Bug 28995

Summary: busybox new security issue CVE-2021-28831
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, nicolas.salguero, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7TOO MGA7-64-OK MGA8-64-OK
Source RPM: busybox-1.32.1-1.mga8.src.rpm CVE:
Status comment:

Description David Walser 2021-05-28 22:46:16 CEST 
Debian-LTS has issued an advisory on April 1:
https://www.debian.org/lts/security/2021/dla-2614

Mageia 7 is also affected.
David Walser 2021-05-28 22:47:01 CEST

CC: (none) => nicolas.salguero
QA Contact: (none) => security
Whiteboard: (none) => MGA7TOO
Component: RPM Packages => Security
Status comment: (none) => Patch available from upstream

Comment 1 David Walser 2021-05-29 20:26:29 CEST 
Fedora has issued an advisory for this on March 27:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZASBW7QRRLY5V2R44MQ4QQM4CZIDHM2U/
Comment 2 Lewis Smith 2021-05-29 21:44:12 CEST 
Assigning initially to Stig who has updated this a couple of times recently; please re-assign it if you wish (NicolasS is already CC'd).

Assignee: bugsquad => smelror

Comment 3 David Walser 2021-06-28 19:19:27 CEST 
Advisory:
========================

Updated busybox packages fix security vulnerability:

decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the
huft_build result pointer, with a resultant invalid free or segmentation fault,
via malformed gzip data (CVE-2021-28831).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28831
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZASBW7QRRLY5V2R44MQ4QQM4CZIDHM2U/
========================

Updated packages in core/updates_testing:
========================
busybox-1.30.1-1.2.mga7
busybox-static-1.30.1-1.2.mga7
busybox-1.32.1-1.1.mga8
busybox-static-1.32.1-1.1.mga8

from SRPMS:
busybox-1.30.1-1.2.mga7.src.rpm
busybox-1.32.1-1.1.mga8.src.rpm

Assignee: smelror => qa-bugs
Status comment: Patch available from upstream => (none)

Comment 4 Thomas Andrews 2021-07-01 03:39:43 CEST 
Installed in mga7 without issues. 

Made a feeble attempt to trigger the problem before updating, by using "busybox gunzip -c [text file]" but the file was extracted and sent to the terminal window without incident. Same thing after the update, but the command appeared to work properly.

Tried a few more commands; all seemed to work as they should. This looks OK for mga7.

CC: (none) => andrewsfarm
Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK

Comment 5 Thomas Andrews 2021-07-01 03:57:22 CEST 
Same tests in mga8, with the same results. OK for mga 8. Validating. Advisory in comment 3.

Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Thomas Backlund 2021-07-04 02:33:51 CEST

Keywords: (none) => advisory

Comment 6 Mageia Robot 2021-07-04 04:15:15 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0310.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED