PublicDateAtUSN: 2021-11-15 21:15:00 UTC
Candidate: CVE-2021-42381
PublicDate: 2021-11-15 21:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42381
 https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
 https://ubuntu.com/security/notices/USN-5179-1
Description:
 A use-after-free in Busybox's awk applet leads to denial of service and
 possibly code execution when processing a crafted awk pattern in the
 hash_init function
Ubuntu-Description:
Notes:
 ccdm94> fix (importing awk.c from busybox version >= 1.34.0 due to large
 ccdm94> amount of changes made to the awk.c code) introduces a regression
 ccdm94> to busybox awk in xenial and earlier. Applying changes from the
 ccdm94> commit which prevents this regression from happening (237bedd499c)
 ccdm94> could result in further regressions being introduced to other
 ccdm94> applets in busybox. This happens because interfaces for applets
 ccdm94> are altered in this commit, and the calls to get them executed
 ccdm94> through busybox are modified. External applications which use
 ccdm94> busybox could end up with regressions as well because of this.
Mitigation:
Bugs:
Priority: low
Discovered-by: Vera Mens, Uri Katz, Tal Keren, Sharon Brizinov, and Shachar Menashe
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H [7.2 HIGH]

Patches_busybox:
upstream_busybox: released (1.34.0)
trusty/esm_busybox: ignored (see notes)
esm-infra/xenial_busybox: ignored (see notes)
trusty_busybox: ignored (out of standard support)
xenial_busybox: ignored (out of standard support)
bionic_busybox: released (1:1.27.2-2ubuntu3.4)
focal_busybox: released (1:1.30.1-4ubuntu6.4)
hirsute_busybox: released (1:1.30.1-6ubuntu2.1)
impish_busybox: released (1:1.30.1-6ubuntu3.1)
jammy_busybox: released (1:1.30.1-7ubuntu2)
devel_busybox: released (1:1.30.1-7ubuntu2)