FS#56391 - [busybox] [mkinitcpio-busybox] CVE-2017-16544 autocompletion vulnerability
Attached to Project: Community Packages
Opened by Anonymous (reallybmn) - Monday, 20 November 2017, 15:58 GMT
Last edited by Eli Schwartz (eschwartz) - Monday, 26 February 2018, 13:28 GMT
Details
Description:
In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of the shell, used to get a list of filenames in a directory, does not sanitize filenames and results in executing any escape sequence in the terminal. This could potentially result in code execution, arbitrary file writes, or other attacks.

Additional info:
* package version(s): 1.27.2

Steps to reproduce:
Send specially crafted file to busybox and profit.

https://www.twistlock.com/2017/11/20/cve-2017-16544-busybox-autocompletion-vulnerability/

Patch: https://git.busybox.net/busybox/commit/?id=c3797d40a1c57352192c6106cc0f435e7d9c11e8 - Upstream has not yet released a version including the patch.
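The kind of output sanitizing whose absence the description reports, as an added example (not BusyBox's code and not the upstream patch): a display routine that escapes every non-printable byte of a filename before it is written to the terminal. The function name `sanitize_for_display` and the sample filename are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copy `name` into `out` for display, rewriting every byte outside printable
 * ASCII (0x20..0x7e) as \xHH so ESC, CSI and other control bytes reach the
 * terminal as inert text. Conservative: non-ASCII (UTF-8) bytes are escaped
 * too, and the output is for display only, not reversible.
 * Returns the number of bytes escaped, or -1 if `out` is too small. */
int sanitize_for_display(const char *name, char *out, size_t outsz)
{
    static const char hex[] = "0123456789abcdef";
    const unsigned char *p;
    size_t o = 0;
    int escaped = 0;

    if (outsz == 0)
        return -1;
    for (p = (const unsigned char *)name; *p; p++) {
        int plain = (*p >= 0x20 && *p <= 0x7e);
        size_t need = plain ? 1 : 4;
        if (o + need + 1 > outsz)
            return -1;              /* never emit a truncated name */
        if (plain) {
            out[o++] = (char)*p;
        } else {
            out[o++] = '\\';
            out[o++] = 'x';
            out[o++] = hex[*p >> 4];
            out[o++] = hex[*p & 0x0f];
            escaped++;
        }
    }
    out[o] = '\0';
    return escaped;
}

int main(void)
{
    /* Constructed sample: a filename carrying ESC [ 2 J (clear screen). */
    const char *name = "notes\x1b[2J.txt";
    char shown[64];
    int n = sanitize_for_display(name, shown, sizeof shown);

    printf("%s (%d byte(s) escaped)\n", shown, n);
    return 0;
}
```

A non-zero return value is also a cheap signal that a directory holds a filename worth inspecting before anything lists it on a terminal.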
Closed by Eli Schwartz (eschwartz)
Monday, 26 February 2018, 13:28 GMT
Reason for closing: Fixed
Additional comments about closing: testing/mkinitcpio-busybox 1.28.1-1
community/busybox 1.28.1-1
Comment by Eli Schwartz (eschwartz) - Monday, 20 November 2017, 17:04 GMT
- Field changed: Summary ([busybox] CVE-2017-16544 autocompletion vulnerability → [busybox] [mkinitcpio-busybox] CVE-2017-16544 autocompletion vulnerability)
- Task reassigned to Bartłomiej Piotrowski (Barthalion), Levente Polyak (anthraxx), Sergej Pupykin (sergej)
This should affect the stripped-down busybox build available in [core] also; just because it is usually used as the initramfs tools doesn't mean it cannot be equally used to start a busybox ash shell (and possibly be symlinked as /bin/sh or something).

Comment by kikadf (kikadf) - Thursday, 18 January 2018, 15:55 GMT
Upstream has released 1.28.0 (unstable) on 2 Jan 2018, which includes the relevant commit.

Comment by Sergej Pupykin (sergej) - Monday, 26 February 2018, 12:22 GMT
busybox updated to 1.28.1