[Git][security-tracker-team/security-tracker][master] Add new busybox issue CVE-2018-20679

Salvatore Bonaccorso carnil at debian.org
Wed Jan 9 20:26:06 GMT 2019 

Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
1b01f43e by Salvatore Bonaccorso at 2019-01-09T20:24:21Z
Add new busybox issue CVE-2018-20679

There is as well CVE-2019-5747 which got assigned for an initial
incomplete fix for CVE-2018-20679. Thus not affecting any released
version in Debian.

When fixing CVE-2018-20679 it is just important to apply the complete
fix to not open up CVE-2019-5747 itself.

Add respective notes to the CVE-2018-20679 entry.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -11,7 +11,9 @@ CVE-2019-5749
 CVE-2019-5748 (In Traccar Server version 4.2, protocol/SpotProtocolDecoder.java might ...)
 	TODO: check
 CVE-2019-5747 (An issue was discovered in BusyBox through 1.30.0. An out of bounds ...)
-	TODO: check
+	- busybox <not-affected> (Incomplete fix for CVE-2018-20679 not applied)
+	NOTE: https://bugs.busybox.net/show_bug.cgi?id=11506
+	NOTE: https://git.busybox.net/busybox/commit/?id=74d9f1ba37010face4bd1449df4d60dd84450b06
 CVE-2019-5746
 	RESERVED
 CVE-2019-5745
@@ -35,7 +37,13 @@ CVE-2019-5737
 CVE-2018-20680 (Frog CMS 0.9.5 has XSS in the admin/?/page/edit/1 body field. ...)
 	TODO: check
 CVE-2018-20679 (An issue was discovered in BusyBox before 1.30.0. An out of bounds read ...)
-	TODO: check
+	- busybox <unfixed>
+	NOTE: https://bugs.busybox.net/show_bug.cgi?id=11506
+	NOTE: https://git.busybox.net/busybox/commit/?id=6d3b4bb24da9a07c263f3c1acf8df85382ff562c
+	NOTE: When fixing this issue make sure to not open CVE-2019-5747 by only
+	NOTE: applying the partial fix. The followup commit
+	NOTE: https://git.busybox.net/busybox/commit/?id=74d9f1ba37010face4bd1449df4d60dd84450b06
+	NOTE: is needed to fix the issue completely.
 CVE-2018-20678
 	RESERVED
 CVE-2019-5736



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1b01f43e34481dd27e09eb166a794a707c5e9d6c

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1b01f43e34481dd27e09eb166a794a707c5e9d6c
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20190109/281266bb/attachment.html>

More information about the debian-security-tracker-commits mailing list