Bug 27307

Summary: busybox new security issue CVE-2018-1000500
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: andrewsfarm, mageia, nicolas.salguero, ouaurelien, sysadmin-bugs, zombie_ryushu
Version: 7
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA7-64-OK
Source RPM: busybox-1.30.1-1.mga7.src.rpm
CVE: CVE-2018-1000500
Status comment:

Description David Walser 2020-09-22 20:35:41 CEST
Ubuntu has issued an advisory today (September 22):
https://ubuntu.com/security/notices/USN-4531-1

The issue is fixed upstream in 1.32.0.
Comment 1 Lewis Smith 2020-09-22 21:14:43 CEST
Assigning this to you, Stig, as the principal recent committer of this SRPM.

Assignee: bugsquad => smelror

Comment 2 Stig-Ørjan Smelror 2020-09-22 21:52:21 CEST
Thanks Lewis. This package belongs to Shlomi. Assigning to him as I do not have the time to take care of this at the moment.

Assignee: smelror => shlomif

Comment 3 David Walser 2020-12-04 13:32:40 CET
*** Bug 27734 has been marked as a duplicate of this bug. ***

CC: (none) => zombie_ryushu

David Walser 2020-12-27 23:47:46 CET

Assignee: shlomif => pkg-bugs

David Walser 2020-12-28 18:59:31 CET

Status comment: (none) => Patch available from Ubuntu

Comment 4 Nicolas Salguero 2020-12-29 14:02:25 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

BusyBox contains a missing SSL certificate validation vulnerability in the "busybox wget" applet that can result in arbitrary code execution. This attack appears to be exploitable by simply downloading any file over HTTPS using "busybox wget https://compromised-domain.com/important-file". (CVE-2018-1000500)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000500
https://ubuntu.com/security/notices/USN-4531-1
========================

Updated packages in core/updates_testing:
========================
busybox-1.30.1-1.1.mga7
busybox-static-1.30.1-1.1.mga7

from SRPM:
busybox-1.30.1-1.1.mga7.src.rpm

Status comment: Patch available from Ubuntu => (none)
CC: (none) => nicolas.salguero
CVE: (none) => CVE-2018-1000500
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs

Comment 5 PC LX 2021-01-06 16:00:52 CET
Installed and tested without issues.

Tested a bunch of busybox commands (applets as called in busybox), including wget. Tested both dynamic and static busybox packages. No issues noticed.

System: Mageia 7, x86_64, Intel CPU.

$ uname -a
Linux marte 5.7.19-desktop-3.mga7 #1 SMP Sun Oct 18 15:46:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep busybox
busybox-1.30.1-1.1.mga7
busybox-static-1.30.1-1.1.mga7

CC: (none) => mageia
Whiteboard: (none) => MGA7-64-OK

Comment 6 Thomas Andrews 2021-01-07 21:59:07 CET
Validating. Advisory in Comment 4.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 7 Aurelien Oudelet 2021-01-08 14:32:46 CET
Advisory pushed to SVN.

Keywords: (none) => advisory
CC: (none) => ouaurelien

Comment 8 Mageia Robot 2021-01-08 16:36:07 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0009.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED