Gentoo Archives: gentoo-announce

From: Thomas Deutschmann <whissi@g.o>
To: gentoo-announce@l.g.o
Subject: [gentoo-announce] [ GLSA 202105-09 ] BusyBox: Denial of service
Date: Wed, 26 May 2021 08:45:52
Message-Id: c881275d-ad95-7556-0f9e-abb33ade0ba7@gentoo.org
1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Gentoo Linux Security Advisory GLSA 202105-09
3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 https://security.gentoo.org/
5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7 Severity: Low
8 Title: BusyBox: Denial of service
9 Date: May 26, 2021
10 Bugs: #777255
11 ID: 202105-09
12
13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15 Synopsis
16 ========
17
18 A vulnerability in BusyBox might allow remote attackers to cause a
19 Denial of Service condition.
20
21 Background
22 ==========
23
24 BusyBox is a set of tools for embedded systems and is a replacement for
25 GNU Coreutils.
26
27 Affected packages
28 =================
29
30 -------------------------------------------------------------------
31 Package / Vulnerable / Unaffected
32 -------------------------------------------------------------------
33 1 sys-apps/busybox < 1.32.1 >= 1.32.1
34
35 Description
36 ===========
37
38 It was discovered that BusyBox mishandled the error bit on the
39 huft_build result pointer when decompressing GZIP compressed data.
40
41 Impact
42 ======
43
44 A remote attacker could entice a user to open a specially crafted GZIP
45 file using BusyBox, possibly resulting in a Denial of Service
46 condition.
47
48 Workaround
49 ==========
50
51 There is no known workaround at this time.
52
53 Resolution
54 ==========
55
56 All BusyBox users should upgrade to the latest version:
57
58 # emerge --sync
59 # emerge --ask --oneshot --verbose ">=sys-apps/busybox-1.32.1"
60
61 References
62 ==========
63
64 [ 1 ] CVE-2021-28831
65 https://nvd.nist.gov/vuln/detail/CVE-2021-28831
66
67 Availability
68 ============
69
70 This GLSA and any updates to it are available for viewing at
71 the Gentoo Security Website:
72
73 https://security.gentoo.org/glsa/202105-09
74
75 Concerns?
76 =========
77
78 Security is a primary focus of Gentoo Linux and ensuring the
79 confidentiality and security of our users' machines is of utmost
80 importance to us. Any security concerns should be addressed to
81 security@g.o or alternatively, you may file a bug at
82 https://bugs.gentoo.org.
83
84 License
85 =======
86
87 Copyright 2021 Gentoo Foundation, Inc; referenced text
88 belongs to its owner(s).
89
90 The contents of this document are licensed under the
91 Creative Commons - Attribution / Share Alike license.
92
93 https://creativecommons.org/licenses/by-sa/2.5

Attachments

File name MIME type
OpenPGP_signature.asc application/pgp-signature