[Git][security-tracker-team/security-tracker][master] CVE-2023-42363/busybox - triaging to identify introducing commit

Tobias Frost (@tobi) tobi at debian.org
Sat Jan 11 18:58:52 GMT 2025



Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker


Commits:
6291efc5 by Tobias Frost at 2025-01-11T19:53:07+01:00
CVE-2023-42363/busybox - triaging to identify introducing commit

Using the poc and git bisect to identify the first commit that triggers
the poc.

Very likely this is the source of the vulnerability, but no certain
proof it is, so not marking as "introduced by."

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -110332,7 +110332,8 @@ CVE-2023-42363 (A use-after-free vulnerability was discovered in xasprintf funct
 	[bullseye] - busybox <no-dsa> (Minor issue)
 	[buster] - busybox <no-dsa> (Minor issue)
 	NOTE: https://bugs.busybox.net/show_bug.cgi?id=15865
-	NOTE: The abov ticket contains a poc, poc triggers on bookworm but not on bullseye.
+	NOTE: The above ticket contains a poc, poc triggers on bookworm but not on bullseye.
+	NOTE: The poc starts triggering with https://github.com/mirror/busybox/commit/a885ce1af05c4eaa5ebcf883cb3da3433ca1c48b (1_34_0)
 	NOTE: https://git.busybox.net/busybox/commit/?id=fb08d43d44d1fea1f741fafb9aa7e1958a5f69aa (1_37_0)
 CVE-2023-3545 (Improper sanitisation in `main/inc/lib/fileUpload.lib.php` in Chamilo  ...)
 	NOT-FOR-US: Chamilo LMS
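
Review bot: The added NOTE for a885ce1af05c4eaa5ebcf883cb3da3433ca1c48b links to the github.com/mirror/busybox copy, while the fix reference on the next line uses git.busybox.net. Pointing both at the upstream repository (https://git.busybox.net/busybox/commit/?id=a885ce1af05c4eaa5ebcf883cb3da3433ca1c48b) would keep the entry consistent and independent of a third-party mirror. The NOTE also says only that the poc "starts triggering" there; the commit message explains that this came from a git bisect with the poc and that it is not confirmed as the introducing commit, and carrying that qualification into the NOTE itself (for example "found via git bisect with the poc, not confirmed as introducing commit") would keep later readers of data/CVE/list from treating 1_34_0 as an established introduction point when assessing bullseye and buster.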



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6291efc599ab21ce8b4422321c34eedf914567bf
