From 67c11a1b0c0b16bbfdeef17bbb4b99e9052951d5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Santos=20Reis?= Date: Tue, 23 Jun 2026 15:05:12 +0100 Subject: [PATCH] busybox: backport tar symlink bug fix (cherry picked from commit 03aae1016e762e4c25bb5b158d3bebbb90a56d7a) --- pkgs/os-specific/linux/busybox/default.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/pkgs/os-specific/linux/busybox/default.nix b/pkgs/os-specific/linux/busybox/default.nix index e3e313e175ef..212953626216 100644 --- a/pkgs/os-specific/linux/busybox/default.nix +++ b/pkgs/os-specific/linux/busybox/default.nix @@ -90,6 +90,13 @@ stdenv.mkDerivation rec { excludes = [ "networking/httpd_ratelimit_cgi.c" ]; # New since release. hash = "sha256-Msm9sDZrVx7ofunnvnTS73SPKUUpR3Tv5xZ/wBd+rts="; }) + # tar: only strip unsafe components from hardlinks, not symlinks + # fix issue introduced by the previous patch (CVE-2026-26157_CVE-2026-26158.patch) + (fetchpatch { + name = "CVE-2026-26157_CVE-2026-26158-2.patch"; + url = "https://github.com/vda-linux/busybox_mirror/commit/599f5dd8fac390c18b79cba4c14c334957605dae.patch"; + hash = "sha256-go/KHSsuMSm21nC0yvKEtAQs8Jnjjqdcs5i8RWBGwT4="; + }) # syslogd: fix writing to local log file # https://lists.busybox.net/pipermail/busybox/2024-October/090969.html (fetchpatch {