https://lists.busybox.net/pipermail/busybox/2025-August/091665.html

I am happy to observe a 30-day embargo to coordinate with downstream distributions. Please let me know if you need more or less time.

🤦‍♀️

[SECURITY] busybox tar: TOCTOU symlink race overwrites arbitrary root file with --overwrite

working on busybox updates, obviously... no CVE number yet

fixed versions:

Alpine edge: busybox-1.37.0-r22
Alpine 3.22: busybox-1.37.0-r19
Alpine 3.21: busybox-1.37.0-r13
Alpine 3.20: busybox-1.36.1-r30
Alpine 3.19: busybox-1.36.1-r20

0001-tar-fix-TOCTOU-symlink-race-condition.patch « busybox « main - aports - Alpine packages build scripts

can't wait for someone to dub this "busybox-tar4shell"
@ariadne I'm sure this is a CVSS 9.8
@joshbressers i would say probably CVSS 6.5 or so. you have to already have the ability to untar a file somehow in the right place with effective root permissions. it's bad, but not the end of the world.

@ariadne Heh, I'm more joking that NVD seems to give everything a 9.8

I agree, this isn't a huge deal

@joshbressers i’ve debated changing my algorithm to guess severity ratings with “return 9.8” before
@ariadne I'm impressed that cgit just...doesn't show the removed lines in this patch
@endrift it's in aports, so aports tracks patch files, not patches themselves
@ariadne Hence I would expect it to show the whole file. But...it doesn't. It misses two lines.
@ariadne - flags = O_WRONLY | O_CREAT | O_TRUNC; + flags = O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW | O_EXCL;

And of course that doesn't look correct… at least O_TRUNC and O_EXCL (fail if already exists) don't really go together.

@lanodan O_TRUNC preempts O_EXCL afaik
@lanodan nope, it is indeed the other way around…
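The O_TRUNC versus O_EXCL exchange above, worked through in C as an added example that is not code from busybox or the aports patch. It opens an already-existing entry with each of the two flag sets quoted from the diff line, and adds a hypothetical `open_for_extract_overwrite()` that is my assumption about how --overwrite could be layered on the O_EXCL set, not what the patch does. The scratch directory, the "secret"/"payload"/"old" file contents and the planted symlink are constructed inputs; it needs a writable TMPDIR or /tmp.

```c
/* Added example (not busybox's code): what the two flag sets on the quoted
   diff line do when the entry tar is about to create already exists, plus a
   hypothetical --overwrite helper built on the O_EXCL set. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define OLD_FLAGS (O_WRONLY | O_CREAT | O_TRUNC)
#define NEW_FLAGS (O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW | O_EXCL)

#define R_OPENED    1  /* open() of the entry succeeded */
#define R_CLOBBERED 2  /* the victim's target file now holds the payload */
#define R_ENTRY_NEW 4  /* the entry is now a regular file holding the payload */

/* open() wrapper: fd on success, -errno on failure. */
static int open_for_extract(const char *path, int flags)
{
    int fd = open(path, flags, 0644);
    return fd < 0 ? -errno : fd;
}

/* Hypothetical --overwrite handling (an assumption, not busybox's patch):
   with O_CREAT|O_EXCL an existing path fails with EEXIST and O_TRUNC never
   takes effect, so replacing it means unlink() first. A symlink at `path`
   is removed rather than followed, and if one is re-planted between the
   unlink() and the open(), O_EXCL makes the retry fail instead of writing
   through it. Symlinks in intermediate directories are not covered. */
static int open_for_extract_overwrite(const char *path)
{
    int fd = open_for_extract(path, NEW_FLAGS);
    if (fd == -EEXIST) {
        if (unlink(path) < 0)
            return -errno;
        fd = open_for_extract(path, NEW_FLAGS);
    }
    return fd;
}

/* Create `path` as a new regular file containing `s` (0 on success). */
static int write_str(const char *path, const char *s)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0) return -1;
    (void)!write(fd, s, strlen(s));
    return close(fd);
}

/* True if `path` is a regular file (not a symlink) whose content is `s`. */
static int regular_file_holds(const char *path, const char *s)
{
    struct stat st;
    char buf[32];
    int fd = (lstat(path, &st) == 0 && S_ISREG(st.st_mode))
                 ? open(path, O_RDONLY | O_NOFOLLOW) : -1;
    if (fd < 0) return 0;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n < 0) return 0;
    buf[n] = '\0';
    return strcmp(buf, s) == 0;
}

/* Stage the losing side of the race in a scratch directory (constructed
   input): `target` is a victim-owned file holding "secret"; `entry` is the
   name tar is about to create and already exists, either as an
   attacker-planted symlink to `target` or as a plain file holding "old".
   Write "payload" to `entry` with the chosen strategy and report the bits. */
static int run_scenario(int flags, int use_overwrite_helper, int plant_symlink)
{
    const char *tmp = getenv("TMPDIR");
    char dir[128], target[160], entry[160];
    int result = 0;

    snprintf(dir, sizeof dir, "%s/tar-race.XXXXXX", tmp ? tmp : "/tmp");
    if (!mkdtemp(dir)) return -errno;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(entry, sizeof entry, "%s/entry", dir);
    if (write_str(target, "secret") < 0) return -errno;
    if (plant_symlink ? symlink(target, entry) : write_str(entry, "old"))
        return -errno;

    int fd = use_overwrite_helper ? open_for_extract_overwrite(entry)
                                  : open_for_extract(entry, flags);
    if (fd >= 0) {
        result |= R_OPENED;
        (void)!write(fd, "payload", 7);
        close(fd);
    }
    if (regular_file_holds(target, "payload")) result |= R_CLOBBERED;
    if (regular_file_holds(entry, "payload"))  result |= R_ENTRY_NEW;
    unlink(entry);
    unlink(target);
    rmdir(dir);
    return result;
}

int old_flags_on_symlink(void)    { return run_scenario(OLD_FLAGS, 0, 1); }
int new_flags_on_symlink(void)    { return run_scenario(NEW_FLAGS, 0, 1); }
int new_flags_on_plain_file(void) { return run_scenario(NEW_FLAGS, 0, 0); }
int overwrite_on_symlink(void)    { return run_scenario(0, 1, 1); }
int overwrite_on_plain_file(void) { return run_scenario(0, 1, 0); }
```

The old flags follow the planted symlink and clobber the victim's target (R_OPENED|R_CLOBBERED). The new flags fail with EEXIST both on the symlink and on a plain pre-existing file, which is the point lanodan is making: once O_EXCL is present, O_TRUNC can never act, so honouring --overwrite requires removing the existing entry first, as the hypothetical helper does (R_OPENED|R_ENTRY_NEW, target untouched in both cases).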
@ariadne "You keep using that word. I don't think it means what you think it means."
@ariadne did they just report a vulnerability on a public mailing list? 
@ariadne oh fun, seems like i already mitigated that one by accident when customizing my kernel a year ago