Home / Security / USN-3935-1: BusyBox vulnerabilities | Ubuntu security notices

USN-3935-1: BusyBox vulnerabilities | Ubuntu security notices

3 April 2019

busybox vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.10
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in BusyBox.

Software Description

  • busybox – Tiny utilities for small and embedded systems

Details

Tyler Hicks discovered that BusyBox incorrectly handled symlinks inside tar
archives. If a user or automated system were tricked into processing a
specially crafted tar archive, a remote attacker could overwrite arbitrary
files outside of the current directory. This issue only affected Ubuntu
14.04 LTS and Ubuntu 16.04 LTS. (CVE-2011-5325)

Mathias Krause discovered that BusyBox incorrectly handled kernel module
loading restrictions. A local attacker could possibly use this issue to
bypass intended restrictions. This issue only affected Ubuntu 14.04 LTS.
(CVE-2014-9645)

It was discovered that BusyBox incorrectly handled certain ZIP archives. If
a user or automated system were tricked into processing a specially crafted
ZIP archive, a remote attacker could cause BusyBox to crash, leading to a
denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu
16.04 LTS. (CVE-2015-9261)

Nico Golde discovered that the BusyBox DHCP client incorrectly handled
certain malformed domain names. A remote attacker could possibly use this
issue to cause the DHCP client to crash, leading to a denial of service.
This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS.
(CVE-2016-2147)

Nico Golde discovered that the BusyBox DHCP client incorrectly handled
certain 6RD options. A remote attacker could use this issue to cause the
DHCP client to crash, leading to a denial of service, or possibly execute
arbitrary code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04
LTS. (CVE-2016-2148)

It was discovered that BusyBox incorrectly handled certain bzip2 archives.
If a user or automated system were tricked into processing a specially
crafted bzip2 archive, a remote attacker could cause BusyBox to crash,
leading to a denial of service, or possibly execute arbitrary code. This
issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2017-15873)

It was discovered that BusyBox incorrectly handled tab completion. A local
attacker could possibly use this issue to execute arbitrary code. This
issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2017-16544)

It was discovered that the BusyBox wget utility incorrectly handled certain
responses. A remote attacker could use this issue to cause BusyBox to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2018-1000517)

It was discovered that the BusyBox DHCP utilities incorrectly handled
certain memory operations. A remote attacker could possibly use this issue
to access sensitive information. (CVE-2018-20679, CVE-2019-5747)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.10
busybox1:1.27.2-2ubuntu4.1
busybox-initramfs1:1.27.2-2ubuntu4.1
busybox-static1:1.27.2-2ubuntu4.1
udhcpc1:1.27.2-2ubuntu4.1
udhcpd1:1.27.2-2ubuntu4.1
Ubuntu 18.04 LTS
busybox1:1.27.2-2ubuntu3.2
busybox-initramfs1:1.27.2-2ubuntu3.2
busybox-static1:1.27.2-2ubuntu3.2
udhcpc1:1.27.2-2ubuntu3.2
udhcpd1:1.27.2-2ubuntu3.2
Ubuntu 16.04 LTS
busybox1:1.22.0-15ubuntu1.4
busybox-initramfs1:1.22.0-15ubuntu1.4
busybox-static1:1.22.0-15ubuntu1.4
udhcpc1:1.22.0-15ubuntu1.4
udhcpd1:1.22.0-15ubuntu1.4
Ubuntu 14.04 LTS
busybox1:1.21.0-1ubuntu1.4
busybox-initramfs1:1.21.0-1ubuntu1.4
busybox-static1:1.21.0-1ubuntu1.4
udhcpc1:1.21.0-1ubuntu1.4
udhcpd1:1.21.0-1ubuntu1.4

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

Source link

Leave a Reply

Your email address will not be published. Required fields are marked *

*

This site uses Akismet to reduce spam. Learn how your comment data is processed.

x

Check Also

Broadcom WiFi Driver Flaws Expose Computers, Phones, IoT to RCE Attacks

Broadcom WiFi Driver Flaws Expose Computers, Phones, IoT to RCE Attacks

Broadcom WiFi chipset drivers have been found to contain vulnerabilities impacting multiple operating systems and ...