Ubuntu Security Notice 3935-1 - Tyler Hicks discovered that BusyBox incorrectly handled symlinks inside tar archives. If a user or automated system were tricked into processing a specially crafted tar archive, a remote attacker could overwrite arbitrary files outside of the current directory. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. Mathias Krause discovered that BusyBox incorrectly handled kernel module loading restrictions. A local attacker could possibly use this issue to bypass intended restrictions. This issue only affected Ubuntu 14.04 LTS. Various other issues were also addressed.
d04293581994ba012e305b667f533a43f91c013c6da677eff4fa9c29ace725ff
==========================================================================
Ubuntu Security Notice USN-3935-1
April 03, 2019
busybox vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in BusyBox.
Software Description:
- busybox: Tiny utilities for small and embedded systems
Details:
Tyler Hicks discovered that BusyBox incorrectly handled symlinks inside tar
archives. If a user or automated system were tricked into processing a
specially crafted tar archive, a remote attacker could overwrite arbitrary
files outside of the current directory. This issue only affected Ubuntu
14.04 LTS and Ubuntu 16.04 LTS. (CVE-2011-5325)
Mathias Krause discovered that BusyBox incorrectly handled kernel module
loading restrictions. A local attacker could possibly use this issue to
bypass intended restrictions. This issue only affected Ubuntu 14.04 LTS.
(CVE-2014-9645)
It was discovered that BusyBox incorrectly handled certain ZIP archives. If
a user or automated system were tricked into processing a specially crafted
ZIP archive, a remote attacker could cause BusyBox to crash, leading to a
denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu
16.04 LTS. (CVE-2015-9261)
Nico Golde discovered that the BusyBox DHCP client incorrectly handled
certain malformed domain names. A remote attacker could possibly use this
issue to cause the DHCP client to crash, leading to a denial of service.
This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS.
(CVE-2016-2147)
Nico Golde discovered that the BusyBox DHCP client incorrectly handled
certain 6RD options. A remote attacker could use this issue to cause the
DHCP client to crash, leading to a denial of service, or possibly execute
arbitrary code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04
LTS. (CVE-2016-2148)
It was discovered that BusyBox incorrectly handled certain bzip2 archives.
If a user or automated system were tricked into processing a specially
crafted bzip2 archive, a remote attacker could cause BusyBox to crash,
leading to a denial of service, or possibly execute arbitrary code. This
issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2017-15873)
It was discovered that BusyBox incorrectly handled tab completion. A local
attacker could possibly use this issue to execute arbitrary code. This
issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2017-16544)
It was discovered that the BusyBox wget utility incorrectly handled certain
responses. A remote attacker could use this issue to cause BusyBox to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2018-1000517)
It was discovered that the BusyBox DHCP utilities incorrectly handled
certain memory operations. A remote attacker could possibly use this issue
to access sensitive information. (CVE-2018-20679, CVE-2019-5747)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 18.10:
busybox 1:1.27.2-2ubuntu4.1
busybox-initramfs 1:1.27.2-2ubuntu4.1
busybox-static 1:1.27.2-2ubuntu4.1
udhcpc 1:1.27.2-2ubuntu4.1
udhcpd 1:1.27.2-2ubuntu4.1
Ubuntu 18.04 LTS:
busybox 1:1.27.2-2ubuntu3.2
busybox-initramfs 1:1.27.2-2ubuntu3.2
busybox-static 1:1.27.2-2ubuntu3.2
udhcpc 1:1.27.2-2ubuntu3.2
udhcpd 1:1.27.2-2ubuntu3.2
Ubuntu 16.04 LTS:
busybox 1:1.22.0-15ubuntu1.4
busybox-initramfs 1:1.22.0-15ubuntu1.4
busybox-static 1:1.22.0-15ubuntu1.4
udhcpc 1:1.22.0-15ubuntu1.4
udhcpd 1:1.22.0-15ubuntu1.4
Ubuntu 14.04 LTS:
busybox 1:1.21.0-1ubuntu1.4
busybox-initramfs 1:1.21.0-1ubuntu1.4
busybox-static 1:1.21.0-1ubuntu1.4
udhcpc 1:1.21.0-1ubuntu1.4
udhcpd 1:1.21.0-1ubuntu1.4
In general, a standard system update will make all the necessary changes.
References:
https://usn.ubuntu.com/usn/usn-3935-1
CVE-2011-5325, CVE-2014-9645, CVE-2015-9261, CVE-2016-2147,
CVE-2016-2148, CVE-2017-15873, CVE-2017-16544, CVE-2018-1000517,
CVE-2018-20679, CVE-2019-5747
Package Information:
https://launchpad.net/ubuntu/+source/busybox/1:1.27.2-2ubuntu4.1
https://launchpad.net/ubuntu/+source/busybox/1:1.27.2-2ubuntu3.2
https://launchpad.net/ubuntu/+source/busybox/1:1.22.0-15ubuntu1.4
https://launchpad.net/ubuntu/+source/busybox/1:1.21.0-1ubuntu1.4