Solution
Please install the updated packages.
Insight
BusyBox provides a single binary that includes versions of a large number of system commands, including a shell. This can be very useful for recovering from certain types of system failures, particularly those involving broken shared libraries.
A buffer underflow flaw was found in the way the uncompress utility of BusyBox expanded certain archive files compressed using Lempel-Ziv compression. If a user were tricked into expanding a specially-crafted archive file with uncompress, it could cause BusyBox to crash or, potentially, execute arbitrary code with the privileges of the user running BusyBox. (CVE-2006-1168)
The BusyBox DHCP client, udhcpc, did not sufficiently sanitize certain options provided in DHCP server replies, such as the client hostname. A malicious DHCP server could send such an option with a specially-crafted value to a DHCP client. If this option's value was saved on the client system, and then later insecurely evaluated by a process that assumes the option is trusted, it could lead to arbitrary code execution with the privileges of that process. Note: udhcpc is not used on Red Hat Enterprise Linux by default, and no DHCP client script is provided with the busybox packages. (CVE-2011-2716)
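The defensive measure the udhcpc issue calls for is to validate an option value at the point where it is saved, before any later process can evaluate it. The following C code is an added example written for this page, not BusyBox's own code or its actual fix; the functions dhcp_hostname_is_safe and render_hostname_line are hypothetical names, and the sample values are constructed. It accepts only the characters a hostname may contain under RFC 1123 (letters, digits, hyphens inside labels, dots between labels), so shell metacharacters, whitespace, quotes and control bytes are rejected rather than written to the file a client script would later read.

```c
/* Added example (not BusyBox code): strict validation of the hostname
 * option from a DHCP server reply before it is saved for a client script. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_HOSTNAME 253   /* RFC 1123 limit for a full name */
#define MAX_LABEL     63   /* RFC 1123 limit for one label   */

/* Returns 1 if s is a syntactically valid hostname, 0 otherwise.
 * Every byte outside [A-Za-z0-9.-] is rejected, so nothing a shell
 * could interpret (';', '$', '`', quotes, spaces, newlines) passes. */
int dhcp_hostname_is_safe(const char *s)
{
    size_t len, i, label_len = 0;

    if (s == NULL) return 0;
    len = strlen(s);
    if (len == 0 || len > MAX_HOSTNAME) return 0;

    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '.') {
            /* empty label (leading dot or "..") or label ending in '-' */
            if (label_len == 0 || s[i - 1] == '-') return 0;
            label_len = 0;
            continue;
        }
        if (c == '-') {
            if (label_len == 0) return 0;   /* label may not start with '-' */
        } else if (!isalnum(c)) {
            return 0;                       /* anything else is rejected */
        }
        if (++label_len > MAX_LABEL) return 0;
    }
    /* final label must be non-empty and must not end in '-' */
    if (label_len == 0 || s[len - 1] == '-') return 0;
    return 1;
}

/* The save point: emit "HOSTNAME=<value>\n" only for a validated value.
 * Returns the number of bytes written, or -1 if the value was rejected
 * or did not fit in the output buffer. (Hypothetical helper.) */
int render_hostname_line(const char *value, char *out, size_t outsz)
{
    int n;
    if (!dhcp_hostname_is_safe(value)) return -1;
    n = snprintf(out, outsz, "HOSTNAME=%s\n", value);
    if (n < 0 || (size_t)n >= outsz) return -1;
    return n;
}

int main(void)
{
    /* constructed sample option values, not captured DHCP traffic */
    const char *samples[] = {
        "web01.example.net", "web01;id", "-bad.example", "a..b", "ok-host"
    };
    char line[300];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int n = render_hostname_line(samples[i], line, sizeof line);
        printf("%-20s -> %s", samples[i], n < 0 ? "rejected\n" : line);
    }
    return 0;
}
```

A whitelist of this kind is preferable to escaping: the value is never passed to a shell in any form, and a client script that sources the saved file only ever sees a string that cannot change its parsing.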
This update also fixes the following bugs:
* Prior to this update, the cp command wrongly returned exit code 0 (success) if a device ran out of space while copying files larger than 4 gigabytes. This update modifies BusyBox so that exit code 1 is returned in such situations, and the cp command now correctly reports whether the copy failed. (BZ#689659)
* Prior to this update, the findfs command failed to check all existing block devices on a system with thousands of block device nodes in "/dev/". This update modifies BusyBox so that findfs checks all block devices even in this case. (BZ#756723)
All users of busybox are advised to upgrade to these updated packages, which correct these issues.
Affected
busybox on Red Hat Enterprise Linux (v. 5 server)
References
Updated on 2015-03-25
Severity
CVE: CVE-2006-1168, CVE-2011-2716
CVSS Base Score: 7.5
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P