
Bug#918846: marked as done (busybox: CVE-2018-20679)



Your message dated Sat, 02 Mar 2019 09:19:52 +0000
with message-id <E1h00oC-0004XA-Di@fasolo.debian.org>
and subject line Bug#918846: fixed in busybox 1:1.30.1-2
has caused the Debian Bug report #918846,
regarding busybox: CVE-2018-20679
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
918846: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918846
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: busybox
Version: 1:1.27.2-3
Severity: normal
Tags: patch security upstream
Forwarded: https://bugs.busybox.net/show_bug.cgi?id=11506

Hi,

The following vulnerability was published for busybox.

CVE-2018-20679[0]:
| An issue was discovered in BusyBox before 1.30.0. An out of bounds read
| in udhcp components (consumed by the DHCP server, client, and relay)
| allows a remote attacker to leak sensitive information from the stack
| by sending a crafted DHCP message. This is related to verification in
| udhcp_get_option() in networking/udhcp/common.c that 4-byte options are
| indeed 4 bytes.

Note that the only commit initially referenced for CVE-2018-20679
is incomplete, but see security-tracker for further notes.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-20679
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20679

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
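As an added illustration of the check the CVE description refers to (this is not code from BusyBox or from this bug report): a minimal C option walker that hands back a 4-byte DHCP option only when its length byte is exactly 4 and the value lies inside the buffer. The function names and sample buffers are hypothetical; option codes 51 and 53 are from RFC 2132.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { OPT_PAD = 0, OPT_LEASE_TIME = 51, OPT_END = 255 };  /* RFC 2132 codes */

/* Hypothetical helper: return the value of option `code` only when its
 * length byte equals `want_len` and the value lies inside the buffer. */
static const uint8_t *find_option_exact(const uint8_t *opts, size_t n,
                                        uint8_t code, uint8_t want_len)
{
    size_t i = 0;
    while (i < n) {
        uint8_t c = opts[i];
        if (c == OPT_PAD) { i++; continue; }       /* pad has no length byte */
        if (c == OPT_END) break;
        if (n - i < 2) return NULL;                /* length byte missing */
        uint8_t len = opts[i + 1];
        if (len > n - i - 2) return NULL;          /* value overruns buffer */
        if (c == code)                             /* the fixed-size check */
            return len == want_len ? &opts[i + 2] : NULL;
        i += 2 + (size_t)len;
    }
    return NULL;
}

/* Lease time in seconds, or -1 if option 51 is absent or not 4 bytes. */
int64_t lease_seconds(const uint8_t *opts, size_t n)
{
    const uint8_t *v = find_option_exact(opts, n, OPT_LEASE_TIME, 4);
    if (!v) return -1;
    return ((int64_t)v[0] << 24) | ((int64_t)v[1] << 16) | ((int64_t)v[2] << 8) | v[3];
}

/* Constructed option fields (not captured traffic). */
static const uint8_t OPTS_OK[]    = { 53, 1, 2, 51, 4, 0x00, 0x00, 0x0e, 0x10, 255 };
static const uint8_t OPTS_SHORT[] = { 53, 1, 2, 51, 1, 0x10, 255 };  /* len 1 */
static const uint8_t OPTS_TRUNC[] = { 0, 51, 4, 0x00, 0x00 };        /* cut off */

int main(void)
{
    printf("ok=%lld short=%lld trunc=%lld\n",
           (long long)lease_seconds(OPTS_OK, sizeof OPTS_OK),
           (long long)lease_seconds(OPTS_SHORT, sizeof OPTS_SHORT),
           (long long)lease_seconds(OPTS_TRUNC, sizeof OPTS_TRUNC));
    return 0;
}
```

Without the `len == want_len` comparison, the caller would read four bytes from a one-byte value and pick up whatever follows it in memory.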
--- Begin Message ---
Source: busybox
Source-Version: 1:1.30.1-2

We believe that the bug you reported is fixed in the latest version of
busybox, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 918846@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christoph Biedl <debian.axhn@manchmal.in-ulm.de> (supplier of updated busybox package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 02 Mar 2019 09:11:13 +0100
Source: busybox
Architecture: source
Version: 1:1.30.1-2
Distribution: unstable
Urgency: high
Maintainer: Debian Install System Team <debian-boot@lists.debian.org>
Changed-By: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
Closes: 918846
Changes:
 busybox (1:1.30.1-2) unstable; urgency=high
 .
   * Complete the fix for [CVE-2018-20679] Closes: #918846

--- End Message ---
