CVE-2022-28391: BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors.

Alpine has some patches:
https://git.alpinelinux.org/aports/plain/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
https://git.alpinelinux.org/aports/plain/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch

But these are apparently less-than-perfect fixes:

09:23 <ajak> Ariadne: since i imagine it was an alpine person, no upstream references in https://nvd.nist.gov/vuln/detail/CVE-2022-28391 ? :(
09:25 <Ariadne> not yet, i am working on a cleaner patch to send upstream.
09:25 <Ariadne> the one we use in alpine to fix the sanitization problem introduces a memory leak
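The Alpine patch titles describe the mitigation: make sure only printable characters from a resolver answer ever reach the terminal. The following is an added example of such a check, not BusyBox's or Alpine's code; the function names `is_safe_byte`, `count_unsafe_bytes` and `sanitize_for_terminal` are hypothetical, and the PTR value in `main` is constructed for the demonstration. It takes an explicit length rather than relying on `strlen`, so a name carrying an embedded NUL byte is still fully inspected.

```c
/* Added example (not BusyBox or Alpine code): sanitize a DNS PTR value
 * before it is written to a VT-compatible terminal, so that control bytes
 * such as ESC cannot be interpreted as terminal escape sequences.
 * All function names here are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns 1 if the byte can be written to a terminal verbatim.
 * Only printable ASCII (0x20..0x7e) passes: this rejects ESC (0x1b),
 * DEL (0x7f), all other C0 controls and, conservatively, every non-ASCII
 * byte (which covers the 8-bit C1 controls such as CSI, 0x9b). */
static int is_safe_byte(unsigned char c)
{
    return c >= 0x20 && c <= 0x7e;
}

/* Detection-side check: how many bytes in a resolver-supplied name would
 * need escaping before display. Non-zero means the answer is suspicious. */
size_t count_unsafe_bytes(const char *s, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (!is_safe_byte((unsigned char)s[i]))
            n++;
    return n;
}

/* Mitigation: return a newly allocated, NUL-terminated copy of the first
 * len bytes of s with every unsafe byte replaced by '?'. Caller frees. */
char *sanitize_for_terminal(const char *s, size_t len)
{
    char *out = malloc(len + 1);
    if (out == NULL)
        return NULL;
    for (size_t i = 0; i < len; i++)
        out[i] = is_safe_byte((unsigned char)s[i]) ? s[i] : '?';
    out[len] = '\0';
    return out;
}

int main(void)
{
    /* Constructed sample: a PTR-style name with an ESC byte followed by a
     * colour-change sequence, the kind of answer the CVE text describes. */
    const char ptr_value[] = "host\x1b[31m.example.internal";
    size_t len = sizeof(ptr_value) - 1;

    printf("unsafe bytes in answer: %zu\n", count_unsafe_bytes(ptr_value, len));

    char *clean = sanitize_for_terminal(ptr_value, len);
    if (clean == NULL)
        return 1;
    printf("sanitized: %s\n", clean);   /* prints host?[31m.example.internal */
    free(clean);
    return 0;
}
```

Replacing rather than dropping unsafe bytes keeps the displayed name the same length as the raw answer, which makes a tampered record visible to the operator instead of silently hiding it.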
CVE-2022-30065 (https://bugs.busybox.net/show_bug.cgi?id=14781): A use-after-free in Busybox 1.35-x's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the copyvar function.
Regarding CVE-2022-28391, the best available option seems to be https://gitlab.alpinelinux.org/alpine/aports/-/commit/2745de7e1b09e663b477a8141b84f7d81a049963. Is the new patch going to be ready soon? The alpine issue is closed: https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661 while I have not yet found anything from busybox upstream. CVE-2022-30065 seems to be fixed by https://git.busybox.net/busybox/commit/?id=e63d7cdfdac78c6fd27e9e63150335767592b85e. Should those patches be merged or is it better to wait and contact the alpine dev again for the aforementioned CVE-2022-28391 patch?
(In reply to 9ts641j2 from comment #2)
> Regarding CVE-2022-28391, the best available option seems to be
> https://gitlab.alpinelinux.org/alpine/aports/-/commit/2745de7e1b09e663b477a8141b84f7d81a049963.
> Is the new patch going to be ready soon? The alpine issue is closed:
> https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661 while I have not
> yet found anything from busybox upstream.

Yeah, the Alpine people didn't want to report it upstream for geopolitical reasons(?), so I don't think the issue ever made it upstream.

> CVE-2022-30065 seems to be fixed by
> https://git.busybox.net/busybox/commit/?id=e63d7cdfdac78c6fd27e9e63150335767592b85e.
> Should those patches be merged or is it better to wait and contact the
> alpine dev again for the aforementioned CVE-2022-28391 patch?
So we should pull the patches for both issues?
(In reply to 9ts641j2 from comment #4)
> So we should pull the patches for both issues?

We should ideally report the first issue upstream, since no one else has done it.

This is relatively complex to exploit, so I don't think we should be pressed for time here.
(In reply to John Helmert III from comment #5)
> (In reply to 9ts641j2 from comment #4)
> > So we should pull the patches for both issues?
>
> We should ideally report the first issue upstream, since no one else has
> done it.
>
> This is relatively complex to exploit so I don't think we should be pressed
> for time here

https://bugs.busybox.net/show_bug.cgi?id=15001
Upstream never really reacted to the issue, thus I propose including the patch in Gentoo.
(In reply to 9ts641j2 from comment #7)
> Upstream never really reacted to the issue, thus I propose including the
> patch in gentoo.

given:

> Alpine carries some patches but Ariadne says they're incorrect:

I'd rather not. Please ping on the upstream issue.