PublicDateAtUSN: 2017-02-09
Candidate: CVE-2016-2147
PublicDate: 2017-02-09 15:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2147
 https://ubuntu.com/security/notices/USN-3935-1
Description:
 Integer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0
 allows remote attackers to cause a denial of service (crash) via a
 malformed RFC1035-encoded domain name, which triggers an out-of-bounds
 heap write.
Ubuntu-Description:
Notes:
Bugs:
 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=818499
Priority: low
Discovered-by: Nico Golde
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH]
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH]

Patches_busybox:
 upstream: https://git.busybox.net/busybox/commit/?id=d474ffc68290e0a83651c4432eeabfa62cd51e87
 upstream: https://git.busybox.net/busybox/commit/?id=1b7c17391de66502dd7a97c866e0a33681edbb1f
Tags_busybox: universe-binary
upstream_busybox: released (1:1.27.2-1)
precise_busybox: ignored (reached end-of-life)
precise/esm_busybox: ignored (end of ESM support, was needed)
trusty_busybox: released (1:1.21.0-1ubuntu1.4)
trusty/esm_busybox: released (1:1.21.0-1ubuntu1.4)
vivid/stable-phone-overlay_busybox: ignored (reached end-of-life)
vivid/ubuntu-core_busybox: ignored (reached end-of-life)
wily_busybox: ignored (reached end-of-life)
xenial_busybox: released (1:1.22.0-15ubuntu1.4)
esm-infra/xenial_busybox: released (1:1.22.0-15ubuntu1.4)
yakkety_busybox: ignored (reached end-of-life)
zesty_busybox: ignored (reached end-of-life)
artful_busybox: ignored (reached end-of-life)
bionic_busybox: not-affected (1:1.27.2-1ubuntu3)
cosmic_busybox: not-affected (1:1.27.2-1ubuntu3)
disco_busybox: not-affected (1:1.27.2-1ubuntu3)
eoan_busybox: not-affected (1:1.27.2-1ubuntu3)
focal_busybox: not-affected (1:1.27.2-1ubuntu3)
groovy_busybox: not-affected (1:1.27.2-1ubuntu3)
hirsute_busybox: not-affected (1:1.27.2-1ubuntu3)
devel_busybox: not-affected (1:1.27.2-1ubuntu3)