UBUNTU-CVE-2017-16544

See a problem?

Source

https://ubuntu.com/security/CVE-2017-16544

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2017/UBUNTU-CVE-2017-16544.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2017-16544

Related

Published

2017-11-20T00:00:00Z

Modified

2017-11-20T00:00:00Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
8.8 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of the shell, used to get a list of filenames in a directory, does not sanitize filenames and results in executing any escape sequence in the terminal. This could potentially result in code execution, arbitrary file writes, or other attacks.

References

Affected packages

Ubuntu:14.04:LTS / busybox

Package

Name: busybox
Purl: pkg:deb/ubuntu/busybox?arch=src?distro=trusty

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1:1.21.0-1ubuntu1.4

Affected versions

1:1.*

1:1.20.0-8.1ubuntu1

1:1.20.0-9ubuntu1

1:1.20.0-9ubuntu2

1:1.21.0-1ubuntu1

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "1:1.21.0-1ubuntu1.4",
            "binary_name": "busybox"
        },
        {
            "binary_version": "1:1.21.0-1ubuntu1.4",
            "binary_name": "busybox-dbgsym"
        },
        {
            "binary_version": "1:1.21.0-1ubuntu1.4",
            "binary_name": "busybox-initramfs"
        },
        {
            "binary_version": "1:1.21.0-1ubuntu1.4",
            "binary_name": "busybox-initramfs-dbgsym"
        },
        {
            "binary_version": "1:1.21.0-1ubuntu1.4",
            "binary_name": "busybox-static"
        },
        {
            "binary_version": "1:1.21.0-1ubuntu1.4",
            "binary_name": "busybox-static-dbgsym"
        },
        {
            "binary_version": "1:1.21.0-1ubuntu1.4",
            "binary_name": "busybox-syslogd"
        },
        {
            "binary_version": "1:1.21.0-1ubuntu1.4",
            "binary_name": "busybox-udeb"
        },
        {
            "binary_version": "1:1.21.0-1ubuntu1.4",
            "binary_name": "busybox-udeb-dbgsym"
        },
        {
            "binary_version": "1:1.21.0-1ubuntu1.4",
            "binary_name": "udhcpc"
        },
        {
            "binary_version": "1:1.21.0-1ubuntu1.4",
            "binary_name": "udhcpd"
        }
    ]
}

Ubuntu:16.04:LTS / busybox

Package

Name: busybox
Purl: pkg:deb/ubuntu/busybox?arch=src?distro=xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1:1.22.0-15ubuntu1.4

Affected versions

1:1.*

1:1.22.0-15ubuntu1

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "1:1.22.0-15ubuntu1.4",
            "binary_name": "busybox"
        },
        {
            "binary_version": "1:1.22.0-15ubuntu1.4",
            "binary_name": "busybox-dbgsym"
        },
        {
            "binary_version": "1:1.22.0-15ubuntu1.4",
            "binary_name": "busybox-initramfs"
        },
        {
            "binary_version": "1:1.22.0-15ubuntu1.4",
            "binary_name": "busybox-initramfs-dbgsym"
        },
        {
            "binary_version": "1:1.22.0-15ubuntu1.4",
            "binary_name": "busybox-static"
        },
        {
            "binary_version": "1:1.22.0-15ubuntu1.4",
            "binary_name": "busybox-static-dbgsym"
        },
        {
            "binary_version": "1:1.22.0-15ubuntu1.4",
            "binary_name": "busybox-syslogd"
        },
        {
            "binary_version": "1:1.22.0-15ubuntu1.4",
            "binary_name": "busybox-udeb"
        },
        {
            "binary_version": "1:1.22.0-15ubuntu1.4",
            "binary_name": "busybox-udeb-dbgsym"
        },
        {
            "binary_version": "1:1.22.0-15ubuntu1.4",
            "binary_name": "udhcpc"
        },
        {
            "binary_version": "1:1.22.0-15ubuntu1.4",
            "binary_name": "udhcpd"
        }
    ]
}

Ubuntu:18.04:LTS / busybox

Package

Name: busybox
Purl: pkg:deb/ubuntu/busybox?arch=src?distro=bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1:1.27.2-1ubuntu4

Affected versions

1:1.*

1:1.22.0-19ubuntu2

1:1.27.2-1ubuntu3

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "1:1.27.2-1ubuntu4",
            "binary_name": "busybox"
        },
        {
            "binary_version": "1:1.27.2-1ubuntu4",
            "binary_name": "busybox-dbgsym"
        },
        {
            "binary_version": "1:1.27.2-1ubuntu4",
            "binary_name": "busybox-initramfs"
        },
        {
            "binary_version": "1:1.27.2-1ubuntu4",
            "binary_name": "busybox-initramfs-dbgsym"
        },
        {
            "binary_version": "1:1.27.2-1ubuntu4",
            "binary_name": "busybox-static"
        },
        {
            "binary_version": "1:1.27.2-1ubuntu4",
            "binary_name": "busybox-static-dbgsym"
        },
        {
            "binary_version": "1:1.27.2-1ubuntu4",
            "binary_name": "busybox-syslogd"
        },
        {
            "binary_version": "1:1.27.2-1ubuntu4",
            "binary_name": "busybox-udeb"
        },
        {
            "binary_version": "1:1.27.2-1ubuntu4",
            "binary_name": "udhcpc"
        },
        {
            "binary_version": "1:1.27.2-1ubuntu4",
            "binary_name": "udhcpd"
        }
    ]
}