Change logs for busybox source package in Xenial

  • busybox (1:1.22.0-15ubuntu1.4) xenial-security; urgency=medium
    
      * SECURITY UPDATE: directory traversal via tar symlink extraction
        - debian/patches/CVE-2011-5325-1.patch: postpone creation of symlinks
          with "suspicious" targets in archival/libarchive/data_extract_all.c,
          archival/tar.c, archival/tar_symlink_attack, include/bb_archive.h,
          testsuite/tar.tests.
        - debian/patches/CVE-2011-5325-2.patch: do not extract unsafe symlinks
          unless env variable is set in archival/libarchive/Kbuild.src,
          archival/libarchive/data_extract_all.c,
          archival/libarchive/unsafe_symlink_target.c, archival/tar.c,
          include/bb_archive.h, libbb/copy_file.c, testsuite/tar.tests.
        - debian/patches/CVE-2011-5325-3.patch: postpone creation of symlinks
          with "suspicious" targets in archival/libarchive/data_extract_all.c,
          archival/libarchive/unsafe_symlink_target.c, archival/tar.c,
          include/bb_archive.h, testsuite/tar.tests.
        - debian/patches/CVE-2011-5325-4.patch: extract "unsafe" symlinks
          the same way tar/unzip does in archival/cpio.c.
        - debian/patches/CVE-2011-5325-5.patch: fix symlink creation in
          archival/libarchive/get_header_ar.c.
        - CVE-2011-5325
      * SECURITY UPDATE: integer overflow in the DHCP client
        - debian/patches/CVE-2016-2147-1.patch: fix a SEGV on malformed
          RFC1035-encoded domain name in networking/udhcp/domain_codec.c.
        - debian/patches/CVE-2016-2147-2.patch: fix a warning in debug code in
          networking/udhcp/domain_codec.c.
        - CVE-2016-2147
      * SECURITY UPDATE: heap-based buffer overflow in the DHCP client
        - debian/patches/CVE-2016-2148.patch: fix OPTION_6RD parsing in
          networking/udhcp/common.c, networking/udhcp/dhcpc.c.
        - CVE-2016-2148
      * SECURITY UPDATE: integer overflow in get_next_block
        - debian/patches/CVE-2017-15873.patch: fix runCnt overflow in
          archival/libarchive/decompress_bunzip2.c.
        - CVE-2017-15873
      * SECURITY UPDATE: code execution in tab autocomplete feature
        - debian/patches/CVE-2017-16544.patch: check for control characters in
          libbb/lineedit.c.
        - CVE-2017-16544
      * SECURITY UPDATE: DoS in unzip operations
        - debian/patches/CVE-2015-9261-1.patch: test for a bad archive in
          archival/libarchive/decompress_gunzip.c, added test in
          testsuite/unzip.tests.
        - debian/patches/CVE-2015-9261-2.patch: further fix decompression code
          in archival/libarchive/decompress_gunzip.c, testsuite/unzip.tests.
        - CVE-2015-9261
      * SECURITY UPDATE: buffer overflow in wget
        - debian/patches/CVE-2018-1000517.patch: check chunk length in
          networking/wget.c.
        - CVE-2018-1000517
      * SECURITY UPDATE: out-of-bounds read in udhcp
        - debian/patches/CVE-2018-20679.patch: check that 4-byte options are
          indeed 4-byte in networking/udhcp/common.*,
          networking/udhcp/dhcpc.c, networking/udhcp/dhcpd.c.
        - CVE-2018-20679
      * SECURITY UPDATE: incomplete fix for out-of-bounds read in udhcp
        - debian/patches/CVE-2019-5747.patch: when decoding DHCP_SUBNET, ensure
          it is 4 bytes long in networking/udhcp/common.*,
          networking/udhcp/dhcpc.c.
        - CVE-2019-5747
      * debian/rules: fix nocheck test so test suite gets run during build and
        set SKIP_INTERNET_TESTS=y.
    
     -- Marc Deslauriers <email address hidden>  Wed, 06 Mar 2019 11:51:19 -0500
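The ordering problem behind the CVE-2011-5325 series above (symlink first, then a file written "through" it), as an added illustration that is not busybox's code: the archive entries, the in-memory filesystem model and the names `is_unsafe_symlink_target` and `extract` are all constructed for this example; the real logic lives in the archival/libarchive files the patch list names.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample archive: a symlink whose target escapes the extraction
 * directory, followed by a regular file written "through" that link. This is
 * the classic tar symlink attack the patch series above guards against. */
enum kind { ENTRY_FILE, ENTRY_SYMLINK };

struct entry {
    enum kind kind;
    const char *name;    /* member path inside the archive */
    const char *target;  /* symlink target (ENTRY_SYMLINK only) */
};

const struct entry sample_archive[] = {
    { ENTRY_SYMLINK, "foo",        "/etc" },
    { ENTRY_FILE,    "foo/passwd", NULL   },
    { ENTRY_FILE,    "README",     NULL   },
};
const int sample_archive_len = 3;

/* A symlink target is "unsafe" if it is absolute or any path component is "..":
 * either way it can point outside the directory we are extracting into. */
int is_unsafe_symlink_target(const char *target)
{
    const char *p = target;
    if (*p == '/')
        return 1;
    while (*p) {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 1;
        if (!slash)
            break;
        p = slash + 1;
    }
    return 0;
}

#define MAX_LINKS 8
struct link { const char *name; const char *target; };

/* Simulated filesystem (an assumption of this example): where would a write to
 * `name` land, given the symlinks created so far? Only the first path component
 * is resolved, which is all the attack needs. */
static void resolve(const struct link *links, int nlinks, const char *name,
                    char *out, size_t outsz)
{
    const char *slash = strchr(name, '/');
    size_t first = slash ? (size_t)(slash - name) : strlen(name);
    for (int i = 0; i < nlinks; i++) {
        if (strlen(links[i].name) == first && strncmp(links[i].name, name, first) == 0) {
            snprintf(out, outsz, "%s%s", links[i].target, slash ? slash : "");
            return;
        }
    }
    snprintf(out, outsz, "./%s", name);
}

/* Extract in archive order. With postpone_unsafe == 0 every symlink is created
 * as soon as it is seen (pre-fix behaviour); with 1, symlinks with unsafe
 * targets are held back until all regular files are on disk. Returns how many
 * file writes landed outside the extraction directory. */
int extract(const struct entry *entries, int n, int postpone_unsafe)
{
    struct link links[MAX_LINKS];
    const struct entry *deferred[MAX_LINKS];
    int nlinks = 0, ndeferred = 0, escaped = 0;
    char where[256];

    for (int i = 0; i < n; i++) {
        const struct entry *e = &entries[i];
        if (e->kind == ENTRY_SYMLINK) {
            if (postpone_unsafe && is_unsafe_symlink_target(e->target)) {
                if (ndeferred < MAX_LINKS) deferred[ndeferred++] = e;
                continue;
            }
            if (nlinks < MAX_LINKS) {
                links[nlinks].name = e->name;
                links[nlinks].target = e->target;
                nlinks++;
            }
            continue;
        }
        resolve(links, nlinks, e->name, where, sizeof where);
        printf("write %-11s -> %s\n", e->name, where);
        if (strncmp(where, "./", 2) != 0)
            escaped++;
    }
    /* By now foo/passwd already exists under a real ./foo directory, so the link
     * can no longer redirect that write. The second patch above goes further and
     * refuses to create such links at all unless its environment variable is set. */
    for (int i = 0; i < ndeferred; i++)
        printf("deferred symlink %s -> %s: unsafe target, skipped\n",
               deferred[i]->name, deferred[i]->target);
    return escaped;
}

int main(void)
{
    printf("pre-fix order: %d write(s) escaped\n", extract(sample_archive, sample_archive_len, 0));
    printf("postponed:     %d write(s) escaped\n", extract(sample_archive, sample_archive_len, 1));
    return 0;
}
```

The same classification also matters for cpio and ar members (patches 4 and 5 in the series): any extractor that creates links before it has finished writing files is exposed, whatever the container format.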
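The length check that the CVE-2018-20679 and CVE-2019-5747 entries above describe ("check that 4-byte options are indeed 4-byte", "when decoding DHCP_SUBNET, ensure it is 4 bytes long"), as an added example rather than udhcp's code: the option buffers are constructed here, and `find_option`, `ipv4_option_len_ok` and `read_ipv4_option` are names chosen for this illustration, not functions from networking/udhcp.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* DHCP option codes used below (RFC 2132 numbering). */
#define OPT_PADDING   0
#define OPT_SUBNET    1
#define OPT_ROUTER    3
#define OPT_LEASE     51
#define OPT_MSG_TYPE  53
#define OPT_END       255

/* Constructed options area from a well-formed OFFER: message type, a proper
 * 4-byte subnet mask 255.255.255.0, then END. */
const uint8_t good_opts[] = {
    OPT_MSG_TYPE, 1, 2,
    OPT_SUBNET,   4, 255, 255, 255, 0,
    OPT_END
};
const size_t good_opts_len = sizeof good_opts;

/* Constructed malformed options area: DHCP_SUBNET claims a 1-byte body.
 * The trailing zeros keep the unchecked 4-byte read below inside this array;
 * in a real datagram the same read can run off the end of the packet. */
const uint8_t bad_opts[] = {
    OPT_MSG_TYPE, 1, 2,
    OPT_SUBNET,   1, 0xC0,
    OPT_END,
    0x00, 0x00, 0x00, 0x00
};
const size_t bad_opts_len = sizeof bad_opts;

/* Walk the TLV list and return a pointer to the body of option `code`, or NULL
 * if it is absent or the list is truncated. The declared length goes to *len_out. */
const uint8_t *find_option(const uint8_t *opts, size_t n, uint8_t code, uint8_t *len_out)
{
    size_t i = 0;
    while (i < n) {
        uint8_t c = opts[i];
        if (c == OPT_PADDING) { i++; continue; }
        if (c == OPT_END) break;
        if (i + 1 >= n) break;            /* no room for a length byte */
        uint8_t len = opts[i + 1];
        if (i + 2 + len > n) break;       /* body would run past the buffer */
        if (c == code) { *len_out = len; return opts + i + 2; }
        i += 2 + len;
    }
    return NULL;
}

/* Single-address options must be exactly 4 bytes; address lists a non-zero multiple of 4. */
int ipv4_option_len_ok(uint8_t code, uint8_t len)
{
    switch (code) {
    case OPT_SUBNET:
    case OPT_LEASE:  return len == 4;
    case OPT_ROUTER: return len >= 4 && len % 4 == 0;
    default:         return 1;
    }
}

/* Copy the first 4 bytes of option `code` into out.
 * Returns 1 on success, 0 if the option is absent, -1 if present but mis-sized.
 * check_len == 0 reproduces the pre-fix behaviour: the caller trusts the pointer
 * and copies 4 bytes regardless of the length the server declared. */
int read_ipv4_option(const uint8_t *opts, size_t n, uint8_t code, int check_len, uint8_t out[4])
{
    uint8_t len = 0;
    const uint8_t *p = find_option(opts, n, code, &len);
    if (!p)
        return 0;
    if (check_len && !ipv4_option_len_ok(code, len))
        return -1;
    memcpy(out, p, 4);   /* with check_len == 0 this reads past a short body */
    return 1;
}

/* Same value packed into a host-order integer; 0 on absent or rejected option. */
uint32_t ipv4_option_u32(const uint8_t *opts, size_t n, uint8_t code, int check_len)
{
    uint8_t b[4];
    if (read_ipv4_option(opts, n, code, check_len, b) != 1)
        return 0;
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) | ((uint32_t)b[2] << 8) | b[3];
}

int main(void)
{
    uint8_t m[4];
    int r = read_ipv4_option(bad_opts, bad_opts_len, OPT_SUBNET, 0, m);
    printf("unchecked: rc=%d mask=%u.%u.%u.%u (bytes taken from END and beyond)\n",
           r, m[0], m[1], m[2], m[3]);
    r = read_ipv4_option(bad_opts, bad_opts_len, OPT_SUBNET, 1, m);
    printf("checked:   rc=%d (option rejected as mis-sized)\n", r);
    r = read_ipv4_option(good_opts, good_opts_len, OPT_SUBNET, 1, m);
    printf("checked:   rc=%d mask=%u.%u.%u.%u\n", r, m[0], m[1], m[2], m[3]);
    return 0;
}
```

The point of the two-stage fix in the changelog is visible here: the TLV walker alone only protects its own traversal, so a caller that assumes a fixed-size body still has to verify the declared length before dereferencing four bytes.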
  • busybox (1:1.22.0-15ubuntu1) wily; urgency=low
    
      * Merge from Debian unstable (LP: #1486231).  Remaining changes:
        - [udeb] Enable chvt, killall, losetup, od, and stat.
        - test-bin.patch: Move test and friends to /bin.
        - static-sh-alias.patch: Add static-sh alias name for ash, and install
          /bin/static-sh symlink to busybox in busybox-static.
        - Add busybox-initramfs.
        - Refresh busybox-initramfs config to keep it in sync with the featureset
          of the other builds.  (No changes upstream.)
        - Enable chpasswd in standard and static builds (needed by LXC).
        - Move zz-busybox to busybox-initramfs to ensure we get links to all
          the tools we need, stop shipping it anywhere else.
        - Prefer busybox commands over klibc commands where there is duplication.
    
    busybox (1:1.22.0-15) unstable; urgency=medium
    
      [ Michael Gilbert ]
      * Fix CVE-2014-9645: modprobe accepts paths as modules (closes: #776186).
    
    busybox (1:1.22.0-14) unstable; urgency=low
    
      * one more attempt to fix the glibc build-depend for #769190, now
        using versioned build-dependency on libc-dev-bin which is named
        this way on all architectures (unlike libc6|libc6.1|libc0.1|libc0.3)
    
    busybox (1:1.22.0-13) unstable; urgency=medium
    
      * really fix #769190 the hard way, by build-conflicting with all
        arch-specific names of libc with version <2.19-12 (Closes: #769190)
      * check if glibc can produce working statically linked binaries
        by performing a getpwnam("root") call before building (#754813)
    
    busybox (1:1.22.0-12) unstable; urgency=medium
    
      * fix the previous changelog entry (wrong bug# was "fixed" and typos)
      * ensure we build against non-broken glibc (>=2.19-12) (Closes: #769190)
    
    busybox (1:1.22.0-11) unstable; urgency=medium
    
      * fix the built-using generation in the previous upload -- did not
        work correctly for != 1 dependency and #588505 in dpkg
    
    busybox (1:1.22.0-10) unstable; urgency=high
    
      * lzop-add-overflow-check-CVE-2014-4607.patch (Closes: #768945)
      * add Built-Using control field for -static, deriving it from
        regular build (this will be glibc) (Closes: #768876)
      * install only arch/indep deb as requested by binary-arch or binary-indep
        target.  This fixes a long-standing lintian error, when package build
        always produces busybox-syslogd package which is arch:all and should not
        be built on a buildd.
    
     -- Andy Whitcroft <email address hidden>  Wed, 19 Aug 2015 11:30:32 +0100