Ariadne Conill 🐰Aug 5, 2025

https://lists.busybox.net/pipermail/busybox/2025-August/091665.html

I am happy to observe a 30-day embargo to coordinate with downstream distributions. Please let me know if you need more or less time.

🤦‍♀️

[SECURITY] busybox tar: TOCTOU symlink race overwrites arbitrary root file with --overwrite

Show threadAriadne Conill 🐰Aug 5, 2025
working on busybox updates, obviously... no CVE number yet
Show threadAriadne Conill 🐰Aug 5, 2025

fixed versions:

Alpine edge: busybox-1.37.0-r22
Alpine 3.22: busybox-1.37.0-r19
Alpine 3.21: busybox-1.37.0-r13
Alpine 3.20: busybox-1.36.1-r30
Alpine 3.19: busybox-1.36.1-r20

Show threadAriadne Conill 🐰Aug 5, 2025
don't use his patch, it is wrong. correct patch is in aports... https://git.alpinelinux.org/aports/tree/main/busybox/0001-tar-fix-TOCTOU-symlink-race-condition.patch?id=9e42dea5fba84a8afad1f1910b7d3884128a567e
0001-tar-fix-TOCTOU-symlink-race-condition.patch « busybox « main - aports - Alpine packages build scripts

Show threadendrift 🏳️‍⚧️Aug 5, 2025
@ariadne I'm impressed that cgit just...doesn't show the removed lines in this patch
Show threadAriadne Conill 🐰Aug 5, 2025
@endrift it's in aports, so aports tracks patch files, not patches themselves
Show threadendrift 🏳️‍⚧️
@ariadne Hence I would expect it to show the whole file. But...it doesn't. It misses two lines.
Aug 5, 2025 at 5:45pmWeb