Published: 15 November 2021
A use-after-free in BusyBox's awk applet, in the getvar_s function, leads to denial of service and possibly code execution when a crafted awk pattern is processed.

Ubuntu note on the fix: the upstream fix imports awk.c from BusyBox 1.34.0 or later, because of the large number of changes made to awk.c, and doing so introduces a regression in BusyBox awk on xenial and earlier. Applying the changes from the upstream commit that prevents this regression (237bedd499c) could in turn introduce regressions in other BusyBox applets, because that commit alters the applet interfaces and the way BusyBox dispatches calls to them. External applications that use BusyBox could be affected by regressions as well.