Bug 47519 - busybox: Multiple issues (4.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.2
All Linux
Importance: P3 normal
Target Milestone: UCS 4.2-4-errata
Assigned To: Quality Assurance
Philipp Hahn
Depends on:
Blocks:
Reported: 2018-08-09 10:17 CEST by Quality Assurance
Modified: 2018-08-15 16:19 CEST (History)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score: 5.6 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)
Description Quality Assurance univentionstaff 2018-08-09 10:17:19 CEST
New Debian busybox 1:1.22.0-9+deb8u4 fixes:
This update addresses the following issue(s):
* Directory traversal vulnerability in the BusyBox implementation of tar before 1.22.0 v5 allows remote attackers to point to files outside the current working directory via a symlink. (CVE-2011-5325)
* The add_probe function in modutils/modprobe.c in BusyBox before 1.23.0 allows local users to bypass intended restrictions on loading kernel modules via a / (slash) character in a module name, as demonstrated by an "ifconfig /usbserial up" command or a "mount -t /snd_pcm none /" command. (CVE-2014-9645)
* huft_build in archival/libarchive/decompress_gunzip.c in BusyBox before 1.27.2 misuses a pointer, causing segfaults and an application crash during an unzip operation on a specially crafted ZIP file. (CVE-2015-9261)
* Integer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to cause a denial of service (crash) via a malformed RFC1035-encoded domain name, which triggers an out-of-bounds heap write. (CVE-2016-2147)
* Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to have unspecified impact via vectors involving OPTION_6RD parsing. (CVE-2016-2148)
CVE-2016-6301 is open
* The get_next_block function in archival/libarchive/decompress_bunzip2.c in BusyBox 1.27.2 has an Integer Overflow that may lead to a write access violation. (CVE-2017-15873)
* In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of the shell, used to get a list of filenames in a directory, does not sanitize filenames and results in executing any escape sequence in the terminal. This could potentially result in code execution, arbitrary file writes, or other attacks. (CVE-2017-16544)
CVE-2018-1000500 is open
* BusyBox project BusyBox wget version prior to commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e contains a Buffer Overflow vulnerability in Busybox wget that can result in heap buffer overflow. This attack appears to be exploitable via network connectivity. This vulnerability appears to have been fixed after commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e. (CVE-2018-1000517)

1:1.22.0-9+deb8u4 (Fri, 03 Aug 2018 05:43:46 +0200)
* Non-maintainer upload by the LTS team.
* Regression update for CVE-2011-5325: It was found that the patch to prevent the exploitation of CVE-2011-5325 is too strict in case of cpio archives. This update restores the old behavior.

1:1.22.0-9+deb8u3 (Thu, 02 Aug 2018 01:40:03 +0200)
* Non-maintainer upload by the LTS team.
* Regression update for CVE-2015-9261: Decompressing gzip archives works as intended again.

1:1.22.0-9+deb8u2 (Fri, 27 Jul 2018 00:53:58 +0200)
* Fix CVE-2011-5325: A path traversal vulnerability was found in the Busybox implementation of tar. tar will extract a symlink that points outside of the current working directory and then follow that symlink when extracting other files. This allows for a directory traversal attack when extracting untrusted tarballs.
* Fix CVE-2014-9645: The add_probe function in modutils/modprobe.c in BusyBox allows local users to bypass intended restrictions on loading kernel modules via a / (slash) character in a module name, as demonstrated by an "ifconfig /usbserial up" command or a "mount -t /snd_pcm none /" command.
* Fix CVE-2016-2147: Integer overflow in the DHCP client (udhcpc) in BusyBox allows remote attackers to cause a denial of service (crash) via a malformed RFC1035-encoded domain name, which triggers an out-of-bounds heap write.
* Fix CVE-2016-2148: Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox allows remote attackers to have unspecified impact via vectors involving OPTION_6RD parsing.
* Fix CVE-2017-15873: The get_next_block function in archival/libarchive/decompress_bunzip2.c in BusyBox has an Integer Overflow that may lead to a write access violation.
* Fix CVE-2017-16544: In the add_match function in libbb/lineedit.c in BusyBox, the tab autocomplete feature of the shell, used to get a list of filenames in a directory, does not sanitize filenames and results in executing any escape sequence in the terminal. This could potentially result in code execution, arbitrary file writes, or other attacks.
* Fix CVE-2018-1000517: BusyBox project BusyBox wget contains a Buffer Overflow vulnerability in Busybox wget that can result in heap buffer overflow. This attack appears to be exploitable via network connectivity.
* CVE-2015-9261: Unzipping a specially crafted zip file results in a computation of an invalid pointer and a crash reading an invalid address.
* CVE-2011-5325 busybox: Path traversal via crafted tar file containing symlink (CVE-2011-5325)
* CVE-2014-9645 busybox: unprivileged arbitrary module load via basename abuse (CVE-2014-9645)
* CVE-2015-9261 busybox: Segmentation fault when unzipping specially crafted zip file (CVE-2015-9261)
* CVE-2016-2147 busybox: out of bounds write (heap) due to integer underflow in udhcpc (CVE-2016-2147)
* CVE-2016-2148 busybox: heap-based buffer overflow in OPTION_6RD parsing (CVE-2016-2148)
* CVE-2017-15873 busybox: Integer overflow in the get_next_block function (CVE-2017-15873)
* CVE-2017-16544 busybox: Insufficient sanitization of filenames when autocompleting (CVE-2017-16544)
* CVE-2018-1000517 busybox: wget: Heap-based buffer overflow in the retrieve_file_data() function (CVE-2018-1000517)
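The CVE-2011-5325 entry above describes the general "symlink first, file through the symlink second" pattern in tar extraction. The following check, added here as an illustration and not code from the bug report, from BusyBox or from Debian, walks an archive's member list in order and reports every member that would be written or linked outside the extraction root, including files whose path passes through a symlink extracted earlier. The archive it inspects is constructed in memory; the function names (`find_unsafe_members`, `resolve_through_links`, `escapes`) and the member names inside the sample archive are assumptions made for this example.

```python
import io
import posixpath
import tarfile

MAX_LINK_DEPTH = 8  # bound on chained symlink substitutions


def escapes(path):
    """True if a POSIX path, once normalised, leaves the extraction root."""
    if posixpath.isabs(path):
        return True
    norm = posixpath.normpath(path)
    return norm == ".." or norm.startswith("../")


def resolve_through_links(path, links, depth=0):
    """Lexically resolve `path`, substituting any leading component that is a
    symlink recorded in `links` (archive name -> link target), the way a real
    extraction would follow links already written to disk."""
    if depth > MAX_LINK_DEPTH:
        return path
    parts = posixpath.normpath(path).split("/")
    for i in range(1, len(parts) + 1):
        prefix = "/".join(parts[:i])
        if prefix in links:
            # Link targets are relative to the directory containing the link.
            rewritten = posixpath.join(posixpath.dirname(prefix), links[prefix])
            rest = "/".join(parts[i:])
            new_path = posixpath.join(rewritten, rest) if rest else rewritten
            return resolve_through_links(new_path, links, depth + 1)
    return posixpath.normpath(path)


def find_unsafe_members(tar):
    """Return the names of members that would write or link outside the root.

    Members are processed in archive order, as an extractor would, so a file
    whose path goes through an earlier escaping symlink is reported too.
    """
    unsafe = []
    links = {}
    for m in tar.getmembers():
        landing = resolve_through_links(posixpath.normpath(m.name), links)
        if escapes(landing):
            unsafe.append(m.name)
            continue
        if m.issym():
            # Record the link first: later members may pass through it.
            links[landing] = m.linkname
            target = posixpath.join(posixpath.dirname(landing), m.linkname)
            if escapes(resolve_through_links(target, links)):
                unsafe.append(m.name)
        elif m.islnk():
            # Hard links name another archive member, relative to the root.
            if escapes(resolve_through_links(m.linkname, links)):
                unsafe.append(m.name)
    return unsafe


def build_sample_archive():
    """Constructed sample: a benign file, a symlink escaping the root (the
    CVE-2011-5325 pattern), a file written through it, a harmless in-tree
    symlink with a file under it, and a plain '..' traversal."""
    buf = io.BytesIO()
    data = b"hello\n"
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name):
            ti = tarfile.TarInfo(name)
            ti.size = len(data)
            tar.addfile(ti, io.BytesIO(data))

        def add_symlink(name, target):
            ti = tarfile.TarInfo(name)
            ti.type = tarfile.SYMTYPE
            ti.linkname = target
            tar.addfile(ti)

        add_file("pkg/README")
        add_symlink("pkg/etc", "../../../etc")   # escapes the root
        add_file("pkg/etc/passwd")               # lands outside via the link
        add_symlink("pkg/docs", "share/doc")     # stays inside
        add_file("pkg/docs/manual.txt")          # resolves to pkg/share/doc/...
        add_file("../outside.txt")               # plain traversal
    buf.seek(0)
    return buf


def check_archive(buf):
    """Open an in-memory tar stream and list its unsafe members."""
    with tarfile.open(fileobj=buf, mode="r") as tar:
        return find_unsafe_members(tar)


if __name__ == "__main__":
    for name in check_archive(build_sample_archive()):
        print("unsafe member:", name)
```

The check is purely lexical, so it runs on untrusted input before anything touches the filesystem; it does not replace the fixed tar, but it is the kind of gate a deployment pipeline can put in front of any extractor, including one whose symlink handling is unknown.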
Comment 1 Quality Assurance univentionstaff 2018-08-09 18:43:58 CEST
--- mirror/ftp/4.2/unmaintained/4.2-0/source/busybox_1.22.0-9+deb8u1.dsc
+++ apt/ucs_4.2-0-errata4.2-4/source/busybox_1.22.0-9+deb8u4.dsc
@@ -1,3 +1,54 @@
+1:1.22.0-9+deb8u4 [Fri, 03 Aug 2018 05:43:46 +0200] Markus Koschany <apo@debian.org>:
+
+  * Non-maintainer upload the LTS team.
+  * Regression update for CVE-2011-5325: It was found that the patch to prevent
+    the exploitation of CVE-2011-5325 is too strict in case of cpio archives.
+    This update restores the old behavior.
+
+1:1.22.0-9+deb8u3 [Thu, 02 Aug 2018 01:40:03 +0200] Markus Koschany <apo@debian.org>:
+
+  * Non-maintainer upload by the LTS team.
+  * Regression update for CVE-2015-9261: Decompressing gzip archives works as
+    intended again.
+
+1:1.22.0-9+deb8u2 [Fri, 27 Jul 2018 00:53:58 +0200] Markus Koschany <apo@debian.org>:
+
+  * Non-maintainer upload by the LTS team.
+  * Fix CVE-2011-5325:
+    A path traversal vulnerability was found in Busybox implementation of tar.
+    tar will extract a symlink that points outside of the current working
+    directory and then follow that symlink when extracting other files. This
+    allows for a directory traversal attack when extracting untrusted tarballs.
+  * Fix CVE-2014-9645:
+    The add_probe function in modutils/modprobe.c in BusyBox allows local users
+    to bypass intended restrictions on loading kernel modules via a / (slash)
+    character in a module name, as demonstrated by an "ifconfig /usbserial up"
+    command or a "mount -t /snd_pcm none /" command.
+  * Fix CVE-2016-2147:
+    Integer overflow in the DHCP client (udhcpc) in BusyBox allows remote
+    attackers to cause a denial of service (crash) via a malformed
+    RFC1035-encoded domain name, which triggers an out-of-bounds heap write.
+  * Fix CVE-2016-2148:
+    Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox allows
+    remote attackers to have unspecified impact via vectors involving
+    OPTION_6RD parsing.
+  * Fix CVE-2017-15873:
+    The get_next_block function in archival/libarchive/decompress_bunzip2.c in
+    BusyBox has an Integer Overflow that may lead to a write access violation.
+  * Fix CVE-2017-16544:
+    In the add_match function in libbb/lineedit.c in BusyBox, the tab
+    autocomplete feature of the shell, used to get a list of filenames in a
+    directory, does not sanitize filenames and results in executing any escape
+    sequence in the terminal. This could potentially result in code execution,
+    arbitrary file writes, or other attacks.
+  * Fix CVE-2018-1000517:
+    BusyBox project BusyBox wget contains a Buffer Overflow vulnerability in
+    Busybox wget that can result in heap buffer overflow. This attack appear to
+    be exploitable via network connectivity.
+  * CVE-2015-9261:
+    Unziping a specially crafted zip file results in a computation of an
+    invalid pointer and a crash reading an invalid address.
+
 1:1.22.0-9+deb8u1 [Tue, 17 Feb 2015 18:29:33 +0100] Mehdi Dogguy <mehdi@debian.org>:
 
   * Non-maintainer upload.
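Review bot: in the deb8u2 entry the last item, `* CVE-2015-9261:`, is the only one of the eight CVE items without the `Fix` prefix, so a reader scanning the changelog for fixed CVEs can miss it; suggest `* Fix CVE-2015-9261:` for consistency. Two smaller points: the deb8u4 bullet `* Non-maintainer upload the LTS team.` is missing the word `by` that the deb8u3 and deb8u2 entries have, and the changelog does not mention CVE-2016-6301 or CVE-2018-1000500, which the description marks as still open; that is consistent, but worth stating in the errata text so the advisory is not read as covering every busybox CVE listed.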

<http://10.200.17.11/4.2-4/#2662316668608342000>
Comment 2 Philipp Hahn univentionstaff 2018-08-10 10:08:17 CEST
OK: piuparts
OK: yaml
OK: errata-announce

[4.2-4] 1bbedb863b Bug #47519: busybox 1:1.22.0-9+deb8u4
 doc/errata/staging/busybox.yaml | 38 ++++++++++++--------------------------
 1 file changed, 12 insertions(+), 26 deletions(-)

[4.2-4] 236e313028 Bug #47519: busybox 1:1.22.0-9+deb8u4
 doc/errata/staging/busybox.yaml | 43 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
Comment 3 Arvid Requate univentionstaff 2018-08-15 16:19:34 CEST
<http://errata.software-univention.de/ucs/4.2/441.html>