Debian-LTS has issued an advisory on April 1: https://www.debian.org/lts/security/2021/dla-2614 Mageia 7 is also affected.
CC: (none) => nicolas.salgueroQA Contact: (none) => securityWhiteboard: (none) => MGA7TOOComponent: RPM Packages => SecurityStatus comment: (none) => Patch available from upstream
Fedora has issued an advisory for this on March 27: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZASBW7QRRLY5V2R44MQ4QQM4CZIDHM2U/
Assigning initially to Stig who has updated this a couple of times recently; please re-assign it if you wish (NicolasS is already CC'd).
Assignee: bugsquad => smelror
Advisory: ======================== Updated busybox packages fix security vulnerability: decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data (CVE-2021-28831). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28831 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZASBW7QRRLY5V2R44MQ4QQM4CZIDHM2U/ ======================== Updated packages in core/updates_testing: ======================== busybox-1.30.1-1.2.mga7 busybox-static-1.30.1-1.2.mga7 busybox-1.32.1-1.1.mga8 busybox-static-1.32.1-1.1.mga8 from SRPMS: busybox-1.30.1-1.2.mga7.src.rpm busybox-1.32.1-1.1.mga8.src.rpm
Assignee: smelror => qa-bugsStatus comment: Patch available from upstream => (none)
Installed in mga7 without issues. Made a feeble attempt to trigger the problem before updating, by using "busybox gunzip -c [text file]" but the file was extracted and sent to the terminal window without incident. Same thing after the update, but the command appeared to work properly. Tried a few more commands; all seemed to work as they should. This looks OK for mga7.
CC: (none) => andrewsfarmWhiteboard: MGA7TOO => MGA7TOO MGA7-64-OK
Same tests in mga8, with the same results. OK for mga 8. Validating. Advisory in comment 3.
Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OKKeywords: (none) => validated_updateCC: (none) => sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0310.html
Status: NEW => RESOLVEDResolution: (none) => FIXED