Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 836920 (CVE-2022-28391, CVE-2022-30065)

Summary: sys-apps/busybox: multiple vulnerabilities
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: CONFIRMED ---    
Severity: normal CC: allenwebb, embedded, gentoo.qxrin
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661
See Also: https://bugs.busybox.net/show_bug.cgi?id=15001
Whiteboard: B2 [upstream/ebuild]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-06 13:06:13 UTC
CVE-2022-28391:

BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors.

Alpine has some patches:

https://git.alpinelinux.org/aports/plain/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
https://git.alpinelinux.org/aports/plain/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch

But these are apparently less-than-perfect fixes:

09:23 <ajak> Ariadne: since i imagine it was an alpine person, no upstream references in https://nvd.nist.gov/vuln/detail/CVE-2022-28391 ? :(
09:25 <Ariadne> not yet, i am working on a cleaner patch to send upstream.
09:25 <Ariadne> the one we use in alpine to fix the sanitization problem introduces a memory leak
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-05-18 17:24:25 UTC
CVE-2022-30065 (https://bugs.busybox.net/show_bug.cgi?id=14781):

A use-after-free in Busybox 1.35-x's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the copyvar function.
Comment 2 Federico Justus Denkena 2022-09-17 20:32:17 UTC
Regarding CVE-2022-28391, the best available option seems to be https://gitlab.alpinelinux.org/alpine/aports/-/commit/2745de7e1b09e663b477a8141b84f7d81a049963. Is the new patch going to be ready soon? The alpine issue is closed: https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661 while I have not yet found anything from busybox upstream.

CVE-2022-30065 seems to be fixed by https://git.busybox.net/busybox/commit/?id=e63d7cdfdac78c6fd27e9e63150335767592b85e. 
Should those patches be merged or is it better to wait and contact the alpine dev again for the aforementioned CVE-2022-28391 patch?
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-17 22:30:33 UTC
(In reply to 9ts641j2 from comment #2)
> Regarding CVE-2022-28391, the best available option seems to be
> https://gitlab.alpinelinux.org/alpine/aports/-/commit/
> 2745de7e1b09e663b477a8141b84f7d81a049963. Is the new patch going to be ready
> soon? The alpine issue is closed:
> https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661 while I have not
> yet found anything from busybox upstream.

Yeah, the Alpine people didn't want to report it upstream for geopolitical reasons(?), so I don't think the issue ever made it upstream.

> CVE-2022-30065 seems to be fixed by
> https://git.busybox.net/busybox/commit/
> ?id=e63d7cdfdac78c6fd27e9e63150335767592b85e. 
> Should those patches be merged or is it better to wait and contact the
> alpine dev again for the aforementioned CVE-2022-28391 patch?
Comment 4 Federico Justus Denkena 2022-09-19 07:44:30 UTC
So we should pull the patches for both issues?
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-19 15:24:51 UTC
(In reply to 9ts641j2 from comment #4)
> So we should pull the patches for both issues?

We should ideally report the first issue upstream, since no one else has done it.

This is relatively complex to exploit so I don't think we should be pressed for time here
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-19 15:46:29 UTC
(In reply to John Helmert III from comment #5)
> (In reply to 9ts641j2 from comment #4)
> > So we should pull the patches for both issues?
> 
> We should ideally report the first issue upstream, since no one else has
> done it.
> 
> This is relatively complex to exploit so I don't think we should be pressed
> for time here

https://bugs.busybox.net/show_bug.cgi?id=15001
Comment 7 Federico Justus Denkena 2023-02-27 17:15:34 UTC
Upstream never really reacted to the issue, thus I propose including the patch in gentoo.
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-02-27 17:18:53 UTC
(In reply to 9ts641j2 from comment #7)
> Upstream never really reacted to the issue, thus I propose including the
> patch in gentoo.

given:
>Alpine carries some patches but Ariadne says they're incorrect:

I'd rather not. Please ping on the upstream issue.