Your message dated Fri, 06 Mar 2026 10:06:23 +0000
with message-id <[email protected]>
and subject line Bug#1127782: fixed in busybox 1:1.37.0-10.1
has caused the Debian Bug report #1127782,
regarding busybox: CVE-2026-26157 CVE-2026-26158
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1127782: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127782
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: busybox
Version: 1:1.37.0-10
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for busybox.

CVE-2026-26157[0]:
| A flaw was found in BusyBox. Incomplete path sanitization in its
| archive extraction utilities allows an attacker to craft malicious
| archives that when extracted, and under specific conditions, may
| write to files outside the intended directory. This can lead to
| arbitrary file overwrite, potentially enabling code execution
| through the modification of sensitive system files.


CVE-2026-26158[1]:
| A flaw was found in BusyBox. This vulnerability allows an attacker
| to modify files outside of the intended extraction directory by
| crafting a malicious tar archive containing unvalidated hardlink or
| symlink entries. If the tar archive is extracted with elevated
| privileges, this flaw can lead to privilege escalation, enabling an
| attacker to gain unauthorized access to critical system files.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-26157
    https://www.cve.org/CVERecord?id=CVE-2026-26157
[1] https://security-tracker.debian.org/tracker/CVE-2026-26158
    https://www.cve.org/CVERecord?id=CVE-2026-26158
[2] https://git.busybox.net/busybox/commit/archival?id=3fb6b31c716669e12f75a2accd31bb7685b1a1cb

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
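
The two CVE descriptions in the report above concern archive members and tar hardlink or symlink entries that resolve outside the extraction directory. As an added example (not BusyBox or Debian code, and not the upstream fix), this Python script audits a tar archive for such entries without extracting it; the function names, the reason strings and the in-memory sample archive are constructed for illustration.

```python
import io
import posixpath
import tarfile

def _escapes(path):
    """True if a '/'-separated path is absolute or climbs above its starting directory."""
    norm = posixpath.normpath(path)
    return path.startswith("/") or norm == ".." or norm.startswith("../")

def audit_tar(fileobj):
    """List (member, reason) pairs for entries that could write outside the root; nothing is extracted."""
    findings, symlinks = [], set()
    with tarfile.open(fileobj=fileobj, mode="r:*") as tf:
        for m in tf:
            norm = posixpath.normpath(m.name)
            parents = norm.split("/")[:-1]
            prefixes = {"/".join(parents[:i + 1]) for i in range(len(parents))}
            if _escapes(m.name):
                findings.append((m.name, "member path escapes root"))
            elif prefixes & symlinks:
                # Conservative: flag any write through a symlink the archive itself created
                findings.append((m.name, "path passes through archive symlink"))
            if m.issym():
                # Symlink targets resolve relative to the link's own directory
                if _escapes(posixpath.join(posixpath.dirname(norm), m.linkname)):
                    findings.append((m.name, "symlink target escapes root"))
                symlinks.add(norm)
            elif m.islnk() and _escapes(m.linkname):
                # Hardlink targets are stored relative to the archive root
                findings.append((m.name, "hardlink target escapes root"))
    return findings

def build_sample():
    """Constructed in-memory archive; every name and target is made up for the demo."""
    buf = io.BytesIO()
    entries = [("ok/readme.txt", tarfile.REGTYPE, ""), ("ok/rel", tarfile.SYMTYPE, "readme.txt"),
               ("../outside.txt", tarfile.REGTYPE, ""), ("link", tarfile.SYMTYPE, "/etc"),
               ("link/passwd", tarfile.REGTYPE, ""), ("hard", tarfile.LNKTYPE, "../../etc/shadow")]
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, kind, target in entries:
            info = tarfile.TarInfo(name)
            info.type, info.linkname = kind, target
            tf.addfile(info)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    print(audit_tar(build_sample()))
```

An empty result means none of these patterns were found; it does not establish that an unpatched extractor handles the archive safely.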
--- Begin Message ---
Source: busybox
Source-Version: 1:1.37.0-10.1
Done: Adrian Bunk <[email protected]>

We believe that the bug you reported is fixed in the latest version of
busybox, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk <[email protected]> (supplier of updated busybox package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 04 Mar 2026 19:42:01 +0200
Source: busybox
Architecture: source
Version: 1:1.37.0-10.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Install System Team <[email protected]>
Changed-By: Adrian Bunk <[email protected]>
Closes: 1127782
Changes:
 busybox (1:1.37.0-10.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2026-26157: Incomplete path sanitization in archive
     extraction utilities
   * CVE-2026-26158: File modification outside of the intended
     extraction directory in tar
   * (Closes: #1127782)
Checksums-Sha1:
 cf3bd6438ab94036abe75dd0eb18435ea1310af9 2289 busybox_1.37.0-10.1.dsc
 0a46c8c5a8b2dbcb6ab4eb6dcc216c5b40811dce 71232 busybox_1.37.0-10.1.debian.tar.xz
Checksums-Sha256:
 693c293dcfc2cfded30adbb1b1527e624f4afbacbfaadc9322d199e4174f06bc 2289 busybox_1.37.0-10.1.dsc
 45c11b16e7031eb5ea691944408724084527732bf8e729e79cc74325eccf1e9f 71232 busybox_1.37.0-10.1.debian.tar.xz
Files:
 63fb165bb8fd1930ed7e99dbce8a901f 2289 utils optional busybox_1.37.0-10.1.dsc
 3c610b7f2d812d1d77103961def0f4d2 71232 utils optional busybox_1.37.0-10.1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---