Is BusyBox affected by CVE-2022-28391 (BusyBox networking/nslookup.c parse_reply() Function DNS PTR Record Escape Sequence Handling Arbitrary Command Execution) and BusyBox networking/nslookup.c parse_reply() Function DNS PTR Record Escape Sequence Handling Arbitrary Command Execution)? If so, is there an official patch or update that fixes these vulnerabilities from BusyBox rather than git.alpinelinux.org? If https://git.alpinelinux.org/aports/plain/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch details a patch that can be applied to BusyBox, should the change from "xasprintf("%s:%s", host, serv);" to "xasprintf("%s:%s", printable_string(host), serv);" also be applied to ... #if ENABLE_FEATURE_IPV6 if (sa->sa_family == AF_INET6) { if (strchr(host, ':')) /* heh, it's not a resolved hostname */ return xasprintf("[%s]:%s", host, serv); /*return xasprintf("%s:%s", host, serv);*/ /* - fall through instead */ } #endif Thanks for your assistance and look forward to your response.
> Is BusyBox affected Appears so. The vulnerability was reproduced on arch: https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661
Could the below patches be reviewed for their applicability to bug 14811 and CVE-2022-28391? https://git.alpinelinux.org/aports/plain/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch https://git.alpinelinux.org/aports/plain/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch
Thank you Mark for your effort. Mr. John Simner has retired, and i replaced him.