On Tue May 19, 2026 at 7:27 AM CEST, Chen Qi via lists.openembedded.org wrote: > From: Chen Qi <[email protected]> > > Backport two patches to fix CVE-2026-29004. > > Reference: > https://nvd.nist.gov/vuln/detail/CVE-2026-29004 > > Signed-off-by: Chen Qi <[email protected]> > ---
Hello, As far as I can tell, this CVE-2026-29004 also applies to master (in particular, it does not looked fixed in the recent 1.38.0 upgrade). I can't merge this on wrynose until a fix is merged on master. Can you send the equivalent fix to master? Thanks! > .../busybox/busybox/CVE-2026-29004-01.patch | 42 +++++++++++++++++ > .../busybox/busybox/CVE-2026-29004-02.patch | 47 +++++++++++++++++++ > meta/recipes-core/busybox/busybox_1.37.0.bb | 2 + > 3 files changed, 91 insertions(+) > create mode 100644 meta/recipes-core/busybox/busybox/CVE-2026-29004-01.patch > create mode 100644 meta/recipes-core/busybox/busybox/CVE-2026-29004-02.patch > > diff --git a/meta/recipes-core/busybox/busybox/CVE-2026-29004-01.patch > b/meta/recipes-core/busybox/busybox/CVE-2026-29004-01.patch > new file mode 100644 > index 0000000000..8ce4858adc > --- /dev/null > +++ b/meta/recipes-core/busybox/busybox/CVE-2026-29004-01.patch > @@ -0,0 +1,42 @@ > +From d9a718cc17535c31d38f31fccb904a30e823166d Mon Sep 17 00:00:00 2001 > +From: Denys Vlasenko <[email protected]> > +Date: Thu, 12 Mar 2026 07:25:38 +0100 > +Subject: [PATCH 1/2] udhcpc6: fix buffer overflow > + > +Signed-off-by: Denys Vlasenko <[email protected]> > + > +CVE: CVE-2026-29004 > + > +Upstream-Status: Backport > [https://github.com/vda-linux/busybox_mirror/commit/42202bfb1e6ac51fa995beda8be4d7b654aeee2a] > + > +Signed-off-by: Chen Qi <[email protected]> > +--- > + networking/udhcp/d6_dhcpc.c | 6 +++--- > + 1 file changed, 3 insertions(+), 3 deletions(-) > + > +diff --git a/networking/udhcp/d6_dhcpc.c b/networking/udhcp/d6_dhcpc.c > +index 79cef1999..d13b05829 100644 > +--- a/networking/udhcp/d6_dhcpc.c > ++++ b/networking/udhcp/d6_dhcpc.c > +@@ -351,15 +351,15 @@ static void option_to_env(const uint8_t *option, const > uint8_t *option_end) > + addrs = option[3] >> 4; > + > + /* Setup environment variable */ > +- *new_env() = dlist = xmalloc(4 + addrs * 40 - 1); > ++ *new_env() = dlist = xmalloc(4 + addrs * 40 + 1); > + dlist = stpcpy(dlist, "dns="); > + option_offset = 0; > + > +- while (addrs--) { > ++ while (addrs-- != 0) { > + sprint_nip6(dlist, option + 4 + option_offset); > + dlist += 39; > + option_offset += 16; > +- if (addrs) > ++ if (addrs != 0) > + *dlist++ = ' '; > + } > + > +-- > +2.34.1 > + > diff --git a/meta/recipes-core/busybox/busybox/CVE-2026-29004-02.patch > b/meta/recipes-core/busybox/busybox/CVE-2026-29004-02.patch > new file mode 100644 > index 0000000000..734f0bbbdb > --- /dev/null > +++ b/meta/recipes-core/busybox/busybox/CVE-2026-29004-02.patch > @@ -0,0 +1,47 @@ > +From 1e14c5c577a7bd46f42315e9bc445419770041a7 Mon Sep 17 00:00:00 2001 > +From: Denys Vlasenko <[email protected]> > +Date: Thu, 12 Mar 2026 13:23:48 +0100 > +Subject: [PATCH 2/2] udhcpc6: check the size of D6_OPT_IAPREFIX option > + > +function old new delta > +option_to_env 694 711 +17 > + > +Signed-off-by: Denys Vlasenko <[email protected]> > + > +CVE: CVE-2026-29004 > + > +Upstream-Status: Backport > [https://github.com/vda-linux/busybox_mirror/commit/d368f3f7836d1c2484c8f839316e5c93e76d4409] > + > +Signed-off-by: Chen Qi <[email protected]> > +--- > + networking/udhcp/d6_dhcpc.c | 7 +++++-- > + 1 file changed, 5 insertions(+), 2 deletions(-) > + > +diff --git a/networking/udhcp/d6_dhcpc.c b/networking/udhcp/d6_dhcpc.c > +index d13b05829..1851cee2a 100644 > +--- a/networking/udhcp/d6_dhcpc.c > ++++ b/networking/udhcp/d6_dhcpc.c > +@@ -287,8 +287,8 @@ static void option_to_env(const uint8_t *option, const > uint8_t *option_end) > + * | valid-lifetime | > + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > + */ > +- /* Make sure payload contains an address */ > +- if (option[3] < 24) > ++ /* Make sure payload exists */ > ++ if (option[3] < (16 + 4 + 4)) > + break; > + > + sprint_nip6(ipv6str, option + 4); > +@@ -332,6 +332,9 @@ static void option_to_env(const uint8_t *option, const > uint8_t *option_end) > + * | | > + * +-+-+-+-+-+-+-+-+ > + */ > ++ /* Make sure payload exists */ > ++ if (option[3] < (4 + 4 + 1 + 16)) > ++ break; > + move_from_unaligned32(v32, option + 4 + 4); > + v32 = ntohl(v32); > + *new_env() = xasprintf("ipv6prefix_lease=%u", > (unsigned)v32); > +-- > +2.34.1 > + > diff --git a/meta/recipes-core/busybox/busybox_1.37.0.bb > b/meta/recipes-core/busybox/busybox_1.37.0.bb > index 4790899684..a6abfa2598 100644 > --- a/meta/recipes-core/busybox/busybox_1.37.0.bb > +++ b/meta/recipes-core/busybox/busybox_1.37.0.bb > @@ -64,6 +64,8 @@ SRC_URI = > "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \ > > file://0001-tar-strip-unsafe-hardlink-components-GNU-tar-does-th.patch \ > > file://0002-tar-only-strip-unsafe-components-from-hardlinks-not-.patch \ > file://CVE-2024-58251.patch \ > + file://CVE-2026-29004-01.patch \ > + file://CVE-2026-29004-02.patch \ > " > SRC_URI:append:libc-musl = " file://musl.cfg" > SRC_URI:append:x86-64 = " file://sha_accel.cfg" -- Yoann Congal Smile ECS
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#237345): https://lists.openembedded.org/g/openembedded-core/message/237345 Mute This Topic: https://lists.openembedded.org/mt/119386348/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
