This addresses CVE-2025-60876[1], which allows malicious URLs to inject HTTP headers. It has been accepted by Debian[2] and is tracked here [4]. The upstream fix has been submitted [3] and is pending merge.
[1] https://nvd.nist.gov/vuln/detail/CVE-2025-60876 [2] https://bugs.debian.org/1120795 [3] https://lists.busybox.net/pipermail/busybox/2025-November/091840.html [4] https://security-tracker.debian.org/tracker/CVE-2025-60876 Upstream-Status: Submitted [https://lists.busybox.net/pipermail/busybox/2025-November/0918 40.html] Signed-off-by: Livin Sunny <[email protected]> --- .../busybox/busybox/CVE-2025-60876.patch | 42 +++++++++++++++++++ meta/recipes-core/busybox/busybox_1.37.0.bb | 1 + 2 files changed, 43 insertions(+) create mode 100644 meta/recipes-core/busybox/busybox/CVE-2025-60876.patch diff --git a/meta/recipes-core/busybox/busybox/CVE-2025-60876.patch b/meta/recipes-core/busybox/busybox/CVE-2025-60876.patch new file mode 100644 index 0000000000..1cf29680e0 --- /dev/null +++ b/meta/recipes-core/busybox/busybox/CVE-2025-60876.patch @@ -0,0 +1,42 @@ +From: Radoslav Kolev <[email protected]> +Date: Fri, 21 Nov 2025 11:21:18 +0200 +Subject: wget: don't allow control characters or spaces in the URL +Bug-Debian: https://bugs.debian.org/1120795 + +Fixes CVE-2025-60876 malicious URL can be used to inject +HTTP headers in the request. + +Signed-off-by: Radoslav Kolev <[email protected]> +Reviewed-by: Emmanuel Deloget <[email protected]> + +Upstream-Status: Submitted [https://lists.busybox.net/pipermail/busybox/2025-November/091840.html] + +CVE: CVE-2025-60876 + +Signed-off-by: Livin Sunny <[email protected]> +--- + networking/wget.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/networking/wget.c b/networking/wget.c +index ec3767793..fa555427b 100644 +--- a/networking/wget.c ++++ b/networking/wget.c +@@ -536,6 +536,15 @@ static void parse_url(const char *src_url, struct host_info *h) + { + char *url, *p, *sp; + ++ /* Fix for CVE-2025-60876 - don't allow control characters or spaces in the URL */ ++ /* otherwise a malicious URL can be used to inject HTTP headers in the request */ ++ const unsigned char *u = (void *) src_url; ++ while (*u) { ++ if (*u <= ' ') ++ bb_simple_error_msg_and_die("Unencoded control character found in the URL!"); ++ u++; ++ } ++ + free(h->allocated); + h->allocated = url = xstrdup(src_url); + +-- +2.47.3 diff --git a/meta/recipes-core/busybox/busybox_1.37.0.bb b/meta/recipes-core/busybox/busybox_1.37.0.bb index 9e6a7b7b4c..d3851a27b9 100644 --- a/meta/recipes-core/busybox/busybox_1.37.0.bb +++ b/meta/recipes-core/busybox/busybox_1.37.0.bb @@ -58,6 +58,7 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \ file://0001-busybox-Add-awk-gsub-erroneous-word-start-match-test.patch \ file://CVE-2025-46394-01.patch \ file://CVE-2025-46394-02.patch \ + file://CVE-2025-60876.patch \ " SRC_URI:append:libc-musl = " file://musl.cfg" SRC_URI:append:x86-64 = " file://sha_accel.cfg" -- 2.53.0
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#232117): https://lists.openembedded.org/g/openembedded-core/message/232117 Mute This Topic: https://lists.openembedded.org/mt/118039209/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
