CVE-2021-42374

Published: 15 November 2021

An out-of-bounds heap read in Busybox's unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format that

Notes

Author	Note
mdeslaur	introduced in 1.27.0

Priority

CVSS 3 base score: 5.3

Status

Package	Release	Status
busybox Launchpad, Ubuntu, Debian	bionic	Released (1:1.27.2-2ubuntu3.4)
	focal	Released (1:1.30.1-4ubuntu6.4)
	hirsute	Released (1:1.30.1-6ubuntu2.1)
	impish	Released (1:1.30.1-6ubuntu3.1)
	jammy	Released (1:1.30.1-7ubuntu2)
	trusty	Not vulnerable
	upstream	Released (1.34.0)
	xenial	Not vulnerable
	Patches: upstream: https://git.busybox.net/busybox/commit/?id=04f052c56ded5ab6a904e3a264a73dc0412b2e78

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42374
https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
https://ubuntu.com/security/notices/USN-5179-1
NVD
Launchpad
Debian

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›