Headline
Red Hat Security Advisory 2023-5178-01
Red Hat Security Advisory 2023-5178-01 - BusyBox is a binary file that combines a large number of common system utilities into a single executable file. BusyBox provides replacements for most GNU file utilities, shell utilities, and other command-line tools. Issues addressed include a code execution vulnerability.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: busybox security update
Advisory ID: RHSA-2023:5178-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2023:5178
Issue date: 2023-09-18
CVE Names: CVE-2022-48174
=====================================================================
- Summary:
An update for busybox is now available for Red Hat Enterprise Linux 6
Extended Lifecycle Support.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat Enterprise Linux Server (v. 6 ELS) - i386, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6 ELS) - i386, s390x, x86_64
- Description:
BusyBox is a binary file that combines a large number of common system
utilities into a single executable file. BusyBox provides replacements for
most GNU file utilities, shell utilities, and other command-line tools.
Security Fix(es):
- busybox: stack overflow vulnerability in ash.c leads to arbitrary code
execution (CVE-2022-48174)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
- Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
- Bugs fixed (https://bugzilla.redhat.com/):
2237153 - CVE-2022-48174 busybox: stack overflow vulnerability in ash.c leads to arbitrary code execution
- Package List:
Red Hat Enterprise Linux Server (v. 6 ELS):
Source:
busybox-1.15.1-21.el6_10.1.src.rpm
i386:
busybox-1.15.1-21.el6_10.1.i686.rpm
s390x:
busybox-1.15.1-21.el6_10.1.s390x.rpm
x86_64:
busybox-1.15.1-21.el6_10.1.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 6 ELS):
i386:
busybox-petitboot-1.15.1-21.el6_10.1.i686.rpm
s390x:
busybox-petitboot-1.15.1-21.el6_10.1.s390x.rpm
x86_64:
busybox-petitboot-1.15.1-21.el6_10.1.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2022-48174
https://access.redhat.com/security/updates/classification/#important
- Contact:
The Red Hat security contact is [email protected]. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCAAGBQJlCBfTAAoJENzjgjWX9erEzmAP/RmwDHGe14y/euLvv4vGmIgO
FRZMAl+9/yUcqDuVh0p3u8P3mvkXCAlIiztE5azhqB3vre5Qm/SXUNlUtP0arji/
w6aCZAQNGGRQkAqzTktGNrRtgMkWxJvUCerohVjqFZvOlVor7fmKMFLYFUcYhLiO
p+ivsZOvfI0AnvuuURnissQrKWnrun1/Cr0m6HsdDtdOayup82FRKvcLvHaKSmqJ
jrAbWWbO8s41lTAUlW0vcY3CHUwc7AbIpCCSX8J47pnelU36XVWqRTZBpcnolqEK
vZr3JZ8KAPNkH7xOX8poj6mQTLNskDaWAKj7+kexhmlvDaQx3f5B8HIwPV5j12kB
lpcOv/tk6Ae0LlXCIzOO6vFhALq/CgNl5dQCgAMJqZ2Nw2QNv46vzbE6ngsDjzG/
wV0HYrkHfM0HEH/99cZ78E5hLT/mOtQc3H7ULT+N1fT7PudhSXeQQZJ/3Wk3WoZp
qQYc4h+bSa99hx/tiPTnB6/Wq/0LEdW8GfgBtSBahsytSKXY0J97F7neNluWUWL1
42xAXqBZDuJrMW5ipZKN8iM77QJHptBBfniPpkUAHUv/jiwAL7UMDO9sEbzlMIC1
CgZ1wOmYq9GQZ+T2bmzGKw7LyIb8R7sS9MFufEdb3+GIrXa2d0FtBkxJdm+sqYtR
UGfyeke89lQjXxdkK6ng
=4nga
-----END PGP SIGNATURE-----
–
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce
Related news
Ubuntu Security Notice 6961-1 - It was discovered that BusyBox did not properly validate user input when performing certain arithmetic operations. If a user or automated system were tricked into processing a specially crafted file, an attacker could possibly use this issue to cause a denial of service, or execute arbitrary code. It was discovered that BusyBox incorrectly managed memory when evaluating certain awk expressions. An attacker could possibly use this issue to cause a denial of service, or execute arbitrary code. This issue only affected Ubuntu 24.04 LTS.
An update for busybox is now available for Red Hat Enterprise Linux 6 Extended Lifecycle Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-48174: A vulnerability was found in the BusyBox package. This issue occurs via a stack overflow vulnerability in ash.c in BusyBox, which may allow arbitrary code execution.
Ubuntu Security Notice 6335-1 - It was discovered that BusyBox incorrectly handled certain malformed gzip archives. If a user or automated system were tricked into processing a specially crafted gzip archive, a remote attacker could use this issue to cause BusyBox to crash, resulting in a denial of service, or execute arbitrary code. This issue only affected Ubuntu 14.04 LTS. It was discovered that BusyBox did not properly validate user input when performing certain arithmetic operations. If a user or automated system were tricked into processing a specially crafted file, an attacker could possibly use this issue to cause BusyBox to crash, resulting in a denial of service, or execute arbitrary code.
There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution.