Univention Bugzilla – Bug 52804
busybox: Multiple issues (4.4)
Last modified: 2021-02-17 16:53:45 CET
New Debian busybox 1:1.22.0-19+deb9u1 fixes:

This update addresses the following issues:
* Path traversal via crafted tar file containing symlink (CVE-2011-5325)
* Segmentation fault when unzipping specially crafted zip file (CVE-2015-9261)
* Out-of-bounds write (heap) due to integer underflow in udhcpc (CVE-2016-2147)
* Heap-based buffer overflow in OPTION_6RD parsing (CVE-2016-2148)
* Integer overflow in the get_next_block function (CVE-2017-15873)
* Insufficient sanitization of filenames when autocompleting (CVE-2017-16544)
* wget: Heap-based buffer overflow in the retrieve_file_data() function (CVE-2018-1000517)
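A practical check that goes with this erratum: is the busybox on a given UCS host already at or above 1:1.22.0-19+deb9u1? The block below is an added example, not code from this bug report, from Univention or from the Debian package. It re-implements dpkg's version ordering (epoch, then upstream, then Debian revision, with the usual `~` and digit-run rules) in pure Python so the comparison runs without dpkg; the two versions it compares against are the ones in the .dsc diff on this page, while the "installed" versions it is fed are constructed samples (on a real host the value would come from `dpkg-query -W -f='${Version}' busybox`).

```python
"""Added example for this erratum (not code from the bug report, Univention
or the Debian busybox package): decide whether an installed busybox version
already carries the fix, by re-implementing dpkg's version ordering in pure
Python so the check runs without dpkg. The fixed version is the one this
erratum ships; the installed versions fed to is_fixed() are constructed
samples (a real check would read `dpkg-query -W -f='${Version}' busybox`)."""

# Version shipped by the UCS 4.4-7 erratum (from the .dsc diff on this page).
FIXED_VERSION = "1:1.22.0-19+deb9u1"


def _order(c: str) -> int:
    """dpkg's character weight for the non-digit parts of a version string:
    '~' sorts before everything (even end of string), letters sort before
    non-letters, and a digit or end of string counts as 0."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    if c:
        return ord(c) + 256
    return 0


def _verrevcmp(a: str, b: str) -> int:
    """Compare two upstream-or-revision strings the way dpkg's verrevcmp does:
    alternate between a non-digit run (compared by _order) and a numeric run
    (compared numerically, leading zeros ignored). Returns <0, 0 or >0."""
    def ch(s: str, k: int) -> str:
        return s[k] if k < len(s) else ""

    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # non-digit run: stop at the first differing weight
        while (ch(a, i) and not ch(a, i).isdigit()) or (ch(b, j) and not ch(b, j).isdigit()):
            ac, bc = _order(ch(a, i)), _order(ch(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # numeric run: the longer number wins, else the first differing digit
        while ch(a, i) == "0":
            i += 1
        while ch(b, j) == "0":
            j += 1
        while ch(a, i).isdigit() and ch(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if ch(a, i).isdigit():
            return 1
        if ch(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v: str):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision);
    epoch defaults to 0 and the revision to '' when absent."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = v.rpartition("-")
    if not sep:                      # no Debian revision at all
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """dpkg --compare-versions semantics: -1, 0 or 1."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def is_fixed(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is at or above the erratum version."""
    return compare_versions(installed, fixed) >= 0


if __name__ == "__main__":
    # constructed sample versions, not taken from any real host
    for v in ["1:1.22.0-19", "1:1.22.0-19+deb9u1", "1:1.22.0-19~bpo8+1", "1.30.1-4"]:
        print(f"{v:24} fixed={is_fixed(v)}")
```

Two of the constructed samples are there to show why a plain string or tuple comparison is not enough: `1.30.1-4` has a newer upstream number but no epoch, so dpkg (and this code) rank it below the erratum version, and a `~bpo` revision sorts before the plain revision it is derived from.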
--- mirror/ftp/4.3/unmaintained/4.3-0/source/busybox_1.22.0-19.dsc +++ apt/ucs_4.4-0-errata4.4-7/source/busybox_1.22.0-19+deb9u1.dsc 
@@ -1,3 +1,41 @@ +1:1.22.0-19+deb9u1 [Mon, 15 Feb 2021 11:42:15 +0100] Markus Koschany <apo@debian.org>: + + * Non-maintainer upload by the LTS team. + * Fix CVE-2011-5325: + A path traversal vulnerability was found in Busybox implementation of tar. + tar will extract a symlink that points outside of the current working + directory and then follow that symlink when extracting other files. This + allows for a directory traversal attack when extracting untrusted tarballs. + * Fix CVE-2014-9645: + The add_probe function in modutils/modprobe.c in BusyBox allows local users + to bypass intended restrictions on loading kernel modules via a / (slash) + character in a module name, as demonstrated by an "ifconfig /usbserial up" + command or a "mount -t /snd_pcm none /" command. + * Fix CVE-2016-2147: + Integer overflow in the DHCP client (udhcpc) in BusyBox allows remote + attackers to cause a denial of service (crash) via a malformed + RFC1035-encoded domain name, which triggers an out-of-bounds heap write. + * Fix CVE-2016-2148: + Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox allows + remote attackers to have unspecified impact via vectors involving + OPTION_6RD parsing. + * Fix CVE-2017-15873: + The get_next_block function in archival/libarchive/decompress_bunzip2.c in + BusyBox has an Integer Overflow that may lead to a write access violation. + * Fix CVE-2017-16544: + In the add_match function in libbb/lineedit.c in BusyBox, the tab + autocomplete feature of the shell, used to get a list of filenames in a + directory, does not sanitize filenames and results in executing any escape + sequence in the terminal. This could potentially result in code execution, + arbitrary file writes, or other attacks. + * Fix CVE-2018-1000517: + BusyBox project BusyBox wget contains a Buffer Overflow vulnerability in + Busybox wget that can result in heap buffer overflow. This attack appears to + be exploitable via network connectivity. 
+ * CVE-2015-9261: + Unziping a specially crafted zip file results in a computation of an + invalid pointer and a crash reading an invalid address. + 1:1.22.0-19 [Sun, 17 Apr 2016 16:37:24 +0100] Ben Hutchings <ben@decadent.org.uk>: * busybox-udeb, udhcpc: Remove /udhcpc/usr/share/udhcpc/default.script, <http://10.200.17.11/4.4-7/#8122716768348290748>
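Review bot: The changelog hunk lists eight fixes, including "* Fix CVE-2014-9645:" (the modprobe slash-in-module-name restriction bypass), but the erratum description at the top of this bug enumerates only seven CVEs and omits CVE-2014-9645; add it to the announce text (and the staging yaml) so the published erratum matches what the package actually fixes. The trailing context of the hunk is cut off after "Remove /udhcpc/usr/share/udhcpc/default.script," so the header's "+1,41" cannot be checked against the visible lines here.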
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.4-7] 087536a751 Bug #52804: busybox 1:1.22.0-19+deb9u1
 doc/errata/staging/busybox.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

[4.4-7] e80b28b09f Bug #52804: busybox 1:1.22.0-19+deb9u1
 doc/errata/staging/busybox.yaml | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
<https://errata.software-univention.de/#/?erratum=4.4x894>