Bug 577610 - <sys-apps/busybox-1.24.2: two heap overflows
Summary: <sys-apps/busybox-1.24.2: two heap overflows
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: A2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-03-17 11:53 UTC by Agostino Sarubbo
Modified: 2017-01-01 12:16 UTC

See Also:
Package list:
Runtime testing required: ---
Description Agostino Sarubbo gentoo-dev 2016-03-17 11:53:23 UTC
From ${URL} :

CVE-2016-2147 / OOB heap write due to integer underflow
https://git.busybox.net/busybox/commit/?id=d474ffc68290e0a83651c4432eeabfa62cd51e87

CVE-2016-2148 / heap overflow in OPTION_6RD parsing
https://git.busybox.net/busybox/commit/?id=352f79acbd759c14399e39baef21fc4ffe180ac2



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
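The two bug classes the report names (an integer underflow while walking option bytes that ends in an out-of-bounds heap write, and a 6rd option whose text buffer is sized from a different unit than the loop that fills it) are shown below as an added illustration written for this page. It is not BusyBox's udhcpc code and does not reproduce the fixed source: the record layout, text widths, function names and the sample option bytes are this example's own assumptions.

```c
/* Added example, not BusyBox code: the two DHCP-option bounds-check
 * failure patterns named in the report.  Layout, constants, names and
 * the sample bytes below are this illustration's own assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Pattern 1, unchecked arithmetic: subtracting a label length larger than the
 * bytes left wraps 'remaining', so a loop guarded by 'remaining != 0' keeps
 * reading, and writing decoded bytes, past the end of both buffers. */
size_t remaining_after_unchecked(size_t remaining, uint8_t label_len)
{
    return remaining - label_len;            /* wraps when label_len > remaining */
}

/* Pattern 1, hardened RFC 1035 label decoder: every label length is checked
 * against the input bytes left and the output space left before copying.
 * Returns the decoded length, or -1 on malformed input or no space. */
int dname_decode_checked(const uint8_t *in, size_t inlen, char *out, size_t outsz)
{
    size_t ip = 0, op = 0;
    if (outsz == 0) return -1;
    for (;;) {
        if (ip >= inlen)
            return -1;                       /* no terminating zero-length label */
        uint8_t len = in[ip++];
        if (len == 0)
            break;
        if (len >= 0xC0 || len > inlen - ip)
            return -1;                       /* pointer label, or claims bytes not present */
        if (op + (op ? 1 : 0) + len + 1 > outsz)
            return -1;                       /* '.' + label + NUL must fit */
        if (op)
            out[op++] = '.';
        memcpy(out + op, in + ip, len);
        op += len;
        ip += len;
    }
    out[op] = '\0';
    return (int)op;
}

/* Pattern 2, assumed 6rd wire layout (RFC 5969 option 212): 1 byte IPv4MaskLen,
 * 1 byte 6rdPrefixLen, 16 bytes 6rdPrefix, then 1..n 4-byte BR IPv4 addresses.
 * Text widths are worst case: "255 " x2, "ffff:...:ffff " (40), "255.255.255.255 " (16). */
#define SIXRD_HDR    18
#define SIXRD_ADDR   4
#define SIXRD_RECORD (SIXRD_HDR + SIXRD_ADDR)  /* 22 = header plus first address */
#define TEXT_HDR     (4 + 4 + 40)
#define TEXT_ADDR    16
/* Buggy sizing: counts 22-byte records as if every address carried its own
 * header, so 18 + 4k option bytes buy text space for fewer than k addresses. */
size_t sixrd_alloc_buggy(size_t optlen)
{
    return optlen / SIXRD_RECORD * (TEXT_HDR + TEXT_ADDR) + 1;
}
/* What the formatting loop really emits: one header, then one address per
 * 4 trailing bytes, plus NUL.  Correct sizing uses this, not the record count. */
size_t sixrd_text_needed(size_t optlen)
{
    return optlen < SIXRD_RECORD ? 0 : TEXT_HDR + (optlen - SIXRD_HDR) / SIXRD_ADDR * TEXT_ADDR + 1;
}
/* Checked formatter: rejects a trailing partial address, sizes from the real
 * need, and formats with snprintf against the space left.  Length or -1. */
int sixrd_format_checked(const uint8_t *opt, size_t optlen, char *out, size_t outsz)
{
    if (optlen < SIXRD_RECORD || (optlen - SIXRD_HDR) % SIXRD_ADDR != 0
        || sixrd_text_needed(optlen) > outsz)
        return -1;
    size_t op = (size_t)snprintf(out, outsz, "%u %u ", (unsigned)opt[0], (unsigned)opt[1]);
    for (int i = 0; i < 16; i += 2)
        op += (size_t)snprintf(out + op, outsz - op, "%02x%02x%c",
                               (unsigned)opt[2 + i], (unsigned)opt[3 + i], i == 14 ? ' ' : ':');
    for (size_t p = SIXRD_HDR; p < optlen; p += SIXRD_ADDR)
        op += (size_t)snprintf(out + op, outsz - op, "%u.%u.%u.%u ", (unsigned)opt[p],
                               (unsigned)opt[p + 1], (unsigned)opt[p + 2], (unsigned)opt[p + 3]);
    out[--op] = '\0';                        /* drop the trailing space */
    return (int)op;
}

/* Constructed sample inputs (not captured traffic). */
static const uint8_t good_name[] = "\x03" "www" "\x07" "example" "\x03" "com"; /* 17 bytes incl. NUL */
static const uint8_t bad_name[]  = { 3, 'w', 'w', 'w', 0x20, 'e', 'x' };     /* label says 32, 2 left */
static const uint8_t sixrd_opt[30] = { 24, 32, 0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
                                       192, 0, 2, 1, 198, 51, 100, 1, 203, 0, 113, 1 };

/* Runs both patterns over the samples; 1 if every expected outcome holds. */
int demo_ok(void)
{
    char name[64], text[128], small[65];     /* small[] is what the buggy sizing would allocate */
    return dname_decode_checked(good_name, sizeof good_name, name, sizeof name) == 15
        && strcmp(name, "www.example.com") == 0
        && dname_decode_checked(bad_name, sizeof bad_name, name, sizeof name) == -1
        && remaining_after_unchecked(2, 0x20) > 2                  /* the wrap */
        && sixrd_alloc_buggy(30) < sixrd_text_needed(30)            /* 65 < 97 */
        && sixrd_format_checked(sixrd_opt, 30, small, sizeof small) == -1
        && sixrd_format_checked(sixrd_opt, 30, text, sizeof text) == 80
        && strcmp(text, "24 32 2001:0db8:0000:0000:0000:0000:0000:0000 "
                        "192.0.2.1 198.51.100.1 203.0.113.1") == 0;
}
```

The 30-byte 6rd sample carries three addresses, so the record-count sizing (30 / 22 = 1 record) reserves room for one address while the loop emits three; the checked formatter refuses that buffer outright instead of writing past it. The label decoder shows the other shape of the same mistake: the length byte is attacker-controlled, so it must be compared against the bytes actually left before it is subtracted from an unsigned counter or handed to memcpy.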
Comment 1 SpanKY gentoo-dev 2016-03-21 18:49:04 UTC
bumped here:
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=596b078da777fa1b066d57366803a13855a0c652

should be fine for stable
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2016-03-21 23:40:48 UTC
@arches, please stabilize the following:

=sys-apps/busybox-1.24.2
Comment 3 Agostino Sarubbo gentoo-dev 2016-03-22 14:33:30 UTC
amd64 stable
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2016-03-26 06:49:29 UTC
Stable for HPPA PPC64.
Comment 5 Agostino Sarubbo gentoo-dev 2016-03-27 10:17:28 UTC
ppc stable
Comment 6 Markus Meier gentoo-dev 2016-03-30 18:32:58 UTC
arm stable
Comment 7 Agostino Sarubbo gentoo-dev 2016-04-11 10:40:25 UTC
x86 stable
Comment 8 Matt Turner gentoo-dev 2016-05-02 03:33:55 UTC
alpha stable
Comment 9 Agostino Sarubbo gentoo-dev 2016-07-08 10:04:33 UTC
sparc stable
Comment 10 Agostino Sarubbo gentoo-dev 2016-07-08 12:04:04 UTC
ia64 stable
Comment 11 Aaron Bauman (RETIRED) gentoo-dev 2016-07-19 12:26:01 UTC
Removing unstable arches.

@maintainer(s), please remove the vulnerable versions.
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2016-11-27 11:27:44 UTC
Please cleanup.
Comment 13 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-02 20:16:23 UTC
Added to existing GLSA.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2016-12-04 06:41:16 UTC
This issue was resolved and addressed in
 GLSA 201612-04 at https://security.gentoo.org/glsa/201612-04
by GLSA coordinator Aaron Bauman (b-man).
Comment 15 Aaron Bauman (RETIRED) gentoo-dev 2016-12-04 06:43:04 UTC
@maintainer(s), please clean the vulnerable version from the tree:

=sys-apps/busybox-1.24.1
Comment 16 Aaron Bauman (RETIRED) gentoo-dev 2017-01-01 12:16:36 UTC
tree is clean