Alpine Linux has been granted a CVE for a security issue in busybox: https://nvd.nist.gov/vuln/detail/CVE-2022-28391 Alpine is working on a cleaner patch to send upstream that does more refactoring of the DNS code and doesn't introduce a memory leak like the currently referenced patch(es). Apparently the memory leak is only 128 bits and for only short lived process(es) so it's not a huge deal. It may be a while to be addressed upstream, as the upstream maintainer is currently unavailable (apparently due to the situation in Ukraine and this was announced on the busybox mailing list). This is a low-severity terminal sequence injection issue that you are unlikely to hit as long as you aren't using iTerm2. This is all according to one of the Alpine maintainers. Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
From David's comment, this is an update of temporary worth; but if it fixes a security hole, better than nothing pending a more refined patch from upstream. Assigning this to Stig who has been the principal maintainer of 'busybox' for some time.
Assignee: bugsquad => smelror
Cauldron has been updated
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Advisory
========

Busybox has been updated with 2 patches from Alpine Linux to fix CVE-2022-28391.

CVE-2022-28391: BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors.

References
==========
https://nvd.nist.gov/vuln/detail/CVE-2022-28391
https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661

Files
=====
Uploaded to core/updates_testing

busybox-static-1.34.1-1.1.mga8
busybox-1.34.1-1.1.mga8

from busybox-1.34.1-1.1.mga8.src.rpm
Source RPM: busybox-1.35.0-2.mga9.src.rpm => busybox-1.34.1-1.mga8.src.rpm
CVE: (none) => CVE-2022-28391
Assignee: smelror => qa-bugs
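The issue described in the first comment and in the advisory is a terminal escape sequence injection: the target of a DNS PTR answer is chosen by whoever controls the reverse zone, and if netstat copies those bytes unchanged into its output, any ESC-based control sequence inside a label is interpreted by the terminal emulator rather than displayed. The C program below is an added example for this bug report; it is not part of the report, of BusyBox, or of the Alpine patches referenced above. It decodes a constructed wire-format name whose first label carries an OSC 11 sequence (ESC ] 11 ; #ff0000 BEL, a request to change the background colour on xterm-compatible terminals), once the way a naive decoder would and once with every non-printable byte replaced by '?'. The sample bytes, the function names and the choice to filter at the decoder are assumptions made for the illustration, not a description of how the actual patches work.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed PTR target, not taken from the bug report: the first label
 * carries an OSC 11 sequence (ESC ] 11 ; #ff0000 BEL) that asks an
 * xterm-compatible terminal to change its background colour if the bytes
 * are written to it raw. */
static const unsigned char EVIL_PTR_NAME[] = {
    13, 0x1b, ']', '1', '1', ';', '#', 'f', 'f', '0', '0', '0', '0', 0x07,
     7, 'e', 'x', 'a', 'm', 'p', 'l', 'e',
     3, 'c', 'o', 'm',
     0
};

/* Decode a DNS wire-format name (length-prefixed labels, zero terminator)
 * into a dotted string. With sanitize == 0 every label byte is copied
 * through unchanged, which is the behaviour that lets control bytes reach
 * the terminal. With sanitize != 0 every byte outside printable ASCII
 * (0x20..0x7e) is replaced by '?'; bytes 0x80..0xff are replaced as well,
 * since they can form C1 controls or UTF-8 sequences depending on the
 * terminal mode, and hostnames on the wire are ASCII (IDNs are punycoded).
 * Returns the number of replaced bytes, or -1 on malformed input or
 * insufficient output space. Compression pointers are rejected here; a real
 * resolver expands them before this step. */
int decode_dns_name(const unsigned char *wire, size_t wire_len,
                    char *out, size_t out_len, int sanitize)
{
    size_t i = 0, o = 0;
    int replaced = 0, terminated = 0;

    if (out_len == 0)
        return -1;
    while (i < wire_len) {
        unsigned char label_len = wire[i++];
        if (label_len == 0) {            /* root label ends the name */
            terminated = 1;
            break;
        }
        if (label_len > 63 || i + label_len > wire_len)
            return -1;
        if (o != 0) {                    /* dot between labels */
            if (o + 1 >= out_len)
                return -1;
            out[o++] = '.';
        }
        for (size_t k = 0; k < label_len; k++) {
            unsigned char c = wire[i + k];
            if (o + 1 >= out_len)
                return -1;
            if (sanitize && (c < 0x20 || c > 0x7e)) {
                c = '?';
                replaced++;
            }
            out[o++] = (char)c;
        }
        i += label_len;
    }
    if (!terminated)
        return -1;
    out[o] = '\0';
    return replaced;
}

/* Decode the constructed sample in one mode; one buffer per mode so both
 * results can be held at once. Returns NULL if decoding fails. */
static char demo_buf[2][256];

const char *demo_decode(int sanitize)
{
    char *buf = demo_buf[sanitize ? 1 : 0];
    int r = decode_dns_name(EVIL_PTR_NAME, sizeof EVIL_PTR_NAME,
                            buf, sizeof demo_buf[0], sanitize);
    return r < 0 ? NULL : buf;
}

/* Number of bytes the decoder replaced for the sample in the given mode. */
int demo_replaced(int sanitize)
{
    char buf[256];
    return decode_dns_name(EVIL_PTR_NAME, sizeof EVIL_PTR_NAME,
                           buf, sizeof buf, sanitize);
}

/* Show non-printable bytes as \xNN so this demo never sends the sequence
 * to the terminal it is running in. */
static void print_escaped(const char *s)
{
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (c < 0x20 || c > 0x7e)
            printf("\\x%02x", c);
        else
            putchar(c);
    }
}

int main(void)
{
    printf("raw decode (escaped for display): ");
    print_escaped(demo_decode(0));
    printf("  [%d bytes replaced]\n", demo_replaced(0));
    printf("sanitized decode:                 %s  [%d bytes replaced]\n",
           demo_decode(1), demo_replaced(1));
    return 0;
}
```

The raw decode keeps ESC (0x1b) and BEL (0x07) in the string; printed without the escaping in main, those two bytes are what turn a hostname into a terminal command. Whether a given emulator honours OSC 11 or any other sequence varies, which is why the first comment limits the practical impact to specific terminals. Filtering at the decoder, as done here, protects every applet that prints a resolved name, not only netstat.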
CC: (none) => smelror
MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues
Ref bug 29697 Comment 2 for testing:

$ busybox --list
[
[[
acpid
addgroup
adduser
adjtimex
ar
and so on .......

$ busybox pwd
/home/tester8/Documenten

$ cd /mnt/beelden/
this is accessing an NFS share
$ busybox ls
accessbasis  accessfinesses  Afbeeldingen  fotos  Huishouden  lost+found  RawORF  report.bug.xz  rietmach2  usbsticks  Xorg.0.log

$ cd ~/Documenten/
$ busybox more create-png.php
<?php
header('Content-type: image/png');
$png_image = imagecreate(150, 150);
imagecolorallocate($png_image, 15, 142, 210);
imagepng($png_image);
$path_image = 'one.png';
imagepng($png_image, $path_image);
imagedestroy($png_image);
?>

$ busybox ipaddr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp8s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel qlen 1000
    link/ether f0:76:1c:ed:de:00 brd ff:ff:ff:ff:ff:ff
3: wlp9s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue qlen 1000
    link/ether b4:6d:83:0d:0c:14 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.5/24 brd 192.168.2.255 scope global wlp9s0
       valid_lft forever preferred_lft forever
    inet6 fe80::b66d:83ff:fe0d:c14/64 scope link
       valid_lft forever preferred_lft forever

$ busybox lsmod | grep iwlwifi
iwlwifi               352256  1 iwlmvm, Live 0x0000000000000000
cfg80211             1032192  3 iwlmvm,mac80211,iwlwifi, Live 0x0000000000000000

This looks all OK.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK
Validating. Advisory in Comment 3.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0135.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED