
Bug 635392 (CVE-2017-15873, CVE-2017-15874)

Summary: <sys-apps/busybox-1.28.0: two integer overflows
Product: Gentoo Security
Component: Vulnerabilities
Severity: major
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Reporter: Agostino Sarubbo <ago>
Assignee: Gentoo Security <security>
CC: embedded
See Also:
Whiteboard: A2 [glsa+ cve]
Package list:
Runtime testing required: ---
Bug Depends on: 638258
Bug Blocks:

Description Agostino Sarubbo gentoo-dev 2017-10-25 07:24:58 UTC
CVE-2017-15873:
The get_next_block function in archival/libarchive/decompress_bunzip2.c in BusyBox 1.27.2 has an Integer Overflow that may lead to a write access violation.

CVE-2017-15874:
archival/libarchive/decompress_unlzma.c in BusyBox 1.27.2 has an Integer Underflow that leads to a read access violation.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
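The two CVE descriptions above name two distinct bug classes in decompressor inner loops: an additive run count that wraps past a buffer-capacity check (an overflow, the bunzip2 entry) and a back-reference distance subtracted from the current position that wraps below zero (an underflow, the unlzma entry). The following is an added illustration of both classes in a toy output window; it is not BusyBox code and not taken from the commits this bug references, and every name in it (OUT_CAP, run_fits_wrapping, run_fits_checked, emit_run, backref_src_wrapping, copy_backref) is invented for the example. Each class is shown in a "before" form that silently wraps and in the checked form a reviewer would ask for.

```c
/* Added illustration of the two integer-arithmetic bug classes named in the
 * CVE descriptions. Constructed example with invented names; not BusyBox code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OUT_CAP 64u   /* capacity of a toy output window, in bytes */

/* Overflow class (before): the sum is formed first and then compared. With
 * unsigned arithmetic a large 'run' wraps the sum back below 'cap', so the
 * check passes and a later memset/memcpy runs off the end of the buffer. */
int run_fits_wrapping(uint32_t have, uint32_t run, uint32_t cap)
{
    return have + run <= cap;   /* wraps when have + run > UINT32_MAX */
}

/* Overflow class (after): rearrange so no intermediate can wrap.
 * Requires the invariant have <= cap, which is checked explicitly. */
int run_fits_checked(uint32_t have, uint32_t run, uint32_t cap)
{
    if (have > cap)
        return 0;
    return run <= cap - have;
}

/* Append 'run' copies of 'byte' to out[0..*have) of capacity 'cap'.
 * Returns 0 on success, -1 if the run does not fit (nothing is written). */
int emit_run(uint8_t *out, uint32_t *have, uint32_t cap, uint8_t byte, uint32_t run)
{
    if (!run_fits_checked(*have, run, cap))
        return -1;
    memset(out + *have, byte, run);
    *have += run;
    return 0;
}

/* Underflow class (before): the source index of a back-reference is computed
 * by plain subtraction. When dist >= pos the unsigned result wraps to a huge
 * offset, and a copy from it reads far outside the window. This helper only
 * returns the index it would use, so the wrap can be observed without a read. */
uint32_t backref_src_wrapping(uint32_t pos, uint32_t dist)
{
    return pos - dist - 1;
}

/* Underflow class (after): reject a distance that reaches before the first
 * byte produced, and bound the copy length, before touching memory.
 * Returns 0 on success, -1 on a malformed back-reference. */
int copy_backref(uint8_t *out, uint32_t *have, uint32_t cap, uint32_t dist, uint32_t len)
{
    if (dist >= *have)                 /* source would lie before the window start */
        return -1;
    if (!run_fits_checked(*have, len, cap))
        return -1;
    /* Byte by byte so overlapping copies (len > dist + 1) repeat correctly. */
    for (uint32_t i = 0; i < len; i++, (*have)++)
        out[*have] = out[*have - dist - 1];
    return 0;
}

int main(void)
{
    uint8_t out[OUT_CAP];
    uint32_t have = 0;

    printf("wrapping check passes huge run: %d\n",
           run_fits_wrapping(60, 0xFFFFFFF0u, OUT_CAP));
    printf("checked check rejects it:       %d\n",
           run_fits_checked(60, 0xFFFFFFF0u, OUT_CAP));
    printf("wrapped back-reference index:   0x%08x\n",
           backref_src_wrapping(3, 5));

    emit_run(out, &have, OUT_CAP, 'a', 3);
    copy_backref(out, &have, OUT_CAP, 0, 4);        /* dist 0 repeats the last byte */
    printf("rejected dist >= have:          %d\n",
           copy_backref(out, &have, OUT_CAP, have, 1));
    printf("window: %.*s\n", (int)have, out);
    return 0;
}
```

The pattern to carry over when reviewing a decoder: compare a length against the remaining room (`run <= cap - have`) rather than against a freshly formed sum, and validate a back-reference distance against the bytes already produced (`dist < have`) before the index arithmetic is done, since after a wrap there is nothing left to check.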
Comment 1 Herbert Wantesh 2017-11-22 19:21:20 UTC
The maintainer fixed all these bugs already but didn't mark them with the corresponding CVE numbers, and he hasn't released a new version that fixes all of these vulnerabilities:

CVE-2017-15873 - fixed with this commit

CVE-2017-15874 - fixed with
Comment 2 Larry the Git Cow gentoo-dev 2018-01-24 04:16:43 UTC
The bug has been referenced in the following commit(s):

commit 7271c533c68a35f72cdb907d3e2743275505c5c6
Author:     Mike Frysinger <>
AuthorDate: 2018-01-24 04:11:19 +0000
Commit:     Mike Frysinger <>
CommitDate: 2018-01-24 04:14:46 +0000

    sys-apps/busybox: version bump to 1.28.0 #563756 #635392 #638258

 sys-apps/busybox/Manifest              |   1 +
 sys-apps/busybox/busybox-1.28.0.ebuild | 310 +++++++++++++++++++++++++++++++++
 2 files changed, 311 insertions(+)
Comment 3 Anthony Basile gentoo-dev 2018-01-27 23:46:00 UTC
Note: stabilization called for in bug #638258
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2018-03-26 16:27:08 UTC
This issue was resolved and addressed in
 GLSA 201803-12 at
by GLSA coordinator Aaron Bauman (b-man).