Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 836920 (CVE-2022-28391, CVE-2022-30065) - sys-apps/busybox: multiple vulnerabilities
Summary: sys-apps/busybox: multiple vulnerabilities
Status: CONFIRMED
Alias: CVE-2022-28391, CVE-2022-30065
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://gitlab.alpinelinux.org/alpine...
Whiteboard: B2 [upstream/ebuild]
Keywords:
Depends on:
Blocks:
 
Reported: 2022-04-06 13:06 UTC by John Helmert III
Modified: 2022-05-18 17:24 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-06 13:06:13 UTC
CVE-2022-28391:

BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors.

Alpine has some patches:

https://git.alpinelinux.org/aports/plain/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
https://git.alpinelinux.org/aports/plain/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch

But these are apparently less-than-perfect fixes:

09:23 <ajak> Ariadne: since i imagine it was an alpine person, no upstream references in https://nvd.nist.gov/vuln/detail/CVE-2022-28391 ? :(
09:25 <Ariadne> not yet, i am working on a cleaner patch to send upstream.
09:25 <Ariadne> the one we use in alpine to fix the sanitization problem introduces a memory leak
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-05-18 17:24:25 UTC
CVE-2022-30065 (https://bugs.busybox.net/show_bug.cgi?id=14781):

A use-after-free in Busybox 1.35-x's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the copyvar function.