Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

USN-3935-1: BusyBox vulnerabilities

3 April 2019

Several security issues were fixed in BusyBox.

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Releases

Packages

  • busybox - Tiny utilities for small and embedded systems

Details

Tyler Hicks discovered that BusyBox incorrectly handled symlinks inside tar
archives. If a user or automated system were tricked into processing a
specially crafted tar archive, a remote attacker could overwrite arbitrary
files outside of the current directory. This issue only affected Ubuntu
14.04 LTS and Ubuntu 16.04 LTS. (CVE-2011-5325)

Mathias Krause discovered that BusyBox incorrectly handled kernel module
loading restrictions. A local attacker could possibly use this issue to
bypass intended restrictions. This issue only affected Ubuntu 14.04 LTS.
(CVE-2014-9645)

It was discovered that BusyBox incorrectly handled certain ZIP archives. If
a user or automated system were tricked into processing a specially crafted
ZIP archive, a remote attacker could cause BusyBox to crash, leading to a
denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu
16.04 LTS. (CVE-2015-9261)

Nico Golde discovered that the BusyBox DHCP client incorrectly handled
certain malformed domain names. A remote attacker could possibly use this
issue to cause the DHCP client to crash, leading to a denial of service.
This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS.
(CVE-2016-2147)

Nico Golde discovered that the BusyBox DHCP client incorrectly handled
certain 6RD options. A remote attacker could use this issue to cause the
DHCP client to crash, leading to a denial of service, or possibly execute
arbitrary code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04
LTS. (CVE-2016-2148)

It was discovered that BusyBox incorrectly handled certain bzip2 archives.
If a user or automated system were tricked into processing a specially
crafted bzip2 archive, a remote attacker could cause BusyBox to crash,
leading to a denial of service, or possibly execute arbitrary code. This
issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2017-15873)

It was discovered that BusyBox incorrectly handled tab completion. A local
attacker could possibly use this issue to execute arbitrary code. This
issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2017-16544)

It was discovered that the BusyBox wget utility incorrectly handled certain
responses. A remote attacker could use this issue to cause BusyBox to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2018-1000517)

It was discovered that the BusyBox DHCP utilities incorrectly handled
certain memory operations. A remote attacker could possibly use this issue
to access sensitive information. (CVE-2018-20679, CVE-2019-5747)

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro