[Git][security-tracker-team/security-tracker][master] CVE-2023-42363/busybox - document triage with poc results.

Tobias Frost (@tobi) tobi at debian.org
Sat Jan 11 15:55:13 GMT 2025



Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker


Commits:
3a370da8 by Tobias Frost at 2025-01-11T16:50:44+01:00
CVE-2023-42363/busybox - document triage with poc results.

The instructions on how to run the poc and the data files are in the upstream ticket.

poc triggers on bookworm, but not on bullseye, details below.

For CVE-2021-42377 remove not-affected annotation for ELTS so that this
is aligned with the usage of the state. Thanks to carnil for their in-depth exploration.

bookworm:
SUMMARY: AddressSanitizer: heap-use-after-free (/home/tobi/workspace/deb/Xlts/Repositories/busybox/unstable/busybox-1.35.0/busybox_unstripped+0x4a2036) (BuildId: cc32b22f94f821d020fdcf2b02f27c6819feb733)
Shadow bytes around the buggy address:
==429114==ABORTING
Aborted

bullseye only reports some leaks:

================================================================
==206956==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 768 byte(s) in 24 object(s) allocated from:
    #0 0x49d90d  (/home/tobi/build/busybox-poc/busybox_unstripped+0x49d90d)
    #1 0x4d7292  (/home/tobi/build/busybox-poc/busybox_unstripped+0x4d7292)
    #2 0x4c85e5  (/home/tobi/build/busybox-poc/busybox_unstripped+0x4c85e5)

Direct leak of 32 byte(s) in 1 object(s) allocated from:
    #0 0x49d90d  (/home/tobi/build/busybox-poc/busybox_unstripped+0x49d90d)
    #1 0x4d7292  (/home/tobi/build/busybox-poc/busybox_unstripped+0x4d7292)
    #2 0xe251a8  (/home/tobi/build/busybox-poc/busybox_unstripped+0xe251a8)
    #3 0x4c85e5  (/home/tobi/build/busybox-poc/busybox_unstripped+0x4c85e5)

Indirect leak of 64 byte(s) in 2 object(s) allocated from:
    #0 0x49d90d  (/home/tobi/build/busybox-poc/busybox_unstripped+0x49d90d)
    #1 0x4d7292  (/home/tobi/build/busybox-poc/busybox_unstripped+0x4d7292)
    #2 0x4c85e5  (/home/tobi/build/busybox-poc/busybox_unstripped+0x4c85e5)

SUMMARY: AddressSanitizer: 864 byte(s) leaked in 27 allocation(s).

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -110317,7 +110317,8 @@ CVE-2023-42363 (A use-after-free vulnerability was discovered in xasprintf funct
 	[bullseye] - busybox <no-dsa> (Minor issue)
 	[buster] - busybox <no-dsa> (Minor issue)
 	NOTE: https://bugs.busybox.net/show_bug.cgi?id=15865
-	NOTE: https://git.busybox.net/busybox/commit/?id=fb08d43d44d1fea1f741fafb9aa7e1958a5f69aa (1_37_0)
+	NOTE: The abov ticket contains a poc, poc triggers on bookworm but not on bullseye.
+	NOTE: https://git.busybox.net/busybox/commit/?id=fb08d43d44d1fea1f741fafb9aa7e1958a5f69aa (1_37_0
 CVE-2023-3545 (Improper sanitisation in `main/inc/lib/fileUpload.lib.php` in Chamilo  ...)
 	NOT-FOR-US: Chamilo LMS
 CVE-2023-3533 (Path traversal in file upload functionality in `/main/webservices/addi ...)
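Review bot: the re-added commit NOTE on the `+` line `NOTE: https://git.busybox.net/busybox/commit/?id=fb08d43d44d1fea1f741fafb9aa7e1958a5f69aa (1_37_0` drops the closing parenthesis that the removed line had (`(1_37_0)`); please restore it so the version tag stays consistent with the other entries. The preceding added line also has a typo, `abov` for `above`.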
@@ -263205,8 +263206,6 @@ CVE-2021-42378 (A use-after-free in Busybox's awk applet leads to denial of serv
 	NOTE: https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
 CVE-2021-42377 (An attacker-controlled pointer free in Busybox's hush applet leads to  ...)
 	- busybox 1:1.35.0-1 (bug #999567; unimportant)
-	[buster] - busybox <not-affected> (CONFIG_HUSH is not set)
-	[stretch] - busybox <not-affected> (CONFIG_HUSH is not set)
 	NOTE: https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
 	NOTE: CONFIG_HUSH is not set to build hush
 CVE-2021-42376 (A NULL pointer dereference in Busybox's hush applet leads to denial of ...)
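Review bot: with the `[buster]` and `[stretch]` `<not-affected>` lines removed, the remaining `NOTE: CONFIG_HUSH is not set to build hush` no longer states which suites' builds it refers to; consider qualifying it in the NOTE, since the reason for the change is given only in the commit message and not in the list entry itself.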



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3a370da8685fe6153463df8346f3f4110cb1107f
