From: "Yoann Congal" <yoann.congal@smile.fr>
To: <hprajapati@mvista.com>, "Fabien Thomas" <fabien.thomas@smile.fr>,
<openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core] [kirkstone][PATCH] busybox: fix for CVE-2026-26157, CVE-2026-26158
Date: Sat, 21 Mar 2026 01:30:04 +0100
Message-ID: <DH81AZACSEQK.3JVCYSLWG2NFM@smile.fr>
In-Reply-To: <c643bc67-8d9a-4740-9539-ea7b90d93c99@mvista.com>
On Thu Mar 19, 2026 at 12:40 PM CET, Hitendra Prajapati via lists.openembedded.org wrote:
> Hi Team,
>
> I'm not able to load the official busybox repo from last week, so I used
> a mirror.
Yes, the busybox git host is sadly not reliable :(
Khem found a mirror that looks trustworthy and up-to-date: https://gogs.librecmc.org/OWEALS/busybox/
In the hope that the busybox host will recover, let's put
git.busybox.net in our upstream-status but add a note with this mirror.
> If anyone has access, they may try to fix this, or I will look into
> these later.
>
> Regards,
>
> Hitendra
>
> On 19/03/26 4:35 pm, Fabien Thomas wrote:
>> On Fri Mar 13, 2026 at 2:18 PM CET, Hitendra Prajapati via lists.openembedded.org wrote:
>>> Although the patch was not merged yet, Debian already took it ([1] & [2]).
>>> Since busybox CVE handling is slow, follow Debian's decision.
>>>
>>> [1] https://sources.debian.org/src/busybox/1:1.37.0-10.1/debian/patches/0001-tar-strip-unsafe-hardlink-components-GNU-tar-does-th.patch
>>> [2] https://sources.debian.org/src/busybox/1:1.37.0-10.1/debian/patches/0002-tar-only-strip-unsafe-components-from-hardlinks-not-.patch
>>>
>>> Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
>>> ---
>>> .../CVE-2026-26157-CVE-2026-26158-01.patch | 35 ++++
>>> .../CVE-2026-26157-CVE-2026-26158-02.patch | 197 ++++++++++++++++++
>>> meta/recipes-core/busybox/busybox_1.35.0.bb | 2 +
>>> 3 files changed, 234 insertions(+)
>>> create mode 100644 meta/recipes-core/busybox/busybox/CVE-2026-26157-CVE-2026-26158-01.patch
>>> create mode 100644 meta/recipes-core/busybox/busybox/CVE-2026-26157-CVE-2026-26158-02.patch
>>>
>>> diff --git a/meta/recipes-core/busybox/busybox/CVE-2026-26157-CVE-2026-26158-01.patch b/meta/recipes-core/busybox/busybox/CVE-2026-26157-CVE-2026-26158-01.patch
>>> new file mode 100644
>>> index 0000000000..306ccad511
>>> --- /dev/null
>>> +++ b/meta/recipes-core/busybox/busybox/CVE-2026-26157-CVE-2026-26158-01.patch
>>> @@ -0,0 +1,35 @@
>>> +From 038e0e4d791ea4e8a8da5e06904756142fc6b8dc Mon Sep 17 00:00:00 2001
>>> +From: Radoslav Kolev<radoslav.kolev@suse.com>
>>> +Date: Mon, 16 Feb 2026 11:50:04 +0200
>>> +Subject: tar: only strip unsafe components from hardlinks, not symlinks
>>> +
>>> +commit 3fb6b31c7 introduced a check for unsafe components in
>>> +tar archive hardlinks, but it was being applied to symlinks too
>>> +which broke "Symlinks and hardlinks coexist" tar test.
>>> +
>>> +Signed-off-by: Radoslav Kolev<radoslav.kolev@suse.com>
>>> +Signed-off-by: Denys Vlasenko<vda.linux@googlemail.com>
>>> +
>>> +CVE: CVE-2026-26157, CVE-2026-26158
>>> +Upstream-Status: Backport [https://github.com/mirror/busybox/commit/3fb6b31c716669e12f75a2accd31bb7685b1a1cb]
Maybe something like this?
Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=3fb6b31c716669e12f75a2accd31bb7685b1a1cb]
(Alternative mirrored URL: https://gogs.librecmc.org/OWEALS/busybox/commit/3fb6b31c716669e12f75a2accd31bb7685b1a1cb)
>>> +Signed-off-by: Hitendra Prajapati<hprajapati@mvista.com>
>>> +---
>>> + archival/libarchive/get_header_tar.c | 2 +-
>>> + 1 file changed, 1 insertion(+), 1 deletion(-)
>>> +
>>> +diff --git a/archival/libarchive/get_header_tar.c b/archival/libarchive/get_header_tar.c
>>> +index dc0f7e0..a8c2ad8 100644
>>> +--- a/archival/libarchive/get_header_tar.c
>>> ++++ b/archival/libarchive/get_header_tar.c
>>> +@@ -453,7 +453,7 @@ char FAST_FUNC get_header_tar(archive_handle_t *archive_handle)
>>> +
>>> + /* Everything up to and including last ".." component is stripped */
>>> + strip_unsafe_prefix(file_header->name);
>>> +- if (file_header->link_target) {
>>> ++ if (file_header->link_target && !S_ISLNK(file_header->mode)) {
>>> + /* GNU tar 1.34 examples:
>>> + * tar: Removing leading '/' from hard link targets
>>> + * tar: Removing leading '../' from hard link targets
>>> +--
>>> +2.50.1
>>> +
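Review bot: the Upstream-Status on this patch does not match the patch itself. The From line identifies the backported commit as 038e0e4d791ea4e8a8da5e06904756142fc6b8dc, and the commit message says that 3fb6b31c7 "introduced" the hardlink check this change narrows, yet Upstream-Status points at 3fb6b31c716669e12f75a2accd31bb7685b1a1cb. Record the commit actually being backported (the one in the From line) so the status is traceable, using the git.busybox.net URL with the mirror noted alongside as suggested above. Note also that a one-line change from `if (file_header->link_target) {` to `if (file_header->link_target && !S_ISLNK(file_header->mode)) {` presupposes that the link_target check already exists in the tree, which by this patch's own description comes from the commit backported in 02.patch.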
>>> diff --git a/meta/recipes-core/busybox/busybox/CVE-2026-26157-CVE-2026-26158-02.patch b/meta/recipes-core/busybox/busybox/CVE-2026-26157-CVE-2026-26158-02.patch
>>> new file mode 100644
>>> index 0000000000..69e6e98c75
>>> --- /dev/null
>>> +++ b/meta/recipes-core/busybox/busybox/CVE-2026-26157-CVE-2026-26158-02.patch
>>> @@ -0,0 +1,197 @@
>>> +From 0c20d6b353b058ab910dd3a0211e2b906802b105 Mon Sep 17 00:00:00 2001
>>> +From: Denys Vlasenko<vda.linux@googlemail.com>
>>> +Date: Thu, 29 Jan 2026 11:48:02 +0100
>>> +Subject: tar: strip unsafe hardlink components - GNU tar does the same
>>> +
>>> +Defends against files like these (python reproducer):
>>> +
>>> +import tarfile
>>> +ti = tarfile.TarInfo("leak_hosts")
>>> +ti.type = tarfile.LNKTYPE
>>> +ti.linkname = "/etc/hosts" # or "../etc/hosts" or ".."
>>> +ti.size = 0
>>> +with tarfile.open("/tmp/hardlink.tar", "w") as t:
>>> + t.addfile(ti)
>>> +
>>> +function old new delta
>>> +skip_unsafe_prefix - 127 +127
>>> +get_header_tar 1752 1754 +2
>>> +.rodata 106861 106856 -5
>>> +unzip_main 2715 2706 -9
>>> +strip_unsafe_prefix 102 18 -84
>>> +------------------------------------------------------------------------------
>>> +(add/remove: 1/0 grow/shrink: 1/3 up/down: 129/-98) Total: 31 bytes
>>> +
>>> +Signed-off-by: Denys Vlasenko<vda.linux@googlemail.com>
>>> +
>>> +CVE: CVE-2026-26157, CVE-2026-26158
>>> +Upstream-Status: Backport [https://github.com/mirror/busybox/commit/3fb6b31c716669e12f75a2accd31bb7685b1a1cb]
Use the same pattern as above.
>>> +Signed-off-by: Hitendra Prajapati<hprajapati@mvista.com>
>>> +---
>>> [...]
>>> +
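Review bot: Upstream-Status here cites the same upstream commit, 3fb6b31c716669e12f75a2accd31bb7685b1a1cb, as 01.patch, while the From line names 0c20d6b353b058ab910dd3a0211e2b906802b105. Two different patch files cannot both be backports of one upstream commit, so at least one of the two statuses is wrong. Since 01.patch's message credits 3fb6b31c7 with introducing the hardlink check, and this patch's subject ("strip unsafe hardlink components") describes exactly that check, verify which upstream commit each file corresponds to and put that id in each Upstream-Status, with the git.busybox.net URL and the mirror as a note.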
>>> diff --git a/meta/recipes-core/busybox/busybox_1.35.0.bb b/meta/recipes-core/busybox/busybox_1.35.0.bb
>>> index 0b5ac220f5..bb07502ccc 100644
>>> --- a/meta/recipes-core/busybox/busybox_1.35.0.bb
>>> +++ b/meta/recipes-core/busybox/busybox_1.35.0.bb
>>> @@ -62,6 +62,8 @@ SRC_URI ="https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
>>> file://CVE-2025-46394-01.patch \ file://CVE-2025-46394-02.patch \
>>> file://CVE-2025-60876.patch \ +
>>> file://CVE-2026-26157-CVE-2026-26158-01.patch \ +
>>> file://CVE-2026-26157-CVE-2026-26158-02.patch \ "
>>> SRC_URI:append:libc-musl =" file://musl.cfg "
>>>
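Review bot: the SRC_URI order applies CVE-2026-26157-CVE-2026-26158-01.patch before -02.patch, but by their own subjects 01.patch ("only strip unsafe components from hardlinks, not symlinks") is a follow-up fix to the hardlink check that 02.patch ("strip unsafe hardlink components") introduces. Applying the follow-up first means its single hunk looks for context that 02.patch has not yet added, which is consistent with the do_patch failure reported below ("Hunk #1 FAILED at 453"). Swap the two entries, or renumber the files so the numbering reflects the upstream order, and re-run do_patch against the kirkstone busybox_1.35.0 recipe before resending.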
>> Hi Hitendra,
>>
>> I'm working with Yoann, helping him to support the maintenance of
>> the stable branches.
>>
>> Thanks for the patch. Indeed, since the Busybox CVE handling is slow,
>> following Debian is acceptable. However, there are a few issues that need to
>> be addressed before this can be merged:
>>
>> In the patch metadata (Upstream-Status / Backport):
>> - Source URL: Please use the official upstream repository (git.busybox.net,
>> which I'm aware is a little bit downish) instead of the GitHub mirror.
>> - Commit Reference: The Debian patches you cited do not actually backport
>> the commit 3fb6b31c716669e12f75a2accd31bb7685b1a1cb as claimed in the status.
>> Seems that the first one is actually a backport of
>> 599f5dd8fac390c18b79cba4c14c334957605dae, recently merged in busybox master.
>>
>> Please clarify the "Upstream-Status" to reflect exactly
>> what these patches represent.
>>
>> The first patch (01.patch) fails to apply on the current Kirkstone
>> busybox_1.35.0 recipe:
>>
>> ERROR: busybox-1.35.0-r0 do_patch:
>> Applying patch 'CVE-2026-26157-CVE-2026-26158-01.patch'
>> patching file archival/libarchive/get_header_tar.c
>> Hunk #1 FAILED at 453.
>> 1 out of 1 hunk FAILED -- rejects in file archival/libarchive/get_header_tar.c
>>
>> Please ensure the patches are rebased and tested against
>> the kirkstone branch of openembedded-core.
>>
>> Best regards,
Regards,
--
Yoann Congal
Smile ECS