BusyBox: Multiple vulnerabilities — GLSA 201803-12

Multiple vulnerabilities have been found in BusyBox, the worst of which could allow remote attackers to execute arbitrary code.

Affected Packages

sys-apps/busybox on all architectures
Affected versions < 1.28.0
Unaffected versions >= 1.28.0

Background

BusyBox is a set of tools for embedded systems and is a replacement for GNU Coreutils.

Description

Multiple vulnerabilities have been discovered in BusyBox. Please review the CVE identifiers referenced below for details.

Impact

A remote attacker could possibly execute arbitrary code with the privileges of the process, cause a Denial of Service condition, or have other unspecified impacts.

Workaround

There is no known workaround at this time.

Resolution

All BusyBox users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=sys-apps/busybox-1.28.0"
 

References

Release Date
March 26, 2018

Latest Revision
March 26, 2018: 1

Severity
normal

Exploitable
remote

Bugzilla entries