Bug 379857 - <sys-apps/busybox-1.19.0: unpack_Z_stream() Buffer Underflow (CVE requested)
Summary: <sys-apps/busybox-1.19.0: unpack_Z_stream() Buffer Underflow (CVE requested)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: http://git.busybox.net/busybox/diff/a...
Whiteboard: A2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-08-19 11:13 UTC by Agostino Sarubbo
Modified: 2013-12-03 04:18 UTC
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Agostino Sarubbo gentoo-dev 2011-08-19 11:13:15 UTC
The vulnerability is caused due to a boundary error within the "unpack_Z_stream()" function (archival/libarchive/decompress_uncompress.c) and can be exploited to cause a buffer underflow via a specially crafted datastream.

Fix at $URL
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2011-08-19 11:34:25 UTC
When quoting text, please provide your source, in this case Secunia (http://secunia.com/advisories/45702/).
Comment 2 SpanKY gentoo-dev 2011-08-19 14:11:29 UTC
I think this is fixed with upstream busybox-1.19.0-uncompress.patch, which is part of the new busybox-1.19.0 ebuild that is in the tree now.
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2011-08-19 14:51:54 UTC
(In reply to comment #2)
> I think this is fixed with upstream busybox-1.19.0-uncompress.patch, which is
> part of the new busybox-1.19.0 ebuild that is in the tree now.

Great, thanks. Can we stabilize 1.19.0?
Comment 4 SpanKY gentoo-dev 2011-08-19 16:13:16 UTC
I don't know of any blocking issues.
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2011-08-19 16:34:38 UTC
(In reply to comment #4)
> I don't know of any blocking issues.

Ok, thanks.

Arches, please test and mark stable:
=sys-apps/busybox-1.19.0
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 6 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-08-19 16:52:54 UTC
ppc/ppc64 stable
Comment 7 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-08-19 17:44:32 UTC
x86 stable
Comment 8 Elijah "Armageddon" El Lazkani (amd64 AT) 2011-08-19 20:39:32 UTC
amd64: pass
Comment 9 Guy Martin (RETIRED) gentoo-dev 2011-08-20 13:00:45 UTC
hppa stable
Comment 10 Ian Delaney (RETIRED) gentoo-dev 2011-08-20 13:11:47 UTC
amd64:

passes all
Comment 11 Agostino Sarubbo gentoo-dev 2011-08-20 14:03:04 UTC
amd64 ok

Take a look at bug 379965, which can't block this stabilization.
Comment 12 Markos Chandras (RETIRED) gentoo-dev 2011-08-23 17:13:50 UTC
amd64 done. Thanks Agostino, Ian and Elijah
Comment 13 Markus Meier gentoo-dev 2011-08-24 19:18:50 UTC
arm stable
Comment 14 Raúl Porcel (RETIRED) gentoo-dev 2011-08-27 18:43:37 UTC
alpha/ia64/m68k/s390/sh/sparc stable
Comment 15 Agostino Sarubbo gentoo-dev 2011-08-27 19:06:17 UTC
Thanks all, adding glsa request.
Comment 16 Tim Sammut (RETIRED) gentoo-dev 2011-08-28 02:07:14 UTC
Thanks, folks. New GLSA request filed.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2013-12-03 04:18:16 UTC
This issue was resolved and addressed in
GLSA 201312-02 at http://security.gentoo.org/glsa/glsa-201312-02.xml
by GLSA coordinator Chris Reffett (creffett).