Unverified Commit a8f8a8fc authored by Alyssa Ross's avatar Alyssa Ross
Browse files

busybox: apply Alpine's patch for tar TOCTOU 

Link: https://lists.busybox.net/pipermail/busybox/2025-August/091665.html
parent 38178ed2

pkgs/os-specific/linux/busybox/default.nix

+4 −0
Original line number Diff line number Diff line
@@ -106,6 +106,10 @@ stdenv.mkDerivation rec { 
      url = "https://git.alpinelinux.org/aports/plain/main/busybox/CVE-2023-42364-CVE-2023-42365.patch?id=8a4bf5971168bf48201c05afda7bee0fbb188e13";

      hash = "sha256-nQPgT9eA1asCo38Z9X7LR9My0+Vz5YBPba3ARV3fWcc=";

    })

    (fetchurl {

      url = "https://git.alpinelinux.org/aports/plain/main/busybox/0001-tar-fix-TOCTOU-symlink-race-condition.patch?id=9e42dea5fba84a8afad1f1910b7d3884128a567e";

      hash = "sha256-GmXQhwB1/IPVjXXpGi5RjRvuGJgIMIb7lQKB63m306g=";

    })

  ]

  ++ lib.optional (stdenv.hostPlatform != stdenv.buildPlatform) ./clang-cross.patch;