Bug 27307 - busybox new security issue CVE-2018-1000500
Summary: busybox new security issue CVE-2018-1000500
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Duplicates: 27734
Depends on:
Blocks:
 
Reported: 2020-09-22 20:35 CEST by David Walser
Modified: 2021-01-08 16:36 CET (History)

See Also:
Source RPM: busybox-1.30.1-1.mga7.src.rpm
CVE: CVE-2018-1000500
Status comment:



Description David Walser 2020-09-22 20:35:41 CEST
Ubuntu has issued an advisory today (September 22):
https://ubuntu.com/security/notices/USN-4531-1

The issue is fixed upstream in 1.32.0.
Comment 1 Lewis Smith 2020-09-22 21:14:43 CEST
Assigning this to you, Stig, as the principal recent committer of this SRPM.

Assignee: bugsquad => smelror

Comment 2 Stig-Ørjan Smelror 2020-09-22 21:52:21 CEST
Thanks Lewis. This package belongs to Shlomi. Assigning to him as I do not have the time to take care of this at the moment.

Assignee: smelror => shlomif

Comment 3 David Walser 2020-12-04 13:32:40 CET
*** Bug 27734 has been marked as a duplicate of this bug. ***

CC: (none) => zombie_ryushu

David Walser 2020-12-27 23:47:46 CET

Assignee: shlomif => pkg-bugs

David Walser 2020-12-28 18:59:31 CET

Status comment: (none) => Patch available from Ubuntu

Comment 4 Nicolas Salguero 2020-12-29 14:02:25 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Busybox contains a missing SSL certificate validation vulnerability in the "busybox wget" applet that can result in arbitrary code execution. This attack appears to be exploitable by simply downloading any file over HTTPS using "busybox wget https://compromised-domain.com/important-file". (CVE-2018-1000500)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000500
https://ubuntu.com/security/notices/USN-4531-1
========================

Updated packages in core/updates_testing:
========================
busybox-1.30.1-1.1.mga7
busybox-static-1.30.1-1.1.mga7

from SRPM:
busybox-1.30.1-1.1.mga7.src.rpm

Status comment: Patch available from Ubuntu => (none)
CC: (none) => nicolas.salguero
CVE: (none) => CVE-2018-1000500
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
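The advisory above describes the defect as wget fetching over HTTPS without validating the server's certificate. The script below is an added verification probe, not part of this bug report, of the Mageia packaging, or of the busybox source: it generates a throwaway self-signed certificate, serves it with `openssl s_server`, and checks whether a given busybox binary's wget fetches from that server by default. It assumes openssl(1) is installed, that port 14433 is free, and that a patched wget accepts `--no-check-certificate` (the opt-out option busybox added alongside certificate checking); the binary path, port and verdict names are the example's own choices. When the fetch fails both with and without the opt-out (no HTTPS support in the build, or the server did not start) the probe reports "inconclusive" rather than guessing.

```sh
#!/bin/sh
# Added probe, not part of the Mageia bug or the busybox source: does this
# busybox wget refuse an untrusted (self-signed) server certificate by default?
# Assumes openssl(1) is available for the throwaway server and that a patched
# wget accepts --no-check-certificate. An unpatched build that rejects the
# option but fetches by default is still classified correctly as vulnerable.
#
# Exit status of check_wget_tls_verification:
#   0 = wget verified the certificate (default fetch failed, opt-out worked)
#   1 = wget accepted the self-signed certificate (CVE-2018-1000500 behaviour)
#   2 = prerequisites missing (busybox or openssl not found)
#   3 = inconclusive (server did not start, or wget has no HTTPS support)

# Map the two probe outcomes to a verdict. Arguments: the exit status of the
# default fetch and of the fetch with --no-check-certificate.
classify_wget_probe() {
    plain=$1
    nocheck=$2
    if [ "$plain" -eq 0 ]; then
        echo vulnerable        # default fetch succeeded against a bad cert
        return 1
    fi
    if [ "$nocheck" -eq 0 ]; then
        echo verifies          # only the explicit opt-out got through
        return 0
    fi
    echo inconclusive          # neither worked: no TLS support, or no server
    return 3
}

# Probe a busybox binary ($1, default "busybox") against a local HTTPS server
# that presents a freshly generated self-signed certificate on port $2
# (default 14433, an arbitrary choice for this example).
check_wget_tls_verification() {
    bb=${1:-busybox}
    port=${2:-14433}
    command -v "$bb" >/dev/null 2>&1 || return 2
    command -v openssl >/dev/null 2>&1 || return 2

    tmp=$(mktemp -d) || return 3
    # Self-signed certificate for localhost: no client should trust it.
    if ! openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj /CN=localhost -keyout "$tmp/key.pem" -out "$tmp/cert.pem" \
            >/dev/null 2>&1; then
        rm -rf "$tmp"
        return 3
    fi
    # -www makes s_server answer a GET with a small HTML status page.
    openssl s_server -accept "$port" -www \
        -key "$tmp/key.pem" -cert "$tmp/cert.pem" >/dev/null 2>&1 &
    srv=$!
    sleep 1

    url="https://127.0.0.1:$port/"
    "$bb" wget -q -O /dev/null "$url" >/dev/null 2>&1
    plain=$?
    "$bb" wget -q --no-check-certificate -O /dev/null "$url" >/dev/null 2>&1
    nocheck=$?

    kill "$srv" >/dev/null 2>&1
    rm -rf "$tmp"
    classify_wget_probe "$plain" "$nocheck"
}

# Usage: sh check-wget-tls.sh [/path/to/busybox] [port]
if [ $# -ge 1 ]; then
    check_wget_tls_verification "$@"
fi
```

Run it against the binary under test, for example `sh check-wget-tls.sh /bin/busybox`, and compare the verdict before and after installing the update: the fixed package should print "verifies", a 1.30.1 build with HTTPS support and no patch should print "vulnerable".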

Comment 5 PC LX 2021-01-06 16:00:52 CET
Installed and tested without issues.

Tested a bunch of busybox commands (applets, as they are called in busybox), including wget. Tested both dynamic and static busybox packages. No issues noticed.


System: Mageia 7, x86_64, Intel CPU.


$ uname -a
Linux marte 5.7.19-desktop-3.mga7 #1 SMP Sun Oct 18 15:46:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep busybox
busybox-1.30.1-1.1.mga7
busybox-static-1.30.1-1.1.mga7

CC: (none) => mageia
Whiteboard: (none) => MGA7-64-OK

Comment 6 Thomas Andrews 2021-01-07 21:59:07 CET
Validating. Advisory in Comment 4.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 7 Aurelien Oudelet 2021-01-08 14:32:46 CET
Advisory pushed to SVN.

Keywords: (none) => advisory
CC: (none) => ouaurelien

Comment 8 Mageia Robot 2021-01-08 16:36:07 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0009.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

