
oss-sec mailing list archives
Re: vulnerabilities in busybox tar and cpio tools
From: Demi Marie Obenour <demiobenour () gmail com>
Date: Fri, 25 Apr 2025 14:58:15 -0400
On 4/24/25 7:57 PM, Solar Designer wrote:
> On Thu, Apr 24, 2025 at 07:09:44PM -0400, Demi Marie Obenour wrote:
>> On 4/24/25 3:09 AM, Albert Veli wrote:
>>> On Wed, Apr 23, 2025 at 10:51 PM Salvatore Bonaccorso <carnil () debian org> wrote:
>>>> FTR, this one has assigned CVE-2025-46394
>>>> ...
>>>> FTR, this one has CVE-2024-58251 assigned.
>>>
>>> From what I can tell the latest release is busybox-1.37.0. Are these fixed in this release? If not, do you have any link to patches I can apply to fix these issues?
>>>
>>> Regards,
>>> Albert
>>
>> This message was marked as spam by GMail. The ARC-Authentication-Results header indicates that the mailing list is not configured in a DMARC-compatible way. Specifically, the mailing list did not rewrite the From: header but did modify the message body, so the DKIM signature check failed.
>
> This was a special case - DKIM-breaking message body modification shouldn't normally happen here. However, the list is indeed not DMARC-compatible: we insert [oss-security] into the Subject when it's not already near the beginning of that header (may break DKIM), and we relay messages from the list server's IP address (may be against the From header domain's SPF, although recipient servers may look at envelope-from instead, which we do rewrite, so SPF will match in that respect).

SPF won't be a problem so long as the message is DKIM-signed.

> For now, this is simply how it is. Most delivery problems occur when the sender's domain has strict DMARC policy ("p=reject"), so e.g. when someone from google.com posts, the message doesn't get through to subscribers on gmail.com. For gmail.com to gmail.com, everything is usually "fine" for now.

gmail.com now has p=quarantine, so this is already starting to cause problems even there. I think it is best to either rewrite the From header unless there is a DKIM signature and it is kept intact, or bounce the message instructing the user to add [oss-security] to the Subject themselves.

--
Sincerely,
Demi Marie Obenour (she/her/hers)
Attachment:
OpenPGP_0xB288B55FFF9C22C1.asc
Description: OpenPGP public key
Attachment:
OpenPGP_signature.asc
Description: OpenPGP digital signature
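The SPF/DKIM/DMARC interaction discussed in this thread, as an added example that is not part of the original messages: a simplified Python model of the checks a receiving server performs, run over the relay behaviours the thread describes (Subject tagging, body modification, envelope-from rewriting, From rewriting). The list domain lists.example.org, the IP addresses, the message text and the SHA-256 stand-in for DKIM's real RSA/Ed25519 signature are constructed assumptions; gmail.com's p=quarantine policy is as stated in the thread. Alignment is modelled as strict (authenticated domain must equal the From: domain), which is enough to show the mechanism.

```python
"""Toy SPF / DKIM / DMARC evaluator for a mailing-list relay (constructed example)."""
import copy
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass
class Message:
    headers: dict            # lowercase header name -> value
    body: str
    envelope_from: str       # domain of the SMTP MAIL FROM (return-path)
    source_ip: str           # IP the receiving MTA saw the message come from
    dkim: Optional[dict] = None   # {"d": signing domain, "h": signed headers, "b": signature}


def _canon(value: str) -> str:
    # relaxed-style canonicalization: fold whitespace, lower-case
    return " ".join(value.split()).lower()


def _sig_input(msg: Message, signed_headers) -> str:
    # signed headers plus a body hash (the bh= part of a real DKIM-Signature)
    bh = hashlib.sha256(msg.body.rstrip("\r\n").encode()).hexdigest()
    return "".join(f"{h}:{_canon(msg.headers.get(h, ''))}\n" for h in signed_headers) + bh


def dkim_sign(msg: Message, domain: str, signed_headers, secret: str) -> None:
    # stand-in for a real signature: keyed hash over the canonicalized input
    data = _sig_input(msg, signed_headers)
    msg.dkim = {"d": domain, "h": list(signed_headers),
                "b": hashlib.sha256(f"{secret}|{data}".encode()).hexdigest()}


def dkim_verify(msg: Message, secrets: dict) -> Optional[str]:
    """Return the domain that authenticated via DKIM, or None if unsigned/broken."""
    if msg.dkim is None or msg.dkim["d"] not in secrets:
        return None
    data = _sig_input(msg, msg.dkim["h"])
    expected = hashlib.sha256(f"{secrets[msg.dkim['d']]}|{data}".encode()).hexdigest()
    return msg.dkim["d"] if expected == msg.dkim["b"] else None


def spf_check(msg: Message, spf_records: dict) -> Optional[str]:
    """SPF evaluates the envelope-from domain, not the From: header."""
    return msg.envelope_from if msg.source_ip in spf_records.get(msg.envelope_from, ()) else None


def from_domain(msg: Message) -> str:
    return msg.headers["from"].rsplit("@", 1)[1].rstrip(">").lower()


def dmarc_evaluate(msg: Message, spf_records: dict, dkim_secrets: dict, policies: dict) -> dict:
    fd = from_domain(msg)
    spf_domain = spf_check(msg, spf_records)
    dkim_domain = dkim_verify(msg, dkim_secrets)
    aligned = fd in (spf_domain, dkim_domain)   # strict alignment with the From: domain
    policy = policies.get(fd, "none")
    action = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy]
    return {"from": fd, "spf": spf_domain, "dkim": dkim_domain,
            "dmarc": "pass" if aligned else "fail",
            "disposition": "deliver" if aligned else action}


# Constructed environment (documentation IP ranges, hypothetical list domain).
SPF = {"gmail.com": {"192.0.2.25"}, "lists.example.org": {"198.51.100.10"}}
DKIM_SECRETS = {"gmail.com": "gmail-key", "lists.example.org": "list-key"}
DMARC = {"gmail.com": "quarantine"}          # as noted in the thread
LIST_IP, LIST_DOMAIN, TAG = "198.51.100.10", "lists.example.org", "[oss-security]"
SIGNED = ["from", "subject", "to"]


def original_post(subject: str) -> Message:
    """A subscriber's message as it leaves gmail.com, DKIM-signed by gmail.com."""
    m = Message({"from": "Alice <alice@gmail.com>", "subject": subject,
                 "to": f"oss-security@{LIST_DOMAIN}"},
                "Hello list\n", "gmail.com", "192.0.2.25")
    dkim_sign(m, "gmail.com", SIGNED, DKIM_SECRETS["gmail.com"])
    return m


def relay(msg: Message, add_footer=False, rewrite_from=False) -> Message:
    """What the list server does: new source IP, rewritten envelope-from, Subject tag."""
    out = copy.deepcopy(msg)
    out.source_ip, out.envelope_from = LIST_IP, LIST_DOMAIN
    if TAG not in out.headers["subject"][:40]:          # tag only if not already near the start
        out.headers["subject"] = f"{TAG} " + out.headers["subject"]
    if add_footer:                                       # the "special case" body edit
        out.body += "\n-- list footer\n"
    if rewrite_from:                                     # From rewrite + re-sign by the list
        out.headers["from"] = f"Alice via oss-security <oss-security@{LIST_DOMAIN}>"
        dkim_sign(out, LIST_DOMAIN, SIGNED, DKIM_SECRETS[LIST_DOMAIN])
    return out


def run_scenarios() -> dict:
    post = original_post("Re: busybox tar/cpio")
    pretagged = original_post(f"{TAG} Re: busybox tar/cpio")
    cases = {
        "direct": post,
        "relay_subject_tagged": relay(post),
        "relay_already_tagged": relay(pretagged),
        "relay_body_modified": relay(pretagged, add_footer=True),
        "relay_from_rewritten": relay(post, rewrite_from=True),
    }
    return {name: dmarc_evaluate(m, SPF, DKIM_SECRETS, DMARC) for name, m in cases.items()}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:22} spf={result['spf']} dkim={result['dkim']} -> {result['disposition']}")
```

The scenarios map onto the thread: the relayed post whose Subject is tagged loses its gmail.com DKIM signature and is quarantined, even though SPF passes for the rewritten envelope-from, because that SPF pass is not aligned with the From: domain. A post that already carries the tag survives the relay intact (the bounce-and-ask option), a body edit breaks it again, and rewriting From: and re-signing under the list domain restores alignment.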