[security-announce] busybox: Security update

Sona Sarmadi sona.sarmadi at enea.com
Mon Jun 1 12:33:36 CEST 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

	Enea Linux Security Advisory

=========================================================
Product/package: busybox 1.22.1
Severity: Low
CVE Names: CVE-2014-9645 modprobe wrongly accepts paths as module names
=========================================================
This security update fixes unprivileged arbitrary module load
via basename abuse.

The patch and README files are gpg signed by ESRT (Enea Security
Response Team) for verification of origin.
To verify the integrity of the patches, download the ESRT public key from:
https://pgp.mit.edu/pks/lookup?op=vindex&search=0x773EF6EF68716A14

For detailed info refer to
https://linux.enea.com/5.0-beta-m400/patche/patches/README.asc

Signed patch and README files
=============================
0014-busybox-CVE-2014-9645.README.asc
0014-busybox-CVE-2014-9645.patch.asc

Description
===========
The modprobe command in busybox before 1.23.0 uses the basename of
the module argument as the module to load, allowing arbitrary
modules, even when some kernel subsystems try to prevent this.

References:
==========
https://bugs.busybox.net/show_bug.cgi?id=7652

How to apply the patches
=======================
 - Preparation
Make sure that you have an installation of Enea Linux and have
applied the existing patches in the right order.

wget http://linux.enea.com/5.0-beta-m400/Enea-Linux-5.0-beta-m400.tar.gz
tar zxvf Enea-Linux-5.0-beta-m400.tar.gz
<Fetch and apply the existing patches, please refer to
    README file for the individual patch>

 - Fetch and apply the new patch
cd Enea-Linux-5.0-beta-m400/poky
wget http://linux.enea.com/5.0-beta-m400/patches/0014-busybox-CVE-2014-9645.patch.asc
patch -p1 < ./0014-busybox-CVE-2014-9645.patch.asc

If you have any questions regarding the security patches and security
updates, please contact security at enea.com.

Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

-----END PGP SIGNATURE-----
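
Added example (not part of the original advisory and not the busybox patch itself): the basename handling described under Description, shown beside a stricter check that refuses path-like names. Both helper functions and the sample arguments are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Behaviour described in the advisory: only the basename of the argument
 * is kept, so anything in front of the last '/' (for example a prefix a
 * caller added to restrict the request) is silently discarded.
 * Hypothetical helper, not busybox code. */
static const char *name_from_basename(const char *arg)
{
    const char *slash = strrchr(arg, '/');
    return slash ? slash + 1 : arg;
}

/* Stricter variant (an assumption about how to harden this, not the
 * project's fix): return the name unchanged, or NULL when it is empty
 * or contains a '/'. */
static const char *name_checked(const char *arg)
{
    if (arg[0] == '\0' || strchr(arg, '/') != NULL)
        return NULL;
    return arg;
}

int main(void)
{
    /* Constructed sample arguments; "samplemod" is a placeholder name. */
    const char *samples[] = { "samplemod", "prefix-/samplemod", "a/b/samplemod" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        const char *checked = name_checked(samples[i]);
        printf("%-20s basename -> %-10s checked -> %s\n",
               samples[i],
               name_from_basename(samples[i]),
               checked ? checked : "(rejected)");
    }
    return 0;
}
```

With the basename variant all three arguments resolve to the same module name; the stricter variant accepts only the first.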

