Change logs for busybox source package in Xenial

  • busybox (1:1.22.0-15ubuntu1.4) xenial-security; urgency=medium
      * SECURITY UPDATE: directory traversal via tar symlink extraction
        - debian/patches/CVE-2011-5325-1.patch: postpone creation of symlinks
          with "suspicious" targets in archival/libarchive/data_extract_all.c,
          archival/tar.c, archival/tar_symlink_attack, include/bb_archive.h,
        - debian/patches/CVE-2011-5325-2.patch: do not extract unsafe symlinks
          unless env variable is set in archival/libarchive/Kbuild.src,
          archival/libarchive/unsafe_symlink_target.c, archival/tar.c,
          include/bb_archive.h, libbb/copy_file.c, testsuite/tar.tests.
        - debian/patches/CVE-2011-5325-3.patch: postpone creation of symlinks
          with "suspicious" targets in archival/libarchive/data_extract_all.c,
          archival/libarchive/unsafe_symlink_target.c, archival/tar.c,
          include/bb_archive.h, testsuite/tar.tests.
        - debian/patches/CVE-2011-5325-4.patch: extract "unsafe" symlinks
          the same way tar/unzip does in archival/cpio.c.
        - debian/patches/CVE-2011-5325-5.patch: fix symlink creation in
        - CVE-2011-5325
      * SECURITY UPDATE: integer overflow in the DHCP client
        - debian/patches/CVE-2016-2147-1.patch: fix a SEGV on malformed
          RFC1035-encoded domain name in networking/udhcp/domain_codec.c.
        - debian/patches/CVE-2016-2147-2.patch: fix a warning in debug code in
        - CVE-2016-2147
      * SECURITY UPDATE: heap-based buffer overflow in the DHCP client
        - debian/patches/CVE-2016-2148.patch: fix OPTION_6RD parsing in
          networking/udhcp/common.c, networking/udhcp/dhcpc.c.
        - CVE-2016-2148
      * SECURITY UPDATE: integer overflow in get_next_block
        - debian/patches/CVE-2017-15873.patch: fix runCnt overflow in
        - CVE-2017-15873
      * SECURITY UPDATE: code execution in tab autocomplete feature
        - debian/patches/CVE-2017-16544.patch: check for control characters in
        - CVE-2017-16544
      * SECURITY UPDATE: DoS in unzip operations
        - debian/patches/CVE-2015-9261-1.patch: test for a bad archive in
          archival/libarchive/decompress_gunzip.c, added test in
        - debian/patches/CVE-2015-9261-2.patch: further fix decompression code
          in archival/libarchive/decompress_gunzip.c, testsuite/unzip.tests.
        - CVE-2015-9261
      * SECURITY UPDATE: buffer overflow in wget
        - debian/patches/CVE-2018-1000517.patch: check chunk length in
        - CVE-2018-1000517
      * SECURITY UPDATE: out-of-bounds read in udhcp
        - debian/patches/CVE-2018-20679.patch: check that 4-byte options are
          indeed 4-byte in networking/udhcp/common.*,
          networking/udhcp/dhcpc.c, networking/udhcp/dhcpd.c.
        - CVE-2018-20679
      * SECURITY UPDATE: incomplete fix for out-of-bounds read in udhcp
        - debian/patches/CVE-2019-5747.patch: when decoding DHCP_SUBNET, ensure
          it is 4 bytes long in networking/udhcp/common.*,
        - CVE-2019-5747
      * debian/rules: fix nocheck test so test suite gets run during build and
        set SKIP_INTERNET_TESTS=y.
     -- Marc Deslauriers <email address hidden>  Wed, 06 Mar 2019 11:51:19 -0500
  • busybox (1:1.22.0-15ubuntu1) wily; urgency=low
      * Merge from Debian unstable (LP: #1486231).  Remaining changes:
        - [udeb] Enable chvt, killall, losetup, od, and stat.
        - test-bin.patch: Move test and friends to /bin.
        - static-sh-alias.patch: Add static-sh alias name for ash, and install
          /bin/static-sh symlink to busybox in busybox-static.
        - Add busybox-initramfs.
        - Refresh busybox-initramfs config to keep it in sync with the featureset
          of the other builds.  (No changes upstream.)
        - Enable chpasswd in standard and static builds (needed by LXC).
        - Move zz-busybox to busybox-initramfs to ensure we get links to all
          the tools we need, stop shipping it anywhere else.
        - Prefer busybox commands over klibc commands where there is duplication.
    busybox (1:1.22.0-15) unstable; urgency=medium
      [ Michael Gilbert ]
      * Fix CVE-2014-9645: modprobe accepts paths as modules (closes: #776186).
    busybox (1:1.22.0-14) unstable; urgency=low
      * one more attempt to fix the glibc build-depend for #769190, now
        using versioned build-dependency on libc-dev-bin which is named
        this way on all architectures (unlike libc6|libc6.1|libc0.1|libc0.3)
    busybox (1:1.22.0-13) unstable; urgency=medium
      * really fix #769190 the hard way, by build-conflicting with all
        arch-specific names of libc with version <2.19-12 (Closes: #769190)
      * check if glibc can produce working statically linked binaries
        by performing a getpwnam("root") call before building (#754813)
    busybox (1:1.22.0-12) unstable; urgency=medium
      * fix the previous changelog entry (wrong bug# was "fixed" and typos)
      * ensure we build against non-broken glibc (>=2.19-12) (Closes: #769190)
    busybox (1:1.22.0-11) unstable; urgency=medium
      * fix the built-using generation in the previous upload -- did not
        work correctly for != 1 dependency and #588505 in dpkg
    busybox (1:1.22.0-10) unstable; urgency=high
      * lzop-add-overflow-check-CVE-2014-4607.patch (Closes: #768945)
      * add Built-Using control field for -static, deriving it from
        regular build (this will be glibc) (Closes: #768876)
      * install only arch/indep deb as requested by binary-arch or binary-indep
        target.  This fixes a long-standing lintian error, when package build
        always produces busybox-syslogd package which is arch:all and should not
        be built on a buildd.
     -- Andy Whitcroft <email address hidden>  Wed, 19 Aug 2015 11:30:32 +0100