-
busybox (1:1.27.2-2ubuntu3.4) bionic-security; urgency=medium
* SECURITY UPDATE: invalid free or segfault via gzip data
- debian/patches/CVE-2021-28831.patch: fix DoS if gzip is corrupt in
archival/libarchive/decompress_gunzip.c.
- CVE-2021-28831
* SECURITY UPDATE: OOB read in unlzma
- debian/patches/CVE-2021-42374.patch: fix a case where we could read
before beginning of buffer in archival/libarchive/decompress_unlzma.c.
- CVE-2021-42374
* SECURITY UPDATE: multiple security issues in awk
- debian/patches/CVE-2021-423xx-awk.patch: backport awk.c from
busybox 1.34.1.
- CVE-2021-42378, CVE-2021-42379, CVE-2021-42380, CVE-2021-42381,
CVE-2021-42382, CVE-2021-42384, CVE-2021-42385, CVE-2021-42386
-- Marc Deslauriers <email address hidden> Wed, 24 Nov 2021 14:05:22 -0500
-
busybox (1:1.27.2-2ubuntu3.3) bionic-security; urgency=medium
* SECURITY UPDATE: missing ssl cert validation in wget applet
- debian/patches/CVE-2018-1000500-pre1.patch: emit a message that
certificate verification is not implemented in networking/wget.c.
- debian/patches/CVE-2018-1000500-pre2.patch: print warning only once
in networking/wget.c.
- debian/patches/CVE-2018-1000500-1.patch: implement TLS verification
with ENABLE_FEATURE_WGET_OPENSSL in networking/wget.c.
- debian/patches/CVE-2018-1000500-2.patch: fix openssl options for cert
verification in networking/wget.c.
- CVE-2018-1000500
-- Marc Deslauriers <email address hidden> Fri, 18 Sep 2020 10:26:16 -0400
-
busybox (1:1.27.2-2ubuntu3.2) bionic-security; urgency=medium
* SECURITY UPDATE: buffer overflow in wget
- debian/patches/CVE-2018-1000517.patch: check chunk length in
networking/wget.c.
- CVE-2018-1000517
* SECURITY UPDATE: out-of-bounds read in udhcp
- debian/patches/CVE-2018-20679.patch: check that 4-byte options are
indeed 4-byte in networking/udhcp/common.*,
networking/udhcp/dhcpc.c, networking/udhcp/dhcpd.c.
- CVE-2018-20679
* SECURITY UPDATE: incomplete fix for out-of-bounds read in udhcp
- debian/patches/CVE-2019-5747.patch: when decoding DHCP_SUBNET, ensure
it is 4 bytes long in networking/udhcp/common.*,
networking/udhcp/dhcpc.c.
- CVE-2019-5747
-- Marc Deslauriers <email address hidden> Wed, 06 Mar 2019 15:51:41 -0500
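The two udhcp entries above (CVE-2018-20679 and its follow-up CVE-2019-5747) both come down to the same defensive check: an option such as DHCP_SUBNET has a fixed 4-byte payload, and the parser must verify both that the advertised length fits inside the packet and that it equals the length the type requires before reading it. The following is an added illustration of that check written for this changelog, not busybox's udhcp code; the option codes are the standard DHCP values, while the function and constant names are my own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Standard DHCP option codes (RFC 2132). */
#define DHCP_PADDING   0
#define DHCP_SUBNET    1
#define DHCP_MSG_TYPE 53
#define DHCP_END     255

/* Walk a DHCP options area looking for `code`.
 * Returns the number of bytes copied into `out`, 0 if the option is absent,
 * or -1 if the options area is malformed (length byte missing, option body
 * running past the end of the buffer, or a fixed-size option whose length
 * byte does not match `expected_len`). The last case is the "4-byte options
 * are indeed 4-byte" check from the entries above: without it, a reader that
 * assumes 4 bytes would read past the end of a shorter option. */
int dhcp_get_option(const uint8_t *opts, size_t len, uint8_t code,
                    size_t expected_len, uint8_t *out, size_t out_size)
{
    size_t i = 0;
    while (i < len) {
        uint8_t c = opts[i];
        if (c == DHCP_PADDING) { i++; continue; }   /* pad has no length byte */
        if (c == DHCP_END) return 0;                 /* end marker, not found */
        if (i + 1 >= len) return -1;                 /* no room for length byte */
        size_t olen = opts[i + 1];
        if (i + 2 + olen > len) return -1;           /* body overruns buffer */
        if (c == code) {
            if (expected_len != 0 && olen != expected_len) return -1;
            if (olen > out_size) return -1;
            memcpy(out, &opts[i + 2], olen);
            return (int)olen;
        }
        i += 2 + olen;
    }
    return 0;   /* ran off the end without an END marker; treat as absent */
}

/* Constructed sample option areas (not captured traffic). */
static const uint8_t kGoodOpts[]    = { DHCP_MSG_TYPE, 1, 2,
                                        DHCP_SUBNET, 4, 255, 255, 255, 0,
                                        DHCP_END };
static const uint8_t kShortSubnet[] = { DHCP_SUBNET, 2, 255, 255, DHCP_END };
static const uint8_t kTruncated[]   = { DHCP_SUBNET, 4, 255, 255 };
static const uint8_t kNoSubnet[]    = { DHCP_MSG_TYPE, 1, 2, DHCP_END };

static int lookup_subnet(const uint8_t *opts, size_t len)
{
    uint8_t mask[4];
    return dhcp_get_option(opts, len, DHCP_SUBNET, 4, mask, sizeof mask);
}

int check_good(void)      { return lookup_subnet(kGoodOpts, sizeof kGoodOpts); }
int check_short(void)     { return lookup_subnet(kShortSubnet, sizeof kShortSubnet); }
int check_truncated(void) { return lookup_subnet(kTruncated, sizeof kTruncated); }
int check_absent(void)    { return lookup_subnet(kNoSubnet, sizeof kNoSubnet); }

int main(void)
{
    printf("well-formed subnet option: %d\n", check_good());      /* 4  */
    printf("2-byte subnet option:      %d\n", check_short());     /* -1 */
    printf("truncated option body:     %d\n", check_truncated()); /* -1 */
    printf("option absent:             %d\n", check_absent());    /* 0  */
    return 0;
}
```

Passing `expected_len` as 0 turns the fixed-size check off for variable-length options such as hostnames, so the same walker serves both kinds; a caller that needs a 4-byte value never sees a shorter one.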
-
busybox (1:1.27.2-2ubuntu3.1) bionic; urgency=medium
* Fix symlink handling (LP: #1753572)
- debian/patches/CVE-2011-5325-2.patch: re-enable patch.
- debian/patches/CVE-2011-5325-3.patch: postpone creation of symlinks
with "suspicious" targets in archival/libarchive/data_extract_all.c,
archival/libarchive/unsafe_symlink_target.c, archival/tar.c,
include/bb_archive.h, testsuite/tar.tests.
- debian/patches/CVE-2011-5325-4.patch: extract "unsafe" symlinks
the same way tar/unzip does in archival/cpio.c.
- debian/patches/CVE-2011-5325-5.patch: fix symlink creation in
archival/libarchive/get_header_ar.c.
-- Marc Deslauriers <email address hidden> Thu, 17 Jan 2019 13:16:38 -0500
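The CVE-2011-5325 entries describe postponing the creation of symlinks with "suspicious" targets during archive extraction, so that a later archive member cannot be written through a link that points outside the extraction directory. As an added illustration for this changelog, not busybox's libarchive code, the check below treats a target as unsafe when it is absolute or contains a `..` path component; the function names and the constructed archive listing are my own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if a symlink target should be deferred rather than created
 * immediately during extraction: absolute targets, or any ".." component,
 * can point outside the directory being extracted into. Everything else
 * stays inside the extraction tree and is safe to create in place. */
int symlink_target_is_unsafe(const char *target)
{
    if (target[0] == '/')
        return 1;
    const char *p = target;
    while (*p) {
        const char *seg = p;
        while (*p && *p != '/')
            p++;
        if (p - seg == 2 && seg[0] == '.' && seg[1] == '.')
            return 1;                /* a ".." component */
        while (*p == '/')
            p++;                     /* skip separators, including "//" */
    }
    return 0;
}

/* A constructed archive listing of symlink members: link name -> target. */
struct link_entry { const char *name; const char *target; };
static const struct link_entry kSample[] = {
    { "docs/readme",   "README.md" },
    { "etc-passwd",    "/etc/passwd" },
    { "escape",        "../../outside" },
    { "dotdot-name",   "..hidden/file" },
    { "build/lib",     "src/lib" },
    { "loop",          "a/../b" },
};
#define NSAMPLE (sizeof kSample / sizeof kSample[0])

/* Partition the listing the way a two-pass extractor would: safe links are
 * created during the main pass, unsafe ones only after all regular files
 * have been written. Returns the number of deferred links. */
size_t plan_symlinks(const struct link_entry *entries, size_t n,
                     size_t *deferred_idx, size_t max_deferred)
{
    size_t deferred = 0;
    for (size_t i = 0; i < n; i++) {
        if (symlink_target_is_unsafe(entries[i].target)) {
            if (deferred < max_deferred)
                deferred_idx[deferred] = i;
            deferred++;
        }
    }
    return deferred;
}

size_t count_deferred_in_sample(void)
{
    size_t idx[NSAMPLE];
    return plan_symlinks(kSample, NSAMPLE, idx, NSAMPLE);
}

int main(void)
{
    size_t idx[NSAMPLE];
    size_t n = plan_symlinks(kSample, NSAMPLE, idx, NSAMPLE);
    printf("%zu of %zu symlinks deferred:\n", n, (size_t)NSAMPLE);
    for (size_t i = 0; i < n; i++)
        printf("  %s -> %s\n", kSample[idx[i]].name, kSample[idx[i]].target);
    return 0;
}
```

Deferring rather than refusing keeps legitimate archives working (a link to `../lib` inside a source tree is common) while guaranteeing that no file in the same archive is ever written through such a link, which is the property the patch series above restores after the temporary disable in 1.27.2-2ubuntu3.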
-
busybox (1:1.27.2-2ubuntu3) bionic; urgency=medium
* debian/patches/CVE-2011-5325-2.patch: disable patch for now as the
behaviour is relied upon by debootstrap. (LP: #1737662)
-- Marc Deslauriers <email address hidden> Tue, 12 Dec 2017 12:58:01 -0500
-
busybox (1:1.27.2-2ubuntu2) bionic; urgency=medium
* Fix missing new config setting for Ubuntu flavors.
-- Steve Langasek <email address hidden> Wed, 06 Dec 2017 22:14:46 +0000
-
busybox (1:1.27.2-2ubuntu1) bionic; urgency=low
* Merge from Debian unstable.
- Fixes problem with linux boot parameters not being copied to
busybox environment, and breaking preseeding. LP: #1736421.
* Remaining changes:
- [udeb] Enable chvt, killall, losetup, od, and stat.
- test-bin.patch: Move test and friends to /bin.
- static-sh-alias.patch: Add static-sh alias name for ash, and install
/bin/static-sh symlink to busybox in busybox-static.
- Add busybox-initramfs.
- Enable chpasswd in standard and static builds (needed by LXC).
- Move zz-busybox to busybox-initramfs to ensure we get links to all
the tools we need, stop shipping it anywhere else.
- Prefer busybox commands over klibc commands where there is duplication.
- Add Ubuntu configuration for busybox binaries.
- debian/patches/CVE-2011-5325-2.patch: do not extract unsafe symlinks
unless env variable is set in archival/libarchive/Kbuild.src,
archival/libarchive/data_extract_all.c,
archival/libarchive/unsafe_symlink_target.c, archival/tar.c,
coreutils/link.c, include/bb_archive.h, libbb/copy_file.c,
testsuite/tar.tests.
* Dropped changes, included in Debian:
- readlink-in-slash-bin.patch: move readlink to /bin.
- debian/patches/CVE-2017-15874.patch: add another check to
archival/libarchive/decompress_unlzma.c.
- debian/patches/CVE-2017-16544.patch: check for control characters in
libbb/lineedit.c.
- debian/patches/CVE-2017-15873.patch: fix runCnt overflow in
archival/libarchive/decompress_bunzip2.c.
busybox (1:1.27.2-2) unstable; urgency=medium
* Trigger an initramfs rebuild on installation. (Closes: #549022)
* Temporarily re-enable invalid variable names in the udeb flavour for
debian-installer.
* Install the readlink binary in /bin. (Closes: #801850)
* Fix integer overflow in bzip2 decompression [CVE-2017-15874].
(Closes: #879732)
* Fix integer underflow in LZMA decompressor [CVE-2017-15874].
(Closes: #879732)
* Prevent tab completion for strings containing control characters
[CVE-2017-16544].
* Debian packaging changes:
- Update debian/control:
- Update Standards-Version to 4.1.1.
- Change Priority to optional for all packages.
- Remove obsolete debian/gbp.conf.
- Update debian/watch:
- Switch to format=4.
- Use HTTPS URI.
-- Steve Langasek <email address hidden> Wed, 06 Dec 2017 11:35:12 -0800
-
busybox (1:1.27.2-1ubuntu4) bionic; urgency=medium
* SECURITY UPDATE: directory traversal via tar symlink extraction
- debian/patches/CVE-2011-5325-2.patch: do not extract unsafe symlinks
unless env variable is set in archival/libarchive/Kbuild.src,
archival/libarchive/data_extract_all.c,
archival/libarchive/unsafe_symlink_target.c, archival/tar.c,
coreutils/link.c, include/bb_archive.h, libbb/copy_file.c,
testsuite/tar.tests.
- CVE-2011-5325
* SECURITY UPDATE: integer overflow in get_next_block
- debian/patches/CVE-2017-15873.patch: fix runCnt overflow in
archival/libarchive/decompress_bunzip2.c.
- CVE-2017-15873
* SECURITY UPDATE: integer underflow in unlzma
- debian/patches/CVE-2017-15874.patch: add another check to
archival/libarchive/decompress_unlzma.c.
- CVE-2017-15874
* SECURITY UPDATE: code execution in tab autocomplete feature
- debian/patches/CVE-2017-16544.patch: check for control characters in
libbb/lineedit.c.
- CVE-2017-16544
-- Marc Deslauriers <email address hidden> Fri, 24 Nov 2017 12:55:21 -0500
-
busybox (1:1.27.2-1ubuntu3) bionic; urgency=medium
* static-sh-alias.patch: port for 1.27.2 to fix the FTBFS.
-- Steve Langasek <email address hidden> Thu, 26 Oct 2017 09:24:22 -0700
-
busybox (1:1.27.2-1ubuntu2) bionic; urgency=medium
* Fix up a few missed config reconciliations for busybox-initramfs.
-- Steve Langasek <email address hidden> Thu, 26 Oct 2017 14:55:05 +0000
-
busybox (1:1.27.2-1ubuntu1) bionic; urgency=low
* Merge from Debian unstable. Remaining changes:
- [udeb] Enable chvt, killall, losetup, od, and stat.
- test-bin.patch: Move test and friends to /bin.
- static-sh-alias.patch: Add static-sh alias name for ash, and install
/bin/static-sh symlink to busybox in busybox-static.
- Add busybox-initramfs.
- Enable chpasswd in standard and static builds (needed by LXC).
- Move zz-busybox to busybox-initramfs to ensure we get links to all
the tools we need, stop shipping it anywhere else.
- Prefer busybox commands over klibc commands where there is duplication.
- Add Ubuntu configuration for busybox binaries.
- readlink-in-slash-bin.patch: move readlink to /bin.
* Refresh busybox-initramfs config to keep it in sync with the featureset
of the other builds.
- FEATURE_USE_TERMIOS dropped upstream.
- FEATURE_STAT_FILESYSTEM enabled.
- disable FDFLUSH.
busybox (1:1.27.2-1) unstable; urgency=medium
* New upstream release. This addresses:
- Segmentation fault when creating compressed tar files. (Closes: #812074)
- Pointer misuse unzipping files. (Closes: #803097)
- Buffer overflow in the DHCP client [CVE-2016-2148]. (Closes: #818497)
- Integer overflow in the DHCP client [CVE-2016-2147]. (Closes: #818499)
* Postpone creation of symlinks with "suspicious" targets [CVE-2011-5325].
(Closes: #802702)
* Re-enable the test suite during build. (Closes: #794526)
* udhcpc: correct a typo in /etc/udhcpc/default.script. (Closes: #873472)
* Debian packaging changes:
- Run wrap-and-sort -st.
- Update debian/control:
- Replace Uploaders with myself and Christoph Biedl. Many thanks to
Bastian Blank and Michael Tokarev for having maintained busybox for
many years prior.
- Remove Build-Depends to avoid ancient broken libc-dev-bin.
- Bump Build-Depends on debhelper to >= 10.
- Rewrite debian/rules:
- Simplify and use the dh sequencer.
- Remove test for ancient broken libc6 versions with static binaries.
- Strip -O2 from CFLAGS, falling back to -Os from the busybox
configuration.
- Abort the build if 'make oldconfig' changes the configuration at all.
- Update busybox build configuration files for the new upstream release.
- The udeb configuration mostly hasn't changed, but enable fgrep,
blkdiscard, bzcat and lsscsi.
- The deb and static configurations have had upstream recommendations
enabled for new options.
- Switch to debhelper compatibility level 10.
- Add Depends on lsb-base to busybox-syslogd and udhcpd.
- Update debian/.gitignore.
- Update Standards-Version to 4.0.1:
- Disable tests that require networking.
-- Steve Langasek <email address hidden> Wed, 25 Oct 2017 23:23:50 -0700
-
busybox (1:1.22.0-19ubuntu2) yakkety; urgency=medium
* debian/patches/readlink-in-slash-bin.patch: put readlink in /bin/
like coreutils. Closes LP: #1615021.
-- Steve Langasek <email address hidden> Tue, 23 Aug 2016 12:36:39 -0700