wok rev 25896
busybox: add CVE-2025-46394 fix
author | Pascal Bellard <pascal.bellard@slitaz.org> |
---|---|
date | Sun Oct 12 06:53:24 2025 +0000 (5 days ago) |
parents | f95652388956 |
children | 60d01af0b3c9 |
files | busybox/receipt busybox/stuff/busybox-1.37-CVE-2025-46394.u busybox/stuff/busybox-1.37.config busybox/stuff/busybox-1.37.config-ssfs busybox/stuff/busybox-1.37.config-static dfbterm/receipt miniupnpc-dev/receipt miniupnpc/receipt miniupnpd/receipt |
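--- a/busybox/receipt
+++ b/busybox/receipt
@@ -56,6 +56,7 @@
 scriptreplay.u
 mkfs_vfat.u
 chown.u
+CVE-2025-46394.u
 EOT
 cp $stuff/$PACKAGE-${VERSION%.*}.config .config
 cp $stuff/$PACKAGE-${VERSION%.*}.config .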
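--- /dev/null
+++ b/busybox/stuff/busybox-1.37-CVE-2025-46394.u
@@ -0,0 +1,75 @@
+In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences.
+--- a/archival/libarchive/header_list.c
++++ b/archival/libarchive/header_list.c
+@@ -8,5 +8,6 @@
+ void FAST_FUNC header_list(const file_header_t *file_header)
+ {
+ //TODO: cpio -vp DIR should output "DIR/NAME", not just "NAME" */
+- puts(file_header->name);
++ bb_safe_dump_str(stdout, file_header->name);
++ bb_putchar('\n');
+ }
+--- a/archival/libarchive/header_verbose_list.c
++++ b/archival/libarchive/header_verbose_list.c
+@@ -29,7 +29,7 @@
+ /*sprintf(gid, "%u", (unsigned)file_header->gid);*/
+ group = utoa(file_header->gid);
+ }
+- printf("%s %s/%s %9"OFF_FMT"u %4u-%02u-%02u %02u:%02u:%02u %s",
++ printf("%s %s/%s %9"OFF_FMT"u %4u-%02u-%02u %02u:%02u:%02u",
+ bb_mode_string(modestr, file_header->mode),
+ user,
+ group,
+@@ -39,14 +39,13 @@
+ ptm->tm_mday,
+ ptm->tm_hour,
+ ptm->tm_min,
+- ptm->tm_sec,
+- file_header->name);
++ ptm->tm_sec);
+
+#else /* !FEATURE_TAR_UNAME_GNAME */
+
+ localtime_r(&file_header->mtime, ptm);
+
+- printf("%s %u/%u %9"OFF_FMT"u %4u-%02u-%02u %02u:%02u:%02u %s",
++ printf("%s %u/%u %9"OFF_FMT"u %4u-%02u-%02u %02u:%02u:%02u",
+ bb_mode_string(modestr, file_header->mode),
+ (unsigned)file_header->uid,
+ (unsigned)file_header->gid,
+@@ -56,14 +55,15 @@
+ ptm->tm_mday,
+ ptm->tm_hour,
+ ptm->tm_min,
+- ptm->tm_sec,
+- file_header->name);
++ ptm->tm_sec);
+
+#endif /* FEATURE_TAR_UNAME_GNAME */
+
++ bb_safe_dump_str(stdout, file_header->name);
+ /* NB: GNU tar shows "->" for symlinks and "link to" for hardlinks */
+ if (file_header->link_target) {
+- printf(" -> %s", file_header->link_target);
++ printf(" -> ");
++ bb_safe_dump_str(stdout, file_header->link_target);
+ }
+ bb_putchar('\n');
+ }
+--- a/include/libbb.h
++++ b/include/libbb.h
+@@ -2524,6 +2524,14 @@
+ #define isgraph_asciionly(a) ((unsigned)((a) - 0x21) <= 0x7e - 0x21)
+ #define isprint_asciionly(a) ((unsigned)((a) - 0x20) <= 0x7e - 0x20)
+
++/* Print msg to a file-descriptor, replacing any unprintable and terminal escape bytes with '?' if fd is a TTY */
++static ALWAYS_INLINE void bb_safe_dump_str(FILE* fd, const char* msg) {
++ int fdno = fileno(fd);
++ if (isatty(fdno)) {
++ msg = printable_string(msg);
++ }
++ fprintf(fd, "%s", msg);
++}
+
+ /* Simple unit-testing framework */
+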
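Review bot: As rendered here, both rewritten `printf` format strings in header_verbose_list.c end at `%02u:%02u:%02u` with no trailing space, so the verbose listing would print the member name directly after the seconds field; ending each format with a space, `printf("%s %s/%s %9"OFF_FMT"u %4u-%02u-%02u %02u:%02u:%02u ",` (and the `%u/%u` variant in the `#else` branch), would keep the old column layout. Separately, `bb_safe_dump_str` in libbb.h calls `printable_string` only when `isatty(fdno)` is true, so a listing that is piped or redirected keeps the raw bytes and is still unsanitized if it is later shown on a terminal. The helper's comment could state that limit, e.g. `/* NOTE: output to a pipe or file is left raw; sanitize again before displaying it */`. Only names printed by header_list and header_verbose_list are covered; whether other messages print member names cannot be seen from this patch.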
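--- a/busybox/stuff/busybox-1.37.config
+++ b/busybox/stuff/busybox-1.37.config
@@ -620,7 +620,7 @@
 # CONFIG_FEATURE_FBVNC_AUTH is not set
 CONFIG_FDFORMAT=y
 CONFIG_FDISK=y
-# CONFIG_FDISK_SUPPORT_LARGE_DISKS is not set
+CONFIG_FDISK_SUPPORT_LARGE_DISKS=y
 CONFIG_FEATURE_FDISK_WRITABLE=y
 # CONFIG_FEATURE_AIX_LABEL is not set
 # CONFIG_FEATURE_SGI_LABEL is not set
@@ -981,7 +981,7 @@
 CONFIG_FEATURE_TELNET_WIDTH=y
 # CONFIG_TELNETD is not set
 # CONFIG_FEATURE_TELNETD_STANDALONE is not set
-CONFIG_FEATURE_TELNETD_PORT_DEFAULT=0
+CONFIG_FEATURE_TELNETD_PORT_DEFAULT=23
 # CONFIG_FEATURE_TELNETD_INETD_WAIT is not set
 CONFIG_TFTP=y
 CONFIG_FEATURE_TFTP_PROGRESS_BAR=y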
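--- a/busybox/stuff/busybox-1.37.config-ssfs
+++ b/busybox/stuff/busybox-1.37.config-ssfs
@@ -972,7 +972,7 @@
 # CONFIG_FEATURE_TELNET_WIDTH is not set
 # CONFIG_TELNETD is not set
 # CONFIG_FEATURE_TELNETD_STANDALONE is not set
-CONFIG_FEATURE_TELNETD_PORT_DEFAULT=0
+CONFIG_FEATURE_TELNETD_PORT_DEFAULT=23
 # CONFIG_FEATURE_TELNETD_INETD_WAIT is not set
 # CONFIG_TFTP is not set
 # CONFIG_FEATURE_TFTP_PROGRESS_BAR is not set
@@ -1136,7 +1136,7 @@
 CONFIG_ASH_OPTIMIZE_FOR_SIZE=y
 # CONFIG_ASH_INTERNAL_GLOB is not set
 CONFIG_ASH_BASH_COMPAT=y
-# CONFIG_ASH_BASH_SOURCE_CURDIR is not set
+CONFIG_ASH_BASH_SOURCE_CURDIR=y
 CONFIG_ASH_BASH_NOT_FOUND_HOOK=y
 CONFIG_ASH_JOB_CONTROL=y
 CONFIG_ASH_ALIAS=y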
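Review bot: `CONFIG_ASH_BASH_SOURCE_CURDIR=y` is a shell behaviour change that the commit title does not mention: as I read the BusyBox option, it makes `.` and `source` fall back to the current directory after $PATH, which its own help text describes as non-standard. The same switch is flipped in busybox-1.37.config-static. If it came from regenerating the config rather than from a decision, keeping `# CONFIG_ASH_BASH_SOURCE_CURDIR is not set` avoids scripts picking up a same-named file from whatever directory they run in; if it is intended, it deserves its own commit and a line in the description. The `CONFIG_FEATURE_TELNETD_PORT_DEFAULT=23` change looks inert here because `CONFIG_TELNETD` is not set.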
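--- a/busybox/stuff/busybox-1.37.config-static
+++ b/busybox/stuff/busybox-1.37.config-static
@@ -233,7 +233,7 @@
 # CONFIG_FEATURE_CP_LONG_OPTIONS is not set
 # CONFIG_FEATURE_CP_REFLINK is not set
 CONFIG_CUT=y
-CONFIG_FEATURE_CUT_REGEX=y
+# CONFIG_FEATURE_CUT_REGEX is not set
 # CONFIG_DATE is not set
 # CONFIG_FEATURE_DATE_ISOFMT is not set
 # CONFIG_FEATURE_DATE_NANO is not set
@@ -980,7 +980,7 @@
 # CONFIG_FEATURE_TELNET_WIDTH is not set
 # CONFIG_TELNETD is not set
 # CONFIG_FEATURE_TELNETD_STANDALONE is not set
-CONFIG_FEATURE_TELNETD_PORT_DEFAULT=0
+CONFIG_FEATURE_TELNETD_PORT_DEFAULT=23
 # CONFIG_FEATURE_TELNETD_INETD_WAIT is not set
 # CONFIG_TFTP is not set
 # CONFIG_FEATURE_TFTP_PROGRESS_BAR is not set
@@ -1144,7 +1144,7 @@
 CONFIG_ASH_OPTIMIZE_FOR_SIZE=y
 CONFIG_ASH_INTERNAL_GLOB=y
 CONFIG_ASH_BASH_COMPAT=y
-# CONFIG_ASH_BASH_SOURCE_CURDIR is not set
+CONFIG_ASH_BASH_SOURCE_CURDIR=y
 # CONFIG_ASH_BASH_NOT_FOUND_HOOK is not set
 # CONFIG_ASH_JOB_CONTROL is not set
 # CONFIG_ASH_ALIAS is not set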
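--- a/dfbterm/receipt
+++ b/dfbterm/receipt
@@ -8,7 +8,7 @@
 LICENSE="GPL2"
 SOURCE="DFBTerm"
 TARBALL="${SOURCE}-${VERSION}.tar.gz"
-WEB_SITE="https://www.directfb.org/index.php?path=Projects/DFBTerm"
+WEB_SITE="https://web.archive.org/web/20150321033018/https://www.directfb.org/index.php?path=Projects/DFBTerm"
 WGET_URL="https://distro.ibiblio.org/slitaz/sources/packages/${TARBALL:0:1}/$TARBALL"
 HOST_ARCH="i486 arm"
 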
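--- a/miniupnpc-dev/receipt
+++ b/miniupnpc-dev/receipt
@@ -6,7 +6,7 @@
 SHORT_DESC="UPnP Internet Gateway Device (IGD) specifications client development files."
 MAINTAINER="pascal.bellard@slitaz.org"
 LICENSE="BSD"
-WEB_SITE="http://miniupnp.tuxfamily.org/"
+WEB_SITE="https://github.com/miniupnp/miniupnp/"
 WANTED="miniupnpc"
 
 DEPENDS="miniupnpc pkg-config"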
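--- a/miniupnpc/receipt
+++ b/miniupnpc/receipt
@@ -7,7 +7,7 @@
 MAINTAINER="pascal.bellard@slitaz.org"
 LICENSE="BSD"
 TARBALL="${PACKAGE}_${VERSION/./_}.tar.gz"
-WEB_SITE="https://miniupnp.tuxfamily.org/"
+WEB_SITE="https://github.com/miniupnp/miniupnp/"
 WGET_URL="https://github.com/miniupnp/miniupnp/archive/$TARBALL"
 TAGS="upnp"
 
@@ -18,7 +18,7 @@
 current_version()
 {
 wget -O - ${WGET_URL%/arch*}/tags 2>/dev/null | \
- sed '/tag\//!d;s|.*tag/[a-z_]*||;s|".*||;s|_|.|g;q'
+ sed '/tag\//!d;/miniupnpc/!d;s|.*tag/[a-z_]*||;s|".*||;s|_|.|g;q'
 }
 
 # Rules to configure and make the package.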
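--- a/miniupnpd/receipt
+++ b/miniupnpd/receipt
@@ -6,10 +6,11 @@
 SHORT_DESC="UPnP Internet Gateway Device (IGD) specifications server."
 MAINTAINER="pascal.bellard@slitaz.org"
 LICENSE="BSD"
-WEB_SITE="https://miniupnp.tuxfamily.org/"
+WEB_SITE="https://github.com/miniupnp/miniupnp/"
 
 TARBALL="$PACKAGE-$VERSION.tar.gz"
 WGET_URL="$WEB_SITE/files/$TARBALL"
+WGET_URL="https://github.com/miniupnp/miniupnp/archive/$TARBALL"
 TAGS="upnp"
 
 DEPENDS="iptables libssl"
@@ -18,8 +19,8 @@
 # What is the latest version available today?
 current_version()
 {
- wget -O - ${WGET_URL%/*} 2>/dev/null | \
- sed '/miniupnpd-/!d;s|.*pnpd-||;s|.tar.*||;q'
+ wget -O - ${WGET_URL%/arch*}/tags 2>/dev/null | \
+ sed '/tag\//!d;/miniupnpd/!d;s|.*tag/[a-z_]*||;s|".*||;s|_|.|g;q'
 }
 
 # Rules to configure and make the package.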
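Review bot: The old `WGET_URL="$WEB_SITE/files/$TARBALL"` line is left in place and is immediately overwritten by the added `WGET_URL="https://github.com/miniupnp/miniupnp/archive/$TARBALL"`, so it is dead and no longer matches the new WEB_SITE; it should be deleted. TARBALL stays `$PACKAGE-$VERSION.tar.gz` while the new `current_version` sed rewrites `_` to `.` in tag names and miniupnpc/receipt uses `${PACKAGE}_${VERSION/./_}.tar.gz` against the same archive URL, which suggests the archive name here may not resolve; a test fetch would confirm. No checksum for the downloaded tarball is visible in these hunks; if the receipt format supports one, pinning it would be prudent now that the source host has changed.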