PublicDateAtUSN: 2017-03-12
Candidate: CVE-2014-9645
PublicDate: 2017-03-12 06:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9645
 https://ubuntu.com/security/notices/USN-3935-1
Description:
 The add_probe function in modutils/modprobe.c in BusyBox before 1.23.0
 allows local users to bypass intended restrictions on loading kernel
 modules via a / (slash) character in a module name, as demonstrated by an
 "ifconfig /usbserial up" command or a "mount -t /snd_pcm none /" command.
Ubuntu-Description:
Notes:
Bugs:
 https://bugs.busybox.net/show_bug.cgi?id=7652
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776186
Priority: low
Discovered-by: Mathias Krause
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N [5.5 MEDIUM]

Patches_busybox:
 upstream: http://git.busybox.net/busybox/commit/?id=4e314faa0aecb66717418e9a47a4451aec59262b
upstream_busybox: released (1:1.22.0-15)
lucid_busybox: ignored (reached end-of-life)
precise_busybox: ignored (reached end-of-life)
precise/esm_busybox: ignored (end of ESM support, was needed)
trusty_busybox: released (1:1.21.0-1ubuntu1.4)
trusty/esm_busybox: released (1:1.21.0-1ubuntu1.4)
utopic_busybox: ignored (reached end-of-life)
vivid_busybox: ignored (reached end-of-life)
vivid/stable-phone-overlay_busybox: ignored (reached end-of-life)
vivid/ubuntu-core_busybox: ignored (reached end-of-life)
wily_busybox: not-affected (1:1.22.0-15ubuntu1)
xenial_busybox: not-affected (1:1.22.0-15ubuntu1)
esm-infra/xenial_busybox: not-affected (1:1.22.0-15ubuntu1)
yakkety_busybox: not-affected (1:1.22.0-15ubuntu1)
zesty_busybox: not-affected (1:1.22.0-15ubuntu1)
artful_busybox: not-affected (1:1.22.0-15ubuntu1)
bionic_busybox: not-affected (1:1.22.0-15ubuntu1)
cosmic_busybox: not-affected (1:1.22.0-15ubuntu1)
disco_busybox: not-affected (1:1.22.0-15ubuntu1)
eoan_busybox: not-affected (1:1.22.0-15ubuntu1)
focal_busybox: not-affected (1:1.22.0-15ubuntu1)
groovy_busybox: not-affected (1:1.22.0-15ubuntu1)
hirsute_busybox: not-affected (1:1.22.0-15ubuntu1)
devel_busybox: not-affected (1:1.22.0-15ubuntu1)