
   linux.debian.bugs.dist      Ohh some weird Debian bug report thing      28,835 messages   


   Message 27,411 of 28,835   
   Salvatore Bonaccorso to All   
   Bug#1127782: busybox: CVE-2026-26157 CVE   
   12 Feb 26 23:10:01   
   
   XPost: linux.debian.maint.boot   
   From: carnil@debian.org   
      
   Source: busybox   
   Version: 1:1.37.0-10   
   Severity: important   
   Tags: security upstream   
   X-Debbugs-Cc: carnil@debian.org, Debian Security Team    
      
   Hi,   
      
   The following vulnerabilities were published for busybox.   
      
   CVE-2026-26157[0]:   
   | A flaw was found in BusyBox. Incomplete path sanitization in its   
   | archive extraction utilities allows an attacker to craft malicious   
   | archives that when extracted, and under specific conditions, may   
   | write to files outside the intended directory. This can lead to   
   | arbitrary file overwrite, potentially enabling code execution   
   | through the modification of sensitive system files.   
      
      
   CVE-2026-26158[1]:   
   | A flaw was found in BusyBox. This vulnerability allows an attacker   
   | to modify files outside of the intended extraction directory by   
   | crafting a malicious tar archive containing unvalidated hardlink or   
   | symlink entries. If the tar archive is extracted with elevated   
   | privileges, this flaw can lead to privilege escalation, enabling an   
   | attacker to gain unauthorized access to critical system files.   
      
      
   If you fix the vulnerabilities please also make sure to include the   
   CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.   
      
   For further information see:   
      
   [0] https://security-tracker.debian.org/tracker/CVE-2026-26157   
       https://www.cve.org/CVERecord?id=CVE-2026-26157   
   [1] https://security-tracker.debian.org/tracker/CVE-2026-26158   
       https://www.cve.org/CVERecord?id=CVE-2026-26158   
   [2] https://git.busybox.net/busybox/commit/archival?id=3fb6b31c76669e12f75a2accd31bb7685b1a1cb
      
   Please adjust the affected versions in the BTS as needed.   
      
   Regards,   
   Salvatore   
      
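An added example, not part of the original message and not BusyBox code: a pre-extraction audit that lists tar members whose name, symlink target or hardlink target would resolve outside the destination, the class of entries both CVE descriptions refer to. The function names, the `/dest` root and the sample archive are assumptions constructed for illustration.

```python
import io
import posixpath
import tarfile

def _outside(root, path):
    """True if path, joined to root and normalized lexically, leaves root."""
    full = posixpath.normpath(posixpath.join(root, path))
    return full != root and not full.startswith(root + "/")

def audit_tar(fileobj, root="/dest"):
    """Return (member name, reason) pairs for entries that should block extraction.
    root is a hypothetical destination used only for lexical resolution;
    nothing is written to disk and links already on disk are not considered."""
    findings = []
    with tarfile.open(fileobj=fileobj) as tar:
        for m in tar:
            if _outside(root, m.name):
                findings.append((m.name, "member name leaves destination"))
            if m.issym():
                # A symlink target resolves relative to the link's own directory.
                target = posixpath.join(posixpath.dirname(m.name), m.linkname)
                if m.linkname.startswith("/") or _outside(root, target):
                    findings.append((m.name, "symlink target leaves destination"))
            elif m.islnk():
                # A hardlink target is a path relative to the archive root.
                if _outside(root, m.linkname):
                    findings.append((m.name, "hardlink target leaves destination"))
    return findings

def build_sample():
    """Constructed in-memory archive: two clean entries, three suspicious ones."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add(name, kind=tarfile.REGTYPE, linkname=""):
            info = tarfile.TarInfo(name)
            info.type, info.linkname = kind, linkname
            tar.addfile(info)
        add("docs/readme.txt")
        add("docs/../../outside.txt")
        add("docs/link", tarfile.SYMTYPE, "../../elsewhere")
        add("docs/hard", tarfile.LNKTYPE, "../elsewhere/file")
        add("docs/ok-link", tarfile.SYMTYPE, "readme.txt")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for name, reason in audit_tar(build_sample()):
        print(f"{name}: {reason}")
```

Any finding is a reason to refuse the archive before handing it to an extractor, particularly one running with elevated privileges.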
