
busybox: Handle CVE-2025-60876 #515158

Merged: vcunat merged 1 commit into NixOS:staging-next from samueldr-at-cyberus:security/unstable/busybox-CVE-2025-60876 on May 20, 2026

Conversation

samueldr-at-cyberus (Contributor) commented Apr 30, 2026

Handle CVE-2025-60876 for busybox's wget applet by using the current most up-to-date fix from their ML.

The patch is the one used by Debian (search for wget-disallow-control-chars-in-URLs-CVE-2025-60876.patch), but taken directly from the busybox mailing list archive.

curl --silent -L \
  'https://lists.busybox.net/pipermail/busybox/2025-November.txt.gz' \
  | gunzip \
  | grep -B7 -A32 'Message-ID: <20251121092118.3562853-2-radoslav.kolev@suse.com>' \
  > pkgs/os-specific/linux/busybox/CVE-2025-60876.patch

Things done

Since there's no package tests, my testing was limited to nix-build --attr busybox on nixos-unstable.

  • Built on platform:
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • Tested, as applicable:
  • Ran nixpkgs-review on this PR. See nixpkgs-review usage.
  • Tested basic functionality of all binary files, usually in ./result/bin/.
  • Nixpkgs Release Notes
    • Package update: when the change is major or breaking.
  • NixOS Release Notes
    • Module addition: when adding a new NixOS module.
    • Module update: when the change is significant.
  • Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other READMEs.
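
An added example, not part of the PR or of nixpkgs: the `grep -B7 -A32` step in the description depends on fixed line counts around the match, so this version selects the message by parsing its headers and writes a patch file only when exactly one message matched and it contains a diff. The function names and the two-message sample archive are constructed for illustration.

```sh
# Print the one message in mbox file $1 whose Message-ID header equals $2.
# Fails unless exactly one matches. Assumes only separators start with "From ".
extract_msg() {
  awk -v want="$2" '
    function emit() {
      if (hit) { printf "%s", buf; found++ }
      buf = ""; hit = 0; in_hdr = 1
    }
    /^From / { emit() }                # separator: a new message starts
    in_hdr && /^$/ { in_hdr = 0 }      # first blank line ends the headers
    in_hdr && tolower($0) ~ /^message-id:/ {
      id = $0; sub(/^[^:]*:[ \t]*/, "", id); sub(/[ \t\r]+$/, "", id)
      if (id == want) hit = 1
    }
    { buf = buf $0 "\n" }
    END { emit(); exit (found == 1 ? 0 : 1) }
  ' "$1"
}

# Write the message to $3 only if it was found once and carries a diff.
save_patch() {
  tmp=$(mktemp) || return 1
  if extract_msg "$1" "$2" > "$tmp" && grep -Eq '^(diff --git |--- a/)' "$tmp"; then
    mv "$tmp" "$3"
  else
    rm -f "$tmp"; return 1
  fi
}

# Constructed two-message archive in the mbox-like layout of a list archive.
sample_mbox() {
  cat <<'EOF'
From alice at example.invalid  Fri Nov 21 09:00:00 2025
Subject: [PATCH 0/1] cover letter
Message-ID: <constructed-1@example.invalid>

The fix is in Message-ID: <constructed-2@example.invalid>

From alice at example.invalid  Fri Nov 21 09:00:01 2025
Subject: [PATCH 1/1] example change
Message-ID: <constructed-2@example.invalid>

--- a/a.c
+++ b/a.c
@@ -1 +1,2 @@
 int x;
+int y;
EOF
}
```

In the sample, a plain `grep` for the second Message-ID also hits the cover letter's body line, while the header-aware match returns only the patch message.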

@samueldr-at-cyberus samueldr-at-cyberus marked this pull request as draft April 30, 2026 20:07
curl --silent -L \
  'https://lists.busybox.net/pipermail/busybox/2025-November.txt.gz' \
  | gunzip \
  | grep -B7 -A32 'Message-ID: <20251121092118.3562853-2-radoslav.kolev@suse.com>' \
  > pkgs/os-specific/linux/busybox/CVE-2025-60876.patch
@samueldr-at-cyberus samueldr-at-cyberus force-pushed the security/unstable/busybox-CVE-2025-60876 branch from 9022f90 to ab5d8f2 Compare April 30, 2026 20:09
@samueldr-at-cyberus samueldr-at-cyberus changed the base branch from master to staging April 30, 2026 20:09
@samueldr-at-cyberus samueldr-at-cyberus marked this pull request as ready for review April 30, 2026 20:09
@nixpkgs-ci nixpkgs-ci Bot closed this Apr 30, 2026
@nixpkgs-ci nixpkgs-ci Bot reopened this Apr 30, 2026
@nixpkgs-ci nixpkgs-ci Bot requested review from a team, TethysSvensson, alyssais and balsoft and removed request for a team April 30, 2026 20:17
@nixpkgs-ci nixpkgs-ci Bot added 10.rebuild-linux: 101-500 This PR causes between 101 and 500 packages to rebuild on Linux. 10.rebuild-darwin: 1-10 This PR causes between 1 and 10 packages to rebuild on Darwin. 10.rebuild-nixos-tests This PR causes rebuilds for all NixOS tests and should normally target the staging branches. labels Apr 30, 2026
@nixpkgs-ci nixpkgs-ci Bot requested a review from a team April 30, 2026 20:44
balsoft (Member) commented May 1, 2026

> Since there's no package tests, my testing was limited to nix-build --attr busybox on nixos-unstable.

Consider helping to rectify this by reviewing #467609 :)

@nixpkgs-ci nixpkgs-ci Bot added 12.approvals: 1 This PR was reviewed and approved by one person. 12.approved-by: package-maintainer This PR was reviewed and approved by a maintainer listed in any of the changed packages. labels May 1, 2026
@balsoft balsoft moved this from Needs Review to Reviewed in Nixpkgs security review May 1, 2026
@samueldr-at-cyberus samueldr-at-cyberus mentioned this pull request May 1, 2026
13 tasks

alyssais (Member) left a comment

This should go to staging-nixos.

@nixpkgs-ci nixpkgs-ci Bot added 12.approvals: 2 This PR was reviewed and approved by two persons. and removed 12.approvals: 1 This PR was reviewed and approved by one person. labels May 2, 2026
@vcunat vcunat changed the base branch from staging to staging-next May 20, 2026 11:09
@nixpkgs-ci nixpkgs-ci Bot closed this May 20, 2026
@nixpkgs-ci nixpkgs-ci Bot reopened this May 20, 2026
@vcunat vcunat added this pull request to the merge queue May 20, 2026
Merged via the queue into NixOS:staging-next with commit 1d39c6e May 20, 2026
68 of 71 checks passed
@samueldr-at-cyberus samueldr-at-cyberus deleted the security/unstable/busybox-CVE-2025-60876 branch June 3, 2026 16:29