| Message ID | 20260220215043.2883581-1-livinsunny519@gmail.com |
|---|---|
| State | New |
| Series | [scarthgap] busybox: Fixes CVE-2025-60876 malicious URL can be used to inject HTTP headers in the request. |
Thank you for your submission. Patchtest identified one or more issues with the patch. Please see the log below for more information:

---
Testing patch /home/patchtest/share/mboxes/scarthgap-busybox-Fixes-CVE-2025-60876-malicious-URL-can-be-used-to-inject-HTTP-headers-in-the-request..patch

FAIL: test shortlog length: Edit shortlog so that it is 90 characters or less (currently 94 characters) (test_mbox.TestMbox.test_shortlog_length)

PASS: test CVE tag format (test_patch.TestPatch.test_cve_tag_format)
PASS: test Signed-off-by presence (test_mbox.TestMbox.test_signed_off_by_presence)
PASS: test Signed-off-by presence (test_patch.TestPatch.test_signed_off_by_presence)
PASS: test Upstream-Status presence (test_patch.TestPatch.test_upstream_status_presence_format)
PASS: test author valid (test_mbox.TestMbox.test_author_valid)
PASS: test commit message presence (test_mbox.TestMbox.test_commit_message_presence)
PASS: test commit message user tags (test_mbox.TestMbox.test_commit_message_user_tags)
PASS: test mbox format (test_mbox.TestMbox.test_mbox_format)
PASS: test non-AUH upgrade (test_mbox.TestMbox.test_non_auh_upgrade)
PASS: test shortlog format (test_mbox.TestMbox.test_shortlog_format)
PASS: test target mailing list (test_mbox.TestMbox.test_target_mailing_list)

SKIP: pretest pylint: No python related patches, skipping test (test_python_pylint.PyLint.pretest_pylint)
SKIP: test bugzilla entry format: No bug ID found (test_mbox.TestMbox.test_bugzilla_entry_format)
SKIP: test pylint: No python related patches, skipping test (test_python_pylint.PyLint.test_pylint)
SKIP: test series merge on head: Merge test is disabled for now (test_mbox.TestMbox.test_series_merge_on_head)
---

Please address the issues identified and submit a new revision of the patch, or alternatively, reply to this email with an explanation of why the patch should be accepted.
If you believe these results are due to an error in patchtest, please submit a bug at https://bugzilla.yoctoproject.org/ (use the 'Patchtest' category under 'Yocto Project Subprojects'). For more information on specific failures, see: https://wiki.yoctoproject.org/wiki/Patchtest. Thank you!
> -----Original Message----- > From: openembedded-core@lists.openembedded.org <openembedded- > core@lists.openembedded.org> On Behalf Of Livin Sunny via > lists.openembedded.org > Sent: Friday, February 20, 2026 22:49 > To: openembedded-core@lists.openembedded.org > Cc: JPEWhacker@gmail.com; Livin Sunny <livinsunny519@gmail.com> > Subject: [OE-core][scarthgap][PATCH] busybox: Fixes CVE-2025-60876 > malicious URL can be used to inject HTTP headers in the request. > > This is a backport of the fix from [1], which has been submitted to > the busybox upstream project and is tracked in [2]. > > [1] https://lists.busybox.net/pipermail/busybox/2025-November/091840.html > [2] https://security-tracker.debian.org/tracker/CVE-2025-60876 > > Signed-off-by: Livin Sunny <livinsunny519@gmail.com> > --- > ...control-chars-in-URLs-CVE-2025-60876.patch | 42 +++++++++++++++++++ > meta/recipes-core/busybox/busybox_1.36.1.bb | 1 + > 2 files changed, 43 insertions(+) > create mode 100644 meta/recipes-core/busybox/busybox/wget-disallow-control- > chars-in-URLs-CVE-2025-60876.patch > > diff --git a/meta/recipes-core/busybox/busybox/wget-disallow-control-chars-in- > URLs-CVE-2025-60876.patch b/meta/recipes-core/busybox/busybox/wget- > disallow-control-chars-in-URLs-CVE-2025-60876.patch > new file mode 100644 > index 0000000000..aafd0ec60b > --- /dev/null > +++ b/meta/recipes-core/busybox/busybox/wget-disallow-control-chars-in-URLs- > CVE-2025-60876.patch 
> @@ -0,0 +1,42 @@ > +From: Radoslav Kolev <radoslav.kolev@suse.com> > +Date: Fri, 21 Nov 2025 11:21:18 +0200 > +Subject: wget: don't allow control characters or spaces in the URL > +Bug-Debian: https://bugs.debian.org/1120795 > + > +Fixes CVE-2025-60876 malicious URL can be used to inject > +HTTP headers in the request. > + > +Signed-off-by: Radoslav Kolev <radoslav.kolev@suse.com> > +Reviewed-by: Emmanuel Deloget <logout@free.fr> > + > +Upstream-Status: Backport [https://lists.busybox.net/pipermail/busybox/2025- > November/091840.html]

This is an incorrect statement. It's not a backport, but only a submitted patch which has not yet been accepted by the busybox maintainer. Similarly, the commit message also wrongly says "backport". I'd also recommend mentioning in the commit message that Debian has taken this patch, which gives it some credibility.

https://salsa.debian.org/installer-team/busybox/-/blob/debian/1%251.37.0-10/debian/patches/wget-disallow-control-chars-in-URLs-CVE-2025-60876.patch

Peter
diff --git a/meta/recipes-core/busybox/busybox/wget-disallow-control-chars-in-URLs-CVE-2025-60876.patch b/meta/recipes-core/busybox/busybox/wget-disallow-control-chars-in-URLs-CVE-2025-60876.patch new file mode 100644 index 0000000000..aafd0ec60b --- /dev/null +++ b/meta/recipes-core/busybox/busybox/wget-disallow-control-chars-in-URLs-CVE-2025-60876.patch @@ -0,0 +1,42 @@ +From: Radoslav Kolev <radoslav.kolev@suse.com> +Date: Fri, 21 Nov 2025 11:21:18 +0200 +Subject: wget: don't allow control characters or spaces in the URL +Bug-Debian: https://bugs.debian.org/1120795 + +Fixes CVE-2025-60876 malicious URL can be used to inject +HTTP headers in the request. + +Signed-off-by: Radoslav Kolev <radoslav.kolev@suse.com> +Reviewed-by: Emmanuel Deloget <logout@free.fr> + +Upstream-Status: Backport [https://lists.busybox.net/pipermail/busybox/2025-November/091840.html] + +CVE: CVE-2025-60876 + +Signed-off-by: Livin Sunny <livinsunny519@gmail.com> +--- + networking/wget.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/networking/wget.c b/networking/wget.c +index ec3767793..fa555427b 100644 +--- a/networking/wget.c ++++ b/networking/wget.c +@@ -536,6 +536,15 @@ static void parse_url(const char *src_url, struct host_info *h) + { + char *url, *p, *sp; + ++ /* Fix for CVE-2025-60876 - don't allow control characters or spaces in the URL */ ++ /* otherwise a malicious URL can be used to inject HTTP headers in the request */ ++ const unsigned char *u = (void *) src_url; ++ while (*u) { ++ if (*u <= ' ') ++ bb_simple_error_msg_and_die("Unencoded control character found in the URL!"); ++ u++; ++ } ++ + free(h->allocated); + h->allocated = url = xstrdup(src_url); + +-- +2.47.3 diff --git a/meta/recipes-core/busybox/busybox_1.36.1.bb b/meta/recipes-core/busybox/busybox_1.36.1.bb index d3f259d45b..b7a8ad2ed5 100644 --- a/meta/recipes-core/busybox/busybox_1.36.1.bb +++ b/meta/recipes-core/busybox/busybox_1.36.1.bb 
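Review bot: the `Upstream-Status: Backport [...]` line in the new patch header is wrong for a change that, by the commit message's own account, has only been submitted to the busybox list and not merged; the OE-core tag for that state is `Upstream-Status: Submitted [https://lists.busybox.net/pipermail/busybox/2025-November/091840.html]`, and the commit message should say "submitted" rather than "backport" for the same reason (citing the Debian package that already ships this patch would document why it is trusted ahead of upstream acceptance). On the added code in `parse_url()`, the loop `while (*u) { if (*u <= ' ') ... }` rejects every byte from NUL through space (0x00-0x20), which covers the CR and LF bytes that enable header injection, but it does not cover DEL (0x7f); that matches the submitted upstream patch, so no change is needed, though it is worth a sentence in the commit message that the check is a plain value comparison rather than `iscntrl()`/`isspace()`.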
@@ -61,6 +61,7 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \ file://CVE-2023-39810.patch \ file://CVE-2025-46394-01.patch \ file://CVE-2025-46394-02.patch \ + file://wget-disallow-control-chars-in-URLs-CVE-2025-60876.patch \ " SRC_URI:append:libc-musl = " file://musl.cfg " # TODO http://lists.busybox.net/pipermail/busybox/2023-January/090078.html
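Review bot: the new `file://wget-disallow-control-chars-in-URLs-CVE-2025-60876.patch` entry breaks the naming pattern of the neighbouring entries (`file://CVE-2023-39810.patch`, `file://CVE-2025-46394-01.patch`, `file://CVE-2025-46394-02.patch`), which makes the fixed CVE harder to spot when scanning or grepping the recipe; consider renaming the file to `CVE-2025-60876.patch`, keeping the `CVE:` tag inside the patch header so the CVE check tooling still picks it up.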
This is a backport of the fix from [1], which has been submitted to the busybox upstream project and is tracked in [2].

[1] https://lists.busybox.net/pipermail/busybox/2025-November/091840.html
[2] https://security-tracker.debian.org/tracker/CVE-2025-60876

Signed-off-by: Livin Sunny <livinsunny519@gmail.com>
---
 ...control-chars-in-URLs-CVE-2025-60876.patch | 42 +++++++++++++++++++
 meta/recipes-core/busybox/busybox_1.36.1.bb   |  1 +
 2 files changed, 43 insertions(+)
 create mode 100644 meta/recipes-core/busybox/busybox/wget-disallow-control-chars-in-URLs-CVE-2025-60876.patch

-- 
2.53.0