[kirkstone,06/17] busybox: patch CVE-2025-60876

Message ID	22440b3e1fa36ade36f5cf754d25104afab308e1.1773652940.git.yoann.congal@smile.fr
State	RFC, archived
Delegated to:	Yoann Congal
Headers	show Return-Path: <yoann.congal@smile.fr> ip: 209.85.221.46, mailfrom: yoann.congal@smile.fr) From: Yoann Congal <yoann.congal@smile.fr> To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 06/17] busybox: patch CVE-2025-60876 Date: Mon, 16 Mar 2026 10:28:25 +0100 Message-ID: <22440b3e1fa36ade36f5cf754d25104afab308e1.1773652940.git.yoann.congal@smile.fr> In-Reply-To: <cover.1773652940.git.yoann.congal@smile.fr> References: <cover.1773652940.git.yoann.congal@smile.fr> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[kirkstone,01/17] libtheora: set CVE_PRODUCT \| expand [kirkstone,01/17] libtheora: set CVE_PRODUCT [kirkstone,02/17] alsa-lib: patch CVE-2026-25068 [kirkstone,03/17] gdk-pixbuf: Fix CVE-2025-6199 [kirkstone,04/17] ffmpeg: patch CVE-2025-10256 [kirkstone,05/17] inetutils: patch CVE-2026-28372 [kirkstone,06/17] busybox: patch CVE-2025-60876 [kirkstone,07/17] tiff: patch CVE-2025-61143 [kirkstone,08/17] tiff: patch CVE-2025-61144 [kirkstone,09/17] tiff: set status of CVE-2025-61145 as fixed by patch for CVE-2025-8961 [kirkstone,10/17] gtk+3: fix incompatible-pointer-types errors for native build on Fedora 41 [kirkstone,11/17] libpam: fix CVE-2024-10963 [kirkstone,12/17] libpam: re-add missing libgen include [kirkstone,13/17] lsb.py: strip ' from os-release file [kirkstone,14/17] python3-pip: Fix CVE-2026-1703 [kirkstone,15/17] scripts/install-buildtools: Update to 4.0.33 [kirkstone,16/17] libcomps: Fix libcomps-native build on GCC14 hosts (e.g. Fedora 41) [kirkstone,17/17] createrepo-c: Fix createrepo-c-native build on GCC14 hosts (e.g. Fedora 41)

Message ID

22440b3e1fa36ade36f5cf754d25104afab308e1.1773652940.git.yoann.congal@smile.fr

State

RFC, archived

Delegated to:

Yoann Congal

Headers

From: Yoann Congal <yoann.congal@smile.fr>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 06/17] busybox: patch CVE-2025-60876
Date: Mon, 16 Mar 2026 10:28:25 +0100
Message-ID: 
 <22440b3e1fa36ade36f5cf754d25104afab308e1.1773652940.git.yoann.congal@smile.fr>
In-Reply-To: <cover.1773652940.git.yoann.congal@smile.fr>
References: <cover.1773652940.git.yoann.congal@smile.fr>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[kirkstone,01/17] libtheora: set CVE_PRODUCT | expand

Commit Message

Yoann Congal March 16, 2026, 9:28 a.m. UTC

From: Peter Marko <peter.marko@siemens.com>

Although the patch was not merged yet, Debian already took it ([1]).
Since busybox CVE handling is slow, follow Debian decision.

[1] https://sources.debian.org/src/busybox/1:1.37.0-10.1/debian/patches/wget-disallow-control-chars-in-URLs-CVE-2025-60876.patch

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Fabien Thomas <fabien.thomas@smile.fr>
[YC: fixed weird encoding in URL, added "CVE-" to subject]
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 .../busybox/busybox/CVE-2025-60876.patch      | 38 +++++++++++++++++++
 meta/recipes-core/busybox/busybox_1.35.0.bb   |  1 +
 2 files changed, 39 insertions(+)
 create mode 100644 meta/recipes-core/busybox/busybox/CVE-2025-60876.patch

diff --git a/meta/recipes-core/busybox/busybox/CVE-2025-60876.patch b/meta/recipes-core/busybox/busybox/CVE-2025-60876.patch
new file mode 100644
index 00000000000..72d7020f625
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2025-60876.patch
@@ -0,0 +1,38 @@ 
+From 32c0f6f240fcb041ae7df44a9bbf958d627a8212 Mon Sep 17 00:00:00 2001
+From: Radoslav Kolev <radoslav.kolev@suse.com>
+Date: Fri, 21 Nov 2025 11:21:18 +0200
+Subject: [PATCH] wget: don't allow control characters or spaces in the URL
+
+Fixes CVE-2025-60876 malicious URL can be used to inject
+HTTP headers in the request.
+
+Signed-off-by: Radoslav Kolev <radoslav.kolev@suse.com>
+Reviewed-by: Emmanuel Deloget <logout@free.fr>
+
+CVE: CVE-2025-60876
+Upstream-Status: Submitted [https://lists.busybox.net/pipermail/busybox/2025-November/091840.html]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ networking/wget.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/networking/wget.c b/networking/wget.c
+index 9ec0e67..7602563 100644
+--- a/networking/wget.c
++++ b/networking/wget.c
+@@ -536,6 +536,15 @@ static void parse_url(const char *src_url, struct host_info *h)
+ {
+ 	char *url, *p, *sp;
+ 
++	/* Fix for CVE-2025-60876 - don't allow control characters or spaces in the URL */
++	/* otherwise a malicious URL can be used to inject HTTP headers in the request */
++	const unsigned char *u = (void *) src_url;
++	while (*u) {
++		if (*u <= ' ')
++			bb_simple_error_msg_and_die("Unencoded control character found in the URL!");
++		u++;
++	}
++
+ 	free(h->allocated);
+ 	h->allocated = url = xstrdup(src_url);
+ 
diff --git a/meta/recipes-core/busybox/busybox_1.35.0.bb b/meta/recipes-core/busybox/busybox_1.35.0.bb
index 57a5747a489..0b5ac220f5f 100644
--- a/meta/recipes-core/busybox/busybox_1.35.0.bb
+++ b/meta/recipes-core/busybox/busybox_1.35.0.bb
@@ -61,6 +61,7 @@  SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
            file://CVE-2023-39810.patch \
            file://CVE-2025-46394-01.patch \
            file://CVE-2025-46394-02.patch \
+           file://CVE-2025-60876.patch \
            "
 SRC_URI:append:libc-musl = " file://musl.cfg "

[kirkstone,06/17] busybox: patch CVE-2025-60876

Commit Message

Patch