
Bug 638258 (CVE-2017-16544)

Summary: <sys-apps/busybox-1.28.0: Autocompletion vulnerability
Product: Gentoo Security
Reporter: Hanno Böck <hanno>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: embedded, kfm
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: https://git.busybox.net/busybox/commit/?id=c3797d40a1c57352192c6106cc0f435e7d9c11e8
See Also: https://bugs.gentoo.org/show_bug.cgi?id=635392
Whiteboard: A2 [glsa+ cve]
Package list:
sys-apps/busybox-1.28.0
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 563756, 635392    

Description Hanno Böck gentoo-dev 2017-11-20 17:24:04 UTC
The first sounds particularly bad, it's a shell injection in the autocompletion code. The others are issues in the embedded compression tools.

Unfortunately there's no fixed release yet, but the severity of the first issue in particular probably justifies having an ebuild with patches.
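The issue described above is that busybox's line editor wrote tab-completion candidates (file names) to the terminal without sanitizing them, so a file name containing escape sequences is interpreted by the terminal as control data as soon as the victim tab-completes in that directory. The upstream commit in the URL field closes this by declining to offer any completion candidate that contains control characters. The C program below is an added example written for this page, not code from busybox or from the linked commit; it puts the unfiltered copy beside the filtered one and runs the filter over a constructed directory listing. Rejecting DEL (0x7f) as well as bytes below 0x20, and allowing bytes 0x80 and up so that UTF-8 names still complete, are choices of this example, and the function names are hypothetical.

```c
/* Added example (not busybox code): the class of check that the fix for
 * CVE-2017-16544 introduced, i.e. refuse to tab-complete a candidate that
 * contains control characters, because the line editor otherwise writes
 * those bytes straight to the terminal. */
#include <stdio.h>
#include <string.h>

/* Return 1 if 's' contains no byte a terminal treats as control data:
 * 0x00-0x1f (ESC, BEL, newline, ...) and DEL (0x7f). Bytes >= 0x80 are
 * allowed so UTF-8 file names still complete. Including DEL is an
 * assumption of this example. */
int completion_is_safe(const char *s)
{
    for (const unsigned char *p = (const unsigned char *)s; *p; p++) {
        if (*p < 0x20 || *p == 0x7f)
            return 0;
    }
    return 1;
}

/* Vulnerable pattern: copy the candidate into the edit buffer unchanged.
 * Returns the number of bytes copied. */
size_t complete_unfiltered(const char *candidate, char *out, size_t outsz)
{
    size_t n = strlen(candidate);
    if (n >= outsz)
        n = outsz - 1;
    memcpy(out, candidate, n);
    out[n] = '\0';
    return n;
}

/* Hardened pattern: same copy, but only after the safety check.
 * Returns 0 and leaves 'out' empty when the candidate is rejected. */
size_t complete_filtered(const char *candidate, char *out, size_t outsz)
{
    out[0] = '\0';
    if (!completion_is_safe(candidate))
        return 0;
    return complete_unfiltered(candidate, out, outsz);
}

/* Keep only the safe names from a directory listing; returns how many
 * survived and stores them in 'safe_out' (which must hold 'n' pointers). */
int filter_matches(const char *const *names, int n, const char **safe_out)
{
    int k = 0;
    for (int i = 0; i < n; i++) {
        if (completion_is_safe(names[i]))
            safe_out[k++] = names[i];
    }
    return k;
}

/* Constructed sample directory listing (not captured from a real system). */
static const char *const SAMPLE_NAMES[] = {
    "report.txt",
    "r\x1b]0;owned\x07" "eport.bak",   /* OSC title-set sequence in the name */
    "readme\n",                         /* embedded newline */
    "r\xc3\xa9sum\xc3\xa9.pdf",         /* UTF-8, must stay allowed */
    "r\x7f.log",                        /* DEL */
};
#define SAMPLE_COUNT ((int)(sizeof SAMPLE_NAMES / sizeof SAMPLE_NAMES[0]))

/* Convenience wrapper: number of sample names that would be offered. */
int sample_safe_count(void)
{
    const char *safe[SAMPLE_COUNT];
    return filter_matches(SAMPLE_NAMES, SAMPLE_COUNT, safe);
}

int main(void)
{
    const char *safe[SAMPLE_COUNT];
    int k = filter_matches(SAMPLE_NAMES, SAMPLE_COUNT, safe);
    printf("%d of %d candidates offered for completion:\n", k, SAMPLE_COUNT);
    for (int i = 0; i < k; i++)
        printf("  %s\n", safe[i]);
    return 0;
}
```

The filter operates on raw bytes rather than on a parsed escape grammar: any control byte is enough to reject the name, which is simpler to reason about than trying to enumerate harmful sequences and matches the approach the upstream commit takes.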
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-11-20 17:35:28 UTC
(In reply to Hanno Boeck from comment #0)
> The first sounds particularly bad, it's a shell injection in the
> autocompletion code. The others are issues in the embedded compression tools.
> 
> Unfortunately there's no fixed release yet, but the severity of the first
> issue in particular probably justifies having an ebuild with patches.

Thank you Hanno, setting URL to the patch.

Other bugs are already reported in bug 635392.

@Maintainers please call for stabilization when ready.
Comment 2 Herbert Wantesh 2017-11-22 19:24:19 UTC
fixed with this commit https://git.busybox.net/busybox/commit/?id=c3797d40a1c57352192c6106cc0f435e7d9c11e8
Comment 3 Larry the Git Cow gentoo-dev 2018-01-24 04:16:34 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7271c533c68a35f72cdb907d3e2743275505c5c6

commit 7271c533c68a35f72cdb907d3e2743275505c5c6
Author:     Mike Frysinger <vapier@gentoo.org>
AuthorDate: 2018-01-24 04:11:19 +0000
Commit:     Mike Frysinger <vapier@gentoo.org>
CommitDate: 2018-01-24 04:14:46 +0000

    sys-apps/busybox: version bump to 1.28.0 #563756 #635392 #638258
    
    Bug: https://bugs.gentoo.org/563756
    Bug: https://bugs.gentoo.org/635392
    Bug: https://bugs.gentoo.org/638258

 sys-apps/busybox/Manifest              |   1 +
 sys-apps/busybox/busybox-1.28.0.ebuild | 310 +++++++++++++++++++++++++++++++++
 2 files changed, 311 insertions(+)
Comment 4 Anthony Basile gentoo-dev 2018-01-27 23:42:45 UTC
> @Maintainers please call for stabilization when ready.

I think we need to do this.

KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 5 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-01-28 00:36:24 UTC
amd64 stable
Comment 6 Anthony Basile gentoo-dev 2018-01-28 02:18:07 UTC
x86 stable
Comment 7 Tobias Klausmann (RETIRED) gentoo-dev 2018-01-28 18:24:23 UTC
Stable on alpha.
Comment 8 Rolf Eike Beer archtester 2018-01-28 21:21:47 UTC
Pro tip: if you want "sparc", you should CC sparc.
Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev 2018-02-02 20:39:23 UTC
commit 573c581adc8caaf90b79432d1ec9902975f73e25
Author: Rolf Eike Beer <eike@sf-mail.de>
Date:   Wed Jan 31 18:38:21 2018 +0100

    sys-apps/busybox: stable 1.28.0 for sparc, bug #638258
Comment 10 Markus Meier gentoo-dev 2018-02-05 21:20:48 UTC
arm stable
Comment 11 Sergei Trofimovich (RETIRED) gentoo-dev 2018-02-06 23:26:18 UTC
commit f34b677906cdd137f8fa0602a2bcde3914732e85
Author: Rolf Eike Beer <eike@sf-mail.de>
Date:   Wed Feb 7 00:13:48 2018 +0100

    sys-apps/busybox: stable 1.28.0 for hppa, bug #638258
Comment 12 Sergei Trofimovich (RETIRED) gentoo-dev 2018-02-10 14:06:03 UTC
ia64 stable
Comment 13 Mart Raudsepp gentoo-dev 2018-03-02 11:45:44 UTC
arm64 stable
Comment 14 Sergei Trofimovich (RETIRED) gentoo-dev 2018-03-07 19:51:17 UTC
ppc stable
Comment 15 Matt Turner gentoo-dev 2018-03-12 02:26:36 UTC
ppc64 done. Last arch done.
Comment 16 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-03-13 17:57:47 UTC
Thank you, new GLSA request filed.

@Maintainers please remove vulnerable versions.
Comment 17 Larry the Git Cow gentoo-dev 2018-03-25 18:49:21 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3a0dba014e668def84853ddae587d1198bbfefd2

commit 3a0dba014e668def84853ddae587d1198bbfefd2
Author:     Mikle Kolyada <zlogene@gentoo.org>
AuthorDate: 2018-03-25 18:38:06 +0000
Commit:     Mikle Kolyada <zlogene@gentoo.org>
CommitDate: 2018-03-25 18:48:53 +0000

    sys-apps/busybox: Cleanup insecure versions
    
    Bug: https://bugs.gentoo.org/638258
    Package-Manager: Portage-2.3.24, Repoman-2.3.6

 sys-apps/busybox/Manifest                 |   3 -
 sys-apps/busybox/busybox-1.25.1.ebuild    | 308 -----------------------------
 sys-apps/busybox/busybox-1.26.2-r1.ebuild | 316 ------------------------------
 sys-apps/busybox/busybox-1.27.2.ebuild    | 316 ------------------------------
 4 files changed, 943 deletions(-)
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2018-03-26 16:27:16 UTC
This issue was resolved and addressed in
 GLSA 201803-12 at https://security.gentoo.org/glsa/201803-12
by GLSA coordinator Aaron Bauman (b-man).