Bugzilla – Bug 1198092
VUL-0: CVE-2022-28391: busybox: arbitrary code execution if netstat is used to print a DNS PTR record's value to a VT compatible terminal
Last modified: 2022-11-04 11:00:19 UTC
BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if
netstat is used to print a DNS PTR record's value to a VT compatible terminal.
Alternatively, the attacker could choose to change the terminal's colors.
tracking as affected, based on busybox.SuSE.config/busybox.config:
I investigated this further, and the problem seems to only be present when busybox is build against musl. At least I couldn't reproduce the issue with our busybox package in carwos, based on SLE15-SP2. With the exact same DNS server config the issue is reproducible on Alpine Linux, which uses musl.