diff --git a/backport-CVE-2025-46394.patch b/backport-CVE-2025-46394.patch new file mode 100644 index 0000000000000000000000000000000000000000..15895acf09b053b4e35d7d23549c9ae60b342690 --- /dev/null +++ b/backport-CVE-2025-46394.patch @@ -0,0 +1,104 @@ +From 06aa62ef884a3073e68b67fb17d054e6a48ee016 Mon Sep 17 00:00:00 2001 +From: liuxu +Date: Wed, 16 Jul 2025 17:55:27 +0800 +Subject: [PATCH] Prevent unprintable bytes including terminal escapes being + printed when listing tar file contents in a terminal as this can be used to + hide malicious archive content from users prior to unpacking a file. + +Fixes #16018 + +Also added bb_safe_dump_str() to include/libbb.h + +Conflict:Yes +Reference:https://lists.busybox.net/pipermail/busybox/2025-April/091461.html + +Signed-off-by: liuxu +--- + archival/libarchive/header_list.c | 3 ++- + archival/libarchive/header_verbose_list.c | 14 +++++++------- + include/libbb.h | 8 ++++++++ + 3 files changed, 17 insertions(+), 8 deletions(-) + +diff --git a/archival/libarchive/header_list.c b/archival/libarchive/header_list.c +index 0621aa4..9ee69aa 100644 +--- a/archival/libarchive/header_list.c ++++ b/archival/libarchive/header_list.c +@@ -8,5 +8,6 @@ + void FAST_FUNC header_list(const file_header_t *file_header) + { + //TODO: cpio -vp DIR should output "DIR/NAME", not just "NAME" */ +- puts(file_header->name); ++ bb_safe_dump_str(stdout, file_header->name); ++ bb_putchar('\n'); + } +diff --git a/archival/libarchive/header_verbose_list.c b/archival/libarchive/header_verbose_list.c +index be5140f..dd3f59a 100644 +--- a/archival/libarchive/header_verbose_list.c ++++ b/archival/libarchive/header_verbose_list.c +@@ -28,7 +28,7 @@ void FAST_FUNC header_verbose_list(const file_header_t *file_header) + /*sprintf(gid, "%u", (unsigned)file_header->gid);*/ + group = utoa(file_header->gid); + } +- printf("%s %s/%s %9"OFF_FMT"u %4u-%02u-%02u %02u:%02u:%02u %s", ++ printf("%s %s/%s %9"OFF_FMT"u %4u-%02u-%02u %02u:%02u:%02u ", + bb_mode_string(file_header->mode), + user, + group, +@@ -38,14 +38,13 @@ void FAST_FUNC header_verbose_list(const file_header_t *file_header) + ptm->tm_mday, + ptm->tm_hour, + ptm->tm_min, +- ptm->tm_sec, +- file_header->name); ++ ptm->tm_sec); + + #else /* !FEATURE_TAR_UNAME_GNAME */ + + localtime_r(&file_header->mtime, ptm); + +- printf("%s %u/%u %9"OFF_FMT"u %4u-%02u-%02u %02u:%02u:%02u %s", ++ printf("%s %u/%u %9"OFF_FMT"u %4u-%02u-%02u %02u:%02u:%02u ", + bb_mode_string(file_header->mode), + (unsigned)file_header->uid, + (unsigned)file_header->gid, +@@ -55,14 +54,15 @@ void FAST_FUNC header_verbose_list(const file_header_t *file_header) + ptm->tm_mday, + ptm->tm_hour, + ptm->tm_min, +- ptm->tm_sec, +- file_header->name); ++ ptm->tm_sec); + + #endif /* FEATURE_TAR_UNAME_GNAME */ + ++ bb_safe_dump_str(stdout, file_header->name); + /* NB: GNU tar shows "->" for symlinks and "link to" for hardlinks */ + if (file_header->link_target) { +- printf(" -> %s", file_header->link_target); ++ printf(" -> "); ++ bb_safe_dump_str(stdout, file_header->link_target); + } + bb_putchar('\n'); + } +diff --git a/include/libbb.h b/include/libbb.h +index 021100d..47106f1 100644 +--- a/include/libbb.h ++++ b/include/libbb.h +@@ -2285,6 +2285,14 @@ static ALWAYS_INLINE unsigned char bb_ascii_tolower(unsigned char a) + #define isgraph_asciionly(a) ((unsigned)((a) - 0x21) <= 0x7e - 0x21) + #define isprint_asciionly(a) ((unsigned)((a) - 0x20) <= 0x7e - 0x20) + ++/* Print msg to a file-descriptor, replacing any unprintable and terminal escape bytes with '?' if fd is a TTY */ ++static ALWAYS_INLINE void bb_safe_dump_str(FILE* fd, const char* msg) { ++ int fdno = fileno(fd); ++ if (isatty(fdno)) { ++ msg = printable_string(msg); ++ } ++ fprintf(fd, "%s", msg); ++} + + /* Simple unit-testing framework */ + +-- +2.43.0 + diff --git a/busybox.spec b/busybox.spec index 6a791dbc821f55d575e2e1975f2c787ae48348b1..ed7e463afe6faca8375b9ca404846f32ef23f0e0 100644 --- a/busybox.spec +++ b/busybox.spec @@ -4,7 +4,7 @@ %endif %if "%{!?RELEASE:1}" -%define RELEASE 24 +%define RELEASE 25 %endif Epoch: 1 @@ -34,6 +34,7 @@ Patch6010: backport-CVE-2023-42363.patch Patch6011: backport-CVE-2023-42364-CVE-2023-42365.patch Patch6012: backport-CVE-2023-42366.patch Patch6013: backport-CVE-2023-39810.patch +Patch6014: backport-CVE-2025-46394.patch BuildRoot: %_topdir/BUILDROOT #Dependency @@ -109,6 +110,12 @@ install -m 644 docs/busybox.dynamic.1 $RPM_BUILD_ROOT/%{_mandir}/man1/busybox.1 %{_mandir}/man1/busybox.petitboot.1.gz %changelog +* Mon Jul 21 2025 dongyuzhen - 1:1.31.1-25 +- Type:CVE +- Id:NA +- SUG:NA +- DESC:fix CVE-2025-46394 + * Mon Jul 07 2025 Funda Wang - 1:1.31.1-24 - Type:CVE - Id:NA