Security
Headlines
HeadlinesLatestCVEs

Headline

Ubuntu Security Notice USN-6335-1

Ubuntu Security Notice 6335-1 - It was discovered that BusyBox incorrectly handled certain malformed gzip archives. If a user or automated system were tricked into processing a specially crafted gzip archive, a remote attacker could use this issue to cause BusyBox to crash, resulting in a denial of service, or execute arbitrary code. This issue only affected Ubuntu 14.04 LTS. It was discovered that BusyBox did not properly validate user input when performing certain arithmetic operations. If a user or automated system were tricked into processing a specially crafted file, an attacker could possibly use this issue to cause BusyBox to crash, resulting in a denial of service, or execute arbitrary code.

Packet Storm
#vulnerability#ubuntu#dos#perl
==========================================================================Ubuntu Security Notice USN-6335-1September 04, 2023busybox vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 18.04 LTS (Available with Ubuntu Pro)- Ubuntu 16.04 LTS (Available with Ubuntu Pro)- Ubuntu 14.04 LTS (Available with Ubuntu Pro)Summary:Several security issues were fixed in BusyBox.Software Description:- busybox: Tiny utilities for small and embedded systemsDetails:It was discovered that BusyBox incorrectly handled certain malformed gziparchives. If a user or automated system were tricked into processing aspecially crafted gzip archive, a remote attacker could use this issue tocause BusyBox to crash, resulting in a denial of service, or executearbitrary code. This issue only affected Ubuntu 14.04 LTS.(CVE-2021-28831)It was discovered that BusyBox did not properly validate user input whenperforming certain arithmetic operations. If a user or automated systemwere tricked into processing a specially crafted file, an attacker couldpossibly use this issue to cause BusyBox to crash, resulting in a denialof service, or execute arbitrary code. (CVE-2022-48174)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 18.04 LTS (Available with Ubuntu Pro):busybox 1:1.27.2-2ubuntu3.4+esm1busybox-initramfs 1:1.27.2-2ubuntu3.4+esm1busybox-static 1:1.27.2-2ubuntu3.4+esm1Ubuntu 16.04 LTS (Available with Ubuntu Pro):busybox 1:1.22.0-15ubuntu1.4+esm2busybox-initramfs 1:1.22.0-15ubuntu1.4+esm2busybox-static 1:1.22.0-15ubuntu1.4+esm2Ubuntu 14.04 LTS (Available with Ubuntu Pro):busybox 1:1.21.0-1ubuntu1.4+esm1busybox-initramfs 1:1.21.0-1ubuntu1.4+esm1busybox-static 1:1.21.0-1ubuntu1.4+esm1In general, a standard system update will make all the necessary changes.References:https://ubuntu.com/security/notices/USN-6335-1CVE-2021-28831, CVE-2022-48174

Related news

Ubuntu Security Notice USN-6961-1

Ubuntu Security Notice 6961-1 - It was discovered that BusyBox did not properly validate user input when performing certain arithmetic operations. If a user or automated system were tricked into processing a specially crafted file, an attacker could possibly use this issue to cause a denial of service, or execute arbitrary code. It was discovered that BusyBox incorrectly managed memory when evaluating certain awk expressions. An attacker could possibly use this issue to cause a denial of service, or execute arbitrary code. This issue only affected Ubuntu 24.04 LTS.

Red Hat Security Advisory 2023-5178-01

Red Hat Security Advisory 2023-5178-01 - BusyBox is a binary file that combines a large number of common system utilities into a single executable file. BusyBox provides replacements for most GNU file utilities, shell utilities, and other command-line tools. Issues addressed include a code execution vulnerability.

RHSA-2023:5178: Red Hat Security Advisory: busybox security update

An update for busybox is now available for Red Hat Enterprise Linux 6 Extended Lifecycle Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-48174: A vulnerability was found in the BusyBox package. This issue occurs via a stack overflow vulnerability in ash.c in BusyBox, which may allow arbitrary code execution.

CVE-2022-48174: Invalid Bug ID

There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution.

Scanvus now supports Vulners and Vulns.io VM Linux vulnerability detection APIs

Hello everyone! Great news for my open source Scanvus project! You can now perform vulnerability checks on Linux hosts and docker images not only using the Vulners.com API, but also with the Vulns.io VM API. It’s especially nice that all the code to support the new API was written and contributed by colleagues from Vulns.io. […]

Ubuntu Security Notice USN-5179-2

Ubuntu Security Notice 5179-2 - USN-5179-1 fixed vulnerabilities in BusyBox. This update provides the corresponding updates for Ubuntu 16.04 ESM. It was discovered that BusyBox incorrectly handled certain malformed gzip archives. If a user or automated system were tricked into processing a specially crafted gzip archive, a remote attacker could use this issue to cause BusyBox to crash, resulting in a denial of service, or possibly execute arbitrary code.

CVE-2021-28831

decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data.

Packet Storm: Latest News

Acronis Cyber Protect/Backup Remote Code Execution