On 4/24/25 7:57 PM, Solar Designer wrote:
> On Thu, Apr 24, 2025 at 07:09:44PM -0400, Demi Marie Obenour wrote:
>> On 4/24/25 3:09 AM, Albert Veli wrote:
>>> On Wed, Apr 23, 2025 at 10:51 PM Salvatore Bonaccorso
>>> wrote:
FTR, this one has assigned CVE-2025-46394
...
FTR, this one
On Thu, Apr 24, 2025 at 07:09:44PM -0400, Demi Marie Obenour wrote:
> On 4/24/25 3:09 AM, Albert Veli wrote:
> > On Wed, Apr 23, 2025 at 10:51 PM Salvatore Bonaccorso
> > wrote:
> >> FTR, this one has assigned CVE-2025-46394
> >> ...
> >> FTR, this one has CVE-2024-58251 assigned.
> >
> > From w
On 4/24/25 3:09 AM, Albert Veli wrote:
> Hi,
>
> On Wed, Apr 23, 2025 at 10:51 PM Salvatore Bonaccorso
> wrote:
>
>>
>> FTR, this one has assigned CVE-2025-46394
>> ...
>> FTR, this one has CVE-2024-58251 assigned.
>
> From what I can tell the latest release is busybox-1.37.0. Are these fixed
>
On Thursday, 24 April 2025 at 17:16 Albert Veli wrote:
> On Wed, Apr 23, 2025 at 10:51 PM Salvatore Bonaccorso
> wrote:
> > FTR, this one has assigned CVE-2025-46394
> From what I can tell the latest release is busybox-1.37.0. Are these fixed
> in this release? If not, do you have any link to p
On Wednesday 23 April 2025 at 17:04 Jakub Wilk wrote
> > CVE-2023-39810
> But it seems busybox committed a different patch, which looks good:
> https://git.busybox.net/busybox/commit/?id=9a8796436b9b0641
> ("archival: disallow path traversals (CVE-2023-39810)")
>
> The essence of the patch is:
>
>
Hi,
On Wed, Apr 23, 2025 at 10:51 PM Salvatore Bonaccorso
wrote:
>
> FTR, this one has assigned CVE-2025-46394
> ...
> FTR, this one has CVE-2024-58251 assigned.
From what I can tell the latest release is busybox-1.37.0. Are these fixed
in this release? If not, do you have any link to patches
Hi,
On Wed, Apr 23, 2025 at 02:11:44PM +, Ian Norton wrote:
>
> https://bugs.busybox.net/show_bug.cgi?id=16018 (awaiting CVE)
>
> Busybox's cpio and tar tools will print un-escaped filenames when listing and
> unpacking
> cpio and tar files. Malicious files containing filenames with termin
Hi,
On Wed, Apr 23, 2025 at 05:38:17PM +0200, Ricardo Branco wrote:
> I reported this one in busybox's netstat a year ago:
>
> https://bugs.busybox.net/show_bug.cgi?id=15922
>
>
> The whole code needs a security audit for ANSI escapes like this.
FTR, this one has CVE-2024-58251 assigned.
Rega
* Ian Norton, 2025-04-23 14:11:
https://security-tracker.debian.org/tracker/CVE-2023-39810
This is: "An issue in the CPIO command of Busybox v1.33.2 allows
attackers to execute a directory traversal."
see also https://lists.busybox.net/pipermail/busybox/2024-July/090851.html
This patch a
I reported this one in busybox's netstat a year ago:
https://bugs.busybox.net/show_bug.cgi?id=15922
The whole code needs a security audit for ANSI escapes like this.
Best,
R
On 4/23/25 4:11 PM, Ian Norton wrote:
https://bugs.busybox.net/show_bug.cgi?id=16018 (awaiting CVE)
Busybox's cpi
https://bugs.busybox.net/show_bug.cgi?id=16018 (awaiting CVE)
Busybox's cpio and tar tools will print un-escaped filenames when listing and
unpacking
cpio and tar files. Malicious files containing filenames with terminal escapes
can be used
to mask or modify earlier or later files in the archi
11 matches