Source: busybox
Version: 1:1.37.0-10
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for busybox.

CVE-2026-26157[0]:
| A flaw was found in BusyBox. Incomplete path sanitization in its
| archive extraction utilities allows an attacker to craft malicious
| archives that when extracted, and under specific conditions, may
| write to files outside the intended directory. This can lead to
| arbitrary file overwrite, potentially enabling code execution
| through the modification of sensitive system files.

CVE-2026-26158[1]:
| A flaw was found in BusyBox. This vulnerability allows an attacker
| to modify files outside of the intended extraction directory by
| crafting a malicious tar archive containing unvalidated hardlink or
| symlink entries. If the tar archive is extracted with elevated
| privileges, this flaw can lead to privilege escalation, enabling an
| attacker to gain unauthorized access to critical system files.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-26157
    https://www.cve.org/CVERecord?id=CVE-2026-26157
[1] https://security-tracker.debian.org/tracker/CVE-2026-26158
    https://www.cve.org/CVERecord?id=CVE-2026-26158
[2] https://git.busybox.net/busybox/commit/archival?id=3fb6b31c716669e12f75a2accd31bb7685b1a1cb

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
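Both CVEs above describe the same defensive gap: an archive member name, or the target of a hardlink or symlink entry, is used without checking that it stays under the extraction directory. The C below is an added example of what such a check looks like, written for this report; it is not BusyBox's code and does not reproduce the upstream fix in [2]. The function names archive_name_is_safe, link_target_is_safe and walk_depth and the sample entries in main() are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Example extraction-path checks written for this report; they are not
 * BusyBox's own code and the function names are hypothetical.
 *
 * walk_depth() lexically walks the path components in path[0..len) starting
 * at directory depth `depth` (0 = the extraction root). "." and empty
 * components are ignored, ".." steps up, anything else steps down. Returns
 * the final depth, or -1 as soon as the walk would climb above the root.
 */
static int walk_depth(const char *path, size_t len, int depth)
{
    size_t i = 0;
    while (i < len) {
        size_t j = i;
        while (j < len && path[j] != '/')
            j++;
        size_t clen = j - i;
        if (clen == 2 && path[i] == '.' && path[i + 1] == '.') {
            if (--depth < 0)
                return -1;
        } else if (clen > 0 && !(clen == 1 && path[i] == '.')) {
            depth++;
        }
        i = j + 1;
    }
    return depth;
}

/* Member names must be non-empty, relative, and contain no ".." component.
 * Rejecting ".." outright is stricter than a pure depth check and avoids
 * having to reason about "a/../b" style names at all. */
bool archive_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0' || name[0] == '/')
        return false;
    const char *p = name;
    for (;;) {
        const char *seg_end = strchr(p, '/');
        size_t clen = seg_end ? (size_t)(seg_end - p) : strlen(p);
        if (clen == 2 && p[0] == '.' && p[1] == '.')
            return false;
        if (seg_end == NULL)
            return true;
        p = seg_end + 1;
    }
}

/* Link entries carry a second path, the target. A hardlink target names
 * another archive member, so it gets the same member-name check. A symlink
 * target is interpreted at runtime relative to the link's own directory,
 * so it is resolved lexically from that directory's depth and must not
 * climb above the extraction root; absolute targets are refused. */
bool link_target_is_safe(const char *link_name, const char *target, bool is_hardlink)
{
    if (!archive_name_is_safe(link_name))
        return false;
    if (target == NULL || target[0] == '\0')
        return false;
    if (is_hardlink)
        return archive_name_is_safe(target);
    if (target[0] == '/')
        return false;

    /* Depth of the directory the symlink itself will be created in. */
    const char *slash = strrchr(link_name, '/');
    int depth = slash ? walk_depth(link_name, (size_t)(slash - link_name), 0) : 0;
    if (depth < 0) /* cannot happen after archive_name_is_safe, kept defensively */
        return false;
    return walk_depth(target, strlen(target), depth) >= 0;
}

int main(void)
{
    /* Constructed sample entries of the kind a tar reader would hand to the checks. */
    struct { const char *name, *target; bool hard; } entries[] = {
        { "etc/motd",        NULL,               false },
        { "../etc/passwd",   NULL,               false }, /* plain traversal */
        { "usr/bin/sh",      "../../../bin/sh",  false }, /* symlink, escapes root */
        { "usr/lib/libc.so", "../lib/libc.so.6", false }, /* symlink, stays inside */
        { "alias",           "../etc/shadow",    true  }, /* hardlink, escapes root */
    };
    for (size_t i = 0; i < sizeof entries / sizeof entries[0]; i++) {
        bool ok = entries[i].target
            ? link_target_is_safe(entries[i].name, entries[i].target, entries[i].hard)
            : archive_name_is_safe(entries[i].name);
        printf("%-8s %s\n", ok ? "extract" : "REJECT", entries[i].name);
    }
    return 0;
}
```

A lexical check like this is necessary but not sufficient on its own: once a symlink that legitimately points inside the tree has been created, a later entry whose path passes through it would be written through the link, so a hardened extractor additionally refuses to follow symlinks in already-created path components (opening each component with O_NOFOLLOW, or deferring symlink creation until the other entries are written) when it creates subsequent files.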

