Changelog

busybox (1:1.22.0-15ubuntu1.3) xenial-security; urgency=medium

  * SECURITY UPDATE: directory traversal via tar symlink extraction
    - debian/patches/CVE-2011-5325.patch: postpone creation of symlinks
      with "suspicious" targets in archival/libarchive/data_extract_all.c,
      archival/tar.c, archival/tar_symlink_attack, include/bb_archive.h,
      testsuite/tar.tests.
    - CVE-2011-5325
  * SECURITY UPDATE: integer overflow in the DHCP client
    - debian/patches/CVE-2016-2147-1.patch: fix a SEGV on malformed
      RFC1035-encoded domain name in networking/udhcp/domain_codec.c.
    - debian/patches/CVE-2016-2147-2.patch: fix a warning in debug code in
      networking/udhcp/domain_codec.c.
    - CVE-2016-2147
  * SECURITY UPDATE: heap-based buffer overflow in the DHCP client
    - debian/patches/CVE-2016-2148.patch: fix OPTION_6RD parsing in
      networking/udhcp/common.c, networking/udhcp/dhcpc.c.
    - CVE-2016-2148
  * SECURITY UPDATE: integer overflow in get_next_block
    - debian/patches/CVE-2017-15873.patch: fix runCnt overflow in
      archival/libarchive/decompress_bunzip2.c.
    - CVE-2017-15873
  * SECURITY UPDATE: code execution in tab autocomplete feature
    - debian/patches/CVE-2017-16544.patch: check for control characters in
      libbb/lineedit.c.
    - CVE-2017-16544
  * debian/rules: fix nocheck test so test suite gets run during build and
    set SKIP_INTERNET_TESTS=y.

 -- Marc Deslauriers <email address hidden>  Thu, 30 Nov 2017 10:54:24 -0500

Package files

No files published for this package.