UbuntuUpdates.org

Package "busybox-initramfs"

Name: busybox-initramfs

Description:

Standalone shell setup for initramfs

Latest version: 1:1.27.2-2ubuntu3.4
Release: bionic (18.04)
Level: updates
Repository: main
Head package: busybox
Homepage: http://www.busybox.net

Links


Download "busybox-initramfs"


Other versions of "busybox-initramfs" in Bionic

Repository Area Version
base main 1:1.27.2-2ubuntu3
security main 1:1.27.2-2ubuntu3.4

Changelog

Version: 1:1.27.2-2ubuntu3.4 2021-12-07 15:07:23 UTC

  busybox (1:1.27.2-2ubuntu3.4) bionic-security; urgency=medium

  * SECURITY UPDATE: invalid free or segfault via gzip data
    - debian/patches/CVE-2021-28831.patch: fix DoS if gzip is corrupt in
      archival/libarchive/decompress_gunzip.c.
    - CVE-2021-28831
  * SECURITY UPDATE: OOB read in unlzma
    - debian/patches/CVE-2021-42374.patch: fix a case where we could read
      before beginning of buffer in archival/libarchive/decompress_unlzma.c.
    - CVE-2021-42374
  * SECURITY UPDATE: multiple security issues in awk
    - debian/patches/CVE-2021-423xx-awk.patch: backport awk.c from
      busybox 1.34.1.
    - CVE-2021-42378, CVE-2021-42379, CVE-2021-42380, CVE-2021-42381,
      CVE-2021-42382, CVE-2021-42384, CVE-2021-42385, CVE-2021-42386

 -- Marc Deslauriers <email address hidden> Wed, 24 Nov 2021 14:05:22 -0500

Source diff to previous version
CVE-2021-28831 decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentatio
CVE-2021-42374 An out-of-bounds heap read in Busybox's unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompres
CVE-2021-42378 A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i
CVE-2021-42379 A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_inp
CVE-2021-42380 A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar f
CVE-2021-42381 A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_ini
CVE-2021-42382 A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s
CVE-2021-42384 A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_s
CVE-2021-42385 A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate
CVE-2021-42386 A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc

Version: 1:1.27.2-2ubuntu3.3 2020-09-22 16:07:12 UTC

  busybox (1:1.27.2-2ubuntu3.3) bionic-security; urgency=medium

  * SECURITY UPDATE: missing ssl cert validation in wget applet
    - debian/patches/CVE-2018-1000500-pre1.patch: emit a message that
      certificate verification is not implemented in networking/wget.c.
    - debian/patches/CVE-2018-1000500-pre2.patch: print warning only once
      in networking/wget.c.
    - debian/patches/CVE-2018-1000500-1.patch: implement TLS verification
      with ENABLE_FEATURE_WGET_OPENSSL in networking/wget.c.
    - debian/patches/CVE-2018-1000500-2.patch: fix openssl options for cert
      verification in networking/wget.c.
    - CVE-2018-1000500

 -- Marc Deslauriers <email address hidden> Fri, 18 Sep 2020 10:26:16 -0400

Source diff to previous version
CVE-2018-1000500 Busybox contains a Missing SSL certificate validation vulnerability in The "busybox wget" applet that can result in arbitrary code execution. This at

Version: 1:1.27.2-2ubuntu3.2 2019-04-03 14:06:40 UTC

  busybox (1:1.27.2-2ubuntu3.2) bionic-security; urgency=medium

  * SECURITY UPDATE: buffer overflow in wget
    - debian/patches/CVE-2018-1000517.patch: check chunk length in
      networking/wget.c.
    - CVE-2018-1000517
  * SECURITY UPDATE: out-of-bounds read in udhcp
    - debian/patches/CVE-2018-20679.patch: check that 4-byte options are
      indeed 4-byte in networking/udhcp/common.*,
      networking/udhcp/dhcpc.c, networking/udhcp/dhcpd.c.
    - CVE-2018-20679
  * SECURITY UPDATE: incomplete fix for out-of-bounds read in udhcp
    - debian/patches/CVE-2019-5747.patch: when decoding DHCP_SUBNET, ensure
      it is 4 bytes long in networking/udhcp/common.*,
      networking/udhcp/dhcpc.c.
    - CVE-2019-5747

 -- Marc Deslauriers <email address hidden> Wed, 06 Mar 2019 15:51:41 -0500

Source diff to previous version
CVE-2018-1000517 BusyBox project BusyBox wget version prior to commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e contains a Buffer Overflow vulnerability in Busybox wge
CVE-2018-20679 An issue was discovered in BusyBox before 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP server, client, and relay) allows a
CVE-2019-5747 An issue was discovered in BusyBox through 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP server, client, and/or relay) migh

Version: 1:1.27.2-2ubuntu3.1 2019-03-06 14:07:06 UTC

  busybox (1:1.27.2-2ubuntu3.1) bionic; urgency=medium

  * Fix symlink handling (LP: #1753572)
    - debian/patches/CVE-2011-5325-2.patch: re-enable patch.
    - debian/patches/CVE-2011-5325-3.patch:postpone creation of symlinks
      with "suspicious" targets in archival/libarchive/data_extract_all.c,
      archival/libarchive/unsafe_symlink_target.c, archival/tar.c,
      include/bb_archive.h, testsuite/tar.tests.
    - debian/patches/CVE-2011-5325-4.patch: extract "unsafe" symlinks
      the same way tar/unzip does in archival/cpio.c.
    - debian/patches/CVE-2011-5325-5.patch: fix symlink creation in
      archival/libarchive/get_header_ar.c.

 -- Marc Deslauriers <email address hidden> Thu, 17 Jan 2019 13:16:38 -0500

1753572 cpio in Busybox 1.27 ingnores \
CVE-2011-5325 Directory traversal vulnerability in the BusyBox implementation of tar before 1.22.0 v5 allows remote attackers to point to files outside the current



About   -   Send Feedback to @ubuntu_updates