Hello, On Sat Feb 21, 2026 at 2:05 AM CET, Livin Sunny via lists.openembedded.org wrote: > > This patch addresses CVE-2025-60876[1], which allows malicious URLs to inject > HTTP headers. It has been accepted by Debian[2] and is tracked here [4]. > The upstream fix has been submitted [3] and is pending merge. > > [1] https://nvd.nist.gov/vuln/detail/CVE-2025-60876 > [2] https://bugs.debian.org/1120795 > [3] https://lists.busybox.net/pipermail/busybox/2025-November/091840.html > [4] https://security-tracker.debian.org/tracker/CVE-2025-60876
Thank for the patch. CVE-2025-60876 also impacts master and whinlatter. Please send a patch to master and, then, request a backport for stable branches. > > Signed-off-by: Livin Sunny <[email protected]> > --- > Changes in v2: > - Updated the commit message to include details from debian. > - Updated the upstream status to submitted. > --- > ...control-chars-in-URLs-CVE-2025-60876.patch | 42 +++++++++++++++++++ > meta/recipes-core/busybox/busybox_1.36.1.bb | 1 + > 2 files changed, 43 insertions(+) > create mode 100644 > meta/recipes-core/busybox/busybox/wget-disallow-control-chars-in-URLs-CVE-2025-60876.patch > > diff --git > a/meta/recipes-core/busybox/busybox/wget-disallow-control-chars-in-URLs-CVE-2025-60876.patch > > b/meta/recipes-core/busybox/busybox/wget-disallow-control-chars-in-URLs-CVE-2025-60876.patch > new file mode 100644 > index 0000000000..aafd0ec60b > --- /dev/null > +++ > b/meta/recipes-core/busybox/busybox/wget-disallow-control-chars-in-URLs-CVE-2025-60876.patch > @@ -0,0 +1,42 @@ > +From: Radoslav Kolev <[email protected]> > +Date: Fri, 21 Nov 2025 11:21:18 +0200 > +Subject: wget: don't allow control characters or spaces in the URL > +Bug-Debian: https://bugs.debian.org/1120795 > + > +Fixes CVE-2025-60876 malicious URL can be used to inject > +HTTP headers in the request. > + > +Signed-off-by: Radoslav Kolev <[email protected]> > +Reviewed-by: Emmanuel Deloget <[email protected]> > + > +Upstream-Status: Submitted > [https://lists.busybox.net/pipermail/busybox/2025-November/091840.html] > + > +CVE: CVE-2025-60876 > + > +Signed-off-by: Livin Sunny <[email protected]> > +--- > + networking/wget.c | 9 +++++++++ > + 1 file changed, 9 insertions(+) > + > +diff --git a/networking/wget.c b/networking/wget.c > +index ec3767793..fa555427b 100644 > +--- a/networking/wget.c > ++++ b/networking/wget.c > +@@ -536,6 +536,15 @@ static void parse_url(const char *src_url, struct > host_info *h) > + { > + char *url, *p, *sp; > + > ++ /* Fix for CVE-2025-60876 - don't allow control characters or spaces in > the URL */ > ++ /* otherwise a malicious URL can be used to inject HTTP headers in the > request */ > ++ const unsigned char *u = (void *) src_url; > ++ while (*u) { > ++ if (*u <= ' ') > ++ bb_simple_error_msg_and_die("Unencoded control > character found in the URL!"); > ++ u++; > ++ } > ++ > + free(h->allocated); > + h->allocated = url = xstrdup(src_url); > + > +-- > +2.47.3 > diff --git a/meta/recipes-core/busybox/busybox_1.36.1.bb > b/meta/recipes-core/busybox/busybox_1.36.1.bb > index d3f259d45b..b7a8ad2ed5 100644 > --- a/meta/recipes-core/busybox/busybox_1.36.1.bb > +++ b/meta/recipes-core/busybox/busybox_1.36.1.bb > @@ -61,6 +61,7 @@ SRC_URI = > "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \ > file://CVE-2023-39810.patch \ > file://CVE-2025-46394-01.patch \ > file://CVE-2025-46394-02.patch \ > + file://wget-disallow-control-chars-in-URLs-CVE-2025-60876.patch \ As a matter of conventions, name this file CVE-2025-60876.patch. > " > SRC_URI:append:libc-musl = " file://musl.cfg " > # TODO http://lists.busybox.net/pipermail/busybox/2023-January/090078.html > -- > 2.53.0 Regards, -- Yoann Congal Smile ECS
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#231719): https://lists.openembedded.org/g/openembedded-core/message/231719 Mute This Topic: https://lists.openembedded.org/mt/117920260/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
