PT-2015-3405 · Busybox+2 · Busybox+2

Denys Vlasenko

Publicado

2015-10-26

Atualizado

2024-06-15

CVE-2015-9261

CVSS v3.1

5.5

Média

Vetor

AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions BusyBox versions prior to 1.27.2

Description The issue is related to the huft build function in the archival/libarchive/decompress gunzip.c component of the BusyBox set of UNIX utilities. It involves a null pointer dereference. An attacker, acting remotely, can exploit this issue by using a specially crafted ZIP file to cause a denial of service, resulting in application crashes and segfaults during an unzip operation.

Recommendations For versions prior to 1.27.2, update to version 1.27.2 or later to resolve the issue. As a temporary workaround, consider restricting the use of the huft build function in the decompress gunzip.c component until a patch is available. Avoid using specially crafted ZIP files that could trigger the vulnerability.

Exploit

Correção

NULL Pointer Dereference

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-476

Identificadores relacionados

BDU:2021-03344

CVE-2015-9261

DLA-1445-1

DLA-1445-2

DLA-2559-1

DLA-337-1

MGASA-2018-0413

OPENSUSE-SU-2022:0135-1

OPENSUSE-SU-2022_0135-1

OPENSUSE-SU-2022_3959-1

OPENSUSE-SU-2024:11738-1

SUSE-SU-2022:0135-1

SUSE-SU-2022:0135-2

SUSE-SU-2022:3959-1

SUSE-SU-2022:4253-1

USN-3935-1

Produtos afetados

Busybox

Suse

Ubuntu

PT-2015-3405 · Busybox+2 · Busybox+2

CVE-2015-9261

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 203