From: "Hugo SIMELIERE (Schneider Electric)" <[email protected]>

Pick the patches from [1] and [2], as mentioned in the Debian report [3].

[1] 
https://git.busybox.net/busybox/commit/archival?id=42202bfb1e6ac51fa995beda8be4d7b654aeee2a
[2] 
https://git.busybox.net/busybox/commit/archival?id=d368f3f7836d1c2484c8f839316e5c93e76d4409
[3] https://security-tracker.debian.org/tracker/CVE-2026-29004

Signed-off-by: Hugo SIMELIERE (Schneider Electric) 
<[email protected]>
Reviewed-by: Bruno VERNAY <[email protected]>
---
 .../busybox/busybox/CVE-2026-29004-01.patch   | 41 +++++++++++++++++
 .../busybox/busybox/CVE-2026-29004-02.patch   | 46 +++++++++++++++++++
 meta/recipes-core/busybox/busybox_1.36.1.bb   |  2 +
 3 files changed, 89 insertions(+)
 create mode 100644 meta/recipes-core/busybox/busybox/CVE-2026-29004-01.patch
 create mode 100644 meta/recipes-core/busybox/busybox/CVE-2026-29004-02.patch

diff --git a/meta/recipes-core/busybox/busybox/CVE-2026-29004-01.patch 
b/meta/recipes-core/busybox/busybox/CVE-2026-29004-01.patch
new file mode 100644
index 0000000000..0423a76730
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2026-29004-01.patch
@@ -0,0 +1,41 @@
+From e49fb0f6ad0a0f924ec2cfe6838d04c4f1f4c3ba Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <[email protected]>
+Date: Thu, 12 Mar 2026 07:25:38 +0100
+Subject: [PATCH 1/2] udhcpc6: fix buffer overflow
+
+CVE: CVE-2026-29004
+Upstream-Status: Backport 
[https://git.busybox.net/busybox/commit/archival?id=42202bfb1e6ac51fa995beda8be4d7b654aeee2a]
+
+Signed-off-by: Denys Vlasenko <[email protected]>
+(cherry picked from commit 42202bfb1e6ac51fa995beda8be4d7b654aeee2a)
+Signed-off-by: Hugo SIMELIERE (Schneider Electric) 
<[email protected]>
+---
+ networking/udhcp/d6_dhcpc.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/networking/udhcp/d6_dhcpc.c b/networking/udhcp/d6_dhcpc.c
+index cdd06188e..62cc0f466 100644
+--- a/networking/udhcp/d6_dhcpc.c
++++ b/networking/udhcp/d6_dhcpc.c
+@@ -351,15 +351,15 @@ static void option_to_env(const uint8_t *option, const 
uint8_t *option_end)
+                       addrs = option[3] >> 4;
+ 
+                       /* Setup environment variable */
+-                      *new_env() = dlist = xmalloc(4 + addrs * 40 - 1);
++                      *new_env() = dlist = xmalloc(4 + addrs * 40 + 1);
+                       dlist = stpcpy(dlist, "dns=");
+                       option_offset = 0;
+ 
+-                      while (addrs--) {
++                      while (addrs-- != 0) {
+                               sprint_nip6(dlist, option + 4 + option_offset);
+                               dlist += 39;
+                               option_offset += 16;
+-                              if (addrs)
++                              if (addrs != 0)
+                                       *dlist++ = ' ';
+                       }
+ 
+-- 
+2.43.0
+
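Review bot: The new allocation size `4 + addrs * 40 + 1` in option_to_env is still an unexplained expression, and a comment above the xmalloc would make the bound checkable at a glance, e.g. `/* "dns=" (4) + 40 per address (39 chars plus separator or final NUL); +1 leaves room for the NUL when addrs is 0 */`. The loop advances `dlist += 39` unconditionally, which presumably relies on sprint_nip6 always writing a fixed 39-character address; that assumption is worth stating next to the increment. Whether `addrs * 16` bytes of option data are actually present before option_end is decided outside this hunk, so the backport should be checked against the 1.36.1 tree to confirm that the length validation is in place there. The body of option_to_env starts and ends outside the hunk.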
diff --git a/meta/recipes-core/busybox/busybox/CVE-2026-29004-02.patch 
b/meta/recipes-core/busybox/busybox/CVE-2026-29004-02.patch
new file mode 100644
index 0000000000..ac8c031cc6
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2026-29004-02.patch
@@ -0,0 +1,46 @@
+From 4d8d5b7c4426e62375235cf4903b6cb53bb193d3 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <[email protected]>
+Date: Thu, 12 Mar 2026 13:23:48 +0100
+Subject: [PATCH 2/2] udhcpc6: check the size of D6_OPT_IAPREFIX option
+
+function                                             old     new   delta
+option_to_env                                        694     711     +17
+
+CVE: CVE-2026-29004
+Upstream-Status: Backport 
[https://git.busybox.net/busybox/commit/archival?id=d368f3f7836d1c2484c8f839316e5c93e76d4409]
+
+Signed-off-by: Denys Vlasenko <[email protected]>
+(cherry picked from commit d368f3f7836d1c2484c8f839316e5c93e76d4409)
+Signed-off-by: Hugo SIMELIERE (Schneider Electric) 
<[email protected]>
+---
+ networking/udhcp/d6_dhcpc.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/networking/udhcp/d6_dhcpc.c b/networking/udhcp/d6_dhcpc.c
+index 62cc0f466..64a41c9d8 100644
+--- a/networking/udhcp/d6_dhcpc.c
++++ b/networking/udhcp/d6_dhcpc.c
+@@ -287,8 +287,8 @@ static void option_to_env(const uint8_t *option, const 
uint8_t *option_end)
+  * |                        valid-lifetime                         |
+  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+  */
+-                      /* Make sure payload contains an address */
+-                      if (option[3] < 24)
++                      /* Make sure payload exists */
++                      if (option[3] < (16 + 4 + 4))
+                               break;
+ 
+                       sprint_nip6(ipv6str, option + 4);
+@@ -332,6 +332,9 @@ static void option_to_env(const uint8_t *option, const 
uint8_t *option_end)
+  * |               |
+  * +-+-+-+-+-+-+-+-+
+  */
++                      /* Make sure payload exists */
++                      if (option[3] < (4 + 4 + 1 + 16))
++                              break;
+                       move_from_unaligned32(v32, option + 4 + 4);
+                       v32 = ntohl(v32);
+                       *new_env() = xasprintf("ipv6prefix_lease=%u", 
(unsigned)v32);
+-- 
+2.43.0
+
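Review bot: Both length checks now carry the same comment, `/* Make sure payload exists */`, which does not say what the constants stand for. Naming the fields would let a reader verify the sums against the layout diagrams above them, e.g. `/* IAADDR: address(16) + preferred(4) + valid(4) */` for the first check and `/* IAPREFIX: preferred(4) + valid(4) + prefix-length(1) + prefix(16) */` for the added one. The checks compare only `option[3]`, the option's self-declared length byte, so they protect the reads that follow only if that length was already validated against option_end earlier in option_to_env. That validation is not visible here, because the function starts and ends outside these hunks.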
diff --git a/meta/recipes-core/busybox/busybox_1.36.1.bb 
b/meta/recipes-core/busybox/busybox_1.36.1.bb
index 228bfdadd3..7929d396c8 100644
--- a/meta/recipes-core/busybox/busybox_1.36.1.bb
+++ b/meta/recipes-core/busybox/busybox_1.36.1.bb
@@ -64,6 +64,8 @@ SRC_URI = 
"https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
            file://CVE-2025-60876.patch \
            file://CVE-2026-26157-CVE-2026-26158-01.patch \
            file://CVE-2026-26157-CVE-2026-26158-02.patch \
+           file://CVE-2026-29004-01.patch \
+           file://CVE-2026-29004-02.patch \
            "
 SRC_URI:append:libc-musl = " file://musl.cfg "
 # TODO http://lists.busybox.net/pipermail/busybox/2023-January/090078.html
-- 
2.43.0
