CVE-2015-9261

Summary

CVE	CVE-2015-9261
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2018-07-26 19:29:00 UTC
Updated	2022-10-29 02:30:00 UTC
Description	huft_build in archival/libarchive/decompress_gunzip.c in BusyBox before 1.27.2 misuses a pointer, causing segfaults and an application crash during an unzip operation on a specially crafted ZIP file.

Risk And Classification

Problem Types: CWE-476

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Busybox	Busybox	All	All	All	All
Application	Busybox	Busybox	All	All	All	All
Operating System	Canonical	Ubuntu Linux	14.04	All	All	All
Operating System	Canonical	Ubuntu Linux	16.04	All	All	All
Operating System	Canonical	Ubuntu Linux	14.04	All	All	All
Operating System	Canonical	Ubuntu Linux	16.04	All	All	All
Operating System	Debian	Debian Linux	8.0	All	All	All
Operating System	Debian	Debian Linux	9.0	All	All	All
Operating System	Debian	Debian Linux	8.0	All	All	All
Operating System	Debian	Debian Linux	9.0	All	All	All

References

Reference	Source	Link	Tags
Full Disclosure: SEC Consult SA-20190612-0 :: Multiple vulnerabilities in WAGO 852 Industrial Managed Switch Series	FULLDISC	seclists.org	Exploit, Mailing List, Third Party Advisory
#803097 - busybox: CVE-2015-9261: segmentation fault while unzipping bad archive - Debian Bug report logs	MISC	bugs.debian.org	Issue Tracking, Mailing List, Patch, Third Party Advisory
Full Disclosure: SEC Consult SA-20200827-0 :: Multiple Vulnerabilities in ZTE mobile Hotspot MS910S	FULLDISC	seclists.org	Exploit, Mailing List, Third Party Advisory
[SECURITY] [DLA 1445-1] busybox security update	MLIST	lists.debian.org	Mailing List, Third Party Advisory
Bugtraq: SEC Consult SA-20190612-0 :: Multiple vulnerabilities in WAGO 852 Industrial Managed Switch Series	BUGTRAQ	seclists.org	Exploit, Mailing List, Third Party Advisory
Full Disclosure: SEC Consult SA-20190904-0 :: Multiple vulnerabilities in Cisco router series RV34X, RV26X and RV16X	FULLDISC	seclists.org	Exploit, Mailing List, Third Party Advisory
Cisco Device Hardcoded Credentials / GNU glibc / BusyBox ≈ Packet Storm	MISC	packetstormsecurity.com	Exploit, Third Party Advisory, VDB Entry
USN-3935-1: BusyBox vulnerabilities \| Ubuntu security notices \| Ubuntu	UBUNTU	usn.ubuntu.com	Third Party Advisory
Bugtraq: SEC Consult SA-20190904-0 :: Multiple vulnerabilities in Cisco router series RV34X, RV26X and RV16X	BUGTRAQ	seclists.org	Exploit, Mailing List, Third Party Advisory
Nexans FTTO GigaSwitch Outdated Components / Hardcoded Backdoor ≈ Packet Storm	MISC	packetstormsecurity.com
oss-security - Pointer misuse unziping files with busybox	MISC	www.openwall.com	Exploit, Mailing List, Third Party Advisory
busybox - BusyBox: The Swiss Army Knife of Embedded Linux	MISC	git.busybox.net	Patch, Vendor Advisory
[SECURITY] [DLA 2559-1] busybox security update	MLIST	lists.debian.org	Mailing List, Third Party Advisory
Full Disclosure: SEC Consult SA-20220615-0 :: Hardcoded Backdoor User and Outdated Software Components in Nexans FTTO GigaSwitch series	FULLDISC	seclists.org
WAGO 852 Industrial Managed Switch Series Code Execution / Hardcoded Credentials ≈ Packet Storm	MISC	packetstormsecurity.com	Exploit, Third Party Advisory, VDB Entry
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

590948 Advantech Spectre RT Industrial Routers Multiple Vulnerabilities (ICSA-21-054-03)
751624 SUSE Enterprise Linux Security Update for busybox (SUSE-SU-2022:0135-1)
751633 OpenSUSE Security Update for busybox (openSUSE-SU-2022:0135-1)
752794 SUSE Enterprise Linux Security Update for busybox (SUSE-SU-2022:3959-1)
752903 SUSE Enterprise Linux Security Update for busybox (SUSE-SU-2022:4253-1)