• Working towards a stable update of busybox to fix 3 CVEs

    From Tobias Frost@21:1/5 to All on Sun Mar 2 11:40:01 2025
    Dear Busybox maintainers,

    currently stable has three open CVEs which are already fixed for LTS
    but remain unfixed for stable. We'd like to avoid a situation
    where people updating from an LTS release to stable then regress
    into having the CVEs unfixed.

    For this I'd like to coordinate with you an update for stable, targeting CVE-2023-42364, CVE-2023-42365 and CVE-2022-48174.

    Those CVEs are also unfixed in unstable, so those busybox vulnerabilities need to be fixed in unstable first.

    For unstable, I can prepare a patchset, I can do an NMU for
    the issues, or of course you can fix those issues yourself.

    What would be your preferred way to solve these issues?

    Once fixed in unstable, I'll offer to help with an s-p-u as well,
    just let me know how you'd like to tackle it.

    At the LTS Team, we track this issue with this issue ticket: https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/186
    (You're welcome to directly comment there.)

    Cheers,
    --
    tobi (as LTS team contributor)



    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Michael Tokarev@21:1/5 to Tobias Frost on Fri Mar 7 07:20:01 2025
    02.03.2025 13:33, Tobias Frost wrote:
    > Dear Busybox maintainers,
    >
    > currently stable has three open CVEs which are already fixed for LTS
    > but remain unfixed for stable. We'd like to avoid a situation
    > where people updating from an LTS release to stable then regress
    > into having the CVEs unfixed.
    >
    > For this I'd like to coordinate with you an update for stable, targeting CVE-2023-42364, CVE-2023-42365 and CVE-2022-48174.
    >
    > Those CVEs are also unfixed in unstable, so those busybox vulnerabilities need to be fixed in unstable first.

    The 3 CVEs mentioned by you are fixed by bb 1.37, which is in trixie for
    quite a while. They're not fixed in bookworm though, as you correctly
    noted.

    > For unstable, I can prepare a patchset, I can do an NMU for
    > the issues, or of course you can fix those issues yourself.

    I'm not sure I follow, since it's fixed in unstable for a long time.

    We can fix it for stable (bookworm) for sure, but I'm kinda skeptical
    here: the issues are minor, and I'm not sure it's worth bothering at
    all. The stable and security teams have their own share of work already :)

    You can prepare an update for bookworm together with the update for LTS
    if you like, - I think this would be more productive, since you know
    exactly what to do, as you're doing it for the LTS already. Or I can
    do it in parallel with (or before) you, provided I got the commits
    correctly:

    CVE-2022-48174:
    d417193cf37ca1005830d7e16f5fa7e1d8a44209

    CVE-2023-42363:
    fb08d43d44d1fea1f741fafb9aa7e1958a5f69aa

    CVE-2023-42364:
    38335df9e9f45378c3407defd38b5b610578bdda 0256e00a9d077588bd3a39f5a1ef7e2eaa2911e4

    Thanks,

    /mjt

  • From Tobias Frost@21:1/5 to Michael Tokarev on Sat Apr 5 10:00:02 2025
    Hi Michael,

    (sorry for the late reply, somehow I missed sending it out...)

    On Fri, Mar 07, 2025 at 09:03:06AM +0300, Michael Tokarev wrote:
    > 02.03.2025 13:33, Tobias Frost wrote:
    > > Dear Busybox maintainers,
    > >
    > > currently stable has three open CVEs which are already fixed for LTS
    > > but remain unfixed for stable. We'd like to avoid a situation
    > > where people updating from an LTS release to stable then regress
    > > into having the CVEs unfixed.
    > >
    > > For this I'd like to coordinate with you an update for stable, targeting CVE-2023-42364, CVE-2023-42365 and CVE-2022-48174.
    > >
    > > Those CVEs are also unfixed in unstable, so those busybox vulnerabilities need to be fixed in unstable first.

    > The 3 CVEs mentioned by you are fixed by bb 1.37, which is in trixie for
    > quite a while. They're not fixed in bookworm though, as you correctly
    > noted.

    > > For unstable, I can prepare a patchset, I can do an NMU for
    > > the issues, or of course you can fix those issues yourself.

    > I'm not sure I follow, since it's fixed in unstable for a long time.

    I'm sorry, I messed up here. You're right, those three are fixed
    already.

    > We can fix it for stable (bookworm) for sure, but I'm kinda skeptical
    > here: the issues are minor, and I'm not sure it's worth bothering at
    > all. The stable and security teams have their own share of work already :)

    Well, the background is that when we fix issues in LTS we also try to
    get them fixed in newer releases, so that users won't get a regression
    when updating to a newer release, e.g. from bullseye to bookworm.
    In my experience the release team is very open to this (especially if
    the update is small and targeted).

    > You can prepare an update for bookworm together with the update for LTS
    > if you like, - I think this would be more productive, since you know
    > exactly what to do, as you're doing it for the LTS already. Or I can
    > do it in parallel with (or before) you, provided I got the commits
    > correctly:
    >
    > CVE-2022-48174:
    > d417193cf37ca1005830d7e16f5fa7e1d8a44209
    >
    > CVE-2023-42363:
    > fb08d43d44d1fea1f741fafb9aa7e1958a5f69aa
    >
    > CVE-2023-42364:
    > 38335df9e9f45378c3407defd38b5b610578bdda 0256e00a9d077588bd3a39f5a1ef7e2eaa2911e4

    I'll happily prepare the s-p-u, thanks for the heads-up!

    > Thanks,
    >
    > /mjt
