Bug 52804 - busybox: Multiple issues (4.4)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.4
All Linux
Importance: P3 normal
Target Milestone: UCS 4.4-7-errata
Assigned To: Quality Assurance
Philipp Hahn
Depends on:
Blocks:
Reported: 2021-02-16 19:35 CET by Quality Assurance
Modified: 2021-02-17 16:53 CET (History)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score: 5.6 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)

Description Quality Assurance univentionstaff 2021-02-16 19:35:36 CET
New Debian busybox 1:1.22.0-19+deb9u1 fixes:
This update addresses the following issues:
* Path traversal via crafted tar file containing symlink (CVE-2011-5325)
* Segmentation fault when unzipping specially crafted zip file (CVE-2015-9261)
* Out of bounds write (heap) due to integer underflow in udhcpc (CVE-2016-2147)
* Heap-based buffer overflow in OPTION_6RD parsing (CVE-2016-2148)
* Integer overflow in the get_next_block function (CVE-2017-15873)
* Insufficient sanitization of filenames when autocompleting (CVE-2017-16544)
* wget: Heap-based buffer overflow in the retrieve_file_data() function (CVE-2018-1000517)
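The first item above, the tar symlink traversal class (CVE-2011-5325), is the one a packager can most easily check for before an extractor ever runs. The script below is an added example, not busybox code and not part of this bug: it audits an untrusted tar archive in memory and flags a symlink whose target resolves outside the extraction root, and any later entry whose path passes through a symlink seen earlier in the archive, which is exactly the sequence the changelog describes. The two sample archives are constructed inline with Python's `tarfile`; the names in them (`tmp`, `pkg/...`) are made up for the demonstration.

```python
"""Pre-extraction audit for the tar symlink traversal pattern (CVE-2011-5325 class).

Added example, not busybox or Debian code. It does not extract anything; it only
walks the archive headers in order, the way an extractor would, and reports
members that would make a naive extractor write outside the destination root.
"""
import io
import posixpath
import tarfile


def _normalize(path):
    """Collapse '.' and '..' components; return None if the path leaves the root."""
    norm = posixpath.normpath(path)
    if norm.startswith("/") or norm == ".." or norm.startswith("../"):
        return None
    return norm


def audit_tar(data):
    """Return a list of (member_name, reason) findings for an archive given as bytes.

    An empty list means no symlink-traversal pattern was found. Findings are
    reported in archive order, because order is what makes the attack work:
    the symlink has to be created before the file that is written through it.
    """
    findings = []
    symlinks_seen = set()  # archive paths that were symlinks earlier in the stream
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            name = _normalize(member.name)
            if name is None:
                findings.append((member.name, "path escapes extraction root"))
                continue
            # A later entry whose path goes through a symlink created earlier
            # would be written wherever that link points.
            for link in symlinks_seen:
                if name == link or name.startswith(link + "/"):
                    findings.append((member.name, "path goes through symlink %r" % link))
                    break
            if member.issym():
                # Resolve the link target relative to the directory of the link itself.
                base = posixpath.dirname(name)
                target = _normalize(posixpath.join(base, member.linkname))
                if target is None:
                    findings.append(
                        (member.name, "symlink target escapes root: %r" % member.linkname)
                    )
                symlinks_seen.add(name)
    return findings


def build_sample_tar(entries):
    """Construct an uncompressed tar in memory from (name, kind, payload) tuples.

    kind is 'sym' (payload = link target) or 'file' (payload = file contents).
    Constructed test data for this example only.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, payload in entries:
            info = tarfile.TarInfo(name)
            if kind == "sym":
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tar.addfile(info)
            else:
                content = payload.encode()
                info.size = len(content)
                tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed samples: a crafted archive that plants a symlink and then writes
# through it, and a benign one whose symlink stays inside the archive root.
MALICIOUS = build_sample_tar([
    ("tmp", "sym", "/etc"),
    ("tmp/passwd", "file", "root::0:0::/root:/bin/sh\n"),
])
BENIGN = build_sample_tar([
    ("pkg/bin/tool", "file", "#!/bin/sh\n"),
    ("pkg/link", "sym", "bin/tool"),
])

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS), ("benign", BENIGN)):
        print(label, audit_tar(blob) or "clean")
```

Run it as a script and the crafted archive yields two findings (the escaping symlink, then the file written through it) while the benign archive reports clean. Hard links (`member.islnk()`) are deliberately left out to keep the example focused on the symlink case the changelog describes; a production check would treat them the same way.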
Comment 1 Quality Assurance univentionstaff 2021-02-16 20:00:17 CET
--- mirror/ftp/4.3/unmaintained/4.3-0/source/busybox_1.22.0-19.dsc
+++ apt/ucs_4.4-0-errata4.4-7/source/busybox_1.22.0-19+deb9u1.dsc
@@ -1,3 +1,41 @@
+1:1.22.0-19+deb9u1 [Mon, 15 Feb 2021 11:42:15 +0100] Markus Koschany <apo@debian.org>:
+
+  * Non-maintainer upload by the LTS team.
+  * Fix CVE-2011-5325:
+    A path traversal vulnerability was found in Busybox implementation of tar.
+    tar will extract a symlink that points outside of the current working
+    directory and then follow that symlink when extracting other files. This
+    allows for a directory traversal attack when extracting untrusted tarballs.
+  * Fix CVE-2014-9645:
+    The add_probe function in modutils/modprobe.c in BusyBox allows local users
+    to bypass intended restrictions on loading kernel modules via a / (slash)
+    character in a module name, as demonstrated by an "ifconfig /usbserial up"
+    command or a "mount -t /snd_pcm none /" command.
+  * Fix CVE-2016-2147:
+    Integer overflow in the DHCP client (udhcpc) in BusyBox allows remote
+    attackers to cause a denial of service (crash) via a malformed
+    RFC1035-encoded domain name, which triggers an out-of-bounds heap write.
+  * Fix CVE-2016-2148:
+    Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox allows
+    remote attackers to have unspecified impact via vectors involving
+    OPTION_6RD parsing.
+  * Fix CVE-2017-15873:
+    The get_next_block function in archival/libarchive/decompress_bunzip2.c in
+    BusyBox has an Integer Overflow that may lead to a write access violation.
+  * Fix CVE-2017-16544:
+    In the add_match function in libbb/lineedit.c in BusyBox, the tab
+    autocomplete feature of the shell, used to get a list of filenames in a
+    directory, does not sanitize filenames and results in executing any escape
+    sequence in the terminal. This could potentially result in code execution,
+    arbitrary file writes, or other attacks.
+  * Fix CVE-2018-1000517:
+    BusyBox project BusyBox wget contains a Buffer Overflow vulnerability in
+    Busybox wget that can result in heap buffer overflow. This attack appears to
+    be exploitable via network connectivity.
+  * CVE-2015-9261:
+    Unziping a specially crafted zip file results in a computation of an
+    invalid pointer and a crash reading an invalid address.
+
 1:1.22.0-19 [Sun, 17 Apr 2016 16:37:24 +0100] Ben Hutchings <ben@decadent.org.uk>:
 
   * busybox-udeb, udhcpc: Remove /udhcpc/usr/share/udhcpc/default.script,
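Review bot: the added changelog block carries a fix for CVE-2014-9645 (the modprobe `add_probe` slash-in-module-name bypass) that the bug description's list of addressed issues does not mention, so the description and the errata YAML (doc/errata/staging/busybox.yaml) should be reconciled to the full set of eight CVEs in this hunk before the advisory is announced. The CVE-2015-9261 entry is also the only bullet without the "Fix" prefix, which matters if the YAML entries are derived from these bullets.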

<http://10.200.17.11/4.4-7/#8122716768348290748>
Comment 2 Philipp Hahn univentionstaff 2021-02-17 07:36:32 CET
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.4-7] 087536a751 Bug #52804: busybox 1:1.22.0-19+deb9u1
 doc/errata/staging/busybox.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

[4.4-7] e80b28b09f Bug #52804: busybox 1:1.22.0-19+deb9u1
 doc/errata/staging/busybox.yaml | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)