
Accepted busybox 1:1.22.0-19+deb9u1 (source amd64 all) into oldstable



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 15 Feb 2021 11:42:15 +0100
Source: busybox
Binary: busybox busybox-static busybox-udeb busybox-syslogd udhcpc udhcpd
Architecture: source amd64 all
Version: 1:1.22.0-19+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Install System Team <debian-boot@lists.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 busybox    - Tiny utilities for small and embedded systems
 busybox-static - Standalone rescue shell with tons of builtin utilities
 busybox-syslogd - Provides syslogd and klogd using busybox
 busybox-udeb - Tiny utilities for the debian-installer (udeb)
 udhcpc     - Provides the busybox DHCP client implementation
 udhcpd     - Provides the busybox DHCP server implementation
Changes:
 busybox (1:1.22.0-19+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix CVE-2011-5325:
     A path traversal vulnerability was found in the BusyBox implementation of tar.
     tar will extract a symlink that points outside of the current working
     directory and then follow that symlink when extracting other files. This
     allows for a directory traversal attack when extracting untrusted tarballs.
   * Fix CVE-2014-9645:
     The add_probe function in modutils/modprobe.c in BusyBox allows local users
     to bypass intended restrictions on loading kernel modules via a / (slash)
     character in a module name, as demonstrated by an "ifconfig /usbserial up"
     command or a "mount -t /snd_pcm none /" command.
   * Fix CVE-2016-2147:
     Integer overflow in the DHCP client (udhcpc) in BusyBox allows remote
     attackers to cause a denial of service (crash) via a malformed
     RFC1035-encoded domain name, which triggers an out-of-bounds heap write.
   * Fix CVE-2016-2148:
     Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox allows
     remote attackers to have unspecified impact via vectors involving
     OPTION_6RD parsing.
   * Fix CVE-2017-15873:
     The get_next_block function in archival/libarchive/decompress_bunzip2.c in
     BusyBox has an Integer Overflow that may lead to a write access violation.
   * Fix CVE-2017-16544:
     In the add_match function in libbb/lineedit.c in BusyBox, the tab
     autocomplete feature of the shell, used to get a list of filenames in a
     directory, does not sanitize filenames and results in executing any escape
     sequence in the terminal. This could potentially result in code execution,
     arbitrary file writes, or other attacks.
   * Fix CVE-2018-1000517:
     BusyBox project BusyBox wget contains a Buffer Overflow vulnerability in
     BusyBox wget that can result in heap buffer overflow. This attack appears to
     be exploitable via network connectivity.
   * CVE-2015-9261:
     Unzipping a specially crafted zip file results in a computation of an
     invalid pointer and a crash reading an invalid address.

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----
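
The CVE-2011-5325 entry above describes an archive that first creates a symlink pointing outside the working directory and then places files underneath it. The following pre-extraction audit for that pattern is an added example, not code from BusyBox or from the Debian patch; `audit_tar` and `build_sample` are hypothetical names and the sample archive is constructed in memory.

```python
import io
import posixpath
import tarfile


def _escapes(path):
    """True if a normalised relative path climbs above the extraction root."""
    return path == ".." or path.startswith("../")


def audit_tar(fileobj):
    """List (member, reason) findings for an archive without extracting it."""
    findings, bad_links = [], set()
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for m in tar:
            name = posixpath.normpath(m.name.lstrip("/"))
            parts = name.split("/")
            prefixes = {"/".join(parts[:i]) for i in range(1, len(parts) + 1)}
            if m.name.startswith("/") or _escapes(name):
                findings.append((m.name, "member path leaves extraction root"))
            elif prefixes & bad_links:
                # The CVE-2011-5325 pattern: a later member is written
                # through a symlink that an earlier member created.
                findings.append((m.name, "path passes through escaping symlink"))
            elif m.issym():
                # Symlink targets resolve relative to the link's own directory.
                target = posixpath.normpath(
                    posixpath.join(posixpath.dirname(name), m.linkname))
                if m.linkname.startswith("/") or _escapes(target):
                    bad_links.add(name)
                    findings.append((m.name, "symlink target leaves extraction root"))
    return findings


def build_sample():
    """Constructed archive: an escaping symlink, a file under it, a benign file."""
    buf, data = io.BytesIO(), b"constructed payload\n"
    with tarfile.open(fileobj=buf, mode="w") as tar:
        link = tarfile.TarInfo("sub/up")
        link.type, link.linkname = tarfile.SYMTYPE, "../.."
        tar.addfile(link)
        for path in ("sub/up/outside.txt", "docs/readme.txt"):
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for member, reason in audit_tar(build_sample()):
        print(f"{member}: {reason}")
```

The audit flags each symlink on its own target only; it does not resolve chains in which one in-archive symlink points at another.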

