GLSA Advocate
Joined: 12 May 2004 Posts: 2663
Posted: Wed Jun 17, 2015 6:26 pm Post subject: [ GLSA 201503-13 ] BusyBox
Gentoo Linux Security Advisory
Title: BusyBox: Multiple vulnerabilities (GLSA 201503-13)
Severity: normal
Exploitable: local, remote
Date: March 29, 2015
Bug(s): #515254, #537978
ID: 201503-13
Synopsis
Multiple vulnerabilities have been found in BusyBox, allowing
context-dependent attackers to load arbitrary kernel modules, execute
arbitrary files, or cause a Denial of Service condition.
Background
BusyBox is a set of tools for embedded systems and is a replacement for
GNU Coreutils.
Affected Packages
Package: sys-apps/busybox
Vulnerable: < 1.23.1
Unaffected: >= 1.23.1
Architectures: All supported architectures
Description
Multiple vulnerabilities have been discovered in BusyBox. Please review
the CVE identifiers referenced below for details.
Impact
A context-dependent attacker can load kernel modules without privileges
by nullifying enforced module prefixes. Execution of arbitrary files or
a Denial of Service can be caused through the included vulnerable LZO
library.
Workaround
There is no known workaround at this time.
Resolution
All BusyBox users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-apps/busybox-1.23.1"
References
CVE-2014-4607
CVE-2014-9645
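The affected-version range above, turned into a check that can be run against any BusyBox binary's banner line (an added example, not part of the advisory or of Gentoo's tooling). The function names and sample banner lines are constructed for illustration; the banner format `BusyBox vX.Y.Z (...)` is what the binary prints when run without arguments.

```sh
#!/bin/sh
# Added example: classify a BusyBox banner against the advisory's fixed version.
# Function names are hypothetical; sample banners below are constructed.

FIXED_VERSION="1.23.1"   # first unaffected version per GLSA 201503-13

# Pull "X.Y.Z" out of a banner line such as
# "BusyBox v1.22.1 (2015-01-10 12:00:00 UTC) multi-call binary."
banner_version() {
    printf '%s\n' "$1" | sed -n 's/^BusyBox v\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 when version $1 is lower than version $2. Fields are compared
# numerically, so 1.9.2 sorts below 1.23.1 (a string compare gets this wrong).
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; fb=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        fa=${fa:-0}; fb=${fb:-0}          # missing field counts as 0
        if [ "$fa" -lt "$fb" ]; then return 0; fi
        if [ "$fa" -gt "$fb" ]; then return 1; fi
    done
    return 1                               # equal versions
}

# Print "vulnerable", "unaffected" or "unknown" for one banner line.
classify_banner() {
    v=$(banner_version "$1")
    if [ -z "$v" ]; then
        echo unknown
    elif version_lt "$v" "$FIXED_VERSION"; then
        echo vulnerable
    else
        echo unaffected
    fi
}

# Constructed sample banners, then the local binary if one is on PATH.
for line in \
    "BusyBox v1.22.1 (2015-01-10 12:00:00 UTC) multi-call binary." \
    "BusyBox v1.23.1 (2015-03-29 12:00:00 UTC) multi-call binary."
do
    printf '%s -> %s\n' "$line" "$(classify_banner "$line")"
done
if command -v busybox >/dev/null 2>&1; then
    printf 'local busybox -> %s\n' "$(classify_banner "$(busybox 2>&1 | head -n 1)")"
fi
```

The banner carries only the upstream version, so for the installed sys-apps/busybox package the package manager's view remains authoritative.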