CVE-2022-28391: BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors. Alpine has some patches: https://git.alpinelinux.org/aports/plain/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch https://git.alpinelinux.org/aports/plain/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch But these are apparently less-than-perfect fixes: 09:23 <ajak> Ariadne: since i imagine it was an alpine person, no upstream references in https://nvd.nist.gov/vuln/detail/CVE-2022-28391 ? :( 09:25 <Ariadne> not yet, i am working on a cleaner patch to send upstream. 09:25 <Ariadne> the one we use in alpine to fix the sanitization problem introduces a memory leak
CVE-2022-30065 (https://bugs.busybox.net/show_bug.cgi?id=14781): A use-after-free in Busybox 1.35-x's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the copyvar function.
