Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package busybox for openSUSE:Factory checked in at 2025-12-20 21:45:22
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/busybox (Old)
 and      /work/SRC/openSUSE:Factory/.busybox.new.1928 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "busybox" Sat Dec 20 21:45:22 2025 rev:94 rq:1323642 version:1.37.0 Changes: -------- --- /work/SRC/openSUSE:Factory/busybox/busybox.changes 2025-08-14 11:36:16.851975615 +0200 +++ /work/SRC/openSUSE:Factory/.busybox.new.1928/busybox.changes 2025-12-20 21:45:40.557171752 +0100 @@ -1,0 +2,11 @@ +Fri Dec 19 07:56:40 UTC 2025 - Radoslav Kolev <[email protected]> + +- Fix tar hidden files via escape sequence (CVE-2025-46394, bsc#1241661) + * 0001-archival-libarchive-sanitize-filenames-on-output-pre.patch +- Fix HTTP request header injection in wget (CVE-2025-60876, bsc#1253245) + * wget-don-t-allow-control-characters-in-url.patch +- Set CONFIG_FIRST_SYSTEM_ID to 201 to avoid confclict (bsc#1236670) +- Fix unshare -mrpf sh core dump on ppc64le (bsc#1249237) + * 0001-nsenter-unshare-don-t-use-xvfork_parent_waits_and_ex.patch + +------------------------------------------------------------------- New: ---- 0001-archival-libarchive-sanitize-filenames-on-output-pre.patch 0001-nsenter-unshare-don-t-use-xvfork_parent_waits_and_ex.patch wget-don-t-allow-control-characters-in-url.patch ----------(New B)---------- New:- Fix tar hidden files via escape sequence (CVE-2025-46394, bsc#1241661) * 0001-archival-libarchive-sanitize-filenames-on-output-pre.patch - Fix HTTP request header injection in wget (CVE-2025-60876, bsc#1253245) New:- Fix unshare -mrpf sh core dump on ppc64le (bsc#1249237) * 0001-nsenter-unshare-don-t-use-xvfork_parent_waits_and_ex.patch New:- Fix HTTP request header injection in wget (CVE-2025-60876, bsc#1253245) * wget-don-t-allow-control-characters-in-url.patch - Set CONFIG_FIRST_SYSTEM_ID to 201 to avoid confclict (bsc#1236670) ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ busybox.spec ++++++ --- /var/tmp/diff_new_pack.2L2LIZ/_old 2025-12-20 21:45:41.961229845 +0100 +++ /var/tmp/diff_new_pack.2L2LIZ/_new 2025-12-20 21:45:41.961229845 +0100 
@@ -1,7 +1,7 @@ # # spec file for package busybox # -# Copyright (c) 2025 SUSE LLC +# Copyright (c) 2025 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -57,6 +57,12 @@ Patch11: busybox-1.37.0-hexdump-add-tests-for-x-handle-little-big-endian-pro.patch # PATCH-FIX-UPSTREAM - Fix adduser inside containers (boo#1247779) Patch12: 0001-update_passwd-Avoid-selinux_preserve_fcontext-if-SEL.patch +# PATCH-FIX-UPSTREAM - Fix bsc#1241661 (CVE-2025-46394), from upstream commit f5e1bf966 +Patch13: 0001-archival-libarchive-sanitize-filenames-on-output-pre.patch +# PATCH-FIX-UPSTREAM - Fix bsc#1253245 (CVE-2025-60876), submitted to mailing list +Patch14: wget-don-t-allow-control-characters-in-url.patch +# PATCH-FIX-UPSTREAM - Fix bsc#1249237, from upstream commit 362159593 +Patch15: 0001-nsenter-unshare-don-t-use-xvfork_parent_waits_and_ex.patch # other patches Patch100: busybox.install.patch ++++++ 0001-archival-libarchive-sanitize-filenames-on-output-pre.patch ++++++ >From f5e1bf966b19ea1821f00a8c9ecd7774598689b4 Mon Sep 17 00:00:00 2001 From: Denys Vlasenko <[email protected]> Date: Wed, 24 Sep 2025 03:28:47 +0200 Subject: [PATCH 1/1] archival/libarchive: sanitize filenames on output (prevent control sequence attacks This fixes CVE-2025-46394 (terminal escape sequence injection) Original credit: Ian.Norton at entrust.com function old new delta header_list 9 15 +6 header_verbose_list 239 244 +5 ------------------------------------------------------------------------------ (add/remove: 0/0 grow/shrink: 2/0 up/down: 11/0) Total: 11 bytes Signed-off-by: Denys Vlasenko <[email protected]> --- archival/libarchive/header_list.c | 2 +- archival/libarchive/header_verbose_list.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/archival/libarchive/header_list.c b/archival/libarchive/header_list.c index 0621aa406..9490b3635 100644 
--- a/archival/libarchive/header_list.c +++ b/archival/libarchive/header_list.c @@ -8,5 +8,5 @@ void FAST_FUNC header_list(const file_header_t *file_header) { //TODO: cpio -vp DIR should output "DIR/NAME", not just "NAME" */ - puts(file_header->name); + puts(printable_string(file_header->name)); } diff --git a/archival/libarchive/header_verbose_list.c b/archival/libarchive/header_verbose_list.c index a575a08a0..e7a09430d 100644 --- a/archival/libarchive/header_verbose_list.c +++ b/archival/libarchive/header_verbose_list.c @@ -57,13 +57,13 @@ void FAST_FUNC header_verbose_list(const file_header_t *file_header) ptm->tm_hour, ptm->tm_min, ptm->tm_sec, - file_header->name); + printable_string(file_header->name)); #endif /* FEATURE_TAR_UNAME_GNAME */ /* NB: GNU tar shows "->" for symlinks and "link to" for hardlinks */ if (file_header->link_target) { - printf(" -> %s", file_header->link_target); + printf(" -> %s", printable_string(file_header->link_target)); } bb_putchar('\n'); } -- 2.51.1 ++++++ 0001-nsenter-unshare-don-t-use-xvfork_parent_waits_and_ex.patch ++++++ >From 3621595939e43a831d66f6b757d4f410029bff95 Mon Sep 17 00:00:00 2001 From: Denys Vlasenko <[email protected]> Date: Wed, 8 Oct 2025 14:49:26 +0200 Subject: [PATCH 1/1] nsenter,unshare: don't use xvfork_parent_waits_and_exits(), it SEGVs on ppc64le Signed-off-by: Denys Vlasenko <[email protected]> --- libbb/xfuncs_printf.c | 9 +++++++++ util-linux/nsenter.c | 9 ++++++++- util-linux/unshare.c | 9 ++++++++- 3 files changed, 25 insertions(+), 2 deletions(-) diff --git a/libbb/xfuncs_printf.c b/libbb/xfuncs_printf.c index 842d10cd2..d413c81e8 100644 --- a/libbb/xfuncs_printf.c +++ b/libbb/xfuncs_printf.c 
@@ -696,6 +696,14 @@ pid_t FAST_FUNC xfork(void) } #endif +#if 0 +/* DO NOT DO THIS. This can't be a function. + * It works on some arches (x86) but fails on others (ppc64le: SEGV). + * The reason is: the child returns from this function + * and likely pops up the stack in an arch-dependent way. + * When child eventually exits or execs, parent "reappear" + * in the now-unwound stack (!) and the behavior is undefined. + */ void FAST_FUNC xvfork_parent_waits_and_exits(void) { pid_t pid; @@ -711,6 +719,7 @@ void FAST_FUNC xvfork_parent_waits_and_exits(void) } /* Child continues */ } +#endif // Useful when we do know that pid is valid, and we just want to wait // for it to exit. Not existing pid is fatal. waitpid() status is not returned. diff --git a/util-linux/nsenter.c b/util-linux/nsenter.c index 9a250e43c..425d5175f 100644 --- a/util-linux/nsenter.c +++ b/util-linux/nsenter.c @@ -251,7 +251,14 @@ int nsenter_main(int argc UNUSED_PARAM, char **argv) * explicitly requested by the user not to. */ if (!(opts & OPT_nofork) && (opts & OPT_pid)) { - xvfork_parent_waits_and_exits(); + pid_t pid = xvfork(); + if (pid > 0) { + /* Parent */ + int exit_status = wait_for_exitstatus(pid); + if (WIFSIGNALED(exit_status)) + kill_myself_with_sig(WTERMSIG(exit_status)); + return WEXITSTATUS(exit_status); + } /* Child continues */ } diff --git a/util-linux/unshare.c b/util-linux/unshare.c index a9f56f388..f58cdd93e 100644 --- a/util-linux/unshare.c +++ b/util-linux/unshare.c 
@@ -333,7 +333,14 @@ int unshare_main(int argc UNUSED_PARAM, char **argv) * that'll become PID 1 in this new namespace. */ if (opts & OPT_fork) { - xvfork_parent_waits_and_exits(); + pid_t pid = xvfork(); + if (pid > 0) { + /* Parent */ + int exit_status = wait_for_exitstatus(pid); + if (WIFSIGNALED(exit_status)) + kill_myself_with_sig(WTERMSIG(exit_status)); + return WEXITSTATUS(exit_status); + } /* Child continues */ } -- 2.51.1 ++++++ busybox.config ++++++ --- /var/tmp/diff_new_pack.2L2LIZ/_old 2025-12-20 21:45:42.065234148 +0100 +++ /var/tmp/diff_new_pack.2L2LIZ/_new 2025-12-20 21:45:42.069234314 +0100 @@ -536,7 +536,7 @@ CONFIG_ADDUSER=y # CONFIG_FEATURE_CHECK_NAMES is not set CONFIG_LAST_ID=65535 -CONFIG_FIRST_SYSTEM_ID=101 +CONFIG_FIRST_SYSTEM_ID=201 CONFIG_LAST_SYSTEM_ID=999 CONFIG_CHPASSWD=y CONFIG_FEATURE_DEFAULT_PASSWD_ALGO="sha512" ++++++ wget-don-t-allow-control-characters-in-url.patch ++++++ >From 9904185c589bb43f0c7f129bd16e885b140ae931 Mon Sep 17 00:00:00 2001 From: Radoslav Kolev <[email protected]> Date: Wed, 12 Nov 2025 19:46:15 +0200 Subject: [PATCH v2 1/1] wget: don't allow control characters or spaces in the URL Fixes CVE-2025-60876 malicious URL can be used to inject HTTP headers in the request. Signed-off-by: Radoslav Kolev <[email protected]> Reviewed-by: Emmanuel Deloget <[email protected]> --- networking/wget.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/networking/wget.c b/networking/wget.c index ec3767793..fa555427b 100644 --- a/networking/wget.c +++ b/networking/wget.c 
@@ -536,6 +536,15 @@ static void parse_url(const char *src_url, struct host_info *h) { char *url, *p, *sp; + /* Fix for CVE-2025-60876 - don't allow control characters or spaces in the URL */ + /* otherwise a malicious URL can be used to inject HTTP headers in the request */ + const unsigned char *u = (void *) src_url; + while (*u) { + if (*u <= ' ') + bb_simple_error_msg_and_die("Unencoded control character found in the URL!"); + u++; + } + free(h->allocated); h->allocated = url = xstrdup(src_url); -- 2.51.1
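Review bot: In the busybox.changes hunk, the bsc#1236670 entry misspells "conflict" as "confclict"; suggest correcting it to "Set CONFIG_FIRST_SYSTEM_ID to 201 to avoid conflict (bsc#1236670)" before the request is accepted, since the changelog text ends up in the package metadata.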
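Review bot: The header_list.c and header_verbose_list.c hunks only sanitize the listing path (the puts() of file_header->name and the name and link_target printf() calls in the verbose lister), and the diffstat shows no other file is touched; before treating CVE-2025-46394 as fully closed, confirm that no other code path writes an archive-supplied name to the terminal unfiltered (for example diagnostics that echo the entry name), and route any such place through printable_string() as well. Two small points while this code is being edited: the pre-existing context line `//TODO: cpio -vp DIR should output "DIR/NAME", not just "NAME" */` carries a stray `*/`, and the patch subject "(prevent control sequence attacks" is missing its closing parenthesis.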
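Review bot: The xfuncs_printf.c hunk wraps xvfork_parent_waits_and_exits() in `#if 0`, but the diffstat (libbb/xfuncs_printf.c, util-linux/nsenter.c, util-linux/unshare.c) shows no header change, so if the prototype is still declared in libbb's header a future caller will compile cleanly and only fail at link time, without ever seeing the "DO NOT DO THIS" rationale written here. Suggest disabling or removing the declaration in the same commit and moving the explanatory comment next to it, so the warning is found where the function is looked up.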
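Review bot: The nsenter.c and unshare.c hunks add the same parent branch verbatim (`pid_t pid = xvfork();`, `wait_for_exitstatus(pid)`, `kill_myself_with_sig(WTERMSIG(exit_status))` on WIFSIGNALED, `return WEXITSTATUS(exit_status);`), which is the kind of duplication that drifts apart later. Since the reason for dropping the libbb helper is that the vfork child must not return from a function, a libbb macro that expands the block in place in each main() would keep a single copy of the logic without reintroducing the stack-unwinding problem described in the xfuncs_printf.c comment. Both hunks also change behaviour from exiting inside the helper to returning from *_main(); that is fine as long as nothing after the `if` block is expected to run only in the child, which the `/* Child continues */` context suggests is the intent.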
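Review bot: In the wget.c hunk the loop rejects every byte `<= ' '`, which catches CR, LF, TAB and the space the subject line mentions, but not DEL (0x7F), which is also a control character; suggest `if (*u <= ' ' || *u == 0x7f)`. The message "Unencoded control character found in the URL!" is also misleading for the space case, since a bare space is not a control character; "Unencoded control character or space in the URL" would match the commit subject. The check sits at the top of parse_url() before the xstrdup(), so it applies to every URL that is parsed; it is worth confirming in testing that a server-supplied redirect target goes through the same function, so that a Location header cannot reintroduce the injection the patch closes for the command line URL.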
