Bug 824222 (CVE-2021-42373, CVE-2021-42374, CVE-2021-42375, CVE-2021-42376, CVE-2021-42377, CVE-2021-42378, CVE-2021-42379, CVE-2021-42380, CVE-2021-42381, CVE-2021-42382, CVE-2021-42383, CVE-2021-42384, CVE-2021-42385, CVE-2021-42386) - <sys-apps/busybox-1.34.0: multiple vulnerabilities (CVE-2021-{42373,42374,42375,42376,42377,42378,42379,42380,42381,42382,42383,42384,42385,42386})
Status: IN_PROGRESS
Alias: CVE-2021-42373, CVE-2021-42374, CVE-2021-42375, CVE-2021-42376, CVE-2021-42377, CVE-2021-42378, CVE-2021-42379, CVE-2021-42380, CVE-2021-42381, CVE-2021-42382, CVE-2021-42383, CVE-2021-42384, CVE-2021-42385, CVE-2021-42386
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://jfrog.com/blog/unboxing-busyb...
Whiteboard: B2 [glsa?]
Keywords: PullRequest
Depends on: 824226
Blocks:
Reported: 2021-11-17 15:32 UTC by John Helmert III
Modified: 2023-08-11 07:14 UTC (History)
Runtime testing required: ---


Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-11-17 15:32:33 UTC
CVE-2021-42373:

A NULL pointer dereference in Busybox's man applet leads to denial of service when a section name is supplied but no page argument is given

CVE-2021-42374:

An out-of-bounds heap read in Busybox's unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format that

CVE-2021-42375:

An incorrect handling of a special element in Busybox's ash applet leads to denial of service when processing a crafted shell command, due to the shell mistaking specific characters for reserved characters. This may be used for DoS under rare conditions of filtered command input.

CVE-2021-42376:

A NULL pointer dereference in Busybox's hush applet leads to denial of service when processing a crafted shell command, due to missing validation after a \x03 delimiter character. This may be used for DoS under very rare conditions of filtered command input.

CVE-2021-42377:

An attacker-controlled pointer free in Busybox's hush applet leads to denial of service and possible code execution when processing a crafted shell command, due to the shell mishandling the &&& string. This may be used for remote code execution under rare conditions of filtered command input.

CVE-2021-42378:

A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function

CVE-2021-42379:

A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file function

CVE-2021-42380:

A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function

CVE-2021-42381:

A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init function

CVE-2021-42382:

A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s function

CVE-2021-42383:

A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function

CVE-2021-42384:

A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function

CVE-2021-42385:

A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function

CVE-2021-42386:

A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-11-20 17:17:21 UTC
Please clean up.
Comment 2 Larry the Git Cow gentoo-dev 2022-07-03 23:54:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4953f8ef033673023485d1b05b96137166a812cf

commit 4953f8ef033673023485d1b05b96137166a812cf
Author:     Viorel Munteanu <ceamac.paragon@gmail.com>
AuthorDate: 2022-07-01 11:44:33 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-07-03 23:52:43 +0000

    sys-apps/busybox: drop 1.32.1-r1, 1.33.1, 1.33.1-r2
    
    They have security issues
    
    Bug: https://bugs.gentoo.org/824222
    Signed-off-by: Viorel Munteanu <ceamac.paragon@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/26180
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-apps/busybox/Manifest                 |   2 -
 sys-apps/busybox/busybox-1.32.1-r1.ebuild | 337 -----------------------------
 sys-apps/busybox/busybox-1.33.1-r2.ebuild | 345 ------------------------------
 sys-apps/busybox/busybox-1.33.1.ebuild    | 337 -----------------------------
 4 files changed, 1021 deletions(-)