Arch Linux Security Advisory ASA-201803-2

Severity: High
Date : 2018-03-01
CVE-ID : CVE-2017-16544
Package : mkinitcpio-busybox
Type : arbitrary code execution
Remote : No
Link : https://security.archlinux.org/AVG-514

Summary

The package mkinitcpio-busybox before version 1.28.1-1 is vulnerable to
arbitrary code execution.

Resolution

Upgrade to 1.28.1-1.

pacman -Syu “mkinitcpio-busybox>=1.28.1-1”

The problem has been fixed upstream in version 1.28.1.

Workaround

None.

Description

In the add_match function in libbb/lineedit.c in BusyBox through
1.27.2, the tab autocomplete feature of the shell, used to get a list
of filenames in a directory, does not sanitize filenames and results in
executing any escape sequence in the terminal. This could potentially
result in code execution, arbitrary file writes, or other attacks.

Impact

An attacker is able to execute arbitrary code by tricking the user into
auto-completing a crafted filename.

References

https://bugs.archlinux.org/task/56391
https://git.busybox.net/busybox/commit/?id=c3797d40a1c57352192c6106cc0f435e7d9c11e8
https://www.twistlock.com/2017/11/20/cve-2017-16544-busybox-autocompletion-vulnerability/
https://security.archlinux.org/CVE-2017-16544