Loading...

Type: Security Vulnerability
Resolution: Fixed
Priority: Severe (Users)
Fix Version/s: None
Component/s: None
Labels:
None

Impact:

Hide
Older versions of busybox (used in initramfs in genkernel and as a stand-alone ebuild by Funtoo users) have awk exploits and other odd network exploits. Since busybox is not used by default in Funtoo, likely negative impact to users is very low but we should investigate autogen and update of genkernel to fixed versions.

Show
Older versions of busybox (used in initramfs in genkernel and as a stand-alone ebuild by Funtoo users) have awk exploits and other odd network exploits. Since busybox is not used by default in Funtoo, likely negative impact to users is very low but we should investigate autogen and update of genkernel to fixed versions.

Busybox has many cve errors. Many of them would be solved by the autogen mechanism. I remember that at the beginning with @drobins we weren't sure if it should be autogen. I personally already have autogen and I have no problems but maybe someone more experienced should look at it.

[
  {
    "id": "CVE-2021-42376",
    "is_known_exploited_vuln": false,
    "description": "A NULL pointer dereference in Busybox's hush applet leads to denial of service when processing a crafted shell command, due to missing validation after a \\x03 delimiter character. This may be used for DoS under very rare conditions of filtered command input.",
    "urls": [
      "https://nvd.nist.gov/vuln/detail/CVE-2021-42376",
      "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/",
      "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/",
      "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/",
      "https://security.netapp.com/advisory/ntap-20211223-0002/"
    ]
  },
  {
    "id": "CVE-2022-28391",
    "is_known_exploited_vuln": false,
    "description": "BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors.",
    "urls": [
      "https://nvd.nist.gov/vuln/detail/CVE-2022-28391",
      "https://git.alpinelinux.org/aports/plain/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch",
      "https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661",
      "https://git.alpinelinux.org/aports/plain/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch"
    ]
  },
  {
    "id": "CVE-2021-42378",
    "is_known_exploited_vuln": false,
    "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function",
    "urls": [
      "https://nvd.nist.gov/vuln/detail/CVE-2021-42378",
      "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/",
      "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/",
      "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/",
      "https://security.netapp.com/advisory/ntap-20211223-0002/"
    ]
  },
  {
    "id": "CVE-2021-42386",
    "is_known_exploited_vuln": false,
    "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function",
    "urls": [
      "https://nvd.nist.gov/vuln/detail/CVE-2021-42386",
      "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/",
      "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/",
      "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/",
      "https://security.netapp.com/advisory/ntap-20211223-0002/"
    ]
  },
  {
    "id": "CVE-2021-42374",
    "is_known_exploited_vuln": false,
    "description": "An out-of-bounds heap read in Busybox's unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format that",
    "urls": [
      "https://nvd.nist.gov/vuln/detail/CVE-2021-42374",
      "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/",
      "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/",
      "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/",
      "https://security.netapp.com/advisory/ntap-20211223-0002/"
    ]
  },
  {
    "id": "CVE-2021-42379",
    "is_known_exploited_vuln": false,
    "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file function",
    "urls": [
      "https://nvd.nist.gov/vuln/detail/CVE-2021-42379",
      "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/",
      "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/",
      "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/",
      "https://security.netapp.com/advisory/ntap-20211223-0002/"
    ]
  },
  {
    "id": "CVE-2021-42381",
    "is_known_exploited_vuln": false,
    "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init function",
    "urls": [
      "https://nvd.nist.gov/vuln/detail/CVE-2021-42381",
      "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/",
      "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/",
      "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/",
      "https://security.netapp.com/advisory/ntap-20211223-0002/"
    ]
  },
  {
    "id": "CVE-2021-42382",
    "is_known_exploited_vuln": false,
    "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s function",
    "urls": [
      "https://nvd.nist.gov/vuln/detail/CVE-2021-42382",
      "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/",
      "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/",
      "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/",
      "https://security.netapp.com/advisory/ntap-20211223-0002/"
    ]
  },
  {
    "id": "CVE-2021-42384",
    "is_known_exploited_vuln": false,
    "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function",
    "urls": [
      "https://nvd.nist.gov/vuln/detail/CVE-2021-42384",
      "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/",
      "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/",
      "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/",
      "https://security.netapp.com/advisory/ntap-20211223-0002/"
    ]
  },
  {
    "id": "CVE-2021-28831",
    "is_known_exploited_vuln": false,
    "description": "decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data.",
    "urls": [
      "https://nvd.nist.gov/vuln/detail/CVE-2021-28831",
      "https://git.busybox.net/busybox/commit/?id=f25d254dfd4243698c31a4f3153d4ac72aa9e9bd",
      "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZASBW7QRRLY5V2R44MQ4QQM4CZIDHM2U/",
      "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z7ZIFKPRR32ZYA3WAA2NXFA3QHHOU6FJ/",
      "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UDQGJRECXFS5EZVDH2OI45FMO436AC4/",
      "https://lists.debian.org/debian-lts-announce/2021/04/msg00001.html",
      "https://security.gentoo.org/glsa/202105-09"
    ]
  },
  {
    "id": "CVE-2021-42385",
    "is_known_exploited_vuln": false,
    "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function",
    "urls": [
      "https://nvd.nist.gov/vuln/detail/CVE-2021-42385",
      "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/",
      "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/",
      "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/",
      "https://security.netapp.com/advisory/ntap-20211223-0002/"
    ]
  },
  {
    "id": "CVE-2021-42380",
    "is_known_exploited_vuln": false,
    "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function",
    "urls": [
      "https://nvd.nist.gov/vuln/detail/CVE-2021-42380",
      "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/",
      "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/",
      "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/",
      "https://security.netapp.com/advisory/ntap-20211223-0002/"
    ]
  }
]

relates to

FL-10364 [next] sys-apps/busybox-1.35.0::core-kit build failed

Closed

Details

Description

Attachments

Issue Links

Activity

People

Dates