USN-6335-1: BusyBox vulnerabilities
4 September 2023
Several security issues were fixed in BusyBox.
Releases
Packages
- busybox - Tiny utilities for small and embedded systems
Details
It was discovered that BusyBox incorrectly handled certain malformed gzip
archives. If a user or automated system were tricked into processing a
specially crafted gzip archive, a remote attacker could use this issue to
cause BusyBox to crash, resulting in a denial of service, or execute
arbitrary code. This issue only affected Ubuntu 14.04 LTS.
(CVE-2021-28831)
It was discovered that BusyBox did not properly validate user input when
performing certain arithmetic operations. If a user or automated system
were tricked into processing a specially crafted file, an attacker could
possibly use this issue to cause BusyBox to crash, resulting in a denial
of service, or execute arbitrary code. (CVE-2022-48174)
Update instructions
The problem can be corrected by updating your system to the following package versions:
Ubuntu 18.04
-
busybox
-
1:1.27.2-2ubuntu3.4+esm1
Available with Ubuntu Pro
-
busybox-initramfs
-
1:1.27.2-2ubuntu3.4+esm1
Available with Ubuntu Pro
-
busybox-static
-
1:1.27.2-2ubuntu3.4+esm1
Available with Ubuntu Pro
Ubuntu 16.04
-
busybox
-
1:1.22.0-15ubuntu1.4+esm2
Available with Ubuntu Pro
-
busybox-initramfs
-
1:1.22.0-15ubuntu1.4+esm2
Available with Ubuntu Pro
-
busybox-static
-
1:1.22.0-15ubuntu1.4+esm2
Available with Ubuntu Pro
Ubuntu 14.04
-
busybox
-
1:1.21.0-1ubuntu1.4+esm1
Available with Ubuntu Pro
-
busybox-initramfs
-
1:1.21.0-1ubuntu1.4+esm1
Available with Ubuntu Pro
-
busybox-static
-
1:1.21.0-1ubuntu1.4+esm1
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References
Related notices
- USN-6961-1: busybox-static, busybox-initramfs, udhcpd, udhcpc, busybox-syslogd, busybox
- USN-5179-1: busybox-static, busybox-initramfs, udhcpd, udhcpc, busybox-syslogd, busybox
- USN-5179-2: busybox-static, busybox-initramfs, udhcpd, udhcpc, busybox-syslogd, busybox