From 74a6110dbf3351fd5d7dfe9d0c55306c0afa698f Mon Sep 17 00:00:00 2001
From: dongyuzhen
Date: Fri, 18 Jul 2025 16:08:41 +0800
Subject: [PATCH] fix CVE-2025-46394

(cherry picked from commit 1ca81f27278b48920de585edd5824d930cd7ecde)
---
 backport-CVE-2025-46394.patch | 104 ++++++++++++++++++++++++++++++++++
 busybox.spec | 9 ++-
 2 files changed, 112 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2025-46394.patch

diff --git a/backport-CVE-2025-46394.patch b/backport-CVE-2025-46394.patch
new file mode 100644
index 0000000..9873050
--- /dev/null
+++ b/backport-CVE-2025-46394.patch
@@ -0,0 +1,104 @@
+From 06aa62ef884a3073e68b67fb17d054e6a48ee016 Mon Sep 17 00:00:00 2001
+From: liuxu
+Date: Wed, 16 Jul 2025 17:55:27 +0800
+Subject: [PATCH] Prevent unprintable bytes including terminal escapes being
+ printed when listing tar file contents in a terminal as this can be used to
+ hide malicious archive content from users prior to unpacking a file.
+
+Fixes #16018
+
+Also added bb_safe_dump_str() to include/libbb.h
+
+Conflict:Yes
+Reference:https://lists.busybox.net/pipermail/busybox/2025-April/091461.html
+
+Signed-off-by: liuxu
+---
+ archival/libarchive/header_list.c | 3 ++-
+ archival/libarchive/header_verbose_list.c | 14 +++++++-------
+ include/libbb.h | 8 ++++++++
+ 3 files changed, 17 insertions(+), 8 deletions(-)
+
+diff --git a/archival/libarchive/header_list.c b/archival/libarchive/header_list.c
+index 0621aa4..9ee69aa 100644
+--- a/archival/libarchive/header_list.c
++++ b/archival/libarchive/header_list.c
+@@ -8,5 +8,6 @@
+ void FAST_FUNC header_list(const file_header_t *file_header)
+ {
+ //TODO: cpio -vp DIR should output "DIR/NAME", not just "NAME" */
+- puts(file_header->name);
++ bb_safe_dump_str(stdout, file_header->name);
++ bb_putchar('\n');
+ }
+diff --git a/archival/libarchive/header_verbose_list.c b/archival/libarchive/header_verbose_list.c
+index a575a08..956589a 100644
+--- a/archival/libarchive/header_verbose_list.c
++++ b/archival/libarchive/header_verbose_list.c
+@@ -29,7 +29,7 @@ void FAST_FUNC header_verbose_list(const file_header_t *file_header)
+ /*sprintf(gid, "%u", (unsigned)file_header->gid);*/
+ group = utoa(file_header->gid);
+ }
+- printf("%s %s/%s %9"OFF_FMT"u %4u-%02u-%02u %02u:%02u:%02u %s",
++ printf("%s %s/%s %9"OFF_FMT"u %4u-%02u-%02u %02u:%02u:%02u ",
+ bb_mode_string(modestr, file_header->mode),
+ user,
+ group,
+@@ -39,14 +39,13 @@ void FAST_FUNC header_verbose_list(const file_header_t *file_header)
+ ptm->tm_mday,
+ ptm->tm_hour,
+ ptm->tm_min,
+- ptm->tm_sec,
+- file_header->name);
++ ptm->tm_sec);
+
+ #else /* !FEATURE_TAR_UNAME_GNAME */
+
+ localtime_r(&file_header->mtime, ptm);
+
+- printf("%s %u/%u %9"OFF_FMT"u %4u-%02u-%02u %02u:%02u:%02u %s",
++ printf("%s %u/%u %9"OFF_FMT"u %4u-%02u-%02u %02u:%02u:%02u ",
+ bb_mode_string(modestr, file_header->mode),
+ (unsigned)file_header->uid,
+ (unsigned)file_header->gid,
+@@ -56,14 +55,15 @@ void FAST_FUNC header_verbose_list(const file_header_t *file_header)
+ ptm->tm_mday,
+ ptm->tm_hour,
+ ptm->tm_min,
+- ptm->tm_sec,
+- file_header->name);
++ ptm->tm_sec);
+
+ #endif /* FEATURE_TAR_UNAME_GNAME */
+
++ bb_safe_dump_str(stdout, file_header->name);
+ /* NB: GNU tar shows "->" for symlinks and "link to" for hardlinks */
+ if (file_header->link_target) {
+- printf(" -> %s", file_header->link_target);
++ printf(" -> ");
++ bb_safe_dump_str(stdout, file_header->link_target);
+ }
+ bb_putchar('\n');
+ }
+diff --git a/include/libbb.h b/include/libbb.h
+index cca33a1..378b189 100644
+--- a/include/libbb.h
++++ b/include/libbb.h
+@@ -2500,6 +2500,14 @@ static ALWAYS_INLINE unsigned char bb_ascii_tolower(unsigned char a)
+ #define isgraph_asciionly(a) ((unsigned)((a) - 0x21) <= 0x7e - 0x21)
+ #define isprint_asciionly(a) ((unsigned)((a) - 0x20) <= 0x7e - 0x20)
+
++/* Print msg to a file-descriptor, replacing any unprintable and terminal escape bytes with '?' if fd is a TTY */
++static ALWAYS_INLINE void bb_safe_dump_str(FILE* fd, const char* msg) {
++ int fdno = fileno(fd);
++ if (isatty(fdno)) {
++ msg = printable_string(msg);
++ }
++ fprintf(fd, "%s", msg);
++}
+
+ /* Simple unit-testing framework */
+
+--
+2.30.0
+
diff --git a/busybox.spec b/busybox.spec
index a8cff28..036492c 100644
--- a/busybox.spec
+++ b/busybox.spec
@@ -1,7 +1,7 @@
 Name: busybox
 Epoch: 1
 Version: 1.36.1
-Release: 10
+Release: 11
 Summary: The Swiss Army Knife of Embedded Linux
 License: GPL-2.0-only
 URL: https://www.busybox.net
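Review bot: `bb_safe_dump_str` in the include/libbb.h hunk routes `msg` through `printable_string()` only when `isatty(fileno(fd))` holds, so a listing redirected to a file or a pipe is emitted verbatim and still carries any embedded escape bytes when that output is later shown in a terminal; the TTY gate is a reasonable trade-off for byte-exact scripted output, but the header comment should state it, e.g. `/* Write msg to stream fp. If fp is a TTY, unprintable and terminal-escape bytes are replaced with '?' (printable_string()); otherwise msg is written unchanged. */`. The parameter is a `FILE *`, so naming it `fd` and describing it as a "file-descriptor" is misleading — `FILE *fp` with `int fdno = fileno(fp);` reads correctly. `fprintf(fd, "%s", msg);` can be the simpler `fputs(msg, fd);`, and the new `printf(" -> ");` in header_verbose_list.c likewise `fputs(" -> ", stdout);`. Both callers run once per archive entry, so if the added `isatty()` syscall per entry ever matters, the caller could evaluate it once and pass the result down.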
@@ -18,6 +18,7 @@ Patch6002: backport-CVE-2023-42363.patch Patch6003: backport-CVE-2023-42364-CVE-2023-42365.patch Patch6004: backport-CVE-2023-42366.patch Patch6005: backport-CVE-2023-39810.patch +Patch6006: backport-CVE-2025-46394.patch #Dependency BuildRequires: gcc glibc-static @@ -89,6 +90,12 @@ install -m 644 docs/busybox.dynamic.1 $RPM_BUILD_ROOT/%{_mandir}/man1/busybox.1 %{_mandir}/man1/busybox.petitboot.1* %changelog +* Fri Jul 18 2025 dongyuzhen - 1:1.36.1-11 +- Type:CVE +- Id:NA +- SUG:NA +- DESC:fix CVE-2025-46394 + * Thu Jul 17 2025 Funda Wang - 1:1.36.1-10 - Type:BUG - Id:NA -- Gitee