CLSA-2026-1777368104

Import Source
https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/ubuntu20.04els/CLSA-2026-1777368104.json
JSON Data
https://api.osv.dev/v1/vulns/CLSA-2026-1777368104
Upstream
Published
2026-04-28T09:21:49Z
Modified
2026-06-04T09:47:37.756361823Z
Summary
Fix CVE(s): CVE-2023-39810
Details
  • SECURITY UPDATE: directory traversal in cpio extraction
    • debian/patches/CVE-2023-39810.patch: add FEATURE_PATH_TRAVERSAL_PROTECTION config option, call strip_unsafe_prefix() in data_extract_all.c to prevent path traversal via ../ in archive filenames. Covers cpio, ar, rpm.
    • Enable CONFIG_FEATURE_PATH_TRAVERSAL_PROTECTION=y in all build configs.
    • debian/patches/CVE-2023-39810.patch: replace echo -e with printf in the new cpio path-traversal testcase so it is portable to dash (the Ubuntu /bin/sh).
    • debian/testsuite-linux.diff: skip the pre-existing "cpio uses by default uid/gid" test, which is fragile in the pbuilder chroot (id -u returns 0 but source files retain uid=1000 from the build worker, causing a spurious mismatch).
    • debian/patches/CVE-2023-39810.patch: include the "1 blocks" summary line that busybox cpio -vi emits (to stderr, merged via 2>&1) at end-of-archive in the expected output of the new path-traversal testcase; the functional check (file not written, exit 0) already passed but the string-match failed because 1.30.1 always prints "N blocks", matching the pattern used by other cpio tests in testsuite/cpio.tests.
    • debian/testsuite-linux.diff: skip the pre-existing hostname-d-works test when the pbuilder chroot cannot resolve its own hostname via DNS (no /etc/hosts entry for the build host).
    • CVE-2023-39810
References

Affected packages

TuxCare:Ubuntu:20.04
busybox

Package

Name
busybox
Purl
pkg:deb/tuxcare/busybox?distro=ubuntu-20.04

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1:1.30.1-4ubuntu6.5+tuxcare.els1

Database specific

source
"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/ubuntu20.04els/CLSA-2026-1777368104.json"
busybox-initramfs

Package

Name
busybox-initramfs
Purl
pkg:deb/tuxcare/busybox-initramfs?distro=ubuntu-20.04

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1:1.30.1-4ubuntu6.5+tuxcare.els1

Database specific

source
"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/ubuntu20.04els/CLSA-2026-1777368104.json"
busybox-static

Package

Name
busybox-static
Purl
pkg:deb/tuxcare/busybox-static?distro=ubuntu-20.04

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1:1.30.1-4ubuntu6.5+tuxcare.els1

Database specific

source
"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/ubuntu20.04els/CLSA-2026-1777368104.json"
busybox-syslogd

Package

Name
busybox-syslogd
Purl
pkg:deb/tuxcare/busybox-syslogd?distro=ubuntu-20.04

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1:1.30.1-4ubuntu6.5+tuxcare.els1

Database specific

source
"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/ubuntu20.04els/CLSA-2026-1777368104.json"
udhcpc

Package

Name
udhcpc
Purl
pkg:deb/tuxcare/udhcpc?distro=ubuntu-20.04

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1:1.30.1-4ubuntu6.5+tuxcare.els1

Database specific

source
"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/ubuntu20.04els/CLSA-2026-1777368104.json"
udhcpd

Package

Name
udhcpd
Purl
pkg:deb/tuxcare/udhcpd?distro=ubuntu-20.04

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1:1.30.1-4ubuntu6.5+tuxcare.els1

Database specific

source
"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/ubuntu20.04els/CLSA-2026-1777368104.json"