busybox - Debian Package Tracker

general

source: busybox (main)
version: 1:1.30.1-7
maintainer: Debian Install System Team (archive) (DMD)
uploaders: Chris Boot [DMD] – Christoph Biedl [DMD]
arch: all any
std-ver: 4.1.5
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1:1.22.0-19
o-o-sec: 1:1.22.0-19+deb9u2
oldstable: 1:1.30.1-4
stable: 1:1.30.1-6
testing: 1:1.30.1-7
unstable: 1:1.30.1-7

versioned links

1:1.22.0-19: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:1.22.0-19+deb9u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:1.30.1-4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:1.30.1-6: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:1.30.1-7: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

busybox (22 bugs: 0, 11, 11, 0)
busybox-static (6 bugs: 0, 4, 2, 0)
busybox-syslogd (2 bugs: 0, 2, 0, 0)
busybox-udeb (3 bugs: 0, 1, 2, 0)
udhcpc (3 bugs: 0, 0, 3, 0)
udhcpd (5 bugs: 0, 4, 1, 0)

action needed

A new upstream version is available: 1.35.0 high

A new upstream version 1.35.0 is available, you should consider packaging it.

Created: 2022-04-29 Last update: 2022-05-19 03:06

12 security issues in sid high

There are 12 open security issues in sid.

12 important issues:

CVE-2021-28831: decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data.
CVE-2021-42377: An attacker-controlled pointer free in Busybox's hush applet leads to denial of service and possible code execution when processing a crafted shell command, due to the shell mishandling the &&& string. This may be used for remote code execution under rare conditions of filtered command input.
CVE-2021-42378: A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function
CVE-2021-42379: A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file function
CVE-2021-42380: A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function
CVE-2021-42381: A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init function
CVE-2021-42382: A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s function
CVE-2021-42383: A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function
CVE-2021-42384: A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function
CVE-2021-42385: A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function
CVE-2021-42386: A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function
CVE-2022-28391: BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors.

Created: 2021-03-19 Last update: 2022-04-27 18:01

12 security issues in bookworm high

There are 12 open security issues in bookworm.

12 important issues:

CVE-2021-28831: decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data.
CVE-2021-42377: An attacker-controlled pointer free in Busybox's hush applet leads to denial of service and possible code execution when processing a crafted shell command, due to the shell mishandling the &&& string. This may be used for remote code execution under rare conditions of filtered command input.
CVE-2021-42378: A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function
CVE-2021-42379: A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file function
CVE-2021-42380: A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function
CVE-2021-42381: A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init function
CVE-2021-42382: A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s function
CVE-2021-42383: A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function
CVE-2021-42384: A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function
CVE-2021-42385: A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function
CVE-2021-42386: A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function
CVE-2022-28391: BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors.

Created: 2021-08-15 Last update: 2022-04-27 18:01

10 bugs tagged patch in the BTS normal

The BTS contains patches fixing 10 bugs, consider including or untagging them.

Created: 2021-08-14 Last update: 2022-05-19 04:30

Does not build reproducibly during testing normal

A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!

Created: 2020-08-25 Last update: 2022-05-19 03:08

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 1:1.35.0-1, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit 7b2b88ac462ebc48627b7a9b504352c4c70df32a
Author: Diederik de Haas <didi.debian@cknow.org>
Date:   Fri Nov 12 16:20:59 2021 +0100

    Enable FEATURE_TR_CLASSES and FEATURE_TR_EQUIV
    
    These settings were added 11 years ago as 'not set', so I couldn't find
    an explicit reason why it should be disabled. Also, in upstream it is
    enabled by default. And supporting classes and equivs is mandated by
    POSIX, so enable these options.
    
    Closes: #998803

commit 7955bfe4005cf62ed689fb7e1f718e90871ab812
Author: Diederik de Haas <didi.debian@cknow.org>
Date:   Wed Jan 12 11:45:16 2022 +0100

    Also close 985674 and 999567 with new upstream release
    
    Also mention the CVE's that get fixed by that.

commit 46366a931e2f032f5c3cb27815814d24a5f4132a
Author: Chris Boot <bootc@debian.org>
Date:   Tue Dec 28 22:52:00 2021 +0000

    Replace use-ash-echo-for-awk-tests.patch with upstream fix
    
    scripts-echo.c-fix-NUL-handling-in-abc-0-def.patch is an upstream patch
    fixing the scripts/echo.c / echo-ne program and fixing the failing test.

commit a60a1c11c1b5e5cd0da36a663a2526780e2bd157
Author: Chris Boot <bootc@debian.org>
Date:   Mon Dec 27 19:39:28 2021 +0000

    Don't run test suite in verbose mode: it's easier to read without

commit 4de95dd77ace604d7307b1b9471ea2c4d0047faa
Author: Chris Boot <bootc@debian.org>
Date:   Mon Dec 27 19:35:43 2021 +0000

    Add use-ash-echo-for-awk-tests.patch to work around a test failure
    
    Or, "use busybox ash's echo for awk.tests"
    
    dash's echo doesn't understand the -e flag, so the test suite uses a simple
    self-built echo binary (scripts/echo.c) instead. However that version cannot
    output NULs with '\0' which breaks the "awk printf('%c') can output NUL" test.
    Force awk.tests to use busybox ash and re-detect what to do with echo to avoid
    this issue.

commit 5d4233269392683d4dfb66bfbac3efb7bf9d2824
Author: Chris Boot <bootc@debian.org>
Date:   Mon Dec 27 15:19:37 2021 +0000

    Update busybox configurations for new upstream version

commit 17a92b5c45e8ac2a3d5e1691736434c81b0efe0d
Author: Chris Boot <bootc@debian.org>
Date:   Mon Dec 27 15:18:49 2021 +0000

    Continue patch rework for new upstream release

commit 60271ff0190342b7fc27b15fba5b512f3aa5983e
Author: Chris Boot <bootc@debian.org>
Date:   Mon Dec 27 14:07:20 2021 +0000

    Drop patches cherry-picked from upstream

commit 2c6634feaeb3da4b63a1f8ab69c7e4aebbce38c0
Author: Chris Boot <bootc@debian.org>
Date:   Mon Dec 27 14:05:11 2021 +0000

    d/changelog: bump version to 1.35.0-1

commit 7f46ea0efb0024ba0ce51e2d73fabb1e95e6558d
Merge: 3106c93a8 7ae50eede
Author: Chris Boot <bootc@debian.org>
Date:   Mon Dec 27 13:00:05 2021 +0000

    Update upstream source from tag 'upstream/1.35.0'
    
    Update to upstream version '1.35.0'
    with Debian dir 2db5c320185bf1439e51c45ed6bf7946b1b5fa4e

commit 3106c93a82cf218b57d855926eb0c56a70f7ac86
Author: Yuval Freund <yuval.freund@cloud.ionos.com>
Date:   Sun Sep 5 16:41:09 2021 +0200

    Add changelog entry

commit edb49bea4cf09db456858cdc10049009f1af9216
Merge: a1e233cef fb2e800aa
Author: Samuel Thibault <sthibault@debian.org>
Date:   Sun Sep 5 16:40:12 2021 +0200

    Merge branch 'yfreund/busybox-master'

commit a1e233cefe5223c89e7217f1e54d4dd9d84b6530
Merge: da806612d 87e5cd08e
Author: Samuel Thibault <sthibault@debian.org>
Date:   Sun Sep 5 16:35:24 2021 +0200

    Merge branch 'iwamatsu/busybox-stty-udeb'

commit da806612d8875677fce0e56fdab72e86074d01ed
Author: Aurelien Jarno <aurelien@aurel32.net>
Date:   Sun Aug 22 16:40:12 2021 +0200

    releasing package busybox version 1:1.30.1-7

commit 20603adbb8b58fc7a0ac2c08395b3520018a6f03
Author: Aurelien Jarno <aurelien@aurel32.net>
Date:   Sun Aug 22 15:40:42 2021 +0200

    Disable CONFIG_FEATURE_MOUNT_NFS. This option is to "Support mounting NFS file systems on Linux < 2.6.23", which are not supported anymore in Debian. It requires RPC support in glibc, which has just been removed.

commit f0bf4780f643a13ca8dc9171a01ed09d9bbf0491
Author: Debian Janitor <janitor@jelmer.uk>
Date:   Mon Nov 16 08:02:28 2020 +0000

    Remove constraints unnecessary since stretch.
    
    * busybox: Drop versioned constraint on initramfs-tools in Breaks.
    
    Changes-By: deb-scrub-obsolete

commit 711422187c9cf88c17401211e716a739f92ac4ce
Author: Aurelien Jarno <aurelien@aurel32.net>
Date:   Sun Aug 16 12:18:32 2020 +0200

    releasing package busybox version 1:1.30.1-6

commit 72c3e19ff03a1d78a0c2450276bf19588af14fc5
Author: Aurelien Jarno <aurelien@aurel32.net>
Date:   Sun Aug 16 12:03:14 2020 +0200

    cherry-pick settimeofday for glibc v2.31+ compatibility fix for upstream. Closes: #966074.

commit 2c0d154bd5718cc2a59c95d15bf6ff00eafdafa2
Author: Aurelien Jarno <aurelien@aurel32.net>
Date:   Mon Jul 13 22:16:11 2020 +0200

    releasing package busybox version 1:1.30.1-5

commit 41c5b399363825d674b64f323184b641f6eb2073
Author: Aurelien Jarno <aurelien@aurel32.net>
Date:   Mon Jul 13 21:51:17 2020 +0200

    cherry-pick glibc 2.31 compatibility fix from upstream. Closes: #955368.

commit 87e5cd08ea1f4134af02f445f4c7dd4aff18a78a
Author: Nobuhiro Iwamatsu <iwamatsu@debian.org>
Date:   Fri Jul 26 23:36:45 2019 +0900

    Enable stty applet in busybox-udeb. Closes: #891806
    
    Signed-off-by: Nobuhiro Iwamatsu <iwamatsu@debian.org>

commit fb2e800aa07a20878adfd0cef6a3ca37e5b9b238
Author: Yuval Freund <yuval.freund@cloud.ionos.com>
Date:   Sun Apr 21 13:30:16 2019 +0200

    Fix special case for /32 subnets
    
    The ip command fails to execute when the device is not specified.
    
    Closes #891857

commit 3f2b3b526d6bdd2dace9f72ea8d6fd535a9ec010
Author: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
Date:   Mon Apr 1 07:17:50 2019 +0200

    busybox 1:1.30.1-4

commit eff661f39b8e4d57ed40b78ae7a6deb3105e78da
Author: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
Date:   Sun Mar 31 11:15:10 2019 +0200

    Replace ip oneline patch with upstream version

commit 480d401d1135dc6e1d531189b09a08b1a86c993e
Author: Cyril Brulebois <kibi@debian.org>
Date:   Fri Mar 29 17:24:15 2019 +0100

    Reinstate temp-deb-installer-hack.patch and FEATURE_DI_ENV_HACK=y
    
    Restore them to the version before: 3ffbee87fa9bab42b75f826409e2317ab14138ab

commit cc53ca40f39a70ee9bdbb6d1e6bea6b7df516ed7
Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Sun Mar 31 23:49:23 2019 +0100

    debian/rules: Enable verbose output (V=1) for "make oldconfig"

commit 213bb5b36d095b531d3852075ae5aa4174698e42
Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Sun Mar 31 23:31:50 2019 +0100

    Drop "Stop overriding stack alignment on i386" as this behaviour is now configurable

commit caae82934aeb8cc01a3f3c055763b02a924119bb
Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Sun Mar 31 23:27:34 2019 +0100

    debian/changelog: Restore full entry for version 1:1.27.2-3
    
    Most of this entry was deleted by commits e147966905f0 and 3ffbee87fa9b.

commit 30c7d108aaa6cebbf33722e134f6e01a99d71cc8
Author: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
Date:   Sun Mar 24 16:52:05 2019 +0100

    busybox 1:1.30.1-3

commit 32ddb85d80462f6eb89b3f6c1e5af0668cc05993
Author: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
Date:   Fri Mar 22 07:28:05 2019 +0100

    Fix ip oneline, thanks Dominik George. Closes: #924374

commit 0e1890c86f9baa93fe9d73c085b97c9fb15622d7
Author: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
Date:   Fri Mar 22 07:22:23 2019 +0100

    Ignore any valid_lft or preferred_lft parameters to ip, thanks Steve Langasek. Closes: #924442

commit 44f01d3e22fa1c7e873bccab19bb8c60a7243d25
Author: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
Date:   Sat Mar 2 09:11:13 2019 +0100

    busybox 1:1.30.1-2

commit 312768152a326ef71aeae052efbd855ffb5593c8
Author: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
Date:   Sat Mar 2 09:09:04 2019 +0100

    Complete the fix for [CVE-2018-20679] Closes: #918846

commit be081e2bfa319f4c60df86e19a00728c223224e3
Author: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
Date:   Fri Mar 1 21:19:43 2019 +0100

    busybox 1:1.30.1-1

commit 96e009f3f4bacc8924c8319f016adeaf87e56c5a
Author: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
Date:   Fri Mar 1 18:57:48 2019 +0100

    Update busybox configurations for 1.30.1

commit 58ea147ad8fae5fe63bc38c07c21d1a41b915f2e
Author: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
Date:   Fri Mar 1 18:32:46 2019 +0100

    Add a README for any package maintainer, document flavours and upgrading configurations

commit 98bdbe1f16c085052b724dce5a10b34c16fe9639
Author: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
Date:   Fri Mar 1 12:21:28 2019 +0100

    Refresh patch queue

commit b8fc3e7b891a3fb594bd0368b1897895acfbe3d7
Author: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
Date:   Fri Mar 1 17:48:45 2019 +0100

    Refresh patch queue

commit 96e6b37c66e43367d74f5f77dc881c4d40118a03
Author: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
Date:   Fri Mar 1 17:43:27 2019 +0100

    Remove patches that were cherry-picked from upstream

commit a04aae8f3a8aba8614e48ed78d2ac57e1331353c
Author: Chris Boot <bootc@bootc.net>
Date:   Sun Jul 8 15:09:32 2018 +0100

    d/udeb-sizes: remove; not updated since ~2012

commit dcaa75076826932b74367fdbef453b539022cb19
Author: Chris Boot <bootc@bootc.net>
Date:   Sun Jul 8 15:06:41 2018 +0100

    d/bin/genorig.py: remove; not needed since ~2008

commit eb6cfcb039e5ccd39fc3265b2666015074079c8a
Author: Chris Boot <bootc@bootc.net>
Date:   Sat Jul 7 17:23:11 2018 +0100

    d/control: bump Standards-Version to 4.1.5
    
    No other changes required.

commit ec1b9d3d471ccac499b4392d6fd2c6672bd92814
Author: Chris Boot <bootc@bootc.net>
Date:   Sat Jul 7 17:57:05 2018 +0100

    d/control: set Rules-Requires-Root: no

commit 94eb024d444bb4a2b46b15c79e0ef717b70bb566
Author: Chris Boot <bootc@bootc.net>
Date:   Sat Feb 3 12:37:47 2018 +0100

    Switch to debhelper 11

commit 8a3889b726626ce01e1c23d7b95c533ae9eb8ef5
Author: Chris Boot <bootc@bootc.net>
Date:   Sat Jul 7 15:42:09 2018 +0100

    d/rules: remove trailing whitespace

commit c265cdfd837bb8c90eb5485464f3da94a2e1c3c9
Author: Chris Boot <bootc@bootc.net>
Date:   Fri Feb 2 16:19:04 2018 +0000

    d/changelog: remove trailing whitespace

commit 51a753c34b9239ca0b6cd26bdc3c6b92be875805
Author: Chris Boot <bootc@bootc.net>
Date:   Tue Nov 28 15:30:34 2017 +0000

    Correct CVE reference in changelog entry for previous upload
    
    The bzip2 integer overflow is CVE-2017-15873 not 15874.

commit a46c8fefcbffce95306671171da051cedc0df59d
Author: Chris Boot <bootc@bootc.net>
Date:   Fri Feb 2 15:35:45 2018 +0000

    Update configuration files for 1.29.0
    
    - Refresh for new upstream release.
    - Enable new applets for use by initramfs-tools: nuke, resume, run-init.

commit 3ffbee87fa9bab42b75f826409e2317ab14138ab
Author: Chris Boot <bootc@bootc.net>
Date:   Fri Feb 2 15:14:50 2018 +0000

    Refresh and rework patches
    
    - Drop patches cherry-picked from upstream.
    - Drop temp-deb-installer-hack.patch: no longer needed.
    - Rework patches to account for upstream changes:
      - shell-ash-export-HOME.patch
      - version.patch
    - Refresh fuzzy patches.

commit e147966905f093f5a554250f7b45892fdbac9e9f
Author: Chris Boot <bootc@bootc.net>
Date:   Sat Jul 7 15:48:48 2018 +0100

    Check signatures on upstream tarballs
    
    - d/watch: set opts=pgpsigurlmangle
    - d/upstream/signing-key.asc: import Denis Vlasenko's key

commit 9ab801f092c7422eeadf19f96e70ccb9d2bb96d8
Author: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
Date:   Fri Mar 1 16:59:39 2019 +0100

    Open busybox 1:1.30.1-1 for development

commit 6a7cc0bdbe15bc6032afe8ea61a66f6ba9aae7e5
Merge: b8c0ddaa9 b193de597
Author: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
Date:   Fri Mar 1 12:19:58 2019 +0100

    Merge upstream version 1.30.1

commit b8c0ddaa92695e62d47090d7918f04cb8eb2c5f5
Author: Nobuhiro Iwamatsu <iwamatsu@debian.org>
Date:   Sun Jul 29 17:05:38 2018 +0900

    Fix segfault in microcom (Closes: #896902)
    
    Signed-off-by: Nobuhiro Iwamatsu <iwamatsu@debian.org>

commit b0a6108e6cc661cdf6b02cc458855f0be4d7c762
Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Fri Jul 13 04:19:08 2018 +0100

    Prepare to release busybox (1:1.27.2-3).

commit da3f26a36e3a6a0703473a3940237ffe3a33b35d
Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Fri Jul 13 03:42:55 2018 +0100

    Apply security fixes for wget from upstream
    
    - wget: more thorough sanitization of other side's data
    - wget: check chunk length for overflowing off_t (CVE-2018-1000517)
      (Closes: #902724)
    - wget: handle URLs with @ or hash differently
    - wget: emit a message that certificate verification is not implemented

commit 4c43f680fd04b2645bc0112bded61da92dac6819
Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Fri Jul 13 02:23:46 2018 +0100

    Stop overriding stack alignment on i386 (Closes: #886506)

commit 28a3d057a02a67554c6cab6cb68836965540620a
Author: Colin Watson <cjwatson@debian.org>
Date:   Sat Jun 16 12:44:58 2018 +0100

    Add changelog for Chris Lamb's changes

commit 286b4fc36098b414a84f9b5a04a0682b427445f8
Merge: e76fd7cb0 3bd29ac61
Author: Colin Watson <cjwatson@debian.org>
Date:   Sat Jun 16 11:00:19 2018 +0000

    Merge branch 'pep8' into 'master'
    
    PEP8 fixes
    
    See merge request installer-team/busybox!2

commit 3bd29ac61f511a2a4b312ef09b0ce93c9b999c67
Author: Chris Lamb <lamby@debian.org>
Date:   Tue May 22 11:32:52 2018 +0200

    Put colon-separated compound statement on separate lines. (PEP8 E701)

commit e2eaf506da0b9e2b8f7984ccc3a87e5d91a782a3
Author: Chris Lamb <lamby@debian.org>
Date:   Tue May 22 11:32:51 2018 +0200

    Try to make lines fit within --max-line-length characters. (PEP8 E501)

commit ad658c504bb24685e8d387f76b694df523aa907c
Author: Chris Lamb <lamby@debian.org>
Date:   Tue May 22 11:32:51 2018 +0200

    Put imports on separate lines. (PEP8 E401)

commit e5dfe46e7c1a955dd0eed38dbde71eabf1d7ebfd
Author: Chris Lamb <lamby@debian.org>
Date:   Tue May 22 11:32:50 2018 +0200

    Add missing 2 blank lines after end of function or class. (PEP8 E305)

commit 90a914f8fe5fdc4e92fd01b3d0be8b00e3c2dd75
Author: Chris Lamb <lamby@debian.org>
Date:   Tue May 22 11:32:49 2018 +0200

    Add missing 2 blank lines. (PEP8 E302)

commit cede1e4bc9659b34bc4c1605cbef433a9102d4c9
Author: Chris Lamb <lamby@debian.org>
Date:   Tue May 22 11:32:47 2018 +0200

    Remove whitespace around parameter '=' sign. (PEP8 E251)

commit e76fd7cb08925fbfd609c5e23341f0cde079ea0f
Author: Cyril Brulebois <kibi@debian.org>
Date:   Fri Apr 27 03:52:05 2018 +0200

    Update Vcs-{Browser,Git} to point to salsa (alioth's replacement).

commit 95db0f5ad9727ef6d6da395944cb2291c671dd17
Author: Chris Boot <bootc@bootc.net>
Date:   Tue Nov 28 13:45:29 2017 +0000

    Upload busybox 1:1.27.2-2 to unstable

commit 25b2525b0f49fc777342e8a543a4d1937ba321c8
Author: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
Date:   Mon Nov 20 20:24:17 2017 +0100

    Prevent tab completion for strings containing control characters. [CVE-2017-16544]

commit 45cce88b5f4aa1a91866573e64f8e681f52d3ff4
Author: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
Date:   Mon Nov 20 20:21:53 2017 +0100

    Fix integer underflow in LZMA decompressor. Closes: #879732 [CVE-2017-15874]

commit fb6b55c00e3f24ee01df846f598e9e543f4eeec2
Author: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
Date:   Wed Oct 25 18:32:25 2017 +0200

    Fix integer overflow in bzip2 decompresson. Closes: #879732  [CVE-2017-15874]

commit d43a0f7b66167929285e177b2d0e445e87bb64e0
Author: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
Date:   Tue Oct 3 20:44:35 2017 +0200

    Install the readlink binary in /bin. Closes. #801850

commit bcf20e8b3e63683122c3e52c6e0e83b2ea6651de
Author: Chris Boot <bootc@bootc.net>
Date:   Sun Nov 26 14:35:49 2017 +0000

    Temporarily re-enable invalid variable names in the udeb
    
    Upstream busybox commit b6838b520 ("ash: [VAR] Sanitise environment
    variable names on entry") breaks assumptions used by debian-installer's
    preseed system. This results in settings passed to the installer on the
    kernel command-line getting stripped out if they contain invalid
    characters in the variable name, such as '/', which is actually very
    common in this use case.
    
    This is not a long term fix for this problem: a different approach is
    needed to parse the values from the kernel command-line, but we don't
    want to be responsible for holding up the debian-installer alpha
    release any longer than it has already.

commit 864c56cf8e1ff5c69d3da57276727e861b15ec92
Author: Chris Boot <bootc@bootc.net>
Date:   Thu Nov 23 16:46:41 2017 +0000

    Update debian/watch
    
    - Switch to format=4.
    - Use HTTPS URI.

commit ab4a65b4146212bf4aceead795c87ef66dbb0a89
Author: Chris Boot <bootc@bootc.net>
Date:   Thu Nov 23 16:39:50 2017 +0000

    Remove obsolete debian/gbp.conf

commit ede4e0ba6e5cb24a18a9f27aebc0dc594350c1b3
Author: Chris Boot <bootc@bootc.net>
Date:   Thu Nov 23 16:29:56 2017 +0000

    Update Standards-Version to 4.1.1
    
    Change Priority to optional for all packages.

commit 51868a90d3ee481f338593debbf46b3e90bf77b3
Author: Chris Boot <bootc@bootc.net>
Date:   Mon Sep 18 08:00:27 2017 +0100

    Trigger an initramfs rebuild on installation
    
    Closes: #549022

commit 8888b23d5199a811651943bb15565e1a1b5ebb08
Author: Chris Boot <bootc@bootc.net>
Date:   Mon Sep 18 07:57:07 2017 +0100

    Open busybox 1:1.27.2-2 for development

commit 04f045c79d069e9f5dba5a38062ad8f5f7cb24d9
Author: Chris Boot <bootc@bootc.net>
Date:   Sun Sep 17 17:59:50 2017 +0100

    Upload busybox 1:1.27.2-1 to unstable

commit 5167f3c22dc7c632be22f1d8a92c2f3ae75f995d
Author: Chris Boot <bootc@bootc.net>
Date:   Sat Sep 9 21:05:34 2017 +0100

    Rewrite changelog to be somewhat more user friendly
    
    Put closed bugs and user-visible changes first, then group all the
    packaging changes together at the end.

commit db714af545f50381d7122965c95401ca28a33d4a
Author: Chris Boot <bootc@bootc.net>
Date:   Sat Sep 9 20:58:30 2017 +0100

    Work around test failures in certain locales

commit 5b00be6c94dd25618c0b59f152c89ff5e8b05551
Author: Chris Boot <bootc@bootc.net>
Date:   Sat Sep 9 20:29:27 2017 +0100

    udhcpc: correct a typo in /etc/udhcpc/default.script
    
    Closes: #873472

commit 6ab71433ed1d36191471a3b2e12c0954323a5081
Author: Chris Boot <bootc@bootc.net>
Date:   Sat Aug 19 22:27:21 2017 +0100

    Update Standards-Version to 4.0.1
    
    Surprisingly it seems as though the only required change is disabling
    the elements of the test suite that require networking, which upstream
    provides a flag to do.

commit efcb9b633efca1a87bd18a74ea1d2c9a8518d6bc
Author: Chris Boot <bootc@bootc.net>
Date:   Sat Aug 19 22:04:43 2017 +0100

    Replace Uploaders with myself and Christoph Biedl

commit 13e3ac14717a439e2a8a4bfc9a4dae5178fe5f4c
Author: Chris Boot <bootc@bootc.net>
Date:   Sat Aug 19 21:20:42 2017 +0100

    Update debian/.gitignore

commit 82d37fc989a5f6f8456e002e0ad5952968e89363
Author: Chris Boot <bootc@bootc.net>
Date:   Sat Aug 19 21:19:35 2017 +0100

    Add Depends on lsb-base to busybox-syslogd and udhcpd

commit a2bf4acc5ece1c13c2b6b115b0c92ce07bbff315
Author: Chris Boot <bootc@bootc.net>
Date:   Sat Aug 19 21:07:38 2017 +0100

    Abort the build if 'make oldconfig' changes the configuration
    
    This will help us (the busybox maintainers) keep on top of configuration
    changes when upstream changes things around.

commit 8a115a910fb3cd7a525972e150a32f8aeb1da492
Author: Chris Boot <bootc@bootc.net>
Date:   Sat Aug 19 21:03:06 2017 +0100

    Strip -O2 from CFLAGS

commit 55068d91d38d5cc9530fec7978f2ae8157e521b8
Author: Chris Boot <bootc@bootc.net>
Date:   Sat Aug 19 20:57:20 2017 +0100

    Switch to debhelper compatibility level 10

commit 64750d9563e573e7f83f98b2f7eeeabc5c8557e9
Author: Chris Boot <bootc@bootc.net>
Date:   Sat Aug 19 19:44:43 2017 +0100

    debian/rules: Rewrite, simplify and use the dh sequencer
    
    Modernise the rules file considerably. We still need some make-like
    constructs to maintain sanity when building busybox three times, but it
    should be much easier to follow and maintain now.

commit 25d6c9dec232126548b144f379d9acd0b1fa68ff
Author: Chris Boot <bootc@bootc.net>
Date:   Sat Aug 19 19:26:33 2017 +0100

    Update busybox build configuration files
    
    The new upstream release considerably changes the configuration. This
    commit is the result of running 'make oldconfig' on the configuration
    files. For the udeb, the features remain mostly the same as before
    except for a handful of additions; for the deb and static
    configurations, most upstream defaults have been accepted and thus there
    are a number of additional new features enabled.

commit 03d4cd8c27f0ba09c17a56955909fa46939b87d0
Author: Chris Boot <bootc@bootc.net>
Date:   Sat Aug 19 19:20:56 2017 +0100

    debian/rules: Remove test for ancient broken libc6
    
    During the jessie development cycle this was useful to avoid buildd
    chroots containing broken libc6 versions, but is no longer required.

commit 2e732c283a0d151e9de3c071bce8448317c8437f
Author: Chris Boot <bootc@bootc.net>
Date:   Sat Aug 19 19:16:33 2017 +0100

    debian/control: Remove Build-Depends on libc-dev-bin
    
    These were required to avoid broken versions of libc6 which, at the
    time, produced broken static binaries. These old glibc versions were
    around during the jessie development process.

commit 498026b18514b69e0c7c501853c89eedfc992fa5
Author: Chris Boot <bootc@bootc.net>
Date:   Sat Aug 19 19:13:49 2017 +0100

    Run wrap-and-sort -st

commit 93a7a1d2666e2aa19e9b4c4733828c2ee6ac4207
Author: Chris Boot <bootc@bootc.net>
Date:   Sat Aug 19 19:12:49 2017 +0100

    Update changelog for new upstream release

commit 9a71788cdee89b0dc6b973574636ab68a205754b
Author: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
Date:   Thu Aug 17 18:53:50 2017 +0200

    Postpone creation of symlinks with "suspicious" targets. Closes: #802702 [CVE-2011-5325]

commit b3ddafa485e0f431cbdf8de7261d84ea48da11fa
Author: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
Date:   Thu Aug 17 09:08:59 2017 +0200

    Refresh patch queue

commit 92342ba530b659b78a1268a4636c83a5242341d0
Author: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
Date:   Wed Aug 16 19:48:51 2017 +0200

    Remove patches that were cherry-picked or are applied upstream now
    
        * ash-in-bash-compat-mode-always-export-SHLVL.diff
        * libbb-fix-parsing-of-10101010-datetime-form.diff
        * testsuite-fix-last-which-change.diff
        * libarchive-open_zipped-does-not-need-to-check-extensions.diff
        * libbb-open_zipped-should-not-fail-on-non-compressed-files.diff
        * zcat:-complain-if-input-is-not-compressed.diff
        * lzop-add-overflow-check-CVE-2014-4607.patch
        * do-not-fail-on-missing-SIGPWR.patch
        * find:-support-perm-_BITS.diff
        * u-mount-FreeBSD-support.patch
        * swaponoff-FreeBSD-support.patch
        * modprobe-read-modules-builtin.patch
        * iproute-support-onelink-route-option-and-print-route-flags.patch
        * update-deb-format-support.patch
        * CVE-2014-9645.patch

commit 580d77857a7582a1aec73c8576ae34bd34e68928
Merge: 18cd41e93 3134d6a64
Author: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
Date:   Sun Aug 27 15:39:34 2017 +0200

    Merge upstream version 1.27.2

commit 18cd41e9349e6873ba347e7cc01fef4d759cd85d
Merge: e6f80dabb 7a0454449
Author: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
Date:   Mon Aug 7 19:08:01 2017 -0400

    Merge upstream version 1.27.1

commit e6f80dabb8e8a9736537e379de2cc8eed6eca487
Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Sun Apr 17 16:37:39 2016 +0100

    Note removal of files included in 1:1.22.0-18 upload but never in git
    
    This was presumably due to a dirty working tree when bubulle built the
    previous source package.  So far as I can see, the extra files would
    never be used unless explicitly requested.

commit c199ee6281952066620018e0d53560f137a55929
Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Sun Apr 17 15:55:07 2016 +0100

    Disable CONFIG_FEATURE_PREFER_APPLETS in standard build (Closes: #821307)

Created: 2021-09-05 Last update: 2022-05-16 07:48

lintian reports 7 warnings normal

Lintian reports 7 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2022-01-01 Last update: 2022-01-01 04:31

12 low-priority security issues in buster low

There are 12 open security issues in buster.

12 issues left for the package maintainer to handle:

CVE-2021-28831: (needs triaging) decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data.
CVE-2021-42377: (needs triaging) An attacker-controlled pointer free in Busybox's hush applet leads to denial of service and possible code execution when processing a crafted shell command, due to the shell mishandling the &&& string. This may be used for remote code execution under rare conditions of filtered command input.
CVE-2021-42378: (needs triaging) A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function
CVE-2021-42379: (needs triaging) A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file function
CVE-2021-42380: (needs triaging) A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function
CVE-2021-42381: (needs triaging) A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init function
CVE-2021-42382: (needs triaging) A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s function
CVE-2021-42383: (needs triaging) A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function
CVE-2021-42384: (needs triaging) A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function
CVE-2021-42385: (needs triaging) A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function
CVE-2021-42386: (needs triaging) A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function
CVE-2022-28391: (needs triaging) BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors.

You can find information about how to handle these issues in the security team's documentation.

Created: 2021-03-19 Last update: 2022-04-27 18:01

12 low-priority security issues in bullseye low

There are 12 open security issues in bullseye.

12 issues left for the package maintainer to handle:

CVE-2021-28831: (needs triaging) decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data.
CVE-2021-42377: (needs triaging) An attacker-controlled pointer free in Busybox's hush applet leads to denial of service and possible code execution when processing a crafted shell command, due to the shell mishandling the &&& string. This may be used for remote code execution under rare conditions of filtered command input.
CVE-2021-42378: (needs triaging) A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function
CVE-2021-42379: (needs triaging) A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file function
CVE-2021-42380: (needs triaging) A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function
CVE-2021-42381: (needs triaging) A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init function
CVE-2021-42382: (needs triaging) A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s function
CVE-2021-42383: (needs triaging) A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function
CVE-2021-42384: (needs triaging) A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function
CVE-2021-42385: (needs triaging) A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function
CVE-2021-42386: (needs triaging) A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function
CVE-2022-28391: (needs triaging) BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors.

You can find information about how to handle these issues in the security team's documentation.

Created: 2021-08-14 Last update: 2022-04-27 18:01

Build log checks report 2 warnings low

Build log checks report 2 warnings

Created: 2017-10-26 Last update: 2017-10-26 07:21

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.6.1 instead of 4.1.5).

Created: 2018-04-16 Last update: 2022-05-11 23:24

news

[rss feed]

[2021-08-28] busybox 1:1.30.1-7 MIGRATED to testing (Debian testing watch)
[2021-08-22] Accepted busybox 1:1.30.1-7 (source) into unstable (Aurelien Jarno)
[2021-04-01] Accepted busybox 1:1.22.0-19+deb9u2 (source) into oldstable (Markus Koschany)
[2021-02-15] Accepted busybox 1:1.22.0-19+deb9u1 (source amd64 all) into oldstable (Markus Koschany)
[2020-08-21] busybox 1:1.30.1-6 MIGRATED to testing (Debian testing watch)
[2020-08-16] Accepted busybox 1:1.30.1-6 (source) into unstable (Aurelien Jarno)
[2020-07-19] busybox 1:1.30.1-5 MIGRATED to testing (Debian testing watch)
[2020-07-13] Accepted busybox 1:1.30.1-5 (source) into unstable (Aurelien Jarno)
[2019-04-04] busybox 1:1.30.1-4 MIGRATED to testing (Debian testing watch)
[2019-04-02] Accepted busybox 1:1.30.1-4 (source) into unstable (Christoph Biedl)
[2019-04-01] busybox 1:1.30.1-3 MIGRATED to testing (Debian testing watch)
[2019-03-24] Accepted busybox 1:1.30.1-3 (source) into unstable (Christoph Biedl)
[2019-03-12] busybox 1:1.30.1-2 MIGRATED to testing (Debian testing watch)
[2019-03-02] Accepted busybox 1:1.30.1-2 (source) into unstable (Christoph Biedl)
[2019-03-01] Accepted busybox 1:1.30.1-1 (source) into unstable (Christoph Biedl)
[2018-08-03] Accepted busybox 1:1.22.0-9+deb8u4 (source amd64 all) into oldstable (Markus Koschany)
[2018-08-02] Accepted busybox 1:1.22.0-9+deb8u3 (source amd64 all) into oldstable (Markus Koschany)
[2018-07-27] Accepted busybox 1:1.22.0-9+deb8u2 (source amd64 all) into oldstable (Markus Koschany)
[2018-07-18] busybox 1:1.27.2-3 MIGRATED to testing (Debian testing watch)
[2018-07-13] Accepted busybox 1:1.27.2-3 (source) into unstable (Ben Hutchings)
[2017-12-03] busybox 1:1.27.2-2 MIGRATED to testing (Debian testing watch)
[2017-11-28] Accepted busybox 1:1.27.2-2 (source) into unstable (Chris Boot)
[2017-09-24] busybox 1:1.27.2-1 MIGRATED to testing (Debian testing watch)
[2017-09-17] Accepted busybox 1:1.27.2-1 (source) into unstable (Chris Boot)
[2016-04-23] busybox 1:1.22.0-19 MIGRATED to testing (Debian testing watch)
[2016-04-17] Accepted busybox 1:1.22.0-19 (source) into unstable (Ben Hutchings)
[2016-02-09] busybox 1:1.22.0-18 MIGRATED to testing (Debian testing watch)
[2016-02-04] Accepted busybox 1:1.22.0-18 (source i386 all) into unstable (Christian Perrier)
[2016-01-27] busybox 1:1.22.0-17 MIGRATED to testing (Debian testing watch)
[2016-01-22] Accepted busybox 1:1.22.0-17 (source i386 all) into unstable (Christian Perrier)

bugs [bug history graph]

all: 53 54
RC: 0
I&N: 25 26
M&W: 20
F&P: 8
patch: 10

links

homepage
lintian (0, 7)
buildd: logs, checks, clang, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
screenshots

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1:1.30.1-7ubuntu3
37 bugs (3 patches)
patches for 1:1.30.1-7ubuntu3