CVE-2024-58251
NVD Description
Note: Versions mentioned in the description apply only to the upstream busybox package and not the busybox package as distributed by Alpine.
See How to fix? for Alpine:3.21 relevant fixed versions and status.
In netstat in BusyBox through 1.37.0, local users can launch a network application with an argv[0] containing an ANSI terminal escape sequence, leading to a denial of service (terminal locked up) when netstat is used by a victim.
Remediation
Upgrade Alpine:3.21 busybox to version 1.37.0-r14 or higher.
References
- https://bugs.busybox.net/show_bug.cgi?id=15922
- https://www.busybox.net
- https://www.busybox.net/downloads/
- http://www.openwall.com/lists/oss-security/2025/04/23/6
CVE-2025-46394
NVD Description
Note: Versions mentioned in the description apply only to the upstream busybox package and not the busybox package as distributed by Alpine.
See How to fix? for Alpine:3.21 relevant fixed versions and status.
In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences.
Remediation
Upgrade Alpine:3.21 busybox to version 1.37.0-r14 or higher.
References
- https://bugs.busybox.net/show_bug.cgi?id=16018
- https://www.busybox.net
- https://www.busybox.net/downloads/
- http://www.openwall.com/lists/oss-security/2025/04/23/5
- http://www.openwall.com/lists/oss-security/2025/04/24/3