]> git.ipfire.org Git - thirdparty/openembedded/openembedded-core-contrib.git/commit
projects / thirdparty / openembedded / openembedded-core-contrib.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 09b8b36) | patch
busybox: CVE-2017-16544
authorZhixiong Chi <zhixiong.chi@windriver.com>
Mon, 4 Dec 2017 08:17:25 +0000 (00:17 -0800)
committerRichard Purdie <richard.purdie@linuxfoundation.org>
Sun, 10 Dec 2017 22:45:20 +0000 (22:45 +0000)
commit07447113ad492dde7fe6cde916a0e9833b5d6164
tree80771af7ec07aea62fcf7f0b515560a2b38e76batree | snapshot
parent09b8b36b30cc5a359fc316169a037a03512cd5afcommit | diff
busybox: CVE-2017-16544

In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2,
the tab autocomplete feature of the shell, used to get a list of filenames
in a directory, does not sanitize filenames and results in executing any
escape sequence in the terminal. This could potentially result in code
execution, arbitrary file writes, or other attacks.

Backport the patch from:
https://git.busybox.net/busybox/commit/?id=c3797d40a1c57352192c6106cc0f435e7d9c11e8
https://nvd.nist.gov/vuln/detail/CVE-2017-16544

(From OE-Core rev: aa41f0c37460a2863ce26d1321c19c9bedf680c4)

Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
meta/recipes-core/busybox/busybox/busybox-CVE-2017-16544.patch [new file with mode: 0644] blob
meta/recipes-core/busybox/busybox_1.27.2.bb diff | blob | blame | history
Mirror of git://git.openembedded.org/openembedded-core-contrib