package/busybox: security bump to version 1.33.2

Fixes the following vulnerabilities:

- CVE-2021-42374: An out-of-bounds heap read in Busybox's unlzma applet
  leads to information leak and denial of service when crafted
  LZMA-compressed input is decompressed.

- CVE-2021-42375: An incorrect handling of a special element in Busybox's
  ash applet leads to denial of service when processing a crafted shell
  command, due to the shell mistaking specific characters for reserved
  characters.  This may be used for DoS under rare conditions of filtered
  command input.

- CVE-2021-42376: A NULL pointer dereference in Busybox's hush applet leads
  to denial of service when processing a crafted shell command, due to
  missing validation after a \x03 delimiter character.  This may be used for
  DoS under very rare conditions of filtered command input.

- CVE-2021-42377: An attacker-controlled pointer free in Busybox's hush
  applet leads to denial of service and possible code execution when
  processing a crafted shell command, due to the shell mishandling the &&&
  string.  This may be used for remote code execution under rare conditions
  of filtered command input.

For details, see:
https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This commit is contained in:
Peter Korsgaard 2021-12-14 13:16:07 +01:00
parent 32219136e2
commit 7f48212a2e
2 changed files with 2 additions and 2 deletions

@ -1,5 +1,5 @@
# From https://busybox.net/downloads/busybox-1.33.1.tar.bz2.sha256
sha256 12cec6bd2b16d8a9446dd16130f2b92982f1819f6e1c5f5887b6db03f5660d28 busybox-1.33.1.tar.bz2
sha256 6843ba7977081e735fa0fdb05893e3c002c8c5ad7c9c80da206e603cc0ac47e7 busybox-1.33.2.tar.bz2
# Locally computed
sha256 bbfc9843646d483c334664f651c208b9839626891d8f17604db2146962f43548 LICENSE
sha256 b5a136ed67798e51fe2e0ca0b2a21cb01b904ff0c9f7d563a6292e276607e58f archival/libarchive/bz/LICENSE
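Review bot: the provenance comment on the first context line, `# From https://busybox.net/downloads/busybox-1.33.1.tar.bz2.sha256`, still names the 1.33.1 checksum file while the entry below it now covers busybox-1.33.2.tar.bz2; update the URL to `busybox-1.33.2.tar.bz2.sha256` so the recorded origin of the hash matches the tarball it verifies. It is also worth stating in the commit that the new sha256 was taken from that upstream .sha256 file rather than computed locally, since the `# Locally computed` marker below applies only to the two LICENSE entries.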

@ -4,7 +4,7 @@
#
################################################################################
BUSYBOX_VERSION = 1.33.1
BUSYBOX_VERSION = 1.33.2
BUSYBOX_SITE = https://www.busybox.net/downloads
BUSYBOX_SOURCE = busybox-$(BUSYBOX_VERSION).tar.bz2
BUSYBOX_LICENSE = GPL-2.0, bzip2-1.0.4
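Review bot: the version bump is complete for this file, since BUSYBOX_SOURCE is derived from BUSYBOX_VERSION and nothing else here references the release number; the commit message, however, lists only four CVEs while the linked JFrog write-up refers to 14 new vulnerabilities, so a sentence noting that the rest are also addressed by the 1.33.2 release would make the security scope of this bump clearer to anyone reading the log.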