Bug 14811

Summary: networking/nslookup.c parse_reply() CVE-2022-28391 patch query
Product: Busybox
Reporter: john.simner
Component: Networking
Assignee: unassigned
Status: NEW ---
Severity: normal
CC: busybox-cvs, mark.esler
Priority: P5
Version: unspecified
Target Milestone: ---
Hardware: All
OS: Linux

Description john.simner 2022-05-18 14:23:16 UTC
Is BusyBox affected by CVE-2022-28391 (BusyBox networking/nslookup.c parse_reply() Function DNS PTR Record Escape Sequence Handling Arbitrary Command Execution) and BusyBox networking/nslookup.c parse_reply() Function DNS PTR Record Escape Sequence Handling Arbitrary Command Execution)?

If so, is there an official patch or update that fixes these vulnerabilities from BusyBox rather than git.alpinelinux.org?

If https://git.alpinelinux.org/aports/plain/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch details a patch that can be applied to BusyBox, should the change from "xasprintf("%s:%s", host, serv);" to "xasprintf("%s:%s", printable_string(host), serv);" also be applied to ...

#if ENABLE_FEATURE_IPV6
	if (sa->sa_family == AF_INET6) {
		if (strchr(host, ':')) /* heh, it's not a resolved hostname */
			return xasprintf("[%s]:%s", host, serv);
		/*return xasprintf("%s:%s", host, serv);*/
		/* - fall through instead */
	}
#endif

Thanks for your assistance and look forward to your response.
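
Added example, not part of the original report and not BusyBox or Alpine code: a stand-alone C illustration of the point the question raises, namely that a resolver-supplied host name is cleaned of non-printable bytes before either the bracketed IPv6 form or the plain host:port form is built. sanitize_host() and format_hostport() are hypothetical names, and the sample names are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical helper (not BusyBox's printable_string()): copy src into dst,
 * replacing every byte outside printable ASCII (0x20..0x7e) with '?', so
 * ESC (0x1b) and other control bytes never reach the terminal. */
static void sanitize_host(char *dst, size_t dstlen, const char *src)
{
	size_t i = 0;

	if (dstlen == 0)
		return;
	for (; src[i] != '\0' && i + 1 < dstlen; i++) {
		unsigned char c = (unsigned char)src[i];
		dst[i] = (c >= 0x20 && c <= 0x7e) ? (char)c : '?';
	}
	dst[i] = '\0';
}

/* Hypothetical stand-in for the host:port formatting quoted above.
 * The host is sanitized once, before either branch, so the bracketed
 * IPv6 form and the fall-through form both print the cleaned string. */
static int format_hostport(char *out, size_t outlen, int family,
			   const char *host, const char *serv)
{
	char clean[256];

	sanitize_host(clean, sizeof(clean), host);
	if (family == AF_INET6 && strchr(clean, ':'))
		return snprintf(out, outlen, "[%s]:%s", clean, serv);
	return snprintf(out, outlen, "%s:%s", clean, serv);
}

int main(void)
{
	char buf[300];
	/* Constructed sample names, as a resolver might hand them back. */
	const char ptr_name[] = "host\x1b[2Jname.example";
	const char v6_text[] = "2001:db8::1\x07";

	format_hostport(buf, sizeof(buf), AF_INET, ptr_name, "53");
	puts(buf);
	format_hostport(buf, sizeof(buf), AF_INET6, v6_text, "53");
	puts(buf);
	return 0;
}
```
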
Comment 1 Mark Esler 2022-07-08 19:19:32 UTC
> Is BusyBox affected

Appears so. The vulnerability was reproduced on arch: https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661
Comment 3 nikoleta.chalvatzi@atos.net 2022-12-14 11:39:33 UTC
Thank you Mark for your effort. Mr. John Simner has retired, and I replaced him.