busybox 1:1.22.0-15ubuntu1.4 source package in Ubuntu

Changelog

busybox (1:1.22.0-15ubuntu1.4) xenial-security; urgency=medium

  * SECURITY UPDATE: directory traversal via tar symlink extraction
    - debian/patches/CVE-2011-5325-1.patch: postpone creation of symlinks
      with "suspicious" targets in archival/libarchive/data_extract_all.c,
      archival/tar.c, archival/tar_symlink_attack, include/bb_archive.h,
      testsuite/tar.tests.
    - debian/patches/CVE-2011-5325-2.patch: do not extract unsafe symlinks
      unless env variable is set in archival/libarchive/Kbuild.src,
      archival/libarchive/data_extract_all.c,
      archival/libarchive/unsafe_symlink_target.c, archival/tar.c,
      include/bb_archive.h, libbb/copy_file.c, testsuite/tar.tests.
    - debian/patches/CVE-2011-5325-3.patch: postpone creation of symlinks
      with "suspicious" targets in archival/libarchive/data_extract_all.c,
      archival/libarchive/unsafe_symlink_target.c, archival/tar.c,
      include/bb_archive.h, testsuite/tar.tests.
    - debian/patches/CVE-2011-5325-4.patch: extract "unsafe" symlinks
      the same way tar/unzip does in archival/cpio.c.
    - debian/patches/CVE-2011-5325-5.patch: fix symlink creation in
      archival/libarchive/get_header_ar.c.
    - CVE-2011-5325
  * SECURITY UPDATE: integer overflow in the DHCP client
    - debian/patches/CVE-2016-2147-1.patch: fix a SEGV on malformed
      RFC1035-encoded domain name in networking/udhcp/domain_codec.c.
    - debian/patches/CVE-2016-2147-2.patch: fix a warning in debug code in
      networking/udhcp/domain_codec.c.
    - CVE-2016-2147
  * SECURITY UPDATE: heap-based buffer overflow in the DHCP client
    - debian/patches/CVE-2016-2148.patch: fix OPTION_6RD parsing in
      networking/udhcp/common.c, networking/udhcp/dhcpc.c.
    - CVE-2016-2148
  * SECURITY UPDATE: integer overflow in get_next_block
    - debian/patches/CVE-2017-15873.patch: fix runCnt overflow in
      archival/libarchive/decompress_bunzip2.c.
    - CVE-2017-15873
  * SECURITY UPDATE: code execution in tab autocomplete feature
    - debian/patches/CVE-2017-16544.patch: check for control characters in
      libbb/lineedit.c.
    - CVE-2017-16544
  * SECURITY UPDATE: DoS in unzip operations
    - debian/patches/CVE-2015-9261-1.patch: test for a bad archive in
      archival/libarchive/decompress_gunzip.c, added test in
      testsuite/unzip.tests.
    - debian/patches/CVE-2015-9261-2.patch: further fix decompression code
      in archival/libarchive/decompress_gunzip.c, testsuite/unzip.tests.
    - CVE-2015-9261
  * SECURITY UPDATE: buffer overflow in wget
    - debian/patches/CVE-2018-1000517.patch: check chunk length in
      networking/wget.c.
    - CVE-2018-1000517
  * SECURITY UPDATE: out-of-bounds read in udhcp
    - debian/patches/CVE-2018-20679.patch: check that 4-byte options are
      indeed 4-byte in networking/udhcp/common.*,
      networking/udhcp/dhcpc.c, networking/udhcp/dhcpd.c.
    - CVE-2018-20679
  * SECURITY UPDATE: incomplete fix for out-of-bounds read in udhcp
    - debian/patches/CVE-2019-5747.patch: when decoding DHCP_SUBNET, ensure
      it is 4 bytes long in networking/udhcp/common.*,
      networking/udhcp/dhcpc.c.
    - CVE-2019-5747
  * debian/rules: fix nocheck test so test suite gets run during build and
    set SKIP_INTERNET_TESTS=y.

 -- Marc Deslauriers <email address hidden>  Wed, 06 Mar 2019 11:51:19 -0500

Upload details

Uploaded by:
Marc Deslauriers on 2019-03-07
Uploaded to:
Xenial
Original maintainer:
Ubuntu Developers
Architectures:
any all
Section:
utils
Urgency:
Medium Urgency

See full publishing history Publishing

Series Pocket Published Component Section
Xenial updates on 2019-04-03 main misc
Xenial security on 2019-04-03 main misc

Downloads

File Size SHA-256 Checksum
busybox_1.22.0.orig.tar.bz2 2.1 MiB 92f00cd391b7d5fa2215c8450abe2ba15f9d16c226e8855fb21b6c9a5b723a53
busybox_1.22.0-15ubuntu1.4.debian.tar.xz 75.0 KiB c14785f3b9552729b52242f671eb26d62747861788b38fa2d0377929dcb4a8aa
busybox_1.22.0-15ubuntu1.4.dsc 2.4 KiB 5a7b38d1f5371a6ccc53fdb3a4729f8a412579d4c7c91033fa47ba3e8b0355ee

Available diffs

  • diff from 1:1.22.0-15ubuntu1.3 to 1:1.22.0-15ubuntu1.4 (pending)

View changes file

Binary packages built by this source

busybox: Tiny utilities for small and embedded systems

 BusyBox combines tiny versions of many common UNIX utilities into a single
 small executable. It provides minimalist replacements for the most common
 utilities you would usually find on your desktop system (i.e., ls, cp, mv,
 mount, tar, etc.). The utilities in BusyBox generally have fewer options than
 their full-featured GNU cousins; however, the options that are included
 provide the expected functionality and behave very much like their GNU
 counterparts.
 .
 This package installs the BusyBox binary but does not install
 symlinks for any of the supported utilities. Some of the utilities
 can be used in the system by installing the busybox-syslogd,
 busybox-udhcpc or busybox-udhcpd packages.

busybox-dbgsym: debug symbols for package busybox

 BusyBox combines tiny versions of many common UNIX utilities into a single
 small executable. It provides minimalist replacements for the most common
 utilities you would usually find on your desktop system (i.e., ls, cp, mv,
 mount, tar, etc.). The utilities in BusyBox generally have fewer options than
 their full-featured GNU cousins; however, the options that are included
 provide the expected functionality and behave very much like their GNU
 counterparts.
 .
 This package installs the BusyBox binary but does not install
 symlinks for any of the supported utilities. Some of the utilities
 can be used in the system by installing the busybox-syslogd,
 busybox-udhcpc or busybox-udhcpd packages.

busybox-initramfs: Standalone shell setup for initramfs

 BusyBox combines tiny versions of many common UNIX utilities into a single
 small executable. It provides minimalist replacements for the most common
 utilities you would usually find on your desktop system (i.e., ls, cp, mv,
 mount, tar, etc.). The utilities in BusyBox generally have fewer options than
 their full-featured GNU cousins; however, the options that are included
 provide the expected functionality and behave very much like their GNU
 counterparts.
 .
 busybox-initramfs provides a simple stand alone shell that provides
 only the basic utilities needed for the initramfs.

busybox-initramfs-dbgsym: debug symbols for package busybox-initramfs

 BusyBox combines tiny versions of many common UNIX utilities into a single
 small executable. It provides minimalist replacements for the most common
 utilities you would usually find on your desktop system (i.e., ls, cp, mv,
 mount, tar, etc.). The utilities in BusyBox generally have fewer options than
 their full-featured GNU cousins; however, the options that are included
 provide the expected functionality and behave very much like their GNU
 counterparts.
 .
 busybox-initramfs provides a simple stand alone shell that provides
 only the basic utilities needed for the initramfs.

busybox-static: Standalone rescue shell with tons of builtin utilities

 BusyBox combines tiny versions of many common UNIX utilities into a single
 small executable. It provides minimalist replacements for the most common
 utilities you would usually find on your desktop system (i.e., ls, cp, mv,
 mount, tar, etc.). The utilities in BusyBox generally have fewer options than
 their full-featured GNU cousins; however, the options that are included
 provide the expected functionality and behave very much like their GNU
 counterparts.
 .
 busybox-static provides you with a statically linked simple stand alone shell
 that provides all the utilities available in BusyBox. This package is
 intended to be used as a rescue shell, in the event that you screw up your
 system. Invoke "busybox sh" and you have a standalone shell ready to save
 your system from certain destruction. Invoke "busybox", and it will list the
 available builtin commands.

busybox-static-dbgsym: debug symbols for package busybox-static

 BusyBox combines tiny versions of many common UNIX utilities into a single
 small executable. It provides minimalist replacements for the most common
 utilities you would usually find on your desktop system (i.e., ls, cp, mv,
 mount, tar, etc.). The utilities in BusyBox generally have fewer options than
 their full-featured GNU cousins; however, the options that are included
 provide the expected functionality and behave very much like their GNU
 counterparts.
 .
 busybox-static provides you with a statically linked simple stand alone shell
 that provides all the utilities available in BusyBox. This package is
 intended to be used as a rescue shell, in the event that you screw up your
 system. Invoke "busybox sh" and you have a standalone shell ready to save
 your system from certain destruction. Invoke "busybox", and it will list the
 available builtin commands.

busybox-syslogd: Provides syslogd and klogd using busybox

 The system log daemon is responsible for providing logging of
 messages received from programs and facilities on the local host as
 well as from remote hosts.
 .
 The kernel log daemon listens to kernel message sources and is
 responsible for prioritizing and processing operating system
 messages.
 .
 The busybox implementation of the syslogd is particular useful on
 embedded, diskless (netboot) or flash disk based systems because it
 can use a fixed size ring buffer for logging instead of saving logs
 to the disk or sending it to remote logging servers. The ring buffer
 can be read using the (also busybox based) command logread.
 .
 This package provides the glue to the busybox syslogd and klogd to be
 used in the system by providing the appropriate symbolic links and
 scripts.

busybox-udeb: Tiny utilities for the debian-installer

 BusyBox combines tiny versions of many common UNIX utilities into a single
 small executable. It provides minimalist replacements for the most common
 utilities you would usually find on your desktop system (i.e., ls, cp, mv,
 mount, tar, etc.). The utilities in BusyBox generally have fewer options than
 their full-featured GNU cousins; however, the options that are included
 provide the expected functionality and behave very much like their GNU
 counterparts.
 .
 busybox-udeb is used by the debian-installer, so unless you are working on
 the debian-installer, this package is not for you. Installing this
 on your Debian system is a very, very bad idea. You have been warned.

busybox-udeb-dbgsym: debug symbols for package busybox-udeb

 BusyBox combines tiny versions of many common UNIX utilities into a single
 small executable. It provides minimalist replacements for the most common
 utilities you would usually find on your desktop system (i.e., ls, cp, mv,
 mount, tar, etc.). The utilities in BusyBox generally have fewer options than
 their full-featured GNU cousins; however, the options that are included
 provide the expected functionality and behave very much like their GNU
 counterparts.
 .
 busybox-udeb is used by the debian-installer, so unless you are working on
 the debian-installer, this package is not for you. Installing this
 on your Debian system is a very, very bad idea. You have been warned.

udhcpc: Provides the busybox DHCP client implementation

 Busybox contains a very small yet fully functional RFC compliant DHCP
 client formerly known as udhcpc.
 .
 This package contains the glue to use the busybox udhcpc as DHCP
 client in the system by providing the appropriate symbolic links and
 scripts.

udhcpd: Provides the busybox DHCP server implementation

 Busybox contains a very small yet fully function RFC compliant DHCP
 server formerly known as udhcpd.
 .
 This package contains the glue to use the busybox udhcpd as DHCP
 server in the system by providing the appropriate symbolic links and
 scripts.