Report forwarded to debian-bugs-dist@lists.debian.org, unknown-package@qa.debian.org: Bug#803097; Package buzybox. (Mon, 26 Oct 2015 19:27:06 GMT)
Acknowledgement sent to Henri Salo <henri@nerv.fi>: New Bug report received and forwarded. Copy sent to unknown-package@qa.debian.org. (Mon, 26 Oct 2015 19:27:06 GMT)
Subject: busybox: segmentation fault while unzipping bad archive
Date: Mon, 26 Oct 2015 21:22:58 +0200
Package: buzybox
Version: 1:1.22.0-15
Severity: normal
Tags: security, fixed-upstream
Unzipping a specially crafted zip file results in a computation of an invalid
pointer and a crash reading an invalid address.
Mailing list post:
http://www.openwall.com/lists/oss-security/2015/10/25/3
Fix:
http://git.busybox.net/busybox/commit/?id=1de25a6e87e0e627aa34298105a3d17c60a1f44e
--
Henri Salo
Bug reassigned from package 'buzybox' to 'busybox'. Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Fri, 30 Oct 2015 12:15:18 GMT)
No longer marked as found in versions 1:1.22.0-15. Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Fri, 30 Oct 2015 12:15:19 GMT)
Marked as found in versions busybox/1:1.22.0-15. Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Fri, 30 Oct 2015 12:15:20 GMT)
Reply sent to Chris Lamb <lamby@debian.org>: You have taken responsibility. (Sat, 31 Oct 2015 04:51:04 GMT)
Notification sent to Henri Salo <henri@nerv.fi>: Bug acknowledged by developer. (Sat, 31 Oct 2015 04:51:04 GMT)
Subject: Bug#803097: fixed in busybox 1:1.17.1-8+deb6u11
Date: Sat, 31 Oct 2015 04:48:51 +0000
Source: busybox
Source-Version: 1:1.17.1-8+deb6u11
We believe that the bug you reported is fixed in the latest version of
busybox, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 803097@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated busybox package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sat, 31 Oct 2015 04:39:59 +0000
Source: busybox
Binary: busybox busybox-static busybox-udeb busybox-syslogd udhcpc udhcpd
Architecture: source all amd64
Version: 1:1.17.1-8+deb6u11
Distribution: squeeze-lts
Urgency: high
Maintainer: Debian Install System Team <debian-boot@lists.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
busybox - Tiny utilities for small and embedded systems
busybox-static - Standalone rescue shell with tons of builtin utilities
busybox-syslogd - Provides syslogd and klogd using busybox
busybox-udeb - Tiny utilities for the debian-installer (udeb)
udhcpc - Provides the busybox DHCP client implementation
udhcpd - Provides the busybox DHCP server implementation
Closes: 803097
Changes:
busybox (1:1.17.1-8+deb6u11) squeeze-lts; urgency=high
.
* Fix segmentation fault while unzipping bad archive (Closes: #803097)
Package-Type: udeb
Bug reopened. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 31 Oct 2015 05:33:03 GMT)
No longer marked as fixed in versions busybox/1:1.17.1-8+deb6u11. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 31 Oct 2015 05:33:04 GMT)
Marked as found in versions busybox/1:1.17.1-8. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 31 Oct 2015 05:33:05 GMT)
Marked as fixed in versions busybox/1:1.17.1-8+deb6u11. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 31 Oct 2015 05:33:06 GMT)
Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 31 Oct 2015 05:42:03 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Install System Team <debian-boot@lists.debian.org>: Bug#803097; Package busybox. (Sun, 01 Nov 2015 11:57:03 GMT)
No longer marked as found in versions busybox/1:1.17.1-8. Request was from Andrei POPESCU <andreimpopescu@gmail.com> to 803097-submit@bugs.debian.org. (Sun, 01 Nov 2015 11:57:03 GMT)
Marked as found in versions busybox/1:1.17.1-8. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 01 Nov 2015 15:03:04 GMT)
Reply sent to Chris Boot <bootc@debian.org>: You have taken responsibility. (Sun, 17 Sep 2017 17:21:14 GMT)
Notification sent to Henri Salo <henri@nerv.fi>: Bug acknowledged by developer. (Sun, 17 Sep 2017 17:21:14 GMT)
Source: busybox
Source-Version: 1:1.27.2-1
We believe that the bug you reported is fixed in the latest version of
busybox, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 803097@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Chris Boot <bootc@debian.org> (supplier of updated busybox package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sun, 17 Sep 2017 17:59:31 +0100
Source: busybox
Binary: busybox busybox-static busybox-udeb busybox-syslogd udhcpc udhcpd
Architecture: source
Version: 1:1.27.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Install System Team <debian-boot@lists.debian.org>
Changed-By: Chris Boot <bootc@debian.org>
Description:
busybox - Tiny utilities for small and embedded systems
busybox-static - Standalone rescue shell with tons of builtin utilities
busybox-syslogd - Provides syslogd and klogd using busybox
busybox-udeb - Tiny utilities for the debian-installer (udeb)
udhcpc - Provides the busybox DHCP client implementation
udhcpd - Provides the busybox DHCP server implementation
Closes: 794526 802702 803097 812074 818497 818499 873472
Changes:
busybox (1:1.27.2-1) unstable; urgency=medium
.
  * New upstream release. This addresses:
    - Segmentation fault when creating compressed tar files. (Closes: #812074)
    - Pointer misuse unzipping files. (Closes: #803097)
    - Buffer overflow in the DHCP client [CVE-2016-2148]. (Closes: #818497)
    - Integer overflow in the DHCP client [CVE-2016-2147]. (Closes: #818499)
  * Postpone creation of symlinks with "suspicious" targets [CVE-2011-5325].
    (Closes: #802702)
  * Re-enable the test suite during build. (Closes: #794526)
  * udhcpc: correct a typo in /etc/udhcpc/default.script. (Closes: #873472)
  * Debian packaging changes:
    - Run wrap-and-sort -st.
    - Update debian/control:
      - Replace Uploaders with myself and Christoph Biedl. Many thanks to
        Bastian Blank and Michael Tokarev for having maintained busybox for
        many years prior.
      - Remove Build-Depends to avoid ancient broken libc-dev-bin.
      - Bump Build-Depends on debhelper to >= 10.
    - Rewrite debian/rules:
      - Simplify and use the dh sequencer.
      - Remove test for ancient broken libc6 versions with static binaries.
      - Strip -O2 from CFLAGS, falling back to -Os from the busybox
        configuration.
      - Abort the build if 'make oldconfig' changes the configuration at all.
    - Update busybox build configuration files for the new upstream release.
      - The udeb configuration mostly hasn't changed, but enable fgrep,
        blkdiscard, bzcat and lsscsi.
      - The deb and static configurations have had upstream recommendations
        enabled for new options.
    - Switch to debhelper compatibility level 10.
    - Add Depends on lsb-base to busybox-syslogd and udhcpd.
    - Update debian/.gitignore.
    - Update Standards-Version to 4.0.1:
      - Disable tests that require networking.
Changed Bug title to 'busybox: CVE-2015-9261: segmentation fault while unzipping bad archive' from 'busybox: segmentation fault while unzipping bad archive'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 26 Jul 2018 19:09:03 GMT)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 05 Jun 2019 08:42:41 GMT)