- Package: src:busybox
- Source: busybox
- Submitter: Moritz Muehlenhoff
- Date: 2022-07-06 09:21:02 UTC
- Severity: important
- Tags:
This issue was found by Alpine: https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661 Details and the patches they used are in the report above, but the patches are not yet merged upstream; it might be worth waiting until that's fixed, since the impact is rather low.

Cheers,
Moritz
Um, going to that link results in the (closed) Alpine bug from three weeks ago: "netstat is vulnerable to escape sequence injection (busybox)"

"Alpine ships BusyBox with the netstat applet enabled. This is vulnerable to escape sequence injection when used from a VT compatible terminal. To exploit this vulnerability the PTR for a remote host must contain an escape sequence and the victim has to execute netstat. I've set up an example at [elided] with the PTR resolving to \027[33\;46mlocalhost."

The string "e2fsprogs" appears nowhere on the page. I've done a search on Alpine/aports looking for "e2fsprogs" and could only find:

- e2fsprogs can be uninstalled manually on systems that depend on it #13584 · created 1 month ago by Álvaro Torralba, updated 1 month ago
- modloop verification fails with apline usb drive when local disk partition has a alpine installation #11136 · created 2 years ago by nico

Neither seems to be security related. Are you sure this was correctly filed against e2fsprogs?

- Ted
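As an added illustration of the bug class the quoted Alpine report describes (a resolved PTR name carrying a terminal escape sequence, printed verbatim by netstat), here is a small C program. It is not BusyBox code and not the patch Alpine carried; the hostname string, the function names and the netstat-style line format are constructed for the example. The sample PTR value starts with ESC (0x1b, decimal 27) followed by the SGR colour sequence "[33;46m", the same idea as the report's "\027[33\;46mlocalhost".

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample (not taken from the report): what a hostile PTR record
 * could resolve to. Byte 0 is ESC (0x1b), then the SGR sequence "[33;46m". */
static const char kEvilPtr[] = "\x1b[33;46mlocalhost";
static const char kGoodPtr[] = "localhost";

/* 1 if s contains a byte a VT-compatible terminal treats as a control code:
 * C0 controls (0x00-0x1f), DEL (0x7f) or C1 controls (0x80-0x9f); else 0. */
int has_terminal_control_bytes(const char *s)
{
    const unsigned char *p = (const unsigned char *)s;
    for (; *p; p++)
        if (*p < 0x20 || *p == 0x7f || (*p >= 0x80 && *p <= 0x9f))
            return 1;
    return 0;
}

/* Copy src into dst (capacity dstlen, always NUL-terminated), replacing each
 * control byte with '?'. Returns the number of bytes replaced. Tabs and
 * newlines are replaced too: a hostname has no legitimate use for them. */
size_t sanitize_for_terminal(const char *src, char *dst, size_t dstlen)
{
    const unsigned char *p = (const unsigned char *)src;
    size_t i = 0, replaced = 0;
    if (dstlen == 0)
        return 0;
    for (; *p && i < dstlen - 1; p++, i++) {
        if (*p < 0x20 || *p == 0x7f || (*p >= 0x80 && *p <= 0x9f)) {
            dst[i] = '?';
            replaced++;
        } else {
            dst[i] = (char)*p;
        }
    }
    dst[i] = '\0';
    return replaced;
}

/* Build one netstat-style line into out. sanitize == 0 interpolates the
 * resolved name verbatim (the injectable pattern); sanitize != 0 cleans it
 * first. Returns bytes written, or -1 if out is too small. */
int format_netstat_line(const char *resolved_host, unsigned port, int sanitize,
                        char *out, size_t outlen)
{
    char clean[256];
    const char *host = resolved_host;
    int n;
    if (sanitize) {
        sanitize_for_terminal(resolved_host, clean, sizeof clean);
        host = clean;
    }
    n = snprintf(out, outlen, "tcp  0  0 10.0.0.5:%u  %s:%u  ESTABLISHED",
                 port, host, port);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* 1 if the formatted line is free of terminal control bytes, 0 if it is not
 * (or if formatting failed). */
int netstat_line_is_clean(const char *resolved_host, int sanitize)
{
    char line[512];
    if (format_netstat_line(resolved_host, 22, sanitize, line, sizeof line) < 0)
        return 0;
    return !has_terminal_control_bytes(line);
}

/* 1 if sanitizing src yields exactly expected. */
int sanitizes_to(const char *src, const char *expected)
{
    char buf[256];
    sanitize_for_terminal(src, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    char line[512];
    /* The verbatim line is deliberately not printed: doing so would replay
     * the injection on the terminal running this program. */
    printf("verbatim line clean: %d\n", netstat_line_is_clean(kEvilPtr, 0));
    format_netstat_line(kEvilPtr, 22, 1, line, sizeof line);
    printf("sanitized: %s\n", line);
    return 0;
}
```

The filter is applied at the output boundary, just before the string reaches the terminal, rather than at resolver time, so every code path that prints a name benefits. Treating 0x80-0x9f as controls is a deliberate choice: names handed back by the resolver are ASCII (internationalised names arrive punycode-encoded), so mangling those bytes costs nothing, while leaving them through would let a terminal that honours C1 controls (CSI is 0x9b) be driven without any ESC byte at all.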
and I must have mis-pasted the wrong Emacs buffer into the report. The correct references are:

https://bugzilla.redhat.com/show_bug.cgi?id=2069726
https://bugzilla.redhat.com/show_bug.cgi?id=2068113

And the proposed patch was already posted at:

https://lore.kernel.org/linux-ext4/20220421173148.20193-1-lczerner@redhat.com/T/#u

Cheers,
Moritz
Hi Theodore, btw the BTS reference for the e2fsprogs issue is #1010263 and the CVE id CVE-2022-1304. #1010264 and CVE-2022-28391 are, respectively, for busybox. The bug was already reassigned accordingly earlier.

Regards,
Salvatore
Yes, I've noted that already. Apologies, I didn't get an e-mail notification for the bug getting reassigned; I should have double checked the BTS web page for the bug before replying.

Regards,

- Ted