
CVE-2021-42379

Published: 15 November 2021

A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file function

Priority

Low

CVSS 3 base score: 7.2

Status

Package: busybox (Launchpad, Ubuntu, Debian)

Release   Status
bionic    Released (1:1.27.2-2ubuntu3.4)
focal     Released (1:1.30.1-4ubuntu6.4)
hirsute   Released (1:1.30.1-6ubuntu2.1)
impish    Released (1:1.30.1-6ubuntu3.1)
jammy     Released (1:1.30.1-7ubuntu2)
trusty    Ignored (see notes)
upstream  Released (1.34.0)
xenial    Ignored (see notes)

Notes

Author: ccdm94

The fix (importing awk.c from busybox version >= 1.34.0 due to the large amount of changes made to the awk.c code) introduces a regression to busybox awk in xenial and earlier. Applying changes from the commit which prevents this regression from happening (237bedd499c) could result in further regressions being introduced to other applets in busybox. This happens because interfaces for applets are altered in this commit, and the calls to get them executed through busybox are modified. External applications which use busybox could end up with regressions as well because of this.

References