[staging-nixos-26.05]: busybox: backport tar symlink bug fix (#537410)

This commit is contained in:
Florian Klink 2026-07-01 15:25:45 +00:00 committed by GitHub
commit 5c36c9aa1e
No known key found for this signature in database
GPG key ID: B5690EEEBB952194

View file

@ -90,6 +90,13 @@ stdenv.mkDerivation rec {
excludes = [ "networking/httpd_ratelimit_cgi.c" ]; # New since release.
hash = "sha256-Msm9sDZrVx7ofunnvnTS73SPKUUpR3Tv5xZ/wBd+rts=";
})
# tar: only strip unsafe components from hardlinks, not symlinks
# fix issue introduced by the previous patch (CVE-2026-26157_CVE-2026-26158.patch)
(fetchpatch {
name = "CVE-2026-26157_CVE-2026-26158-2.patch";
url = "https://github.com/vda-linux/busybox_mirror/commit/599f5dd8fac390c18b79cba4c14c334957605dae.patch";
hash = "sha256-go/KHSsuMSm21nC0yvKEtAQs8Jnjjqdcs5i8RWBGwT4=";
})
# syslogd: fix writing to local log file
# https://lists.busybox.net/pipermail/busybox/2024-October/090969.html
(fetchpatch {