
Re: BusyBox CVE-2022-48174 in Bookworm



Wolfgang Ocker wrote...

> Hello Busybox Package Maintainers:
>
> I hope I have found the correct email address for my question.

It's good enough.

> https://security-tracker.debian.org/tracker/CVE-2022-48174
>
> It says here that the stack overflow bug in Busybox (CVE-2022-48174)
> has not yet been fixed in Bookworm because it is only a minor issue.

It seems this was fixed in 1:1.30.1-6+deb11u1 in January 2025:

| busybox (1:1.30.1-6+deb11u1) bullseye-security; urgency=high
|
|   * Non-maintainer upload by the LTS Security Team.
|   * Import patches for
|     (Cherry-picked from 1:1.30-1.4ubuntu6.4)
|       - CVE-2021-28831 (Closes: #985674),
|       - CVE-2021-42374, CVE-2021-42378, CVE-2021-42379, CVE-2021-42380,
|         CVE-2021-42381, CVE-2021-42382, CVE-2021-42384, CVE-2021-42385,
|         CVE-2021-42386 (Closes: #999567),
|     (Cherry-picked from 1:1.30.1-7ubuntu3.1)
!       - CVE-2022-48174 (Closes: #1059049)
|   * Backport patch for CVE-2023-42364. This patch also covers
|     CVE-2023-42365 (Closes: #1059051, #1059052)
|
|  -- Tobias Frost <tobi@debian.org>  Sun, 19 Jan 2025 10:30:58 +0100

> I would be very interested to know why you came to this conclusion, as
> I can't find any reference to it in the corresponding bug tracker
> entry:
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059049

This creates the question why the bits in the tracker were not updated
properly. I'll ask around behind the curtain.

    Christoph
