File _patchinfo of Package patchinfo.43070

<patchinfo incident="43070">
  <!--generated with prepare-update from request 402964-->
  <issue tracker="bnc" id="1192869">VUL-0: busybox: v1.34.0 bugfixes</issue>
  <issue tracker="bnc" id="1217580">VUL-0: CVE-2023-42363: busybox: use-after-free vulnerability in xasprintf function in xfuncs_printf.c</issue>
  <issue tracker="bnc" id="1217584">VUL-0: CVE-2023-42364: busybox: use-after-free in the awk.c evaluate function</issue>
  <issue tracker="bnc" id="1217585">VUL-0: CVE-2023-42365: busybox: use-after-free in the awk.c copyvar function</issue>
  <issue tracker="bnc" id="1241661">VUL-0: CVE-2025-46394: busybox: files in a TAR archive can have their filenames hidden from a listing if terminal escape sequences are used when naming other files included in the archive</issue>
  <issue tracker="bnc" id="1253245">VUL-0: CVE-2025-60876: busybox: request line incorrectly neutralized may lead to header injection</issue>
  <issue tracker="bnc" id="1258163">VUL-0: CVE-2026-26157: busybox: Arbitrary file overwrite and potential code execution via incomplete path sanitization</issue>
  <issue tracker="bnc" id="1258167">VUL-0: CVE-2026-26158: busybox: Arbitrary file modification and privilege escalation via unvalidated tar archive entries</issue>
  <issue tracker="cve" id="2021-42380"/>
  <issue tracker="cve" id="2023-42363"/>
  <issue tracker="cve" id="2023-42364"/>
  <issue tracker="cve" id="2023-42365"/>
  <issue tracker="cve" id="2025-46394"/>
  <issue tracker="cve" id="2025-60876"/>
  <issue tracker="cve" id="2026-26157"/>
  <issue tracker="cve" id="2026-26158"/>
  <category>security</category>
  <rating>important</rating>
  <packager>radolin</packager>
  <summary>Security update for busybox</summary>
  <description>This update for busybox fixes the following issues:

- CVE-2023-42363: use-after-free vulnerability in xasprintf function in xfuncs_printf.c (bsc#1217580).
- CVE-2023-42364: use-after-free in the awk.c evaluate function (bsc#1217584).
- CVE-2023-42365: use-after-free in the awk.c copyvar function (bsc#1217585).
- CVE-2025-46394: files in a TAR archive can have their filenames hidden from a listing if terminal escape sequences are
  used when naming other files included in the archive (bsc#1241661).
- CVE-2025-60876: incorrectly neutralized request line may lead to header injection (bsc#1253245).
- CVE-2026-26157: Arbitrary file overwrite and potential code execution via incomplete path sanitization (bsc#1258163).
- CVE-2026-26158: Arbitrary file modification and privilege escalation via unvalidated tar archive entries
  (bsc#1258167).
- CVE-2021-42380: Additional fix for use-after-realloc in awk (bsc#1192869).
</description>
</patchinfo>