CVE-2021-42382
Publication date 15 November 2021
Last updated 24 July 2024
Ubuntu priority
A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s function
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| busybox | 22.04 LTS jammy |
Fixed 1:1.30.1-7ubuntu2
|
| 20.04 LTS focal |
Fixed 1:1.30.1-4ubuntu6.4
|
|
| 18.04 LTS bionic |
Fixed 1:1.27.2-2ubuntu3.4
|
|
| 16.04 LTS xenial | Ignored | |
| 14.04 LTS trusty | Ignored |
Notes
ccdm94
fix (importing awk.c from busybox version >= 1.34.0 due to large amount of changes made to the awk.c code) introduces a regression to busybox awk in xenial and earlier. Applying changes from the commit which prevents this regression from happening (237bedd499c) could result in further regressions being introduced to other applets in busybox. This happens because interfaces for applets are altered in this commit, and the calls to get them executed through busybox are modified. External applications which use busybox could end up with regressions as well because of this.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
7.2 · High
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | High |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-5179-1
- BusyBox vulnerabilities
- 7 December 2021