CVE-2017-15873 — Integer Overflow or Wraparound in Busybox

CWE-190 — Integer Overflow or Wraparound9 documents7 sources

Severity

5.5MEDIUMNVD

OSV7.5

EPSS

0.1%

top 66.13%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Busybox Debian Busybox Canonical Ubuntu Linux +1 more

Timeline

PublishedOct 24

Latest updateMay 13

Description

The get_next_block function in archival/libarchive/decompress_bunzip2.c in BusyBox 1.27.2 has an Integer Overflow that may lead to a write access violation.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages4 packages

▶debiandebian/busybox< busybox 1:1.27.2-2 (bookworm)

▶Debianbusybox/busybox< 1:1.27.2-2+3

▶Ubuntubusybox/busybox< 1:1.21.0-1ubuntu1.4+2

▶NVDbusybox/busybox1.27.2

Also affects: Debian Linux 8.0, 9.0, Ubuntu Linux 14.04, 16.04, 18.04, 18.10

Patches

Patch: git.busybox.net ↗Patch: git.busybox.net ↗

🔴Vulnerability Details

GHSA

GHSA-8g36-v598-qvrf: The get_next_block function in archival/libarchive/decompress_bunzip2↗2022-05-13

▶

OSV

busybox vulnerabilities↗2019-04-03

▶

OSV

CVE-2017-15873: The get_next_block function in archival/libarchive/decompress_bunzip2↗2017-10-24

▶

📋Vendor Advisories

Ubuntu

BusyBox vulnerabilities↗2019-04-03

▶

Red Hat

busybox: Integer overflow in the get_next_block function↗2017-10-22

▶

Debian

CVE-2017-15873: busybox - The get_next_block function in archival/libarchive/decompress_bunzip2.c in BusyB...↗2017

▶

💬Community

Bugzilla

CVE-2017-15873 busybox: Integer overflow in the get_next_block function↗2017-11-20

▶

Bugzilla

CVE-2017-15873 CVE-2017-15874 CVE-2017-16544 busybox: various flaws [fedora-all]↗2017-11-20

▶