package/busybox: security bump to version 1.33.2

Fixes the following vulnerabilities:

- CVE-2021-42374: An out-of-bounds heap read in Busybox's unlzma applet
  leads to information leak and denial of service when crafted
  LZMA-compressed input is decompressed

- CVE-2021-42375: An incorrect handling of a special element in Busybox's
  ash applet leads to denial of service when processing a crafted shell
  command, due to the shell mistaking specific characters for reserved
  characters. This may be used for DoS under rare conditions of filtered
  command input

- CVE-2021-42376: A NULL pointer dereference in Busybox's hush applet leads
  to denial of service when processing a crafted shell command, due to
  missing validation after a \x03 delimiter character. This may be used for
  DoS under very rare conditions of filtered command input.

- CVE-2021-42377: An attacker-controlled pointer free in Busybox's hush
  applet leads to denial of service and possible code execution when
  processing a crafted shell command, due to the shell mishandling the &&&
  string. This may be used for remote code execution under rare conditions
  of filtered command input.

For details, see:
https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>