[Git][security-tracker-team/security-tracker][master] CVE-2023-42363/busybox - document triage with poc results.
Tobias Frost (@tobi)
tobi at debian.org
Sat Jan 11 15:55:13 GMT 2025
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker
Commits:
3a370da8 by Tobias Frost at 2025-01-11T16:50:44+01:00
CVE-2023-42363/busybox - document triage with poc results.
The instructions on how to run the poc and the data files are in the upstream ticket.
poc triggers on bookworm, but not on bullseye, details below.
For CVE-2021-42377 remove not-affected annotation for ELTS so that this
is aligned with the usage of the state. Thanks to carnil for their in-depth explanation.
bookworm:
SUMMARY: AddressSanitizer: heap-use-after-free (/home/tobi/workspace/deb/Xlts/Repositories/busybox/unstable/busybox-1.35.0/busybox_unstripped+0x4a2036) (BuildId: cc32b22f94f821d020fdcf2b02f27c6819feb733)
Shadow bytes around the buggy address:
0x502000023480: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x502000023500: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x502000023580: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x502000023600: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x502000023680: fa fa fd fa fa fa fd fa fa fa fd fa fa fa 02 fa
=>0x502000023700: fa fa[fd]fa fa fa fd fa fa fa fd fa fa fa fd fa
0x502000023780: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd
0x502000023800: fa fa 02 fa fa fa fa fa fa fa fa fa fa fa fa fa
0x502000023880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x502000023900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x502000023980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==429114==ABORTING
Aborted
bullseye only reports some leaks:
================================================================
==206956==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 768 byte(s) in 24 object(s) allocated from:
#0 0x49d90d (/home/tobi/build/busybox-poc/busybox_unstripped+0x49d90d)
#1 0x4d7292 (/home/tobi/build/busybox-poc/busybox_unstripped+0x4d7292)
#2 0x4c85e5 (/home/tobi/build/busybox-poc/busybox_unstripped+0x4c85e5)
Direct leak of 32 byte(s) in 1 object(s) allocated from:
#0 0x49d90d (/home/tobi/build/busybox-poc/busybox_unstripped+0x49d90d)
#1 0x4d7292 (/home/tobi/build/busybox-poc/busybox_unstripped+0x4d7292)
#2 0xe251a8 (/home/tobi/build/busybox-poc/busybox_unstripped+0xe251a8)
#3 0x4c85e5 (/home/tobi/build/busybox-poc/busybox_unstripped+0x4c85e5)
Indirect leak of 64 byte(s) in 2 object(s) allocated from:
#0 0x49d90d (/home/tobi/build/busybox-poc/busybox_unstripped+0x49d90d)
#1 0x4d7292 (/home/tobi/build/busybox-poc/busybox_unstripped+0x4d7292)
#2 0x4c85e5 (/home/tobi/build/busybox-poc/busybox_unstripped+0x4c85e5)
SUMMARY: AddressSanitizer: 864 byte(s) leaked in 27 allocation(s).
- - - - -
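The two sanitizer runs above are compared by eye: a heap-use-after-free summary plus ABORTING on bookworm versus a LeakSanitizer-only summary on bullseye. The script below is an added example, not part of this commit or of the security tracker, that makes that comparison mechanical so the same PoC can be run across several suite builds and classified consistently. The two report strings are constructed excerpts modelled on the output quoted in the commit message (full reports carry stack frames and the shadow-byte dump, which triage does not need); the function names triage and affected_suites and the MEMORY_SAFETY_KINDS set are assumptions of this example.

```python
import re

# Constructed excerpts modelled on the two sanitizer runs quoted in the commit
# message above; not the complete reports.
BOOKWORM_REPORT = """\
SUMMARY: AddressSanitizer: heap-use-after-free (/home/tobi/workspace/deb/Xlts/Repositories/busybox/unstable/busybox-1.35.0/busybox_unstripped+0x4a2036) (BuildId: cc32b22f94f821d020fdcf2b02f27c6819feb733)
==429114==ABORTING
"""

BULLSEYE_REPORT = """\
==206956==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 768 byte(s) in 24 object(s) allocated from:
    #0 0x49d90d (/home/tobi/build/busybox-poc/busybox_unstripped+0x49d90d)
SUMMARY: AddressSanitizer: 864 byte(s) leaked in 27 allocation(s).
"""

# The SUMMARY line is the one stable anchor in a sanitizer report; everything
# else (frames, shadow bytes) varies with the build.
SUMMARY_RE = re.compile(r"^SUMMARY: (?P<tool>\w+Sanitizer): (?P<rest>.+)$", re.MULTILINE)
LEAK_RE = re.compile(r"^(?P<bytes>\d+) byte\(s\) leaked in (?P<allocs>\d+) allocation\(s\)\.$")
ABORT_RE = re.compile(r"^==(?P<pid>\d+)==ABORTING$", re.MULTILINE)

# ASan report kinds that mean the process hit a memory-safety fault (assumed
# list for this example). A leak summary is deliberately not in this set:
# LeakSanitizer runs at process exit, i.e. after the PoC input was processed
# without the bug firing, so leaks alone do not show the PoC triggered.
MEMORY_SAFETY_KINDS = {
    "heap-use-after-free", "heap-buffer-overflow", "stack-buffer-overflow",
    "global-buffer-overflow", "stack-use-after-return", "stack-use-after-scope",
    "double-free", "negative-size-param", "SEGV",
}


def triage(report: str) -> dict:
    """Classify one sanitizer run as 'triggers', 'leaks-only', 'clean' or 'unknown'."""
    result = {"tool": None, "kind": None, "aborted": False,
              "leaked_bytes": 0, "leaked_allocs": 0, "verdict": "clean"}
    if ABORT_RE.search(report):
        result["aborted"] = True
    m = SUMMARY_RE.search(report)
    if not m:
        # No SUMMARY line at all: the sanitizer had nothing to report.
        return result
    result["tool"] = m.group("tool")
    rest = m.group("rest")
    leak = LEAK_RE.match(rest)
    if leak:
        result["kind"] = "leak"
        result["leaked_bytes"] = int(leak.group("bytes"))
        result["leaked_allocs"] = int(leak.group("allocs"))
        result["verdict"] = "leaks-only"
        return result
    # For a fault report the kind is the first token, e.g. "heap-use-after-free".
    kind = rest.split(maxsplit=1)[0]
    result["kind"] = kind
    result["verdict"] = "triggers" if kind in MEMORY_SAFETY_KINDS else "unknown"
    return result


def affected_suites(runs: dict) -> list:
    """Return the suites whose run hit a memory-safety fault, in input order."""
    return [suite for suite, report in runs.items()
            if triage(report)["verdict"] == "triggers"]


if __name__ == "__main__":
    runs = {"bookworm": BOOKWORM_REPORT, "bullseye": BULLSEYE_REPORT}
    for suite, report in runs.items():
        print(f"{suite}: {triage(report)}")
    print("PoC triggers on:", ", ".join(affected_suites(runs)))
```

Feed each suite's captured stderr in as the report string; a run that ends in ABORTING with a fault kind is the one that justifies marking the suite affected, while a leaks-only run is the bullseye case above and says nothing either way about the use-after-free.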
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -110317,7 +110317,8 @@ CVE-2023-42363 (A use-after-free vulnerability was discovered in xasprintf funct
[bullseye] - busybox <no-dsa> (Minor issue)
[buster] - busybox <no-dsa> (Minor issue)
NOTE: https://bugs.busybox.net/show_bug.cgi?id=15865
- NOTE: https://git.busybox.net/busybox/commit/?id=fb08d43d44d1fea1f741fafb9aa7e1958a5f69aa (1_37_0)
+ NOTE: The abov ticket contains a poc, poc triggers on bookworm but not on bullseye.
+ NOTE: https://git.busybox.net/busybox/commit/?id=fb08d43d44d1fea1f741fafb9aa7e1958a5f69aa (1_37_0
CVE-2023-3545 (Improper sanitisation in `main/inc/lib/fileUpload.lib.php` in Chamilo ...)
NOT-FOR-US: Chamilo LMS
CVE-2023-3533 (Path traversal in file upload functionality in `/main/webservices/addi ...)
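Review bot: the re-added upstream commit NOTE drops the closing parenthesis: the removed line ends in "(1_37_0)" while the added line ends in "(1_37_0". The new NOTE line also reads "The abov ticket"; suggest "NOTE: The above ticket contains a poc; poc triggers on bookworm but not on bullseye." and restoring "(1_37_0)" on the commit URL line so the two NOTE lines match the existing format.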
@@ -263205,8 +263206,6 @@ CVE-2021-42378 (A use-after-free in Busybox's awk applet leads to denial of serv
NOTE: https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
CVE-2021-42377 (An attacker-controlled pointer free in Busybox's hush applet leads to ...)
- busybox 1:1.35.0-1 (bug #999567; unimportant)
- [buster] - busybox <not-affected> (CONFIG_HUSH is not set)
- [stretch] - busybox <not-affected> (CONFIG_HUSH is not set)
NOTE: https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
NOTE: CONFIG_HUSH is not set to build hush
CVE-2021-42376 (A NULL pointer dereference in Busybox's hush applet leads to denial of ...)
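Review bot: with the <not-affected> entries for buster and stretch removed, those suites now fall back on the package line "busybox 1:1.35.0-1 (bug #999567; unimportant)", while the retained NOTE "CONFIG_HUSH is not set to build hush" still records that the hush applet is not built. The reason for preferring unimportant over not-affected is only in the commit message, not in the file; consider extending that NOTE with a short statement that the ELTS suites are intentionally tracked as unimportant because of how the state is used, so the next triager does not reintroduce the annotations.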
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3a370da8685fe6153463df8346f3f4110cb1107f
--
You're receiving this email because of your account on salsa.debian.org.