Recent Vulnerabilities Research Posts Trends Blog About Contact

Related Vulnerabilities: CVE-2017-16544

Source

Debian Bug report logs - #882258
busybox: CVE-2017-16544: lineedit: do not tab-complete any strings which have control characters

Package: src:busybox; Maintainer for src:busybox is Debian Install System Team <debian-boot@lists.debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 20 Nov 2017 19:51:02 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in versions busybox/1:1.27.2-1, busybox/1:1.22.0-19, busybox/1:1.22.0-9+deb8u1, busybox/1:1.20.0-7

Fixed in version 1:1.27.2-2

Done: Chris Boot <bootc@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#882258; Package src:busybox. (Mon, 20 Nov 2017 19:51:05 GMT) (full text, mbox, link).

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Install System Team <debian-boot@lists.debian.org>. (Mon, 20 Nov 2017 19:51:05 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

Source: busybox
Version: 1:1.27.2-1
Severity: grave
Tags: security

Hi,

the following vulnerability was published for busybox. I realize you
know of the issue already but just filling to have a tracking bug as
well in the BTS.

CVE-2017-16544[0]:
| In the add_match function in libbb/lineedit.c in BusyBox through
| 1.27.2, the tab autocomplete feature of the shell, used to get a list
| of filenames in a directory, does not sanitize filenames and results in
| executing any escape sequence in the terminal. This could potentially
| result in code execution, arbitrary file writes, or other attacks.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-16544
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16544
[1] https://git.busybox.net/busybox/commit/?id=c3797d40a1c57352192c6106cc0f435e7d9c11e8

Please adjust the affected versions in the BTS as needed, only
unstable checked so far.

Regards,
Salvatore

Severity set to 'important' from 'grave' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 20 Nov 2017 19:57:12 GMT) (full text, mbox, link).

Added tag(s) upstream and fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 20 Nov 2017 19:57:13 GMT) (full text, mbox, link).

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#882258; Package src:busybox. (Mon, 20 Nov 2017 20:06:07 GMT) (full text, mbox, link).

Acknowledgement sent to Christoph Biedl <debian.axhn@manchmal.in-ulm.de>:
Extra info received and forwarded to list. Copy sent to Debian Install System Team <debian-boot@lists.debian.org>. (Mon, 20 Nov 2017 20:06:07 GMT) (full text, mbox, link).

Message #14 received at 882258@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

found 882258 1:1.20.0-7
found 882258 1:1.22.0-9+deb8u1
found 882258 1:1.22.0-19
found 882258 1:1.27.2-1
thanks

Salvatore Bonaccorso wrote...

> Please adjust the affected versions in the BTS as needed, only
> unstable checked so far.

Can help with that: All versions back to and including wheezy are
affected. Luckily the fix applies sanely everywhere, updated packages
will follow ASAP.

    Christoph

[signature.asc (application/pgp-signature, inline)]

Marked as found in versions busybox/1:1.20.0-7. Request was from Christoph Biedl <debian.axhn@manchmal.in-ulm.de> to control@bugs.debian.org. (Mon, 20 Nov 2017 20:06:11 GMT) (full text, mbox, link).

Marked as found in versions busybox/1:1.22.0-9+deb8u1. Request was from Christoph Biedl <debian.axhn@manchmal.in-ulm.de> to control@bugs.debian.org. (Mon, 20 Nov 2017 20:06:12 GMT) (full text, mbox, link).

Marked as found in versions busybox/1:1.22.0-19. Request was from Christoph Biedl <debian.axhn@manchmal.in-ulm.de> to control@bugs.debian.org. (Mon, 20 Nov 2017 20:06:12 GMT) (full text, mbox, link).

Reply sent to Chris Boot <bootc@debian.org>:
You have taken responsibility. (Mon, 05 Feb 2018 11:00:13 GMT) (full text, mbox, link).

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 05 Feb 2018 11:00:13 GMT) (full text, mbox, link).

Message #25 received at 882258-done@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

Version: 1:1.27.2-2

Hi Salvatore,

This was fixed in the last upload of busybox but the bug wasn't closed,
sorry. I see that the security tracker has been updated already, though.

Cheers,
Chris

-- 
Chris Boot
bootc@debian.org

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#882258; Package src:busybox. (Mon, 05 Feb 2018 12:00:14 GMT) (full text, mbox, link).

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Install System Team <debian-boot@lists.debian.org>. (Mon, 05 Feb 2018 12:00:14 GMT) (full text, mbox, link).

Message #30 received at 882258@bugs.debian.org (full text, mbox, reply):

Hi

On Mon, Feb 05, 2018 at 11:52:28AM +0100, Chris Boot wrote:
> Version: 1:1.27.2-2
> 
> Hi Salvatore,
> 
> This was fixed in the last upload of busybox but the bug wasn't closed,
> sorry. I see that the security tracker has been updated already, though.

Thanks for the notice! Yes we did already update the tracker (which
presumalby was after we checked the 1:1.27.2-2 upload).

Regards,
Salvatore

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 21 Mar 2018 07:28:23 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:53:27 2019; Machine Name: beach

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

busybox: CVE-2017-16544: lineedit: do not tab-complete any strings which have control characters

Debian Bug report logs - #882258
busybox: CVE-2017-16544: lineedit: do not tab-complete any strings which have control characters

Vulmon Search

About

Products

Connect

busybox: CVE-2017-16544: lineedit: do not tab-complete any strings which have control characters

Debian Bug report logs - #882258 busybox: CVE-2017-16544: lineedit: do not tab-complete any strings which have control characters

Vulmon Search

About

Products

Connect

Debian Bug report logs - #882258
busybox: CVE-2017-16544: lineedit: do not tab-complete any strings which have control characters