The first sounds particularly bad; it's a shell injection in the autocompletion code. The others are issues in the embedded compression tools. Unfortunately there's no fixed release yet, but the severity of the first issue in particular probably justifies having an ebuild with patches.
(In reply to Hanno Boeck from comment #0)
> The first sounds particularly bad; it's a shell injection in the
> autocompletion code. The others are issues in the embedded compression tools.
>
> Unfortunately there's no fixed release yet, but the severity of the first
> issue in particular probably justifies having an ebuild with patches.

Thank you Hanno, setting URL to the patch. Other bugs are already reported in bug 635392.

@Maintainers please call for stabilization when ready.
Fixed with this commit: https://git.busybox.net/busybox/commit/?id=c3797d40a1c57352192c6106cc0f435e7d9c11e8
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7271c533c68a35f72cdb907d3e2743275505c5c6

commit 7271c533c68a35f72cdb907d3e2743275505c5c6
Author:     Mike Frysinger <vapier@gentoo.org>
AuthorDate: 2018-01-24 04:11:19 +0000
Commit:     Mike Frysinger <vapier@gentoo.org>
CommitDate: 2018-01-24 04:14:46 +0000

    sys-apps/busybox: version bump to 1.28.0 #563756 #635392 #638258

    Bug: https://bugs.gentoo.org/563756
    Bug: https://bugs.gentoo.org/635392
    Bug: https://bugs.gentoo.org/638258

 sys-apps/busybox/Manifest              |   1 +
 sys-apps/busybox/busybox-1.28.0.ebuild | 310 +++++++++++++++++++++++++++++++++
 2 files changed, 311 insertions(+)
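The version bump above makes 1.28.0 the first release on this bug that carries the fix, so the practical question for anyone with a BusyBox binary in hand is "is this one at least 1.28.0?". The script below is an added example (not from the bug thread, Gentoo or BusyBox) that answers it from the banner line BusyBox prints when run with no arguments; the banner format "BusyBox vX.Y.Z (...)", the sample banners and all function names are assumptions made for the illustration. It compares versions field by field rather than as strings, so that 1.28.0 correctly ranks above 1.9.9, and it avoids `sort -V`, which BusyBox's own `sort` applet need not provide.

```shell
#!/bin/sh
# Added example, not code from the bug thread, Gentoo or BusyBox: decide from a
# BusyBox banner line whether the binary is at least 1.28.0, the release the
# thread stabilizes as the fix. The banner format ("BusyBox vX.Y.Z (...)") and
# every function name here are assumptions made for this illustration.

FIXED_VERSION="1.28.0"

# Pull the dotted version out of a banner such as
# "BusyBox v1.27.2 (2017-11-03 10:32:05 UTC) multi-call binary." (constructed sample).
# A ".git" suffix on development builds is dropped. Prints nothing if the line
# does not look like a BusyBox banner.
busybox_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^BusyBox v\([0-9]\{1,\}\(\.[0-9]\{1,\}\)*\).*/\1/p'
}

# Numeric, field-by-field comparison of two dotted versions, so that 1.28.0 > 1.9.9
# (a plain string comparison would get that wrong). Pure POSIX sh: BusyBox's own
# sort may lack -V. Returns 0 when $1 >= $2, 1 otherwise.
version_ge() {
    a="$1" b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        [ -z "$x" ] && x=0          # a missing field counts as 0 (1.28 == 1.28.0)
        [ -z "$y" ] && y=0
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 0
}

# 0: banner is from a fixed release; 1: older than the fix; 2: banner not recognised.
busybox_is_fixed_banner() {
    v=$(busybox_version_from_banner "$1")
    [ -z "$v" ] && return 2
    version_ge "$v" "$FIXED_VERSION"
}

# Stand-alone use: inspect the busybox on PATH, if any. Running busybox with no
# arguments prints the banner as its first line.
if command -v busybox >/dev/null 2>&1; then
    banner=$(busybox 2>&1 | head -n 1)
    if busybox_is_fixed_banner "$banner"; then
        echo "ok: $banner"
    else
        echo "CHECK: $banner (older than $FIXED_VERSION or unrecognised)"
    fi
fi
```

A banner check only sees the upstream version string, not distribution patches, so on a Gentoo host the authoritative test is the installed ebuild version, e.g. `glsa-check -t all` from app-portage/gentoolkit once the GLSA for this bug is published.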
> @Maintainers please call for stabilization when ready.

I think we need to do this.

KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
amd64 stable
x86 stable
Stable on alpha.
Pro tip: if you want "sparc", you should CC sparc.
commit 573c581adc8caaf90b79432d1ec9902975f73e25
Author: Rolf Eike Beer <eike@sf-mail.de>
Date:   Wed Jan 31 18:38:21 2018 +0100

    sys-apps/busybox: stable 1.28.0 for sparc, bug #638258
arm stable
commit f34b677906cdd137f8fa0602a2bcde3914732e85
Author: Rolf Eike Beer <eike@sf-mail.de>
Date:   Wed Feb 7 00:13:48 2018 +0100

    sys-apps/busybox: stable 1.28.0 for hppa, bug #638258
ia64 stable
arm64 stable
ppc stable
ppc64 done. Last arch done.
Thank you, new GLSA request filed. @Maintainers please remove vulnerable versions.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3a0dba014e668def84853ddae587d1198bbfefd2

commit 3a0dba014e668def84853ddae587d1198bbfefd2
Author:     Mikle Kolyada <zlogene@gentoo.org>
AuthorDate: 2018-03-25 18:38:06 +0000
Commit:     Mikle Kolyada <zlogene@gentoo.org>
CommitDate: 2018-03-25 18:48:53 +0000

    sys-apps/busybox: Cleanup insecure versions

    Bug: https://bugs.gentoo.org/638258
    Package-Manager: Portage-2.3.24, Repoman-2.3.6

 sys-apps/busybox/Manifest                 |   3 -
 sys-apps/busybox/busybox-1.25.1.ebuild    | 308 -----------------------------
 sys-apps/busybox/busybox-1.26.2-r1.ebuild | 316 ------------------------------
 sys-apps/busybox/busybox-1.27.2.ebuild    | 316 ------------------------------
 4 files changed, 943 deletions(-)
This issue was resolved and addressed in GLSA 201803-12 at https://security.gentoo.org/glsa/201803-12 by GLSA coordinator Aaron Bauman (b-man).