Bug 635392 (CVE-2017-15873, CVE-2017-15874) - <sys-apps/busybox-1.28.0: two integer overflows
Summary: <sys-apps/busybox-1.28.0: two integer overflows
Alias: CVE-2017-15873, CVE-2017-15874
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
Whiteboard: A2 [glsa+ cve]
Depends on: CVE-2017-16544
Reported: 2017-10-25 07:24 UTC by Agostino Sarubbo
Modified: 2018-03-26 16:27 UTC

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2017-10-25 07:24:58 UTC
CVE-2017-15873 (
The get_next_block function in archival/libarchive/decompress_bunzip2.c in BusyBox 1.27.2 has an Integer Overflow that may lead to a write access violation.

CVE-2017-15874 (
archival/libarchive/decompress_unlzma.c in BusyBox 1.27.2 has an Integer Underflow that leads to a read access violation.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
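Both CVEs above are about a length taken from the compressed stream being combined arithmetically before any bound on the output buffer is checked, so the count that finally reaches the copy loop has already wrapped. The block below is an added example, not BusyBox's decompress_bunzip2.c and not the actual fix: a toy bzip2-style run-length step in C that shows where such a count can wrap and the two checks that reject a hostile stream. The RUNA/RUNB weights follow the bzip2 format; the buffer size, the MAX_RUN_BITS cap, the DEC_* codes, the function names and the constructed symbol streams are all assumptions of the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustration of the bug class only; not BusyBox's decompress_bunzip2.c. */

#define RUNA 0
#define RUNB 1
#define DBUF_SIZE 4096          /* assumed output block size for the toy decoder */
#define MAX_RUN_BITS 24         /* assumed cap on run-length symbol position */

enum { DEC_OK = 0, DEC_BAD_RUN = -1, DEC_NO_SPACE = -2 };

/*
 * bzip2 writes a run of identical bytes as a bijective base-2 number made of
 * RUNA (weight 1) and RUNB (weight 2) symbols; the k-th symbol contributes
 * weight << k. In an unchecked decoder both k and the running total come
 * straight from the attacker's stream, so a long enough run of symbols shifts
 * past the width of the accumulator and the count wraps, and a later
 * "count <= space" test sees a harmless-looking value. This version caps k
 * and accumulates in 64 bits so neither step can wrap silently.
 */
int run_length(const uint8_t *syms, size_t nsyms, uint32_t *out)
{
    uint64_t runCnt = 0;
    unsigned runPos = 0;

    for (size_t i = 0; i < nsyms; i++) {
        if (syms[i] != RUNA && syms[i] != RUNB)
            break;                              /* run symbols ended */
        if (runPos >= MAX_RUN_BITS)
            return DEC_BAD_RUN;                 /* malformed: run too wide */
        runCnt += (uint64_t)(syms[i] + 1) << runPos;
        runPos++;
    }
    *out = (uint32_t)runCnt;                    /* < 2^25 because of the cap */
    return DEC_OK;
}

/*
 * Copy the run into the block buffer only if it fits. The test is written as
 * "space left >= count" rather than "used + count <= size" so the comparison
 * itself cannot overflow on a hostile count.
 */
int emit_run(uint8_t *dbuf, uint32_t dbufSize, uint32_t *dbufCount,
             uint8_t byte, uint32_t runCnt)
{
    if (*dbufCount > dbufSize || dbufSize - *dbufCount < runCnt)
        return DEC_NO_SPACE;
    memset(dbuf + *dbufCount, byte, runCnt);
    *dbufCount += runCnt;
    return DEC_OK;
}

/* Decode one run from the symbol stream into dbuf; returns a DEC_* status. */
int decode_run(const uint8_t *syms, size_t nsyms, uint8_t byte,
               uint8_t *dbuf, uint32_t dbufSize, uint32_t *dbufCount)
{
    uint32_t runCnt;
    int rc = run_length(syms, nsyms, &runCnt);
    if (rc != DEC_OK)
        return rc;
    return emit_run(dbuf, dbufSize, dbufCount, byte, runCnt);
}

/*
 * Self-check on constructed symbol streams: a small run that fits, a run that
 * is well-formed but larger than the buffer, and an over-wide run. Returns 0
 * when every case behaves as intended, otherwise the number of the failing case.
 */
int selftest(void)
{
    static uint8_t dbuf[DBUF_SIZE];
    uint32_t used = 0;
    const uint8_t small[] = { RUNB, RUNA, RUNA };   /* 2 + 2 + 4 = 8 bytes */
    uint8_t big[13], wide[30];

    memset(big, RUNB, sizeof big);                  /* 2*(2^13 - 1) = 16382 bytes */
    memset(wide, RUNA, sizeof wide);                /* 30 positions, past the cap */

    if (decode_run(small, sizeof small, 'A', dbuf, DBUF_SIZE, &used) != DEC_OK
        || used != 8 || dbuf[0] != 'A' || dbuf[7] != 'A')
        return 1;
    if (decode_run(big, sizeof big, 'B', dbuf, DBUF_SIZE, &used) != DEC_NO_SPACE
        || used != 8)
        return 2;
    if (decode_run(wide, sizeof wide, 'C', dbuf, DBUF_SIZE, &used) != DEC_BAD_RUN
        || used != 8)
        return 3;
    return 0;
}

int main(void)
{
    int rc = selftest();
    if (rc == 0)
        printf("all checks passed\n");
    else
        printf("check %d failed\n", rc);
    return rc;
}
```

The two checks are deliberately separate: the cap on runPos rejects a stream that is malformed regardless of buffer size, while the "space left" comparison in emit_run rejects a well-formed run that simply does not fit. A single check after the accumulation would not do, because by then the count may already have wrapped.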
Comment 1 Herbert Wantesh 2017-11-22 19:21:20 UTC
The maintainer fixed all these bugs already but didn't mark them with the corresponding CVE numbers, and he hasn't released a new version that fixes all of these vulnerabilities:

CVE-2017-15873 - fixed with this commit

CVE-2017-15874 - fixed with
Comment 2 Larry the Git Cow gentoo-dev 2018-01-24 04:16:43 UTC
The bug has been referenced in the following commit(s):

commit 7271c533c68a35f72cdb907d3e2743275505c5c6
Author:     Mike Frysinger <>
AuthorDate: 2018-01-24 04:11:19 +0000
Commit:     Mike Frysinger <>
CommitDate: 2018-01-24 04:14:46 +0000

    sys-apps/busybox: version bump to 1.28.0 #563756 #635392 #638258

 sys-apps/busybox/Manifest              |   1 +
 sys-apps/busybox/busybox-1.28.0.ebuild | 310 +++++++++++++++++++++++++++++++++
 2 files changed, 311 insertions(+)
Comment 3 Anthony Basile gentoo-dev 2018-01-27 23:46:00 UTC
Note: stabilization called for in bug #638258
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2018-03-26 16:27:08 UTC
This issue was resolved and addressed in
 GLSA 201803-12 at
by GLSA coordinator Aaron Bauman (b-man).