SB2016120405 - Gentoo update for BusyBox
Published: December 4, 2016 Updated: December 4, 2016
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Integer overflow (CVE-ID: CVE-2016-2147)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
Integer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to cause a denial of service (crash) via a malformed RFC1035-encoded domain name, which triggers an out-of-bounds heap write.
2) Heap-based buffer overflow (CVE-ID: CVE-2016-2148)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in udhcpc client when parsing DHCP packets with specially crafted OPTION_6RD option. A remote attacker can trick the victim to connect to malicious DHCP server, trigger heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Remediation
Install update from vendor's website.