Bug 6673 - busybox new security issue CVE-2011-2716
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: All Linux
Priority: Normal Severity: normal
Target Milestone: ---
Assigned To: QA Team
URL: http://lwn.net/Vulnerabilities/482781/
Whiteboard: MGA1TOO mga2-64-OK mga1-64-OK MGA1-32...
Keywords: validated_update

Reported: 2012-07-03 19:32 CEST by David Walser
Modified: 2012-07-19 02:07 CEST
Source RPM: busybox-1.19.3-1.mga2.src.rpm

Description David Walser 2012-07-03 19:32:04 CEST
RedHat has issued an advisory on June 20:
https://rhn.redhat.com/errata/RHSA-2012-0810.html

This was fixed upstream in 1.20.0.

There is a link to the upstream bug report and commit to fix it here:
https://bugzilla.redhat.com/show_bug.cgi?id=725364

Mageia 1 and Mageia 2 are also affected.
Comment 1 David Walser 2012-07-10 23:13:46 CEST
I have this all ready for Mageia 2 (built locally) and Mageia 1.

It just will not build on Cauldron.  Seems to be a problem with the kernel.
Comment 2 Thomas Backlund 2012-07-10 23:24:00 CEST
Nope. It's a uclibc issue
Comment 3 David Walser 2012-07-11 00:04:40 CEST
Thanks Thomas.

Shlomi, could you help fix this?
Comment 4 Shlomi Fish 2012-07-11 09:19:10 CEST
(In reply to comment #3)
> Thanks Thomas.
> 
> Shlomi, could you help fix this?

Well, there is a new uClibc package in svn+ssh://svn.mageia.org/svn/packages/cauldron/uClibc/current , and it installs fine, but I'm not sure if it is working properly. How can I test it?

Regards,

-- Shlomi Fish
Comment 5 David Walser 2012-07-11 14:01:42 CEST
Shlomi, upload it to Cauldron and then resubmit a build of busybox and see if it builds :o)
Comment 6 Shlomi Fish 2012-07-11 14:09:27 CEST
(In reply to comment #5)
> Shlomi, upload it to Cauldron and then resubmit a build of busybox and see if
> it builds :o)

OK.

Regards,

-- Shlomi Fish
Comment 7 David Walser 2012-07-11 22:04:33 CEST
Notes to self for eventual advisory:
Mageia 1 update also fixes CVE-2006-1168.
Mageia 2 update also fixes build issues with kernel 3.3.
Comment 8 David Walser 2012-07-17 18:00:28 CEST
Fixed in Cauldron by rtp.  Mageia 1 and Mageia 2 updates built by me.

Assigning to QA.  The advisory is slightly different for each, so it's separated.

Advisory (Mageia 1):
========================

Updated busybox packages fix security vulnerabilities:

A buffer underflow flaw was found in the way the uncompress utility of
BusyBox expanded certain archive files compressed using Lempel-Ziv
compression. If a user were tricked into expanding a specially-crafted
archive file with uncompress, it could cause BusyBox to crash or,
potentially, execute arbitrary code with the privileges of the user
running BusyBox (CVE-2006-1168).

The BusyBox DHCP client, udhcpc, did not sufficiently sanitize certain
options provided in DHCP server replies, such as the client hostname. A
malicious DHCP server could send such an option with a specially-crafted
value to a DHCP client. If this option's value was saved on the client
system, and then later insecurely evaluated by a process that assumes the
option is trusted, it could lead to arbitrary code execution with the
privileges of that process. Note: udhcpc is not used on Red Hat Enterprise
Linux by default, and no DHCP client script is provided with the busybox
packages (CVE-2011-2716).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1168
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2716
https://rhn.redhat.com/errata/RHSA-2012-0810.html
========================

Advisory (Mageia 2):
========================

Updated busybox packages fix security vulnerability:

The BusyBox DHCP client, udhcpc, did not sufficiently sanitize certain
options provided in DHCP server replies, such as the client hostname. A
malicious DHCP server could send such an option with a specially-crafted
value to a DHCP client. If this option's value was saved on the client
system, and then later insecurely evaluated by a process that assumes the
option is trusted, it could lead to arbitrary code execution with the
privileges of that process. Note: udhcpc is not used on Red Hat Enterprise
Linux by default, and no DHCP client script is provided with the busybox
packages (CVE-2011-2716).

Additionally, build issues with Linux kernel 3.3 have been fixed.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2716
https://rhn.redhat.com/errata/RHSA-2012-0810.html
========================

Updated packages in core/updates_testing:
========================
busybox-1.18.4-1.1.mga1
busybox-static-1.18.4-1.1.mga1
busybox-1.19.3-1.1.mga2
busybox-static-1.19.3-1.1.mga2

from SRPMS:
busybox-1.18.4-1.1.mga1.src.rpm
busybox-1.19.3-1.1.mga2.src.rpm
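
A client-side check for the hostname option described in the CVE-2011-2716 advisory text above, as an added example that is not part of this bug thread and is not BusyBox's own fix. The function names, the `localhost` fallback and the sample values are constructed; it assumes a DHCP client script that receives the option as a string (udhcpc hands options to its script as environment variables such as `$hostname`).

```shell
#!/bin/sh
# Added example: validate a DHCP-supplied hostname before a script uses it.
# Function names and sample values are constructed for illustration.
LC_ALL=C; export LC_ALL   # make [A-Za-z] ranges ASCII-only

# Return 0 only for a syntactically valid hostname (RFC 1123 style):
# 1..253 chars total, dot-separated labels of 1..63 chars, each label
# made of [A-Za-z0-9-] and neither starting nor ending with '-'.
is_safe_hostname() {
    name=$1
    [ -n "$name" ] || return 1
    [ "${#name}" -le 253 ] || return 1
    case $name in
        # Anything outside the alphabet: whitespace, quotes, '$', '`',
        # ';', '/', newlines and so on.
        *[!A-Za-z0-9.-]*) return 1 ;;
        # Empty labels.
        .*|*.|*..*) return 1 ;;
    esac
    # Split on dots. No glob characters can be left after the check
    # above, so the unquoted expansion is safe here.
    old_ifs=$IFS; IFS=.
    set -- $name
    IFS=$old_ifs
    for label in "$@"; do
        [ "${#label}" -le 63 ] || return 1
        case $label in
            -*|*-) return 1 ;;
        esac
    done
    return 0
}

# Print the hostname to use: the offered value if it validates, else the
# fallback. The raw value is only ever passed quoted and never eval'd.
choose_hostname() {
    offered=$1
    fallback=$2
    if is_safe_hostname "$offered"; then
        printf '%s\n' "$offered"
    else
        printf '%s\n' "$fallback"
    fi
}

# Constructed sample values standing in for what a server might send.
for h in 'client-17.lab.example' 'bad name' 'a..b' '-x.example' 'x;y'; do
    printf '%-24s -> %s\n' "$h" "$(choose_hostname "$h" localhost)"
done
```

Validating at the point of use matters even on patched clients, because other processes may read a saved option value without knowing where it came from.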
Comment 9 claire robinson 2012-07-17 18:19:14 CEST
Testing complete mga2 x86_64

Tested busybox and busybox-static using simple commands prefixed with either busybox or busybox.static

eg.

$ busybox ps
$ busybox ls
$ busybox cat <file>
$ busybox sleep 5
$ busybox.static ps
$ busybox.static ls
$ busybox.static cat <file>
$ busybox.static sleep 5
Comment 10 claire robinson 2012-07-17 18:32:13 CEST
Testing complete mga1 x86_64
Comment 11 Dave Hodgins 2012-07-18 22:01:25 CEST
Testing complete on Mageia 1 i586.

I'll test Mageia 2 i586 shortly.
Comment 12 Dave Hodgins 2012-07-18 22:56:55 CEST
Testing complete on Mageia 2 i586.

Could someone from the sysadmin team push the srpm
busybox-1.19.3-1.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpm
busybox-1.18.4-1.1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated busybox packages fix security vulnerability:

The BusyBox DHCP client, udhcpc, did not sufficiently sanitize certain
options provided in DHCP server replies, such as the client hostname. A
malicious DHCP server could send such an option with a specially-crafted
value to a DHCP client. If this option's value was saved on the client
system, and then later insecurely evaluated by a process that assumes the
option is trusted, it could lead to arbitrary code execution with the
privileges of that process. Note: udhcpc is not used on Red Hat Enterprise
Linux by default, and no DHCP client script is provided with the busybox
packages (CVE-2011-2716).

Additionally, build issues with Linux kernel 3.3 have been fixed.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2716
https://rhn.redhat.com/errata/RHSA-2012-0810.html

https://bugs.mageia.org/show_bug.cgi?id=6673
Comment 13 David Walser 2012-07-18 23:10:59 CEST
Just to be clear, the advisories are slightly different for Mageia 1 and Mageia 2.  You can find both in Comment 8.
