This repository has been archived by the owner on Mar 16, 2022. It is now read-only.

1.278.0

@cf-buildpacks-eng cf-buildpacks-eng released this 03 Apr 17:21
· 8 commits to master since this release

Notably, this release addresses:

USN-3935-1: BusyBox vulnerabilities:

  • CVE-2011-5325: Directory traversal vulnerability in the BusyBox implementation of tar before 1.22.0 v5 allows remote attackers to point to files outside the current working directory via a symlink.
  • CVE-2014-9645: The add_probe function in modutils/modprobe.c in BusyBox before 1.23.0 allows local users to bypass intended restrictions on loading kernel modules via a / (slash) character in a module name, as demonstrated by an "ifconfig /usbserial up" command or a "mount -t /snd_pcm none /" command.
  • CVE-2015-9261: huft_build in archival/libarchive/decompress_gunzip.c in BusyBox before 1.27.2 misuses a pointer, causing segfaults and an application crash during an unzip operation on a specially crafted ZIP file.
  • CVE-2016-2147: Integer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to cause a denial of service (crash) via a malformed RFC1035-encoded domain name, which triggers an out-of-bounds heap write.
  • CVE-2016-2148: Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to have unspecified impact via vectors involving OPTION_6RD parsing.
  • CVE-2017-15873: The get_next_block function in archival/libarchive/decompress_bunzip2.c in BusyBox 1.27.2 has an integer overflow that may lead to a write access violation.
  • CVE-2017-16544: In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of the shell, used to get a list of filenames in a directory, does not sanitize filenames and results in executing any escape sequence in the terminal. This could potentially result in code execution, arbitrary file writes, or other attacks.
  • CVE-2018-1000517: BusyBox wget prior to commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e contains a buffer overflow vulnerability that can result in a heap buffer overflow. This attack appears to be exploitable via network connectivity. This vulnerability appears to have been fixed in commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e.
  • CVE-2018-20679: An issue was discovered in BusyBox before 1.30.0. An out-of-bounds read in udhcp components (consumed by the DHCP server, client, and relay) allows a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to verification in udhcp_get_option() in networking/udhcp/common.c that 4-byte options are indeed 4 bytes.
  • CVE-2019-5747: An issue was discovered in BusyBox through 1.30.0. An out-of-bounds read in udhcp components (consumed by the DHCP server, client, and/or relay) might allow a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to assurance of a 4-byte length when decoding DHCP_SUBNET. NOTE: this issue exists because of an incomplete fix for CVE-2018-20679.
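Added example, not BusyBox's or this stack's code: a DHCP option lookup written the way the CVE-2018-20679 / CVE-2019-5747 entries above describe the fix, rejecting any option whose declared length overruns the options buffer and any fixed-size option (the 4-byte subnet mask here) whose length is not the expected one. Function and macro names are hypothetical and the option byte strings are constructed, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* RFC 2132 option encoding after the magic cookie: code, len, data...; 0 pads, 255 ends. */
#define DHCP_PAD    0
#define DHCP_END    255
#define DHCP_SUBNET 1   /* subnet mask option, must carry exactly 4 bytes */

/* Hypothetical hardened lookup: returns pointer to the option data and sets *out_len,
 * or NULL when the option is absent or any TLV would run past opts_len. */
const uint8_t *dhcp_get_option(const uint8_t *opts, size_t opts_len,
                               uint8_t code, size_t *out_len)
{
    size_t i = 0;
    while (i < opts_len) {
        uint8_t cur = opts[i];
        if (cur == DHCP_PAD) { i++; continue; }
        if (cur == DHCP_END) break;
        if (i + 1 >= opts_len) return NULL;      /* no room for the length byte */
        size_t len = opts[i + 1];
        if (i + 2 + len > opts_len) return NULL; /* declared length overruns the buffer */
        if (cur == code) { *out_len = len; return opts + i + 2; }
        i += 2 + len;
    }
    return NULL;
}

/* Fixed-size fetch: the caller states how many bytes the option must carry,
 * so a 2-byte "subnet mask" is rejected instead of being read as 4 bytes. */
int dhcp_get_fixed_option(const uint8_t *opts, size_t opts_len, uint8_t code,
                          size_t expect_len, uint8_t *dst)
{
    size_t len;
    const uint8_t *p = dhcp_get_option(opts, opts_len, code, &len);
    if (p == NULL || len != expect_len) return 0;
    memcpy(dst, p, expect_len);
    return 1;
}

/* Constructed sample option fields (not captured DHCP traffic). */
static const uint8_t good_opts[]    = { 53, 1, 2, 1, 4, 255, 255, 255, 0, 255 };
static const uint8_t short_subnet[] = { 1, 2, 255, 255, 255 };  /* subnet claims 2 bytes */
static const uint8_t overrun[]      = { 1, 4, 255, 255 };       /* claims 4, only 2 present */

/* Decodes the subnet mask; returns 1 on success, 0 when the option is missing or malformed. */
int check_subnet(const uint8_t *opts, size_t n, uint32_t *mask)
{
    uint8_t b[4];
    if (!dhcp_get_fixed_option(opts, n, DHCP_SUBNET, 4, b)) return 0;
    *mask = ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) | ((uint32_t)b[2] << 8) | b[3];
    return 1;
}
```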
-ii  busybox-initramfs 1:1.21.0-1ubuntu1   amd64  Standalone shell setup for initramfs
+ii  busybox-initramfs 1:1.21.0-1ubuntu1.4 amd64  Standalone shell setup for initramfs
-ii  libc-bin          2.19-0ubuntu6.14    amd64  Embedded GNU C Library: Binaries
-ii  libc-dev-bin      2.19-0ubuntu6.14    amd64  Embedded GNU C Library: Development binaries
-ii  libc6:amd64       2.19-0ubuntu6.14    amd64  Embedded GNU C Library: Shared libraries
-ii  libc6-dev:amd64   2.19-0ubuntu6.14    amd64  Embedded GNU C Library: Development Libraries and Header Files
+ii  libc-bin          2.19-0ubuntu6.15    amd64  Embedded GNU C Library: Binaries
+ii  libc-dev-bin      2.19-0ubuntu6.15    amd64  Embedded GNU C Library: Development binaries
+ii  libc6:amd64       2.19-0ubuntu6.15    amd64  Embedded GNU C Library: Shared libraries
+ii  libc6-dev:amd64   2.19-0ubuntu6.15    amd64  Embedded GNU C Library: Development Libraries and Header Files
-ii  multiarch-support 2.19-0ubuntu6.14    amd64  Transitional package to ensure multiarch compatibility
+ii  multiarch-support 2.19-0ubuntu6.15    amd64  Transitional package to ensure multiarch compatibility
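Review bot: the release note above cites only USN-3935-1 (BusyBox), which accounts for the busybox-initramfs bump to 1:1.21.0-1ubuntu1.4, but the diff also moves libc-bin, libc-dev-bin, libc6, libc6-dev and multiarch-support from 2.19-0ubuntu6.14 to 2.19-0ubuntu6.15 with no advisory or reason given. Add the corresponding glibc advisory reference (or state that the glibc update is a non-security rebuild) so consumers tracking which CVEs the stack addresses can account for every changed package.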