Name: busybox
Version: 1.35.0
Type: library
Description: Tiny versions of many common UNIX utilities in a single small executable
Licenses: GPL-2.0-only & bzip2-1.0.4
PURL: -
CPE: cpe:2.3:*:busybox:busybox:1.35.0:*:*:*:*:*:*:*

Patches

| # | Title | Author | Resolve |
|---|-------|--------|---------|
| 1 | testsuite/tar.tests: fix test after CVE-2025-46394 | Peter Marko <peter.marko@siemens.com> | CVE-2025-46394 |
| 2 | Patch #2 | Juro Bystricky <juro.bystricky@intel.com> | |
| 3 | testsuite: check uudecode before using it | Chen Qi <Qi.Chen@windriver.com> | |
| 4 | archival/libarchive: sanitize filenames on output (prevent | Denys Vlasenko <vda.linux@googlemail.com> | CVE-2025-46394 |
| 5 | archival: disallow path traversals (CVE-2023-39810) | Denys Vlasenko <vda.linux@googlemail.com> | CVE-2023-39810 |
| 6 | awk: fix use after free (CVE-2023-42363) | Natanael Copa <ncopa@alpinelinux.org> | CVE-2023-42363 |
| 7 | busybox: fail on no media | Saul Wold <sgw@linux.intel.com> | |
| 8 | awk.c: fix CVE-2023-42366 (bug #15874) | Valery Ushakov <uwe@stderr.spb.ru> | CVE-2023-42366 |
| 9 | libbb: sockaddr2str: ensure only printable characters are | Ariadne Conill <ariadne@dereferenced.org> | CVE-2022-28391 |
| 10 | busybox-udhcpc-no_deconfig.patch | Anders Darander <anders@chargestorm.se> | |
| 11 | awk: fix precedence of = relative to == | Denys Vlasenko <vda.linux@googlemail.com> | CVE-2023-42364, CVE-2023-42365 |
| 12 | menuconfig,check-lxdiaglog.sh: Allow specification of ncurses location | Jason Wessel <jason.wessel@windriver.com> | |
| 13 | awk: fix ternary operator and precedence of = | Natanael Copa <ncopa@alpinelinux.org> | CVE-2023-42364, CVE-2023-42365 |
| 14 | Patch #14 | Saul Wold <sgw@linux.intel.com> | |
| 15 | devmem: add 128-bit width | Aaro Koskinen <aaro.koskinen@nokia.com> | |
| 16 | du-l-works: fix to use 145 instead of 144 | Chen Qi <Qi.Chen@windriver.com> | |
| 17 | busybox: shell: avoid segfault on ${0::0/0~09J}. Closes 15216 | Denys Vlasenko <vda.linux@googlemail.com> | CVE-2022-48174 |
| 18 | Patch #18 | Ross Burton <ross.burton@arm.com> | CVE-2022-30065 |
| 19 | depmod: Ignore .debug directories | Saul Wold <saul.wold@windriver.com> | |
| 20 | sysctl: ignore EIO of stable_secret below | Yi Zhao <yi.zhao@windriver.com> | |
| 21 | cut: Fix "-s" flag to omit blank lines | Colin McAllister <colinmca242@gmail.com> | |
| 22 | wget: don't allow control characters or spaces in the URL | Radoslav Kolev <radoslav.kolev@suse.com> | CVE-2025-60876 |
| 23 | awk: fix use-after-realloc (CVE-2021-42380), closes 15601 | Denys Vlasenko <vda.linux@googlemail.com> | CVE-2021-42380 |
| 24 | nslookup: sanitize all printed strings with | Ariadne Conill <ariadne@dereferenced.org> | CVE-2022-28391 |
| 25 | testsuite: use www.example.org for wget test cases | Chen Qi <Qi.Chen@windriver.com> | |

Vulnerabilities

| Name | Analysis | Description |
|------|----------|-------------|
| | Patched | BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0 control bytes in the HTTP request-target (path/query), allowing the request line to be split and attacker-controlled headers to be injected. To preserve the HTTP/1.1 request-line shape METHOD SP request-target SP HTTP/1.1, a raw space (0x20) in the request-target must also be rejected (clients should use %20). |
| | Patched | In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences. |
| | Patched | A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in the next_token function at awk.c:1159. |
| | Patched | A use-after-free vulnerability was discovered in BusyBox v.1.36.1 via a crafted awk pattern in the awk.c copyvar function. |
| | Patched | A use-after-free vulnerability in BusyBox v.1.36.1 allows attackers to cause a denial of service via a crafted awk pattern in the awk.c evaluate function. |
| | Patched | A use-after-free vulnerability was discovered in xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1. |
| | Patched | An issue in the CPIO command of Busybox v1.33.2 allows attackers to execute a directory traversal. |
| | Patched | There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution. |
| | Patched | A use-after-free in Busybox 1.35-x's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the copyvar function. |
| | Patched | BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors. |
| | Patched | A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function |