PublicDateAtUSN: 2021-03-19 05:15:00 UTC
Candidate: CVE-2021-28831
PublicDate: 2021-03-19 05:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28831
 https://ubuntu.com/security/notices/USN-5179-1
Description:
 decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on
 the huft_build result pointer, with a resultant invalid free or
 segmentation fault, via malformed gzip data.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985674
Priority: low
Discovered-by:
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH]

Patches_busybox:
 upstream: https://git.busybox.net/busybox/commit/?id=f25d254dfd4243698c31a4f3153d4ac72aa9e9bd
upstream_busybox: released (1.33.1, 1.34.0)
precise/esm_busybox: ignored (end of ESM support, was needed)
trusty_busybox: ignored (out of standard support)
trusty/esm_busybox: needed
xenial_busybox: ignored (end of standard support, was needed)
esm-infra/xenial_busybox: needed
bionic_busybox: released (1:1.27.2-2ubuntu3.4)
focal_busybox: released (1:1.30.1-4ubuntu6.4)
groovy_busybox: ignored (reached end-of-life)
hirsute_busybox: released (1:1.30.1-6ubuntu2.1)
impish_busybox: released (1:1.30.1-6ubuntu3.1)
jammy_busybox: released (1:1.30.1-7ubuntu2)
devel_busybox: released (1:1.30.1-7ubuntu2)