Bug 31213 - busybox new security issue CVE-2022-30065
Summary: busybox new security issue CVE-2022-30065
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All; OS: Linux
Priority: Normal; Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-12-02 17:33 CET by David Walser
Modified: 2022-12-13 23:10 CET (History)
4 users

See Also:
Source RPM: busybox-1.35.0-3.mga9.src.rpm
CVE:
Status comment:


Description David Walser 2022-12-02 17:33:26 CET
openSUSE has issued an advisory on December 1:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/DKNA5SMED6RSG7MVWBN6FWMQ4CMCW3HM/

Mageia 8 is also affected.
David Walser 2022-12-02 17:33:44 CET

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Patch available from upstream

Comment 1 Lewis Smith 2022-12-02 20:33:29 CET
Assigning to you, Stig, as you seem to have been most involved with busybox recently.

Assignee: bugsquad => smelror

Comment 2 Stig-Ørjan Smelror 2022-12-02 21:35:18 CET
Pushed fix to Cauldron.

Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

Comment 3 Stig-Ørjan Smelror 2022-12-02 21:47:29 CET
Advisory
========
This update fixes CVE-2022-30065.

A use-after-free in Busybox 1.35-x's awk applet leads to denial of service and
possibly code execution when processing a crafted awk pattern in the copyvar
function.

References
==========
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30065


Files
=====

Uploaded to core/updates_testing

busybox-1.34.1-1.2.mga8
busybox-static-1.34.1-1.2.mga8

from busybox-1.34.1-1.2.mga8.src.rpm

Assignee: smelror => qa-bugs

David Walser 2022-12-02 21:49:42 CET

Status comment: Patch available from upstream => (none)

Comment 4 Brian Rockwell 2022-12-09 23:33:46 CET
Installed above.

Usual commands working. I'm a bit awkward in awk, but hey.

$ busybox sh
~ $ awk '{ print $1, $2, $3 , $4, $5, $6, $7, $8, $9 }' pg69503.txt

Command worked and didn't crash.

~/awktest $ awk '{sub(/Th/,"F")}1' *

Last few lines in text:

Fis website includes information about Project Gutenberg-tm,
including how to make donations to the Project Gutenberg Literary
Archive Foundation, how to help produce our new eBooks, and how to
subscribe to our email newsletter to hear about new eBooks.

More fun:

~/awktest $ awk '{sub(/t/,"f")}1' *

This websife includes information about Project Gutenberg-tm,
including how fo make donations to the Project Gutenberg Literary
Archive Foundafion, how to help produce our new eBooks, and how to
subscribe fo our email newsletter to hear about new eBooks.

Seems awk is working in busybox, as are other commands. I didn't test all 400 of them.

CC: (none) => brtians1
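A repeatable form of the checks done in comment 4, added here as an example (it is not part of the bug report or of Mageia's QA tooling): it confirms the installed package is at least the fixed busybox-1.34.1-1.2.mga8 from comment 3 and exercises the awk applet's sub() on constructed input. The function names, the AWK variable and the reliance on GNU sort -V are assumptions.

```shell
#!/bin/sh
# Added example: regression check for the busybox awk update (not from the bug report).
# Assumes GNU sort -V for version ordering; set AWK="busybox awk" to test the applet
# itself rather than whatever awk is first in PATH.

# Fixed package from comment 3 (version-release without the package name).
FIXED_EVR="1.34.1-1.2.mga8"

# busybox_is_fixed NVR: return 0 when NVR (as printed by `rpm -q busybox`,
# e.g. busybox-1.34.1-1.2.mga8) is at least the fixed version-release.
busybox_is_fixed() {
    evr="${1#busybox-}"
    lowest=$(printf '%s\n%s\n' "$evr" "$FIXED_EVR" | sort -V | head -n 1)
    # If the fixed EVR sorts first (or is equal), the installed one is not older.
    [ "$lowest" = "$FIXED_EVR" ]
}

# awk_smoke_test: run the sub() one-liners from comment 4 on a constructed line
# and return 0 only when each produces the expected rewrite and exits cleanly.
awk_smoke_test() {
    awk_cmd="${AWK:-awk}"          # left unquoted below so "busybox awk" splits into two words
    line='This website includes information about Project Gutenberg-tm,'
    out1=$(printf '%s\n' "$line" | $awk_cmd '{sub(/t/,"f")}1') || return 1
    out2=$(printf '%s\n' "$line" | $awk_cmd '{sub(/Th/,"F")}1') || return 1
    [ "$out1" = 'This websife includes information about Project Gutenberg-tm,' ] &&
    [ "$out2" = 'Fis website includes information about Project Gutenberg-tm,' ]
}

# Stand-alone usage: check the installed package (when rpm is available) and awk.
if command -v rpm >/dev/null 2>&1; then
    installed=$(rpm -q busybox 2>/dev/null) && busybox_is_fixed "$installed" \
        && echo "busybox package OK: $installed" || echo "busybox package not at fixed level"
fi
awk_smoke_test && echo "awk sub() test OK" || echo "awk sub() test FAILED"
```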

Comment 5 Brian Rockwell 2022-12-09 23:35:17 CET
$ uname -a
Linux localhost.localdomain 5.15.79-desktop-1.mga8 #1 SMP Wed Nov 16 16:07:06 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

Whiteboard: (none) => MGA8-64-OK

Comment 6 Thomas Andrews 2022-12-10 14:09:58 CET
Validating. Advisory in comment 3.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-12-13 02:29:46 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 7 Mageia Robot 2022-12-13 23:10:54 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0458.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
