Bug 23367 - busybox new security issue CVE-2015-9261
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-07-29 19:38 CEST by David Walser
Modified: 2018-10-26 20:48 CEST

See Also:
Source RPM: busybox-1.24.2-2.mga6.src.rpm
CVE:
Status comment:



Description David Walser 2018-07-29 19:38:45 CEST
A security issue announced three years ago got a CVE assigned:
http://openwall.com/lists/oss-security/2018/07/26/5

I don't know if it was ever fixed.
David Walser 2018-07-29 19:39:01 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-07-31 15:19:40 CEST
Assigning to the registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => shlomif

Comment 2 Bruno Cornec 2018-10-11 01:22:58 CEST
Seems it is CVE-2015-9261 and has been fixed in https://git.busybox.net/busybox/commit/?id=1de25a6e87e0e627aa34298105a3d17c60a1f44e in Oct. 2015

From git it seems to be fixed since 1.25.0

git tag --contains 1de25a6e87e0e627aa34298105a3d17c60a1f44e | head -1
1_25_0

So I think we can close that BR

CC: (none) => bruno
Resolution: (none) => INVALID
Status: NEW => RESOLVED

Comment 3 David Walser 2018-10-12 01:06:43 CEST
Then it's not invalid for Mageia 6.

Source RPM: busybox-1.28.4-1.mga7.src.rpm => busybox-1.24.2-2.mga6.src.rpm
Status: RESOLVED => REOPENED
Version: Cauldron => 6
Resolution: INVALID => (none)
Whiteboard: MGA6TOO => (none)
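
The version triage worked out in Comments 2 and 3, as an added shell example (not part of the original bug report or of BusyBox). It assumes a plain comparison against the first fixed upstream tag, 1_25_0, so it cannot see a fix backported by a distribution patch; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify BusyBox version strings against the first upstream
# tag that contains the CVE-2015-9261 fix (1_25_0, per Comment 2).
# Assumption: version comparison only; distro backports are not detected.
FIRST_FIXED="1.25.0"

# Extract "X.Y.Z" from a package or SRPM name, a git tag such as 1_25_0,
# or a BusyBox banner line. Prints nothing if no three-part version is found.
bb_upstream_version() {
    printf '%s\n' "$1" | tr '_' '.' |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Return 0 if version $1 >= version $2 (three numeric components each).
bb_version_ge() {
    old_ifs=$IFS; IFS=.
    set -- $1 $2            # split both versions into $1..$6
    IFS=$old_ifs
    [ "$1" -gt "$4" ] && return 0; [ "$1" -lt "$4" ] && return 1
    [ "$2" -gt "$5" ] && return 0; [ "$2" -lt "$5" ] && return 1
    [ "$3" -ge "$6" ]
}

# Print "fixed", "affected" or "unknown" for one version-bearing string.
bb_cve_2015_9261_status() {
    v=$(bb_upstream_version "$1")
    if [ -z "$v" ]; then
        echo unknown
    elif bb_version_ge "$v" "$FIRST_FIXED"; then
        echo fixed
    else
        echo affected
    fi
}

# Package names and the tag as they appear in this bug report.
for s in busybox-1.24.2-2.mga6.src.rpm busybox-1.28.4-1.mga7.src.rpm \
         busybox-1.25.1-1.1.mga6 1_25_0; do
    printf '%-32s %s\n' "$s" "$(bb_cve_2015_9261_status "$s")"
done
```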

Comment 4 Bruno Cornec 2018-10-13 01:09:39 CEST
Right! Thanks for the check.

So I've now pushed busybox 1.25.1 to core/updates_testing

Interestingly enough I was able to keep 2 patches for CVE-2014-9645 & CVE-2016-6301 without conflict, meaning that contrary to what the date suggests some older fixes were not included.

Target Milestone: --- => Mageia 6
Assignee: shlomif => qa-bugs

Comment 5 David Walser 2018-10-13 05:03:05 CEST
Advisory:
========================

Updated busybox packages fix security vulnerability:

Unzipping a specially crafted zip file results in a computation of an invalid
pointer and a crash reading an invalid address (CVE-2015-9261).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9261
https://www.openwall.com/lists/oss-security/2018/07/26/5
========================

Updated packages in core/updates_testing:
========================
busybox-1.25.1-1.1.mga6
busybox-static-1.25.1-1.1.mga6

from busybox-1.25.1-1.1.mga6.src.rpm

Target Milestone: Mageia 6 => ---

Comment 6 Len Lawrence 2018-10-19 18:40:07 CEST
Mageia 6, x86_64

CVE-2015-9261
https://www.openwall.com/lists/oss-security/2018/07/26/5

Before update:
$ busybox unzip x_6170921383890712452.bin
Archive:  x_6170921383890712452.bin
  inflating: ]3j½r«IK-%Ix
unzip: corrupted data
unzip: inflate error
$ ls
']3j½r«I'$'\033\022''K-%Ix'  '#report.23367#'  x_6170921383890712452.bin

After update:
$ busybox unzip x_6170921383890712452.bin
Archive:  x_6170921383890712452.bin
replace ]3j½r«IK-%Ix? [y]es, [n]o, [A]ll, [N]one, [r]ename: n
unzip: invalid zip magic 35143A36

Note that busybox.static gives the same result.

CC: (none) => tarazed25

Comment 7 Len Lawrence 2018-10-19 20:12:08 CEST
Mageia 6, x86_64

CVE-2015-9261
https://www.openwall.com/lists/oss-security/2018/07/26/5

Before update:
$ busybox unzip x_6170921383890712452.bin
Archive:  x_6170921383890712452.bin
  inflating: ]3j½r«IK-%Ix
unzip: corrupted data
unzip: inflate error
$ ls
']3j½r«I'$'\033\022''K-%Ix'  '#report.23367#'  x_6170921383890712452.bin

After update:
$ busybox unzip x_6170921383890712452.bin
Archive:  x_6170921383890712452.bin
replace ]3j½r«IK-%Ix? [y]es, [n]o, [A]ll, [N]one, [r]ename: n
unzip: invalid zip magic 35143A36

Note that busybox.static gives the same result.

BusyBox is an application which provides many of the common functions of a Unix system.  It makes it easier to install the Unix tools on embedded systems and the like where a smaller footprint is an advantage, smaller than GNU that is.

Sample:
$ busybox --list
addgroup, adduser, adjtimex
base64, beep, blkid, blockdev
cat, chmod, chown, cp, crontab
date, dd, diff, dmesg

and so on, so testing this involves picking a small selection of shell commands and running the busybox equivalents and remember to include the  

$ busybox date
Fri Oct 19 18:32:33 BST 2018
$ busybox dmesg > whatsgonewrongnow
$ busybox ipaddr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel qlen 1000
    link/ether d8:cb:8a:52:52:b4 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.103/24 brd 192.168.1.255 scope global enp3s0
       valid_lft forever preferred_lft forever
    inet6 fe80::dacb:8aff:fe52:52b4/64 scope link 
       valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue 
    link/ether 02:42:2e:b9:c5:53 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:2eff:feb9:c553/64 scope link 
       valid_lft forever preferred_lft forever

$ busybox lsmod | grep em28
em28xx 94208 0 - Live 0xffffffffc1ce0000
tveeprom 24576 1 em28xx, Live 0xffffffffc1cd9000
v4l2_common 16384 1 em28xx, Live 0xffffffffc1c92000
media 45056 2 em28xx,videodev, Live 0xffffffffc1c86000
usbcore 286720 8 em28xx,usbhid,uas,usb_storage,xhci_pci,xhci_hcd,ehci_pci,ehci_hcd, Live 0xffffffffc0296000

That seems to show that busybox can give users access to privileged commands.

Show kernel parameter values:
$ busybox sysctl -a
[...]
vm.stat_interval = 1
vm.swappiness = 60
vm.user_reserve_kbytes = 131072
vm.vfs_cache_pressure = 100
vm.watermark_scale_factor = 10
vm.zone_reclaim_mode = 0

unzip is the subject of the CVE so try that on a normal archive.
$ busybox unzip gliese3.zip
Archive:  gliese3.zip
  inflating: GLIESE3.DAT
  inflating: GLIESE3.DOC

Looks like it is OK for 64-bits.

Whiteboard: (none) => MGA6-64-OK

Comment 8 Len Lawrence 2018-10-19 20:13:38 CEST
Sorry about the unintended repeat in comment #7.
Comment 9 Thomas Andrews 2018-10-26 00:48:06 CEST
Validating. Advisory in Comment 5.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2018-10-26 15:48:21 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 10 Mageia Robot 2018-10-26 20:48:17 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0413.html

Resolution: (none) => FIXED
Status: REOPENED => RESOLVED

