The vulnerability is caused due to a boundary error within the "unpack_Z_stream()" function (archival/libarchive/decompress_uncompress.c) and can be exploited to cause a buffer underflow via a specially crafted datastream. Fix at $URL
When quoting text, please provide your source, in this case Secunia (http://secunia.com/advisories/45702/).
I think this is fixed with upstream busybox-1.19.0-uncompress.patch which is part of the new busybox-1.19.0 ebuild that is in the tree now
(In reply to comment #2)
> I think this is fixed with upstream busybox-1.19.0-uncompress.patch which is
> part of the new busybox-1.19.0 ebuild that is in the tree now
Great, thanks. Can we stabilize 1.19.0?
I don't know of any blocking issues
(In reply to comment #4)
> I don't know of any blocking issues
Ok, thanks. Arches, please test and mark stable:
=sys-apps/busybox-1.19.0
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
ppc/ppc64 stable
x86 stable
amd64: pass
hppa stable
amd64: passes all
amd64 ok Take a look at bug 379965 that can't block this stabilization.
amd64 done. Thanks Agostino, Ian and Elijah
arm stable
alpha/ia64/m68k/s390/sh/sparc stable
Thanks all, adding glsa request.
Thanks, folks. New GLSA request filed.
This issue was resolved and addressed in GLSA 201312-02 at http://security.gentoo.org/glsa/glsa-201312-02.xml by GLSA coordinator Chris Reffett (creffett).