Fedora has issued an advisory today (November 25): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/ The issues are fixed upstream in 1.34.0.
Status comment: (none) => Fixed upstream in 1.34.0
CC: (none) => nicolas.salguero
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

A NULL pointer dereference in Busybox's hush applet leads to denial of service when processing a crafted shell command, due to missing validation after a \x03 delimiter character. This may be used for DoS under very rare conditions of filtered command input. (CVE-2021-42376)

An attacker-controlled pointer free in Busybox's hush applet leads to denial of service and possible code execution when processing a crafted shell command, due to the shell mishandling the &&& string. This may be used for remote code execution under rare conditions of filtered command input. (CVE-2021-42377)

A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function. (CVE-2021-42378)

A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file function. (CVE-2021-42379)

A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function. (CVE-2021-42380)

A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init function. (CVE-2021-42381)

A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s function. (CVE-2021-42382)

A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function. (CVE-2021-42383)

A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function. (CVE-2021-42384)

A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function. (CVE-2021-42385)

A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function. (CVE-2021-42386)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42376
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42377
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42378
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42379
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42380
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42381
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42382
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42383
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42384
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42385
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42386
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/
========================

Updated packages in core/updates_testing:
========================

busybox-1.34.1-1.mga8
busybox-static-1.34.1-1.mga8

from SRPM:
busybox-1.34.1-1.mga8.src.rpm
Status comment: Fixed upstream in 1.34.0 => (none)
Assignee: bugsquad => qa-bugs
Status: NEW => ASSIGNED
MGA8-64 Plasma on Lenovo B50
No installation issues
Ref bug 23367 Comment 7

$ busybox --list
[ [[ acpid addgroup adduser adjtimex ar arch etc ......

$ busybox pwd
/home/tester8/Documenten
[tester8@mach5 Documenten]$ busybox ls
bugs cryptest_v libcairo.txt libzapojit.txt mirror.readme plib.txt SOFTWARE tutorialredis.txt win10reg ziekenhuis Charts jetty libtinyxml.txt main.js php qtwebengin.txt thumbnail.py volkstuintjes wiresh
[tester8@mach5 Documenten]$ busybox cd php
cd: applet not found

Indeed, cd was not in the list mentioned above......

[tester8@mach5 Documenten]$ cd php
[tester8@mach5 php]$ busybox ls
create-png.php one.png sample.php
[tester8@mach5 php]$ busybox more create-png.php
<?php
header('Content-type: image/png');
$png_image = imagecreate(150, 150);
imagecolorallocate($png_image, 15, 142, 210);
imagepng($png_image);
$path_image = 'one.png';
imagepng($png_image, $path_image);
imagedestroy($png_image);
?>
[tester8@mach5 php]$ busybox ipaddr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp8s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel qlen 1000
    link/ether f0:76:1c:ed:de:00 brd ff:ff:ff:ff:ff:ff
3: wlp9s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue qlen 1000
    link/ether b4:6d:83:0d:0c:14 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.5/24 brd 192.168.2.255 scope global wlp9s0
       valid_lft forever preferred_lft forever
    inet6 fe80::b66d:83ff:fe0d:c14/64 scope link
       valid_lft forever preferred_lft forever
[tester8@mach5 php]$ busybox lsmod | grep iwlwifi
iwlwifi 348160 1 iwlmvm, Live 0x0000000000000000
cfg80211 1032192 3 iwlmvm,mac80211,iwlwifi, Live 0x0000000000000000

Seems to work OK; it's strange to me that the cd command is not there.
Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene
After doing a bit of reading it sounded strange to me too, Herman. But then I looked at the documentation at https://www.busybox.net/downloads/BusyBox.html and while there are a host of available commands, cd isn't one of them. Validating. Advisory in Comment 1.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0533.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED