There are 18 open security issues in bullseye.
18 issues left for the package maintainer to handle:
- CVE-2021-28831 (needs triaging): decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data.
- CVE-2021-42377 (needs triaging): An attacker-controlled pointer free in Busybox's hush applet leads to denial of service and possible code execution when processing a crafted shell command, due to the shell mishandling the &&& string. This may be used for remote code execution under rare conditions of filtered command input.
- CVE-2021-42378 (needs triaging): A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function.
- CVE-2021-42379 (needs triaging): A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file function.
- CVE-2021-42380 (needs triaging): A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function.
- CVE-2021-42381 (needs triaging): A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init function.
- CVE-2021-42382 (needs triaging): A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s function.
- CVE-2021-42383 (needs triaging): A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function.
- CVE-2021-42384 (needs triaging): A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function.
- CVE-2021-42385 (needs triaging): A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function.
- CVE-2021-42386 (needs triaging): A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function.
- CVE-2022-28391 (needs triaging): BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors.
- CVE-2022-48174 (needs triaging): There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution.
- CVE-2023-39810 (needs triaging): An issue in the CPIO command of Busybox v1.33.2 allows attackers to execute a directory traversal.
- CVE-2023-42363 (needs triaging): A use-after-free vulnerability was discovered in the xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1.
- CVE-2023-42364 (needs triaging): A use-after-free vulnerability in BusyBox v.1.36.1 allows attackers to cause a denial of service via a crafted awk pattern in the awk.c evaluate function.
- CVE-2023-42365 (needs triaging): A use-after-free vulnerability was discovered in BusyBox v.1.36.1 via a crafted awk pattern in the awk.c copyvar function.
- CVE-2023-42366 (needs triaging): A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in the next_token function at awk.c:1159.
You can find information about how to handle these issues in the security team's documentation.