wok rev 25896

busybox: add CVE-2025-46394 fix
author Pascal Bellard <pascal.bellard@slitaz.org>
date Sun Oct 12 06:53:24 2025 +0000 (5 days ago)
parents f95652388956
children 60d01af0b3c9
files busybox/receipt busybox/stuff/busybox-1.37-CVE-2025-46394.u busybox/stuff/busybox-1.37.config busybox/stuff/busybox-1.37.config-ssfs busybox/stuff/busybox-1.37.config-static dfbterm/receipt miniupnpc-dev/receipt miniupnpc/receipt miniupnpd/receipt
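--- a/busybox/receipt	Fri Oct 10 07:36:26 2025 +0000
+++ b/busybox/receipt	Sun Oct 12 06:53:24 2025 +0000
@@ -56,6 +56,7 @@
 scriptreplay.u
 mkfs_vfat.u
 chown.u
+CVE-2025-46394.u
 EOT
     cp $stuff/$PACKAGE-${VERSION%.*}.config .config
     cp $stuff/$PACKAGE-${VERSION%.*}.config .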
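--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/busybox/stuff/busybox-1.37-CVE-2025-46394.u	Sun Oct 12 06:53:24 2025 +0000
@@ -0,0 +1,75 @@
+In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences.
+--- a/archival/libarchive/header_list.c
++++ b/archival/libarchive/header_list.c
+@@ -8,5 +8,6 @@
+ void FAST_FUNC header_list(const file_header_t *file_header)
+ {
+ //TODO: cpio -vp DIR should output "DIR/NAME", not just "NAME" */
+-	puts(file_header->name);
++	bb_safe_dump_str(stdout, file_header->name);
++	bb_putchar('\n');
+ }
+--- a/archival/libarchive/header_verbose_list.c
++++ b/archival/libarchive/header_verbose_list.c
+@@ -29,7 +29,7 @@
+ 		/*sprintf(gid, "%u", (unsigned)file_header->gid);*/
+ 		group = utoa(file_header->gid);
+ 	}
+-	printf("%s %s/%s %9"OFF_FMT"u %4u-%02u-%02u %02u:%02u:%02u %s",
++	printf("%s %s/%s %9"OFF_FMT"u %4u-%02u-%02u %02u:%02u:%02u",
+ 		bb_mode_string(modestr, file_header->mode),
+ 		user,
+ 		group,
+@@ -39,14 +39,13 @@
+ 		ptm->tm_mday,
+ 		ptm->tm_hour,
+ 		ptm->tm_min,
+-		ptm->tm_sec,
+-		file_header->name);
++		ptm->tm_sec);
+ 
+ #else /* !FEATURE_TAR_UNAME_GNAME */
+ 
+ 	localtime_r(&file_header->mtime, ptm);
+ 
+-	printf("%s %u/%u %9"OFF_FMT"u %4u-%02u-%02u %02u:%02u:%02u %s",
++	printf("%s %u/%u %9"OFF_FMT"u %4u-%02u-%02u %02u:%02u:%02u",
+ 		bb_mode_string(modestr, file_header->mode),
+ 		(unsigned)file_header->uid,
+ 		(unsigned)file_header->gid,
+@@ -56,14 +55,15 @@
+ 		ptm->tm_mday,
+ 		ptm->tm_hour,
+ 		ptm->tm_min,
+-		ptm->tm_sec,
+-		file_header->name);
++		ptm->tm_sec);
+ 
+ #endif /* FEATURE_TAR_UNAME_GNAME */
+ 
++	bb_safe_dump_str(stdout, file_header->name);
+ 	/* NB: GNU tar shows "->" for symlinks and "link to" for hardlinks */
+ 	if (file_header->link_target) {
+-		printf(" -> %s", file_header->link_target);
++		printf(" -> ");
++		bb_safe_dump_str(stdout, file_header->link_target);
+ 	}
+ 	bb_putchar('\n');
+ }
+--- a/include/libbb.h
++++ b/include/libbb.h
+@@ -2524,6 +2524,14 @@
+ #define isgraph_asciionly(a) ((unsigned)((a) - 0x21) <= 0x7e - 0x21)
+ #define isprint_asciionly(a) ((unsigned)((a) - 0x20) <= 0x7e - 0x20)
+ 
++/* Print msg to a file-descriptor, replacing any unprintable and terminal escape bytes with '?' if fd is a TTY */
++static ALWAYS_INLINE void bb_safe_dump_str(FILE* fd, const char* msg) {
++	int fdno = fileno(fd);
++	if (isatty(fdno)) {
++		msg = printable_string(msg);
++	}
++	fprintf(fd, "%s", msg);
++}
+ 
+ /* Simple unit-testing framework */
+ 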
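Review bot: In the embedded header_verbose_list.c patch, both new format strings end at `%02u:%02u:%02u` with the trailing space removed together with `%s`, and nothing prints a separator before `bb_safe_dump_str(stdout, file_header->name)`, so verbose listings would appear to run the seconds field straight into the file name. Keeping the space in both branches, `"... %02u:%02u:%02u "`, preserves the previous column layout for anything that parses the listing. Separately, the helper added to libbb.h filters only when `isatty()` is true, so a listing that is piped to a pager or saved to a log and viewed later still carries the raw escape bytes; the comment on `bb_safe_dump_str` should say so explicitly, e.g. `/* NB: output to pipes and files is left unfiltered */`. The `FILE*` parameter named `fd` would read better as `fp`, and the body of header_verbose_list starts outside the quoted hunks.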
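--- a/busybox/stuff/busybox-1.37.config	Fri Oct 10 07:36:26 2025 +0000
+++ b/busybox/stuff/busybox-1.37.config	Sun Oct 12 06:53:24 2025 +0000
@@ -620,7 +620,7 @@
 # CONFIG_FEATURE_FBVNC_AUTH is not set
 CONFIG_FDFORMAT=y
 CONFIG_FDISK=y
-# CONFIG_FDISK_SUPPORT_LARGE_DISKS is not set
+CONFIG_FDISK_SUPPORT_LARGE_DISKS=y
 CONFIG_FEATURE_FDISK_WRITABLE=y
 # CONFIG_FEATURE_AIX_LABEL is not set
 # CONFIG_FEATURE_SGI_LABEL is not set
@@ -981,7 +981,7 @@
 CONFIG_FEATURE_TELNET_WIDTH=y
 # CONFIG_TELNETD is not set
 # CONFIG_FEATURE_TELNETD_STANDALONE is not set
-CONFIG_FEATURE_TELNETD_PORT_DEFAULT=0
+CONFIG_FEATURE_TELNETD_PORT_DEFAULT=23
 # CONFIG_FEATURE_TELNETD_INETD_WAIT is not set
 CONFIG_TFTP=y
 CONFIG_FEATURE_TFTP_PROGRESS_BAR=y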
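--- a/busybox/stuff/busybox-1.37.config-ssfs	Fri Oct 10 07:36:26 2025 +0000
+++ b/busybox/stuff/busybox-1.37.config-ssfs	Sun Oct 12 06:53:24 2025 +0000
@@ -972,7 +972,7 @@
 # CONFIG_FEATURE_TELNET_WIDTH is not set
 # CONFIG_TELNETD is not set
 # CONFIG_FEATURE_TELNETD_STANDALONE is not set
-CONFIG_FEATURE_TELNETD_PORT_DEFAULT=0
+CONFIG_FEATURE_TELNETD_PORT_DEFAULT=23
 # CONFIG_FEATURE_TELNETD_INETD_WAIT is not set
 # CONFIG_TFTP is not set
 # CONFIG_FEATURE_TFTP_PROGRESS_BAR is not set
@@ -1136,7 +1136,7 @@
 CONFIG_ASH_OPTIMIZE_FOR_SIZE=y
 # CONFIG_ASH_INTERNAL_GLOB is not set
 CONFIG_ASH_BASH_COMPAT=y
-# CONFIG_ASH_BASH_SOURCE_CURDIR is not set
+CONFIG_ASH_BASH_SOURCE_CURDIR=y
 CONFIG_ASH_BASH_NOT_FOUND_HOOK=y
 CONFIG_ASH_JOB_CONTROL=y
 CONFIG_ASH_ALIAS=y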
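Review bot: `CONFIG_ASH_BASH_SOURCE_CURDIR=y` is switched on here, and again in busybox-1.37.config-static, in a commit described only as a CVE fix. As far as I recall, this option makes ash's `.` and `source` builtins fall back to the current directory when the file is not found in $PATH, which BusyBox's own help text discourages as non-standard; a script that sources a bare name while running in a directory writable by another user would then load that user's file. If the change is intentional it deserves its own commit and a line in the description; otherwise keep `# CONFIG_ASH_BASH_SOURCE_CURDIR is not set`. The line added in config-static also carries a trailing space after `=y`.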
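--- a/busybox/stuff/busybox-1.37.config-static	Fri Oct 10 07:36:26 2025 +0000
+++ b/busybox/stuff/busybox-1.37.config-static	Sun Oct 12 06:53:24 2025 +0000
@@ -233,7 +233,7 @@
 # CONFIG_FEATURE_CP_LONG_OPTIONS is not set
 # CONFIG_FEATURE_CP_REFLINK is not set
 CONFIG_CUT=y
-CONFIG_FEATURE_CUT_REGEX=y
+# CONFIG_FEATURE_CUT_REGEX is not set
 # CONFIG_DATE is not set
 # CONFIG_FEATURE_DATE_ISOFMT is not set
 # CONFIG_FEATURE_DATE_NANO is not set
@@ -980,7 +980,7 @@
 # CONFIG_FEATURE_TELNET_WIDTH is not set
 # CONFIG_TELNETD is not set
 # CONFIG_FEATURE_TELNETD_STANDALONE is not set
-CONFIG_FEATURE_TELNETD_PORT_DEFAULT=0
+CONFIG_FEATURE_TELNETD_PORT_DEFAULT=23
 # CONFIG_FEATURE_TELNETD_INETD_WAIT is not set
 # CONFIG_TFTP is not set
 # CONFIG_FEATURE_TFTP_PROGRESS_BAR is not set
@@ -1144,7 +1144,7 @@
 CONFIG_ASH_OPTIMIZE_FOR_SIZE=y
 CONFIG_ASH_INTERNAL_GLOB=y
 CONFIG_ASH_BASH_COMPAT=y
-# CONFIG_ASH_BASH_SOURCE_CURDIR is not set
+CONFIG_ASH_BASH_SOURCE_CURDIR=y 
 # CONFIG_ASH_BASH_NOT_FOUND_HOOK is not set
 # CONFIG_ASH_JOB_CONTROL is not set
 # CONFIG_ASH_ALIAS is not set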
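--- a/dfbterm/receipt	Fri Oct 10 07:36:26 2025 +0000
+++ b/dfbterm/receipt	Sun Oct 12 06:53:24 2025 +0000
@@ -8,7 +8,7 @@
 LICENSE="GPL2"
 SOURCE="DFBTerm"
 TARBALL="${SOURCE}-${VERSION}.tar.gz"
-WEB_SITE="https://www.directfb.org/index.php?path=Projects/DFBTerm"
+WEB_SITE="https://web.archive.org/web/20150321033018/https://www.directfb.org/index.php?path=Projects/DFBTerm"
 WGET_URL="https://distro.ibiblio.org/slitaz/sources/packages/${TARBALL:0:1}/$TARBALL"
 HOST_ARCH="i486 arm"
 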
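--- a/miniupnpc-dev/receipt	Fri Oct 10 07:36:26 2025 +0000
+++ b/miniupnpc-dev/receipt	Sun Oct 12 06:53:24 2025 +0000
@@ -6,7 +6,7 @@
 SHORT_DESC="UPnP Internet Gateway Device (IGD) specifications client development files."
 MAINTAINER="pascal.bellard@slitaz.org"
 LICENSE="BSD"
-WEB_SITE="http://miniupnp.tuxfamily.org/"
+WEB_SITE="https://github.com/miniupnp/miniupnp/"
 WANTED="miniupnpc"
 
 DEPENDS="miniupnpc pkg-config"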
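--- a/miniupnpc/receipt	Fri Oct 10 07:36:26 2025 +0000
+++ b/miniupnpc/receipt	Sun Oct 12 06:53:24 2025 +0000
@@ -7,7 +7,7 @@
 MAINTAINER="pascal.bellard@slitaz.org"
 LICENSE="BSD"
 TARBALL="${PACKAGE}_${VERSION/./_}.tar.gz"
-WEB_SITE="https://miniupnp.tuxfamily.org/"
+WEB_SITE="https://github.com/miniupnp/miniupnp/"
 WGET_URL="https://github.com/miniupnp/miniupnp/archive/$TARBALL"
 TAGS="upnp"
 
@@ -18,7 +18,7 @@
 current_version()
 {
 	wget -O - ${WGET_URL%/arch*}/tags 2>/dev/null | \
-	sed '/tag\//!d;s|.*tag/[a-z_]*||;s|".*||;s|_|.|g;q'
+	sed '/tag\//!d;/miniupnpc/!d;s|.*tag/[a-z_]*||;s|".*||;s|_|.|g;q'
 }
 
 # Rules to configure and make the package.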
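--- a/miniupnpd/receipt	Fri Oct 10 07:36:26 2025 +0000
+++ b/miniupnpd/receipt	Sun Oct 12 06:53:24 2025 +0000
@@ -6,10 +6,11 @@
 SHORT_DESC="UPnP Internet Gateway Device (IGD) specifications server."
 MAINTAINER="pascal.bellard@slitaz.org"
 LICENSE="BSD"
-WEB_SITE="https://miniupnp.tuxfamily.org/"
+WEB_SITE="https://github.com/miniupnp/miniupnp/"
 
 TARBALL="$PACKAGE-$VERSION.tar.gz"
 WGET_URL="$WEB_SITE/files/$TARBALL"
+WGET_URL="https://github.com/miniupnp/miniupnp/archive/$TARBALL"
 TAGS="upnp"
 
 DEPENDS="iptables libssl"
@@ -18,8 +19,8 @@
 # What is the latest version available today?
 current_version()
 {
-	wget -O - ${WGET_URL%/*} 2>/dev/null | \
-	sed '/miniupnpd-/!d;s|.*pnpd-||;s|.tar.*||;q'
+	wget -O - ${WGET_URL%/arch*}/tags 2>/dev/null | \
+	sed '/tag\//!d;/miniupnpd/!d;s|.*tag/[a-z_]*||;s|".*||;s|_|.|g;q'
 }
 
 # Rules to configure and make the package.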
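Review bot: `WGET_URL` is now assigned twice in a row in the first hunk; the retained `WGET_URL="$WEB_SITE/files/$TARBALL"` is dead and, with the new WEB_SITE, expands to a GitHub path with a doubled slash, so it should be deleted rather than overridden. `TARBALL` is still `$PACKAGE-$VERSION.tar.gz`, while the sed in `current_version` turns `_` into `.` and the miniupnpc receipt builds its name as `${PACKAGE}_${VERSION/./_}`, which suggests the upstream tags use underscores; the archive URL here probably needs the same form, so please confirm the download actually resolves. Because the source moves from the project's release files to a forge-generated tag archive, it is also worth checking that the receipt pins a checksum for the tarball; none is visible in these hunks.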