Hi Michael, Hi Security Team

So, I've imported the patches into the LTS repo:
https://salsa.debian.org/lts-team/packages/busybox/-/tree/debian/bookworm

I've prepared CVE-2023-39810 on a dedicated branch, so this would be ready too:
https://salsa.debian.org/lts-team/packages/busybox/-/tree/debian/bookworm-CVE-2023-39810

However, strictly speaking the fix for this CVE changes busybox behaviour, as directory traversal was "allowed" before and disallowing it is a behavioral change.

@security team: I still think we should enable the feature (as it is in unstable already), but I'd like to RFC if this would be OK.

Cheers,
--
tobi

On Sun, Feb 01, 2026 at 03:19:10PM +0100, Tobias Frost wrote:
> Hi Michael,
>
> thanks for the quick reply!
>
> On Sun, Feb 01, 2026 at 12:17:12AM +0300, Michael Tokarev wrote:
> > On 1/31/26 19:19, Tobias Frost wrote:
> > > Hi Michael,
> > >
> > > I'm reaching out in regard to updates of busybox in bookworm.
> > > Around a year ago I uploaded fixes to LTS (bullseye), but
> > > some of the fixed CVEs are currently unfixed in newer releases,
> > > especially in bookworm, and I'd like to close this gap.
> > >
> > > As "busybox" is listed as one where the maintainers would like
> > > to be involved in LTS updates, I'm reaching out to coordinate this
> > > update.
> > >
> > > The plan would be to at least close the gap in bookworm and at least fix
> > > everything fixed in bullseye.
> > > What do you think, how should we approach this issue? I can, as part of
> > > the LTS effort, take a look at bullseye, but if you prefer to take a
> > > look yourself that would be appreciated too.
> >
> > Please definitely do the fixes in bookworm if you're energetic enough
> > to fix them.
> >
> > Which fixes are they, anyway? Are you talking about fixes to the 4 CVEs
> > listed for bookworm but not for trixie, -- CVE-2022-48174 (ash),
> > CVE-2023-42363 (uaf xasprintf), CVE-2023-42364 (uaf awk pattern),
> > CVE-2023-42365 (uaf awk copyvar)? Or is it something else?
> >
> > Or do you think about the other vulns still listed for trixie and sid too?
>
> The bookworm update should target at least
> CVE-2022-48174, CVE-2023-42364, CVE-2023-42365 - those are the "gap"
> between bullseye and bookworm.
> It won't hurt to fix CVE-2023-42363, too, as this one is already fixed
> in trixie and newer.
>
> So I will primarily target the above.
>
> CVE-2023-39810 would be nice too, but that will trigger a need to
> update trixie as well. It's triaged as non-dsa by the security team, so
> this would become a stable-proposed-update. (Let me know your thoughts
> about this one.)
>
> For what I can see (it seems that the upstream bug tracker is restricting
> access), the 4 open CVEs in sid/testing don't have a resolution
> yet. Do you by chance have an upstream contact to ask about them?
>
> Cheers,
> tobi
>
> > Thanks,
> >
> > /mjt
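An added illustration, not busybox's code and not part of this thread, of the kind of check that "disallowing directory traversal" on archive extraction implies: member names that are absolute, or whose ".." components would climb above the extraction directory, are refused before anything is written. The function name and the sample member names are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Verdict for one archive member name examined before extraction. */
enum path_verdict { PATH_OK = 0, PATH_ABSOLUTE = 1, PATH_ESCAPES = 2 };

/*
 * Walk the member name component by component and track how deep below
 * the extraction directory it would land.  A ".." at depth 0 would move
 * above the extraction directory; that is the traversal the fix refuses.
 * Leading "/" is refused outright because such a name is never relative
 * to the extraction directory at all.
 */
enum path_verdict check_member_path(const char *name)
{
    int depth = 0;
    const char *p = name;

    if (*p == '/')
        return PATH_ABSOLUTE;          /* e.g. "/etc/passwd" */

    while (*p) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);

        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (depth == 0)
                return PATH_ESCAPES;   /* "../x" or "a/../../x" */
            depth--;
        } else if (len > 0 && !(len == 1 && p[0] == '.')) {
            depth++;                   /* ordinary path component */
        }
        /* empty (doubled slash) and "." components change nothing */

        if (!end)
            break;
        p = end + 1;
    }
    return PATH_OK;
}

int main(void)
{
    /* constructed member names, as an archive might carry them */
    const char *names[] = { "etc/passwd", "../etc/passwd", "/etc/passwd",
                            "a/../b", "a/../../b", "./a/./b" };
    static const char *verdict[] = { "ok", "absolute", "escapes" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-16s -> %s\n", names[i], verdict[check_member_path(names[i])]);
    return 0;
}
```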

