SB2025042503 - Multiple vulnerabilities in BusyBox

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Input validation error (CVE-ID: CVE-2025-46394)

The vulnerability allows a remote attacker to perform a spoofing attack.

The vulnerability exists due to insufficient validation of filenames inside a tar archive. A remote attacker can add a specially crafted file into an archive and trick the victim into overwriting critical files on the system, leading to a potential privilege escalation.

2) Input validation error (CVE-ID: CVE-2024-58251)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in netstat when launched with an argv[0] containing an ANSI terminal escape sequence. A local user can lock the terminal when netstat is used by a victim.

Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.

References

• http://www.openwall.com/lists/oss-security/2025/04/23/5
• http://www.openwall.com/lists/oss-security/2025/04/24/3
• https://bugs.busybox.net/show_bug.cgi?id=16018
• http://www.openwall.com/lists/oss-security/2025/04/23/6
• https://bugs.busybox.net/show_bug.cgi?id=15922