Bug#1120795: busybox: CVE-2025-60876

To: Moritz Mühlenhoff <jmm@inutil.org>, 1120795@bugs.debian.org
Subject: Bug#1120795: busybox: CVE-2025-60876
From: Bastian Blank <waldi@debian.org>
Date: Sun, 16 Nov 2025 14:30:04 +0100
Message-id: <[🔎] 20251116133004.6ba7xmtmg6umwguj@shell.thinkmo.de>
Reply-to: Bastian Blank <waldi@debian.org>, 1120795@bugs.debian.org
In-reply-to: <[🔎] aRnOk_exBV11hHdv@pisco.westfalen.local>
References: <[🔎] aRnOk_exBV11hHdv@pisco.westfalen.local> <[🔎] aRnOk_exBV11hHdv@pisco.westfalen.local>

On Sun, Nov 16, 2025 at 02:16:03PM +0100, Moritz Mühlenhoff wrote:
> CVE-2025-60876[0]:
> | BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other
> | C0 control bytes in the HTTP request-target (path/query), allowing
> | the request line to be split and attacker-controlled headers to be
> | injected. To preserve the HTTP/1.1 request-line shape METHOD SP
> | request-target SP HTTP/1.1, a raw space (0x20) in the request-target
> | must also be rejected (clients should use %20).

They talk about the URL provided on the command line?  Where is the
attacker in this view?

Bastian

-- 
A father doesn't destroy his children.
		-- Lt. Carolyn Palamas, "Who Mourns for Adonais?",
		   stardate 3468.1.

Reply to:

References:
- Bug#1120795: busybox: CVE-2025-60876
  - From: Moritz Mühlenhoff <jmm@inutil.org>

Prev by Date: Bug#1120795: busybox: CVE-2025-60876
Next by Date: Processed: tagging 1120797, bug 1120797 is forwarded to https://tracker.ceph.com/issues/72669 ...
Previous by thread: Bug#1120795: busybox: CVE-2025-60876
Next by thread: Processed: tagging 1120797, bug 1120797 is forwarded to https://tracker.ceph.com/issues/72669 ...
Index(es):
- Date
- Thread