Ubuntu 3935-1: BusyBox vulnerabilities

    Date: 03 Apr 2019
    Category: Ubuntu
    Posted By: LinuxSecurity Advisories
    Several security issues were fixed in BusyBox.
    ==========================================================================
    Ubuntu Security Notice USN-3935-1
    April 03, 2019
    
    busybox vulnerabilities
    ==========================================================================
    
    A security issue affects these releases of Ubuntu and its derivatives:
    
    - Ubuntu 18.10
    - Ubuntu 18.04 LTS
    - Ubuntu 16.04 LTS
    - Ubuntu 14.04 LTS
    
    Summary:
    
    Several security issues were fixed in BusyBox.
    
    Software Description:
    - busybox: Tiny utilities for small and embedded systems
    
    Details:
    
    Tyler Hicks discovered that BusyBox incorrectly handled symlinks inside tar
    archives. If a user or automated system were tricked into processing a
    specially crafted tar archive, a remote attacker could overwrite arbitrary
    files outside of the current directory. This issue only affected Ubuntu
    14.04 LTS and Ubuntu 16.04 LTS. (CVE-2011-5325)
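
    As an added example (not code from the advisory or from BusyBox), the following Python scan applies the defender-side check for the tar symlink issue described above: it inspects an archive before anything is extracted and flags members whose paths or link targets would land outside the extraction directory, or that would be written through a symlink the archive itself created. The extraction root and the sample archive are constructed for the demonstration.

```python
import io
import posixpath
import tarfile

def _escapes(root: str, path: str) -> bool:
    """True if path, placed under root, normalizes to a location outside root."""
    full = posixpath.normpath(posixpath.join(root, path))
    return full != root and not full.startswith(root.rstrip("/") + "/")

def find_unsafe_members(data: bytes, root: str = "/tmp/extract") -> list:
    """Scan a tar archive (bytes) without extracting it; report members that could
    write outside root, including writes routed through an earlier symlink."""
    root = posixpath.normpath(root)
    findings, symlinks = [], set()
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
        for m in tar.getmembers():
            name = m.name
            if posixpath.isabs(name) or _escapes(root, name):
                findings.append((name, "path escapes extraction root"))
                continue
            if m.issym() or m.islnk():
                # Symlink targets resolve relative to the link's own directory;
                # hardlink targets are paths relative to the archive root.
                base = posixpath.dirname(name) if m.issym() else ""
                target = posixpath.join(base, m.linkname)
                if posixpath.isabs(m.linkname) or _escapes(root, target):
                    findings.append((name, "link target escapes: " + m.linkname))
                if m.issym():
                    symlinks.add(posixpath.normpath(name))
                continue
            # A regular member under an earlier symlinked directory is written through that link.
            parts = posixpath.normpath(name).split("/")
            for i in range(1, len(parts)):
                if "/".join(parts[:i]) in symlinks:
                    findings.append((name, "writes through symlink " + "/".join(parts[:i])))
                    break
    return findings

def build_sample() -> bytes:
    """Constructed sample (not from the advisory): benign file, escaping symlink, write through it."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        ok = tarfile.TarInfo("readme.txt"); ok.size = 5
        tar.addfile(ok, io.BytesIO(b"hello"))
        link = tarfile.TarInfo("cfg"); link.type, link.linkname = tarfile.SYMTYPE, "../../etc"
        tar.addfile(link)
        evil = tarfile.TarInfo("cfg/passwd"); evil.size = 3
        tar.addfile(evil, io.BytesIO(b"x:0"))
    return buf.getvalue()
```

    Running find_unsafe_members(build_sample()) reports the escaping symlink and the member that would be written through it, while the benign file is not flagged.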
    
    Mathias Krause discovered that BusyBox incorrectly handled kernel module
    loading restrictions. A local attacker could possibly use this issue to
    bypass intended restrictions. This issue only affected Ubuntu 14.04 LTS.
    (CVE-2014-9645)
    
    It was discovered that BusyBox incorrectly handled certain ZIP archives. If
    a user or automated system were tricked into processing a specially crafted
    ZIP archive, a remote attacker could cause BusyBox to crash, leading to a
    denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu
    16.04 LTS. (CVE-2015-9261)
    
    Nico Golde discovered that the BusyBox DHCP client incorrectly handled
    certain malformed domain names. A remote attacker could possibly use this
    issue to cause the DHCP client to crash, leading to a denial of service.
    This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS.
    (CVE-2016-2147)
    
    Nico Golde discovered that the BusyBox DHCP client incorrectly handled
    certain 6RD options. A remote attacker could use this issue to cause the
    DHCP client to crash, leading to a denial of service, or possibly execute
    arbitrary code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04
    LTS. (CVE-2016-2148)
    
    It was discovered that BusyBox incorrectly handled certain bzip2 archives.
    If a user or automated system were tricked into processing a specially
    crafted bzip2 archive, a remote attacker could cause BusyBox to crash,
    leading to a denial of service, or possibly execute arbitrary code. This
    issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2017-15873)
    
    It was discovered that BusyBox incorrectly handled tab completion. A local
    attacker could possibly use this issue to execute arbitrary code. This
    issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2017-16544)
    
    It was discovered that the BusyBox wget utility incorrectly handled certain
    responses. A remote attacker could use this issue to cause BusyBox to
    crash, resulting in a denial of service, or possibly execute arbitrary
    code. (CVE-2018-1000517)
    
    It was discovered that the BusyBox DHCP utilities incorrectly handled
    certain memory operations. A remote attacker could possibly use this issue
    to access sensitive information. (CVE-2018-20679, CVE-2019-5747)
    
    Update instructions:
    
    The problem can be corrected by updating your system to the following
    package versions:
    
    Ubuntu 18.10:
      busybox                         1:1.27.2-2ubuntu4.1
      busybox-initramfs               1:1.27.2-2ubuntu4.1
      busybox-static                  1:1.27.2-2ubuntu4.1
      udhcpc                          1:1.27.2-2ubuntu4.1
      udhcpd                          1:1.27.2-2ubuntu4.1
    
    Ubuntu 18.04 LTS:
      busybox                         1:1.27.2-2ubuntu3.2
      busybox-initramfs               1:1.27.2-2ubuntu3.2
      busybox-static                  1:1.27.2-2ubuntu3.2
      udhcpc                          1:1.27.2-2ubuntu3.2
      udhcpd                          1:1.27.2-2ubuntu3.2
    
    Ubuntu 16.04 LTS:
      busybox                         1:1.22.0-15ubuntu1.4
      busybox-initramfs               1:1.22.0-15ubuntu1.4
      busybox-static                  1:1.22.0-15ubuntu1.4
      udhcpc                          1:1.22.0-15ubuntu1.4
      udhcpd                          1:1.22.0-15ubuntu1.4
    
    Ubuntu 14.04 LTS:
      busybox                         1:1.21.0-1ubuntu1.4
      busybox-initramfs               1:1.21.0-1ubuntu1.4
      busybox-static                  1:1.21.0-1ubuntu1.4
      udhcpc                          1:1.21.0-1ubuntu1.4
      udhcpd                          1:1.21.0-1ubuntu1.4
    
    In general, a standard system update will make all the necessary changes.
    
    References:
      https://usn.ubuntu.com/usn/usn-3935-1
      CVE-2011-5325, CVE-2014-9645, CVE-2015-9261, CVE-2016-2147,
      CVE-2016-2148, CVE-2017-15873, CVE-2017-16544, CVE-2018-1000517,
      CVE-2018-20679, CVE-2019-5747
    
    Package Information:
      https://launchpad.net/ubuntu/+source/busybox/1:1.27.2-2ubuntu4.1
      https://launchpad.net/ubuntu/+source/busybox/1:1.27.2-2ubuntu3.2
      https://launchpad.net/ubuntu/+source/busybox/1:1.22.0-15ubuntu1.4
      https://launchpad.net/ubuntu/+source/busybox/1:1.21.0-1ubuntu1.4
    
    