openwrtv4

KumiSystems/openwrtv4

Fork 0

Commit graph

Author	SHA1	Message	Date
Kevin Darbyshire-Bryant	b61a648e4a	busybox: clean up patch fuzz Refresh patches to tidy up fuzz. No functional changes Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>	2018-01-05 10:35:51 +01:00
John Crispin	7c0a2bc930	busybox: backport cve-2017-16544 fix In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of the shell, used to get a list of filenames in a directory, does not sanitize filenames and results in executing any escape sequence in the terminal. This could potentially result in code execution, arbitrary file writes, or other attacks. Fixes: FS#1181 - CVE-2017-16544: Backport the patch from: https://git.busybox.net/busybox/commit/?id=c3797d40a1c57352192c6106cc0f435e7d9c11e8 https://nvd.nist.gov/vuln/detail/CVE-2017-16544 Signed-off-by: Derek Werthmuller <thewerthfam@gmail.com> Signed-off-by: John Crispin <john@phrozen.org>	2018-01-02 07:14:08 +01:00

Author

SHA1

Message

Date

Kevin Darbyshire-Bryant

b61a648e4a

busybox: clean up patch fuzz

Refresh patches to tidy up fuzz.  No functional changes

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>

2018-01-05 10:35:51 +01:00

John Crispin

7c0a2bc930

busybox: backport cve-2017-16544 fix

In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2,
the tab autocomplete feature of the shell, used to get a list of filenames
in a directory, does not sanitize filenames and results in executing any
escape sequence in the terminal. This could potentially result in code
execution, arbitrary file writes, or other attacks.

Fixes: FS#1181 - CVE-2017-16544:

Backport the patch from:
https://git.busybox.net/busybox/commit/?id=c3797d40a1c57352192c6106cc0f435e7d9c11e8
https://nvd.nist.gov/vuln/detail/CVE-2017-16544

Signed-off-by: Derek Werthmuller <thewerthfam@gmail.com>
Signed-off-by: John Crispin <john@phrozen.org>

2018-01-02 07:14:08 +01:00

2 commits