Format: 1.8
Date: Wed, 06 Mar 2019 11:51:19 -0500
Source: busybox
Binary: busybox busybox-static busybox-initramfs busybox-udeb busybox-syslogd udhcpc udhcpd
Architecture: armhf
Version: 1:1.22.0-15ubuntu1.4
Distribution: xenial
Urgency: medium
Maintainer: Launchpad Build Daemon
Changed-By: Marc Deslauriers
Description:
 busybox - Tiny utilities for small and embedded systems
 busybox-initramfs - Standalone shell setup for initramfs
 busybox-static - Standalone rescue shell with tons of builtin utilities
 busybox-syslogd - Provides syslogd and klogd using busybox
 busybox-udeb - Tiny utilities for the debian-installer (udeb)
 udhcpc - Provides the busybox DHCP client implementation
 udhcpd - Provides the busybox DHCP server implementation
Changes:
 busybox (1:1.22.0-15ubuntu1.4) xenial-security; urgency=medium
 .
   * SECURITY UPDATE: directory traversal via tar symlink extraction
     - debian/patches/CVE-2011-5325-1.patch: postpone creation of symlinks
       with "suspicious" targets in archival/libarchive/data_extract_all.c,
       archival/tar.c, archival/tar_symlink_attack, include/bb_archive.h,
       testsuite/tar.tests.
     - debian/patches/CVE-2011-5325-2.patch: do not extract unsafe symlinks
       unless env variable is set in archival/libarchive/Kbuild.src,
       archival/libarchive/data_extract_all.c,
       archival/libarchive/unsafe_symlink_target.c, archival/tar.c,
       include/bb_archive.h, libbb/copy_file.c, testsuite/tar.tests.
     - debian/patches/CVE-2011-5325-3.patch: postpone creation of symlinks
       with "suspicious" targets in archival/libarchive/data_extract_all.c,
       archival/libarchive/unsafe_symlink_target.c, archival/tar.c,
       include/bb_archive.h, testsuite/tar.tests.
     - debian/patches/CVE-2011-5325-4.patch: extract "unsafe" symlinks the
       same way tar/unzip does in archival/cpio.c.
     - debian/patches/CVE-2011-5325-5.patch: fix symlink creation in
       archival/libarchive/get_header_ar.c.
     - CVE-2011-5325
   * SECURITY UPDATE: integer overflow in the DHCP client
     - debian/patches/CVE-2016-2147-1.patch: fix a SEGV on malformed
       RFC1035-encoded domain name in networking/udhcp/domain_codec.c.
     - debian/patches/CVE-2016-2147-2.patch: fix a warning in debug code in
       networking/udhcp/domain_codec.c.
     - CVE-2016-2147
   * SECURITY UPDATE: heap-based buffer overflow in the DHCP client
     - debian/patches/CVE-2016-2148.patch: fix OPTION_6RD parsing in
       networking/udhcp/common.c, networking/udhcp/dhcpc.c.
     - CVE-2016-2148
   * SECURITY UPDATE: integer overflow in get_next_block
     - debian/patches/CVE-2017-15873.patch: fix runCnt overflow in
       archival/libarchive/decompress_bunzip2.c.
     - CVE-2017-15873
   * SECURITY UPDATE: code execution in tab autocomplete feature
     - debian/patches/CVE-2017-16544.patch: check for control characters in
       libbb/lineedit.c.
     - CVE-2017-16544
   * SECURITY UPDATE: DoS in unzip operations
     - debian/patches/CVE-2015-9261-1.patch: test for a bad archive in
       archival/libarchive/decompress_gunzip.c, added test in
       testsuite/unzip.tests.
     - debian/patches/CVE-2015-9261-2.patch: further fix decompression code
       in archival/libarchive/decompress_gunzip.c, testsuite/unzip.tests.
     - CVE-2015-9261
   * SECURITY UPDATE: buffer overflow in wget
     - debian/patches/CVE-2018-1000517.patch: check chunk length in
       networking/wget.c.
     - CVE-2018-1000517
   * SECURITY UPDATE: out-of-bounds read in udhcp
     - debian/patches/CVE-2018-20679.patch: check that 4-byte options are
       indeed 4-byte in networking/udhcp/common.*, networking/udhcp/dhcpc.c,
       networking/udhcp/dhcpd.c.
     - CVE-2018-20679
   * SECURITY UPDATE: incomplete fix for out-of-bounds read in udhcp
     - debian/patches/CVE-2019-5747.patch: when decoding DHCP_SUBNET, ensure
       it is 4 bytes long in networking/udhcp/common.*,
       networking/udhcp/dhcpc.c.
     - CVE-2019-5747
   * debian/rules: fix nocheck test so test suite gets run during build and
     set SKIP_INTERNET_TESTS=y.
Original-Maintainer: Debian Install System Team