Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 954289 (CVE-2023-39810, CVE-2024-58251, CVE-2025-46394) - sys-apps/busybox: multiple vulnerabilities
Summary: sys-apps/busybox: multiple vulnerabilities
Status: CONFIRMED
Alias: CVE-2023-39810, CVE-2024-58251, CVE-2025-46394
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://marc.info/?l=oss-security&m=1...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2025-04-23 17:25 UTC by Hank Leininger
Modified: 2025-04-23 21:05 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Hank Leininger 2025-04-23 17:25:45 UTC 
see $URL and the ensuing thread:

- no CVE yet: cpio and tar don't escape filenames, which can be used to hide real archive contents

- CVE-2023-39810: unpacking a cpio archive can escape the working directory (can be combined with the first to evade casual inspection prior to unpacking)

- also no CVE: overwriting argv[0] with ANSI escapes will cause netstat -p to process them, such as this POC to lock the terminal: https://bugs.busybox.net/show_bug.cgi?id=15922

Upstream has addressed some, like https://git.busybox.net/busybox/commit/?id=9a8796436b9b0641 for CVE-2023-39810, but no new release that incorporates that yet. Also this adds a new knob, ENABLE_FEATURE_PATH_TRAVERSAL_PROTECTION, which if I read correctly defaults to off so I think we'd need a busybox_config_option setting to enable it.