- Status Closed
- Percent Complete
- Task Type Security Issue
- Category Any
-
Assigned To
Emulatorman - Operating System All
- Severity High
- Priority High
- Reported Version Any
- Due in Version Starfix
-
Due Date
Undecided
- Votes
- Private
Attached to Project: Packages
Opened by bugmen0t - 20/11/2017
Last edited by Emulatorman - 22/11/2017
Opened by bugmen0t - 20/11/2017
Last edited by Emulatorman - 22/11/2017
FS#145 - [busybox] CVE-2017-16544: autocompletion vulnerability
Package: https://www.hyperbola.info/packages/community/x86_64/busybox/
https://www.twistlock.com/2017/11/20/cve-2017-16544-busybox-autocompletion-vulnerability/
In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of the shell, used to get a list of filenames in a directory, does not sanitize filenames and results in executing any escape sequence in the terminal. This could potentially result in code execution, arbitrary file writes, or other attacks.
Patch: https://git.busybox.net/busybox/commit/?id=c3797d40a1c57352192c6106cc0f435e7d9c11e8
Loading...
Available keyboard shortcuts
- Alt + ⇧ Shift + l Login Dialog / Logout
- Alt + ⇧ Shift + a Add new task
- Alt + ⇧ Shift + m My searches
- Alt + ⇧ Shift + t focus taskid search
Tasklist
- o open selected task
- j move cursor down
- k move cursor up
Task Details
- n Next task
- p Previous task
- Alt + ⇧ Shift + e ↵ Enter Edit this task
- Alt + ⇧ Shift + w watch task
- Alt + ⇧ Shift + y Close Task
Task Editing
- Alt + ⇧ Shift + s save task