Change logs for busybox source package in Bionic

  • busybox (1:1.27.2-2ubuntu3.3) bionic-security; urgency=medium
    
      * SECURITY UPDATE: missing ssl cert validation in wget applet
        - debian/patches/CVE-2018-1000500-pre1.patch: emit a message that
          certificate verification is not implemented in networking/wget.c.
        - debian/patches/CVE-2018-1000500-pre2.patch: print warning only once
          in networking/wget.c.
        - debian/patches/CVE-2018-1000500-1.patch: implement TLS verification
          with ENABLE_FEATURE_WGET_OPENSSL in networking/wget.c.
        - debian/patches/CVE-2018-1000500-2.patch: fix openssl options for cert
          verification in networking/wget.c.
        - CVE-2018-1000500
    
     -- Marc Deslauriers <email address hidden>  Fri, 18 Sep 2020 10:26:16 -0400
  • busybox (1:1.27.2-2ubuntu3.2) bionic-security; urgency=medium
    
      * SECURITY UPDATE: buffer overflow in wget
        - debian/patches/CVE-2018-1000517.patch: check chunk length in
          networking/wget.c.
        - CVE-2018-1000517
      * SECURITY UPDATE: out-of-bounds read in udhcp
        - debian/patches/CVE-2018-20679.patch: check that 4-byte options are
          indeed 4-byte in networking/udhcp/common.*,
          networking/udhcp/dhcpc.c, networking/udhcp/dhcpd.c.
        - CVE-2018-20679
      * SECURITY UPDATE: incomplete fix for out-of-bounds read in udhcp
        - debian/patches/CVE-2019-5747.patch: when decoding DHCP_SUBNET, ensure
          it is 4 bytes long in networking/udhcp/common.*,
          networking/udhcp/dhcpc.c.
        - CVE-2019-5747
    
     -- Marc Deslauriers <email address hidden>  Wed, 06 Mar 2019 15:51:41 -0500
  • busybox (1:1.27.2-2ubuntu3.1) bionic; urgency=medium
    
      * Fix symlink handling (LP: #1753572)
        - debian/patches/CVE-2011-5325-2.patch: re-enable patch.
        - debian/patches/CVE-2011-5325-3.patch:postpone creation of symlinks
          with "suspicious" targets in archival/libarchive/data_extract_all.c,
          archival/libarchive/unsafe_symlink_target.c, archival/tar.c,
          include/bb_archive.h, testsuite/tar.tests.
        - debian/patches/CVE-2011-5325-4.patch: extract "unsafe" symlinks
          the same way tar/unzip does in archival/cpio.c.
        - debian/patches/CVE-2011-5325-5.patch: fix symlink creation in
          archival/libarchive/get_header_ar.c.
    
     -- Marc Deslauriers <email address hidden>  Thu, 17 Jan 2019 13:16:38 -0500
  • busybox (1:1.27.2-2ubuntu3) bionic; urgency=medium
    
      * debian/patches/CVE-2011-5325-2.patch: disable patch for now as the
        behaviour is relied upon by debootstrap. (LP: #1737662)
    
     -- Marc Deslauriers <email address hidden>  Tue, 12 Dec 2017 12:58:01 -0500
  • busybox (1:1.27.2-2ubuntu2) bionic; urgency=medium
    
      * Fix missing new config setting for Ubuntu flavors.
    
     -- Steve Langasek <email address hidden>  Wed, 06 Dec 2017 22:14:46 +0000
  • busybox (1:1.27.2-2ubuntu1) bionic; urgency=low
    
      * Merge from Debian unstable.
        - Fixes problem with linux boot parameters not being copied to
          busybox environment, and breaking preseeding.  LP: #1736421.
      * Remaining changes:
        - [udeb] Enable chvt, killall, losetup, od, and stat.
        - test-bin.patch: Move test and friends to /bin.
        - static-sh-alias.patch: Add static-sh alias name for ash, and install
          /bin/static-sh symlink to busybox in busybox-static.
        - Add busybox-initramfs.
        - Enable chpasswd in standard and static builds (needed by LXC).
        - Move zz-busybox to busybox-initramfs to ensure we get links to all
          the tools we need, stop shipping it anywhere else.
        - Prefer busybox commands over klibc commands where there is duplication.
        - Add Ubuntu configuration for busybox binaries.
        - debian/patches/CVE-2011-5325-2.patch: do not extract unsafe symlinks
          unless env variable is set in archival/libarchive/Kbuild.src,
          archival/libarchive/data_extract_all.c,
          archival/libarchive/unsafe_symlink_target.c, archival/tar.c,
          coreutils/link.c, include/bb_archive.h, libbb/copy_file.c,
          testsuite/tar.tests.
      * Dropped changes, included in Debian:
        - readlink-in-slash-bin.patch: move readlink to /bin.
        - debian/patches/CVE-2017-15874.patch: add another check to
          archival/libarchive/decompress_unlzma.c.
        - debian/patches/CVE-2017-16544.patch: check for control characters in
          libbb/lineedit.c.
        - debian/patches/CVE-2017-15873.patch: fix runCnt overflow in
          archival/libarchive/decompress_bunzip2.c.
    
    busybox (1:1.27.2-2) unstable; urgency=medium
    
      * Trigger an initramfs rebuild on installation. (Closes: #549022)
      * Temporarily re-enable invalid variable names in the udeb flavour for
        debian-installer.
      * Install the readlink binary in /bin. (Closes: #801850)
      * Fix integer overflow in bzip2 decompresson [CVE-2017-15874].
        (Closes: #879732)
      * Fix integer underflow in LZMA decompressor [CVE-2017-15874].
        (Closes: #879732)
      * Prevent tab completion for strings containing control characters
        [CVE-2017-16544].
      * Debian packaging changes:
        - Update debian/control:
          - Update Standards-Version to 4.1.1.
          - Change Priority to optional for all packages.
        - Remove obsolete debian/gbp.conf.
        - Update debian/watch:
          - Switch to format=4.
          - Use HTTPS URI.
    
     -- Steve Langasek <email address hidden>  Wed, 06 Dec 2017 11:35:12 -0800
  • busybox (1:1.27.2-1ubuntu4) bionic; urgency=medium
    
      * SECURITY UPDATE: directory traversal via tar symlink extraction
        - debian/patches/CVE-2011-5325-2.patch: do not extract unsafe symlinks
          unless env variable is set in archival/libarchive/Kbuild.src,
          archival/libarchive/data_extract_all.c,
          archival/libarchive/unsafe_symlink_target.c, archival/tar.c,
          coreutils/link.c, include/bb_archive.h, libbb/copy_file.c,
          testsuite/tar.tests.
        - CVE-2011-5325
      * SECURITY UPDATE: integer overflow in get_next_block
        - debian/patches/CVE-2017-15873.patch: fix runCnt overflow in
          archival/libarchive/decompress_bunzip2.c.
        - CVE-2017-15873
      * SECURITY UPDATE: integer underflow in unlzma
        - debian/patches/CVE-2017-15874.patch: add another check to
          archival/libarchive/decompress_unlzma.c.
        - CVE-2017-15874
      * SECURITY UPDATE: code execution in tab autocomplete feature
        - debian/patches/CVE-2017-16544.patch: check for control characters in
          libbb/lineedit.c.
        - CVE-2017-16544
    
     -- Marc Deslauriers <email address hidden>  Fri, 24 Nov 2017 12:55:21 -0500
  • busybox (1:1.27.2-1ubuntu3) bionic; urgency=medium
    
      * static-sh-alias.patch: port for 1.27.2 to fix the FTBFS.
    
     -- Steve Langasek <email address hidden>  Thu, 26 Oct 2017 09:24:22 -0700
  • busybox (1:1.27.2-1ubuntu2) bionic; urgency=medium
    
      * Fix up a few missed config reconciliations for busybox-initramfs.
    
     -- Steve Langasek <email address hidden>  Thu, 26 Oct 2017 14:55:05 +0000
  • busybox (1:1.27.2-1ubuntu1) bionic; urgency=low
    
      * Merge from Debian unstable.  Remaining changes:
        - [udeb] Enable chvt, killall, losetup, od, and stat.
        - test-bin.patch: Move test and friends to /bin.
        - static-sh-alias.patch: Add static-sh alias name for ash, and install
          /bin/static-sh symlink to busybox in busybox-static.
        - Add busybox-initramfs.
        - Enable chpasswd in standard and static builds (needed by LXC).
        - Move zz-busybox to busybox-initramfs to ensure we get links to all
          the tools we need, stop shipping it anywhere else.
        - Prefer busybox commands over klibc commands where there is duplication.
        - Add Ubuntu configuration for busybox binaries.
        - readlink-in-slash-bin.patch: move readlink to /bin.
      * Refresh busybox-initramfs config to keep it in sync with the featureset
        of the other builds.
        - FEATURE_USE_TERMIOS dropped upstream.
        - FEATURE_STAT_FILESYSTEM enabled.
        - disable FDFLUSH.
    
    busybox (1:1.27.2-1) unstable; urgency=medium
    
      * New upstream release. This addresses:
        - Segmentation fault when creating compressed tar files. (Closes: #812074)
        - Pointer misuse unziping files. (Closes: #803097)
        - Buffer overflow in the DHCP client [CVE-2016-2148]. (Closes: #818497)
        - Integer overflow in the DHCP client [CVE-2016-2147]. (Closes: #818499)
      * Postpone creation of symlinks with "suspicious" targets [CVE-2011-5325].
        (Closes: #802702)
      * Re-enable the test suite during build. (Closes: #794526)
      * udhcpc: correct a typo in /etc/udhcpc/default.script. (Closes: #873472)
      * Debian packaging changes:
        - Run wrap-and-sort -st.
        - Update debian/control:
          - Replace Uploaders with myself and Christoph Biedl. Many thanks to
            Bastian Blank and Michael Tokarev for having maintained busybox for
            many years prior.
          - Remove Build-Depends to avoid ancient broken libc-dev-bin.
          - Bump Build-Depends on debhelper to >= 10.
        - Rewrite debian/rules:
          - Simplify and use the dh sequencer.
          - Remove test for ancient broken libc6 versions with static binaries.
          - Strip -O2 from CFLAGS, falling back to -Os from the busybox
            configuration.
          - Abort the build if 'make oldconfig' changes the configuration at all.
        - Update busybox build configuration files for the new upstream release.
          - The udeb configuration mostly hasn't changed, but enable fgrep,
            blkdiscard, bzcat and lsscsi.
          - The deb and static configurations have had upstream recommendations
            enabled for new options.
        - Switch to debhelper compatibility level 10.
        - Add Depends on lsb-base to busybox-syslogd and udhcpd.
        - Update debian/.gitignore.
        - Update Standards-Version to 4.0.1:
          - Disable tests that require networking.
    
     -- Steve Langasek <email address hidden>  Wed, 25 Oct 2017 23:23:50 -0700
  • busybox (1:1.22.0-19ubuntu2) yakkety; urgency=medium
    
      * debian/patches/readlink-in-slash-bin.patch: put readlink in /bin/
        like coreutils.  Closes LP: #1615021.
    
     -- Steve Langasek <email address hidden>  Tue, 23 Aug 2016 12:36:39 -0700