On 4/24/25 7:57 PM, Solar Designer wrote:
> On Thu, Apr 24, 2025 at 07:09:44PM -0400, Demi Marie Obenour wrote:
>> On 4/24/25 3:09 AM, Albert Veli wrote:
>>> On Wed, Apr 23, 2025 at 10:51 PM Salvatore Bonaccorso <car...@debian.org> wrote:
>>>> FTR, this one has assigned CVE-2025-46394
>>>> ...
>>>> FTR, this one has CVE-2024-58251 assigned.
>>>
>>> From what I can tell the latest release is busybox-1.37.0. Are these fixed
>>> in this release? If not, do you have any link to patches I can apply to fix
>>> these issues?
>>>
>>> Regards,
>>> Albert
>>
>> This message was marked as spam by GMail.  The ARC-Authentication-Results
>> header indicates that the mailing list is not configured in a DMARC-compatible
>> way.  Specifically, the mailing list did not rewrite the From: header but did
>> modify the message body, so the DKIM signature check failed.
> 
> This was a special case - DKIM-breaking message body modification
> shouldn't normally happen here.
> 
> However, the list is indeed not DMARC-compatible: we insert
> [oss-security] into the Subject when it's not already near the beginning
> of that header (may break DKIM), and we relay messages from the list
> server's IP address (may be against the From header domain's SPF,
> although recipient servers may look at envelope-from instead, which we
> do rewrite, so SPF will match in that respect).

SPF won’t be a problem so long as the message is DKIM-signed.

> For now, this is simply how it is.  Most delivery problems occur when
> the sender's domain has strict DMARC policy ("p=reject"), so e.g. when
> someone from google.com posts, the message doesn't get through to
> subscribers on gmail.com.  For gmail.com to gmail.com, everything is
> usually "fine" for now.

gmail.com now has p=quarantine, so this is already starting to cause
problems even there.  I think it is best to either rewrite the From
header unless there is a DKIM signature and it is kept intact, or
bounce the message instructing the user to add [oss-security] to the
Subject themselves.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)

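The mechanism the thread is arguing about, as an added worked example that is not part of the original messages or of the list software: DKIM signs the headers named in its h= tag (Subject almost always among them) after canonicalizing them, so a list that prepends "[oss-security] " to Subject invalidates the signature, while rewriting the SMTP envelope sender, which is not a header, does not. The code uses HMAC-SHA256 as a stand-in for the RSA or Ed25519 primitive of real DKIM, the list addresses and message headers are constructed, and the "near the beginning" rule is assumed to mean the tag appears within the first few characters after an optional "Re: " prefix.

```python
import hashlib
import hmac
import re

# Constructed shared secret standing in for the signer's DKIM key pair.
# Real DKIM signs the same canonicalized input with RSA or Ed25519; only
# the primitive differs, header selection and canonicalization are the same.
SIGNING_KEY = b"example-dkim-key"

# Headers covered by the signature, i.e. the DKIM h= tag (constructed).
SIGNED_FIELDS = ("from", "subject", "date", "message-id")

LIST_TAG = "[oss-security]"
LIST_BOUNCE = "oss-security-bounces@example.org"  # constructed envelope sender


def relaxed_header(name, value):
    """RFC 6376 section 3.4.2 'relaxed' canonicalization of one header:
    lower-case the name, unfold continuation lines, collapse runs of
    whitespace to a single space, strip leading/trailing whitespace."""
    name = name.lower()
    value = re.sub(r"\r?\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name}:{value}\r\n"


def _find(headers, name):
    for n, v in headers:
        if n.lower() == name:
            return n, v
    return None


def dkim_sign(headers, signed_fields=SIGNED_FIELDS):
    """Hash the canonicalized signed headers in h= order and return the
    signature as hex. Headers not present are skipped, as in DKIM."""
    data = b""
    for field in signed_fields:
        hv = _find(headers, field)
        if hv is not None:
            data += relaxed_header(*hv).encode()
    return hmac.new(SIGNING_KEY, data, hashlib.sha256).hexdigest()


def dkim_verify(headers, signature, signed_fields=SIGNED_FIELDS):
    return hmac.compare_digest(dkim_sign(headers, signed_fields), signature)


def list_rewrite_headers(headers, tag=LIST_TAG):
    """The list behaviour described in the thread: prepend the tag to Subject
    unless it already appears near the beginning; From: is left untouched."""
    out = []
    for n, v in headers:
        if n.lower() == "subject":
            window = v[: len(tag) + 8].lower()  # assumption: "Re: " etc. is ok
            if tag.lower() not in window:
                v = f"{tag} {v}"
        out.append((n, v))
    return out


def list_relay(msg, tag=LIST_TAG):
    """Relay a message: rewrite the envelope sender (MAIL FROM) so SPF is
    evaluated against the list's domain, and tag the Subject."""
    return {"mail_from": LIST_BOUNCE,
            "headers": list_rewrite_headers(msg["headers"], tag)}


# Constructed sample post; the signature is computed at the sender's MTA.
ORIGINAL = {
    "mail_from": "albert@example.com",
    "headers": [
        ("From", "Albert <albert@example.com>"),
        ("Subject", "Re: busybox CVEs"),
        ("Date", "Thu, 24 Apr 2025 03:09:00 +0200"),
        ("Message-ID", "<constructed-1@example.com>"),
    ],
}


def demo(msg=ORIGINAL):
    """Return whether the signature survives the list at each stage."""
    sig = dkim_sign(msg["headers"])
    relayed = list_relay(msg)
    # Envelope-only rewrite (no Subject change) is what the list does when
    # the tag is already present; it never touches the signed headers.
    envelope_only = {"mail_from": LIST_BOUNCE, "headers": msg["headers"]}
    return {
        "at_sender": dkim_verify(msg["headers"], sig),
        "after_envelope_rewrite": dkim_verify(envelope_only["headers"], sig),
        "after_subject_tag": dkim_verify(relayed["headers"], sig),
    }
```

Running demo() on the constructed post gives True, True, False: the signature survives the envelope-sender rewrite but not the Subject insertion. A post whose Subject already starts with the tag is left alone and verifies after relay; likewise, relaxed canonicalization tolerates refolding and whitespace changes in the signed headers, so only content changes such as the tag break verification.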