bell-sw / Alpaquita


Busybox CVEs on Alpaquita Linux Base #3

Closed jonathannaguin closed 1 month ago

jonathannaguin commented 4 months ago

Hello,

I was reviewing the usage of Alpaquita Docker images and noticed Aqua (https://www.aquasec.com/products/container-vulnerability-scanning/) is reporting CVEs against "busybox":

- CVE-2023-42363 - Medium
- CVE-2023-42364 - Medium
- CVE-2023-42365 - Medium
- CVE-2023-42366 - Medium

voitylov commented 4 months ago

This set of issues seems to have been reported to busybox by someone who ran a fuzzer and reported its output as CVEs.

We have submitted a fix upstream for [1], and the fix has been incorporated in the Alpaquita busybox package since busybox-1.36.1-r26 [2]. The bug is triggered by a syntactically invalid awk program, and awk immediately gives up and exits after reporting a syntax error, so any exploitation of this bug is highly unlikely. It's unclear why Aqua considers Alpaquita as affected (maybe because they treat Alpaquita as some other Linux distribution).

The upstream busybox doesn't yet have fixes for the remaining issues. We have tried to help the busybox community with the investigation; you may also lend them a helping hand.

The bug in 15865 [3] is triggered by an awk program that would be rejected as syntactically invalid by other versions of awk (though it is accepted by busybox awk), so the chances of encountering such an awk script in the wild and unwittingly running it are slim.

15868 [4] and 15871 [5] are actually the same bug.

[1] https://bugs.busybox.net/show_bug.cgi?id=15874
[2] https://docs.bell-sw.com/security/cves/CVE-2023-42366/
[3] https://bugs.busybox.net/show_bug.cgi?id=15865
[4] https://bugs.busybox.net/show_bug.cgi?id=15868
[5] https://bugs.busybox.net/show_bug.cgi?id=15871

voitylov commented 1 month ago

At this point, all these CVEs are fixed in Alpaquita: https://docs.bell-sw.com/security/advisories/BELL-SA-2024-41/