Accepted busybox 1:1.22.0-9+deb8u2 (source amd64 all) into oldstable



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 27 Jul 2018 00:53:58 +0200
Source: busybox
Binary: busybox busybox-static busybox-udeb busybox-syslogd udhcpc udhcpd
Architecture: source amd64 all
Version: 1:1.22.0-9+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Debian Install System Team <debian-boot@lists.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 busybox    - Tiny utilities for small and embedded systems
 busybox-static - Standalone rescue shell with tons of builtin utilities
 busybox-syslogd - Provides syslogd and klogd using busybox
 busybox-udeb - Tiny utilities for the debian-installer (udeb)
 udhcpc     - Provides the busybox DHCP client implementation
 udhcpd     - Provides the busybox DHCP server implementation
Changes:
 busybox (1:1.22.0-9+deb8u2) jessie-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix CVE-2011-5325:
     A path traversal vulnerability was found in the BusyBox implementation of
     tar.
     tar will extract a symlink that points outside of the current working
     directory and then follow that symlink when extracting other files. This
     allows for a directory traversal attack when extracting untrusted tarballs.
   * Fix CVE-2014-9645:
     The add_probe function in modutils/modprobe.c in BusyBox allows local users
     to bypass intended restrictions on loading kernel modules via a / (slash)
     character in a module name, as demonstrated by an "ifconfig /usbserial up"
     command or a "mount -t /snd_pcm none /" command.
   * Fix CVE-2016-2147:
     Integer overflow in the DHCP client (udhcpc) in BusyBox allows remote
     attackers to cause a denial of service (crash) via a malformed
     RFC1035-encoded domain name, which triggers an out-of-bounds heap write.
   * Fix CVE-2016-2148:
     Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox allows
     remote attackers to have unspecified impact via vectors involving
     OPTION_6RD parsing.
   * Fix CVE-2017-15873:
     The get_next_block function in archival/libarchive/decompress_bunzip2.c in
     BusyBox has an Integer Overflow that may lead to a write access violation.
   * Fix CVE-2017-16544:
     In the add_match function in libbb/lineedit.c in BusyBox, the tab
     autocomplete feature of the shell, used to get a list of filenames in a
     directory, does not sanitize filenames and results in executing any escape
     sequence in the terminal. This could potentially result in code execution,
     arbitrary file writes, or other attacks.
   * Fix CVE-2018-1000517:
     BusyBox project BusyBox wget contains a Buffer Overflow vulnerability in
     BusyBox wget that can result in heap buffer overflow. This attack appears
     to be exploitable via network connectivity.
   * CVE-2015-9261:
     Unzipping a specially crafted zip file results in a computation of an
     invalid pointer and a crash reading an invalid address.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----