Debian 10324 Published by

Debian GNU/Linux has undergone multiple security updates, encompassing busybox, libreoffice, and tryton-server for Debian 11 LTS, libreoffice for Debian 12, and a rsync regression update for Debian 8/9/10 ELTS.

[DLA 4019-1] busybox security update
[DSA 5846-1] libreoffice security update
[DLA 4022-1] tryton-server security update
[DLA 4020-1] libreoffice security update
ELA-1290-2 rsync regression update




[SECURITY] [DLA 4019-1] busybox security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4019-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Tobias Frost
January 19, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : busybox
Version : 1:1.30.1-6+deb11u1
CVE ID : CVE-2021-28831 CVE-2021-42374 CVE-2021-42378 CVE-2021-42379
CVE-2021-42380 CVE-2021-42381 CVE-2021-42382 CVE-2021-42384
CVE-2021-42385 CVE-2021-42386 CVE-2022-48174 CVE-2023-42364
CVE-2023-42365
Debian Bug : 985674 999567 1059049 1059051 1059052

Multiple vulnerabilities have been found in BusyBox, a lightweight
single-executable containing various Unix utilities, which potentially
allow attackers to cause denial of service, information leakage, or
arbitrary code execution through malformed gzip data, crafted LZMA
input or crafted awk patterns.

CVE-2021-28831

decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit
on the huft_build result pointer, with a resultant invalid free or
segmentation fault, via malformed gzip data.

CVE-2021-42374

An out-of-bounds heap read in Busybox's unlzma applet leads to
information leak and denial of service when crafted LZMA-compressed
input is decompressed. This can be triggered by any applet/format that

CVE-2021-42378

A use-after-free in Busybox's awk applet leads to denial of service and
possibly code execution when processing a crafted awk pattern in the
getvar_i function

CVE-2021-42379

A use-after-free in Busybox's awk applet leads to denial of service and
possibly code execution when processing a crafted awk pattern in the
next_input_file function

CVE-2021-42380

A use-after-free in Busybox's awk applet leads to denial of service and
possibly code execution when processing a crafted awk pattern in the
clrvar function

CVE-2021-42381

A use-after-free in Busybox's awk applet leads to denial of service and
possibly code execution when processing a crafted awk pattern in the
hash_init function

CVE-2021-42382

use-after-free in Busybox's awk applet leads to denial of service and
possibly code execution when processing a crafted awk pattern in the
getvar_s function

CVE-2021-42384

A use-after-free in Busybox's awk applet leads to denial of service and
possibly code execution when processing a crafted awk pattern in the
handle_special function

CVE-2021-42385

A use-after-free in Busybox's awk applet leads to denial of service and
possibly code execution when processing a crafted awk pattern in the
evaluate function

CVE-2021-42386

A use-after-free in Busybox's awk applet leads to denial of service and
possibly code execution when processing a crafted awk pattern in the
nvalloc function

CVE-2022-48174

There is a stack overflow vulnerability in ash.c:6030 in busybox before
1.35. In the environment of Internet of Vehicles, this vulnerability can
be executed from command to arbitrary code execution.

CVE-2023-42364

A use-after-free vulnerability in BusyBox v.1.36.1 allows attackers to
cause a denial of service via a crafted awk pattern in the awk.c
evaluate function.

CVE-2023-42365

A use-after-free vulnerability was discovered in BusyBox v.1.36.1 via a
crafted awk pattern in the awk.c copyvar function.

For Debian 11 bullseye, these problems have been fixed in version
1:1.30.1-6+deb11u1.

We recommend that you upgrade your busybox packages.

For the detailed security status of busybox please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/busybox

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DSA 5846-1] libreoffice security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-5846-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
January 19, 2025 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : libreoffice
CVE ID : CVE-2024-12425 CVE-2024-12426

Thomas Rinsma discovered two security vulnerabilities in LibreOffice,
which could result in information disclosure or overwriting of files when
opening malformed documents.

For the stable distribution (bookworm), these problems have been fixed in
version 4:7.4.7-1+deb12u6.

We recommend that you upgrade your libreoffice packages.

For the detailed security status of libreoffice please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libreoffice

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DLA 4022-1] tryton-server security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4022-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Daniel Leidert
January 19, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : tryton-server
Version : 5.0.33-2+deb11u3
CVE ID : not yet available
Debian Bug : none

Cédric Krier has found that trytond, the Tryton application server,
accepts compressed content from unauthenticated requests which makes it
vulnerable to zip bomb attacks.

The fix requires a small update to tryton-client as well to prevent a
regression.

For Debian 11 bullseye, this problem has been fixed in version
5.0.33-2+deb11u3 in tryton-server and in version 5.0.33-1+deb11u1 for
tryton-client.

We recommend that you upgrade your tryton-server and tryton-client
packages.

For the detailed security status of tryton-server please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tryton-server

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4020-1] libreoffice security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4020-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Bastien Roucariès
January 19, 2025 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : libreoffice
Version : 1:7.0.4-4+deb11u12
CVE ID : CVE-2024-12425 CVE-2024-12426

Libreoffice an office productivity software suite,
was affected by two vulnerabilities

CVE-2024-12425

Improper Limitation of a Pathname to a Restricted Directory
('Path Traversal') vulnerability allows Absolute Path Traversal.
An attacker can write to arbitrary locations, albeit suffixed
with ".ttf", by supplying a file in a format that supports
embedded font files

CVE-2024-12426

Exposure of Environmental Variables and arbitrary INI file values
to an Unauthorized Actor vulnerability.
URLs could be constructed which expanded environmental variables
or INI file values, so potentially sensitive information could
be exfiltrated to a remote server on opening a document
containing such links.

For Debian 11 bullseye, these problems have been fixed in version
1:7.0.4-4+deb11u12.

We recommend that you upgrade your libreoffice packages.

For the detailed security status of libreoffice please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libreoffice

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



ELA-1290-2 rsync regression update


Package : rsync
Version : 3.1.1-3+deb8u4 (jessie), 3.1.2-1+deb9u5 (stretch), 3.1.3-6+deb10u2 (buster)

The update for rsync announced in ELA 1290-1 introduced a regression
when using the -H option to preserve hard links. Updated packages are
now available to correct this issue.


ELA-1290-2 rsync regression update