openRuyi-tutorials/buildroot
6
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
buildroot/package/busybox
T
History
Thomas Perale 073c6af03e package/busybox: patch CVE-2025-60876 
This commit fixes the following vulenerability:

- CVE-2025-60876:
    BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0
    control bytes in the HTTP request-target (path/query), allowing the
    request line to be split and attacker-controlled headers to be
    injected. To preserve the HTTP/1.1 request-line shape METHOD SP
    request-target SP HTTP/1.1, a raw space (0x20) in the request-target
    must also be rejected (clients should use %20).

For more information, see:
    - https://www.cve.org/CVERecord?id=CVE-2025-60876
    - https://lists.busybox.net/pipermail/busybox/2025-November/091840.html
    - https://sources.debian.org/data/main/b/busybox/1%3A1.37.0-10/debian/patches/wget-disallow-control-chars-in-URLs-CVE-2025-60876.patch

Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
2026-02-15 16:29:57 +01:00
..
0001-networking-libiproute-use-linux-if_packet.h-instead-.patch
package/busybox bump version to 1.37.0
2025-02-04 09:55:25 +01:00
0002-Makefile.flags-strip-non-l-arguments-returned-by-pkg.patch
package/busybox bump version to 1.37.0
2025-02-04 09:55:25 +01:00
0003-libbb-sockaddr2str-ensure-only-printable-characters-.patch
package/busybox bump version to 1.37.0
2025-02-04 09:55:25 +01:00
0004-nslookup-sanitize-all-printed-strings-with-printable.patch
package/busybox bump version to 1.37.0
2025-02-04 09:55:25 +01:00
0005-seedrng-fix-getrandom-detection-for-non-glibc-libc.patch
package/busybox bump version to 1.37.0
2025-02-04 09:55:25 +01:00
0006-menuconfig-GCC-failing-saying-ncurses-is-not-found.patch
package/busybox bump version to 1.37.0
2025-02-04 09:55:25 +01:00
0007-tc-Fix-compilation-with-Linux-v6.8-rc1.patch
package/busybox bump version to 1.37.0
2025-02-04 09:55:25 +01:00
0008-awk.c-fix-CVE-2023-42366-bug-15874.patch
package/busybox bump version to 1.37.0
2025-02-04 09:55:25 +01:00
0009-hwclock-Check-for-SYS_settimeofday-before-calling-sy.patch
package/busybox bump version to 1.37.0
2025-02-04 09:55:25 +01:00
0010-libbb-sha-add-missing-sha-NI-guard.patch
package/busybox bump version to 1.37.0
2025-02-04 09:55:25 +01:00
0011-syslogd-fix-wrong-OPT_locallog-flag-detection.patch
package/busybox bump version to 1.37.0
2025-02-04 09:55:25 +01:00
0012-archival-libarchive-sanitize-filenames-on-output.patch
package/busybox: add patch for CVE-2025-46394
2026-02-02 22:17:08 +01:00
0013-testsuite-tar-tests-fix-test-after-cve-2025-46394.patch
package/busybox: add patch for CVE-2025-46394
2026-02-02 22:17:08 +01:00
0014-wget-dont-allow-control-characters-or-spaces-in-the-URL.patch
package/busybox: patch CVE-2025-60876
2026-02-15 16:29:57 +01:00
busybox-minimal.config
package/busybox: save shell history only on exit
2025-04-21 23:52:18 +02:00
busybox.config
package/busybox: save shell history only on exit
2025-04-21 23:52:18 +02:00
busybox.hash
package/busybox bump version to 1.37.0
2025-02-04 09:55:25 +01:00
busybox.mk
package/busybox: patch CVE-2025-60876
2026-02-15 16:29:57 +01:00
Config.in
package/busybox: add httpd server startup script
2025-08-29 12:15:18 +02:00
inittab
mdev.conf
S01syslogd
S02klogd
package/busybox: tidy up klogd init script
2026-01-01 10:30:29 +01:00
S02sysctl
S10mdev
S15watchdog
S41ifplugd
S50crond
package/busybox: fix path for crond binary in S50crond during stop
2025-06-01 16:47:51 +02:00
S50telnet
S90httpd
package/busybox: add httpd server startup script
2025-08-29 12:15:18 +02:00
telnetd.service
udhcpc.script