CVE-2017-15874 / CVE-2017-15873


Debian Bug report logs - #879732

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Wed, 25 Oct 2017 07:12:02 UTC

Severity: important

Tags: security

Found in version busybox/1:1.27.2-1

Fixed in version busybox/1:1.27.2-2

Done: Chris Boot <bootc@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#879732; Package busybox. (Wed, 25 Oct 2017 07:12:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Install System Team <debian-boot@lists.debian.org>. (Wed, 25 Oct 2017 07:12:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2017-15874 / CVE-2017-15873
Date: Wed, 25 Oct 2017 08:52:34 +0200
Package: busybox
Version: 1:1.27.2-1
Severity: important
Tags: security

Hi,
please see:

CVE-2017-15873
The get_next_block function in archival/libarchive/decompress_bunzip2.c
in BusyBox 1.27.2 has an Integer Overflow that may lead to a write
access violation.

https://bugs.busybox.net/show_bug.cgi?id=10431
https://git.busybox.net/busybox/commit/?id=0402cb32df015d9372578e3db27db47b33d5c7b0


CVE-2017-15874
archival/libarchive/decompress_unlzma.c in BusyBox 1.27.2 has an Integer
Underflow that leads to a read access violation.

https://bugs.busybox.net/show_bug.cgi?id=10436

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#879732; Package busybox. (Wed, 25 Oct 2017 17:30:03 GMT)


Acknowledgement sent to Christoph Biedl <debian.axhn@manchmal.in-ulm.de>:
Extra info received and forwarded to list. Copy sent to Debian Install System Team <debian-boot@lists.debian.org>. (Wed, 25 Oct 2017 17:30:03 GMT)


Message #10 received at 879732@bugs.debian.org:

From: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
To: team@security.debian.org, 879732@bugs.debian.org
Subject: Re: Bug#879732: CVE-2017-15874 / CVE-2017-15873
Date: Wed, 25 Oct 2017 19:27:42 +0200
Tags: upstream confirmed

Moritz Muehlenhoff wrote...

> Hi,
> please see:

Thanks for the heads-up, we'll try to get this fixed as soon as
possible. For the moment, I'm somewhat confused about the affected
distributions as listed in the security tracker. Could you please check?

> CVE-2017-15873
> The get_next_block function in archival/libarchive/decompress_bunzip2.c
> in BusyBox 1.27.2 has an Integer Overflow that may lead to a write
> access violation.

The reproducer works for all distributions here, back to and including
wheezy.

> CVE-2017-15874
> archival/libarchive/decompress_unlzma.c in BusyBox 1.27.2 has an Integer
> Underflow that leads to a read access violation.

This one works for sid and buster only. Otherwise, it just returns
"lzma: unexpected EOF".

Also, I noticed upstream did not provide a fix yet. I'll try to help,
details in the upstream bug tracker soon-ish.

    Christoph

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#879732; Package busybox. (Wed, 25 Oct 2017 17:51:03 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Install System Team <debian-boot@lists.debian.org>. (Wed, 25 Oct 2017 17:51:03 GMT)


Message #15 received at 879732@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
Cc: team@security.debian.org, 879732@bugs.debian.org
Subject: Re: Bug#879732: CVE-2017-15874 / CVE-2017-15873
Date: Wed, 25 Oct 2017 19:49:30 +0200
On Wed, Oct 25, 2017 at 07:27:42PM +0200, Christoph Biedl wrote:
> Tags: upstream confirmed
> 
> Moritz Muehlenhoff wrote...
> 
> > Hi,
> > please see:
> 
> Thanks for the heads-up, we'll try to get this fixed as soon as
> possible. For the moment, I'm somewhat confused about the affected
> distributions as listed in the security tracker. Could you please check?

That's not surprising :-)

By default all older releases are marked as affected (unless specific
suites are updated to reflect that they are not vulnerable).

Cheers,
        Moritz




Reply sent to Chris Boot <bootc@debian.org>:
You have taken responsibility. (Tue, 28 Nov 2017 15:09:07 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Tue, 28 Nov 2017 15:09:08 GMT)


Message #20 received at 879732-close@bugs.debian.org:

From: Chris Boot <bootc@debian.org>
To: 879732-close@bugs.debian.org
Subject: Bug#879732: fixed in busybox 1:1.27.2-2
Date: Tue, 28 Nov 2017 15:07:21 +0000
Source: busybox
Source-Version: 1:1.27.2-2

We believe that the bug you reported is fixed in the latest version of
busybox, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 879732@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Boot <bootc@debian.org> (supplier of updated busybox package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 28 Nov 2017 13:45:04 +0000
Source: busybox
Binary: busybox busybox-static busybox-udeb busybox-syslogd udhcpc udhcpd
Architecture: source
Version: 1:1.27.2-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Install System Team <debian-boot@lists.debian.org>
Changed-By: Chris Boot <bootc@debian.org>
Description:
 busybox    - Tiny utilities for small and embedded systems
 busybox-static - Standalone rescue shell with tons of builtin utilities
 busybox-syslogd - Provides syslogd and klogd using busybox
 busybox-udeb - Tiny utilities for the debian-installer (udeb)
 udhcpc     - Provides the busybox DHCP client implementation
 udhcpd     - Provides the busybox DHCP server implementation
Closes: 549022 801850 879732
Changes:
 busybox (1:1.27.2-2) unstable; urgency=medium
 .
   * Trigger an initramfs rebuild on installation. (Closes: #549022)
   * Temporarily re-enable invalid variable names in the udeb flavour for
     debian-installer.
   * Install the readlink binary in /bin. (Closes: #801850)
   * Fix integer overflow in bzip2 decompression [CVE-2017-15874].
     (Closes: #879732)
   * Fix integer underflow in LZMA decompressor [CVE-2017-15874].
     (Closes: #879732)
   * Prevent tab completion for strings containing control characters
     [CVE-2017-16544].
   * Debian packaging changes:
     - Update debian/control:
       - Update Standards-Version to 4.1.1.
       - Change Priority to optional for all packages.
     - Remove obsolete debian/gbp.conf.
     - Update debian/watch:
       - Switch to format=4.
       - Use HTTPS URI.





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 31 Dec 2017 07:28:22 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:04:14 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.