> -----Original Message-----
> From: [email protected] <openembedded-
> [email protected]> On Behalf Of Livin Sunny via lists.openembedded.org
> Sent: Friday, February 20, 2026 22:49
> To: [email protected]
> Cc: [email protected]; Livin Sunny <[email protected]>
> Subject: [OE-core][scarthgap][PATCH] busybox: Fixes CVE-2025-60876 malicious URL can be used to inject HTTP headers in the request.
>
> This is a backport of the fix from [1], which has been submitted to
> the busybox upstream project and is tracked in [2].
>
> [1] https://lists.busybox.net/pipermail/busybox/2025-November/091840.html
> [2] https://security-tracker.debian.org/tracker/CVE-2025-60876
>
> Signed-off-by: Livin Sunny <[email protected]>
> ---
>  ...control-chars-in-URLs-CVE-2025-60876.patch | 42 +++++++++++++++++++
>  meta/recipes-core/busybox/busybox_1.36.1.bb | 1 +
>  2 files changed, 43 insertions(+)
>  create mode 100644 meta/recipes-core/busybox/busybox/wget-disallow-control-chars-in-URLs-CVE-2025-60876.patch
>
> diff --git a/meta/recipes-core/busybox/busybox/wget-disallow-control-chars-in-URLs-CVE-2025-60876.patch b/meta/recipes-core/busybox/busybox/wget-disallow-control-chars-in-URLs-CVE-2025-60876.patch
> new file mode 100644
> index 0000000000..aafd0ec60b
> --- /dev/null
> +++ b/meta/recipes-core/busybox/busybox/wget-disallow-control-chars-in-URLs-CVE-2025-60876.patch
> @@ -0,0 +1,42 @@
> +From: Radoslav Kolev <[email protected]>
> +Date: Fri, 21 Nov 2025 11:21:18 +0200
> +Subject: wget: don't allow control characters or spaces in the URL
> +Bug-Debian: https://bugs.debian.org/1120795
> +
> +Fixes CVE-2025-60876 malicious URL can be used to inject
> +HTTP headers in the request.
> +
> +Signed-off-by: Radoslav Kolev <[email protected]>
> +Reviewed-by: Emmanuel Deloget <[email protected]>
> +
> +Upstream-Status: Backport [https://lists.busybox.net/pipermail/busybox/2025-November/091840.html]
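Review bot: the `Upstream-Status` line at the end of this hunk is wrong for the state of the change: `+Upstream-Status: Backport [https://lists.busybox.net/pipermail/busybox/2025-November/091840.html]` points at a mailing-list post, not at a commit in the busybox tree, so by OE-core's patch conventions it should read `Upstream-Status: Submitted [https://lists.busybox.net/pipermail/busybox/2025-November/091840.html]` until the busybox maintainer merges it, and the commit message's "This is a backport of the fix from [1]" should be reworded to match, since [1] is that same unmerged submission. The header also carries no `CVE: CVE-2025-60876` tag line; cve-check will match the CVE id from the file name, but the explicit tag is what OE-core asks for in CVE patches, and the free-text "Fixes CVE-2025-60876 ..." sentence does not substitute for it. Since the header already cites Bug-Debian: https://bugs.debian.org/1120795, noting in the commit message that Debian ships this patch would document where the change has actually been reviewed and carried.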
This is an incorrect statement. It's not a backport, but only a submitted patch which has not yet been accepted by the busybox maintainer. Similarly, the commit message also wrongly says "backport".

I'd also recommend mentioning in the commit message that Debian has taken this patch, which gives it some credibility:
https://salsa.debian.org/installer-team/busybox/-/blob/debian/1%251.37.0-10/debian/patches/wget-disallow-control-chars-in-URLs-CVE-2025-60876.patch

Peter
View/Reply Online (#231554): https://lists.openembedded.org/g/openembedded-core/message/231554
