Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 824222 (CVE-2021-42373, CVE-2021-42374, CVE-2021-42375, CVE-2021-42376, CVE-2021-42377, CVE-2021-42378, CVE-2021-42379, CVE-2021-42380, CVE-2021-42381, CVE-2021-42382, CVE-2021-42383, CVE-2021-42384, CVE-2021-42385, CVE-2021-42386)

Summary: <sys-apps/busybox-1.34.0: multiple vulnerabilities (CVE-2021-{42373,42374,42375,42376,42377,42378,42379,42380,42381,42382,42383,42384,42385,42386})
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: normal CC: embedded
Priority: Normal Keywords: PullRequest
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
See Also: https://github.com/gentoo/gentoo/pull/26180
Whiteboard: B2 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on: 824226    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-11-17 15:32:33 UTC 
CVE-2021-42373:

A NULL pointer dereference in Busybox's man applet leads to denial of service when a section name is supplied but no page argument is given

CVE-2021-42374:

An out-of-bounds heap read in Busybox's unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format that

CVE-2021-42375:

An incorrect handling of a special element in Busybox's ash applet leads to denial of service when processing a crafted shell command, due to the shell mistaking specific characters for reserved characters. This may be used for DoS under rare conditions of filtered command input.

CVE-2021-42376:

A NULL pointer dereference in Busybox's hush applet leads to denial of service when processing a crafted shell command, due to missing validation after a \x03 delimiter character. This may be used for DoS under very rare conditions of filtered command input.

CVE-2021-42377:

An attacker-controlled pointer free in Busybox's hush applet leads to denial of service and possible code execution when processing a crafted shell command, due to the shell mishandling the &&& string. This may be used for remote code execution under rare conditions of filtered command input.

CVE-2021-42378:

A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function

CVE-2021-42379:

A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file function

CVE-2021-42380:

A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function

CVE-2021-42381:

A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init function

CVE-2021-42382:

A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s function

CVE-2021-42383:

A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function

CVE-2021-42384:

A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function

CVE-2021-42385:

A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function

CVE-2021-42386:

A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-11-20 17:17:21 UTC 
Please cleanup.
Comment 2 Larry the Git Cow gentoo-dev 2022-07-03 23:54:22 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4953f8ef033673023485d1b05b96137166a812cf

commit 4953f8ef033673023485d1b05b96137166a812cf
Author:     Viorel Munteanu <ceamac.paragon@gmail.com>
AuthorDate: 2022-07-01 11:44:33 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-07-03 23:52:43 +0000

    sys-apps/busybox: drop 1.32.1-r1, 1.33.1, 1.33.1-r2
    
    They have security issues
    
    Bug: https://bugs.gentoo.org/824222
    Signed-off-by: Viorel Munteanu <ceamac.paragon@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/26180
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-apps/busybox/Manifest                 |   2 -
 sys-apps/busybox/busybox-1.32.1-r1.ebuild | 337 -----------------------------
 sys-apps/busybox/busybox-1.33.1-r2.ebuild | 345 ------------------------------
 sys-apps/busybox/busybox-1.33.1.ebuild    | 337 -----------------------------
 4 files changed, 1021 deletions(-)