PublicDateAtUSN: 2019-01-09
Candidate: CVE-2019-5747
PublicDate: 2019-01-09 16:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5747
 https://ubuntu.com/security/notices/USN-3935-1
Description:
 An issue was discovered in BusyBox through 1.30.0. An out of bounds read in
 udhcp components (consumed by the DHCP server, client, and/or relay) might
 allow a remote attacker to leak sensitive information from the stack by
 sending a crafted DHCP message. This is related to assurance of a 4-byte
 length when decoding DHCP_SUBNET. NOTE: this issue exists because of an
 incomplete fix for CVE-2018-20679.
Ubuntu-Description:
Notes:
Bugs:
 https://bugs.busybox.net/show_bug.cgi?id=11506
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N [7.5 HIGH]


Patches_busybox:
 upstream: https://git.busybox.net/busybox/commit/?id=74d9f1ba37010face4bd1449df4d60dd84450b06
upstream_busybox: released (1:1.30.1-2)
precise/esm_busybox: ignored (end of ESM support, was needed)
trusty_busybox: released (1:1.21.0-1ubuntu1.4)
trusty/esm_busybox: released (1:1.21.0-1ubuntu1.4)
xenial_busybox: released (1:1.22.0-15ubuntu1.4)
esm-infra/xenial_busybox: released (1:1.22.0-15ubuntu1.4)
bionic_busybox: released (1:1.27.2-2ubuntu3.2)
cosmic_busybox: released (1:1.27.2-2ubuntu4.1)
disco_busybox: released (1:1.27.2-2ubuntu5)
eoan_busybox: released (1:1.27.2-2ubuntu5)
focal_busybox: released (1:1.27.2-2ubuntu5)
groovy_busybox: released (1:1.27.2-2ubuntu5)
hirsute_busybox: released (1:1.27.2-2ubuntu5)
devel_busybox: released (1:1.27.2-2ubuntu5)