-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 27 Jul 2018 00:53:58 +0200
Source: busybox
Binary: busybox busybox-static busybox-udeb busybox-syslogd udhcpc udhcpd
Architecture: source amd64 all
Version: 1:1.22.0-9+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Debian Install System Team <debian-boot@lists.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 busybox    - Tiny utilities for small and embedded systems
 busybox-static - Standalone rescue shell with tons of builtin utilities
 busybox-syslogd - Provides syslogd and klogd using busybox
 busybox-udeb - Tiny utilities for the debian-installer (udeb)
 udhcpc     - Provides the busybox DHCP client implementation
 udhcpd     - Provides the busybox DHCP server implementation
Changes:
 busybox (1:1.22.0-9+deb8u2) jessie-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix CVE-2011-5325: A path traversal vulnerability was found in the
     BusyBox implementation of tar. tar will extract a symlink that points
     outside of the current working directory and then follow that symlink
     when extracting other files. This allows for a directory traversal
     attack when extracting untrusted tarballs.
   * Fix CVE-2014-9645: The add_probe function in modutils/modprobe.c in
     BusyBox allows local users to bypass intended restrictions on loading
     kernel modules via a / (slash) character in a module name, as
     demonstrated by an "ifconfig /usbserial up" command or a
     "mount -t /snd_pcm none /" command.
   * Fix CVE-2016-2147: Integer overflow in the DHCP client (udhcpc) in
     BusyBox allows remote attackers to cause a denial of service (crash)
     via a malformed RFC1035-encoded domain name, which triggers an
     out-of-bounds heap write.
   * Fix CVE-2016-2148: Heap-based buffer overflow in the DHCP client
     (udhcpc) in BusyBox allows remote attackers to have unspecified impact
     via vectors involving OPTION_6RD parsing.
   * Fix CVE-2017-15873: The get_next_block function in
     archival/libarchive/decompress_bunzip2.c in BusyBox has an integer
     overflow that may lead to a write access violation.
   * Fix CVE-2017-16544: In the add_match function in libbb/lineedit.c in
     BusyBox, the tab autocomplete feature of the shell, used to get a list
     of filenames in a directory, does not sanitize filenames and results in
     executing any escape sequence in the terminal. This could potentially
     result in code execution, arbitrary file writes, or other attacks.
   * Fix CVE-2018-1000517: BusyBox wget contains a buffer overflow
     vulnerability that can result in a heap buffer overflow. This attack
     appears to be exploitable via network connectivity.
   * Fix CVE-2015-9261: Unzipping a specially crafted zip file results in
     the computation of an invalid pointer and a crash reading an invalid
     address.
Checksums-Sha1:
Checksums-Sha256:
Files: