
Debian: DLA-1445-1 Critical: Busybox Security Flaws Detected

Debian LTS
July 27, 2018
Critical vulnerabilities have been identified in the Busybox tools used by embedded systems; Debian 8 users should update immediately.
Busybox, a collection of utility programs for small and embedded systems, was affected by several security vulnerabilities.

Summary

CVE-2011-5325

A path traversal vulnerability was found in the Busybox implementation
of tar. tar will extract a symlink that points outside of the
current working directory and then follow that symlink when
extracting other files. This allows for a directory traversal
attack when extracting untrusted tarballs.
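
The pattern described above (a symlink member that points outside the extraction root, followed by a file member whose path goes through that symlink) can be caught before anything touches the disk. The following is an added example, not Busybox's or Debian's code: it audits a tar stream in archive order, refuses absolute names, names that climb above the root, symlinks whose target leaves the root, and any member whose path passes through an earlier symlink. The archives it checks are constructed in memory for the demonstration.

```python
import io
import tarfile


class UnsafeTarError(Exception):
    """Raised when an archive member could write outside the extraction root."""


def _components(path):
    """Split a member name into path components, resolving '.' and '..'.
    Returns None if the path climbs above the extraction root."""
    parts = []
    for piece in path.split("/"):
        if piece in ("", "."):
            continue
        if piece == "..":
            if not parts:
                return None
            parts.pop()
        else:
            parts.append(piece)
    return parts


def audit_tar(fileobj):
    """Return (member name, reason) pairs for every member that is unsafe to
    extract. Members are checked in archive order, so a symlink created by an
    earlier member is already known when a later member's path crosses it."""
    findings = []
    symlinks = set()  # component tuples of every symlink seen so far
    with tarfile.open(fileobj=fileobj, mode="r:*") as tf:
        for member in tf:
            if member.name.startswith("/"):
                findings.append((member.name, "absolute member name"))
                continue
            parts = _components(member.name)
            if parts is None:
                findings.append((member.name, "name escapes extraction root"))
                continue
            # Refuse any member whose directory prefix is an earlier symlink:
            # extracting it would follow the link, wherever the link points.
            crossed = next((parts[:i] for i in range(1, len(parts))
                            if tuple(parts[:i]) in symlinks), None)
            if crossed is not None:
                findings.append((member.name,
                                 "path passes through symlink " + "/".join(crossed)))
                continue
            if member.issym():
                target = member.linkname
                if target.startswith("/"):
                    findings.append((member.name, "symlink to absolute path"))
                elif _components("/".join(parts[:-1] + [target])) is None:
                    findings.append((member.name, "symlink target escapes extraction root"))
                symlinks.add(tuple(parts))
    return findings


def safe_extract(fileobj, dest):
    """Extract only if the audit finds nothing; otherwise refuse the whole archive."""
    findings = audit_tar(fileobj)
    if findings:
        raise UnsafeTarError(findings)
    fileobj.seek(0)
    with tarfile.open(fileobj=fileobj, mode="r:*") as tf:
        tf.extractall(dest)


def build_archive(entries):
    """Build an in-memory tar from (name, kind, payload) tuples, where kind is
    'file' (payload is bytes) or 'symlink' (payload is the link target).
    Constructed test data for this example only."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, kind, payload in entries:
            info = tarfile.TarInfo(name)
            if kind == "symlink":
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tf.addfile(info)
            else:
                info.size = len(payload)
                tf.addfile(info, io.BytesIO(payload))
    buf.seek(0)
    return buf


# Constructed archives: one benign, one using the symlink-then-file pattern.
BENIGN = [("app/config", "file", b"x=1\n"),
          ("app/link", "symlink", "config"),
          ("app/data/notes", "file", b"ok\n")]
TRAVERSAL = [("out", "symlink", "../../tmp"),
             ("out/payload", "file", b"unwanted\n")]

if __name__ == "__main__":
    print("benign:", audit_tar(build_archive(BENIGN)))
    print("traversal:", audit_tar(build_archive(TRAVERSAL)))
```

The audit is deliberately stricter than "does the target resolve inside the root": it rejects extraction through any earlier symlink at all, because that is exactly the step a traversal relies on, and a legitimate archive rarely needs it. On Python 3.12 and later (and the maintenance releases that backported it), `tarfile.extractall(..., filter="data")` enforces comparable rules inside the library itself.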

CVE-2013-1813

When a device node or symlink in /dev should be created inside a
subdirectory two or more levels deep (/dev/dir1/dir2.../node), the
intermediate directories are created with incorrect permissions.

CVE-2014-4607

An integer overflow may occur when processing any variant of a
"literal run" in the lzo1x_decompress_safe function. Each of these
three locations is subject to an integer overflow when processing
zero bytes. This exposes the code that copies literals to memory
corruption.

CVE-2014-9645

The add_probe function in modutils/modprobe.c in BusyBox allows
local users to bypass intended restrictions on loading kernel

Severity: Critical

Package: busybox
Version: 1:1.22.0-9+deb8u2
CVE ID: CVE-2011-5325 CVE-2014-9645 CVE-2015-9261 CVE-2016-2147
Debian Bug: 902724 882258 879732 818497 818499 803097 802702
