I'm relaying this from Alpine's bug tracker as it seems nobody ever reported this upstream:

"Hey there,

Alpine ships BusyBox with the netstat applet enabled. This is vulnerable to escape sequence injection when used from a VT-compatible terminal. To exploit this vulnerability the PTR for a remote host must contain an escape sequence and the victim has to execute netstat.

I've set up an example at [elided] with the PTR resolving to \027[33\;46mlocalhost.

$ dig -x [elided] @8.8.8.8

; <<>> DiG 9.16.25 <<>> -x [elided] @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59625
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;[elided]. IN PTR

;; ANSWER SECTION:
[elided]. 1 IN PTR \027[33\;46mlocalhost.

;; Query time: 55 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Apr 03 00:11:16 DST 2022
;; MSG SIZE rcvd: 132

If you try to ssh [elided] and run netstat -t while trying to establish the connection from a different terminal, the second terminal will change the background and font color. Other escape sequences may lead to code execution."

Alpine carries some patches but Ariadne says they're incorrect: https://bugs.gentoo.org/836920
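One way to neutralize resolver-supplied names before they reach a terminal, as an added example that is not BusyBox's code and not the Alpine patches. `sanitize_hostname` is a hypothetical helper, and the sample name is constructed from the PTR shown in the report (`\027` in dig's presentation format is decimal byte 27, ESC).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical helper (not a BusyBox function): copy a name returned by
 * the resolver into dst, replacing every byte that is not printable ASCII
 * with '?'. This covers ESC (0x1b), the other C0 controls, DEL, and 8-bit
 * bytes such as the single-byte CSI 0x9b. DNS names are expected to be
 * ASCII (IDNs arrive as punycode), so nothing legitimate is lost.
 * Output is always NUL-terminated and truncated to fit dstlen.
 * Returns the number of bytes that were replaced.
 */
size_t sanitize_hostname(const char *src, char *dst, size_t dstlen)
{
    size_t i = 0, replaced = 0;

    if (dstlen == 0)
        return 0;
    for (; src[i] != '\0' && i + 1 < dstlen; i++) {
        unsigned char c = (unsigned char)src[i];
        if (c < 0x20 || c >= 0x7f) {
            dst[i] = '?';
            replaced++;
        } else {
            dst[i] = (char)c;
        }
    }
    dst[i] = '\0';
    return replaced;
}

int main(void)
{
    /* Constructed sample: the wire form of the PTR from the report. */
    const char *ptr_name = "\x1b[33;46mlocalhost";
    char safe[256];
    size_t n = sanitize_hostname(ptr_name, safe, sizeof safe);

    /* The terminal now receives literal text, not a colour change. */
    printf("%s (%zu byte(s) replaced)\n", safe, n);
    return 0;
}
```

A nonzero return value is also a useful signal to log, since a well-formed hostname never contains such bytes.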
CVE-2022-28391 is still shown as 'Fix not available' per different scanners for Busybox. Is this something that will be fixed soon?
Created attachment 9718: patch 1/2
Created attachment 9721: patch 2/2
I have attached the two patches originating from Alpine and rebased on current busybox master. I'm not sure if they're correct, so reluctant to submit them formally. Please consider and adjust as needed.