Bug 27734

Summary: busybox security vulnerability CVE-2018-1000500
Product: Mageia Reporter: Zombie Ryushu <zombie_ryushu>
Component: SecurityAssignee: Mageia Bug Squad <bugsquad>
Status: RESOLVED DUPLICATE QA Contact: Sec team <security>
Severity: normal    
Priority: Normal    
Version: 7   
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://nvd.nist.gov/vuln/detail/CVE-2018-1000500
Whiteboard:
Source RPM: busybox CVE: CVE-2019-5747
Status comment:

Description Zombie Ryushu 2020-12-04 10:24:05 CET 
Busybox contains a Missing SSL certificate validation vulnerability in The "busybox wget" applet that can result in arbitrary code execution. This attack appear to be exploitable via Simply download any file over HTTPS using "busybox wget https://compromised-domain.com/important-file".
Comment 1 Zombie Ryushu 2020-12-04 10:24:54 CET 
An issue was discovered in BusyBox through 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP server, client, and/or relay) might allow a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to assurance of a 4-byte length when decoding DHCP_SUBNET. NOTE: this issue exists because of an incomplete fix for CVE-2018-20679.

CVE: (none) => CVE-2019-5747

Comment 2 David Walser 2020-12-04 13:32:40 CET 
Already reported.

*** This bug has been marked as a duplicate of bug 27307 ***

Resolution: (none) => DUPLICATE
Status: NEW => RESOLVED