| Field | Value |
|---|---|
| Summary | `<sys-apps/busybox-1.28.0: Autocompletion vulnerability` |
| Product | Gentoo Security |
| Reporter | Hanno Böck `<hanno>` |
| Component | Vulnerabilities |
| Assignee | Gentoo Security `<security>` |
| Status | RESOLVED FIXED |
| Severity | normal |
| CC | embedded, kfm |
| Priority | Normal |
| Flags | stable-bot: sanity-check+ |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | https://git.busybox.net/busybox/commit/?id=c3797d40a1c57352192c6106cc0f435e7d9c11e8 |
| See Also | https://bugs.gentoo.org/show_bug.cgi?id=635392 |
| Whiteboard | A2 [glsa+ cve] |
| Package list | sys-apps/busybox-1.28.0 |
| Runtime testing required | --- |
| Bug Depends on | |
| Bug Blocks | 563756, 635392 |
Description (Hanno Böck, 2017-11-20 17:24:04 UTC)
(In reply to Hanno Boeck from comment #0)

> The first sounds particularly bad, it's a shell injection in the
> autocompletion code. The others are issues in the embedded compression tools.
>
> Unfortunately there's no fixed release yet, but the severity of particularly
> the first issue probably justifies having an ebuild with patches.

Thank you Hanno, setting URL to the patch. Other bugs are already reported in bug 635392.

@Maintainers please call for stabilization when ready.

Fixed with this commit: https://git.busybox.net/busybox/commit/?id=c3797d40a1c57352192c6106cc0f435e7d9c11e8

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7271c533c68a35f72cdb907d3e2743275505c5c6

commit 7271c533c68a35f72cdb907d3e2743275505c5c6
Author: Mike Frysinger <vapier@gentoo.org>
AuthorDate: 2018-01-24 04:11:19 +0000
Commit: Mike Frysinger <vapier@gentoo.org>
CommitDate: 2018-01-24 04:14:46 +0000

sys-apps/busybox: version bump to 1.28.0 #563756 #635392 #638258

Bug: https://bugs.gentoo.org/563756
Bug: https://bugs.gentoo.org/635392
Bug: https://bugs.gentoo.org/638258

sys-apps/busybox/Manifest | 1 +
sys-apps/busybox/busybox-1.28.0.ebuild | 310 +++++++++++++++++++++++++++++++++
2 files changed, 311 insertions(+)

> @Maintainers please call for stabilization when ready.

I think we need to do this.

KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

amd64 stable

x86 stable

Stable on alpha.

Pro tip: if you want "sparc", you should CC sparc.

commit 573c581adc8caaf90b79432d1ec9902975f73e25
Author: Rolf Eike Beer <eike@sf-mail.de>
Date: Wed Jan 31 18:38:21 2018 +0100

sys-apps/busybox: stable 1.28.0 for sparc, bug #638258

arm stable

commit f34b677906cdd137f8fa0602a2bcde3914732e85
Author: Rolf Eike Beer <eike@sf-mail.de>
Date: Wed Feb 7 00:13:48 2018 +0100

sys-apps/busybox: stable 1.28.0 for hppa, bug #638258

ia64 stable

arm64 stable

ppc stable

ppc64 done.

Last arch done.

Thank you, new GLSA request filed.

@Maintainers please remove vulnerable versions.

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3a0dba014e668def84853ddae587d1198bbfefd2

commit 3a0dba014e668def84853ddae587d1198bbfefd2
Author: Mikle Kolyada <zlogene@gentoo.org>
AuthorDate: 2018-03-25 18:38:06 +0000
Commit: Mikle Kolyada <zlogene@gentoo.org>
CommitDate: 2018-03-25 18:48:53 +0000

sys-apps/busybox: Cleanup insecure versions

Bug: https://bugs.gentoo.org/638258
Package-Manager: Portage-2.3.24, Repoman-2.3.6

sys-apps/busybox/Manifest | 3 -
sys-apps/busybox/busybox-1.25.1.ebuild | 308 -----------------------------
sys-apps/busybox/busybox-1.26.2-r1.ebuild | 316 ------------------------------
sys-apps/busybox/busybox-1.27.2.ebuild | 316 ------------------------------
4 files changed, 943 deletions(-)

This issue was resolved and addressed in GLSA 201803-12 at https://security.gentoo.org/glsa/201803-12 by GLSA coordinator Aaron Bauman (b-man).