Headline
Ubuntu Security Notice USN-6961-1
Ubuntu Security Notice 6961-1 - It was discovered that BusyBox did not properly validate user input when performing certain arithmetic operations. If a user or automated system were tricked into processing a specially crafted file, an attacker could possibly use this issue to cause a denial of service, or execute arbitrary code. It was discovered that BusyBox incorrectly managed memory when evaluating certain awk expressions. An attacker could possibly use this issue to cause a denial of service, or execute arbitrary code. This issue only affected Ubuntu 24.04 LTS.
==========================================================================Ubuntu Security Notice USN-6961-1August 14, 2024busybox vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 24.04 LTS- Ubuntu 22.04 LTS- Ubuntu 20.04 LTSSummary:Several security issues were fixed in BusyBox.Software Description:- busybox: Tiny utilities for small and embedded systemsDetails:It was discovered that BusyBox did not properly validate user input whenperforming certain arithmetic operations. If a user or automated systemwere tricked into processing a specially crafted file, an attacker couldpossibly use this issue to cause a denial of service, or execute arbitrarycode. (CVE-2022-48174)It was discovered that BusyBox incorrectly managed memory when evaluatingcertain awk expressions. An attacker could possibly use this issue to causea denial of service, or execute arbitrary code. This issue only affectedUbuntu 24.04 LTS. (CVE-2023-42363, CVE-2023-42364, CVE-2023-42365)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 24.04 LTS busybox 1:1.36.1-6ubuntu3.1 busybox-initramfs 1:1.36.1-6ubuntu3.1 busybox-static 1:1.36.1-6ubuntu3.1Ubuntu 22.04 LTS busybox 1:1.30.1-7ubuntu3.1 busybox-initramfs 1:1.30.1-7ubuntu3.1 busybox-static 1:1.30.1-7ubuntu3.1Ubuntu 20.04 LTS busybox 1:1.30.1-4ubuntu6.5 busybox-initramfs 1:1.30.1-4ubuntu6.5 busybox-static 1:1.30.1-4ubuntu6.5In general, a standard system update will make all the necessary changes.References: https://ubuntu.com/security/notices/USN-6961-1 CVE-2022-48174, CVE-2023-42363, CVE-2023-42364, CVE-2023-42365Package Information: https://launchpad.net/ubuntu/+source/busybox/1:1.36.1-6ubuntu3.1 https://launchpad.net/ubuntu/+source/busybox/1:1.30.1-7ubuntu3.1 https://launchpad.net/ubuntu/+source/busybox/1:1.30.1-4ubuntu6.5Related news
A use-after-free vulnerability was discovered in BusyBox v.1.36.1 via a crafted awk pattern in the awk.c copyvar function.
A use-after-free vulnerability in BusyBox v.1.36.1 allows attackers to cause a denial of service via a crafted awk pattern in the awk.c evaluate function.
A use-after-free vulnerability was discovered in xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1.
Red Hat Security Advisory 2023-5178-01 - BusyBox is a binary file that combines a large number of common system utilities into a single executable file. BusyBox provides replacements for most GNU file utilities, shell utilities, and other command-line tools. Issues addressed include a code execution vulnerability.
An update for busybox is now available for Red Hat Enterprise Linux 6 Extended Lifecycle Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-48174: A vulnerability was found in the BusyBox package. This issue occurs via a stack overflow vulnerability in ash.c in BusyBox, which may allow arbitrary code execution.
Ubuntu Security Notice 6335-1 - It was discovered that BusyBox incorrectly handled certain malformed gzip archives. If a user or automated system were tricked into processing a specially crafted gzip archive, a remote attacker could use this issue to cause BusyBox to crash, resulting in a denial of service, or execute arbitrary code. This issue only affected Ubuntu 14.04 LTS. It was discovered that BusyBox did not properly validate user input when performing certain arithmetic operations. If a user or automated system were tricked into processing a specially crafted file, an attacker could possibly use this issue to cause BusyBox to crash, resulting in a denial of service, or execute arbitrary code.
There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution.