Debian Bug report logs -
#882258
busybox: CVE-2017-16544: lineedit: do not tab-complete any strings which have control characters
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Mon, 20 Nov 2017 19:51:02 UTC
Severity: important
Tags: fixed-upstream, security, upstream
Found in versions busybox/1:1.27.2-1, busybox/1:1.22.0-19, busybox/1:1.22.0-9+deb8u1, busybox/1:1.20.0-7
Fixed in version 1:1.27.2-2
Done: Chris Boot <bootc@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Install System Team <debian-boot@lists.debian.org>
:
Bug#882258
; Package src:busybox
.
(Mon, 20 Nov 2017 19:51:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Install System Team <debian-boot@lists.debian.org>
.
(Mon, 20 Nov 2017 19:51:05 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: busybox
Version: 1:1.27.2-1
Severity: grave
Tags: security
Hi,
the following vulnerability was published for busybox. I realize you
know of the issue already but just filling to have a tracking bug as
well in the BTS.
CVE-2017-16544[0]:
| In the add_match function in libbb/lineedit.c in BusyBox through
| 1.27.2, the tab autocomplete feature of the shell, used to get a list
| of filenames in a directory, does not sanitize filenames and results in
| executing any escape sequence in the terminal. This could potentially
| result in code execution, arbitrary file writes, or other attacks.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-16544
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16544
[1] https://git.busybox.net/busybox/commit/?id=c3797d40a1c57352192c6106cc0f435e7d9c11e8
Please adjust the affected versions in the BTS as needed, only
unstable checked so far.
Regards,
Salvatore
Severity set to 'important' from 'grave'
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Mon, 20 Nov 2017 19:57:12 GMT) (full text, mbox, link).
Added tag(s) upstream and fixed-upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Mon, 20 Nov 2017 19:57:13 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Install System Team <debian-boot@lists.debian.org>
:
Bug#882258
; Package src:busybox
.
(Mon, 20 Nov 2017 20:06:07 GMT) (full text, mbox, link).
Acknowledgement sent
to Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
:
Extra info received and forwarded to list. Copy sent to Debian Install System Team <debian-boot@lists.debian.org>
.
(Mon, 20 Nov 2017 20:06:07 GMT) (full text, mbox, link).
Message #14 received at 882258@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
found 882258 1:1.20.0-7
found 882258 1:1.22.0-9+deb8u1
found 882258 1:1.22.0-19
found 882258 1:1.27.2-1
thanks
Salvatore Bonaccorso wrote...
> Please adjust the affected versions in the BTS as needed, only
> unstable checked so far.
Can help with that: All versions back to and including wheezy are
affected. Luckily the fix applies sanely everywhere, updated packages
will follow ASAP.
Christoph
[signature.asc (application/pgp-signature, inline)]
Marked as found in versions busybox/1:1.20.0-7.
Request was from Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
to control@bugs.debian.org
.
(Mon, 20 Nov 2017 20:06:11 GMT) (full text, mbox, link).
Marked as found in versions busybox/1:1.22.0-9+deb8u1.
Request was from Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
to control@bugs.debian.org
.
(Mon, 20 Nov 2017 20:06:12 GMT) (full text, mbox, link).
Marked as found in versions busybox/1:1.22.0-19.
Request was from Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
to control@bugs.debian.org
.
(Mon, 20 Nov 2017 20:06:12 GMT) (full text, mbox, link).
Reply sent
to Chris Boot <bootc@debian.org>
:
You have taken responsibility.
(Mon, 05 Feb 2018 11:00:13 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>
:
Bug acknowledged by developer.
(Mon, 05 Feb 2018 11:00:13 GMT) (full text, mbox, link).
Message #25 received at 882258-done@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Version: 1:1.27.2-2
Hi Salvatore,
This was fixed in the last upload of busybox but the bug wasn't closed,
sorry. I see that the security tracker has been updated already, though.
Cheers,
Chris
--
Chris Boot
bootc@debian.org
[signature.asc (application/pgp-signature, attachment)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Install System Team <debian-boot@lists.debian.org>
:
Bug#882258
; Package src:busybox
.
(Mon, 05 Feb 2018 12:00:14 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian Install System Team <debian-boot@lists.debian.org>
.
(Mon, 05 Feb 2018 12:00:14 GMT) (full text, mbox, link).
Message #30 received at 882258@bugs.debian.org (full text, mbox, reply):
Hi
On Mon, Feb 05, 2018 at 11:52:28AM +0100, Chris Boot wrote:
> Version: 1:1.27.2-2
>
> Hi Salvatore,
>
> This was fixed in the last upload of busybox but the bug wasn't closed,
> sorry. I see that the security tracker has been updated already, though.
Thanks for the notice! Yes we did already update the tracker (which
presumalby was after we checked the 1:1.27.2-2 upload).
Regards,
Salvatore
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org
.
(Wed, 21 Mar 2018 07:28:23 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 15:53:27 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.