| From | Bastian Blank <waldi@debian.org> |
|---|---|
| Newsgroups | linux.debian.bugs.dist, linux.debian.maint.boot |
| Subject | Bug#1120795: busybox: CVE-2025-60876 |
| Date | 2025-11-16 14:40 +0100 |
| Message-ID | <LRL8Z-dpcp-3@gated-at.bofh.it> (permalink) |
| References | <LRKPE-dp5H-9@gated-at.bofh.it> <LRKPE-dp5H-9@gated-at.bofh.it> |
| Organization | linux.* mail to news gateway |
Cross-posted to 2 groups.
On Sun, Nov 16, 2025 at 02:16:03PM +0100, Moritz Mühlenhoff wrote:
> CVE-2025-60876[0]:
> | BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other
> | C0 control bytes in the HTTP request-target (path/query), allowing
> | the request line to be split and attacker-controlled headers to be
> | injected. To preserve the HTTP/1.1 request-line shape METHOD SP
> | request-target SP HTTP/1.1, a raw space (0x20) in the request-target
> | must also be rejected (clients should use %20).

They talk about the URL provided on the command line? Where is the
attacker in this view?

Bastian

-- 
A father doesn't destroy his children.
		-- Lt. Carolyn Palamas, "Who Mourns for Adonais?",
		   stardate 3468.1.
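The request-target check that the quoted CVE text calls for, as an added example that is not part of the original message and is not BusyBox's code. The function names `target_is_safe` and `build_request_line` and the sample targets are hypothetical, constructed for illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not a BusyBox function. Returns 1 when the target may
 * be placed in "METHOD SP request-target SP HTTP/1.1", 0 otherwise.
 * Rejects C0 controls (0x00-0x1F, which covers CR and LF) and raw SP (0x20),
 * as the CVE text describes. Rejecting DEL (0x7F) and an empty target is an
 * assumption of this example, not something the CVE text states. */
int target_is_safe(const char *target, size_t len)
{
    if (len == 0)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)target[i];
        if (c <= 0x20 || c == 0x7F)
            return 0;
    }
    return 1;
}

/* Writes "GET <target> HTTP/1.1\r\n" into out. Returns the number of bytes
 * written, or -1 if the target is rejected or does not fit in the buffer. */
int build_request_line(char *out, size_t outsz, const char *target, size_t len)
{
    if (len > (size_t)INT_MAX || !target_is_safe(target, len))
        return -1;
    int n = snprintf(out, outsz, "GET %.*s HTTP/1.1\r\n", (int)len, target);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return n;
}

int main(void)
{
    char buf[256];
    /* Constructed sample inputs, not taken from the bug report. */
    const char ok[] = "/a%20b?x=1";
    const char split[] = "/a\r\nX-Constructed: 1";
    const char space[] = "/a b";
    printf("%d %d %d\n",
           build_request_line(buf, sizeof buf, ok, strlen(ok)),
           build_request_line(buf, sizeof buf, split, strlen(split)),
           build_request_line(buf, sizeof buf, space, strlen(space)));
    return 0;
}
```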
Bug#1120795: busybox: CVE-2025-60876 Moritz Mühlenhoff <jmm@inutil.org> - 2025-11-16 14:20 +0100

Bug#1120795: busybox: CVE-2025-60876 Bastian Blank <waldi@debian.org> - 2025-11-16 14:40 +0100

Bug#1120795: marked as done (busybox: CVE-2025-60876) "Debian Bug Tracking System" <owner@bugs.debian.org> - 2026-02-01 18:00 +0100