Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.0564
busybox security update
16 February 2021
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: busybox
Publisher: Debian
Operating System: Debian GNU/Linux
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Modify Arbitrary Files -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Reduced Security -- Remote/Unauthenticated
Unauthorised Access -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2018-1000517 CVE-2017-16544 CVE-2017-15873
CVE-2016-2148 CVE-2016-2147 CVE-2015-9621
CVE-2015-9261 CVE-2014-9645 CVE-2014-4607
CVE-2013-1813 CVE-2011-5325
Reference: ESB-2019.1136
ESB-2016.2784
ESB-2014.1291
Original Bulletin:
https://lists.debian.org/debian-lts-announce/2021/02/msg00020.html
- --------------------------BEGIN INCLUDED TEXT--------------------
- ------------------------------------------------------------------------
Debian LTS Advisory DLA-2559-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Markus Koschany
February 15, 2021 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package : busybox
Version : 1:1.22.0-19+deb9u1
CVE ID : CVE-2011-5325 CVE-2015-9261 CVE-2016-2147 CVE-2016-214820
CVE-2017-15873 CVE-2017-16544 CVE-2018-1000517
Debian Bug : 902724 882258 879732 818497 818499 803097 802702
Busybox, utility programs for small and embedded systems, was affected
by several security vulnerabilities. The Common Vulnerabilities and
Exposures project identifies the following issues.
CVE-2011-5325
A path traversal vulnerability was found in Busybox implementation
of tar. tar will extract a symlink that points outside of the
current working directory and then follow that symlink when
extracting other files. This allows for a directory traversal
attack when extracting untrusted tarballs.
CVE-2013-1813
When device node or symlink in /dev should be created inside
2-or-deeper subdirectory (/dev/dir1/dir2.../node), the intermediate
directories are created with incorrect permissions.
CVE-2014-4607
An integer overflow may occur when processing any variant of a
"literal run" in the lzo1x_decompress_safe function. Each of these
three locations is subject to an integer overflow when processing
zero bytes. This exposes the code that copies literals to memory
corruption.
CVE-2014-9645
The add_probe function in modutils/modprobe.c in BusyBox allows
local users to bypass intended restrictions on loading kernel
modules via a / (slash) character in a module name, as demonstrated
by an "ifconfig /usbserial up" command or a "mount -t /snd_pcm none
/" command.
CVE-2016-2147
Integer overflow in the DHCP client (udhcpc) in BusyBox allows
remote attackers to cause a denial of service (crash) via a
malformed RFC1035-encoded domain name, which triggers an
out-of-bounds heap write.
CVE-2016-2148
Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox
allows remote attackers to have unspecified impact via vectors
involving OPTION_6RD parsing.
CVE-2017-15873
The get_next_block function in archival/libarchive
/decompress_bunzip2.c in BusyBox has an Integer Overflow that may
lead to a write access violation.
CVE-2017-16544
In the add_match function in libbb/lineedit.c in BusyBox, the tab
autocomplete feature of the shell, used to get a list of filenames
in a directory, does not sanitize filenames and results in executing
any escape sequence in the terminal. This could potentially result
in code execution, arbitrary file writes, or other attacks.
CVE-2018-1000517
BusyBox contains a Buffer Overflow vulnerability in
Busybox wget that can result in a heap-based buffer overflow.
This attack appears to be exploitable via network connectivity.
CVE-2015-9621
Unziping a specially crafted zip file results in a computation of an
invalid pointer and a crash reading an invalid address.
For Debian 9 stretch, these problems have been fixed in version
1:1.22.0-19+deb9u1.
We recommend that you upgrade your busybox packages.
For the detailed security status of busybox please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/busybox
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----
iQKTBAABCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmAqYYRfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeRK/g/5AVIsov1Jv48LUIvaQUVL9qCk9bmlnPvKJENPs+4LkYQldjmX+Jjldtyw
iKDmgfqY6C9AwSG3cCDZYDKgO/FR8MCRmtqoy0BAyGd59dwNCMSbnBBowH26+e3M
TL+z7BkU5cE92w6g1w/unxBX0NUlhlU5ptnz+wKJbexWYLqShbtsrkB8u/CYqMlF
6fqkfabVHBQf/FzEPuF5cKZqUjHDhLshuNuXvSlfgZlSqDghcQgF433+xn1kMyT3
3pgcig3JIoI6Ry+8HwrcIIiliWtEDEwwgaIrbiW7OJYrJgQhXhMMvLhDkNR0s+kl
2UjVyhLs8/rWABN1LCfzs90fomViFoV4tDWG/wK3/OPazywiDqwtoPfLoh5GD0vW
3TPC97VOTkz9vg2gukfP24xdHTw1YZgkoVQn1amPH6LHoQu3gsX9mpo98YKRfocK
Zy0NI9cMC/G2qbFf1pxVNZnJufpFoizu0SoHRAUTom5FJBMKxUR4nRVAcgoadzqW
OsTX5/4h3Z7S0SURYj0CSxcbpkpXfHAdOBhXBLFadyt+3LTefbQJ3mzuyFdhgxUN
whl7Jxaqy6sCePHEwCx0KmQ1fxIXbg1HTTZIzMcmgjQ9g8A/t7uOrL8QzFTAKe1X
w8xzogcv2Hu5ReEsDjRciIjTHPb1XnEOfDqHW++t7NBKFUuL9Sg=
=R51w
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYCs7VuNLKJtyKPYoAQiD0xAAklvACsK41Tnw4xINwkkr8Bscq+IB98BZ
2j18yaiPD++US2FHjtTWNVTEy9fKvVuNwbua2yvS3O6XO8dYsDPt5Crlav+QeASw
lZ73ZvTVVr9qy18C3dOsBmvs9ree5xDU+mJKsj/uHJTfnUQQPbh5r515eN+sx7he
LAK+h8w2V7ECLY1vjjoyqERGp+xatI/88W69YbIYHrGdkDzaiMbTxZ50wwqB7aZy
O56IrDhWlEphVdmLO5KYgiF1JhKFXgAjIziB6JnibnrGq1oVdnfmZsvIrZ7w+8Qt
dkmsiAXV5Ab8L+o/2vWKWFazuMvipUNhmWlwoMyHfJQ2sf1OeyhUTdIGY6KK0kbG
n+5VDGHHT7KaLTV6d1cx8/vNqw4sO5g9tlH26CoW/khJhfWRZuqxScIxDBkxa0uR
VUKHZYQifR89nwEU+RDcnwQoQxqMP5KBx+vfZ5Oa8nwEfj+iMedmZL+1UBQaiykr
hoQqACp425k5ujgYXmfFQJ1ME2Eukt6Gy1sbX9T6yi2Msbx8Nb6C4M3q+/K5bu39
B496DVO1riXA6Mchec7rjcr5L2X+A7vQKGP5RuvaiZM0O4qEODZFkIJfmJb5RbfE
eQ/kUG7E/ESE5+ZYPSxZz6tYeSVEx63eXRxv2xH517VoV42xAyodwWMPBtAqQXv1
o1bZxtHs9I0=
=Iw3a
-----END PGP SIGNATURE-----