >> >> Thanks for the patch. Indeed, since the Busybox CVE handling is indeed slow, >> following Debian is acceptable. However, there are a few issues that need to >> be addressed before this can be merged: >> >> In the patch metadata (Upstream-Status / Backport): >> - Source URL: Please use the official upstream repository (git.busybox.net, >> which I'm aware is a little bit downish) instead of the GitHub mirror. >> - Commit Reference: The Debian patches you cited do not actually backport >> the commit 3fb6b31c716669e12f75a2accd31bb7685b1a1cb as claimed in the status. >> Seems that the first one is actually a backport of >> 599f5dd8fac390c18b79cba4c14c334957605dae, recently merged in busybox master. >> >> Please clarify the "Upstream-Status" to reflect exactly >> what these patches represent. >> >> The first patch (01.patch) fails to apply on the current Kirkstone >> busybox_1.35.0 recipe: >> >> ERROR: busybox-1.35.0-r0 do_patch: >> Applying patch 'CVE-2026-26157-CVE-2026-26158-01.patch' >> patching file archival/libarchive/get_header_tar.c >> Hunk #1 FAILED at 453. >> 1 out of 1 hunk FAILED -- rejects in file >> archival/libarchive/get_header_tar.c >> >> Please ensure the patches are rebased and tested against >> the kirkstone branch of openembedded-core. >> >> Best regards, Regards, -- Yoann Congal Smile ECS
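Review bot: on the busybox_1.35.0.bb hunk, SRC_URI lists CVE-2026-26157-CVE-2026-26158-01.patch before CVE-2026-26157-CVE-2026-26158-02.patch, and do_patch applies them in that order; because 01 is the follow-up to the hardlink check that 02 introduces (01's own message says commit 3fb6b31c7 introduced the check it adjusts), 01 finds no matching context in an unpatched 1.35.0 tree, which is consistent with the `Hunk #1 FAILED at 453` error quoted above. Either swap the two `file://` lines or renumber the patch files so the commit that adds the hardlink stripping applies first, then re-run do_patch against kirkstone before resending.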
