Unverified Commit 3aa07b8f authored by Alyssa Ross's avatar Alyssa Ross

busybox: backport tar hardlink security fix

Fixes: CVE-2026-26157
Fixes: CVE-2026-26158
Closes: https://github.com/NixOS/nixpkgs/issues/490697
Closes: https://github.com/NixOS/nixpkgs/issues/490699
parent 675a2272
+7 −0
@@ -86,6 +86,13 @@ stdenv.mkDerivation rec {
      url = "https://git.busybox.net/busybox/patch/?id=9a8796436b9b0641e13480811902ea2ac57881d3";
      hash = "sha256-pOARbCwiucrkNITBoOMpLF3GniYvJiyBeBi2/Aw2JY8=";
    })
    # tar: strip unsafe hardlink components - GNU tar does the same
    (fetchpatch {
      name = "CVE-2026-26157_CVE-2026-26158.patch";
      url = "https://git.busybox.net/busybox/patch/?id=3fb6b31c716669e12f75a2accd31bb7685b1a1cb";
      excludes = [ "networking/httpd_ratelimit_cgi.c" ]; # New since release.
      hash = "sha256-Msm9sDZrVx7ofunnvnTS73SPKUUpR3Tv5xZ/wBd+rts=";
    })
  ]
  ++ lib.optional (stdenv.hostPlatform != stdenv.buildPlatform) ./clang-cross.patch;
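Review bot: The `excludes` comment on the new fetchpatch entry, `# New since release.`, does not tell a later reader whether the dropped hunk is part of the security fix. From its path, `networking/httpd_ratelimit_cgi.c` looks unrelated to tar, but that should be confirmed against the upstream commit and then stated, e.g. `# File does not exist in this release; the dropped hunk is not part of the tar fix.`. That records that the backport still carries the full hardlink change for both CVEs, and tells whoever bumps the version that the whole entry can go, not just the exclude. The `patches` list begins outside this hunk.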