oss-sec mailing list archives

Re: vulnerabilities in busybox tar and cpio tools

From: Salvatore Bonaccorso <carnil () debian org>
Date: Wed, 23 Apr 2025 22:47:17 +0200

Hi,

On Wed, Apr 23, 2025 at 02:11:44PM +0000, Ian Norton wrote:


https://bugs.busybox.net/show_bug.cgi?id=16018  (awaiting CVE)

Busybox's cpio and tar tools will print un-escaped filenames when listing and unpacking
cpio and tar files. Malicious files containing filenames with terminal escapes can be used
to mask or modify earlier or later files in the archive from anyone running busybox tar or cpio
from a terminal.


FTR, this one has assigned CVE-2025-46394 .

Regards,
Salvatore

Current thread:

vulnerabilities in busybox tar and cpio tools Ian Norton (Apr 23)
- Re: vulnerabilities in busybox tar and cpio tools Ricardo Branco (Apr 23)
  - Re: vulnerabilities in busybox tar and cpio tools Salvatore Bonaccorso (Apr 23)
    - Re: vulnerabilities in busybox tar and cpio tools Albert Veli (Apr 24)
    - Re: [EXTERNAL] Re: [oss-security] vulnerabilities in busybox tar and cpio tools Ian Norton (Apr 24)
    - Re: vulnerabilities in busybox tar and cpio tools Demi Marie Obenour (Apr 24)
    - Re: vulnerabilities in busybox tar and cpio tools Solar Designer (Apr 24)
    - Re: vulnerabilities in busybox tar and cpio tools Demi Marie Obenour (Apr 25)
- Re: vulnerabilities in busybox tar and cpio tools Jakub Wilk (Apr 23)
  - Re: [EXTERNAL] Re: [oss-security] vulnerabilities in busybox tar and cpio tools Ian Norton (Apr 24)
- Re: vulnerabilities in busybox tar and cpio tools Salvatore Bonaccorso (Apr 23)