3 files changed, 91 insertions, 0 deletions
diff --git a/meta/recipes-core/busybox/busybox/CVE-2025-46394-01.patch b/meta/recipes-core/busybox/busybox/CVE-2025-46394-01.patch
new file mode 100644
index 0000000000..c95cba3c33
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2025-46394-01.patch
@@ -0,0 +1,57 @@
+From f5e1bf966b19ea1821f00a8c9ecd7774598689b4 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Wed, 24 Sep 2025 03:28:47 +0200
+Subject: [PATCH] archival/libarchive: sanitize filenames on output (prevent
+ control sequence attacks
+This fixes CVE-2025-46394 (terminal escape sequence injection)
+Original credit: Ian.Norton at entrust.com
+function                                             old     new   delta
+header_list                                            9      15      +6
+header_verbose_list                                  239     244      +5
+------------------------------------------------------------------------------
+(add/remove: 0/0 grow/shrink: 2/0 up/down: 11/0)               Total: 11 bytes
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+CVE: CVE-2025-46394
+Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=f5e1bf966b19ea1821f00a8c9ecd7774598689b4]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ archival/libarchive/header_list.c         | 2 +-
+ archival/libarchive/header_verbose_list.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+diff --git a/archival/libarchive/header_list.c b/archival/libarchive/header_list.c
+index 0621aa406..9490b3635 100644
+--- a/archival/libarchive/header_list.c
+++ b/archival/libarchive/header_list.c
+@@ -8,5 +8,5 @@
+ void FAST_FUNC header_list(const file_header_t *file_header)
+ {
+ //TODO: cpio -vp DIR should output "DIR/NAME", not just "NAME" */
+-       puts(file_header->name);
+       puts(printable_string(file_header->name));
+ }
+diff --git a/archival/libarchive/header_verbose_list.c b/archival/libarchive/header_verbose_list.c
+index a575a08a0..e7a09430d 100644
+--- a/archival/libarchive/header_verbose_list.c
+++ b/archival/libarchive/header_verbose_list.c
+@@ -57,13 +57,13 @@ void FAST_FUNC header_verbose_list(const file_header_t *file_header)
+                ptm->tm_hour,
+                ptm->tm_min,
+                ptm->tm_sec,
+-               file_header->name);
+               printable_string(file_header->name));
+ 
+ #endif /* FEATURE_TAR_UNAME_GNAME */
+ 
+        /* NB: GNU tar shows "->" for symlinks and "link to" for hardlinks */
+        if (file_header->link_target) {
+-               printf(" -> %s", file_header->link_target);
+               printf(" -> %s", printable_string(file_header->link_target));
+        }
+        bb_putchar('\n');
+ }
diff --git a/meta/recipes-core/busybox/busybox/CVE-2025-46394-02.patch b/meta/recipes-core/busybox/busybox/CVE-2025-46394-02.patch
new file mode 100644
index 0000000000..ec17b9285a
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2025-46394-02.patch
@@ -0,0 +1,32 @@
+From 7378db981d87b4a2264e14d60340a7fb5c67ae59 Mon Sep 17 00:00:00 2001
+From: Peter Marko <peter.marko@siemens.com>
+Date: Fri, 3 Oct 2025 16:12:56 +0200
+Subject: [PATCH] testsuite/tar.tests: fix test after CVE-2025-46394
+tar now sanitizes output and this test needs to expect that.
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+CVE: CVE-2025-46394
+Upstream-Status: Submitted [https://lists.busybox.net/pipermail/busybox/2025-October/091743.html]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ testsuite/tar.tests | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+diff --git a/testsuite/tar.tests b/testsuite/tar.tests
+index 0f2e89112..48fc38114 100755
+--- a/testsuite/tar.tests
+++ b/testsuite/tar.tests
+@@ -325,9 +325,9 @@ unset LANG
+ rm -rf etc usr
+ ' "\
+ etc/ssl/certs/3b2716e5.0
+-etc/ssl/certs/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.pem
+etc/ssl/certs/EBG_Elektronik_Sertifika_Hizmet_Sa??lay??c??s??.pem
+ etc/ssl/certs/f80cc7f6.0
+-usr/share/ca-certificates/mozilla/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.crt
+usr/share/ca-certificates/mozilla/EBG_Elektronik_Sertifika_Hizmet_Sa??lay??c??s??.crt
+ 0
+ etc/ssl/certs/3b2716e5.0 -> EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.pem
+ etc/ssl/certs/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.pem -> /usr/share/ca-certificates/mozilla/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.crt
diff --git a/meta/recipes-core/busybox/busybox_1.37.0.bb b/meta/recipes-core/busybox/busybox_1.37.0.bb
index bec25348b8..9e6a7b7b4c 100644
--- a/meta/recipes-core/busybox/busybox_1.37.0.bb
+++ b/meta/recipes-core/busybox/busybox_1.37.0.bb
@@ -56,6 +56,8 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
           file://0001-archival-disallow-path-traversals-CVE-2023-39810.patch \
           file://0001-hwclock-Check-for-SYS_settimeofday-before-calling-sy.patch \
           file://0001-busybox-Add-awk-gsub-erroneous-word-start-match-test.patch \
+           file://CVE-2025-46394-01.patch \
+           file://CVE-2025-46394-02.patch \
           "
 SRC_URI:append:libc-musl = " file://musl.cfg"
 SRC_URI:append:x86-64 = " file://sha_accel.cfg"

diff --git a/meta/recipes-core/busybox/busybox/CVE-2025-46394-01.patch b/meta/recipes-core/busybox/busybox/CVE-2025-46394-01.patch new file mode 100644 index 0000000000..c95cba3c33 --- /dev/null +++ b/meta/recipes-core/busybox/busybox/CVE-2025-46394-01.patch
@@ -0,0 +1,57 @@
		1	From f5e1bf966b19ea1821f00a8c9ecd7774598689b4 Mon Sep 17 00:00:00 2001
		2	From: Denys Vlasenko <vda.linux@googlemail.com>
		3	Date: Wed, 24 Sep 2025 03:28:47 +0200
		4	Subject: [PATCH] archival/libarchive: sanitize filenames on output (prevent
		5	control sequence attacks
		6
		7	This fixes CVE-2025-46394 (terminal escape sequence injection)
		8
		9	Original credit: Ian.Norton at entrust.com
		10
		11	function old new delta
		12	header_list 9 15 +6
		13	header_verbose_list 239 244 +5
		14	------------------------------------------------------------------------------
		15	(add/remove: 0/0 grow/shrink: 2/0 up/down: 11/0) Total: 11 bytes
		16
		17	Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
		18
		19	CVE: CVE-2025-46394
		20	Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=f5e1bf966b19ea1821f00a8c9ecd7774598689b4]
		21	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		22	---
		23	archival/libarchive/header_list.c \| 2 +-
		24	archival/libarchive/header_verbose_list.c \| 4 ++--
		25	2 files changed, 3 insertions(+), 3 deletions(-)
		26
		27	diff --git a/archival/libarchive/header_list.c b/archival/libarchive/header_list.c
		28	index 0621aa406..9490b3635 100644
		29	--- a/archival/libarchive/header_list.c
		30	+++ b/archival/libarchive/header_list.c
		31	@@ -8,5 +8,5 @@
		32	void FAST_FUNC header_list(const file_header_t *file_header)
		33	{
		34	//TODO: cpio -vp DIR should output "DIR/NAME", not just "NAME" */
		35	- puts(file_header->name);
		36	+ puts(printable_string(file_header->name));
		37	}
		38	diff --git a/archival/libarchive/header_verbose_list.c b/archival/libarchive/header_verbose_list.c
		39	index a575a08a0..e7a09430d 100644
		40	--- a/archival/libarchive/header_verbose_list.c
		41	+++ b/archival/libarchive/header_verbose_list.c
		42	@@ -57,13 +57,13 @@ void FAST_FUNC header_verbose_list(const file_header_t *file_header)
		43	ptm->tm_hour,
		44	ptm->tm_min,
		45	ptm->tm_sec,
		46	- file_header->name);
		47	+ printable_string(file_header->name));
		48
		49	#endif /* FEATURE_TAR_UNAME_GNAME */
		50
		51	/* NB: GNU tar shows "->" for symlinks and "link to" for hardlinks */
		52	if (file_header->link_target) {
		53	- printf(" -> %s", file_header->link_target);
		54	+ printf(" -> %s", printable_string(file_header->link_target));
		55	}
		56	bb_putchar('\n');
		57	}


diff --git a/meta/recipes-core/busybox/busybox/CVE-2025-46394-02.patch b/meta/recipes-core/busybox/busybox/CVE-2025-46394-02.patch new file mode 100644 index 0000000000..ec17b9285a --- /dev/null +++ b/meta/recipes-core/busybox/busybox/CVE-2025-46394-02.patch
@@ -0,0 +1,32 @@
		1	From 7378db981d87b4a2264e14d60340a7fb5c67ae59 Mon Sep 17 00:00:00 2001
		2	From: Peter Marko <peter.marko@siemens.com>
		3	Date: Fri, 3 Oct 2025 16:12:56 +0200
		4	Subject: [PATCH] testsuite/tar.tests: fix test after CVE-2025-46394
		5
		6	tar now sanitizes output and this test needs to expect that.
		7
		8	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		9
		10	CVE: CVE-2025-46394
		11	Upstream-Status: Submitted [https://lists.busybox.net/pipermail/busybox/2025-October/091743.html]
		12	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		13	---
		14	testsuite/tar.tests \| 4 ++--
		15	1 file changed, 2 insertions(+), 2 deletions(-)
		16
		17	diff --git a/testsuite/tar.tests b/testsuite/tar.tests
		18	index 0f2e89112..48fc38114 100755
		19	--- a/testsuite/tar.tests
		20	+++ b/testsuite/tar.tests
		21	@@ -325,9 +325,9 @@ unset LANG
		22	rm -rf etc usr
		23	' "\
		24	etc/ssl/certs/3b2716e5.0
		25	-etc/ssl/certs/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.pem
		26	+etc/ssl/certs/EBG_Elektronik_Sertifika_Hizmet_Sa??lay??c??s??.pem
		27	etc/ssl/certs/f80cc7f6.0
		28	-usr/share/ca-certificates/mozilla/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.crt
		29	+usr/share/ca-certificates/mozilla/EBG_Elektronik_Sertifika_Hizmet_Sa??lay??c??s??.crt
		30	0
		31	etc/ssl/certs/3b2716e5.0 -> EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.pem
		32	etc/ssl/certs/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.pem -> /usr/share/ca-certificates/mozilla/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.crt


diff --git a/meta/recipes-core/busybox/busybox_1.37.0.bb b/meta/recipes-core/busybox/busybox_1.37.0.bb index bec25348b8..9e6a7b7b4c 100644 --- a/meta/recipes-core/busybox/busybox_1.37.0.bb +++ b/meta/recipes-core/busybox/busybox_1.37.0.bb
@@ -56,6 +56,8 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
56	file://0001-archival-disallow-path-traversals-CVE-2023-39810.patch \	56	file://0001-archival-disallow-path-traversals-CVE-2023-39810.patch \
57	file://0001-hwclock-Check-for-SYS_settimeofday-before-calling-sy.patch \	57	file://0001-hwclock-Check-for-SYS_settimeofday-before-calling-sy.patch \
58	file://0001-busybox-Add-awk-gsub-erroneous-word-start-match-test.patch \	58	file://0001-busybox-Add-awk-gsub-erroneous-word-start-match-test.patch \
		59	file://CVE-2025-46394-01.patch \
		60	file://CVE-2025-46394-02.patch \
59	"	61	"
60	SRC_URI:append:libc-musl = " file://musl.cfg"	62	SRC_URI:append:libc-musl = " file://musl.cfg"
61	SRC_URI:append:x86-64 = " file://sha_accel.cfg"	63	SRC_URI:append:x86-64 = " file://sha_accel.cfg"