Unverified Commit 582c53e6 authored by K900's avatar K900 Committed by GitHub

busybox: backport some security fixes (#490717)

parents 84265ce5 3aa07b8f
+14 −0
@@ -3,6 +3,7 @@
  lib,
  buildPackages,
  fetchurl,
  fetchpatch,
  fetchFromGitLab,
  enableStatic ? stdenv.hostPlatform.isStatic,
  enableMinimal ? false,
@@ -79,6 +80,19 @@ stdenv.mkDerivation rec {
    # Fix aarch64 build failure: sha1_process_block64_shaNI is x86-specific
    # https://lists.busybox.net/pipermail/busybox/2024-September/090943.html
    ./fix-aarch64-sha1.patch
    # archival: disallow path traversals (CVE-2023-39810)
    (fetchpatch {
      name = "CVE-2023-39810.patch";
      url = "https://git.busybox.net/busybox/patch/?id=9a8796436b9b0641e13480811902ea2ac57881d3";
      hash = "sha256-pOARbCwiucrkNITBoOMpLF3GniYvJiyBeBi2/Aw2JY8=";
    })
    # tar: strip unsafe hardlink components - GNU tar does the same
    (fetchpatch {
      name = "CVE-2026-26157_CVE-2026-26158.patch";
      url = "https://git.busybox.net/busybox/patch/?id=3fb6b31c716669e12f75a2accd31bb7685b1a1cb";
      excludes = [ "networking/httpd_ratelimit_cgi.c" ]; # New since release.
      hash = "sha256-Msm9sDZrVx7ofunnvnTS73SPKUUpR3Tv5xZ/wBd+rts=";
    })
  ]
  ++ lib.optional (stdenv.hostPlatform != stdenv.buildPlatform) ./clang-cross.patch;