Bug#818499: marked as done (busybox: CVE-2016-2147: OOB heap write due to integer underflow)

[owner@bugs.debian.org (Debian Bug Tracking System)]

Your message dated Sun, 17 Sep 2017 17:19:07 +0000
with message-id <E1dtdDn-000IgC-H0@fasolo.debian.org>
and subject line Bug#818499: fixed in busybox 1:1.27.2-1
has caused the Debian Bug report #818499,
regarding busybox: CVE-2016-2147: OOB heap write due to integer underflow
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
818499: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=818499
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: busybox: CVE-2016-2147: OOB heap write due to integer underflow
• From: Salvatore Bonaccorso <carnil@debian.org>
• Date: Thu, 17 Mar 2016 17:27:52 +0100
• Message-id: <145823207297.32055.18019966503735284093.reportbug@eldamar.local>

Source: busybox
Version: 1:1.20.0-7
Severity: normal
Tags: security upstream fixed-upstream

Hi,

the following vulnerability was published for busybox, filling for
tracking purpose.

CVE-2016-2147[0]:
OOB heap write due to integer underflow

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-2147

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---

--- Begin Message ---

• To: 818499-close@bugs.debian.org
• Subject: Bug#818499: fixed in busybox 1:1.27.2-1
• From: Chris Boot <bootc@debian.org>
• Date: Sun, 17 Sep 2017 17:19:07 +0000
• Message-id: <E1dtdDn-000IgC-H0@fasolo.debian.org>

Source: busybox
Source-Version: 1:1.27.2-1

We believe that the bug you reported is fixed in the latest version of
busybox, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 818499@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Boot <bootc@debian.org> (supplier of updated busybox package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 17 Sep 2017 17:59:31 +0100
Source: busybox
Binary: busybox busybox-static busybox-udeb busybox-syslogd udhcpc udhcpd
Architecture: source
Version: 1:1.27.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Install System Team <debian-boot@lists.debian.org>
Changed-By: Chris Boot <bootc@debian.org>
Description:
 busybox    - Tiny utilities for small and embedded systems
 busybox-static - Standalone rescue shell with tons of builtin utilities
 busybox-syslogd - Provides syslogd and klogd using busybox
 busybox-udeb - Tiny utilities for the debian-installer (udeb)
 udhcpc     - Provides the busybox DHCP client implementation
 udhcpd     - Provides the busybox DHCP server implementation
Closes: 794526 802702 803097 812074 818497 818499 873472
Changes:
 busybox (1:1.27.2-1) unstable; urgency=medium
 .
   * New upstream release. This addresses:
     - Segmentation fault when creating compressed tar files. (Closes: #812074)
     - Pointer misuse unziping files. (Closes: #803097)
     - Buffer overflow in the DHCP client [CVE-2016-2148]. (Closes: #818497)
     - Integer overflow in the DHCP client [CVE-2016-2147]. (Closes: #818499)
   * Postpone creation of symlinks with "suspicious" targets [CVE-2011-5325].
     (Closes: #802702)
   * Re-enable the test suite during build. (Closes: #794526)
   * udhcpc: correct a typo in /etc/udhcpc/default.script. (Closes: #873472)
   * Debian packaging changes:
     - Run wrap-and-sort -st.
     - Update debian/control:
       - Replace Uploaders with myself and Christoph Biedl. Many thanks to
         Bastian Blank and Michael Tokarev for having maintained busybox for
         many years prior.
       - Remove Build-Depends to avoid ancient broken libc-dev-bin.
       - Bump Build-Depends on debhelper to >= 10.
     - Rewrite debian/rules:
       - Simplify and use the dh sequencer.
       - Remove test for ancient broken libc6 versions with static binaries.
       - Strip -O2 from CFLAGS, falling back to -Os from the busybox
         configuration.
       - Abort the build if 'make oldconfig' changes the configuration at all.
     - Update busybox build configuration files for the new upstream release.
       - The udeb configuration mostly hasn't changed, but enable fgrep,
         blkdiscard, bzcat and lsscsi.
       - The deb and static configurations have had upstream recommendations
         enabled for new options.
     - Switch to debhelper compatibility level 10.
     - Add Depends on lsb-base to busybox-syslogd and udhcpd.
     - Update debian/.gitignore.
     - Update Standards-Version to 4.0.1:
       - Disable tests that require networking.
Checksums-Sha1:
 4c7441a1204b61438f0eb2f272698fe372eede71 2359 busybox_1.27.2-1.dsc
 11669e223cc38de646ce26080e91ca29b8d42ad9 2216527 busybox_1.27.2.orig.tar.bz2
 25b8ec9d11fe9fcb8e2d79621a32b760c7d3c10f 49272 busybox_1.27.2-1.debian.tar.xz
 54cf758c6edeaf2bda34d6b8e08a44ba062b68cf 7236 busybox_1.27.2-1_amd64.buildinfo
Checksums-Sha256:
 67947957df59b7e145af1453c1a8cd28c3cd39d9d13cf1f2e7a12b8d073b4e81 2359 busybox_1.27.2-1.dsc
 9d4be516b61e6480f156b11eb42577a13529f75d3383850bb75c50c285de63df 2216527 busybox_1.27.2.orig.tar.bz2
 f2ed3f2e3dc63487efec85d65167e6a4fb31f6b300f1a45fd284de0d10405b8c 49272 busybox_1.27.2-1.debian.tar.xz
 38714b5eb9f437dd78eca0bc12379a651c71ddbf2c99eba3e40289d651244b77 7236 busybox_1.27.2-1_amd64.buildinfo
Files:
 300538e8de0e12d9bd8939b3330357c2 2359 utils optional busybox_1.27.2-1.dsc
 476186f4bab81781dab2369bfd42734e 2216527 utils optional busybox_1.27.2.orig.tar.bz2
 4176babb785eb5f2b3289c24343ef7e1 49272 utils optional busybox_1.27.2-1.debian.tar.xz
 87423bdbf689420d433ee08c59ccb3e2 7236 utils optional busybox_1.27.2-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE2oqQ9X/7HWR+QDTaQRpzPmfWT/4FAlm+rDdfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldERB
OEE5MEY1N0ZGQjFENjQ3RTQwMzREQTQxMUE3MzNFNjdENjRGRkUACgkQQRpzPmfW
T/5ExRAA6rbhIacnoEgLN3g5YImMrlqz+Cyvc2+Y6Rw/bkKlXDQ62QEDuyN7ylPS
O51RquWR1nTcK1YLqYiFaqYs/XkaNvhCpuuKPwEbwosaUhg52OQFT+U18B3dfaHw
/xVOekqYrEEJGC4X1lqE3xv3KQH04UZcrhPBu2L2FnGnx/sTIuWcqJlWS3GTRDCZ
9qpSvYWzuvj5yM6SmRbqx+lWD5QI5cjvxQYcQpbIuDUaqF8owHP+wHGxcrrSok0P
1kCUUMvdRUJ4BzRiVhjE1G1j1zDvRqBDywAeAVq4Ch0weHE0nLqz5+JXAtEktyVA
bYVnN6H2mb2P+JzzeXlK66eFu1CYKtPuq5v/sTCNadXJ84w5NyBry/fqXJjBqqkL
gvN7/WpZ8bX8BRh/YE3fJ31nSpvLIeY5wqBuSs0Pfy+Ob/K3Kk1uJVMc0JB8FCTK
hA0JGpU7PULSqVIEWFN1SvOUQsczLQCqi9bgHLOacWV2BfCdZpvUEl/kJJTU9AFt
sAu0EEdITZu8m8DRru9GM1VFARsViDwkfBSJp/D/kvHThC7VwPjBOrlDrn6/Vw/9
NCcYp43mmKO4WA90tZnvo0gmu5L3CikFfAYJalkC2D6yIQ11XwWe4FI4qrnxluv8
AGZ1M6CfSjGeC2REqWVu3VqjnRk8/nbC6wqkiwac1JBYjn1CyOY=
=AQ2U
-----END PGP SIGNATURE-----

--- End Message ---