CVE-2021-42373: A NULL pointer dereference in Busybox's man applet leads to denial of service when a section name is supplied but no page argument is given

CVE-2021-42374: An out-of-bounds heap read in Busybox's unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format that

CVE-2021-42375: An incorrect handling of a special element in Busybox's ash applet leads to denial of service when processing a crafted shell command, due to the shell mistaking specific characters for reserved characters. This may be used for DoS under rare conditions of filtered command input.

CVE-2021-42376: A NULL pointer dereference in Busybox's hush applet leads to denial of service when processing a crafted shell command, due to missing validation after a \x03 delimiter character. This may be used for DoS under very rare conditions of filtered command input.

CVE-2021-42377: An attacker-controlled pointer free in Busybox's hush applet leads to denial of service and possible code execution when processing a crafted shell command, due to the shell mishandling the &&& string. This may be used for remote code execution under rare conditions of filtered command input.

CVE-2021-42378: A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function

CVE-2021-42379: A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file function

CVE-2021-42380: A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function

CVE-2021-42381: A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init function

CVE-2021-42382: A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s function

CVE-2021-42383: A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function

CVE-2021-42384: A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function

CVE-2021-42385: A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function

CVE-2021-42386: A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function

Please cleanup.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4953f8ef033673023485d1b05b96137166a812cf

commit 4953f8ef033673023485d1b05b96137166a812cf
Author: Viorel Munteanu <ceamac.paragon@gmail.com>
AuthorDate: 2022-07-01 11:44:33 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2022-07-03 23:52:43 +0000

    sys-apps/busybox: drop 1.32.1-r1, 1.33.1, 1.33.1-r2

    They have security issues

    Bug: https://bugs.gentoo.org/824222
    Signed-off-by: Viorel Munteanu <ceamac.paragon@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/26180
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-apps/busybox/Manifest | 2 -
 sys-apps/busybox/busybox-1.32.1-r1.ebuild | 337 -----------------------------
 sys-apps/busybox/busybox-1.33.1-r2.ebuild | 345 ------------------------------
 sys-apps/busybox/busybox-1.33.1.ebuild | 337 -----------------------------
 4 files changed, 1021 deletions(-)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=007d2cf2a945eb860b990e5233e6ff13c3ae497c

commit 007d2cf2a945eb860b990e5233e6ff13c3ae497c
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-07-05 09:49:36 +0000
Commit: Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-07-05 09:49:51 +0000

    [ GLSA 202407-17 ] BusyBox: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/824222
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202407-17.xml | 55 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)