A security issue announced three years ago got a CVE assigned:
http://openwall.com/lists/oss-security/2018/07/26/5

I don't know if it was ever fixed.
Whiteboard: (none) => MGA6TOO
Assigning to the registered maintainer.
CC: (none) => marja11
Assignee: bugsquad => shlomif
Seems it is CVE-2015-9261 and has been fixed in https://git.busybox.net/busybox/commit/?id=1de25a6e87e0e627aa34298105a3d17c60a1f44e in Oct. 2015.

From git it seems to be fixed since 1.25.0:

    git tag --contains 1de25a6e87e0e627aa34298105a3d17c60a1f44e | head -1
    1_25_0

So I think we can close that BR.
CC: (none) => bruno
Resolution: (none) => INVALID
Status: NEW => RESOLVED
Then it's not invalid for Mageia 6.
Source RPM: busybox-1.28.4-1.mga7.src.rpm => busybox-1.24.2-2.mga6.src.rpm
Status: RESOLVED => REOPENED
Version: Cauldron => 6
Resolution: INVALID => (none)
Whiteboard: MGA6TOO => (none)
Right! Thanks for the check. So I've now pushed busybox 1.25.1 to core/updates_testing.

Interestingly enough, I was able to keep 2 patches for CVE-2014-9645 & CVE-2016-6301 without conflict, meaning that, contrary to what the date suggests, some older fixes were not included.
Target Milestone: --- => Mageia 6
Assignee: shlomif => qa-bugs
Advisory:
========================

Updated busybox packages fix security vulnerability:

Unzipping a specially crafted zip file results in a computation of an invalid pointer and a crash reading an invalid address (CVE-2015-9261).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9261
https://www.openwall.com/lists/oss-security/2018/07/26/5
========================

Updated packages in core/updates_testing:
========================
busybox-1.25.1-1.1.mga6
busybox-static-1.25.1-1.1.mga6

from busybox-1.25.1-1.1.mga6.src.rpm
Target Milestone: Mageia 6 => ---
Mageia 6, x86_64

CVE-2015-9261
https://www.openwall.com/lists/oss-security/2018/07/26/5

Before update:
$ busybox unzip x_6170921383890712452.bin
Archive:  x_6170921383890712452.bin
  inflating: ]3j½r«IK-%Ix
unzip: corrupted data
unzip: inflate error
$ ls
']3j½r«I'$'\033\022''K-%Ix'  '#report.23367#'  x_6170921383890712452.bin

After update:
$ busybox unzip x_6170921383890712452.bin
Archive:  x_6170921383890712452.bin
replace ]3j½r«IK-%Ix? [y]es, [n]o, [A]ll, [N]one, [r]ename: n
unzip: invalid zip magic 35143A36

Note that busybox.static gives the same result.
CC: (none) => tarazed25
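Added example (not part of the bug thread and not BusyBox code): a Python sketch that walks a zip file's local headers front to back and reports the first bad signature in the same "invalid zip magic" format that appears in the test output above. The sequential-walk strategy, the function names and the two-entry sample archive are assumptions constructed for illustration.

```python
import io
import struct
import zipfile

LOCAL_HDR = 0x04034B50    # "PK\x03\x04"
CENTRAL_DIR = 0x02014B50  # "PK\x01\x02"
END_CENTRAL = 0x06054B50  # "PK\x05\x06"
FLAG_DATA_DESCRIPTOR = 0x0008  # sizes stored after the data, not in the header


def walk_local_headers(data: bytes):
    """Walk entries front to back; return (names, error). error is None on success."""
    names, off = [], 0
    while True:
        if off + 4 > len(data):
            return names, "truncated before central directory"
        (magic,) = struct.unpack_from("<I", data, off)  # little-endian signature
        if magic in (CENTRAL_DIR, END_CENTRAL):
            return names, None  # every local entry was well-formed
        if magic != LOCAL_HDR:
            return names, "invalid zip magic %08X" % magic
        if off + 30 > len(data):
            return names, "truncated local header"
        (_ver, flags, _method, _time, _date, _crc, csize, _usize,
         nlen, xlen) = struct.unpack_from("<HHHHHIIIHH", data, off + 4)
        if flags & FLAG_DATA_DESCRIPTOR:
            return names, "sizes deferred to data descriptor"
        body = off + 30 + nlen + xlen
        if body + csize > len(data):  # header lengths are untrusted input
            return names, "entry overruns end of file"
        names.append(data[off + 30:off + 30 + nlen].decode("cp437"))
        off = body + csize


def build_sample() -> bytes:
    """Constructed two-entry archive (stored, no compression)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("a.txt", b"first")
        zf.writestr("b.txt", b"second")
    return buf.getvalue()


def corrupt_second_header(data: bytes) -> bytes:
    """Overwrite the second entry's signature with constructed garbage bytes."""
    second = 30 + len("a.txt") + len(b"first")
    return data[:second] + bytes.fromhex("363A1435") + data[second + 4:]
```

Running `walk_local_headers(corrupt_second_header(build_sample()))` stops after the first entry with a clean error string rather than trusting whatever follows the bad signature.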
Mageia 6, x86_64

CVE-2015-9261
https://www.openwall.com/lists/oss-security/2018/07/26/5

Before update:
$ busybox unzip x_6170921383890712452.bin
Archive:  x_6170921383890712452.bin
  inflating: ]3j½r«IK-%Ix
unzip: corrupted data
unzip: inflate error
$ ls
']3j½r«I'$'\033\022''K-%Ix'  '#report.23367#'  x_6170921383890712452.bin

After update:
$ busybox unzip x_6170921383890712452.bin
Archive:  x_6170921383890712452.bin
replace ]3j½r«IK-%Ix? [y]es, [n]o, [A]ll, [N]one, [r]ename: n
unzip: invalid zip magic 35143A36

Note that busybox.static gives the same result.

BusyBox is an application which provides many of the common functions of a Unix system. It makes it easier to install the Unix tools on embedded systems and the like where a smaller footprint is an advantage, smaller than GNU that is.

Sample:
$ busybox --list
addgroup, adduser, adjtimex
base64, beep, blkid, blockdev
cat, chmod, chown, cp, crontab
date, dd, diff, dmesg
and so on, so testing this involves picking a small selection of shell commands and running the busybox equivalents and remember to include the

$ busybox date
Fri Oct 19 18:32:33 BST 2018
$ busybox dmesg > whatsgonewrongnow
$ busybox ipaddr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel qlen 1000
    link/ether d8:cb:8a:52:52:b4 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.103/24 brd 192.168.1.255 scope global enp3s0
       valid_lft forever preferred_lft forever
    inet6 fe80::dacb:8aff:fe52:52b4/64 scope link
       valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
    link/ether 02:42:2e:b9:c5:53 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:2eff:feb9:c553/64 scope link
       valid_lft forever preferred_lft forever
$ busybox lsmod | grep em28
em28xx 94208 0 - Live 0xffffffffc1ce0000
tveeprom 24576 1 em28xx, Live 0xffffffffc1cd9000
v4l2_common 16384 1 em28xx, Live 0xffffffffc1c92000
media 45056 2 em28xx,videodev, Live 0xffffffffc1c86000
usbcore 286720 8 em28xx,usbhid,uas,usb_storage,xhci_pci,xhci_hcd,ehci_pci,ehci_hcd, Live 0xffffffffc0296000

That seems to show that busybox can give users access to privileged commands.

Show kernel parameter values:
$ busybox sysctl -a
[...]
vm.stat_interval = 1
vm.swappiness = 60
vm.user_reserve_kbytes = 131072
vm.vfs_cache_pressure = 100
vm.watermark_scale_factor = 10
vm.zone_reclaim_mode = 0

unzip is the subject of the CVE so try that on a normal archive.
$ busybox unzip gliese3.zip
Archive:  gliese3.zip
  inflating: GLIESE3.DAT
  inflating: GLIESE3.DOC

Looks like it is OK for 64-bits.
Whiteboard: (none) => MGA6-64-OK
Sorry about the unintended repeat in comment #7.
Validating. Advisory in Comment 5.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0413.html
Resolution: (none) => FIXED
Status: REOPENED => RESOLVED