-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 15 Feb 2021 11:42:15 +0100
Source: busybox
Binary: busybox busybox-static busybox-udeb busybox-syslogd udhcpc udhcpd
Architecture: source amd64 all
Version: 1:1.22.0-19+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Install System Team <debian-boot@lists.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 busybox    - Tiny utilities for small and embedded systems
 busybox-static - Standalone rescue shell with tons of builtin utilities
 busybox-syslogd - Provides syslogd and klogd using busybox
 busybox-udeb - Tiny utilities for the debian-installer (udeb)
 udhcpc     - Provides the busybox DHCP client implementation
 udhcpd     - Provides the busybox DHCP server implementation
Changes:
 busybox (1:1.22.0-19+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix CVE-2011-5325: A path traversal vulnerability was found in BusyBox's
     implementation of tar. tar will extract a symlink that points outside of
     the current working directory and then follow that symlink when extracting
     other files. This allows for a directory traversal attack when extracting
     untrusted tarballs.
   * Fix CVE-2014-9645: The add_probe function in modutils/modprobe.c in BusyBox
     allows local users to bypass intended restrictions on loading kernel modules
     via a / (slash) character in a module name, as demonstrated by an
     "ifconfig /usbserial up" command or a "mount -t /snd_pcm none /" command.
   * Fix CVE-2016-2147: Integer overflow in the DHCP client (udhcpc) in BusyBox
     allows remote attackers to cause a denial of service (crash) via a
     malformed RFC1035-encoded domain name, which triggers an out-of-bounds heap
     write.
   * Fix CVE-2016-2148: Heap-based buffer overflow in the DHCP client (udhcpc)
     in BusyBox allows remote attackers to have unspecified impact via vectors
     involving OPTION_6RD parsing.
   * Fix CVE-2017-15873: The get_next_block function in
     archival/libarchive/decompress_bunzip2.c in BusyBox has an Integer Overflow
     that may lead to a write access violation.
   * Fix CVE-2017-16544: In the add_match function in libbb/lineedit.c in
     BusyBox, the tab autocomplete feature of the shell, used to get a list of
     filenames in a directory, does not sanitize filenames and results in
     executing any escape sequence in the terminal. This could potentially
     result in code execution, arbitrary file writes, or other attacks.
   * Fix CVE-2018-1000517: BusyBox project BusyBox wget contains a Buffer
     Overflow vulnerability in Busybox wget that can result in heap buffer
     overflow. This attack appears to be exploitable via network connectivity.
   * CVE-2015-9261: Unzipping a specially crafted zip file results in a
     computation of an invalid pointer and a crash reading an invalid address.
Checksums-Sha1:
 9118f0049604a07729841fb131850df18b9d5b7c 2449 busybox_1.22.0-19+deb9u1.dsc
 486fb55c3efa71148fe07895fd713ea3a5ae343a 2218120 busybox_1.22.0.orig.tar.bz2
 1c62cee71e7605133fa5aa6ab599d2c470ec89a9 65068 busybox_1.22.0-19+deb9u1.debian.tar.xz
 a2d42c905224eff64d93d13d88b4e8d1efdddb05 1383120 busybox-dbgsym_1.22.0-19+deb9u1_amd64.deb
 7a2006ee63de423f59aaa79682e2b23d0098c849 1576320 busybox-static-dbgsym_1.22.0-19+deb9u1_amd64.deb
 ea80f5ac7f6789d09d77f46b98b6dd8dd6483664 856002 busybox-static_1.22.0-19+deb9u1_amd64.deb
 f30799f129ac20d4b9b445d85d06190bed143fc0 25048 busybox-syslogd_1.22.0-19+deb9u1_all.deb
 6c89e849239f05a67be0e5c68122e9cf457e61e3 181078 busybox-udeb_1.22.0-19+deb9u1_amd64.udeb
 cbfa93eaf0a29a8589d820b01d15dfc59bdbab3a 8057 busybox_1.22.0-19+deb9u1_amd64.buildinfo
 50c8170e04bdac9b26737dd22506f9f1f64834e8 405652 busybox_1.22.0-19+deb9u1_amd64.deb
 c32f4f186751ac29ebebcbbde2f0e385ed72ebd2 23226 udhcpc_1.22.0-19+deb9u1_amd64.deb
 1bedc4a605ce6b9a32db044db737331228d3c127 25986 udhcpd_1.22.0-19+deb9u1_amd64.deb
Checksums-Sha256:
 3d5564a85e98d0ebc890ea55b0054a43d8b6a75c9054486617336b60bb1c520f 2449 busybox_1.22.0-19+deb9u1.dsc
 92f00cd391b7d5fa2215c8450abe2ba15f9d16c226e8855fb21b6c9a5b723a53 2218120 busybox_1.22.0.orig.tar.bz2
 89d983213df30b2f9828bb751f35776767bd19d9cfedf86b90349ae680a5217e 65068 busybox_1.22.0-19+deb9u1.debian.tar.xz
 87f0d9420628e22deed0b405658d81b86f6a2d6521aaf96eb692237f215039a5 1383120 busybox-dbgsym_1.22.0-19+deb9u1_amd64.deb
 bebcc144c8e131e16b44ee4d120ee1498a814f42068da5680693831e38c569de 1576320 busybox-static-dbgsym_1.22.0-19+deb9u1_amd64.deb
 dd131cce144e1441889931385bf9689b654809710860a8cc2d7501d9037ae165 856002 busybox-static_1.22.0-19+deb9u1_amd64.deb
 749c3945bd7a3b9e8deb51f4d6e1c562515b862e8fd84a0c806f367afff93e45 25048 busybox-syslogd_1.22.0-19+deb9u1_all.deb
 1497c105aac7827fa0166b28c434ab463fea35c1dd87866c5ce2f0c75303eec5 181078 busybox-udeb_1.22.0-19+deb9u1_amd64.udeb
 39cfcd0561f38b8be65fa3151e2278af7d2655bec1be6b19914cd63fe3d9eb72 8057 busybox_1.22.0-19+deb9u1_amd64.buildinfo
 5d07cd5dc43cdf1b8d45beaf383f6fd0c61318c5a5fe74457ec778f449d987ae 405652 busybox_1.22.0-19+deb9u1_amd64.deb
 c30a5aad6678ea4eeb455dc03dbc5208e954ab5c7a040cf89078d595b7063c6d 23226 udhcpc_1.22.0-19+deb9u1_amd64.deb
 efafa3e315c1549bbfff613d94cb0ca0f47dce432afa6b6ae6f968290728a5b2 25986 udhcpd_1.22.0-19+deb9u1_amd64.deb
Files:
 087cb931546c82c7b5a7d51441f3c6c2 2449 utils optional busybox_1.22.0-19+deb9u1.dsc
 ac1881d1cdeb0729b22c663feaf1c663 2218120 utils optional busybox_1.22.0.orig.tar.bz2
 4e1350df9534d4122b2fd8d59fd02bb1 65068 utils optional busybox_1.22.0-19+deb9u1.debian.tar.xz
 6ea02bf4cdc5e21d63ff4ad81ca698bc 1383120 debug extra busybox-dbgsym_1.22.0-19+deb9u1_amd64.deb
 552b92002c8e50e0202bdb72b33a2b4c 1576320 debug extra busybox-static-dbgsym_1.22.0-19+deb9u1_amd64.deb
 d15eb102bdb2d925306e6124a940fa67 856002 shells extra busybox-static_1.22.0-19+deb9u1_amd64.deb
 7e3234723bd248afac6c7647336ef865 25048 utils optional busybox-syslogd_1.22.0-19+deb9u1_all.deb
 31f0d7eb9a7232058cceec8d5423f36c 181078 debian-installer extra busybox-udeb_1.22.0-19+deb9u1_amd64.udeb
 d3be13642c85bee83fde1e7dc3b02057 8057 utils optional busybox_1.22.0-19+deb9u1_amd64.buildinfo
 20fdd51377f9005feb031e999921d0dd 405652 utils optional busybox_1.22.0-19+deb9u1_amd64.deb
 332a92e673903a1463d770b4054664c6 23226 net optional udhcpc_1.22.0-19+deb9u1_amd64.deb
 ff78f745c125ca4bd5a9c4e40f66b44e 25986 net optional udhcpd_1.22.0-19+deb9u1_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmAqU6xfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1HkLa0QAJSAHURxaFvweS3GfiMIhAQ0/meZ7SB8GMRM
fMl1XSgazayRNIXazEJVWKJOQZLZ+uj40gMrkEYlrCuy/RUawYGkPx+3gqlasseQ
oCzg2qm21l7Tw6VTFxKX63oTkt7Zp0Kfas2jE5jYAUuXl/Fia3guulXobJpcAPnX
QpoZmqSifKIzBQsfRs/FLuG2j2m5Kob9sZ/mVQ0n5cmZtv5Z5O55BpbM6smCBtH1
tsoVyrrNChFW99jZf/n6NvPU36OumhGiVJTSoJIYhR2VMfC2SDN3lIGlzwSTeqS2
lKDnqh1xU08GvaxzF2Z8uip7W80SvlLkJQ8wdm1M22Qt3xA9JQVhxS/Cs6heHkny
0lthc3EoE/hsAN+D0k9UP+NzDjRzT1GM7tU87kJ7p8yBHrEs1uPnvbxYGTiI1QXE
+OZI0YyrjBiuuEewdMrkTurP39azOD0TgpE6n52tVwbqNzeT/luLBVAZVHd5x43h
+JqR+c6Z7rHbxZOpvEZsNrocacK00qsGLmZFqjyzAOHktGjePTRZGl6cJ75hLvvH
uNhqAKdQ/gvAEK7RYXqL9Kf3Bvdck+iNkLm/7q3npcFCPCK4DmCfLfl4hHEVoY81
1W5W9OkX/2jbiS8JKUjOZAF3WoCkqphboG20a11re8uwoEKxAvHzcTMqMzRH2Wzh
ZAIAOnns
=UkgI
-----END PGP SIGNATURE-----
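The CVE-2011-5325 entry above describes the shape of the tar bug: an archive first delivers a symlink whose target lies outside the extraction directory, then a later member whose path runs through that symlink, so the extractor writes the file wherever the link points. The following is an added example, not BusyBox or Debian code, of the pre-extraction audit a practitioner can run on an untrusted tarball before handing it to any tar implementation. It replays member order against a virtual tree of the symlinks created so far. The function names (`resolve`, `audit_tar`, `_tar`), the hop limit and the two sample archives are all constructed for this example.

```python
"""Pre-extraction audit for the symlink traversal pattern behind
CVE-2011-5325.  Added example, not BusyBox code; sample tarballs below
are constructed in memory."""
import io
import posixpath
import tarfile
from typing import Dict, List, Optional

MAX_HOPS = 40  # assumed limit; refuse archives whose link chains never settle


def resolve(path: str, symlinks: Dict[str, str]) -> Optional[str]:
    """Resolve a member path the way an extractor walking the tree would,
    following symlinks created by earlier members.  Returns the normalized
    path relative to the extraction root, or None if any step leaves the
    root (absolute name, '..' above the root, absolute or escaping link
    target, or a link loop)."""
    if path.startswith("/"):
        return None
    parts = [p for p in path.split("/") if p not in ("", ".")]
    cur: List[str] = []
    hops = 0
    while parts:
        comp = parts.pop(0)
        if comp == "..":
            if not cur:
                return None            # climbed above the extraction root
            cur.pop()
            continue
        cur.append(comp)
        target = symlinks.get("/".join(cur))
        if target is None:
            continue
        hops += 1
        if hops > MAX_HOPS:
            return None                # symlink loop
        cur.pop()                      # link component is replaced by its target,
        if target.startswith("/"):     # which is relative to the link's directory
            return None
        parts = [p for p in target.split("/") if p not in ("", ".")] + parts
    return "/".join(cur)


def audit_tar(data: bytes) -> List[str]:
    """Walk members in archive order (the order is the attack: link first,
    file through it second) and report anything landing outside the root.
    An empty list means nothing suspicious was found."""
    findings: List[str] = []
    symlinks: Dict[str, str] = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf:
            where = resolve(m.name, symlinks)
            if where is None:
                findings.append(f"{m.name!r} would be written outside the extraction root")
                continue
            if m.issym():
                symlinks[where] = m.linkname
                target = posixpath.join(posixpath.dirname(where), m.linkname)
                if resolve(target, symlinks) is None:
                    findings.append(f"symlink {m.name!r} -> {m.linkname!r} points outside the extraction root")
    return findings


def _tar(members) -> bytes:
    """Build a tar in memory from (name, kind, payload_or_linkname) triples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, kind, arg in members:
            ti = tarfile.TarInfo(name)
            if kind == "dir":
                ti.type = tarfile.DIRTYPE
                tf.addfile(ti)
            elif kind == "symlink":
                ti.type = tarfile.SYMTYPE
                ti.linkname = arg
                tf.addfile(ti)
            else:
                ti.size = len(arg)
                tf.addfile(ti, io.BytesIO(arg))
    return buf.getvalue()


def build_malicious_tar() -> bytes:
    # Constructed sample in the CVE-2011-5325 shape: link out, then write through it.
    return _tar([
        ("escape", "symlink", "../../../tmp"),
        ("escape/pwned.txt", "file", b"written outside the extraction dir\n"),
    ])


def build_benign_tar() -> bytes:
    # Constructed sample: an in-tree relative symlink (the usual busybox layout) is fine.
    return _tar([
        ("bin", "dir", None),
        ("bin/busybox", "file", b"\x7fELF...\n"),
        ("bin/sh", "symlink", "busybox"),
        ("docs/README", "file", b"hello\n"),
    ])


if __name__ == "__main__":
    for label, blob in (("benign", build_benign_tar()), ("malicious", build_malicious_tar())):
        print(label, audit_tar(blob) or ["clean"])
```

The audit is deliberately conservative: it also treats a symlink that is the final path component as traversal, and it refuses absolute member names rather than silently stripping the leading slash as tar itself does. If you are extracting with Python 3.12 or later, `TarFile.extractall(filter="data")` applies equivalent rules at extraction time; this script is for auditing before an unpatched native tar touches the archive.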
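The Checksums-Sha256 and Files sections of the signed message above are what let a consumer confirm that the .dsc, orig tarball and binary packages they downloaded are the ones this advisory describes. The following is an added example, not Debian tooling (the `dscverify` tool from devscripts does this for real, after checking the signature), of parsing those two deb822-style multi-line fields and verifying artifacts on disk against them. `CHANGES_EXCERPT` is copied from the advisory above (four of its twelve entries); the function names `parse_changes`, `verify_files` and `demo`, and the stand-in files `demo` writes to a temporary directory, are constructed for this example.

```python
"""Parse the Checksums-Sha256 / Files fields of a Debian .changes file and
verify downloaded artifacts against them.  Added example, not Debian
tooling.  CHANGES_EXCERPT is copied from the busybox 1:1.22.0-19+deb9u1
advisory; demo() uses constructed stand-in files."""
import hashlib
import os
import tempfile
from typing import Dict

CHANGES_EXCERPT = """\
Format: 1.8
Source: busybox
Version: 1:1.22.0-19+deb9u1
Checksums-Sha256:
 3d5564a85e98d0ebc890ea55b0054a43d8b6a75c9054486617336b60bb1c520f 2449 busybox_1.22.0-19+deb9u1.dsc
 92f00cd391b7d5fa2215c8450abe2ba15f9d16c226e8855fb21b6c9a5b723a53 2218120 busybox_1.22.0.orig.tar.bz2
 5d07cd5dc43cdf1b8d45beaf383f6fd0c61318c5a5fe74457ec778f449d987ae 405652 busybox_1.22.0-19+deb9u1_amd64.deb
 c30a5aad6678ea4eeb455dc03dbc5208e954ab5c7a040cf89078d595b7063c6d 23226 udhcpc_1.22.0-19+deb9u1_amd64.deb
Files:
 087cb931546c82c7b5a7d51441f3c6c2 2449 utils optional busybox_1.22.0-19+deb9u1.dsc
 ac1881d1cdeb0729b22c663feaf1c663 2218120 utils optional busybox_1.22.0.orig.tar.bz2
 20fdd51377f9005feb031e999921d0dd 405652 utils optional busybox_1.22.0-19+deb9u1_amd64.deb
 332a92e673903a1463d770b4054664c6 23226 net optional udhcpc_1.22.0-19+deb9u1_amd64.deb
"""


def parse_changes(text: str) -> Dict[str, dict]:
    """Return {filename: {...}} built from the Checksums-Sha256 and Files
    fields.  Continuation lines begin with whitespace (deb822 layout).
    Raises ValueError if the two fields disagree on a file's size."""
    entries: Dict[str, dict] = {}
    field = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] not in " \t":            # a new "Field: value" line
            field = raw.split(":", 1)[0]
            continue
        parts = raw.split()
        if field == "Checksums-Sha256" and len(parts) == 3:
            digest, size, name = parts
            new = {"sha256": digest, "size": int(size)}
        elif field == "Files" and len(parts) == 5:
            md5, size, section, priority, name = parts
            new = {"md5": md5, "size": int(size), "section": section, "priority": priority}
        else:
            continue
        e = entries.setdefault(name, {})
        if "size" in e and e["size"] != new["size"]:
            raise ValueError(f"size mismatch between fields for {name}")
        e.update(new)
    return entries


def verify_files(entries: Dict[str, dict], directory: str) -> Dict[str, str]:
    """Check each listed file on disk.  Status per file: 'ok', 'missing',
    'size-mismatch', 'sha256-mismatch', or 'no-sha256' (present in Files
    only; an MD5 alone is not accepted as an integrity check)."""
    results: Dict[str, str] = {}
    for name, e in entries.items():
        if "sha256" not in e:
            results[name] = "no-sha256"
            continue
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        if len(data) != e["size"]:
            results[name] = "size-mismatch"
        elif hashlib.sha256(data).hexdigest() != e["sha256"]:
            results[name] = "sha256-mismatch"
        else:
            results[name] = "ok"
    return results


def demo() -> Dict[str, str]:
    """Constructed listing and files (no real .debs): one intact, one with
    a flipped byte, one absent, one listed without a SHA-256 line."""
    good = b"constructed stand-in for a .deb, not a real package\n"
    digest, n = hashlib.sha256(good).hexdigest(), len(good)
    md5 = "0" * 32                          # placeholder; MD5 is not checked here
    listing = (
        "Format: 1.8\nChecksums-Sha256:\n"
        f" {digest} {n} good.deb\n {digest} {n} tampered.deb\n {digest} {n} absent.deb\n"
        "Files:\n"
        f" {md5} {n} utils optional good.deb\n {md5} {n} utils optional tampered.deb\n"
        f" {md5} {n} utils optional absent.deb\n {md5} {n} utils optional md5only.deb\n"
    )
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "good.deb"), "wb") as fh:
            fh.write(good)
        with open(os.path.join(d, "tampered.deb"), "wb") as fh:
            fh.write(bytes([good[0] ^ 0x01]) + good[1:])   # same length, different bytes
        return verify_files(parse_changes(listing), d)


if __name__ == "__main__":
    print(demo())
```

The checksums only bind the artifacts to this advisory once the PGP signature over the cleartext has been verified against the Debian keyring (`gpg --verify` on the .changes file); a listing whose signature does not check out is just text, and the size cross-check between the two fields is there to catch a listing that was edited inconsistently.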