Patch Detail
GET /api/patches/2196611/?format=api
{ "id": 2196611, "url": "http://patchwork.ozlabs.org/api/patches/2196611/?format=api", "web_url": "http://patchwork.ozlabs.org/project/buildroot/patch/20260215141716.34571-1-thomas.perale@mind.be/", "project": { "id": 27, "url": "http://patchwork.ozlabs.org/api/projects/27/?format=api", "name": "Buildroot development", "link_name": "buildroot", "list_id": "buildroot.buildroot.org", "list_email": "buildroot@buildroot.org", "web_url": "", "scm_url": "", "webscm_url": "", "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20260215141716.34571-1-thomas.perale@mind.be>", "list_archive_url": null, "date": "2026-02-15T14:17:16", "name": "[1/1] package/busybox: patch CVE-2025-60876", "commit_ref": null, "pull_url": null, "state": "accepted", "archived": false, "hash": "409f3ba13e1782f7e2f1dd317a949ae4dbe3e40d", "submitter": { "id": 87308, "url": "http://patchwork.ozlabs.org/api/people/87308/?format=api", "name": "Thomas Perale", "email": "thomas.perale@mind.be" }, "delegate": { "id": 89618, "url": "http://patchwork.ozlabs.org/api/users/89618/?format=api", "username": "juju", "first_name": "Julien", "last_name": "Olivain", "email": "juju@cotds.org" }, "mbox": "http://patchwork.ozlabs.org/project/buildroot/patch/20260215141716.34571-1-thomas.perale@mind.be/mbox/", "series": [ { "id": 492219, "url": "http://patchwork.ozlabs.org/api/series/492219/?format=api", "web_url": "http://patchwork.ozlabs.org/project/buildroot/list/?series=492219", "date": "2026-02-15T14:17:16", "name": "[1/1] package/busybox: patch CVE-2025-60876", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/492219/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2196611/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2196611/checks/", "tags": {}, "related": [], "content": "This commit fixes the following vulnerability:\n\n- CVE-2025-60876:\n BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0\n control bytes in the HTTP request-target (path/query), allowing the\n request line to be split and 
attacker-controlled headers to be\n injected. To preserve the HTTP/1.1 request-line shape METHOD SP\n request-target SP HTTP/1.1, a raw space (0x20) in the request-target\n must also be rejected (clients should use %20).\n\nFor more information, see:\n - https://www.cve.org/CVERecord?id=CVE-2025-60876\n - https://lists.busybox.net/pipermail/busybox/2025-November/091840.html\n - https://sources.debian.org/data/main/b/busybox/1%3A1.37.0-10/debian/patches/wget-disallow-control-chars-in-URLs-CVE-2025-60876.patch\n\nSigned-off-by: Thomas Perale <thomas.perale@mind.be>\n---\n ...trol-characters-or-spaces-in-the-URL.patch | 42 +++++++++++++++++++\n package/busybox/busybox.mk | 3 ++\n 2 files changed, 45 insertions(+)\n create mode 100644 package/busybox/0014-wget-dont-allow-control-characters-or-spaces-in-the-URL.patch", "diff": "diff --git a/package/busybox/0014-wget-dont-allow-control-characters-or-spaces-in-the-URL.patch b/package/busybox/0014-wget-dont-allow-control-characters-or-spaces-in-the-URL.patch\nnew file mode 100644\nindex 0000000000..d0a31ed821\n--- /dev/null\n+++ b/package/busybox/0014-wget-dont-allow-control-characters-or-spaces-in-the-URL.patch\n@@ -0,0 +1,42 @@\n+From: Radoslav Kolev <radoslav.kolev@suse.com>\n+Date: Fri, 21 Nov 2025 11:21:18 +0200\n+Subject: wget: don't allow control characters or spaces in the URL\n+Forwarded: yes, https://lists.busybox.net/pipermail/busybox/2025-November/091840.html\n+Bug-Debian: https://bugs.debian.org/1120795\n+\n+Fixes CVE-2025-60876 malicious URL can be used to inject\n+HTTP headers in the request.\n+\n+Signed-off-by: Radoslav Kolev <radoslav.kolev@suse.com>\n+Reviewed-by: Emmanuel Deloget <logout@free.fr>\n+Upstream: https://sources.debian.org/data/main/b/busybox/1%3A1.37.0-10/debian/patches/wget-disallow-control-chars-in-URLs-CVE-2025-60876.patch\n+Upstream: https://lists.busybox.net/pipermail/busybox/2025-November/091840.html\n+CVE: CVE-2025-60876\n+Signed-off-by: Thomas Perale <thomas.perale@mind.be>\n+---\n+ 
networking/wget.c | 9 +++++++++\n+ 1 file changed, 9 insertions(+)\n+\n+diff --git a/networking/wget.c b/networking/wget.c\n+index ec3767793..fa555427b 100644\n+--- a/networking/wget.c\n++++ b/networking/wget.c\n+@@ -536,6 +536,15 @@ static void parse_url(const char *src_url, struct host_info *h)\n+ {\n+ \tchar *url, *p, *sp;\n+ \n++\t/* Fix for CVE-2025-60876 - don't allow control characters or spaces in the URL */\n++\t/* otherwise a malicious URL can be used to inject HTTP headers in the request */\n++\tconst unsigned char *u = (void *) src_url;\n++\twhile (*u) {\n++\t\tif (*u <= ' ')\n++\t\t\tbb_simple_error_msg_and_die(\"Unencoded control character found in the URL!\");\n++\t\tu++;\n++\t}\n++\n+ \tfree(h->allocated);\n+ \th->allocated = url = xstrdup(src_url);\n+ \n+-- \n+2.47.3\n+\ndiff --git a/package/busybox/busybox.mk b/package/busybox/busybox.mk\nindex 7ae9c1d41e..a33548c355 100644\n--- a/package/busybox/busybox.mk\n+++ b/package/busybox/busybox.mk\n@@ -19,6 +19,9 @@ BUSYBOX_IGNORE_CVES += CVE-2022-28391\n # 0013-testsuite-tar-tests-fix-test-after-cve-2025-46394.patch\n BUSYBOX_IGNORE_CVES += CVE-2025-46394\n \n+# 0014-wget-dont-allow-control-characters-or-spaces-in-the-URL.patch\n+BUSYBOX_IGNORE_CVES += CVE-2025-60876\n+\n BUSYBOX_CFLAGS = \\\n \t$(TARGET_CFLAGS)\n \n", "prefixes": [ "1/1" ] }
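Review bot: in the parse_url() hunk carried by 0014-wget-dont-allow-control-characters-or-spaces-in-the-URL.patch, the error text "Unencoded control character found in the URL!" does not match what `*u <= ' '` rejects, because a plain space (0x20) also takes that branch; a user who passes a URL with a literal space gets a message about control characters. Wording it as "control character or space" would match both the check and the patch subject. The same comparison lets DEL (0x7F) through, which is consistent with the commit message's stated scope of C0 bytes and space, but it is worth a short comment in the code saying that this is intended. On style, the cast `(void *) src_url` discards the const qualifier before the value is assigned to `const unsigned char *u`; `(const unsigned char *) src_url` expresses the same thing and stays clean under -Wcast-qual. Since the hunk is taken from the Debian patch named in the Upstream: lines, these are better raised there than changed locally.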