CVE-2018-1000517

Debian Bug report logs - #902724
CVE-2018-1000517

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: CVE-2018-1000517

Date: Fri, 29 Jun 2018 23:07:32 +0200

Package: busybox
Version: 1:1.27.2-2
Severity: important
Tags: security

This was assigned CVE-2018-1000517:
https://git.busybox.net/busybox/commit/?id=8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e

Cheers,
        Moritz

Message #10 received at 902724-submitter@bugs.debian.org (full text, mbox, reply):

From: Ben Hutchings <ben@decadent.org.uk>

To: 902724-submitter@bugs.debian.org

Subject: Bug #902724 in busybox marked as pending

Date: Fri, 13 Jul 2018 03:42:12 +0000

Control: tag -1 pending

Hello,

Bug #902724 in busybox reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below, and you can check the diff of the fix at:

https://salsa.debian.org/installer-team/busybox/commit/da3f26a36e3a6a0703473a3940237ffe3a33b35d

------------------------------------------------------------------------
Apply security fixes for wget from upstream

- wget: more thorough sanitization of other side's data
- wget: check chunk length for overflowing off_t (CVE-2018-1000517)
  (Closes: #902724)
- wget: handle URLs with @ or hash differently
- wget: emit a message that certificate verification is not implemented

------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/902724

Message #17 received at 902724-close@bugs.debian.org (full text, mbox, reply):

From: Ben Hutchings <ben@decadent.org.uk>

To: 902724-close@bugs.debian.org

Subject: Bug#902724: fixed in busybox 1:1.27.2-3

Date: Fri, 13 Jul 2018 03:49:11 +0000

Source: busybox
Source-Version: 1:1.27.2-3

We believe that the bug you reported is fixed in the latest version of
busybox, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 902724@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ben Hutchings <ben@decadent.org.uk> (supplier of updated busybox package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 13 Jul 2018 04:19:08 +0100
Source: busybox
Binary: busybox busybox-static busybox-udeb busybox-syslogd udhcpc udhcpd
Architecture: source
Version: 1:1.27.2-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Install System Team <debian-boot@lists.debian.org>
Changed-By: Ben Hutchings <ben@decadent.org.uk>
Description:
 busybox    - Tiny utilities for small and embedded systems
 busybox-static - Standalone rescue shell with tons of builtin utilities
 busybox-syslogd - Provides syslogd and klogd using busybox
 busybox-udeb - Tiny utilities for the debian-installer (udeb)
 udhcpc     - Provides the busybox DHCP client implementation
 udhcpd     - Provides the busybox DHCP server implementation
Closes: 886506 902724
Changes:
 busybox (1:1.27.2-3) unstable; urgency=medium
 .
   [ Cyril Brulebois ]
   * Update Vcs-{Browser,Git} to point to salsa (alioth's replacement).
 .
   [ Chris Lamb ]
   * PEP8 fixes.
 .
   [ Ben Hutchings ]
   * Stop overriding stack alignment on i386 (Closes: #886506)
   * Apply security fixes for wget from upstream:
     - wget: more thorough sanitization of other side's data
     - wget: check chunk length for overflowing off_t (CVE-2018-1000517)
       (Closes: #902724)
     - wget: handle URLs with @ or hash differently
Checksums-Sha1:
 efb1505df34962853cf3ae29ad54af5bdec84d5e 2240 busybox_1.27.2-3.dsc
 a60a1544351f1d926b9786f1f22cbc50432442c7 56412 busybox_1.27.2-3.debian.tar.xz
 d108a27671ea486dc66187a51a9c6e0bf9db93ce 5939 busybox_1.27.2-3_source.buildinfo
Checksums-Sha256:
 cc8de54c17b58f0563cfd0f7c942d64ff909963443ba872f316e06f4f50812b1 2240 busybox_1.27.2-3.dsc
 369f054e959cde26a16849a62804bad18bd3a29dc003e77c6ac80444cfc0878d 56412 busybox_1.27.2-3.debian.tar.xz
 fada18f659a2e5a608e2b2e0e91918a22f58bbc3f5b5ab41319a77a09fb36b23 5939 busybox_1.27.2-3_source.buildinfo
Files:
 66b2f2f538d552d261b8f920ac0b8548 2240 utils optional busybox_1.27.2-3.dsc
 07e82f2c84b58f6781abdb7b1bff10f7 56412 utils optional busybox_1.27.2-3.debian.tar.xz
 bd5e8b78f4c435b5545f95bdf48dd319 5939 utils optional busybox_1.27.2-3_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEErCspvTSmr92z9o8157/I7JWGEQkFAltIHeoACgkQ57/I7JWG
EQlpxRAAknoRBxSR/Ul6fllnMxO6nX4P7ns5MsQhsnrQ4Nq1gKlsD7muM+nkE/Xb
MVgqWr+0n2AwsOwb7PPTC/0WO8Q7KeDBsVvxoW4RkXFR+plYympQ/1HT5nMLF3PD
duBfAuaPsDztPjauiZVdQ2cP0x7NQSg9FNnAxUWpaq2kNzQzDfNc5rAASXMHcWqJ
MCn4VFQRe345ryBS14pccpCjrPp9oVJe+LPfg25m02lB6FEbOsXGxc0KW9UFNV+l
BJel6UlieIhdsOCvr3ulRR1zNkrF24ZcO3+2+UdbYe8LrJ9nKgIEddaaEg8VTcVY
FYSmurRdxWuoDIiFNi7pD3t8Ow16PUFi4TamnZ6iuKTgotjTAxvxXIFBBOorLAUt
8Rel0yzxO1YA+D6iVJWKERSZTNgUn0pUmKVJQPUUCEerOPisFVi2aC05EFL5z/zL
jMdim4KeFLivfJrh4H0VUUD8GK431aoU9HBkOZgyeJsYmzWkOhTMKdiBIGakWAQr
sZ1+lEQeV7w4m0ZLTFRE1GdR5L4VOxOiBMvkDaLf32G42QZN4f7IXFySc6ESMvxm
OUYhWV4PmukHzGT8NG2zG88uGdOyI75nmTk2RXaTk6e/N+2uLTSojWIfU3xBTQaV
CzEp18LbmjHDBMhdDYzC1OywO6ypSb2/AGn7u1oWSkonjRoeUFw=
=Nlmf
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.