Bug 30246

Summary: busybox new security issue CVE-2022-28391
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, smelror, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: busybox-1.34.1-1.mga8.src.rpm CVE: CVE-2022-28391
Status comment:

Description David Walser 2022-04-05 17:14:11 CEST 
Alpine Linux has been granted a CVE for a security issue in busybox:
https://nvd.nist.gov/vuln/detail/CVE-2022-28391

Alpine is working on a cleaner patch to send upstream that does more refactoring of the DNS code and doesn't introduce a memory leak like the currently referenced patch(es).  Apparently the memory leak is only 128 bits and for only short lived process(es) so it's not a huge deal.  It may be a while to be addressed upstream, as the upstream maintainer is currently unavailable (apparently due to the situation in Ukraine and this was announced on the busybox mailing list).  This is a low-severity terminal sequence injection issue that you are unlikely to hit as long as you aren't using iTerm2.  This is all according to one of the Alpine maintainers.

Mageia 8 is also affected.
David Walser 2022-04-05 17:17:41 CEST

Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2022-04-05 19:32:20 CEST 
From David's comment, this is an update of temporary worth; but if it fixes a security hole, better than nothing pending a more refined patch from upstream.

Assigning this to Stig who has been the principle maintainer of 'busybox' for some time.

Assignee: bugsquad => smelror

Comment 2 Stig-Ørjan Smelror 2022-04-06 10:04:17 CEST 
Cauldron has been updated

Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)

Comment 3 Stig-Ørjan Smelror 2022-04-06 10:25:52 CEST 
Advisory
========

Busybox has been updated with 2 patches from Alpine Linux to fix CVE-2022-28391.

CVE-2022-28391: BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors.

References
==========

https://nvd.nist.gov/vuln/detail/CVE-2022-28391
https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661


Files
=====

Uploaded to core/updates_testing

busybox-static-1.34.1-1.1.mga8
busybox-1.34.1-1.1.mga8

from busybox-1.34.1-1.1.mga8.src.rpm

Source RPM: busybox-1.35.0-2.mga9.src.rpm => busybox-1.34.1-1.mga8.src.rpm
CVE: (none) => CVE-2022-28391
Assignee: smelror => qa-bugs

David Walser 2022-04-06 12:40:54 CEST

CC: (none) => smelror

Comment 4 Herman Viaene 2022-04-08 14:26:40 CEST 
MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues
Ref bug 29697 Comment 2 for testing:
$ busybox --list
[
[[
acpid
addgroup
adduser
adjtimex
ar
and so on .......

$ busybox pwd
/home/tester8/Documenten

$ cd /mnt/beelden/   this is accessing an NFS share
$ busybox ls
accessbasis     accessfinesses  Afbeeldingen    fotos           Huishouden      lost+found      RawORF          report.bug.xz   rietmach2       usbsticks       Xorg.0.log

$ cd ~/Documenten/

$ busybox more create-png.php
<?php
  header('Content-type: image/png');
  $png_image = imagecreate(150, 150);
  imagecolorallocate($png_image, 15, 142, 210);
  imagepng($png_image);
  $path_image = 'one.png';
  imagepng($png_image, $path_image);
  imagedestroy($png_image);
?> 

$ busybox ipaddr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp8s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel qlen 1000
    link/ether f0:76:1c:ed:de:00 brd ff:ff:ff:ff:ff:ff
3: wlp9s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue qlen 1000
    link/ether b4:6d:83:0d:0c:14 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.5/24 brd 192.168.2.255 scope global wlp9s0
       valid_lft forever preferred_lft forever
    inet6 fe80::b66d:83ff:fe0d:c14/64 scope link 
       valid_lft forever preferred_lft forever

$ busybox lsmod | grep iwlwifi
iwlwifi 352256 1 iwlmvm, Live 0x0000000000000000
cfg80211 1032192 3 iwlmvm,mac80211,iwlwifi, Live 0x0000000000000000
This looks all OK.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 5 Thomas Andrews 2022-04-09 00:18:54 CEST 
Validating. Advisory in Comment 3.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-04-09 19:58:20 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 6 Mageia Robot 2022-04-09 23:21:54 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0135.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED