* [Buildroot] [PATCH/RFC 1/1] package/busybox: security bump version to 1.38.0
@ 2026-05-14  6:57 Bernd Kuhls
From: Bernd Kuhls @ 2026-05-14  6:57 UTC (permalink / raw)
  To: buildroot

https://www.busybox.net/news.html

Removed patches which are included in this release, renumbered remaining
patches.

Patch 0006 was removed because its fix is included in upstream commit
https://github.com/vda-linux/busybox_mirror/commit/9a8796436b9b0641e13480811902ea2ac57881d3

which also adds a new Kconfig option, disabled by default, to fix
CVE-2023-39810. RFC: Should we enable this option by default?

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
---
 ...-failing-saying-ncurses-is-not-found.patch | 38 ------------
 ...Fix-compilation-with-Linux-v6.8-rc1.patch} |  0
 ...-awk.c-fix-CVE-2023-42366-bug-15874.patch} |  0
 ...-SYS_settimeofday-before-calling-sy.patch} |  0
 ...x-wrong-OPT_locallog-flag-detection.patch} |  0
 ...0-libbb-sha-add-missing-sha-NI-guard.patch | 54 -----------------
 ...tests-fix-test-after-cve-2025-46394.patch} |  0
 ...rol-characters-or-spaces-in-the-URL.patch} |  0
 ...archive-sanitize-filenames-on-output.patch | 58 -------------------
 package/busybox/busybox.hash                  |  4 +-
 package/busybox/busybox.mk                    |  2 +-
 11 files changed, 3 insertions(+), 153 deletions(-)
 delete mode 100644 package/busybox/0006-menuconfig-GCC-failing-saying-ncurses-is-not-found.patch
 rename package/busybox/{0007-tc-Fix-compilation-with-Linux-v6.8-rc1.patch => 0006-tc-Fix-compilation-with-Linux-v6.8-rc1.patch} (100%)
 rename package/busybox/{0008-awk.c-fix-CVE-2023-42366-bug-15874.patch => 0007-awk.c-fix-CVE-2023-42366-bug-15874.patch} (100%)
 rename package/busybox/{0009-hwclock-Check-for-SYS_settimeofday-before-calling-sy.patch => 0008-hwclock-Check-for-SYS_settimeofday-before-calling-sy.patch} (100%)
 rename package/busybox/{0011-syslogd-fix-wrong-OPT_locallog-flag-detection.patch => 0009-syslogd-fix-wrong-OPT_locallog-flag-detection.patch} (100%)
 delete mode 100644 package/busybox/0010-libbb-sha-add-missing-sha-NI-guard.patch
 rename package/busybox/{0013-testsuite-tar-tests-fix-test-after-cve-2025-46394.patch => 0010-testsuite-tar-tests-fix-test-after-cve-2025-46394.patch} (100%)
 rename package/busybox/{0014-wget-dont-allow-control-characters-or-spaces-in-the-URL.patch => 0011-wget-dont-allow-control-characters-or-spaces-in-the-URL.patch} (100%)
 delete mode 100644 package/busybox/0012-archival-libarchive-sanitize-filenames-on-output.patch

diff --git a/package/busybox/0006-menuconfig-GCC-failing-saying-ncurses-is-not-found.patch b/package/busybox/0006-menuconfig-GCC-failing-saying-ncurses-is-not-found.patch
deleted file mode 100644
index 594874471d..0000000000
--- a/package/busybox/0006-menuconfig-GCC-failing-saying-ncurses-is-not-found.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 7f0bb7f69f38298971aa8153d3fbe9b1fdda8ae7 Mon Sep 17 00:00:00 2001
-From: ctxnop <ctxnop@gmail.com>
-Date: Sun, 26 Jan 2025 20:59:20 +0100
-Subject: [PATCH] menuconfig: GCC failing saying ncurses is not found
-
-Newer GCC increased diagnostics levels resulting in considering the
-test code to be invalid. The resulting message was misleading, saying
-that ncurses was not found, while the check failed for an unrelated
-reason which was hidden because GCC stderr was redirected to
-/dev/null.
-
-Signed-off-by: ctxnop <ctxnop@gmail.com>
-Upstream: http://lists.busybox.net/pipermail/busybox/2024-July/090840.html
-[Fiona: rephrased commit message for clarity]
-Signed-off-by: Fiona Klute (WIWA) <fiona.klute@gmx.de>
----
- scripts/kconfig/lxdialog/check-lxdialog.sh | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/scripts/kconfig/lxdialog/check-lxdialog.sh b/scripts/kconfig/lxdialog/check-lxdialog.sh
-index 5075ebf2d..08e4da3de 100755
---- a/scripts/kconfig/lxdialog/check-lxdialog.sh
-+++ b/scripts/kconfig/lxdialog/check-lxdialog.sh
-@@ -45,9 +45,9 @@ trap "rm -f $tmp" 0 1 2 3 15
- 
- # Check if we can link to ncurses
- check() {
--        $cc -x c - -o $tmp 2>/dev/null <<'EOF'
-+	$cc -x c - -o $tmp <<'EOF'
- #include CURSES_LOC
--main() {}
-+int main() { return 0; }
- EOF
- 	if [ $? != 0 ]; then
- 	    echo " *** Unable to find the ncurses libraries or the"       1>&2
--- 
-2.48.1
-
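Review bot: the commit message's justification for this deletion does not line up with what the removed file contains. The message says patch 0006 is covered by upstream commit 9a8796436b9b0641e13480811902ea2ac57881d3, "which also adds a new Kconfig option ... to fix CVE-2023-39810", but the 0006 patch being deleted here only touches scripts/kconfig/lxdialog/check-lxdialog.sh (the `$cc -x c - -o $tmp <<'EOF'` / `int main() { return 0; }` change) and its own Upstream: line points to a busybox mailing-list post, not to that commit. Please either state which upstream change carries the check-lxdialog.sh fix in 1.38.0, or correct the patch number in the commit message if the CVE-2023-39810 remark was meant for a different patch; also name the new Kconfig symbol, since the RFC question cannot be answered without it.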
diff --git a/package/busybox/0007-tc-Fix-compilation-with-Linux-v6.8-rc1.patch b/package/busybox/0006-tc-Fix-compilation-with-Linux-v6.8-rc1.patch
similarity index 100%
rename from package/busybox/0007-tc-Fix-compilation-with-Linux-v6.8-rc1.patch
rename to package/busybox/0006-tc-Fix-compilation-with-Linux-v6.8-rc1.patch
diff --git a/package/busybox/0008-awk.c-fix-CVE-2023-42366-bug-15874.patch b/package/busybox/0007-awk.c-fix-CVE-2023-42366-bug-15874.patch
similarity index 100%
rename from package/busybox/0008-awk.c-fix-CVE-2023-42366-bug-15874.patch
rename to package/busybox/0007-awk.c-fix-CVE-2023-42366-bug-15874.patch
diff --git a/package/busybox/0009-hwclock-Check-for-SYS_settimeofday-before-calling-sy.patch b/package/busybox/0008-hwclock-Check-for-SYS_settimeofday-before-calling-sy.patch
similarity index 100%
rename from package/busybox/0009-hwclock-Check-for-SYS_settimeofday-before-calling-sy.patch
rename to package/busybox/0008-hwclock-Check-for-SYS_settimeofday-before-calling-sy.patch
diff --git a/package/busybox/0011-syslogd-fix-wrong-OPT_locallog-flag-detection.patch b/package/busybox/0009-syslogd-fix-wrong-OPT_locallog-flag-detection.patch
similarity index 100%
rename from package/busybox/0011-syslogd-fix-wrong-OPT_locallog-flag-detection.patch
rename to package/busybox/0009-syslogd-fix-wrong-OPT_locallog-flag-detection.patch
diff --git a/package/busybox/0010-libbb-sha-add-missing-sha-NI-guard.patch b/package/busybox/0010-libbb-sha-add-missing-sha-NI-guard.patch
deleted file mode 100644
index 0fd7014b50..0000000000
--- a/package/busybox/0010-libbb-sha-add-missing-sha-NI-guard.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From bba9e99026a3dafe75f608459533e0b6d8cf3874 Mon Sep 17 00:00:00 2001
-From: Andre Przywara <andre.przywara@arm.com>
-Date: Tue, 10 Sep 2024 14:32:46 +0100
-Subject: [PATCH] libbb/sha: add missing sha-NI guard
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The ENABLE_SHA1_HWACCEL Kconfig symbol is meant to be archicture
-agnostic, so can be enabled regardless of whether your build
-architecture provides hardware acceleration or not. At the moment only
-x86 implements this, so every piece of optimised code should be guarded
-by both ENABLE_SHA1_HWACCEL and (__x86_64__ || __i386__). This is missing
-at one place, so compiling for arm64 breaks when ENABLE_SHA1_HWACCEL is
-enabled:
-================================
-libbb/hash_md5_sha.c: In function ‘sha1_end’:
-libbb/hash_md5_sha.c:1316:28: error: ‘sha1_process_block64_shaNI’ undeclared (first use in this function); did you mean ‘sha1_process_block64’?
- 1316 |   || ctx->process_block == sha1_process_block64_shaNI
-      |                            ^~~~~~~~~~~~~~~~~~~~~~~~~~
-      |                            sha1_process_block64
-libbb/hash_md5_sha.c:1316:28: note: each undeclared identifier is reported only once for each function it appears in
-make[1]: *** [scripts/Makefile.build:197: libbb/hash_md5_sha.o] Error 1
-make: *** [Makefile:744: libbb] Error 2
-================================
-
-Add the missing guards around the call to sha1_process_block64_shaNI to
-fix the build on other architectures with ENABLE_SHA1_HWACCEL enabled.
-
-Change-Id: I40bba388422625f4230abf15a5de23e1fdc654fc
-Signed-off-by: Andre Przywara <andre.przywara@arm.com>
-Upstream: https://lists.busybox.net/pipermail/busybox/2024-September/090899.html
-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
----
- libbb/hash_md5_sha.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/libbb/hash_md5_sha.c b/libbb/hash_md5_sha.c
-index 57a801459..75a61c32c 100644
---- a/libbb/hash_md5_sha.c
-+++ b/libbb/hash_md5_sha.c
-@@ -1313,7 +1313,9 @@ unsigned FAST_FUNC sha1_end(sha1_ctx_t *ctx, void *resbuf)
- 	hash_size = 8;
- 	if (ctx->process_block == sha1_process_block64
- #if ENABLE_SHA1_HWACCEL
-+# if defined(__GNUC__) && (defined(__i386__) || defined(__x86_64__))
- 	 || ctx->process_block == sha1_process_block64_shaNI
-+# endif
- #endif
- 	) {
- 		hash_size = 5;
--- 
-2.48.1
-
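Review bot: the commit message gives no upstream reference for this removal, and the deleted patch's Upstream: line is a mailing-list URL rather than a commit, so a reader cannot tell from the series whether the `# if defined(__GNUC__) && (defined(__i386__) || defined(__x86_64__))` guard around `sha1_process_block64_shaNI` in sha1_end() is really present in 1.38.0. Suggest adding the upstream commit id to the commit message, and confirming with a non-x86 build (the patch's own description names arm64 with ENABLE_SHA1_HWACCEL enabled) that hash_md5_sha.c still compiles after the bump.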
diff --git a/package/busybox/0013-testsuite-tar-tests-fix-test-after-cve-2025-46394.patch b/package/busybox/0010-testsuite-tar-tests-fix-test-after-cve-2025-46394.patch
similarity index 100%
rename from package/busybox/0013-testsuite-tar-tests-fix-test-after-cve-2025-46394.patch
rename to package/busybox/0010-testsuite-tar-tests-fix-test-after-cve-2025-46394.patch
diff --git a/package/busybox/0014-wget-dont-allow-control-characters-or-spaces-in-the-URL.patch b/package/busybox/0011-wget-dont-allow-control-characters-or-spaces-in-the-URL.patch
similarity index 100%
rename from package/busybox/0014-wget-dont-allow-control-characters-or-spaces-in-the-URL.patch
rename to package/busybox/0011-wget-dont-allow-control-characters-or-spaces-in-the-URL.patch
diff --git a/package/busybox/0012-archival-libarchive-sanitize-filenames-on-output.patch b/package/busybox/0012-archival-libarchive-sanitize-filenames-on-output.patch
deleted file mode 100644
index 6af55c38c8..0000000000
--- a/package/busybox/0012-archival-libarchive-sanitize-filenames-on-output.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From f5e1bf966b19ea1821f00a8c9ecd7774598689b4 Mon Sep 17 00:00:00 2001
-From: Denys Vlasenko <vda.linux@googlemail.com>
-Date: Wed, 24 Sep 2025 03:28:47 +0200
-Subject: archival/libarchive: sanitize filenames on output (prevent control
- sequence attacks
-
-This fixes CVE-2025-46394 (terminal escape sequence injection)
-
-Original credit: Ian.Norton at entrust.com
-
-function                                             old     new   delta
-header_list                                            9      15      +6
-header_verbose_list                                  239     244      +5
-------------------------------------------------------------------------------
-(add/remove: 0/0 grow/shrink: 2/0 up/down: 11/0)               Total: 11 bytes
-
-Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
-CVE: CVE-2025-46394
-Upstream: https://git.busybox.net/busybox/patch/?id=f5e1bf966b19ea1821f00a8c9ecd7774598689b4
-Signed-off-by: Thomas Perale <thomas.perale@mind.be>
----
- archival/libarchive/header_list.c         | 2 +-
- archival/libarchive/header_verbose_list.c | 4 ++--
- 2 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/archival/libarchive/header_list.c b/archival/libarchive/header_list.c
-index 0621aa406..9490b3635 100644
---- a/archival/libarchive/header_list.c
-+++ b/archival/libarchive/header_list.c
-@@ -8,5 +8,5 @@
- void FAST_FUNC header_list(const file_header_t *file_header)
- {
- //TODO: cpio -vp DIR should output "DIR/NAME", not just "NAME" */
--	puts(file_header->name);
-+	puts(printable_string(file_header->name));
- }
-diff --git a/archival/libarchive/header_verbose_list.c b/archival/libarchive/header_verbose_list.c
-index a575a08a0..e7a09430d 100644
---- a/archival/libarchive/header_verbose_list.c
-+++ b/archival/libarchive/header_verbose_list.c
-@@ -57,13 +57,13 @@ void FAST_FUNC header_verbose_list(const file_header_t *file_header)
- 		ptm->tm_hour,
- 		ptm->tm_min,
- 		ptm->tm_sec,
--		file_header->name);
-+		printable_string(file_header->name));
- 
- #endif /* FEATURE_TAR_UNAME_GNAME */
- 
- 	/* NB: GNU tar shows "->" for symlinks and "link to" for hardlinks */
- 	if (file_header->link_target) {
--		printf(" -> %s", file_header->link_target);
-+		printf(" -> %s", printable_string(file_header->link_target));
- 	}
- 	bb_putchar('\n');
- }
--- 
-cgit v1.2.3
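Review bot: the CVE-2025-46394 fix (printable_string() in header_list.c and header_verbose_list.c) is dropped here as upstream, but the companion 0013-testsuite-tar-tests-fix-test-after-cve-2025-46394.patch is kept and only renamed to 0010. If the fix landed upstream (the deleted patch references busybox commit f5e1bf966b19ea1821f00a8c9ecd7774598689b4), the matching testsuite adjustment most likely did too; please either drop the test patch as well or state in the commit message why it is still needed against 1.38.0. The CVE: line being removed with this file also means the CVE is no longer recorded anywhere in the package, so it is worth listing CVE-2025-46394 among the fixes the bump brings in.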
diff --git a/package/busybox/busybox.hash b/package/busybox/busybox.hash
index 39ca8915f3..73e88e49da 100644
--- a/package/busybox/busybox.hash
+++ b/package/busybox/busybox.hash
@@ -1,5 +1,5 @@
-# From https://busybox.net/downloads/busybox-1.37.0.tar.bz2.sha256
-sha256  3311dff32e746499f4df0d5df04d7eb396382d7e108bb9250e7b519b837043a4  busybox-1.37.0.tar.bz2
+# From https://www.busybox.net/downloads/busybox-1.38.0.tar.bz2.sha256
+sha256  34f9ea6ff8636f2c9241153b9114eefa9e65674a45318ae1ef95bb5f31c53bb2  busybox-1.38.0.tar.bz2
 # Locally computed
 sha256  bbfc9843646d483c334664f651c208b9839626891d8f17604db2146962f43548  LICENSE
 sha256  b5a136ed67798e51fe2e0ca0b2a21cb01b904ff0c9f7d563a6292e276607e58f  archival/libarchive/bz/LICENSE
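Review bot: the new tarball sha256 (34f9ea6f...) should be stated as verified against the upstream busybox-1.38.0.tar.bz2.sha256 file named in the comment, ideally with a note in the commit message that the upstream signature was checked as well. The "Locally computed" hashes for LICENSE and archival/libarchive/bz/LICENSE are left unchanged; please confirm they still match the files in the 1.38.0 tarball, since any change there would make the hash check fail at build time. The comment URL switching from busybox.net to www.busybox.net is consistent with BUSYBOX_SITE.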
diff --git a/package/busybox/busybox.mk b/package/busybox/busybox.mk
index ebe169cdb9..0e7c35fb5c 100644
--- a/package/busybox/busybox.mk
+++ b/package/busybox/busybox.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-BUSYBOX_VERSION = 1.37.0
+BUSYBOX_VERSION = 1.38.0
 BUSYBOX_SITE = https://www.busybox.net/downloads
 BUSYBOX_SOURCE = busybox-$(BUSYBOX_VERSION).tar.bz2
 BUSYBOX_LICENSE = GPL-2.0, bzip2-1.0.4
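Review bot: the subject calls this a security bump, but apart from the version line nothing in the series records which security fixes 1.38.0 carries; the commit message names only CVE-2023-39810 (new Kconfig option) and the dropped CVE-2025-46394 patch. Suggest listing the relevant fixes from the linked news page in the commit message. On the RFC: since the commit message says the new option is disabled by default, enabling it would need a change to the BusyBox configuration handling rather than this version bump alone, so the Kconfig symbol should be named in the message so reviewers can judge the default.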
-- 
2.47.3
