JFrog Security Research

XRAY-189472 - BusyBox LZMA OOB-R

CVE-2021-42374 | CVSS 5.3

JFrog Severity:medium

Published 9 Nov. 2021 | Last updated 9 Nov. 2021

An out-of-bounds (OOB) heap read in the BusyBox lzma decompressor leads to data leakage and denial of service when decompressing a malformed LZMA-based archive

BusyBox [1.33.0, 1.33.1], fixed in 1.34.0

The BusyBox toolkit implements a large number of Linux tools in a single executable and can even replace the Linux init system. Its small size and flexibility make it popular in embedded devices.

An out-of-bounds heap read in unlzma leads to an information leak and denial of service when crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format that internally supports LZMA compression. An attacker who can pass an LZMA-based archive to be decompressed can cause data leakage and denial of service. Note that the following applets all accept and decompress an LZMA-based archive: unlzma, tar, unzip, rpm, dpkg, man.

As shown in the JFrog blog post, the attack is most potent when the victim unzips a crafted zip archive, since there are no special requirements on the unzipped filename and the leaked data can be archived back into the original zip archive.
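As an added example (not JFrog's or BusyBox's own code), a POSIX shell check a defender can run to tell whether a BusyBox build falls in the affected range above and which of the LZMA-consuming applets named in this advisory are built in. It assumes the version banner format "BusyBox v1.33.1 (...) multi-call binary." and the applet list format of `busybox --list`; the sample inputs are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of the JFrog advisory or of BusyBox.
# Checks a BusyBox version banner against the CVE-2021-42374 affected range
# [1.33.0, 1.33.1] (fixed in 1.34.0) and lists which LZMA-consuming applets
# from the advisory are present in a `busybox --list` style applet list.

# Applets named in the advisory that accept and decompress LZMA-based archives.
LZMA_APPLETS="unlzma tar unzip rpm dpkg man"

# Extract "MAJOR.MINOR[.PATCH]" from a BusyBox version banner.
# Assumed banner format: "BusyBox v1.33.1 (2021-06-30 12:00:00 UTC) multi-call binary."
busybox_version() {
    printf '%s\n' "$1" | sed -n 's/^BusyBox v\([0-9][0-9.]*\).*/\1/p'
}

# Print "affected" if the banner's version lies within [1.33.0, 1.33.1],
# "not-affected" otherwise, and "unknown" if the banner cannot be parsed.
busybox_lzma_affected() {
    v=$(busybox_version "$1")
    [ -n "$v" ] || { echo "unknown"; return 2; }
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    # A two-component version such as "1.33" carries no patch field; treat it as 0.
    [ "$patch" = "$rest" ] && patch=0
    if [ "$major" -eq 1 ] && [ "$minor" -eq 33 ] && [ "$patch" -le 1 ]; then
        echo "affected"; return 0
    fi
    echo "not-affected"; return 1
}

# Given a space-separated applet list (the shape of `busybox --list` output),
# print the LZMA-consuming applets from the advisory that are built in.
exposed_lzma_applets() {
    found=""
    for a in $LZMA_APPLETS; do
        for built in $1; do
            [ "$built" = "$a" ] && found="$found $a"
        done
    done
    printf '%s\n' "${found# }"
}

# Constructed sample inputs (not taken from a real system) so this runs offline.
SAMPLE_BANNER='BusyBox v1.33.1 (2021-06-30 12:00:00 UTC) multi-call binary.'
SAMPLE_APPLETS='ash cat dpkg ls man tar unlzma unzip'
busybox_lzma_affected "$SAMPLE_BANNER"
exposed_lzma_applets "$SAMPLE_APPLETS"
```

On a live system, feed the first line of `busybox` output and the output of `busybox --list` into the two functions instead of the constructed samples.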

No PoC is supplied for this issue

No vulnerability mitigations are supplied for this issue

(JFrog) Unboxing BusyBox - 14 new vulnerabilities uncovered by Claroty and JFrog