On 5/20/26 06:36, Yoann Congal via lists.openembedded.org wrote:
On Tue May 19, 2026 at 7:27 AM CEST, Chen Qi via lists.openembedded.org wrote:
From: Chen Qi <[email protected]>
Backport two patches to fix CVE-2026-29004.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2026-29004
Signed-off-by: Chen Qi <[email protected]>
---
Hello,
As far as I can tell, this CVE-2026-29004 also applies to master (in
particular, it does not looked fixed in the recent 1.38.0 upgrade).
I can't merge this on wrynose until a fix is merged on master.
Can you send the equivalent fix to master?
I checked this before I sent out patches. I can confirm that the issue
has been fixed in 1.38.0.
"""
$ grep -A 5 "Setup environment variable"
busybox-1.38.0/networking/udhcp/d6_dhcpc.c
/* Setup environment variable */
*new_env() = dlist = xmalloc(4 + addrs * 40 + 1);
dlist = stpcpy(dlist, "dns=");
option_offset = 0;
while (addrs-- != 0) {
"""
And Andrej has already sent the 1.38.0 update for master branch.
Regards,
Qi
Thanks!
.../busybox/busybox/CVE-2026-29004-01.patch | 42 +++++++++++++++++
.../busybox/busybox/CVE-2026-29004-02.patch | 47 +++++++++++++++++++
meta/recipes-core/busybox/busybox_1.37.0.bb | 2 +
3 files changed, 91 insertions(+)
create mode 100644 meta/recipes-core/busybox/busybox/CVE-2026-29004-01.patch
create mode 100644 meta/recipes-core/busybox/busybox/CVE-2026-29004-02.patch
diff --git a/meta/recipes-core/busybox/busybox/CVE-2026-29004-01.patch
b/meta/recipes-core/busybox/busybox/CVE-2026-29004-01.patch
new file mode 100644
index 0000000000..8ce4858adc
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2026-29004-01.patch
@@ -0,0 +1,42 @@
+From d9a718cc17535c31d38f31fccb904a30e823166d Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <[email protected]>
+Date: Thu, 12 Mar 2026 07:25:38 +0100
+Subject: [PATCH 1/2] udhcpc6: fix buffer overflow
+
+Signed-off-by: Denys Vlasenko <[email protected]>
+
+CVE: CVE-2026-29004
+
+Upstream-Status: Backport
[https://github.com/vda-linux/busybox_mirror/commit/42202bfb1e6ac51fa995beda8be4d7b654aeee2a]
+
+Signed-off-by: Chen Qi <[email protected]>
+---
+ networking/udhcp/d6_dhcpc.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/networking/udhcp/d6_dhcpc.c b/networking/udhcp/d6_dhcpc.c
+index 79cef1999..d13b05829 100644
+--- a/networking/udhcp/d6_dhcpc.c
++++ b/networking/udhcp/d6_dhcpc.c
+@@ -351,15 +351,15 @@ static void option_to_env(const uint8_t *option, const
uint8_t *option_end)
+ addrs = option[3] >> 4;
+
+ /* Setup environment variable */
+- *new_env() = dlist = xmalloc(4 + addrs * 40 - 1);
++ *new_env() = dlist = xmalloc(4 + addrs * 40 + 1);
+ dlist = stpcpy(dlist, "dns=");
+ option_offset = 0;
+
+- while (addrs--) {
++ while (addrs-- != 0) {
+ sprint_nip6(dlist, option + 4 + option_offset);
+ dlist += 39;
+ option_offset += 16;
+- if (addrs)
++ if (addrs != 0)
+ *dlist++ = ' ';
+ }
+
+--
+2.34.1
+
diff --git a/meta/recipes-core/busybox/busybox/CVE-2026-29004-02.patch
b/meta/recipes-core/busybox/busybox/CVE-2026-29004-02.patch
new file mode 100644
index 0000000000..734f0bbbdb
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2026-29004-02.patch
@@ -0,0 +1,47 @@
+From 1e14c5c577a7bd46f42315e9bc445419770041a7 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <[email protected]>
+Date: Thu, 12 Mar 2026 13:23:48 +0100
+Subject: [PATCH 2/2] udhcpc6: check the size of D6_OPT_IAPREFIX option
+
+function old new delta
+option_to_env 694 711 +17
+
+Signed-off-by: Denys Vlasenko <[email protected]>
+
+CVE: CVE-2026-29004
+
+Upstream-Status: Backport
[https://github.com/vda-linux/busybox_mirror/commit/d368f3f7836d1c2484c8f839316e5c93e76d4409]
+
+Signed-off-by: Chen Qi <[email protected]>
+---
+ networking/udhcp/d6_dhcpc.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/networking/udhcp/d6_dhcpc.c b/networking/udhcp/d6_dhcpc.c
+index d13b05829..1851cee2a 100644
+--- a/networking/udhcp/d6_dhcpc.c
++++ b/networking/udhcp/d6_dhcpc.c
+@@ -287,8 +287,8 @@ static void option_to_env(const uint8_t *option, const
uint8_t *option_end)
+ * | valid-lifetime |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+- /* Make sure payload contains an address */
+- if (option[3] < 24)
++ /* Make sure payload exists */
++ if (option[3] < (16 + 4 + 4))
+ break;
+
+ sprint_nip6(ipv6str, option + 4);
+@@ -332,6 +332,9 @@ static void option_to_env(const uint8_t *option, const
uint8_t *option_end)
+ * | |
+ * +-+-+-+-+-+-+-+-+
+ */
++ /* Make sure payload exists */
++ if (option[3] < (4 + 4 + 1 + 16))
++ break;
+ move_from_unaligned32(v32, option + 4 + 4);
+ v32 = ntohl(v32);
+ *new_env() = xasprintf("ipv6prefix_lease=%u",
(unsigned)v32);
+--
+2.34.1
+
diff --git a/meta/recipes-core/busybox/busybox_1.37.0.bb
b/meta/recipes-core/busybox/busybox_1.37.0.bb
index 4790899684..a6abfa2598 100644
--- a/meta/recipes-core/busybox/busybox_1.37.0.bb
+++ b/meta/recipes-core/busybox/busybox_1.37.0.bb
@@ -64,6 +64,8 @@ SRC_URI =
"https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
file://0001-tar-strip-unsafe-hardlink-components-GNU-tar-does-th.patch \
file://0002-tar-only-strip-unsafe-components-from-hardlinks-not-.patch \
file://CVE-2024-58251.patch \
+ file://CVE-2026-29004-01.patch \
+ file://CVE-2026-29004-02.patch \
"
SRC_URI:append:libc-musl = " file://musl.cfg"
SRC_URI:append:x86-64 = " file://sha_accel.cfg"
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#237377):
https://lists.openembedded.org/g/openembedded-core/message/237377
Mute This Topic: https://lists.openembedded.org/mt/119386348/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
