Re: [OE-core][wrynose][PATCH 2/2] busybox: fix CVE-2026-29004

Yoann Congal via lists.openembedded.org Wed, 20 May 2026 01:02:34 -0700

On Wed May 20, 2026 at 3:47 AM CEST, ChenQi wrote:
> On 5/20/26 06:36, Yoann Congal via lists.openembedded.org wrote:
>> On Tue May 19, 2026 at 7:27 AM CEST, Chen Qi via lists.openembedded.org 
>> wrote:
>>> From: Chen Qi <[email protected]>
>>>
>>> Backport two patches to fix CVE-2026-29004.
>>>
>>> Reference:
>>> https://nvd.nist.gov/vuln/detail/CVE-2026-29004
>>>
>>> Signed-off-by: Chen Qi <[email protected]>
>>> ---
>> Hello,
>>
>> As far as I can tell, this CVE-2026-29004 also applies to master (in
>> particular, it does not looked fixed in the recent 1.38.0 upgrade).
>>
>> I can't merge this on wrynose until a fix is merged on master.
>> Can you send the equivalent fix to master?
>
> I checked this before I sent out patches. I can confirm that the issue 
> has been fixed in 1.38.0.
>
> """
> $ grep -A 5 "Setup environment variable" 
> busybox-1.38.0/networking/udhcp/d6_dhcpc.c
>                          /* Setup environment variable */
>                          *new_env() = dlist = xmalloc(4 + addrs * 40 + 1);
>                          dlist = stpcpy(dlist, "dns=");
>                          option_offset = 0;
>
>                          while (addrs-- != 0) {
> """
>
> And Andrej has already sent the 1.38.0 update for master branch.


Ah right. The github mirror is missing the 1.38.0 tag. But the commit
is listed in the changelog. So I'll add this patch to my series.

Thanks!

>
> Regards,
> Qi
>
>>
>> Thanks!
>>
>>>   .../busybox/busybox/CVE-2026-29004-01.patch   | 42 +++++++++++++++++
>>>   .../busybox/busybox/CVE-2026-29004-02.patch   | 47 +++++++++++++++++++
>>>   meta/recipes-core/busybox/busybox_1.37.0.bb   |  2 +
>>>   3 files changed, 91 insertions(+)
>>>   create mode 100644 
>>> meta/recipes-core/busybox/busybox/CVE-2026-29004-01.patch
>>>   create mode 100644 
>>> meta/recipes-core/busybox/busybox/CVE-2026-29004-02.patch
>>>
>>> diff --git a/meta/recipes-core/busybox/busybox/CVE-2026-29004-01.patch 
>>> b/meta/recipes-core/busybox/busybox/CVE-2026-29004-01.patch
>>> new file mode 100644
>>> index 0000000000..8ce4858adc
>>> --- /dev/null
>>> +++ b/meta/recipes-core/busybox/busybox/CVE-2026-29004-01.patch
>>> @@ -0,0 +1,42 @@
>>> +From d9a718cc17535c31d38f31fccb904a30e823166d Mon Sep 17 00:00:00 2001
>>> +From: Denys Vlasenko <[email protected]>
>>> +Date: Thu, 12 Mar 2026 07:25:38 +0100
>>> +Subject: [PATCH 1/2] udhcpc6: fix buffer overflow
>>> +
>>> +Signed-off-by: Denys Vlasenko <[email protected]>
>>> +
>>> +CVE: CVE-2026-29004
>>> +
>>> +Upstream-Status: Backport 
>>> [https://github.com/vda-linux/busybox_mirror/commit/42202bfb1e6ac51fa995beda8be4d7b654aeee2a]
>>> +
>>> +Signed-off-by: Chen Qi <[email protected]>
>>> +---
>>> + networking/udhcp/d6_dhcpc.c | 6 +++---
>>> + 1 file changed, 3 insertions(+), 3 deletions(-)
>>> +
>>> +diff --git a/networking/udhcp/d6_dhcpc.c b/networking/udhcp/d6_dhcpc.c
>>> +index 79cef1999..d13b05829 100644
>>> +--- a/networking/udhcp/d6_dhcpc.c
>>> ++++ b/networking/udhcp/d6_dhcpc.c
>>> +@@ -351,15 +351,15 @@ static void option_to_env(const uint8_t *option, 
>>> const uint8_t *option_end)
>>> +                   addrs = option[3] >> 4;
>>> +
>>> +                   /* Setup environment variable */
>>> +-                  *new_env() = dlist = xmalloc(4 + addrs * 40 - 1);
>>> ++                  *new_env() = dlist = xmalloc(4 + addrs * 40 + 1);
>>> +                   dlist = stpcpy(dlist, "dns=");
>>> +                   option_offset = 0;
>>> +
>>> +-                  while (addrs--) {
>>> ++                  while (addrs-- != 0) {
>>> +                           sprint_nip6(dlist, option + 4 + option_offset);
>>> +                           dlist += 39;
>>> +                           option_offset += 16;
>>> +-                          if (addrs)
>>> ++                          if (addrs != 0)
>>> +                                   *dlist++ = ' ';
>>> +                   }
>>> +
>>> +--
>>> +2.34.1
>>> +
>>> diff --git a/meta/recipes-core/busybox/busybox/CVE-2026-29004-02.patch 
>>> b/meta/recipes-core/busybox/busybox/CVE-2026-29004-02.patch
>>> new file mode 100644
>>> index 0000000000..734f0bbbdb
>>> --- /dev/null
>>> +++ b/meta/recipes-core/busybox/busybox/CVE-2026-29004-02.patch
>>> @@ -0,0 +1,47 @@
>>> +From 1e14c5c577a7bd46f42315e9bc445419770041a7 Mon Sep 17 00:00:00 2001
>>> +From: Denys Vlasenko <[email protected]>
>>> +Date: Thu, 12 Mar 2026 13:23:48 +0100
>>> +Subject: [PATCH 2/2] udhcpc6: check the size of D6_OPT_IAPREFIX option
>>> +
>>> +function                                             old     new   delta
>>> +option_to_env                                        694     711     +17
>>> +
>>> +Signed-off-by: Denys Vlasenko <[email protected]>
>>> +
>>> +CVE: CVE-2026-29004
>>> +
>>> +Upstream-Status: Backport 
>>> [https://github.com/vda-linux/busybox_mirror/commit/d368f3f7836d1c2484c8f839316e5c93e76d4409]
>>> +
>>> +Signed-off-by: Chen Qi <[email protected]>
>>> +---
>>> + networking/udhcp/d6_dhcpc.c | 7 +++++--
>>> + 1 file changed, 5 insertions(+), 2 deletions(-)
>>> +
>>> +diff --git a/networking/udhcp/d6_dhcpc.c b/networking/udhcp/d6_dhcpc.c
>>> +index d13b05829..1851cee2a 100644
>>> +--- a/networking/udhcp/d6_dhcpc.c
>>> ++++ b/networking/udhcp/d6_dhcpc.c
>>> +@@ -287,8 +287,8 @@ static void option_to_env(const uint8_t *option, const 
>>> uint8_t *option_end)
>>> +  * |                        valid-lifetime                         |
>>> +  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>>> +  */
>>> +-                  /* Make sure payload contains an address */
>>> +-                  if (option[3] < 24)
>>> ++                  /* Make sure payload exists */
>>> ++                  if (option[3] < (16 + 4 + 4))
>>> +                           break;
>>> +
>>> +                   sprint_nip6(ipv6str, option + 4);
>>> +@@ -332,6 +332,9 @@ static void option_to_env(const uint8_t *option, const 
>>> uint8_t *option_end)
>>> +  * |               |
>>> +  * +-+-+-+-+-+-+-+-+
>>> +  */
>>> ++                  /* Make sure payload exists */
>>> ++                  if (option[3] < (4 + 4 + 1 + 16))
>>> ++                          break;
>>> +                   move_from_unaligned32(v32, option + 4 + 4);
>>> +                   v32 = ntohl(v32);
>>> +                   *new_env() = xasprintf("ipv6prefix_lease=%u", 
>>> (unsigned)v32);
>>> +--
>>> +2.34.1
>>> +
>>> diff --git a/meta/recipes-core/busybox/busybox_1.37.0.bb 
>>> b/meta/recipes-core/busybox/busybox_1.37.0.bb
>>> index 4790899684..a6abfa2598 100644
>>> --- a/meta/recipes-core/busybox/busybox_1.37.0.bb
>>> +++ b/meta/recipes-core/busybox/busybox_1.37.0.bb
>>> @@ -64,6 +64,8 @@ SRC_URI = 
>>> "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
>>>              
>>> file://0001-tar-strip-unsafe-hardlink-components-GNU-tar-does-th.patch \
>>>              
>>> file://0002-tar-only-strip-unsafe-components-from-hardlinks-not-.patch \
>>>              file://CVE-2024-58251.patch \
>>> +           file://CVE-2026-29004-01.patch \
>>> +           file://CVE-2026-29004-02.patch \
>>>              "
>>>   SRC_URI:append:libc-musl = " file://musl.cfg"
>>>   SRC_URI:append:x86-64 = " file://sha_accel.cfg"
>>
>>
>> 
>>


-- 
Yoann Congal
Smile ECS

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#237389): 
https://lists.openembedded.org/g/openembedded-core/message/237389
Mute This Topic: https://lists.openembedded.org/mt/119386348/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core][wrynose][PATCH 2/2] busybox: fix CVE-2026-29004

Reply via email to