CVE-2017-15873 CVE-2017-16544 CVE-2018-1000517 Debian Bug : 902724 882258 879732 818497 818499 803097 802702
Busybox, utility programs for small and embedded systems, was affected by several security vulnerabilities. The Common Vulnerabilities and Exposures project identifies the following issues.
CVE-2011-5325
A path traversal vulnerability was found in Busybox implementation
of tar. tar will extract a symlink that points outside of the
current working directory and then follow that symlink when
extracting other files. This allows for a directory traversal
attack when extracting untrusted tarballs.
CVE-2013-1813
When device node or symlink in /dev should be created inside
2-or-deeper subdirectory (/dev/dir1/dir2.../node), the intermediate
directories are created with incorrect permissions.
CVE-2014-4607
An integer overflow may occur when processing any variant of a
"literal run" in the lzo1x_decompress_safe function. Each of these three locations is subject to an integer overflow when processing zero bytes. This exposes the code that copies literals to memory corruption.
CVE-2014-9645
The add_probe function in modutils/modprobe.c in BusyBox allows
local users to bypass intended restrictions on loading kernel
modules via a / (slash) character in a module name, as demonstrated
by an "ifconfig /usbserial up" command or a "mount -t /snd_pcm none
/" command.
CVE-2016-2147
Integer overflow in the DHCP client (udhcpc) in BusyBox allows
remote attackers to cause a denial of service (crash) via a
malformed RFC1035-encoded domain name, which triggers an
out-of-bounds heap write.
CVE-2016-2148
Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox
allows remote attackers to have unspecified impact via vectors
involving OPTION_6RD parsing.
CVE-2017-15873
The get_next_block function in archival/libarchive...
1:1.22.0-19+deb9u1