
[SECURITY] [DLA 1445-1] busybox security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : busybox
Version        : 1:1.22.0-9+deb8u2
CVE ID         : CVE-2011-5325 CVE-2014-9645 CVE-2015-9261 CVE-2016-2147
                 CVE-2016-2148 CVE-2017-15873 CVE-2017-16544
                 CVE-2018-1000517
Debian Bug     : 902724 882258 879732 818497 818499 803097 802702

Busybox, utility programs for small and embedded systems, was affected
by several security vulnerabilities. The Common Vulnerabilities and
Exposures project identifies the following issues.

CVE-2011-5325

    A path traversal vulnerability was found in the Busybox implementation
    of tar. tar extracts a symlink that points outside of the current
    working directory and then follows that symlink when extracting
    subsequent files. This allows a directory traversal attack when
    extracting untrusted tarballs.

CVE-2013-1813

    When a device node or symlink in /dev is to be created inside a
    subdirectory two or more levels deep (/dev/dir1/dir2.../node), the
    intermediate directories are created with incorrect permissions.

CVE-2014-4607

    An integer overflow may occur when processing any variant of a
    "literal run" in the lzo1x_decompress_safe function. Each of these
    three locations is subject to an integer overflow when processing
    zero bytes. This exposes the code that copies literals to memory
    corruption.

CVE-2014-9645

    The add_probe function in modutils/modprobe.c in BusyBox allows
    local users to bypass intended restrictions on loading kernel
    modules via a / (slash) character in a module name, as demonstrated
    by an "ifconfig /usbserial up" command or a "mount -t /snd_pcm none
    /" command.

CVE-2016-2147

    Integer overflow in the DHCP client (udhcpc) in BusyBox allows
    remote attackers to cause a denial of service (crash) via a
    malformed RFC1035-encoded domain name, which triggers an
    out-of-bounds heap write.
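The bounds checking that a decoder for RFC 1035 names must perform, shown as an added example that is not BusyBox's own code: it rejects a label that runs past the packet, a compression-pointer loop, a reserved label type, and any result that would overflow the destination buffer, instead of letting a malformed length feed a heap write. The sample packet is constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decode the RFC 1035 name at offset `off` of `pkt` (length `len`) into
 * `out` (capacity `cap`). Returns the decoded length, or -1 on malformed
 * input: a label or pointer past the end of the packet, a pointer loop,
 * a reserved label type, or output that would not fit in `out`. */
int dname_decode(const uint8_t *pkt, size_t len, size_t off,
                 char *out, size_t cap)
{
    size_t outlen = 0, hops = 0;
    for (;;) {
        if (off >= len) return -1;               /* length byte outside packet */
        uint8_t c = pkt[off];
        if (c == 0) break;                       /* root label: end of name */
        if ((c & 0xC0) == 0xC0) {                /* compression pointer */
            if (off + 1 >= len) return -1;
            if (++hops > len) return -1;         /* more hops than bytes: a loop */
            off = ((size_t)(c & 0x3F) << 8) | pkt[off + 1];
            continue;
        }
        if (c & 0xC0) return -1;                 /* 0x40/0x80 label types are reserved */
        if (off + 1 + c > len) return -1;        /* label text runs off the packet */
        if (outlen + c + 2 > cap) return -1;     /* label + '.' + NUL must fit */
        if (outlen) out[outlen++] = '.';
        memcpy(out + outlen, pkt + off + 1, c);
        outlen += c;
        off += 1 + c;
    }
    out[outlen] = '\0';
    return (int)outlen;
}

/* Constructed sample: "example.com", then "www" plus a pointer to offset 0,
 * then a pointer to itself (loop), then a label longer than the remaining data. */
const uint8_t SAMPLE_PKT[] = {
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,   /* offset 0  */
    3,'w','w','w', 0xC0, 0x00,                         /* offset 13 */
    0xC0, 0x13,                                        /* offset 19 */
    5,'a','b'                                          /* offset 21 */
};

int main(void)
{
    char buf[64];
    int n = dname_decode(SAMPLE_PKT, sizeof SAMPLE_PKT, 13, buf, sizeof buf);
    printf("%d %s\n", n, n < 0 ? "(rejected)" : buf);  /* prints 15 www.example.com */
    return 0;
}
```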

CVE-2016-2148

    Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox
    allows remote attackers to have unspecified impact via vectors
    involving OPTION_6RD parsing.

CVE-2017-15873

    The get_next_block function in
    archival/libarchive/decompress_bunzip2.c in BusyBox has an integer
    overflow that may lead to a write access violation.

CVE-2017-16544

    In the add_match function in libbb/lineedit.c in BusyBox, the tab
    autocomplete feature of the shell, used to get a list of filenames
    in a directory, does not sanitize filenames and results in executing
    any escape sequence in the terminal. This could potentially result
    in code execution, arbitrary file writes, or other attacks.

CVE-2018-1000517

    The Busybox wget applet contains a heap-based buffer overflow.
    This issue appears to be exploitable via network connectivity.

CVE-2015-9621

    Unzipping a specially crafted zip file results in the computation of
    an invalid pointer and a crash when reading an invalid address.

For Debian 8 "Jessie", these problems have been fixed in version
1:1.22.0-9+deb8u2.

We recommend that you upgrade your busybox packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

