busybox: apply patch for CVE-2023-39810

Backport patch referencing this CVE. Note that the hardening is not activated by default, it adds defconfig option to enable it. Since it introduces a breaking change, it shouldn't be enabled in LTS release by default. This patch makes busybox cpio equivalent in this release to what is currently in master and in kirkstone. Also note that gnu cpio also does not have this hardening, but the CVE is created only against busybox. (From OE-Core rev: 3f2b235526d135094408e3895c01bff7b5b938fb) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Peter Marko <peter.marko@siemens.com> 2025-07-12 18:08:27 +0200
committer: Steve Sakoman <steve@sakoman.com> 2025-07-21 09:07:21 -0700
commit: ef6f8d5f462eea3921baad31982e8fa3fac56286 (patch)
tree: a4d5234ebc9be63e0c9dd7b4c7339de5bba102df /meta/recipes-core
parent: ae35f06bb16d4fb9d2cb99451bed0e7bda645476 (diff)
download: poky-ef6f8d5f462eea3921baad31982e8fa3fac56286.tar.gz
2 files changed, 137 insertions, 0 deletions
diff --git a/meta/recipes-core/busybox/busybox/CVE-2023-39810.patch b/meta/recipes-core/busybox/busybox/CVE-2023-39810.patch
new file mode 100644
index 0000000000..821ab3508f
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2023-39810.patch
@@ -0,0 +1,136 @@
+From 9a8796436b9b0641e13480811902ea2ac57881d3 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Wed, 2 Oct 2024 10:12:05 +0200
+Subject: [PATCH] archival: disallow path traversals (CVE-2023-39810)
+Create new configure option for archival/libarchive based extractions to
+disallow path traversals.
+As this is a paranoid option and might introduce backward
+incompatibility, default it to no.
+Fixes: CVE-2023-39810
+Based on the patch by Peter Kaestle <peter.kaestle@nokia.com>
+function                                             old     new   delta
+data_extract_all                                     921     945     +24
+strip_unsafe_prefix                                  101     102      +1
+------------------------------------------------------------------------------
+(add/remove: 0/0 grow/shrink: 2/0 up/down: 25/0)               Total: 25 bytes
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+CVE: CVE-2023-39810
+Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=9a8796436b9b0641e13480811902ea2ac57881d3]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ archival/Config.src                        | 11 +++++++++++
+ archival/libarchive/data_extract_all.c     |  8 ++++++++
+ archival/libarchive/unsafe_prefix.c        |  6 +++++-
+ scripts/kconfig/lxdialog/check-lxdialog.sh |  2 +-
+ testsuite/cpio.tests                       | 23 ++++++++++++++++++++++
+ 5 files changed, 48 insertions(+), 2 deletions(-)
+diff --git a/archival/Config.src b/archival/Config.src
+index 6f4f30c43..cbcd7217c 100644
+--- a/archival/Config.src
+++ b/archival/Config.src
+@@ -35,4 +35,15 @@ config FEATURE_LZMA_FAST
+        This option reduces decompression time by about 25% at the cost of
+        a 1K bigger binary.
+ 
+config FEATURE_PATH_TRAVERSAL_PROTECTION
+       bool "Prevent extraction of filenames with /../ path component"
+       default n
+       help
+       busybox tar and unzip remove "PREFIX/../" (if it exists)
+       from extracted names.
+       This option enables this behavior for all other unpacking applets,
+       such as cpio, ar, rpm.
+       GNU cpio 2.15 has NO such sanity check.
+# try other archivers and document their behavior?
+
+ endmenu
+diff --git a/archival/libarchive/data_extract_all.c b/archival/libarchive/data_extract_all.c
+index 049c2c156..8a69711c1 100644
+--- a/archival/libarchive/data_extract_all.c
+++ b/archival/libarchive/data_extract_all.c
+@@ -65,6 +65,14 @@ void FAST_FUNC data_extract_all(archive_handle_t *archive_handle)
+                } while (--n != 0);
+        }
+ #endif
+#if ENABLE_FEATURE_PATH_TRAVERSAL_PROTECTION
+       /* Strip leading "/" and up to last "/../" path component */
+       dst_name = (char *)strip_unsafe_prefix(dst_name);
+#endif
+// ^^^ This may be a problem if some applets do need to extract absolute names.
+// (Probably will need to invent ARCHIVE_ALLOW_UNSAFE_NAME flag).
+// You might think that rpm needs it, but in my tests rpm's internal cpio
+// archive has names like "./usr/bin/FOO", not "/usr/bin/FOO".
+ 
+        if (archive_handle->ah_flags & ARCHIVE_CREATE_LEADING_DIRS) {
+                char *slash = strrchr(dst_name, '/');
+diff --git a/archival/libarchive/unsafe_prefix.c b/archival/libarchive/unsafe_prefix.c
+index 33e487bf9..667081195 100644
+--- a/archival/libarchive/unsafe_prefix.c
+++ b/archival/libarchive/unsafe_prefix.c
+@@ -14,7 +14,11 @@ const char* FAST_FUNC strip_unsafe_prefix(const char *str)
+                        cp++;
+                        continue;
+                }
+-               if (is_prefixed_with(cp, "/../"+1)) {
+               /* We are called lots of times.
+                * is_prefixed_with(cp, "../") is slower than open-coding it,
+                * with minimal code growth (~few bytes).
+                */
+               if (cp[0] == '.' && cp[1] == '.' && cp[2] == '/') {
+                        cp += 3;
+                        continue;
+                }
+diff --git a/scripts/kconfig/lxdialog/check-lxdialog.sh b/scripts/kconfig/lxdialog/check-lxdialog.sh
+index 5075ebf2d..910ca1f7c 100755
+--- a/scripts/kconfig/lxdialog/check-lxdialog.sh
+++ b/scripts/kconfig/lxdialog/check-lxdialog.sh
+@@ -55,7 +55,7 @@ trap "rm -f $tmp" 0 1 2 3 15
+ check() {
+         $cc -x c - -o $tmp 2>/dev/null <<'EOF'
+ #include CURSES_LOC
+-main() {}
+int main() { return 0; }
+ EOF
+        if [ $? != 0 ]; then
+            echo " *** Unable to find the ncurses libraries or the"       1>&2
+diff --git a/testsuite/cpio.tests b/testsuite/cpio.tests
+index 85e746589..a4462c53e 100755
+--- a/testsuite/cpio.tests
+++ b/testsuite/cpio.tests
+@@ -154,6 +154,29 @@ testing "cpio -R with extract" \
+ " "" ""
+ SKIP=
+ 
+# Create an archive containing a file with "../dont_write" filename.
+# See that it will not be allowed to unpack.
+# NB: GNU cpio 2.15 DOES NOT do such checks.
+optional FEATURE_PATH_TRAVERSAL_PROTECTION
+rm -rf cpio.testdir
+mkdir -p cpio.testdir/prepare/inner
+echo "file outside of destination was written" > cpio.testdir/prepare/dont_write
+echo "data" > cpio.testdir/prepare/inner/to_extract
+mkdir -p cpio.testdir/extract
+testing "cpio extract file outside of destination" "\
+(cd cpio.testdir/prepare/inner && echo -e '../dont_write\nto_extract' | cpio -o -H newc) | (cd cpio.testdir/extract && cpio -vi 2>&1)
+echo \$?
+ls cpio.testdir/dont_write 2>&1" \
+"\
+cpio: removing leading '../' from member names
+../dont_write
+to_extract
+1 blocks
+0
+ls: cpio.testdir/dont_write: No such file or directory
+" "" ""
+SKIP=
+
+ # Clean up
+ rm -rf cpio.testdir cpio.testdir2 2>/dev/null
+ 
diff --git a/meta/recipes-core/busybox/busybox_1.36.1.bb b/meta/recipes-core/busybox/busybox_1.36.1.bb
index 69e9555766..069544cc8a 100644
--- a/meta/recipes-core/busybox/busybox_1.36.1.bb
+++ b/meta/recipes-core/busybox/busybox_1.36.1.bb
@@ -58,6 +58,7 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
           file://0001-awk.c-fix-CVE-2023-42366-bug-15874.patch \
           file://0001-cut-Fix-s-flag-to-omit-blank-lines.patch \
           file://CVE-2022-48174.patch \
+           file://CVE-2023-39810.patch \
           "
 SRC_URI:append:libc-musl = " file://musl.cfg "
 # TODO http://lists.busybox.net/pipermail/busybox/2023-January/090078.html
author	Peter Marko <peter.marko@siemens.com>	2025-07-12 18:08:27 +0200
committer	Steve Sakoman <steve@sakoman.com>	2025-07-21 09:07:21 -0700
commit	ef6f8d5f462eea3921baad31982e8fa3fac56286 (patch)
tree	a4d5234ebc9be63e0c9dd7b4c7339de5bba102df /meta/recipes-core
parent	ae35f06bb16d4fb9d2cb99451bed0e7bda645476 (diff)
download	poky-ef6f8d5f462eea3921baad31982e8fa3fac56286.tar.gz

diff --git a/meta/recipes-core/busybox/busybox/CVE-2023-39810.patch b/meta/recipes-core/busybox/busybox/CVE-2023-39810.patch new file mode 100644 index 0000000000..821ab3508f --- /dev/null +++ b/meta/recipes-core/busybox/busybox/CVE-2023-39810.patch
@@ -0,0 +1,136 @@
		1	From 9a8796436b9b0641e13480811902ea2ac57881d3 Mon Sep 17 00:00:00 2001
		2	From: Denys Vlasenko <vda.linux@googlemail.com>
		3	Date: Wed, 2 Oct 2024 10:12:05 +0200
		4	Subject: [PATCH] archival: disallow path traversals (CVE-2023-39810)
		5
		6	Create new configure option for archival/libarchive based extractions to
		7	disallow path traversals.
		8	As this is a paranoid option and might introduce backward
		9	incompatibility, default it to no.
		10
		11	Fixes: CVE-2023-39810
		12
		13	Based on the patch by Peter Kaestle <peter.kaestle@nokia.com>
		14
		15	function old new delta
		16	data_extract_all 921 945 +24
		17	strip_unsafe_prefix 101 102 +1
		18	------------------------------------------------------------------------------
		19	(add/remove: 0/0 grow/shrink: 2/0 up/down: 25/0) Total: 25 bytes
		20
		21	Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
		22
		23	CVE: CVE-2023-39810
		24	Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=9a8796436b9b0641e13480811902ea2ac57881d3]
		25	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		26	---
		27	archival/Config.src \| 11 +++++++++++
		28	archival/libarchive/data_extract_all.c \| 8 ++++++++
		29	archival/libarchive/unsafe_prefix.c \| 6 +++++-
		30	scripts/kconfig/lxdialog/check-lxdialog.sh \| 2 +-
		31	testsuite/cpio.tests \| 23 ++++++++++++++++++++++
		32	5 files changed, 48 insertions(+), 2 deletions(-)
		33
		34	diff --git a/archival/Config.src b/archival/Config.src
		35	index 6f4f30c43..cbcd7217c 100644
		36	--- a/archival/Config.src
		37	+++ b/archival/Config.src
		38	@@ -35,4 +35,15 @@ config FEATURE_LZMA_FAST
		39	This option reduces decompression time by about 25% at the cost of
		40	a 1K bigger binary.
		41
		42	+config FEATURE_PATH_TRAVERSAL_PROTECTION
		43	+ bool "Prevent extraction of filenames with /../ path component"
		44	+ default n
		45	+ help
		46	+ busybox tar and unzip remove "PREFIX/../" (if it exists)
		47	+ from extracted names.
		48	+ This option enables this behavior for all other unpacking applets,
		49	+ such as cpio, ar, rpm.
		50	+ GNU cpio 2.15 has NO such sanity check.
		51	+# try other archivers and document their behavior?
		52	+
		53	endmenu
		54	diff --git a/archival/libarchive/data_extract_all.c b/archival/libarchive/data_extract_all.c
		55	index 049c2c156..8a69711c1 100644
		56	--- a/archival/libarchive/data_extract_all.c
		57	+++ b/archival/libarchive/data_extract_all.c
		58	@@ -65,6 +65,14 @@ void FAST_FUNC data_extract_all(archive_handle_t *archive_handle)
		59	} while (--n != 0);
		60	}
		61	#endif
		62	+#if ENABLE_FEATURE_PATH_TRAVERSAL_PROTECTION
		63	+ /* Strip leading "/" and up to last "/../" path component */
		64	+ dst_name = (char *)strip_unsafe_prefix(dst_name);
		65	+#endif
		66	+// ^^^ This may be a problem if some applets do need to extract absolute names.
		67	+// (Probably will need to invent ARCHIVE_ALLOW_UNSAFE_NAME flag).
		68	+// You might think that rpm needs it, but in my tests rpm's internal cpio
		69	+// archive has names like "./usr/bin/FOO", not "/usr/bin/FOO".
		70
		71	if (archive_handle->ah_flags & ARCHIVE_CREATE_LEADING_DIRS) {
		72	char *slash = strrchr(dst_name, '/');
		73	diff --git a/archival/libarchive/unsafe_prefix.c b/archival/libarchive/unsafe_prefix.c
		74	index 33e487bf9..667081195 100644
		75	--- a/archival/libarchive/unsafe_prefix.c
		76	+++ b/archival/libarchive/unsafe_prefix.c
		77	@@ -14,7 +14,11 @@ const char* FAST_FUNC strip_unsafe_prefix(const char *str)
		78	cp++;
		79	continue;
		80	}
		81	- if (is_prefixed_with(cp, "/../"+1)) {
		82	+ /* We are called lots of times.
		83	+ * is_prefixed_with(cp, "../") is slower than open-coding it,
		84	+ * with minimal code growth (~few bytes).
		85	+ */
		86	+ if (cp[0] == '.' && cp[1] == '.' && cp[2] == '/') {
		87	cp += 3;
		88	continue;
		89	}
		90	diff --git a/scripts/kconfig/lxdialog/check-lxdialog.sh b/scripts/kconfig/lxdialog/check-lxdialog.sh
		91	index 5075ebf2d..910ca1f7c 100755
		92	--- a/scripts/kconfig/lxdialog/check-lxdialog.sh
		93	+++ b/scripts/kconfig/lxdialog/check-lxdialog.sh
		94	@@ -55,7 +55,7 @@ trap "rm -f $tmp" 0 1 2 3 15
		95	check() {
		96	$cc -x c - -o $tmp 2>/dev/null <<'EOF'
		97	#include CURSES_LOC
		98	-main() {}
		99	+int main() { return 0; }
		100	EOF
		101	if [ $? != 0 ]; then
		102	echo " *** Unable to find the ncurses libraries or the" 1>&2
		103	diff --git a/testsuite/cpio.tests b/testsuite/cpio.tests
		104	index 85e746589..a4462c53e 100755
		105	--- a/testsuite/cpio.tests
		106	+++ b/testsuite/cpio.tests
		107	@@ -154,6 +154,29 @@ testing "cpio -R with extract" \
		108	" "" ""
		109	SKIP=
		110
		111	+# Create an archive containing a file with "../dont_write" filename.
		112	+# See that it will not be allowed to unpack.
		113	+# NB: GNU cpio 2.15 DOES NOT do such checks.
		114	+optional FEATURE_PATH_TRAVERSAL_PROTECTION
		115	+rm -rf cpio.testdir
		116	+mkdir -p cpio.testdir/prepare/inner
		117	+echo "file outside of destination was written" > cpio.testdir/prepare/dont_write
		118	+echo "data" > cpio.testdir/prepare/inner/to_extract
		119	+mkdir -p cpio.testdir/extract
		120	+testing "cpio extract file outside of destination" "\
		121	+(cd cpio.testdir/prepare/inner && echo -e '../dont_write\nto_extract' \| cpio -o -H newc) \| (cd cpio.testdir/extract && cpio -vi 2>&1)
		122	+echo \$?
		123	+ls cpio.testdir/dont_write 2>&1" \
		124	+"\
		125	+cpio: removing leading '../' from member names
		126	+../dont_write
		127	+to_extract
		128	+1 blocks
		129	+0
		130	+ls: cpio.testdir/dont_write: No such file or directory
		131	+" "" ""
		132	+SKIP=
		133	+
		134	# Clean up
		135	rm -rf cpio.testdir cpio.testdir2 2>/dev/null
		136


diff --git a/meta/recipes-core/busybox/busybox_1.36.1.bb b/meta/recipes-core/busybox/busybox_1.36.1.bb index 69e9555766..069544cc8a 100644 --- a/meta/recipes-core/busybox/busybox_1.36.1.bb +++ b/meta/recipes-core/busybox/busybox_1.36.1.bb
@@ -58,6 +58,7 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
58	file://0001-awk.c-fix-CVE-2023-42366-bug-15874.patch \	58	file://0001-awk.c-fix-CVE-2023-42366-bug-15874.patch \
59	file://0001-cut-Fix-s-flag-to-omit-blank-lines.patch \	59	file://0001-cut-Fix-s-flag-to-omit-blank-lines.patch \
60	file://CVE-2022-48174.patch \	60	file://CVE-2022-48174.patch \
		61	file://CVE-2023-39810.patch \
61	"	62	"
62	SRC_URI:append:libc-musl = " file://musl.cfg "	63	SRC_URI:append:libc-musl = " file://musl.cfg "
63	# TODO http://lists.busybox.net/pipermail/busybox/2023-January/090078.html	64	# TODO http://lists.busybox.net/pipermail/busybox/2023-January/090078.html