Oval Definition: oval:com.redhat.rhsa:def:20120308
Revision Date: 2012-02-21
Version: 647
Title: RHSA-2012:0308: busybox security and bug fix update (Low)
Description: BusyBox provides a single binary that includes versions of a large number of system commands, including a shell. This can be very useful for recovering from certain types of system failures, particularly those involving broken shared libraries.

  • A buffer underflow flaw was found in the way the uncompress utility of BusyBox expanded certain archive files compressed using Lempel-Ziv compression. If a user were tricked into expanding a specially-crafted archive file with uncompress, it could cause BusyBox to crash or, potentially, execute arbitrary code with the privileges of the user running BusyBox. (CVE-2006-1168)

  • The BusyBox DHCP client, udhcpc, did not sufficiently sanitize certain options provided in DHCP server replies, such as the client hostname. A malicious DHCP server could send such an option with a specially-crafted value to a DHCP client. If this option's value was saved on the client system, and then later insecurely evaluated by a process that assumes the option is trusted, it could lead to arbitrary code execution with the privileges of that process. Note: udhcpc is not used on Red Hat Enterprise Linux by default, and no DHCP client script is provided with the busybox packages. (CVE-2011-2716)

    This update also fixes the following bugs:

  • Prior to this update, the cp command wrongly returned exit code 0 (success) if a device ran out of space while copying files larger than 4 gigabytes. With this update, BusyBox returns exit code 1 in that situation, so cp now correctly reports the failed copy. (BZ#689659)

  • Prior to this update, the findfs command failed to check all existing block devices on a system with thousands of block device nodes in "/dev/". This update modifies BusyBox so that findfs checks all block devices even in this case. (BZ#756723)

    All users of busybox are advised to upgrade to these updated packages, which correct these issues.
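The udhcpc issue above (CVE-2011-2716) is a trust-boundary problem rather than a bug in the client binary: a DHCP server controls option values such as the client hostname, and the damage happens only when a hook script stores that value in a shell-syntax file which a later, privileged process sources. The advisory notes that the Red Hat busybox packages ship no such script, so the following is an added example written for this page, not BusyBox or Red Hat code. It follows udhcpc's script interface ($1 is the action, option values such as $hostname arrive in the environment); the function names and the output path /etc/sysconfig/network-dhcp are illustrative, and the payload used in the demo is a harmless constructed value.

```shell
#!/bin/sh
# Added example (not BusyBox or Red Hat code): a udhcpc hook script fragment
# showing the CVE-2011-2716 pattern, an untrusted DHCP option saved to a file
# that another process later sources, next to the validation that closes it.
# $1 (deconfig|bound|renew|nak) and $hostname follow udhcpc's script interface;
# the function names and the output path are illustrative.

# valid_hostname NAME: accept RFC 1123 host names only. Labels are letters,
# digits and hyphens, 1-63 chars, not starting or ending with '-', joined by
# dots; whole name at most 253 chars. Everything else (spaces, ';', '=', '$',
# quotes, backticks) is rejected, so no shell grammar can reach the file.
valid_hostname() {
    h=$1
    if [ -z "$h" ] || [ ${#h} -gt 253 ]; then return 1; fi
    case $h in
        *[!A-Za-z0-9.-]*|.*|*.|*..*|-*|*-|*.-*|*-.*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    for label in $h; do
        if [ ${#label} -gt 63 ]; then IFS=$old_ifs; return 1; fi
    done
    IFS=$old_ifs
    return 0
}

# Vulnerable: the raw option goes into a shell-syntax file. When an init or
# network script later does '. /etc/sysconfig/network-dhcp', a value such as
# 'x; touch /tmp/owned' runs with that script's privileges (root at boot).
save_hostname_unsafe() {
    printf 'HOSTNAME=%s\n' "$hostname" > "$1"
}

# Hardened: validate first, then single-quote the value so it stays data even
# if the file is sourced. Validation is what matters; quoting alone would not
# stop a value containing a closing quote.
save_hostname_safe() {
    if ! valid_hostname "$hostname"; then
        echo "udhcpc: ignoring malformed hostname option" >&2
        return 1
    fi
    printf "HOSTNAME='%s'\n" "$hostname" > "$1"
}

# Demo of the unsafe path with a harmless constructed payload: sourcing the
# saved file changes $marker, proving the option value ran as code.
demo_unsafe_executes() {
    tmp=$(mktemp)
    hostname='dummy; marker=executed'
    save_hostname_unsafe "$tmp"
    marker=stored
    . "$tmp"          # what a boot script does with a sysconfig file
    rm -f "$tmp"
    echo "$marker"    # prints "executed"
}

# Same payload through the hardened path: nothing is written, nothing runs.
demo_safe_rejects() {
    tmp=$(mktemp)
    hostname='dummy; marker=executed'
    marker=stored
    if save_hostname_safe "$tmp" 2>/dev/null; then . "$tmp"; fi
    rm -f "$tmp"
    echo "$marker"    # prints "stored"
}

# udhcpc runs the script as "default.script <action>"; only act on a lease.
# (Path is hypothetical; a real script would also set the kernel hostname.)
case "${1:-}" in
    bound|renew) save_hostname_safe "${HOSTNAME_FILE:-/etc/sysconfig/network-dhcp}" ;;
esac
```

The same rule applies to every other option udhcpc exports to the script ($domain, $dns, $router, $ntpsrv and so on): treat each as attacker-controlled input, validate it against the syntax that option is allowed to have, and never let it reach a file that is parsed as shell or passed to eval.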
Family: unix
Class: patch
Status:
Reference(s): CVE-2006-1168
    CVE-2011-2716
    RHSA-2012:0308
    RHSA-2012:0308-03
Platform(s): Red Hat Enterprise Linux 5
Product(s):
Definition Synopsis
  • Red Hat Enterprise Linux must be installed
  • OR (Package Information)
      • Red Hat Enterprise Linux 5 is installed
      • AND at least one of
          • busybox is earlier than 1:1.2.0-13.el5 AND busybox is signed with Red Hat redhatrelease2 key
          • busybox-anaconda is earlier than 1:1.2.0-13.el5 AND busybox-anaconda is signed with Red Hat redhatrelease2 key
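The "earlier than" criteria above are RPM EVR (epoch:version-release) comparisons, and the signature criteria guard against a locally rebuilt package that carries a low version number but is not Red Hat's. The following added example, written for this page and not Red Hat's OVAL tooling, reimplements the core of rpmvercmp in portable shell (segments split on non-alphanumerics, digit runs compared numerically, letter runs lexically, digits newer than letters, the string that runs out first is older; tilde and caret handling are omitted) so the version criterion can be evaluated anywhere, then wraps rpm(8) for a live RHEL 5 host. The fixed EVR is taken from the synopsis; the rpm query formats are real; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not Red Hat's OVAL content or tooling): evaluate the
# "busybox is earlier than 1:1.2.0-13.el5" criterion. cmp_segments/evr_cmp
# follow rpmvercmp's rules, simplified (no '~' or '^' handling).
FIXED_EVR='1:1.2.0-13.el5'    # from the definition synopsis

is_num() { case $1 in ''|*[!0-9]*) return 1 ;; esac; return 0; }

# strip_zeros 0013 -> 13 (keeps a lone "0"); avoids octal surprises in $(( ))
strip_zeros() {
    z=$1
    while [ "${z#0}" != "$z" ] && [ -n "${z#0}" ]; do z=${z#0}; done
    echo "$z"
}

# cmp_segments A B: print -1, 0 or 1 for version strings without epoch/release.
cmp_segments() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        # Drop leading separators (anything that is not alphanumeric).
        a=${a#"${a%%[A-Za-z0-9]*}"}
        b=${b#"${b%%[A-Za-z0-9]*}"}
        # Take one run of digits, or one run of letters, from each side.
        case $a in [0-9]*) sa=${a%%[!0-9]*} ;; *) sa=${a%%[!A-Za-z]*} ;; esac
        case $b in [0-9]*) sb=${b%%[!0-9]*} ;; *) sb=${b%%[!A-Za-z]*} ;; esac
        a=${a#"$sa"}; b=${b#"$sb"}
        if [ -z "$sa" ] && [ -z "$sb" ]; then break; fi
        if [ -z "$sa" ]; then echo -1; return; fi    # A ran out first: older
        if [ -z "$sb" ]; then echo 1; return; fi
        if is_num "$sa" && is_num "$sb"; then
            sa=$(strip_zeros "$sa"); sb=$(strip_zeros "$sb")
            if [ ${#sa} -ne ${#sb} ]; then             # more digits = bigger
                if [ ${#sa} -gt ${#sb} ]; then echo 1; else echo -1; fi; return
            fi
        elif is_num "$sa"; then echo 1; return         # numeric beats alpha
        elif is_num "$sb"; then echo -1; return
        fi
        if [ "$sa" != "$sb" ]; then                     # same kind, same length
            if [ "$sa" \> "$sb" ]; then echo 1; else echo -1; fi; return
        fi
    done
    echo 0
}

# evr_split "epoch:version-release": sets E, V, R; a missing epoch counts as 0.
evr_split() {
    case $1 in *:*) E=${1%%:*}; rest=${1#*:} ;; *) E=0; rest=$1 ;; esac
    case $rest in *-*) V=${rest%-*}; R=${rest##*-} ;; *) V=$rest; R= ;; esac
}

# evr_cmp EVR1 EVR2: epoch first, then version, then release; prints -1/0/1.
evr_cmp() {
    evr_split "$1"; e1=$E; v1=$V; r1=$R
    evr_split "$2"; e2=$E; v2=$V; r2=$R
    c=$(cmp_segments "$e1" "$e2"); if [ "$c" != 0 ]; then echo "$c"; return; fi
    c=$(cmp_segments "$v1" "$v2"); if [ "$c" != 0 ]; then echo "$c"; return; fi
    cmp_segments "$r1" "$r2"
}

# busybox_affected INSTALLED_EVR: true when the OVAL "earlier than" test holds.
busybox_affected() { [ "$(evr_cmp "$1" "$FIXED_EVR")" -lt 0 ]; }

# Live check on a RHEL 5 host (needs rpm; not exercised offline). The version
# test is evaluated here; the signature line is printed for the second
# criterion, where the redhatrelease2 key shows as Key ID ...37017186.
check_host() {
    for p in busybox busybox-anaconda; do
        evr=$(rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' "$p" 2>/dev/null) || continue
        evr=${evr#"(none):"}    # rpm prints "(none)" when a package has no epoch
        sig=$(rpm -q --qf '%{SIGPGP:pgpsig}\n' "$p")
        if busybox_affected "$evr"; then state=AFFECTED; else state=fixed; fi
        echo "$p $evr [$state] signature: $sig"
    done
}

[ "${1:-}" = --live ] && check_host
```

Run it with --live on the host to print both packages' EVR and signature; without arguments it only defines the functions so the comparison can be used from other scripts. The signature check matters because the OVAL definition treats an unsigned or third-party busybox with a lower EVR as out of scope, not as fixed.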