Bug 17071

Summary: busybox new DoS issue in unzip command and udhcp issues CVE-2016-214[78]
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: David Walser <luigiwalser>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: minor    
Priority: Normal    
Version: 5   
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/662784/
Whiteboard:
Source RPM: busybox-1.22.1-5.mga5.src.rpm CVE:
Status comment:
Bug Depends on: 19128    
Bug Blocks:    

Description David Walser 2015-11-02 21:18:13 CET 
An issue fixed upstream in busybox was posted to oss-security on October 25:
http://seclists.org/oss-sec/2015/q4/158

MITRE declined to assign a CVE for now:
http://openwall.com/lists/oss-security/2015/10/29/2

Debian-LTS has issued an advisory for this on October 31:
http://lwn.net/Alerts/662740/

I've already included the patch in Cauldron and it's checked into Mageia 5 SVN.  Any future update will include this fix.

Reproducible: 

Steps to Reproduce:
Comment 1 Samuel Verschelde 2016-02-23 15:00:57 CET 
Assigning to yourself David, since you've already patched the package for this issue.

Assignee: bugsquad => luigiwalser

Comment 2 David Walser 2016-03-14 17:24:33 CET 
Two more busybox fixes were posted to oss-security on March 11:
http://openwall.com/lists/oss-security/2016/03/11/16

They are CVE-2016-2147 and CVE-2016-2148.  They don't sound very serious either.  Fixed in Cauldron and patched in Mageia 5 SVN.

Summary: busybox new DoS issue in unzip command => busybox new DoS issue in unzip command and udhcp issues CVE-2016-214[78]

David Walser 2016-08-11 22:53:54 CEST

Depends on: (none) => 19128

Comment 3 David Walser 2016-08-11 22:54:21 CEST 
Fixes included in the Bug 19128 update.
Comment 4 David Walser 2016-08-11 23:39:30 CEST 
Marking as FIXED.

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 5 David Walser 2016-12-05 20:24:22 CET 
LWN reference for CVE-2016-214[78]:
https://lwn.net/Vulnerabilities/708152/