Mageia alert MGASA-2021-0533 (busybox)
| From: | Mageia Updates <buildsystem-daemon@mageia.org> | |
| To: | updates-announce@ml.mageia.org | |
| Subject: | [updates-announce] MGASA-2021-0533: Updated busybox packages fix security vulnerability | |
| Date: | Thu, 02 Dec 2021 17:50:24 +0100 | |
| Message-ID: | <20211202165024.7D8869F9EC@duvel.mageia.org> | |
| Archive-link: | Article |
MGASA-2021-0533 - Updated busybox packages fix security vulnerability Publication date: 02 Dec 2021 URL: https://advisories.mageia.org/MGASA-2021-0533.html Type: security Affected Mageia releases: 8 CVE: CVE-2021-42376, CVE-2021-42377, CVE-2021-42378, CVE-2021-42379, CVE-2021-42380, CVE-2021-42381, CVE-2021-42382, CVE-2021-42383, CVE-2021-42384, CVE-2021-42385, CVE-2021-42386 Description: A NULL pointer dereference in Busybox's hush applet leads to denial of service when processing a crafted shell command, due to missing validation after a \x03 delimiter character. This may be used for DoS under very rare conditions of filtered command input. (CVE-2021-42376) An attacker-controlled pointer free in Busybox's hush applet leads to denial of service and possible code execution when processing a crafted shell command, due to the shell mishandling the &&& string. This may be used for remote code execution under rare conditions of filtered command input. (CVE-2021-42377) A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function. (CVE-2021-42378) A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file function. (CVE-2021-42379) A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function. (CVE-2021-42380) A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init function. (CVE-2021-42381) A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s function. (CVE-2021-42382) A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function. (CVE-2021-42383) A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function. (CVE-2021-42384) A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function. (CVE-2021-42385) A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function. (CVE-2021-42386) References: - https://bugs.mageia.org/show_bug.cgi?id=29697 - https://lists.fedoraproject.org/archives/list/package-ann... - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4... - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4... - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4... - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4... - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4... - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4... - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4... - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4... - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4... - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4... - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4... SRPMS: - 8/core/busybox-1.34.1-1.mga8