- Security Vulnerability
- Resolution: Fixed
- Severe (Users)
Busybox has many CVE errors. Many of them would be solved by the autogen mechanism. I remember that at the beginning with @drobins we weren't sure if it should be autogen. I personally already have autogen and I have no problems, but maybe someone more experienced should look at it.
[ { "id": "CVE-2021-42376", "is_known_exploited_vuln": false, "description": "A NULL pointer dereference in Busybox's hush applet leads to denial of service when processing a crafted shell command, due to missing validation after a \\x03 delimiter character. This may be used for DoS under very rare conditions of filtered command input.", "urls": [ "https://nvd.nist.gov/vuln/detail/CVE-2021-42376", "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", "https://security.netapp.com/advisory/ntap-20211223-0002/" ] }, { "id": "CVE-2022-28391", "is_known_exploited_vuln": false, "description": "BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. 
Alternatively, the attacker could choose to change the terminal's colors.", "urls": [ "https://nvd.nist.gov/vuln/detail/CVE-2022-28391", "https://git.alpinelinux.org/aports/plain/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch", "https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661", "https://git.alpinelinux.org/aports/plain/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch" ] }, { "id": "CVE-2021-42378", "is_known_exploited_vuln": false, "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function", "urls": [ "https://nvd.nist.gov/vuln/detail/CVE-2021-42378", "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", "https://security.netapp.com/advisory/ntap-20211223-0002/" ] }, { "id": "CVE-2021-42386", "is_known_exploited_vuln": false, "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function", "urls": [ "https://nvd.nist.gov/vuln/detail/CVE-2021-42386", "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", "https://security.netapp.com/advisory/ntap-20211223-0002/" ] }, { "id": "CVE-2021-42374", "is_known_exploited_vuln": false, "description": "An out-of-bounds heap read in 
Busybox's unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format that", "urls": [ "https://nvd.nist.gov/vuln/detail/CVE-2021-42374", "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", "https://security.netapp.com/advisory/ntap-20211223-0002/" ] }, { "id": "CVE-2021-42379", "is_known_exploited_vuln": false, "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file function", "urls": [ "https://nvd.nist.gov/vuln/detail/CVE-2021-42379", "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", "https://security.netapp.com/advisory/ntap-20211223-0002/" ] }, { "id": "CVE-2021-42381", "is_known_exploited_vuln": false, "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init function", "urls": [ "https://nvd.nist.gov/vuln/detail/CVE-2021-42381", "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", "https://security.netapp.com/advisory/ntap-20211223-0002/" ] }, { "id": "CVE-2021-42382", "is_known_exploited_vuln": false, "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s function", "urls": [ "https://nvd.nist.gov/vuln/detail/CVE-2021-42382", "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", "https://security.netapp.com/advisory/ntap-20211223-0002/" ] }, { "id": "CVE-2021-42384", "is_known_exploited_vuln": false, "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function", "urls": [ "https://nvd.nist.gov/vuln/detail/CVE-2021-42384", "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", "https://security.netapp.com/advisory/ntap-20211223-0002/" ] }, { "id": "CVE-2021-28831", "is_known_exploited_vuln": false, "description": "decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data.", "urls": [ "https://nvd.nist.gov/vuln/detail/CVE-2021-28831", 
"https://git.busybox.net/busybox/commit/?id=f25d254dfd4243698c31a4f3153d4ac72aa9e9bd", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZASBW7QRRLY5V2R44MQ4QQM4CZIDHM2U/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z7ZIFKPRR32ZYA3WAA2NXFA3QHHOU6FJ/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UDQGJRECXFS5EZVDH2OI45FMO436AC4/", "https://lists.debian.org/debian-lts-announce/2021/04/msg00001.html", "https://security.gentoo.org/glsa/202105-09" ] }, { "id": "CVE-2021-42385", "is_known_exploited_vuln": false, "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function", "urls": [ "https://nvd.nist.gov/vuln/detail/CVE-2021-42385", "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", "https://security.netapp.com/advisory/ntap-20211223-0002/" ] }, { "id": "CVE-2021-42380", "is_known_exploited_vuln": false, "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function", "urls": [ "https://nvd.nist.gov/vuln/detail/CVE-2021-42380", "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", 
"https://security.netapp.com/advisory/ntap-20211223-0002/" ] } ]
- relates to
- FL-10364 [next] sys-apps/busybox-1.35.0::core-kit build failed
- Closed