ESB-2018.2183.3 - UPDATE [UNIX/Linux][Appliance][Debian] busybox: Multiple vulnerabilities 2018-08-06


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2018.2183.3
                          busybox security update
                               6 August 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           busybox
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   UNIX variants (UNIX, Linux, OSX)
                   Network Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Modify Arbitrary Files          -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Unauthorised Access             -- Existing Account            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1000517 CVE-2017-16544 CVE-2017-15873
                   CVE-2016-2148 CVE-2016-2147 CVE-2015-9621
                   CVE-2015-9261 CVE-2014-9645 CVE-2014-4607
                   CVE-2013-1813 CVE-2011-5325 

Reference:         ESB-2017.0518
                   ESB-2016.2784
                   ESB-2013.1680
                   ESB-2013.1661

Original Bulletin: 
   https://security-tracker.debian.org/tracker/DLA-1445-1
   https://security-tracker.debian.org/tracker/DLA-1445-2

Revision History:  August  6 2018: Fixes cpio extraction regression introduced by
                                   DLA-1445-1 (busybox 1:1.22.0-9+deb8u4)
                   August  2 2018: Fixes gzip decompression regression introduced by
                                   DLA-1445-1 (busybox 1:1.22.0-9+deb8u3)
                   July   27 2018: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : busybox
Version        : 1:1.22.0-9+deb8u4

It was found that the security update of busybox announced as
DLA-1445-1  to prevent the exploitation of CVE-2011-5325, a symlinking
attack, was too strict in case of cpio archives. This update restores
the old behavior.

For Debian 8 "Jessie", this problem has been fixed in version
1:1.22.0-9+deb8u4.

We recommend that you upgrade your busybox packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAltj5aVfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeQg5hAAgS4x6OW2obh2DayhsOTNrpVD9aXpgScQNmt/jj+B9SrZUKxn55RF+Vk0
uqa+YJmjVasBfchq5tO2qdq5y2opFpDhuReVD0CM4jQyszIoNujYm5k7uQFl7nM0
9u2idA3KmZdmLx053jTfUJl+ReCLWgeXCGNnBGik32eYvPp+o28KlZ+2SzAlBd0Z
nKhTIjf5uguV0LanE5jbedXB86VVYmT+aKI7gPMOkf9EroVtK6PDRI90Rp6T00mH
nk67m/HiDIyFTWwzsGceDjz/ZUPDulV4PL8DRLzVVptDhWaxXZnes3nXNsd889qF
8CaoJfFnf9fkv02KiL5AgnpxUCBZlNc2mPRri6xy6uklFXSnOQRmd/6bvDgBSH60
n9jmQNJE5rFHsYbL5sjyl5F0et73LQp2esblj63nbbjG8W3qZprQm8AgEaRM8EE1
HuoJBDalcvltW/ODTBKX9m2VceWyV3h10MIqbEyjRaSmaHt87tXRy0y6SxjQIb4x
kLVkFunW7CDL5lFJDzwg5qxcEfY73g4+z5SfFk8XLGU4IALVCftgHfA9u2o10VzU
J0CveWMLm8uhFTtr7K0XSY5iRAOa/48isJVCFFRVfavls4DGPcL39jXR5P1kbxYM
zcNBBVG1u1NdmCC884a0hdYvxa6h4H7OKyKiv5fHeWHcqWBY6Wg=
=r6Yy
- -----END PGP SIGNATURE-----

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : busybox
Version        : 1:1.22.0-9+deb8u3

The security update of busybox announced as DLA-1445-1 introduced a
regression due to an incomplete fix for CVE-2015-9261. It was no
longer possible to decompress gzip archives which exceeded a certain
file size.

For Debian 8 "Jessie", this problem has been fixed in version
1:1.22.0-9+deb8u3.

We recommend that you upgrade your busybox packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAltiW+1fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeS2lBAAlM/ci0lYGc94ksVfZhCAYg4LtwfAS8yWuU1OedDfQUQtNQBdAIvhg35r
vXs23AjCtHOTynbhx6tny0Tk80+dsqfdjJDxeuzQxODaeWtGgRe90wTFptU9zzjk
10cm1rDz7WpOMlSG139Bid931+mGSg8LIbTFHiClCFAWbaWPf6pf1HHgz07KwLRo
CFVvy+s31nq4ynQ8Mb4HbKLmHquMAo8dq9KE834Fe59/HcNP8epdDoqE7gtJhaBa
QwOP14aBt5Z0LuaF8NZlYH1i0ditFp1ZWifLjk9co0z888DvaS7g4DHwbo43KTwN
eFFz6aqNWvkETxYcyvG1pYaGHtwG8vYOj+HoqmHC+KWOyYmyOaD1Ea6hA0HZd+k4
7lY1pa6bIELWRVTTOFeW3R7hLd/jcxIOVn3Um4LcOqna/gZlh5u3Hd9dl08u3QV4
RkgeiK5dPnXz/CeiE0LX+U4alqQ1H3hmc2hKqZXbTmbDp4E/rUaZ01l8G8+Cc0J1
hQh7nolrz4H82Qq1SoxfOfXM8cvxc40CgfKQvpJ/RUqqRPPwn8v7yW5+QeyNgcJu
IyvcDJ4F/HmOEv/phayCopfZfXFnIJU0XKQ2iOqFkBsnavsnRoNT3RzRl0XClUOa
oxFpVhZ0okAOwFQ2tbncV9QlkdZxPiN2eRNb+3phU/clOwA1K0Q=
=4PQW
- -----END PGP SIGNATURE-----
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : busybox
Version        : 1:1.22.0-9+deb8u2
CVE ID         : CVE-2011-5325 CVE-2014-9645 CVE-2015-9261 CVE-2016-2147
                 CVE-2016-2148 CVE-2017-15873 CVE-2017-16544
                 CVE-2018-1000517
Debian Bug     : 902724 882258 879732 818497 818499 803097 802702

Busybox, utility programs for small and embedded systems, was affected
by several security vulnerabilities. The Common Vulnerabilities and
Exposures project identifies the following issues.

CVE-2011-5325

    A path traversal vulnerability was found in the Busybox implementation
    of tar. tar will extract a symlink that points outside of the
    current working directory and then follow that symlink when
    extracting later entries. This allows for a directory traversal
    attack when extracting untrusted tarballs.
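The following Python is an added example, not Debian's or BusyBox's code, of the pre-extraction check a practitioner would want for the symlink-following weakness described above. It rejects entries whose own path climbs above the extraction root, symlinks whose target is absolute or resolves outside the root, and any entry whose path passes through a symlink that appeared earlier in the archive (the case that a naive extractor follows on disk). The malicious tarball it scans is constructed in memory for the demonstration; the member tuple layout and function names are this example's own.

```python
"""Added example (not Debian's or BusyBox's code): pre-extraction check for
the symlink-following weakness described for CVE-2011-5325.

Before extracting an untrusted tarball, reject:
  1. any entry whose own path escapes the extraction root ("../x");
  2. any symlink whose target is absolute or resolves outside the root;
  3. any entry whose path passes through a symlink that appears earlier in
     the archive, since a naive extractor follows that link on disk.
The malicious archive used below is constructed in memory."""
import io
import posixpath
import tarfile


def _normalize(path):
    """Collapse '.', '..' and repeated slashes; strip a leading '/'."""
    return posixpath.normpath(path.lstrip("/"))


def _escapes_root(norm):
    """True if a normalised relative path climbs above the extraction root."""
    return norm == ".." or norm.startswith("../")


def _symlink_ancestor(norm, symlinks):
    """Return the first ancestor directory of norm that is a known symlink."""
    parts = norm.split("/")
    for i in range(1, len(parts)):
        ancestor = "/".join(parts[:i])
        if ancestor in symlinks:
            return ancestor
    return None


def check_tar_members(members):
    """members: iterable of (name, is_symlink, linkname) in archive order.
    Returns a list of (name, reason) findings; an empty list means the
    archive passed the checks."""
    findings = []
    symlinks = set()
    for name, is_symlink, linkname in members:
        norm = _normalize(name)
        if _escapes_root(norm):
            findings.append((name, "entry path escapes extraction root"))
            continue
        via = _symlink_ancestor(norm, symlinks)
        if via is not None:
            findings.append((name, "path passes through earlier symlink %r" % via))
            continue
        if is_symlink:
            if linkname.startswith("/"):
                findings.append((name, "absolute symlink target %r" % linkname))
            else:
                # resolve the target relative to the directory holding the link
                target = _normalize(posixpath.join(posixpath.dirname(norm), linkname))
                if _escapes_root(target):
                    findings.append((name, "symlink target %r leaves extraction root" % linkname))
            symlinks.add(norm)
    return findings


def scan_tar_bytes(data):
    """Run the checks over an in-memory tar archive (any compression)."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        members = [(m.name, m.issym(), m.linkname) for m in tf.getmembers()]
    return check_tar_members(members)


def build_malicious_tar():
    """Constructed sample: symlink 'evil' -> '../../outside', then a regular
    file 'evil/pwned.txt' that a link-following extractor would write
    outside the root, then a benign file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        link = tarfile.TarInfo("evil")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"
        tf.addfile(link)
        for name, payload in (("evil/pwned.txt", b"owned\n"), ("ok.txt", b"hi\n")):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in scan_tar_bytes(build_malicious_tar()):
        print("REJECT %s: %s" % (name, reason))
```

The check is deliberately conservative: an entry under a symlinked directory is rejected even when the link stays inside the root, which is also how GNU tar treats such members by default. Run it on an archive before handing it to an extractor that follows symlinks, or use it to review archives produced by untrusted build steps.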

CVE-2013-1813

    When device node or symlink in /dev should be created inside
    2-or-deeper subdirectory (/dev/dir1/dir2.../node), the intermediate
    directories are created with incorrect permissions.

CVE-2014-4607

    An integer overflow may occur when processing any variant of a
    "literal run" in the lzo1x_decompress_safe function. Each of the
    three code paths that handle a literal run is subject to an integer
    overflow when processing zero bytes, which exposes the code that
    copies literals to memory corruption.

CVE-2014-9645

    The add_probe function in modutils/modprobe.c in BusyBox allows
    local users to bypass intended restrictions on loading kernel
    modules via a / (slash) character in a module name, as demonstrated
    by an "ifconfig /usbserial up" command or a "mount -t /snd_pcm none
    /" command.

CVE-2016-2147

    Integer overflow in the DHCP client (udhcpc) in BusyBox allows
    remote attackers to cause a denial of service (crash) via a
    malformed RFC1035-encoded domain name, which triggers an
    out-of-bounds heap write.
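The decoder below is an added example in Python, not BusyBox's udhcpc code, showing the bounds checks a parser of RFC 1035 encoded names needs when the input comes from an untrusted DHCP server (the domain-search option, option 119, carries exactly this encoding). Every label length and compression pointer is validated against the buffer before it is used, the 255-byte name limit is enforced, and a pointer must refer to a position earlier than the last one followed, so a crafted list can neither loop nor run the decoder past its buffer. The sample payloads are constructed for the demonstration.

```python
"""Added example (not BusyBox's udhcpc code): a bounds-checked decoder for
RFC 1035 encoded domain names as carried in the DHCP domain-search option
(option 119, RFC 3397), the input class behind CVE-2016-2147.  Every label
length and compression pointer is checked against the buffer before use,
the 255-byte name limit is enforced, and pointers may only refer to a
position earlier than the last one followed, so a crafted list cannot loop
or run the decoder past its buffer.  Sample payloads are constructed."""

MAX_NAME_LEN = 255          # RFC 1035 section 2.3.4, including the root label


class MalformedName(ValueError):
    """Raised for any encoding the decoder refuses to follow."""


def decode_name(buf, offset):
    """Decode the name starting at buf[offset].
    Returns (dotted_name, next_offset) where next_offset is the position
    just after the bytes the name occupies in place (a compression pointer
    terminates the in-place encoding, RFC 1035 section 4.1.4)."""
    labels = []
    pos = offset
    end = None           # in-place end, fixed when the first pointer is hit
    limit = offset       # every pointer target must be below this
    total = 0            # bytes of the expanded name, for the 255 limit
    while True:
        if pos >= len(buf):
            raise MalformedName("name runs past end of buffer")
        length = buf[pos]
        if length == 0:                          # root label: done
            pos += 1
            break
        if length & 0xC0 == 0xC0:                # compression pointer
            if pos + 1 >= len(buf):
                raise MalformedName("truncated compression pointer")
            target = ((length & 0x3F) << 8) | buf[pos + 1]
            if target >= limit:
                raise MalformedName("pointer does not refer to an earlier name")
            if end is None:
                end = pos + 2
            limit = target                       # strictly decreasing: no loops
            pos = target
            continue
        if length & 0xC0:                        # 0x40 / 0x80 label types
            raise MalformedName("reserved label type 0x%02x" % length)
        if pos + 1 + length > len(buf):
            raise MalformedName("label runs past end of buffer")
        total += 1 + length
        if total + 1 > MAX_NAME_LEN:             # +1 for the root label
            raise MalformedName("expanded name exceeds %d bytes" % MAX_NAME_LEN)
        labels.append(buf[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return ".".join(labels), (end if end is not None else pos)


def decode_search_list(buf):
    """Decode a whole option-119 payload into a list of dotted names."""
    names = []
    pos = 0
    while pos < len(buf):
        name, pos = decode_name(buf, pos)
        names.append(name)
    return names


def decode_or_error(buf):
    """Convenience wrapper: ('ok', names) or ('error', message)."""
    try:
        return "ok", decode_search_list(buf)
    except MalformedName as exc:
        return "error", str(exc)


# Constructed payloads: one well-formed compressed list and five malformed
# ones of the kind a hostile DHCP server could send.
SAMPLES = {
    "valid": b"\x07example\x03com\x00\x03www\xc0\x00",
    "truncated label": b"\x07exam",
    "self pointer": b"\xc0\x00",
    "forward pointer": b"\x01a\xc0\x05\x03bbb\x00",
    "reserved type": b"\x40abc\x00",
    "over 255 bytes": (b"\x3f" + b"a" * 63) * 4 + b"\x00",
}

if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        print("%-16s %s" % (label, decode_or_error(payload)))
```

The "earlier than the last pointer followed" rule is stricter than "points backwards", and it matters: a pointer that merely points backwards can still target a label whose own pointer leads back to it, which loops forever. Legitimate compression always satisfies the stricter rule because a pointer refers to a prior occurrence of the name.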

CVE-2016-2148

    Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox
    allows remote attackers to have unspecified impact via vectors
    involving OPTION_6RD parsing.

CVE-2017-15873

    The get_next_block function in
    archival/libarchive/decompress_bunzip2.c in BusyBox has an integer
    overflow that may lead to a write access violation.

CVE-2017-16544

    In the add_match function in libbb/lineedit.c in BusyBox, the tab
    autocomplete feature of the shell, used to get a list of filenames
    in a directory, does not sanitize filenames and results in executing
    any escape sequence in the terminal. This could potentially result
    in code execution, arbitrary file writes, or other attacks.
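The hardening that this class of bug calls for is to never echo a filename to a terminal unfiltered. The Python below is an added example, not BusyBox's lineedit code, of such a filter: it renders every C0 control byte (including ESC 0x1b and BEL 0x07), DEL, and the C1 range 0x80-0x9f (which includes the single-byte CSI 0x9b that some terminals honour) as a visible escape, and treats bytes that are not valid UTF-8 the same way, so valid non-ASCII names print unchanged. The hostile filenames are constructed for the demonstration; the function names are this example's own.

```python
"""Added example (not BusyBox's lineedit code): make filenames safe to echo
to a terminal, the hardening CVE-2017-16544 calls for when a shell or
listing tool prints names read from a directory.  C0 controls (including
ESC and BEL), DEL and the C1 range 0x80-0x9f are rendered as \\xNN; bytes
that are not valid UTF-8 are shown the same way.  The hostile filenames
below are constructed."""


def _as_bytes(name):
    """Accept str or bytes; str goes through surrogateescape so that a name
    that already carries undecodable bytes round-trips unchanged."""
    return name.encode("utf-8", "surrogateescape") if isinstance(name, str) else bytes(name)


def sanitize_for_terminal(name):
    """Return a str that prints exactly the characters it contains."""
    out = []
    # surrogateescape maps each undecodable byte to U+DC80..U+DCFF, so valid
    # multibyte characters survive while stray bytes can be escaped
    for ch in _as_bytes(name).decode("utf-8", "surrogateescape"):
        cp = ord(ch)
        if 0xDC80 <= cp <= 0xDCFF:                       # undecodable byte
            out.append("\\x%02x" % (cp - 0xDC00))
        elif cp < 0x20 or cp == 0x7F or 0x80 <= cp <= 0x9F:  # C0, DEL, C1
            out.append("\\x%02x" % cp)
        else:
            out.append(ch)
    return "".join(out)


def is_terminal_safe(name):
    """True if printing the name unmodified would emit no control bytes."""
    raw = _as_bytes(name)
    return sanitize_for_terminal(raw) == raw.decode("utf-8", "surrogateescape")


# Constructed hostile names of the kind a directory listing might contain.
HOSTILE_NAMES = [
    b"\x1b]0;pwned\x07notes.txt",   # OSC: sets the terminal title
    b"\x1b[2J\x1b[Hreadme",         # CSI: clears the screen, homes the cursor
    b"\x9b31mred.log",              # single-byte C1 CSI
    b"caf\xe9.txt",                 # Latin-1 byte that is not valid UTF-8
]

if __name__ == "__main__":
    for raw in HOSTILE_NAMES:
        print("%-5s %s" % ("safe" if is_terminal_safe(raw) else "UNSAFE",
                           sanitize_for_terminal(raw)))
```

Apply the filter at the point where names leave the program for a terminal (completion lists, ls-style output, error messages), not where they are read, so that the filesystem name itself is never altered.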

CVE-2018-1000517

    BusyBox wget contains a heap-based buffer overflow. This attack
    appears to be exploitable via network connectivity.

CVE-2015-9621

    Unzipping a specially crafted zip file results in the computation of
    an invalid pointer and a crash when reading from an invalid address.

For Debian 8 "Jessie", these problems have been fixed in version
1:1.22.0-9+deb8u2.

We recommend that you upgrade your busybox packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
