Re: BusyBox CVE-2022-48174 in Bookworm
On Tue, 2025-10-21 at 12:13 +0200, Christoph Biedl wrote:
> Wolfgang Ocker wrote...
>
> > Hello Busybox Package Maintainers:
> >
> > I hope I have found the correct email address for my question.
>
> It's good enough.
>
> > https://security-tracker.debian.org/tracker/CVE-2022-48174
> >
> > It says here that the stack overflow bug in Busybox (CVE-2022-48174)
> > has not yet been fixed in Bookworm because it is only a minor issue.
>
> It seems this was fixed in 1:1.30.1-6+deb11u1 in January 2025:
I was wondering why the fix was made available for Bullseye and earlier
releases (and Trixie), but not for Bookworm. Bookworm provides
busybox-static 1:1.35.0-4+b5 ...
>
> > busybox (1:1.30.1-6+deb11u1) bullseye-security; urgency=high
> >
> >   * Non-maintainer upload by the LTS Security Team.
> >   * Import patches for
> >     (Cherry-picked from 1:1.30-1.4ubuntu6.4)
> >     - CVE-2021-28831 (Closes: #985674),
> >     - CVE-2021-42374, CVE-2021-42378, CVE-2021-42379, CVE-2021-42380,
> >       CVE-2021-42381, CVE-2021-42382, CVE-2021-42384, CVE-2021-42385,
> >       CVE-2021-42386 (Closes: #999567),
> >     (Cherry-picked from 1:1.30.1-7ubuntu3.1)
> !     - CVE-2022-48174 (Closes: #1059049)
> >   * Backport patch for CVE-2023-42364. This patch also covers
> >     CVE-2023-42365 (Closes: #1059051, #1059052)
> >
> >  -- Tobias Frost <tobi@debian.org>  Sun, 19 Jan 2025 10:30:58 +0100
>
> > I would be very interested to know why you came to this conclusion, as
> > I can't find any reference to it in the corresponding bug tracker entry:
> >
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059049
>
> This creates the question why the bits in the tracker were not updated
> properly. I'll ask around behind the curtain.
>
> Christoph
Thanks for the quick reply!
Wolfgang