Busybox CVE-2014-9645

Bug #1420508 reported by Erica Windisch
This bug affects 1 person
Affects: CirrOS
Status: Fix Committed
Importance: Medium
Assigned to: Dr. Jens Harbott

Bug Description

Busybox issued a CVE for a vulnerable modprobe. This is a public vulnerability.

http://www.openwall.com/lists/oss-security/2015/01/26/1

Certain interfaces in the kernel allow unprivileged users to trigger register_module in the kernel, autoloading modules of a specific pattern. With util-linux modprobe, these patterns are usually safe, but with this busybox vulnerability they would allow any user to load arbitrary modules known to modprobe.

Dr. Jens Harbott (j-harbott) wrote :

Should be easily fixed by rebuilding with a recent buildroot.

Changed in cirros:
status: New → In Progress
assignee: nobody → Dr. Jens Rosenboom (j-rosenboom-j)
Scott Moser (smoser) wrote :

I suspect this is fixed in trunk which is at buildroot 2015.5-rc3 and busybox at 1.23.2.

Changed in cirros:
importance: Undecided → Medium
status: In Progress → Fix Committed