Message ID | 20211214121608.3309-1-peter@korsgaard.com |
---|---|
State | Accepted |
Headers | show |
Series | [PATCH-2021.02.x] package/busybox: security bump to version 1.33.2 | expand |
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes: > Fixes the following vulnerabilities: > - CVE-2021-42374: An out-of-bounds heap read in Busybox's unlzma applet > leads to information leak and denial of service when crafted > LZMA-compressed input is decompressed > - CVE-2021-42375: An incorrect handling of a special element in Busybox's > ash applet leads to denial of service when processing a crafted shell > command, due to the shell mistaking specific characters for reserved > characters. This may be used for DoS under rare conditions of filtered > command input > - CVE-2021-42376: A NULL pointer dereference in Busybox's hush applet leads > to denial of service when processing a crafted shell command, due to > missing validation after a \x03 delimiter character. This may be used for > DoS under very rare conditions of filtered command input. > - CVE-2021-42377: An attacker-controlled pointer free in Busybox's hush > applet leads to denial of service and possible code execution when > processing a crafted shell command, due to the shell mishandling the &&& > string. This may be used for remote code execution under rare conditions > of filtered command input. > For details, see: > https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/ > Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Committed to 2021.02.x, thanks.
diff --git a/package/busybox/busybox.hash b/package/busybox/busybox.hash index 3e9c30cad0..354db4bc5b 100644 --- a/package/busybox/busybox.hash +++ b/package/busybox/busybox.hash @@ -1,5 +1,5 @@ # From https://busybox.net/downloads/busybox-1.33.1.tar.bz2.sha256 -sha256 12cec6bd2b16d8a9446dd16130f2b92982f1819f6e1c5f5887b6db03f5660d28 busybox-1.33.1.tar.bz2 +sha256 6843ba7977081e735fa0fdb05893e3c002c8c5ad7c9c80da206e603cc0ac47e7 busybox-1.33.2.tar.bz2 # Locally computed sha256 bbfc9843646d483c334664f651c208b9839626891d8f17604db2146962f43548 LICENSE sha256 b5a136ed67798e51fe2e0ca0b2a21cb01b904ff0c9f7d563a6292e276607e58f archival/libarchive/bz/LICENSE diff --git a/package/busybox/busybox.mk b/package/busybox/busybox.mk index 413939e28d..101b37c5ec 100644 --- a/package/busybox/busybox.mk +++ b/package/busybox/busybox.mk @@ -4,7 +4,7 @@ # ################################################################################ -BUSYBOX_VERSION = 1.33.1 +BUSYBOX_VERSION = 1.33.2 BUSYBOX_SITE = https://www.busybox.net/downloads BUSYBOX_SOURCE = busybox-$(BUSYBOX_VERSION).tar.bz2 BUSYBOX_LICENSE = GPL-2.0, bzip2-1.0.4
Fixes the following vulnerabilities: - CVE-2021-42374: An out-of-bounds heap read in Busybox's unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed - CVE-2021-42375: An incorrect handling of a special element in Busybox's ash applet leads to denial of service when processing a crafted shell command, due to the shell mistaking specific characters for reserved characters. This may be used for DoS under rare conditions of filtered command input - CVE-2021-42376: A NULL pointer dereference in Busybox's hush applet leads to denial of service when processing a crafted shell command, due to missing validation after a \x03 delimiter character. This may be used for DoS under very rare conditions of filtered command input. - CVE-2021-42377: An attacker-controlled pointer free in Busybox's hush applet leads to denial of service and possible code execution when processing a crafted shell command, due to the shell mishandling the &&& string. This may be used for remote code execution under rare conditions of filtered command input. For details, see: https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/ Signed-off-by: Peter Korsgaard <peter@korsgaard.com> --- package/busybox/busybox.hash | 2 +- package/busybox/busybox.mk | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)