CVE-2017-16544

Published: 20 November 2017

In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the shell's tab autocomplete feature, which is used to get a list of filenames in a directory, does not sanitize those filenames, so any escape sequence embedded in a filename is executed by the terminal. This could potentially result in code execution, arbitrary file writes, or other attacks.
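The missing check described above, as an added example (not BusyBox's code and not the upstream patch): a completion routine can drop candidates that contain terminal control bytes, or replace those bytes before a name is displayed. The function names and sample filenames are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Return 1 if the name holds a C0 control byte (< 0x20) or DEL (0x7f). */
int has_control_chars(const char *name)
{
    const unsigned char *p = (const unsigned char *)name;
    for (; *p; p++)
        if (*p < 0x20 || *p == 0x7f)
            return 1;
    return 0;
}

/* Compact the array to names that are safe to echo; returns how many remain. */
size_t filter_candidates(const char **names, size_t n)
{
    size_t kept = 0;
    for (size_t i = 0; i < n; i++)
        if (!has_control_chars(names[i]))
            names[kept++] = names[i];
    return kept;
}

/* For listings that must still show the entry: copy with each control
 * byte replaced by '?'. Always NUL-terminates when dstlen > 0. */
size_t sanitize_for_display(const char *src, char *dst, size_t dstlen)
{
    size_t i = 0;
    if (dstlen == 0) return 0;
    for (; src[i] && i + 1 < dstlen; i++) {
        unsigned char c = (unsigned char)src[i];
        dst[i] = (c < 0x20 || c == 0x7f) ? '?' : (char)c;
    }
    dst[i] = '\0';
    return i;
}

int main(void)
{
    /* Constructed sample names; the second carries an ESC (0x1b) byte. */
    const char *names[] = { "notes.txt", "a\x1b[2Jb.txt", "data\x7f.bin" };
    char shown[64];
    sanitize_for_display(names[1], shown, sizeof shown);
    printf("display form: %s\n", shown);
    size_t kept = filter_candidates(names, 3);
    for (size_t i = 0; i < kept; i++)
        printf("candidate: %s\n", names[i]);
    return 0;
}
```

Bytes at or above 0x80 pass through so that UTF-8 filenames survive; a terminal that honours 8-bit C1 controls needs those bytes handled as well.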

Priority

Medium

CVSS 3 base score: 8.8

Status

Package: busybox (Launchpad, Ubuntu, Debian)

Release: Status
Upstream: Needs triage
Ubuntu 21.04 (Hirsute Hippo): Released (1:1.27.2-1ubuntu4)
Ubuntu 20.04 LTS (Focal Fossa): Released (1:1.27.2-1ubuntu4)
Ubuntu 18.04 LTS (Bionic Beaver): Released (1:1.27.2-1ubuntu4)
Ubuntu 16.04 ESM (Xenial Xerus): Released (1:1.22.0-15ubuntu1.4)
Ubuntu 14.04 ESM (Trusty Tahr): Released (1:1.21.0-1ubuntu1.4)

Patches:
Upstream: https://git.busybox.net/busybox/commit/?id=c3797d40a1c57352192c6106cc0f435e7d9c11e8