USN-6961-1: BusyBox vulnerabilities
14 August 2024
Several security issues were fixed in BusyBox.
Releases
Packages
- busybox - Tiny utilities for small and embedded systems
Details
It was discovered that BusyBox did not properly validate user input when
performing certain arithmetic operations. If a user or automated system
were tricked into processing a specially crafted file, an attacker could
possibly use this issue to cause a denial of service, or execute arbitrary
code. (CVE-2022-48174)
It was discovered that BusyBox incorrectly managed memory when evaluating
certain awk expressions. An attacker could possibly use this issue to cause
a denial of service, or execute arbitrary code. This issue only affected
Ubuntu 24.04 LTS. (CVE-2023-42363, CVE-2023-42364, CVE-2023-42365)
Update instructions
The problem can be corrected by updating your system to the following package versions:
Ubuntu 24.04
-
busybox
-
1:1.36.1-6ubuntu3.1
-
busybox-initramfs
-
1:1.36.1-6ubuntu3.1
-
busybox-static
-
1:1.36.1-6ubuntu3.1
Ubuntu 22.04
-
busybox
-
1:1.30.1-7ubuntu3.1
-
busybox-initramfs
-
1:1.30.1-7ubuntu3.1
-
busybox-static
-
1:1.30.1-7ubuntu3.1
Ubuntu 20.04
-
busybox
-
1:1.30.1-4ubuntu6.5
-
busybox-initramfs
-
1:1.30.1-4ubuntu6.5
-
busybox-static
-
1:1.30.1-4ubuntu6.5
In general, a standard system update will make all the necessary changes.
References
Related notices
- USN-6335-1: busybox, busybox-syslogd, udhcpd, udhcpc, busybox-initramfs, busybox-static