
Mageia alert MGASA-2012-0171 (busybox)

From:  Mageia Updates <buildsystem-daemon@mageia.org>
To:  updates-announce@ml.mageia.org
Subject:  [updates-announce] MGASA-2012-0171: busybox-1.18.4-1.1.mga1 (1/core)
Date:  Thu, 19 Jul 2012 02:02:13 +0200
Message-ID:  <20120719000213.GA26436@valstar.mageia.org>

MGASA-2012-0171

Date: July 19th, 2012
Affected releases: 1

Description:

Updated busybox packages fix security vulnerabilities:

A buffer underflow flaw was found in the way the uncompress utility of BusyBox expanded certain archive files compressed using Lempel-Ziv compression. If a user were tricked into expanding a specially-crafted archive file with uncompress, it could cause BusyBox to crash or, potentially, execute arbitrary code with the privileges of the user running BusyBox (CVE-2006-1168).

The BusyBox DHCP client, udhcpc, did not sufficiently sanitize certain options provided in DHCP server replies, such as the client hostname. A malicious DHCP server could send such an option with a specially-crafted value to a DHCP client. If this option's value was saved on the client system, and then later insecurely evaluated by a process that assumes the option is trusted, it could lead to arbitrary code execution with the privileges of that process. Note: udhcpc is not used on Red Hat Enterprise Linux by default, and no DHCP client script is provided with the busybox packages (CVE-2011-2716).

Updated Packages:

busybox-1.18.4-1.1.mga1
busybox-static-1.18.4-1.1.mga1

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1168
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2716
https://rhn.redhat.com/errata/RHSA-2012-0810.html
https://bugs.mageia.org/show_bug.cgi?id=6673
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-...
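
For sites that run their own udhcpc client script, the hostname option described under CVE-2011-2716 can be checked against a strict allowlist before it is stored or used. The following is an added example, not code from BusyBox, Mageia or the advisory; the function names are hypothetical and it assumes the option value is already available in a shell variable.

```shell
#!/bin/sh
# Added example (not BusyBox or Mageia code): validate a DHCP-supplied
# hostname before a client script stores or uses it.
# Assumption: the option value is already in a shell variable; the function
# names below are hypothetical.
LC_ALL=C; export LC_ALL   # make A-Z, a-z, 0-9 byte ranges, not locale ranges

# Succeeds only for dot-separated labels of 1-63 characters from
# [A-Za-z0-9-], no leading or trailing hyphen, at most 253 bytes in total.
is_safe_hostname() {
    name=$1
    [ -n "$name" ] || return 1
    [ "${#name}" -le 253 ] || return 1
    case $name in
        *[!A-Za-z0-9.-]*) return 1 ;;  # metacharacters, spaces, control bytes
        .*|*.|*..*) return 1 ;;        # empty label
    esac
    rest=$name
    while [ -n "$rest" ]; do
        label=${rest%%.*}
        [ "${#label}" -le 63 ] || return 1
        case $label in
            -*|*-) return 1 ;;         # label starts or ends with a hyphen
        esac
        case $rest in
            *.*) rest=${rest#*.} ;;    # move on to the next label
            *) rest= ;;                # that was the last label
        esac
    done
    return 0
}

# Print the DHCP value if it validates, otherwise the local fallback.
choose_hostname() {
    if is_safe_hostname "$1"; then
        printf '%s\n' "$1"
    else
        printf '%s\n' "$2"
    fi
}

# Constructed sample values, standing in for what a DHCP reply might carry.
for sample in 'web-01.example.org' 'bad;name' 'a$(id)' '-lead.example'; do
    printf '%-20s -> %s\n' "$sample" "$(choose_hostname "$sample" localhost)"
done
```

Validation at the point of receipt does not replace quoting the value wherever it is later expanded; both are needed because the advisory's risk arises when a later process treats the saved value as trusted.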



Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds