-------------------------------------------------------------------------
Debian LTS Advisory DLA-4019-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                         Tobias Frost
January 19, 2025                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : busybox
Version        : 1:1.30.1-6+deb11u1
CVE ID         : CVE-2021-28831 CVE-2021-42374 CVE-2021-42378 CVE-2021-42379 
                 CVE-2021-42380 CVE-2021-42381 CVE-2021-42382 CVE-2021-42384 
                 CVE-2021-42385 CVE-2021-42386 CVE-2022-48174 CVE-2023-42364 
                 CVE-2023-42365
Debian Bug     : 985674 999567 1059049 1059051 1059052

Multiple vulnerabilities have been found in BusyBox, a lightweight
single-executable containing various Unix utilities, which potentially
allow attackers to cause denial of service, information leakage, or
arbitrary code execution through malformed gzip data, crafted LZMA
input or crafted awk patterns.

CVE-2021-28831

    decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit
    on the huft_build result pointer, with a resultant invalid free or
    segmentation fault, via malformed gzip data.

CVE-2021-42374

    An out-of-bounds heap read in Busybox's unlzma applet leads to
    information leak and denial of service when crafted LZMA-compressed
    input is decompressed. This can be triggered by any applet/format that

CVE-2021-42378

    A use-after-free in Busybox's awk applet leads to denial of service and
    possibly code execution when processing a crafted awk pattern in the
    getvar_i function

CVE-2021-42379

    A use-after-free in Busybox's awk applet leads to denial of service and
    possibly code execution when processing a crafted awk pattern in the
    next_input_file function

CVE-2021-42380

    A use-after-free in Busybox's awk applet leads to denial of service and
    possibly code execution when processing a crafted awk pattern in the
    clrvar function

CVE-2021-42381

    A use-after-free in Busybox's awk applet leads to denial of service and
    possibly code execution when processing a crafted awk pattern in the
    hash_init function

CVE-2021-42382

    use-after-free in Busybox's awk applet leads to denial of service and
    possibly code execution when processing a crafted awk pattern in the
    getvar_s function

CVE-2021-42384

    A use-after-free in Busybox's awk applet leads to denial of service and
    possibly code execution when processing a crafted awk pattern in the
    handle_special function

CVE-2021-42385

    A use-after-free in Busybox's awk applet leads to denial of service and
    possibly code execution when processing a crafted awk pattern in the
    evaluate function

CVE-2021-42386

    A use-after-free in Busybox's awk applet leads to denial of service and
    possibly code execution when processing a crafted awk pattern in the
    nvalloc function

CVE-2022-48174

    There is a stack overflow vulnerability in ash.c:6030 in busybox before
    1.35. In the environment of Internet of Vehicles, this vulnerability can
    be executed from command to arbitrary code execution.

CVE-2023-42364

    A use-after-free vulnerability in BusyBox v.1.36.1 allows attackers to
    cause a denial of service via a crafted awk pattern in the awk.c
    evaluate function.

CVE-2023-42365

    A use-after-free vulnerability was discovered in BusyBox v.1.36.1 via a
    crafted awk pattern in the awk.c copyvar function.

For Debian 11 bullseye, these problems have been fixed in version
1:1.30.1-6+deb11u1.

We recommend that you upgrade your busybox packages.

For the detailed security status of busybox please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/busybox

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Debian LTS: DLA-4019-1: busybox Security Advisory Updates

January 19, 2025
Multiple vulnerabilities have been found in BusyBox, a lightweight single-executable containing various Unix utilities, which potentially allow attackers to cause denial of service...

Summary

CVE-2021-28831

decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit
on the huft_build result pointer, with a resultant invalid free or
segmentation fault, via malformed gzip data.

CVE-2021-42374

An out-of-bounds heap read in Busybox's unlzma applet leads to
information leak and denial of service when crafted LZMA-compressed
input is decompressed. This can be triggered by any applet/format that

CVE-2021-42378

A use-after-free in Busybox's awk applet leads to denial of service and
possibly code execution when processing a crafted awk pattern in the
getvar_i function

CVE-2021-42379

A use-after-free in Busybox's awk applet leads to denial of service and
possibly code execution when processing a crafted awk pattern in the
next_input_file function

CVE-2021-42380

A use-after-free in Busybox's awk applet leads to denial of service and
possibly code execution when processing a crafted awk pattern in the
clrvar function

CVE-2021-42381

...

Read the Full Advisory


Severity
Package : busybox
Version : 1:1.30.1-6+deb11u1
CVE ID : CVE-2021-28831 CVE-2021-42374 CVE-2021-42378 CVE-2021-42379
Debian Bug : 985674 999567 1059049 1059051 1059052

Related News

Parrot OS 6.3: Elevating Security with Enhanced Features & Tools
3 - 5 min read
Parrot OS 6.3 has just arrived , bringing crucial updates that security admins should note. This latest version of the popular secure Linux
Linux Kernel 6.14 Released: Top Security Features You Need to Know
3 - 6 min read
With the release of Linux kernel 6.14 , admins and Linux users have many new features and enhancements to look forward to - especially in the realm
Don
2 - 4 min read
Google recently issued a crucial Chrome update that those using a version of the browser prior to version 132.0.6834.110 should implement
Intel Brings Next-Level Security to Linux with Partner Security Engine
3 - 6 min read
Intel recently introduced a game-changer in hardware security with its new Partner Security Engine integrated into the Core Ultra Series 2. This
A Tiny Linux Kernel Tweak with Massive Implications for Datacenter Efficiency
3 - 6 min read
In a groundbreaking development, security researchers have introduced a small but mighty tweak to the Linux kernel that promises to cut data center
Best Practices for Securing Linux Systems Against Malicious Bots
3 - 6 min read
Linux systems have long been an indispensable asset to businesses and individuals alike. From running servers and cloud infrastructure to powering
Securing Open-Source Projects with Automated Testing on Linux
4 - 7 min read
Open-source project security testing focuses on many components, ensuring there are no safety vulnerabilities. These components include physical
KaOS Linux 2025.01: Merging Security with Practicality
3 - 6 min read
As the realm of Linux distribution expands, security admins find themselves faced with choosing a system that fits operational needs and upholds

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved