Bug 29697

Summary: busybox new security issues CVE-2021-4237[6-9] and CVE-2021-4238[0-6]
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, nicolas.salguero, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: busybox-1.32.1-1.1.mga8.src.rpm CVE:
Status comment:

Description David Walser 2021-11-25 15:08:33 CET 
Fedora has issued an advisory today (November 25):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/

The issues are fixed upstream in 1.34.0.
David Walser 2021-11-25 15:08:49 CET

Status comment: (none) => Fixed upstream in 1.34.0
CC: (none) => nicolas.salguero

Comment 1 Nicolas Salguero 2021-11-25 17:00:28 CET 
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

A NULL pointer dereference in Busybox's hush applet leads to denial of service when processing a crafted shell command, due to missing validation after a \x03 delimiter character. This may be used for DoS under very rare conditions of filtered command input. (CVE-2021-42376)

An attacker-controlled pointer free in Busybox's hush applet leads to denial of service and possible code execution when processing a crafted shell command, due to the shell mishandling the &&& string. This may be used for remote code execution under rare conditions of filtered command input. (CVE-2021-42377)

A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function. (CVE-2021-42378)

A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file function. (CVE-2021-42379)

A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function. (CVE-2021-42380)

A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init function. (CVE-2021-42381)

A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s function. (CVE-2021-42382)

A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function. (CVE-2021-42383)

A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function. (CVE-2021-42384)

A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function. (CVE-2021-42385)

A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function. (CVE-2021-42386)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42376
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42377
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42378
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42379
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42380
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42381
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42382
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42383
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42384
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42385
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42386
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/
========================

Updated packages in core/updates_testing:
========================
busybox-1.34.1-1.mga8
busybox-static-1.34.1-1.mga8

from SRPM:
busybox-1.34.1-1.mga8.src.rpm

Status comment: Fixed upstream in 1.34.0 => (none)
Assignee: bugsquad => qa-bugs
Status: NEW => ASSIGNED

Comment 2 Herman Viaene 2021-11-27 20:57:52 CET 
MGA8-64 Plasma on Lenovo B50
No installation issues
Ref bug 23367 Comment 7
$ busybox --list
[
[[
acpid
addgroup
adduser
adjtimex
ar
arch
etc ......
$ busybox pwd
/home/tester8/Documenten
[tester8@mach5 Documenten]$ busybox ls
bugs               cryptest_v         libcairo.txt       libzapojit.txt     mirror.readme      plib.txt           SOFTWARE           tutorialredis.txt  win10reg           ziekenhuis
Charts             jetty              libtinyxml.txt     main.js            php                qtwebengin.txt     thumbnail.py       volkstuintjes      wiresh
[tester8@mach5 Documenten]$ busybox cd php
cd: applet not found
Indeed, cd was not in the list mentioned above......
[tester8@mach5 Documenten]$ cd php
[tester8@mach5 php]$ busybox ls
create-png.php  one.png         sample.php
[tester8@mach5 php]$ busybox more create-png.php
<?php
  header('Content-type: image/png');
  $png_image = imagecreate(150, 150);
  imagecolorallocate($png_image, 15, 142, 210);
  imagepng($png_image);
  $path_image = 'one.png';
  imagepng($png_image, $path_image);
  imagedestroy($png_image);
?>
[tester8@mach5 php]$  busybox ipaddr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp8s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel qlen 1000
    link/ether f0:76:1c:ed:de:00 brd ff:ff:ff:ff:ff:ff
3: wlp9s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue qlen 1000
    link/ether b4:6d:83:0d:0c:14 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.5/24 brd 192.168.2.255 scope global wlp9s0
       valid_lft forever preferred_lft forever
    inet6 fe80::b66d:83ff:fe0d:c14/64 scope link 
       valid_lft forever preferred_lft forever
[tester8@mach5 php]$ busybox lsmod | grep iwlwifi
iwlwifi 348160 1 iwlmvm, Live 0x0000000000000000
cfg80211 1032192 3 iwlmvm,mac80211,iwlwifi, Live 0x0000000000000000

Seems to work OK, it's strange to me that the cd command is not there.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 3 Thomas Andrews 2021-11-28 16:14:20 CET 
After doing a bit of reading it sounded strange to me too, Herman. But then I looked at the documentation at https://www.busybox.net/downloads/BusyBox.html and while there are a host of available commands, cd isn't one of them.

Validating. Advisory in Comment 1.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2021-12-01 22:33:37 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 4 Mageia Robot 2021-12-02 17:50:47 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0533.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED