Source: busybox Version: 1:1.27.2-1 Severity: grave Tags: security Hi,
the following vulnerability was published for busybox. I realize you know of the issue already but just filling to have a tracking bug as well in the BTS. CVE-2017-16544[0]: | In the add_match function in libbb/lineedit.c in BusyBox through | 1.27.2, the tab autocomplete feature of the shell, used to get a list | of filenames in a directory, does not sanitize filenames and results in | executing any escape sequence in the terminal. This could potentially | result in code execution, arbitrary file writes, or other attacks. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2017-16544 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16544 [1] https://git.busybox.net/busybox/commit/?id=c3797d40a1c57352192c6106cc0f435e7d9c11e8 Please adjust the affected versions in the BTS as needed, only unstable checked so far. Regards, Salvatore
