# HG changeset patch
# User Pascal Bellard
# Date 1760252004 0
# Node ID e4c74f0dea66928125877c10ef92c56b6e2c20d5
# Parent f95652388956dc633278083c8c65b31601e31712
busybox: add CVE-2025-46394 fix
diff -r f95652388956 -r e4c74f0dea66 busybox/receipt
--- a/busybox/receipt Fri Oct 10 07:36:26 2025 +0000
+++ b/busybox/receipt Sun Oct 12 06:53:24 2025 +0000
@@ -56,6 +56,7 @@
 scriptreplay.u
 mkfs_vfat.u
 chown.u
+CVE-2025-46394.u
 EOT
 cp $stuff/$PACKAGE-${VERSION%.*}.config .config
 cp $stuff/$PACKAGE-${VERSION%.*}.config .
diff -r f95652388956 -r e4c74f0dea66 busybox/stuff/busybox-1.37-CVE-2025-46394.u
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/busybox/stuff/busybox-1.37-CVE-2025-46394.u Sun Oct 12 06:53:24 2025 +0000
@@ -0,0 +1,75 @@
+In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences.
+--- a/archival/libarchive/header_list.c
++++ b/archival/libarchive/header_list.c
+@@ -8,5 +8,6 @@
+ void FAST_FUNC header_list(const file_header_t *file_header)
+ {
+ //TODO: cpio -vp DIR should output "DIR/NAME", not just "NAME" */
+- puts(file_header->name);
++ bb_safe_dump_str(stdout, file_header->name);
++ bb_putchar('\n');
+ }
+--- a/archival/libarchive/header_verbose_list.c
++++ b/archival/libarchive/header_verbose_list.c
+@@ -29,7 +29,7 @@
+ /*sprintf(gid, "%u", (unsigned)file_header->gid);*/
+ group = utoa(file_header->gid);
+ }
+- printf("%s %s/%s %9"OFF_FMT"u %4u-%02u-%02u %02u:%02u:%02u %s",
++ printf("%s %s/%s %9"OFF_FMT"u %4u-%02u-%02u %02u:%02u:%02u",
+ bb_mode_string(modestr, file_header->mode),
+ user,
+ group,
+@@ -39,14 +39,13 @@
+ ptm->tm_mday,
+ ptm->tm_hour,
+ ptm->tm_min,
+- ptm->tm_sec,
+- file_header->name);
++ ptm->tm_sec);
+
+ #else /* !FEATURE_TAR_UNAME_GNAME */
+
+ localtime_r(&file_header->mtime, ptm);
+
+- printf("%s %u/%u %9"OFF_FMT"u %4u-%02u-%02u %02u:%02u:%02u %s",
++ printf("%s %u/%u %9"OFF_FMT"u %4u-%02u-%02u %02u:%02u:%02u",
+ bb_mode_string(modestr, file_header->mode),
+ (unsigned)file_header->uid,
+ (unsigned)file_header->gid,
+@@ -56,14 +55,15 @@
+ ptm->tm_mday,
+ ptm->tm_hour,
+ ptm->tm_min,
+- ptm->tm_sec,
+- file_header->name);
++ ptm->tm_sec);
+
+ #endif /* FEATURE_TAR_UNAME_GNAME */
+
++ bb_safe_dump_str(stdout, file_header->name);
+ /* NB: GNU tar shows "->" for symlinks and "link to" for hardlinks */
+ if (file_header->link_target) {
+- printf(" -> %s", file_header->link_target);
++ printf(" -> ");
++ bb_safe_dump_str(stdout, file_header->link_target);
+ }
+ bb_putchar('\n');
+ }
+--- a/include/libbb.h
++++ b/include/libbb.h
+@@ -2524,6 +2524,14 @@
+ #define isgraph_asciionly(a) ((unsigned)((a) - 0x21) <= 0x7e - 0x21)
+ #define isprint_asciionly(a) ((unsigned)((a) -
0x20) <= 0x7e - 0x20)
+
++/* Print msg to a file-descriptor, replacing any unprintable and terminal escape bytes with '?' if fd is a TTY */
++static ALWAYS_INLINE void bb_safe_dump_str(FILE* fd, const char* msg) {
++ int fdno = fileno(fd);
++ if (isatty(fdno)) {
++ msg = printable_string(msg);
++ }
++ fprintf(fd, "%s", msg);
++}
+
+ /* Simple unit-testing framework */
+
diff -r f95652388956 -r e4c74f0dea66 busybox/stuff/busybox-1.37.config
--- a/busybox/stuff/busybox-1.37.config Fri Oct 10 07:36:26 2025 +0000
+++ b/busybox/stuff/busybox-1.37.config Sun Oct 12 06:53:24 2025 +0000
@@ -620,7 +620,7 @@
 # CONFIG_FEATURE_FBVNC_AUTH is not set
 CONFIG_FDFORMAT=y
 CONFIG_FDISK=y
-# CONFIG_FDISK_SUPPORT_LARGE_DISKS is not set
+CONFIG_FDISK_SUPPORT_LARGE_DISKS=y
 CONFIG_FEATURE_FDISK_WRITABLE=y
 # CONFIG_FEATURE_AIX_LABEL is not set
 # CONFIG_FEATURE_SGI_LABEL is not set
@@ -981,7 +981,7 @@
 CONFIG_FEATURE_TELNET_WIDTH=y
 # CONFIG_TELNETD is not set
 # CONFIG_FEATURE_TELNETD_STANDALONE is not set
-CONFIG_FEATURE_TELNETD_PORT_DEFAULT=0
+CONFIG_FEATURE_TELNETD_PORT_DEFAULT=23
 # CONFIG_FEATURE_TELNETD_INETD_WAIT is not set
 CONFIG_TFTP=y
 CONFIG_FEATURE_TFTP_PROGRESS_BAR=y
diff -r f95652388956 -r e4c74f0dea66 busybox/stuff/busybox-1.37.config-ssfs
--- a/busybox/stuff/busybox-1.37.config-ssfs Fri Oct 10 07:36:26 2025 +0000
+++ b/busybox/stuff/busybox-1.37.config-ssfs Sun Oct 12 06:53:24 2025 +0000
@@ -972,7 +972,7 @@
 # CONFIG_FEATURE_TELNET_WIDTH is not set
 # CONFIG_TELNETD is not set
 # CONFIG_FEATURE_TELNETD_STANDALONE is not set
-CONFIG_FEATURE_TELNETD_PORT_DEFAULT=0
+CONFIG_FEATURE_TELNETD_PORT_DEFAULT=23
 # CONFIG_FEATURE_TELNETD_INETD_WAIT is not set
 # CONFIG_TFTP is not set
 # CONFIG_FEATURE_TFTP_PROGRESS_BAR is not set
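Review bot: In the header_verbose_list.c hunks of the added patch, both rewritten `printf` format strings now end at `%02u:%02u:%02u` and the name is written right after by `bb_safe_dump_str(stdout, file_header->name)`, so as shown here the verbose listing prints the seconds field and the file name with no space between them. Keeping the separator in the format, `"... %02u:%02u:%02u "`, in both the FEATURE_TAR_UNAME_GNAME branch and the `#else` branch would preserve the old column layout. Separately, `bb_safe_dump_str` in libbb.h filters only when `isatty(fileno(fd))` is true, so a listing that goes to a pager, a log file or a captured variable keeps the raw bytes and can still be rendered by a terminal later. If that is deliberate, the comment should say so, for example `/* Output that is not a TTY is passed through unfiltered; consumers that display it later must filter it themselves. */`. The parameter is a `FILE *` but is named `fd` and described as a file-descriptor; `fp` would avoid the confusion with `fdno`.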
@@ -1136,7 +1136,7 @@
 CONFIG_ASH_OPTIMIZE_FOR_SIZE=y
 # CONFIG_ASH_INTERNAL_GLOB is not set
 CONFIG_ASH_BASH_COMPAT=y
-# CONFIG_ASH_BASH_SOURCE_CURDIR is not set
+CONFIG_ASH_BASH_SOURCE_CURDIR=y
 CONFIG_ASH_BASH_NOT_FOUND_HOOK=y
 CONFIG_ASH_JOB_CONTROL=y
 CONFIG_ASH_ALIAS=y
diff -r f95652388956 -r e4c74f0dea66 busybox/stuff/busybox-1.37.config-static
--- a/busybox/stuff/busybox-1.37.config-static Fri Oct 10 07:36:26 2025 +0000
+++ b/busybox/stuff/busybox-1.37.config-static Sun Oct 12 06:53:24 2025 +0000
@@ -233,7 +233,7 @@
 # CONFIG_FEATURE_CP_LONG_OPTIONS is not set
 # CONFIG_FEATURE_CP_REFLINK is not set
 CONFIG_CUT=y
-CONFIG_FEATURE_CUT_REGEX=y
+# CONFIG_FEATURE_CUT_REGEX is not set
 # CONFIG_DATE is not set
 # CONFIG_FEATURE_DATE_ISOFMT is not set
 # CONFIG_FEATURE_DATE_NANO is not set
@@ -980,7 +980,7 @@
 # CONFIG_FEATURE_TELNET_WIDTH is not set
 # CONFIG_TELNETD is not set
 # CONFIG_FEATURE_TELNETD_STANDALONE is not set
-CONFIG_FEATURE_TELNETD_PORT_DEFAULT=0
+CONFIG_FEATURE_TELNETD_PORT_DEFAULT=23
 # CONFIG_FEATURE_TELNETD_INETD_WAIT is not set
 # CONFIG_TFTP is not set
 # CONFIG_FEATURE_TFTP_PROGRESS_BAR is not set
@@ -1144,7 +1144,7 @@
 CONFIG_ASH_OPTIMIZE_FOR_SIZE=y
 CONFIG_ASH_INTERNAL_GLOB=y
 CONFIG_ASH_BASH_COMPAT=y
-# CONFIG_ASH_BASH_SOURCE_CURDIR is not set
+CONFIG_ASH_BASH_SOURCE_CURDIR=y
 # CONFIG_ASH_BASH_NOT_FOUND_HOOK is not set
 # CONFIG_ASH_JOB_CONTROL is not set
 # CONFIG_ASH_ALIAS is not set
diff -r f95652388956 -r e4c74f0dea66 dfbterm/receipt
--- a/dfbterm/receipt Fri Oct 10 07:36:26 2025 +0000
+++ b/dfbterm/receipt Sun Oct 12 06:53:24 2025 +0000
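Review bot: `CONFIG_ASH_BASH_SOURCE_CURDIR=y` is switched on in this `@@ -1136,7 +1136,7 @@` hunk of busybox-1.37.config-ssfs and again in the `@@ -1144,7 +1144,7 @@` hunk of busybox-1.37.config-static, although the commit message only mentions the CVE-2025-46394 fix. As far as I know this option makes ash's `.` and `source` builtins also look in the current directory when the file is not found through $PATH, which BusyBox leaves off by default as non-standard; a script that sources a helper by bare name while running in a directory another user can write to would then load that directory's file. If the flip is only a side effect of regenerating the configs, I would keep `# CONFIG_ASH_BASH_SOURCE_CURDIR is not set`; if it is wanted, it deserves its own commit with the reason stated. The busybox-1.37.config hunks shown here do not touch this option, so it is also worth checking that the three builds end up consistent.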
@@ -8,7 +8,7 @@ LICENSE="GPL2" SOURCE="DFBTerm" TARBALL="${SOURCE}-${VERSION}.tar.gz" -WEB_SITE="https://www.directfb.org/index.php?path=Projects/DFBTerm" +WEB_SITE="https://web.archive.org/web/20150321033018/https://www.directfb.org/index.php?path=Projects/DFBTerm" WGET_URL="https://distro.ibiblio.org/slitaz/sources/packages/${TARBALL:0:1}/$TARBALL" HOST_ARCH="i486 arm" diff -r f95652388956 -r e4c74f0dea66 miniupnpc-dev/receipt --- a/miniupnpc-dev/receipt Fri Oct 10 07:36:26 2025 +0000 +++ b/miniupnpc-dev/receipt Sun Oct 12 06:53:24 2025 +0000 @@ -6,7 +6,7 @@ SHORT_DESC="UPnP Internet Gateway Device (IGD) specifications client development files." MAINTAINER="pascal.bellard@slitaz.org" LICENSE="BSD" -WEB_SITE="http://miniupnp.tuxfamily.org/" +WEB_SITE="https://github.com/miniupnp/miniupnp/" WANTED="miniupnpc" DEPENDS="miniupnpc pkg-config" diff -r f95652388956 -r e4c74f0dea66 miniupnpc/receipt --- a/miniupnpc/receipt Fri Oct 10 07:36:26 2025 +0000 +++ b/miniupnpc/receipt Sun Oct 12 06:53:24 2025 +0000 @@ -7,7 +7,7 @@ MAINTAINER="pascal.bellard@slitaz.org" LICENSE="BSD" TARBALL="${PACKAGE}_${VERSION/./_}.tar.gz" -WEB_SITE="https://miniupnp.tuxfamily.org/" +WEB_SITE="https://github.com/miniupnp/miniupnp/" WGET_URL="https://github.com/miniupnp/miniupnp/archive/$TARBALL" TAGS="upnp" @@ -18,7 +18,7 @@ current_version() { wget -O - ${WGET_URL%/arch*}/tags 2>/dev/null | \ - sed '/tag\//!d;s|.*tag/[a-z_]*||;s|".*||;s|_|.|g;q' + sed '/tag\//!d;/miniupnpc/!d;s|.*tag/[a-z_]*||;s|".*||;s|_|.|g;q' } # Rules to configure and make the package. diff -r f95652388956 -r e4c74f0dea66 miniupnpd/receipt --- a/miniupnpd/receipt Fri Oct 10 07:36:26 2025 +0000 +++ b/miniupnpd/receipt Sun Oct 12 06:53:24 2025 +0000 
@@ -6,10 +6,11 @@ SHORT_DESC="UPnP Internet Gateway Device (IGD) specifications server." MAINTAINER="pascal.bellard@slitaz.org" LICENSE="BSD" -WEB_SITE="https://miniupnp.tuxfamily.org/" +WEB_SITE="https://github.com/miniupnp/miniupnp/" TARBALL="$PACKAGE-$VERSION.tar.gz" WGET_URL="$WEB_SITE/files/$TARBALL" +WGET_URL="https://github.com/miniupnp/miniupnp/archive/$TARBALL" TAGS="upnp" DEPENDS="iptables libssl" @@ -18,8 +19,8 @@ # What is the latest version available today? current_version() { - wget -O - ${WGET_URL%/*} 2>/dev/null | \ - sed '/miniupnpd-/!d;s|.*pnpd-||;s|.tar.*||;q' + wget -O - ${WGET_URL%/arch*}/tags 2>/dev/null | \ + sed '/tag\//!d;/miniupnpd/!d;s|.*tag/[a-z_]*||;s|".*||;s|_|.|g;q' } # Rules to configure and make the package.
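Review bot: In the `@@ -6,10 +6,11 @@` hunk the added `WGET_URL="https://github.com/miniupnp/miniupnp/archive/$TARBALL"` sits directly under the old `WGET_URL="$WEB_SITE/files/$TARBALL"`, which is now dead and, with the new WEB_SITE, expands to a GitHub path that is not the download location; the old assignment should be removed rather than overridden. `TARBALL` stays `$PACKAGE-$VERSION.tar.gz`, while the rewritten `current_version` in the following hunk turns `_` into `.` when reading tag names and the miniupnpc receipt builds its tarball name with `${VERSION/./_}`, which suggests the GitHub tags use underscores, so the archive URL probably needs the same translation to resolve. Because the download origin changes, this is also the point to confirm that whatever integrity check the build applies to the tarball still matches; none is visible in the hunk.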