busybox-1.35.0-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11738-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z busybox-1.35.0-1.1 on GA media These are all security issues fixed in the busybox-1.35.0-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11738 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2011-5325/ SUSE CVE CVE-2011-5325 page https://www.suse.com/security/cve/CVE-2015-9261/ SUSE CVE CVE-2015-9261 page https://www.suse.com/security/cve/CVE-2016-2147/ SUSE CVE CVE-2016-2147 page https://www.suse.com/security/cve/CVE-2016-2148/ SUSE CVE CVE-2016-2148 page https://www.suse.com/security/cve/CVE-2016-6301/ SUSE CVE CVE-2016-6301 page https://www.suse.com/security/cve/CVE-2017-15873/ SUSE CVE CVE-2017-15873 page https://www.suse.com/security/cve/CVE-2017-15874/ SUSE CVE CVE-2017-15874 page https://www.suse.com/security/cve/CVE-2017-16544/ SUSE CVE CVE-2017-16544 page https://www.suse.com/security/cve/CVE-2018-1000500/ SUSE CVE CVE-2018-1000500 page https://www.suse.com/security/cve/CVE-2018-1000517/ SUSE CVE CVE-2018-1000517 page https://www.suse.com/security/cve/CVE-2018-20679/ SUSE CVE CVE-2018-20679 page https://www.suse.com/security/cve/CVE-2019-5747/ SUSE CVE CVE-2019-5747 page https://www.suse.com/security/cve/CVE-2021-28831/ SUSE CVE CVE-2021-28831 page https://www.suse.com/security/cve/CVE-2021-42373/ SUSE CVE CVE-2021-42373 page https://www.suse.com/security/cve/CVE-2021-42377/ SUSE CVE CVE-2021-42377 page https://www.suse.com/security/cve/CVE-2021-42381/ SUSE CVE CVE-2021-42381 page https://www.suse.com/security/cve/CVE-2021-42385/ SUSE CVE CVE-2021-42385 page openSUSE Tumbleweed busybox-1.35.0-1.1 busybox-static-1.35.0-1.1 busybox-testsuite-1.35.0-1.1 busybox-warewulf3-1.35.0-1.1 busybox-1.35.0-1.1 as a component of openSUSE Tumbleweed busybox-static-1.35.0-1.1 as a component of openSUSE Tumbleweed busybox-testsuite-1.35.0-1.1 as a component of openSUSE Tumbleweed busybox-warewulf3-1.35.0-1.1 as a component of openSUSE Tumbleweed Directory traversal vulnerability in the BusyBox implementation of tar before 1.22.0 v5 allows remote attackers to point to files outside the current working directory via a symlink. CVE-2011-5325 openSUSE Tumbleweed:busybox-1.35.0-1.1 openSUSE Tumbleweed:busybox-static-1.35.0-1.1 openSUSE Tumbleweed:busybox-testsuite-1.35.0-1.1 openSUSE Tumbleweed:busybox-warewulf3-1.35.0-1.1 moderate 6.9 AV:L/AC:M/Au:N/C:C/I:C/A:C 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2011-5325.html CVE-2011-5325 https://bugzilla.suse.com/951562 SUSE Bug 951562 huft_build in archival/libarchive/decompress_gunzip.c in BusyBox before 1.27.2 misuses a pointer, causing segfaults and an application crash during an unzip operation on a specially crafted ZIP file. CVE-2015-9261 openSUSE Tumbleweed:busybox-1.35.0-1.1 openSUSE Tumbleweed:busybox-static-1.35.0-1.1 openSUSE Tumbleweed:busybox-testsuite-1.35.0-1.1 openSUSE Tumbleweed:busybox-warewulf3-1.35.0-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-9261.html CVE-2015-9261 https://bugzilla.suse.com/1102912 SUSE Bug 1102912 Integer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to cause a denial of service (crash) via a malformed RFC1035-encoded domain name, which triggers an out-of-bounds heap write. CVE-2016-2147 openSUSE Tumbleweed:busybox-1.35.0-1.1 openSUSE Tumbleweed:busybox-static-1.35.0-1.1 openSUSE Tumbleweed:busybox-testsuite-1.35.0-1.1 openSUSE Tumbleweed:busybox-warewulf3-1.35.0-1.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-2147.html CVE-2016-2147 https://bugzilla.suse.com/970663 SUSE Bug 970663 Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to have unspecified impact via vectors involving OPTION_6RD parsing. CVE-2016-2148 openSUSE Tumbleweed:busybox-1.35.0-1.1 openSUSE Tumbleweed:busybox-static-1.35.0-1.1 openSUSE Tumbleweed:busybox-testsuite-1.35.0-1.1 openSUSE Tumbleweed:busybox-warewulf3-1.35.0-1.1 moderate 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-2148.html CVE-2016-2148 https://bugzilla.suse.com/970662 SUSE Bug 970662 The recv_and_process_client_pkt function in networking/ntpd.c in busybox allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged NTP packet, which triggers a communication loop. CVE-2016-6301 openSUSE Tumbleweed:busybox-1.35.0-1.1 openSUSE Tumbleweed:busybox-static-1.35.0-1.1 openSUSE Tumbleweed:busybox-testsuite-1.35.0-1.1 openSUSE Tumbleweed:busybox-warewulf3-1.35.0-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P 7.8 AV:N/AC:L/Au:N/C:N/I:N/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-6301.html CVE-2016-6301 https://bugzilla.suse.com/991940 SUSE Bug 991940 The get_next_block function in archival/libarchive/decompress_bunzip2.c in BusyBox 1.27.2 has an Integer Overflow that may lead to a write access violation. CVE-2017-15873 openSUSE Tumbleweed:busybox-1.35.0-1.1 openSUSE Tumbleweed:busybox-static-1.35.0-1.1 openSUSE Tumbleweed:busybox-testsuite-1.35.0-1.1 openSUSE Tumbleweed:busybox-warewulf3-1.35.0-1.1 moderate 6.9 AV:L/AC:M/Au:N/C:C/I:C/A:C 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-15873.html CVE-2017-15873 https://bugzilla.suse.com/1064976 SUSE Bug 1064976 archival/libarchive/decompress_unlzma.c in BusyBox 1.27.2 has an Integer Underflow that leads to a read access violation. CVE-2017-15874 openSUSE Tumbleweed:busybox-1.35.0-1.1 openSUSE Tumbleweed:busybox-static-1.35.0-1.1 openSUSE Tumbleweed:busybox-testsuite-1.35.0-1.1 openSUSE Tumbleweed:busybox-warewulf3-1.35.0-1.1 low 1.9 AV:L/AC:M/Au:N/C:N/I:N/A:P 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-15874.html CVE-2017-15874 https://bugzilla.suse.com/1064978 SUSE Bug 1064978 In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of the shell, used to get a list of filenames in a directory, does not sanitize filenames and results in executing any escape sequence in the terminal. This could potentially result in code execution, arbitrary file writes, or other attacks. CVE-2017-16544 openSUSE Tumbleweed:busybox-1.35.0-1.1 openSUSE Tumbleweed:busybox-static-1.35.0-1.1 openSUSE Tumbleweed:busybox-testsuite-1.35.0-1.1 openSUSE Tumbleweed:busybox-warewulf3-1.35.0-1.1 important 6.9 AV:L/AC:M/Au:N/C:C/I:C/A:C 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-16544.html CVE-2017-16544 https://bugzilla.suse.com/1069412 SUSE Bug 1069412 Busybox contains a Missing SSL certificate validation vulnerability in The "busybox wget" applet that can result in arbitrary code execution. This attack appear to be exploitable via Simply download any file over HTTPS using "busybox wget https://compromised-domain.com/important-file". CVE-2018-1000500 openSUSE Tumbleweed:busybox-1.35.0-1.1 openSUSE Tumbleweed:busybox-static-1.35.0-1.1 openSUSE Tumbleweed:busybox-testsuite-1.35.0-1.1 openSUSE Tumbleweed:busybox-warewulf3-1.35.0-1.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-1000500.html CVE-2018-1000500 https://bugzilla.suse.com/1099263 SUSE Bug 1099263 BusyBox project BusyBox wget version prior to commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e contains a Buffer Overflow vulnerability in Busybox wget that can result in heap buffer overflow. This attack appear to be exploitable via network connectivity. This vulnerability appears to have been fixed in after commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e. CVE-2018-1000517 openSUSE Tumbleweed:busybox-1.35.0-1.1 openSUSE Tumbleweed:busybox-static-1.35.0-1.1 openSUSE Tumbleweed:busybox-testsuite-1.35.0-1.1 openSUSE Tumbleweed:busybox-warewulf3-1.35.0-1.1 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-1000517.html CVE-2018-1000517 https://bugzilla.suse.com/1099260 SUSE Bug 1099260 An issue was discovered in BusyBox before 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP server, client, and relay) allows a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to verification in udhcp_get_option() in networking/udhcp/common.c that 4-byte options are indeed 4 bytes. CVE-2018-20679 openSUSE Tumbleweed:busybox-1.35.0-1.1 openSUSE Tumbleweed:busybox-static-1.35.0-1.1 openSUSE Tumbleweed:busybox-testsuite-1.35.0-1.1 openSUSE Tumbleweed:busybox-warewulf3-1.35.0-1.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-20679.html CVE-2018-20679 https://bugzilla.suse.com/1121426 SUSE Bug 1121426 https://bugzilla.suse.com/1121428 SUSE Bug 1121428 An issue was discovered in BusyBox through 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP client, server, and/or relay) might allow a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to assurance of a 4-byte length when decoding DHCP_SUBNET. NOTE: this issue exists because of an incomplete fix for CVE-2018-20679. CVE-2019-5747 openSUSE Tumbleweed:busybox-1.35.0-1.1 openSUSE Tumbleweed:busybox-static-1.35.0-1.1 openSUSE Tumbleweed:busybox-testsuite-1.35.0-1.1 openSUSE Tumbleweed:busybox-warewulf3-1.35.0-1.1 low 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-5747.html CVE-2019-5747 https://bugzilla.suse.com/1121426 SUSE Bug 1121426 https://bugzilla.suse.com/1121428 SUSE Bug 1121428 decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data. CVE-2021-28831 openSUSE Tumbleweed:busybox-1.35.0-1.1 openSUSE Tumbleweed:busybox-static-1.35.0-1.1 openSUSE Tumbleweed:busybox-testsuite-1.35.0-1.1 openSUSE Tumbleweed:busybox-warewulf3-1.35.0-1.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-28831.html CVE-2021-28831 https://bugzilla.suse.com/1184522 SUSE Bug 1184522 A NULL pointer dereference in Busybox's man applet leads to denial of service when a section name is supplied but no page argument is given CVE-2021-42373 openSUSE Tumbleweed:busybox-1.35.0-1.1 openSUSE Tumbleweed:busybox-static-1.35.0-1.1 openSUSE Tumbleweed:busybox-testsuite-1.35.0-1.1 openSUSE Tumbleweed:busybox-warewulf3-1.35.0-1.1 moderate 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-42373.html CVE-2021-42373 An attacker-controlled pointer free in Busybox's hush applet leads to denial of service and possible code execution when processing a crafted shell command, due to the shell mishandling the &&& string. This may be used for remote code execution under rare conditions of filtered command input. CVE-2021-42377 openSUSE Tumbleweed:busybox-1.35.0-1.1 openSUSE Tumbleweed:busybox-static-1.35.0-1.1 openSUSE Tumbleweed:busybox-testsuite-1.35.0-1.1 openSUSE Tumbleweed:busybox-warewulf3-1.35.0-1.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-42377.html CVE-2021-42377 A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init function CVE-2021-42381 openSUSE Tumbleweed:busybox-1.35.0-1.1 openSUSE Tumbleweed:busybox-static-1.35.0-1.1 openSUSE Tumbleweed:busybox-testsuite-1.35.0-1.1 openSUSE Tumbleweed:busybox-warewulf3-1.35.0-1.1 moderate 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-42381.html CVE-2021-42381 A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function CVE-2021-42385 openSUSE Tumbleweed:busybox-1.35.0-1.1 openSUSE Tumbleweed:busybox-static-1.35.0-1.1 openSUSE Tumbleweed:busybox-testsuite-1.35.0-1.1 openSUSE Tumbleweed:busybox-warewulf3-1.35.0-1.1 moderate 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-42385.html CVE-2021-42385