[OE-core][wrynose][PATCH 2/2] busybox: fix CVE-2026-29004

Mon, 18 May 2026 22:27:42 -0700 

From: Chen Qi <[email protected]>

Backport two patches to fix CVE-2026-29004.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2026-29004

Signed-off-by: Chen Qi <[email protected]>
---
 .../busybox/busybox/CVE-2026-29004-01.patch   | 42 +++++++++++++++++
 .../busybox/busybox/CVE-2026-29004-02.patch   | 47 +++++++++++++++++++
 meta/recipes-core/busybox/busybox_1.37.0.bb   |  2 +
 3 files changed, 91 insertions(+)
 create mode 100644 meta/recipes-core/busybox/busybox/CVE-2026-29004-01.patch
 create mode 100644 meta/recipes-core/busybox/busybox/CVE-2026-29004-02.patch

diff --git a/meta/recipes-core/busybox/busybox/CVE-2026-29004-01.patch 
b/meta/recipes-core/busybox/busybox/CVE-2026-29004-01.patch
new file mode 100644
index 0000000000..8ce4858adc
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2026-29004-01.patch
@@ -0,0 +1,42 @@
+From d9a718cc17535c31d38f31fccb904a30e823166d Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <[email protected]>
+Date: Thu, 12 Mar 2026 07:25:38 +0100
+Subject: [PATCH 1/2] udhcpc6: fix buffer overflow
+
+Signed-off-by: Denys Vlasenko <[email protected]>
+
+CVE: CVE-2026-29004
+
+Upstream-Status: Backport 
[https://github.com/vda-linux/busybox_mirror/commit/42202bfb1e6ac51fa995beda8be4d7b654aeee2a]
+
+Signed-off-by: Chen Qi <[email protected]>
+---
+ networking/udhcp/d6_dhcpc.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/networking/udhcp/d6_dhcpc.c b/networking/udhcp/d6_dhcpc.c
+index 79cef1999..d13b05829 100644
+--- a/networking/udhcp/d6_dhcpc.c
++++ b/networking/udhcp/d6_dhcpc.c
+@@ -351,15 +351,15 @@ static void option_to_env(const uint8_t *option, const 
uint8_t *option_end)
+                       addrs = option[3] >> 4;
+ 
+                       /* Setup environment variable */
+-                      *new_env() = dlist = xmalloc(4 + addrs * 40 - 1);
++                      *new_env() = dlist = xmalloc(4 + addrs * 40 + 1);
+                       dlist = stpcpy(dlist, "dns=");
+                       option_offset = 0;
+ 
+-                      while (addrs--) {
++                      while (addrs-- != 0) {
+                               sprint_nip6(dlist, option + 4 + option_offset);
+                               dlist += 39;
+                               option_offset += 16;
+-                              if (addrs)
++                              if (addrs != 0)
+                                       *dlist++ = ' ';
+                       }
+ 
+-- 
+2.34.1
+
diff --git a/meta/recipes-core/busybox/busybox/CVE-2026-29004-02.patch 
b/meta/recipes-core/busybox/busybox/CVE-2026-29004-02.patch
new file mode 100644
index 0000000000..734f0bbbdb
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2026-29004-02.patch
@@ -0,0 +1,47 @@
+From 1e14c5c577a7bd46f42315e9bc445419770041a7 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <[email protected]>
+Date: Thu, 12 Mar 2026 13:23:48 +0100
+Subject: [PATCH 2/2] udhcpc6: check the size of D6_OPT_IAPREFIX option
+
+function                                             old     new   delta
+option_to_env                                        694     711     +17
+
+Signed-off-by: Denys Vlasenko <[email protected]>
+
+CVE: CVE-2026-29004
+
+Upstream-Status: Backport 
[https://github.com/vda-linux/busybox_mirror/commit/d368f3f7836d1c2484c8f839316e5c93e76d4409]
+
+Signed-off-by: Chen Qi <[email protected]>
+---
+ networking/udhcp/d6_dhcpc.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/networking/udhcp/d6_dhcpc.c b/networking/udhcp/d6_dhcpc.c
+index d13b05829..1851cee2a 100644
+--- a/networking/udhcp/d6_dhcpc.c
++++ b/networking/udhcp/d6_dhcpc.c
+@@ -287,8 +287,8 @@ static void option_to_env(const uint8_t *option, const 
uint8_t *option_end)
+  * |                        valid-lifetime                         |
+  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+  */
+-                      /* Make sure payload contains an address */
+-                      if (option[3] < 24)
++                      /* Make sure payload exists */
++                      if (option[3] < (16 + 4 + 4))
+                               break;
+ 
+                       sprint_nip6(ipv6str, option + 4);
+@@ -332,6 +332,9 @@ static void option_to_env(const uint8_t *option, const 
uint8_t *option_end)
+  * |               |
+  * +-+-+-+-+-+-+-+-+
+  */
++                      /* Make sure payload exists */
++                      if (option[3] < (4 + 4 + 1 + 16))
++                              break;
+                       move_from_unaligned32(v32, option + 4 + 4);
+                       v32 = ntohl(v32);
+                       *new_env() = xasprintf("ipv6prefix_lease=%u", 
(unsigned)v32);
+-- 
+2.34.1
+
diff --git a/meta/recipes-core/busybox/busybox_1.37.0.bb 
b/meta/recipes-core/busybox/busybox_1.37.0.bb
index 4790899684..a6abfa2598 100644
--- a/meta/recipes-core/busybox/busybox_1.37.0.bb
+++ b/meta/recipes-core/busybox/busybox_1.37.0.bb
@@ -64,6 +64,8 @@ SRC_URI = 
"https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
            
file://0001-tar-strip-unsafe-hardlink-components-GNU-tar-does-th.patch \
            
file://0002-tar-only-strip-unsafe-components-from-hardlinks-not-.patch \
            file://CVE-2024-58251.patch \
+           file://CVE-2026-29004-01.patch \
+           file://CVE-2026-29004-02.patch \
            "
 SRC_URI:append:libc-musl = " file://musl.cfg"
 SRC_URI:append:x86-64 = " file://sha_accel.cfg"
-- 
2.34.1


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#237268): 
https://lists.openembedded.org/g/openembedded-core/message/237268
Mute This Topic: https://lists.openembedded.org/mt/119386348/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to