
Bug#1055307: marked as done (busybox: CVE-2023-39810)



Your message dated Fri, 31 Oct 2025 10:05:39 +0000
with message-id <E1vEm0p-00A4ym-2Q@fasolo.debian.org>
and subject line Bug#1055307: fixed in busybox 1:1.37.0-7
has caused the Debian Bug report #1055307,
regarding busybox: CVE-2023-39810
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1055307: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055307
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: busybox
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for busybox.

CVE-2023-39810[0]:
| An issue in the CPIO command of Busybox v1.33.2 allows attackers to
| execute a directory traversal.

https://www.pentagrid.ch/en/blog/busybox-cpio-directory-traversal-vulnerability/

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-39810
    https://www.cve.org/CVERecord?id=CVE-2023-39810

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: busybox
Source-Version: 1:1.37.0-7
Done: Michael Tokarev <mjt@tls.msk.ru>

We believe that the bug you reported is fixed in the latest version of
busybox, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1055307@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Tokarev <mjt@tls.msk.ru> (supplier of updated busybox package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 31 Oct 2025 12:47:09 +0300
Source: busybox
Architecture: source
Version: 1:1.37.0-7
Distribution: unstable
Urgency: medium
Maintainer: Debian Install System Team <debian-boot@lists.debian.org>
Changed-By: Michael Tokarev <mjt@tls.msk.ru>
Closes: 1055307 1119539
Changes:
 busybox (1:1.37.0-7) unstable; urgency=medium
 .
   * patches/archival-disallow-path-traversals-CVE-2023-39810.patch
     (Closes: #1055307, CVE-2023-39810)
   * archival-disallow-path-traversals-CVE-2023-39810.patch:
     use the correct "echo" when constructing the archive
   * d/config/pkg/* CONFIG_FEATURE_PATH_TRAVERSAL_PROTECTION=y
   * enable chattr and lsattr applets (Closes: #1119539)
   * udeb: install all links in /usr/, do not touch /bin & /sbin



--- End Message ---
