diff --git a/pkgs/os-specific/linux/busybox/default.nix b/pkgs/os-specific/linux/busybox/default.nix index e3e313e175ef..212953626216 100644 --- a/pkgs/os-specific/linux/busybox/default.nix +++ b/pkgs/os-specific/linux/busybox/default.nix @@ -90,6 +90,13 @@ stdenv.mkDerivation rec { excludes = [ "networking/httpd_ratelimit_cgi.c" ]; # New since release. hash = "sha256-Msm9sDZrVx7ofunnvnTS73SPKUUpR3Tv5xZ/wBd+rts="; }) + # tar: only strip unsafe components from hardlinks, not symlinks + # fix issue introduced by the previous patch (CVE-2026-26157_CVE-2026-26158.patch) + (fetchpatch { + name = "CVE-2026-26157_CVE-2026-26158-2.patch"; + url = "https://github.com/vda-linux/busybox_mirror/commit/599f5dd8fac390c18b79cba4c14c334957605dae.patch"; + hash = "sha256-go/KHSsuMSm21nC0yvKEtAQs8Jnjjqdcs5i8RWBGwT4="; + }) # syslogd: fix writing to local log file # https://lists.busybox.net/pipermail/busybox/2024-October/090969.html (fetchpatch {